auth.ping
Introduction
Tags beginning with auth.ping identify events generated by PingIdentity.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as auth.ping. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Technology | Brand | Type | Subtype |
---|---|---|---|
auth | ping | id | mfa |
auth | ping | federate | security_audit |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
auth.ping.id.mfa | auth.ping.id.mfa |
auth.ping.federate.security_audit | auth.ping.federate.security_audit |
Log samples
The following are sample logs sent to each of the auth.ping data tables. Under each sample log, you can see how the information will be parsed in your data table.
Fields marked as Extra in the tables below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
auth.ping.id.mfa
2022-02-17 13:26:24.349 localhost=127.0.0.1 auth.ping.id.mfa: {"action": null, "actors": [{"type": "user", "id": null, "name": "kill2554"}], "source": "PINGID", "resources": [], "id": "18093988-1bb9-11ec-9c15-0a47239ab552", "client": null, "result": {"status": "POLICY", "message": "Authentication Details:\\nIP Address: 192.168.14.44\\nPrevious Authentication IP: N/A\\nPrevious Authentication Time: N/A\\nIP Reputation Whitelist Met: false\\nIP Risk Score: N/A\\nCountry: United States\\nPrevious Country: N/A\\nGround Speed: N/A km/h\\nCurrent VPN/Proxy login: N/A\\nPrevious VPN/Proxy login: N/A\\nGeovelocity Whitelist Met: N/A\\nNew Device: true\\nRisk Level: N/A\\nRequested Application ID: urn:amazon:cognito:sp:us-east-1_6ZqXMw2xL\\nRequested Application Name: N/A\\nPassword Reset: false\\nSelf Service Device Management: false\\nTime since last Authentication: N/A\\nAccessing Device UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\\nAccessing Device OS: Windows 10\\nAccessing Device Browser: Chrome 93.0\\nTime since last Authentication from Office: N/A\\nMobile OS Version: iOS 15.0\\nDevice Model: iPhone 8 (GSM)\\nDevice Lock Enabled: true\\nDevice Rooted or Jailbroken: false\\nDevice enrolled in MDM: false\\nPingID App Version: 1.15.0\\nDevice biometrics supported: true\\nAction: Authenticate\\nPolicy Met: SpyCloud Policy\\nRule Met: \\"New device\\"\\nGroup Affected: ALL"}, "recorded": "2021-22-09T15:23:52.780Z"}
And this is how the log would be parsed:
Field | Value | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|---|
eventdate | | | | | |
hostname | | | | | |
action | | | | | |
actors__type_str | | | | actors__type | |
actors__id_str | | | | actors__id | |
actors__name_str | | | | actors__name | |
source | | | | | |
id | | | | | |
client2 | | | | | |
result__status | | | | | |
result__message | | | | | |
recorded | | | | | |
hostchain | | | | | ✓ |
tag | | | | | ✓ |
rawMessage | | | | | ✓ |
auth.ping.federate.security_audit
2022-02-17 14:38:51.756 localhost=127.0.0.1 auth.ping.federate.security_audit: 2021-12-30 05:40:14,975| tid:aBCdeFgHi123456JKLMNopqRST8910| OAuth| | 192.168.123.123 | | AdaptiveWithNuData| OAuth20| i-abcdefghijklm1234| AS| inprogress| | | 1
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
transactionTime | | | |
trackingId | | | |
event | | | |
subject | | | |
ip | | | |
app | | | |
connectionId | | | |
protocol | | | |
host | | | |
role | | | |
status | | | |
adapterId | | | |
description | | | |
responseTime | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | | ✓ |
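The following Python is an added example, not Devo's parser and not code from this documentation. It splits the auth.ping.federate.security_audit sample into the columns listed above, assuming the pipe-delimited positions follow that column order, and breaks the auth.ping.id.mfa result__message into attributes; `is_new_device_policy_hit` and the `attrs` key are hypothetical names introduced for illustration.

```python
import json
import re

# Column order copied from the field list on this page (assumed positional).
AUDIT_FIELDS = ["transactionTime", "trackingId", "event", "subject", "ip", "app",
                "connectionId", "protocol", "host", "role", "status", "adapterId",
                "description", "responseTime"]

def parse_security_audit(line):
    """Split one PingFederate security-audit line into the page's columns."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(AUDIT_FIELDS):
        raise ValueError(f"expected {len(AUDIT_FIELDS)} fields, got {len(parts)}")
    # Empty positions become None so a missing subject is not confused with "".
    return {k: (v or None) for k, v in zip(AUDIT_FIELDS, parts)}

def parse_mfa(raw_json):
    """Flatten a PingID MFA event and split result.message into attributes."""
    ev = json.loads(raw_json)
    actor = (ev.get("actors") or [{}])[0]
    result = ev.get("result") or {}
    attrs = {}
    # Attribute lines may be separated by real newlines or a literal backslash-n.
    for item in re.split(r"\\n|\n", result.get("message") or ""):
        key, sep, value = item.partition(": ")
        if sep:
            attrs[key.strip()] = value.strip().strip('"')
    return {"actors__name": actor.get("name"),
            "result__status": result.get("status"), "attrs": attrs}

def is_new_device_policy_hit(mfa):
    """Hypothetical triage rule: a policy result for a device not seen before."""
    return mfa["result__status"] == "POLICY" and mfa["attrs"].get("New Device") == "true"

# The audit line is this page's sample; the MFA event is a shortened,
# constructed version of this page's sample.
AUDIT_SAMPLE = ("2021-12-30 05:40:14,975| tid:aBCdeFgHi123456JKLMNopqRST8910| OAuth| | "
                "192.168.123.123 | | AdaptiveWithNuData| OAuth20| i-abcdefghijklm1234| "
                "AS| inprogress| | | 1")
MFA_SAMPLE = json.dumps({
    "actors": [{"type": "user", "id": None, "name": "kill2554"}],
    "result": {"status": "POLICY",
               "message": "Authentication Details:\nIP Address: 192.168.14.44\n"
                          "New Device: true\nDevice Rooted or Jailbroken: false\n"
                          "Rule Met: \"New device\""}})

if __name__ == "__main__":
    print(parse_security_audit(AUDIT_SAMPLE))
    print(is_new_device_policy_hit(parse_mfa(MFA_SAMPLE)))
```

A description value that itself contains a pipe changes the field count, so the audit parser raises ValueError on such a line instead of shifting columns.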