
auth.ping

Introduction

Tags beginning with auth.ping identify events generated by PingIdentity.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as auth.ping. The third level identifies the type of events sent, and the fourth level indicates the event subtype. 

| Technology | Brand | Type | Subtype |
|---|---|---|---|
| auth | ping | id | mfa |
| auth | ping | federate | security_audit |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| auth.ping.id.mfa | auth.ping.id.mfa |
| auth.ping.federate.security_audit | auth.ping.federate.security_audit |

Log samples

The following are sample logs sent to each of the auth.ping data tables. Under each sample log, a table shows how the information is parsed in your data table.

Fields marked as Extra in the tables below are not shown by default in data tables and must be explicitly requested in the query. They are marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

 

 

auth.ping.id.mfa

2022-02-17 13:26:24.349 localhost=127.0.0.1 auth.ping.id.mfa: {"action": null, "actors": [{"type": "user", "id": null, "name": "kill2554"}], "source": "PINGID", "resources": [], "id": "18093988-1bb9-11ec-9c15-0a47239ab552", "client": null, "result": {"status": "POLICY", "message": "Authentication Details:\\nIP Address: 192.168.14.44\\nPrevious Authentication IP: N/A\\nPrevious Authentication Time: N/A\\nIP Reputation Whitelist Met: false\\nIP Risk Score: N/A\\nCountry: United States\\nPrevious Country: N/A\\nGround Speed: N/A km/h\\nCurrent VPN/Proxy login: N/A\\nPrevious VPN/Proxy login: N/A\\nGeovelocity Whitelist Met: N/A\\nNew Device: true\\nRisk Level: N/A\\nRequested Application ID: urn:amazon:cognito:sp:us-east-1_6ZqXMw2xL\\nRequested Application Name: N/A\\nPassword Reset: false\\nSelf Service Device Management: false\\nTime since last Authentication: N/A\\nAccessing Device UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\\nAccessing Device OS: Windows 10\\nAccessing Device Browser: Chrome 93.0\\nTime since last Authentication from Office: N/A\\nMobile OS Version: iOS 15.0\\nDevice Model: iPhone 8 (GSM)\\nDevice Lock Enabled: true\\nDevice Rooted or Jailbroken: false\\nDevice enrolled in MDM: false\\nPingID App Version: 1.15.0\\nDevice biometrics supported: true\\nAction: Authenticate\\nPolicy Met: SpyCloud Policy\\nRule Met: \\"New device\\"\\nGroup Affected: ALL"}, "recorded": "2021-22-09T15:23:52.780Z"}

And this is how the log would be parsed:

| Field | Value | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|---|
| eventdate | 2022-02-17 13:26:24.349 | timestamp | | | |
| hostname | localhost | str | | | |
| action | null | str | | | |
| actors__type_str | user | str | join(actors__type, ',') | actors__type | |
| actors__id_str | | str | join(actors__id, ',') | actors__id | |
| actors__name_str | kill2554 | str | join(actors__name, ',') | actors__name | |
| source | PINGID | str | | | |
| id | 18093988-1bb9-11ec-9c15-0a47239ab552 | str | | | |
| client2 | null | str | | | |
| result__status | POLICY | str | | | |
| result__message | Authentication Details:\nIP Address: 192.168.14.44\nPrevious Authentication IP: N/A\nPrevious Authentication Time: N/A\nIP Reputation Whitelist Met: false\nIP Risk Score: N/A\nCountry: United States\nPrevious Country: N/A\nGround Speed: N/A km/h\nCurrent VPN/Proxy login: N/A\nPrevious VPN/Proxy login: N/A\nGeovelocity Whitelist Met: N/A\nNew Device: true\nRisk Level: N/A\nRequested Application ID: urn:amazon:cognito:sp:us-east-1_6ZqXMw2xL\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: N/A\nAccessing Device UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\nAccessing Device OS: Windows 10\nAccessing Device Browser: Chrome 93.0\nTime since last Authentication from Office: N/A\nMobile OS Version: iOS 15.0\nDevice Model: iPhone 8 (GSM)\nDevice Lock Enabled: true\nDevice Rooted or Jailbroken: false\nDevice enrolled in MDM: false\nPingID App Version: 1.15.0\nDevice biometrics supported: true\nAction: Authenticate\nPolicy Met: SpyCloud Policy\nRule Met: \ | str | | | |
| recorded | null | str | | | |
| hostchain | localhost=127.0.0.1 | str | | | ✓ |
| tag | auth.ping.id.mfa | str | | | ✓ |
| rawMessage | {"action": null, "actors": [{"type": "user", "id": null, "name": "kill2554"}], "source": "PINGID", "resources": [], "id": "18093988-1bb9-11ec-9c15-0a47239ab552", "client": null, "result": {"status": "POLICY", "message": "Authentication Details:\\nIP Address: 192.168.14.44\\nPrevious Authentication IP: N/A\\nPrevious Authentication Time: N/A\\nIP Reputation Whitelist Met: false\\nIP Risk Score: N/A\\nCountry: United States\\nPrevious Country: N/A\\nGround Speed: N/A km/h\\nCurrent VPN/Proxy login: N/A\\nPrevious VPN/Proxy login: N/A\\nGeovelocity Whitelist Met: N/A\\nNew Device: true\\nRisk Level: N/A\\nRequested Application ID: urn:amazon:cognito:sp:us-east-1_6ZqXMw2xL\\nRequested Application Name: N/A\\nPassword Reset: false\\nSelf Service Device Management: false\\nTime since last Authentication: N/A\\nAccessing Device UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\\nAccessing Device OS: Windows 10\\nAccessing Device Browser: Chrome 93.0\\nTime since last Authentication from Office: N/A\\nMobile OS Version: iOS 15.0\\nDevice Model: iPhone 8 (GSM)\\nDevice Lock Enabled: true\\nDevice Rooted or Jailbroken: false\\nDevice enrolled in MDM: false\\nPingID App Version: 1.15.0\\nDevice biometrics supported: true\\nAction: Authenticate\\nPolicy Met: SpyCloud Policy\\nRule Met: \\"New device\\"\\nGroup Affected: ALL"}, "recorded": "2021-22-09T15:23:52.780Z"} | str | | | ✓ |
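The result__message value arrives as one string of "Key: Value" lines, so detection rules on device posture need a second parsing pass. The following is an added example, not part of the original page or of any vendor code: it splits a message shaped like the one above into a dictionary and lists the device-risk signals it finds. The function names, the choice of keys in RISK_SIGNALS, and the shortened sample message are assumptions of this example.

```python
import re

# Keys from the sample message treated as risk signals (an assumption of this
# example), mapped to the value that should raise attention.
RISK_SIGNALS = {
    "New Device": "true",
    "Device Rooted or Jailbroken": "true",
    "Device Lock Enabled": "false",
    "Device enrolled in MDM": "false",
}

# Constructed sample: a subset of the lines in the parsed result__message
# above, including its truncated "Rule Met: \" tail.
SAMPLE_MESSAGE = (
    r"Authentication Details:\nIP Address: 192.168.14.44\nCountry: United States"
    r"\nGround Speed: N/A km/h\nNew Device: true\nDevice Lock Enabled: true"
    r"\nDevice Rooted or Jailbroken: false\nDevice enrolled in MDM: false"
    r"\nAction: Authenticate\nPolicy Met: SpyCloud Policy\nRule Met: " + "\\"
)

def parse_result_message(message):
    """Split a PingID result__message into a {key: value} dict.

    Lines may be separated by real newlines or by the literal two-character
    sequence backslash-n, as in the parsed value shown above. Lines without
    ': ' (the header) are skipped; empty and 'N/A' values become None.
    """
    fields = {}
    for line in re.split(r"\\n|\n", message):
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        # Drop stray escape characters and quotes left around the value.
        value = value.strip(' \\"')
        fields[key.strip()] = None if not value or value.startswith("N/A") else value
    return fields

def risk_signals(message):
    """Return the sorted RISK_SIGNALS keys whose value matches the risky one."""
    fields = parse_result_message(message)
    return sorted(key for key, risky in RISK_SIGNALS.items()
                  if (fields.get(key) or "").lower() == risky)
```
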

 

 

auth.ping.federate.security_audit

2022-02-17 14:38:51.756 localhost=127.0.0.1 auth.ping.federate.security_audit: 2021-12-30 05:40:14,975| tid:aBCdeFgHi123456JKLMNopqRST8910| OAuth| | 192.168.123.123 | | AdaptiveWithNuData| OAuth20| i-abcdefghijklm1234| AS| inprogress| | | 1

And this is how the log would be parsed:

| Field | Value | Type | Extra fields |
|---|---|---|---|
| eventdate | 2022-02-17 14:38:51.756 | timestamp | |
| hostname | localhost | str | |
| transactionTime | 2021-12-30 05:40:14.975 | timestamp | |
| trackingId | tid:aBCdeFgHi123456JKLMNopqRST8910 | str | |
| event | OAuth | str | |
| subject | null | str | |
| ip | 192.168.123.123 | ip4 | |
| app | null | str | |
| connectionId | AdaptiveWithNuData | str | |
| protocol | OAuth20 | str | |
| host | i-abcdefghijklm1234 | str | |
| role | AS | str | |
| status | inprogress | str | |
| adapterId | null | str | |
| description | null | str | |
| responseTime | 1 | int4 | |
| hostchain | localhost=127.0.0.1 | str | ✓ |
| tag | auth.ping.federate.security_audit | str | ✓ |
| rawMessage | 2021-12-30 05:40:14,975\| tid:aBCdeFgHi123456JKLMNopqRST8910\| OAuth\| \| 192.168.123.123 \| \| AdaptiveWithNuData\| OAuth20\| i-abcdefghijklm1234\| AS\| inprogress\| \| \| 1 | str | ✓ |
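The mapping from the pipe-delimited rawMessage to the named fields in the table above can be reproduced outside the platform, for example to validate forwarded logs before they are sent. This is an added example, not part of the original page or of any vendor code; the function name and the strict column-count check are assumptions, and the column order is taken from the table.

```python
from datetime import datetime

# Column order taken from the parsed-fields table above.
AUDIT_FIELDS = [
    "transactionTime", "trackingId", "event", "subject", "ip", "app",
    "connectionId", "protocol", "host", "role", "status", "adapterId",
    "description", "responseTime",
]

# The rawMessage value from the sample log on this page.
SAMPLE_LINE = (
    "2021-12-30 05:40:14,975| tid:aBCdeFgHi123456JKLMNopqRST8910| OAuth| | "
    "192.168.123.123 | | AdaptiveWithNuData| OAuth20| i-abcdefghijklm1234| "
    "AS| inprogress| | | 1"
)

def parse_security_audit(raw_message):
    """Map one security_audit line onto the field names used in the table."""
    cells = [cell.strip() for cell in raw_message.split("|")]
    # A free-text value that itself contains '|' would shift every later
    # column, so reject the line instead of mis-assigning fields.
    if len(cells) != len(AUDIT_FIELDS):
        raise ValueError(
            f"expected {len(AUDIT_FIELDS)} columns, got {len(cells)}")
    record = {name: (cell or None) for name, cell in zip(AUDIT_FIELDS, cells)}
    if record["transactionTime"] is None:
        raise ValueError("missing transactionTime")
    # The source writes milliseconds after a comma: 2021-12-30 05:40:14,975
    record["transactionTime"] = datetime.strptime(
        record["transactionTime"], "%Y-%m-%d %H:%M:%S,%f")
    if record["responseTime"] is not None:
        record["responseTime"] = int(record["responseTime"])
    return record
```
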

 

 
