- Elastic integrations
- Integrations quick reference
- 1Password
- Abnormal Security
- ActiveMQ
- Active Directory Entity Analytics
- Admin By Request EPM integration
- Airflow
- Akamai
- Apache
- API (custom)
- Arbor Peakflow SP Logs
- Arista NG Firewall
- Atlassian
- Auditd
- Auth0
- authentik
- AWS
- Amazon CloudFront
- Amazon DynamoDB
- Amazon EBS
- Amazon EC2
- Amazon ECS
- Amazon EMR
- AWS API Gateway
- Amazon GuardDuty
- AWS Health
- Amazon Kinesis Data Firehose
- Amazon Kinesis Data Stream
- Amazon MQ
- Amazon Managed Streaming for Apache Kafka (MSK)
- Amazon NAT Gateway
- Amazon RDS
- Amazon Redshift
- Amazon S3
- Amazon S3 Storage Lens
- Amazon Security Lake
- Amazon SNS
- Amazon SQS
- Amazon VPC
- Amazon VPN
- AWS Bedrock
- AWS Billing
- AWS CloudTrail
- AWS CloudWatch
- AWS ELB
- AWS Fargate
- AWS Inspector
- AWS Lambda
- AWS Logs (custom)
- AWS Network Firewall
- AWS Route 53
- AWS Security Hub
- AWS Transit Gateway
- AWS Usage
- AWS WAF
- Azure
- Activity logs
- App Service
- Application Gateway
- Application Insights metrics
- Application Insights metrics overview
- Application State Insights metrics
- Azure logs (v2 preview)
- Azure OpenAI
- Billing metrics
- Container instance metrics
- Container registry metrics
- Container service metrics
- Custom Azure Logs
- Custom Blob Storage Input
- Database Account metrics
- Event Hub input
- Firewall logs
- Frontdoor
- Functions
- Microsoft Entra ID
- Monitor metrics
- Network Watcher VNet
- Network Watcher NSG
- Platform logs
- Resource metrics
- Spring Cloud logs
- Storage Account metrics
- Virtual machines metrics
- Virtual machines scaleset metrics
- Barracuda
- BeyondInsight and Password Safe Integration
- BitDefender
- Bitwarden
- blacklens.io
- Blue Coat Director Logs
- BBOT (Bighuge BLS OSINT Tool)
- Box Events
- Bravura Monitor
- Broadcom ProxySG
- Canva
- Cassandra
- CEL Custom API
- Ceph
- Check Point
- Cilium Tetragon
- CISA Known Exploited Vulnerabilities
- Cisco
- Cisco Meraki Metrics
- Citrix
- Claroty CTD
- Cloudflare
- Cloud Asset Inventory
- CockroachDB Metrics
- Common Event Format (CEF)
- Containerd
- CoreDNS
- Corelight
- Couchbase
- CouchDB
- Cribl
- CrowdStrike
- Cyberark
- Cybereason
- CylanceProtect Logs
- Custom Websocket logs
- Darktrace
- Data Exfiltration Detection
- DGA
- Digital Guardian
- Docker
- DomainTools Real Time Unified Feeds
- Elastic APM
- Elastic Fleet Server
- Elastic Security
- Elastic Stack monitoring
- Elasticsearch Service Billing
- Envoy Proxy
- ESET PROTECT
- ESET Threat Intelligence
- etcd
- Falco
- F5
- File Integrity Monitoring
- FireEye Network Security
- First EPSS
- Forcepoint Web Security
- ForgeRock
- Fortinet
- Gigamon
- GitHub
- GitLab
- Golang
- Google Cloud
- Custom GCS Input
- GCP
- GCP Audit logs
- GCP Billing metrics
- GCP Cloud Run metrics
- GCP CloudSQL metrics
- GCP Compute metrics
- GCP Dataproc metrics
- GCP DNS logs
- GCP Firestore metrics
- GCP Firewall logs
- GCP GKE metrics
- GCP Load Balancing metrics
- GCP Metrics Input
- GCP PubSub logs (custom)
- GCP PubSub metrics
- GCP Redis metrics
- GCP Security Command Center
- GCP Storage metrics
- GCP VPC Flow logs
- GCP Vertex AI
- GoFlow2 logs
- Hadoop
- HAProxy
- Hashicorp Vault
- HTTP Endpoint logs (custom)
- IBM MQ
- IIS
- Imperva
- InfluxDb
- Infoblox
- Iptables
- Istio
- Jamf Compliance Reporter
- Jamf Pro
- Jamf Protect
- Jolokia Input
- Journald logs (custom)
- JumpCloud
- Kafka
- Keycloak
- Kubernetes
- LastPass
- Lateral Movement Detection
- Linux Metrics
- Living off the Land Attack Detection
- Logs (custom)
- Lumos
- Lyve Cloud
- Mattermost
- Memcached
- Menlo Security
- Microsoft
- Microsoft 365
- Microsoft Defender for Cloud
- Microsoft Defender for Endpoint
- Microsoft DHCP
- Microsoft DNS Server
- Microsoft Entra ID Entity Analytics
- Microsoft Exchange Online Message Trace
- Microsoft Exchange Server
- Microsoft Graph Activity Logs
- Microsoft M365 Defender
- Microsoft Office 365 Metrics Integration
- Microsoft Sentinel
- Microsoft SQL Server
- Mimecast
- ModSecurity Audit
- MongoDB
- MongoDB Atlas
- MySQL
- Nagios XI
- NATS
- NetFlow Records
- Netskope
- Network Beaconing Identification
- Network Packet Capture
- Nginx
- Okta
- Oracle
- OpenAI
- OpenCanary
- Osquery
- Palo Alto
- pfSense
- PHP-FPM
- PingOne
- PingFederate
- Pleasant Password Server
- PostgreSQL
- Prometheus
- Proofpoint TAP
- Proofpoint On Demand
- Pulse Connect Secure
- Qualys VMDR
- QNAP NAS
- RabbitMQ Logs
- Radware DefensePro Logs
- Rapid7
- Redis
- Rubrik RSC Metrics Integration
- Sailpoint Identity Security Cloud
- Salesforce
- SentinelOne
- ServiceNow
- Slack Logs
- Snort
- Snyk
- SonicWall Firewall
- Sophos
- Spring Boot
- SpyCloud Enterprise Protection
- SQL Input
- Squid Logs
- SRX
- STAN
- Statsd Input
- Sublime Security
- Suricata
- StormShield SNS
- Symantec
- Symantec Endpoint Security
- Sysmon for Linux
- Sysdig
- Syslog Router Integration
- System
- System Audit
- Tanium
- TCP Logs (custom)
- Teleport
- Tenable
- Threat intelligence
- ThreatConnect
- Threat Map
- Thycotic Secret Server
- Tines
- Traefik
- Trellix
- Trend Micro
- TYCHON Agentless
- UDP Logs (custom)
- Universal Profiling
- Vectra Detect
- VMware
- WatchGuard Firebox
- WebSphere Application Server
- Windows
- Wiz
- Zeek
- ZeroFox
- Zero Networks
- ZooKeeper Metrics
- Zoom
- Zscaler
PingOne
editPingOne
editVersion |
1.19.0 (View all) |
Compatible Kibana version(s) |
8.13.0 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Elastic |
Overview
editThe PingOne integration allows you to monitor audit activity. PingOne is a cloud-based framework for secure identity access management.
Use the PingOne integration to collect and parse data from the REST APIs or HTTP Endpoint input. Then visualize that data in Kibana.
For example, you could use the data from this integration to know which action or activity is performed against a defined PingOne resource, and also track the actor or agent who initiated the action.
Data streams
editThe PingOne integration collects logs for one type of event: Audit.
Audit reporting stores incoming audit messages in a cache and provides endpoints for requesting audit events for a specific time period.
Requirements
editYou need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
This module has been tested against PingOne API version 1.0.
Setup
editTo collect data from the PingOne REST API, follow the steps below:
editCreate a worker application in PingOne and copy the credentials, as follows:
- Go to pingidentity.com, click Sign On and carry out any necessary authentication steps. You will arrive at the PingIdentity console.
- From the navigation sidebar, expand the Applications section and select Applications.
- Click + to begin creating a new application.
- Enter an Application Name.
- Select Worker as the application type.
- Click Save.
- On the application flyout, ensure that the toggle switch in the header is activated, in order to enable the application.
- Select the Roles tab of the application flyout.
- Click the Grant Roles button.
- Under Available responsibilities, in the Environment Admin, section, select the environment(s) to grant access to, then click Save.
- Select the Configuration tab of the application flyout.
- Expand the URLs section and copy the Token Endpoint.
- From the General section, copy the Client ID, Client Secret and Environment ID.
For more information, see the PingOne documentation about Adding an application.
In Elastic, navigate to the PingOne integration, then:
- Click Add PingOne.
- Deactivate the Collect PingOne logs via HTTP Endpoint input.
- Activate the Collect PingOne logs via API input.
- Enter the PingOne API URL for your region in the URL field.
- Enter the credentails copied from the PingOne console into the corresponding fields.
- In the Audit logs data stream section, set an Initial Interval of no more than 2 years.
- Choose an agent policy to add the integration to and click Save and Continue.
To collect data from PingOne via HTTP Endpoint, follow below steps:
editIn Elastic, navigate to the PingOne integration, then:
- Click Add PingOne.
- Deactivate the Collect PingOne logs via API input.
- Activate the Collect PingOne logs via HTTP Endpoint input.
- Set the Listen Address, and (from the Audit logs data stream settings) set and copy the Listen Port and (under Advanced options) the URL Path.
-
In the input settings, enter any SSL Configuration and Secret header
settings appropriate for the endpoint. Make a note of these details for use
while configuring the PingOne webhook. Note: This endpoint will expose a
port to the Internet, so it is advised to have proper network access
configured. PingOne webhooks will only work with a
https://destination URL. - Choose an agent policy to add the integration to and click Save and Continue.
Create a webhook in PingOne, as follows:
- Go to pingidentity.com, click Sign On and carry out any necessary authentication steps. You will arrive at the PingIdentity console.
- From the navigation sidebar, expand the Integrations section and select Webhooks.
- Click the + Add Webhook button to begin creating a new webhook.
-
In Destination URL, enter the full endpoint URL, including the port.
Example format:
https://{EXTERNAL_AGENT_LISTEN_ADDRESS}:{AGENT_LISTEN_PORT}/{URL_PATH}. - As Format select Ping Activity Format (JSON).
- In the Filters section, select all the Event Types you want to collect.
- Enter any TLS settings and Headers required for the webhook to establish connections with the Agent’s HTTP endpoint.
- Click Save.
- Ensure that the toggle switch for the webhook is activated, so that the webhook is enabled.
For more information, see the PingOne documentation about Creating or editing a webhook.
Logs Reference
editaudit
editThis is the audit dataset.
Example
An example event for audit looks as following:
{ "@timestamp": "2022-08-08T15:31:08.237Z", "agent": { "ephemeral_id": "e4d8fc8f-71fa-4e20-bd11-1c06f2e1d137", "id": "f25d13cd-18cc-4e73-822c-c4f849322623", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.10.1" }, "client": { "user": { "id": "123abc123-12ab-1234-1abc-abc123abc12", "name": "PingOne Admin Console" } }, "data_stream": { "dataset": "ping_one.audit", "namespace": "ep", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "f25d13cd-18cc-4e73-822c-c4f849322623", "snapshot": false, "version": "8.10.1" }, "event": { "action": "user.access_allowed", "agent_id_status": "verified", "category": [ "iam", "configuration" ], "dataset": "ping_one.audit", "id": "123abc123-12ab-1234-1abc-abc123abc12", "ingested": "2023-09-22T17:21:19Z", "kind": "event", "original": "{\"_embedded\":{},\"action\":{\"type\":\"USER.ACCESS_ALLOWED\"},\"actors\":{\"client\":{\"environment\":{\"id\":\"123abc123-12ab-1234-1abc-abc123abc12\"},\"href\":\"https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/applications/123abc123-12ab-1234-1abc-abc123abc12\",\"id\":\"123abc123-12ab-1234-1abc-abc123abc12\",\"name\":\"PingOne Admin Console\",\"type\":\"CLIENT\"},\"user\":{\"environment\":{\"id\":\"123abc123-12ab-1234-1abc-abc123abc12\"},\"href\":\"https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/users/123abc123-12ab-1234-1abc-abc123abc12\",\"id\":\"123abc123-12ab-1234-1abc-abc123abc12\",\"name\":\"example@gmail.com\",\"population\":{\"id\":\"123abc123-12ab-1234-1abc-abc123abc12\"},\"type\":\"USER\"}},\"id\":\"123abc123-12ab-1234-1abc-abc123abc12\",\"recordedAt\":\"2022-08-08T15:31:08.237Z\",\"resources\":[{\"environment\":{\"id\":\"123abc123-12ab-1234-1abc-abc123abc12\"},\"href\":\"https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/users/123abc123-12ab-1234-1abc-abc123abc12\",\"id\":\"123abc123-12ab-1234-1abc-abc123abc12\",\"name\":\"example@gmail.com\",\"population\":{\"id\":\"123abc123-12ab-1234-1abc-abc123abc12\"},\"type\":\"USER\"}],\"result\":{\"description\":\"Passed role access control\",\"status\":\"SUCCESS\"}}", "outcome": "success", "type": [ "user", "info", "access" ] }, "input": { "type": "http_endpoint" }, "ping_one": { "audit": { "action": { "type": "USER.ACCESS_ALLOWED" }, "actors": { "client": { "environment": { "id": "123abc123-12ab-1234-1abc-abc123abc12" }, "href": "https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/applications/123abc123-12ab-1234-1abc-abc123abc12", "id": "123abc123-12ab-1234-1abc-abc123abc12", "name": "PingOne Admin Console", "type": "CLIENT" }, "user": { "environment": { "id": "123abc123-12ab-1234-1abc-abc123abc12" }, "href": "https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/users/123abc123-12ab-1234-1abc-abc123abc12", "id": "123abc123-12ab-1234-1abc-abc123abc12", "name": "example@gmail.com", "population": { "id": "123abc123-12ab-1234-1abc-abc123abc12" }, "type": "USER" } }, "id": "123abc123-12ab-1234-1abc-abc123abc12", "recorded_at": "2022-08-08T15:31:08.237Z", "resources": [ { "environment": { "id": "123abc123-12ab-1234-1abc-abc123abc12" }, "href": "https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/users/123abc123-12ab-1234-1abc-abc123abc12", "id": "123abc123-12ab-1234-1abc-abc123abc12", "name": "example@gmail.com", "population": { "id": "123abc123-12ab-1234-1abc-abc123abc12" }, "type": "USER" } ], "result": { "description": "Passed role access control", "status": "SUCCESS" } } }, "related": { "user": [ "123abc123-12ab-1234-1abc-abc123abc12", "PingOne Admin Console", "example@gmail.com" ] }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "ping_one-audit" ], "url": { "domain": "api.pingone.asia", "original": "https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/users/123abc123-12ab-1234-1abc-abc123abc12", "path": "/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/users/123abc123-12ab-1234-1abc-abc123abc12", "scheme": "https" }, "user": { "id": "123abc123-12ab-1234-1abc-abc123abc12", "name": "example@gmail.com" } }
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
Event dataset. |
constant_keyword |
event.module |
Event module. |
constant_keyword |
host.containerized |
If the host is a container. |
boolean |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
input.type |
Input type |
keyword |
log.offset |
Log offset |
long |
ping_one.audit.action.description |
A string that specifies the description of the action performed. |
text |
ping_one.audit.action.type |
A string that specifies the type of action performed (such as authentication or password reset). |
keyword |
ping_one.audit.actors.client.environment.id |
A string that specifies the ID of the environment resource associated with the client. |
keyword |
ping_one.audit.actors.client.href |
A string that specifies the URL for the specified client resource. |
keyword |
ping_one.audit.actors.client.id |
A string that specifies the ID of the client. |
keyword |
ping_one.audit.actors.client.name |
A string that specifies the name assigned to the client for PingOne sign on. |
keyword |
ping_one.audit.actors.client.type |
A string that specifies the type of actor. Options are USER or CLIENT. |
keyword |
ping_one.audit.actors.user.environment.id |
A string that specifies the ID of the environment resource associated with the user. |
keyword |
ping_one.audit.actors.user.href |
A string that specifies the URL for the specified user resource. |
keyword |
ping_one.audit.actors.user.id |
A string that specifies the ID of the user. |
keyword |
ping_one.audit.actors.user.name |
A string that specifies the name assigned to the user for PingOne sign on. |
keyword |
ping_one.audit.actors.user.population.id |
A string that specifies the ID of the population resource associated with the user. |
keyword |
ping_one.audit.actors.user.type |
A string that specifies the type of actor. Options are USER or CLIENT. |
keyword |
ping_one.audit.correlation.id |
A string that specifies a PingOne identifier for multiple messages in a transaction. |
keyword |
ping_one.audit.created_at |
The date and time at which the event was created (ISO 8601 format). |
date |
ping_one.audit.embedded |
flattened |
|
ping_one.audit.id |
A string that specifies the ID of the audit activity event. |
keyword |
ping_one.audit.recorded_at |
The date and time at which the event was recorded (ISO 8601 format). |
date |
ping_one.audit.resources.environment.id |
The UUID assigned as the key for the environment resource. |
keyword |
ping_one.audit.resources.href |
A string that specifies the URL for the specified resource. |
keyword |
ping_one.audit.resources.id |
A string that specifies the ID assigned as the key for the identifier resource (such as the environment, population or event message). |
keyword |
ping_one.audit.resources.name |
A string that can be either the user name or the name of the environment, based on the resource type. |
keyword |
ping_one.audit.resources.population.id |
The UUID assigned as the key for the population resource. |
keyword |
ping_one.audit.resources.type |
A string that specifies the type of resource associated with the event. Options are USER, ORGANIZATION, or ENVIRONMENT. |
keyword |
ping_one.audit.result.description |
A string that specifies the description of the result of the operation. |
text |
ping_one.audit.result.id |
A string that specifies the ID for the result of the operation. |
keyword |
ping_one.audit.result.status |
A string that specifies the result of the operation. Options are succeeded or failed. |
keyword |
ping_one.audit.tags |
A string identifying the activity as the action of an administrator on other administrators. |
keyword |
Changelog
editChangelog
| Version | Details | Kibana version(s) |
|---|---|---|
1.19.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.18.1 |
Bug fix (View pull request) |
8.13.0 or higher |
1.18.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.17.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.16.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.15.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.14.1 |
Bug fix (View pull request) |
8.12.0 or higher |
1.14.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.13.2 |
Bug fix (View pull request) |
8.7.1 or higher |
1.13.1 |
Enhancement (View pull request) |
8.7.1 or higher |
1.13.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.12.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.11.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.10.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.9.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.8.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.7.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.6.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.5.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.4.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.3.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.2.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.1.0 |
Enhancement (View pull request) |
7.17.0 or higher |
1.0.0 |
Enhancement (View pull request) |
7.17.0 or higher |
0.3.1 |
Enhancement (View pull request) |
— |
0.3.0 |
Enhancement (View pull request) |
— |
0.2.0 |
Enhancement (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |
On this page