PingOne

PingOne is a cloud-based identity as a service (IDaaS) framework for secure identity access management. PingOne uses an organization-based model to define tenant accounts and their related entities in the PingOne platform.

You can send event data from your PingOne account to InsightIDR through the Cloud.

To set up PingOne:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure PingOne to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.

You can also:

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the third-party vendor's product documentation.

Requirements

Before you can use the PingOne Read Audit Activities API, you'll need to:

Configure PingOne to send data to InsightIDR

To allow InsightIDR to receive data from PingOne, you must create an application connection and give role permissions from your PingOne account.

  1. Sign in to your PingOne account.
  2. Follow the instructions at: https://apidocs.pingidentity.com/pingone/main/v1/api/#create-an-application-connection

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Task 1: Select PingOne

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for PingOne in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the PingOne event source tile.

Task 2: Set up your collection method

There is one method of collecting data from PingOne: through a cloud connection.

New credentials are required for cloud event sources

You cannot reuse existing on-premise credentials to create a cloud connection with this event source. You must create new credentials.

  1. In the Add Event Source panel, select Run On Cloud.
  2. Name the event source. This will become the name of the log that contains the event data in Log Search.
  3. Optionally, select the option to send unparsed data.
  4. Select your LDAP Account Attribution preference:
    • Use short name attribution: Applies the short name of the user without the domain suffix in the username field. For example, if the username was jsmith@myorg.example.com, the short name would be jsmith.
    • Use fully qualified domain name attribution: If you have a multi-domain environment, this option works best to attribute users and assets.
  5. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  6. Click Add a New Connection.
  7. In the Create a Cloud Connection screen, enter a name for the new connection.
  8. In the Region field, select the region of the PingOne instance from the dropdown menu.
  9. In the Environment ID field, add your Environment ID.
  10. In the Credentials section, create new credentials for Client ID and Client Secret:
    • Name your credentials.
    • Describe your credentials.
    • Select the credential type.
    • Enter the Client ID and Client Secret details.
  11. Click Save Connection.
  12. Click Save.

Test the configuration

The event types that InsightIDR parses are:

  • Read Audit Activities: Information about filtered audit activity events for a selected environment.

To test that event data is flowing into InsightIDR:

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. Wait approximately 7 minutes, then open Log Search.

Next, verify that log entries are appearing in Log Search:

  1. In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. PingOne logs should flow into these log sets:
    • Cloud Service
    • Ingress Authentication
  2. Select the log sets and the logs within them.
  3. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful to know when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log set(s): Cloud Service and Ingress Authentication.

Here is a typical log entry that is created by the event source:

Sample read audit activities log

```json
{
  "_links": {
    "next": {
      "href": "https://api.pingone.eu/v1/environments/<EnvironmentID>/activities?cursor=eyJvZmZzZXRUeXBlIjoibmV4dCIsIm9yZ0lkIjoiY2M3ZDdiMDgtOWExNC00MmJiLWIzNzMtZDFjNzhkZGI0ODhkIiwiZW52SWQiOiI3MzQ1MmIzYi05MDliLTQ1YzMtODc2MS0zNDNhN2NlODRkMjQiLCJmaWx0ZXIiOiIocmVjb3JkZWRhdCBndCBcIjIwMjQtMDYtMDVUMDA6MDA6MDBaXCIgYW5kIHJlY29yZGVkYXQgbHQgXCIyMDI0LTA2LTA1VDIzOjU5OjAwWlwiKSIsInByZXZDb2x1bW5zIjp7ImV2ZW50X2lkIjoiZDY0YjI2ODctNjNlMy00MWYzLTk3ODQtMDRmZDRjMTA2YzAyIiwidGltZV9wZXJpb2QiOjE3MTc1NzQ0MDAwMDAsImV2ZW50X3RpbWUiOjI5ODk0NTc4MDAwMDAwfSwiZXhwZWN0ZWRDbGFzc2VzIjp7ImV2ZW50X2lkIjoiamF2YS51dGlsLlVVSUQiLCJ0aW1lX3BlcmlvZCI6ImphdmEudXRpbC5EYXRlIiwiZXZlbnRfdGltZSI6ImphdmEubGFuZy5Mb25nIn0sImxpbWl0IjoxMDB9"
    },
    "self": {
      "href": "https://api.pingone.eu/v1/environments/<EnvironmentID>/activities"
    }
  },
  "_embedded": {
    "activities": [
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.eu/v1/environments/<EnvironmentID>/activities/96c61fa3-7507-4aac-988c-3d7b674779f5"
          }
        },
        "id": "96c61fa3-7507-4aac-988c-3d7b674779f5",
        "recordedAt": "2024-06-05T11:04:44.647Z",
        "createdAt": "2024-06-05T11:04:44.661Z",
        "correlationId": "7a74dd77-35c4-4638-a1ed-8d8f59245405",
        "internalCorrelation": {
          "sessionId": "dd9a5dca-acc9-4ab2-82d8-94a7ac2a1b1c"
        },
        "actors": {
          "client": {
            "id": "adminui",
            "name": "adminui",
            "type": "CLIENT"
          },
          "user": {
            "id": "3482f2a4-1ecd-4cd4-85c7-e27d284c4bed",
            "name": "rbowden@rapid7.com",
            "environment": {
              "id": "6e477ec2-1dc0-4301-8ea1-cb568af6fa52"
            },
            "population": {
              "id": "37d44c42-d150-4e43-b3b7-59c09ae80639"
            },
            "href": "https://api.pingone.eu/v1/environments/<EnvironmentID>/users/3482f2a4-1ecd-4cd4-85c7-e27d284c4bed",
            "type": "USER"
          }
        },
        "source": {
          "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
          "ipAddress": "212.36.185.220"
        },
        "action": {
          "type": "SECRET.READ",
          "description": "Secret Read"
        },
        "resources": [
          {
            "type": "APPLICATION",
            "id": "1b445a97-3cd1-48d0-a26d-2b49d5a24611",
            "name": "test 4",
            "environment": {
              "id": "73452b3b-909b-45c3-8761-343a7ce84d24"
            },
            "href": "https://api.pingone.eu/v1/environments/<EnvironmentID>/applications/1b445a97-3cd1-48d0-a26d-2b49d5a24611"
          }
        ],
        "result": {
          "status": "SUCCESS",
          "description": "Client secret read for application '1b445a97-3cd1-48d0-a26d-2b49d5a24611'"
        },
        "id": "96c61fa3-7507-4aac-988c-3d7b674779f5"
      },
      {
        "_links": {
          "self": {
            "href": "https://api.pingone.eu/v1/environments/<EnvironmentID>/activities/f15e76d2-bec4-40bc-ac53-d880c524175c"
          }
        },
        "id": "f15e76d2-bec4-40bc-ac53-d880c524175c",
        "recordedAt": "2024-06-05T10:16:05.310Z",
        "createdAt": "2024-06-05T10:16:05.324Z",
        "correlationId": "53a1a720-8ac2-47f3-98c1-5b19dc62deed",
        "internalCorrelation": {
          "sessionId": "dd9a5dca-acc9-4ab2-82d8-94a7ac2a1b1c"
        },
        "actors": {
          "client": {
            "id": "adminui",
            "name": "adminui",
            "type": "CLIENT"
          },
          "user": {
            "id": "3482f2a4-1ecd-4cd4-85c7-e27d284c4bed",
            "name": "rbowden@rapid7.com",
            "environment": {
              "id": "6e477ec2-1dc0-4301-8ea1-cb568af6fa52"
            },
            "population": {
              "id": "37d44c42-d150-4e43-b3b7-59c09ae80639"
            },
            "href": "https://api.pingone.eu/v1/environments/<EnvironmentID>/users/3482f2a4-1ecd-4cd4-85c7-e27d284c4bed",
            "type": "USER"
          }
        },
        "source": {
          "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
          "ipAddress": "212.36.185.220"
        },
        "action": {
          "type": "ROLE_ASSIGNMENT.DELETED",
          "description": "Role Assignment Deleted"
        },
        "resources": [
          {
            "type": "APPLICATION",
            "id": "ec6d9f30-fb1f-40e5-95ab-174a4f1d1326",
            "name": "ec6d9f30-fb1f-40e5-95ab-174a4f1d1326",
            "environment": {
              "id": "73452b3b-909b-45c3-8761-343a7ce84d24"
            },
            "href": "https://api.pingone.eu/v1/environments/<EnvironmentID>/applications/1b445a97-3cd1-48d0-a26d-2b49d5a24611/roleAssignments/ec6d9f30-fb1f-40e5-95ab-174a4f1d1326"
          }
        ],
        "result": {
          "status": "SUCCESS",
          "description": "Deleted Role Assignment ec6d9f30-fb1f-40e5-95ab-174a4f1d1326 for role '1813bc13-8d13-4e88-a825-d40bfe82777b' scoped for ORGANIZATION 'cc7d7b08-9a14-42bb-b373-d1c78ddb488d'"
        },
        "id": "f15e76d2-bec4-40bc-ac53-d880c524175c"
      }
    ]
  }
}
```
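
The sample above shows which keys carry the security-relevant detail: `action.type`, `actors`, `source.ipAddress`, `result.status` and `internalCorrelation.sessionId`. The following added example (not Rapid7 or Ping Identity code) reduces a response of that shape to those keys and groups successful watched actions by session. The helper names `flatten` and `watched_by_session`, the choice of watchlist, and all sample values are assumptions of this example.

```python
import json
from collections import defaultdict

# Action types seen in the page's sample log; using them as the watchlist
# is an assumption of this example.
WATCHED = {"SECRET.READ", "ROLE_ASSIGNMENT.DELETED"}

# Constructed sample in the shape of the page's log (all values made up).
SAMPLE = json.loads("""{"_embedded": {"activities": [
 {"recordedAt": "2024-06-05T11:04:44.647Z",
  "internalCorrelation": {"sessionId": "s-1"},
  "actors": {"client": {"id": "adminui"}, "user": {"name": "admin@example.com"}},
  "source": {"ipAddress": "203.0.113.10"}, "action": {"type": "SECRET.READ"},
  "resources": [{"type": "APPLICATION", "id": "app-1"}],
  "result": {"status": "SUCCESS"}},
 {"recordedAt": "2024-06-05T10:16:05.310Z",
  "internalCorrelation": {"sessionId": "s-1"},
  "actors": {"client": {"id": "adminui"}, "user": {"name": "admin@example.com"}},
  "source": {"ipAddress": "203.0.113.10"},
  "action": {"type": "ROLE_ASSIGNMENT.DELETED"},
  "resources": [{"type": "APPLICATION", "id": "ra-1"}],
  "result": {"status": "SUCCESS"}},
 {"recordedAt": "2024-06-05T09:00:00.000Z",
  "actors": {"client": {"id": "worker"}},
  "action": {"type": "EXAMPLE.UNWATCHED"}, "result": {"status": "SUCCESS"}}
]}}""")

def flatten(activity):
    """Reduce one activity to the keys worth querying; tolerate missing ones."""
    actors = activity.get("actors", {})
    actor = actors.get("user") or actors.get("client") or {}
    return {
        "time": activity.get("recordedAt", ""),
        "session": activity.get("internalCorrelation", {}).get("sessionId"),
        "actor": actor.get("name") or actor.get("id"),
        "ip": activity.get("source", {}).get("ipAddress"),
        "action": activity.get("action", {}).get("type"),
        "status": activity.get("result", {}).get("status"),
        "resources": [f"{r.get('type')}:{r.get('id')}"
                      for r in activity.get("resources", [])],
    }

def watched_by_session(page):
    """Group successful watched actions by session ID, oldest first."""
    sessions = defaultdict(list)
    for row in map(flatten, page.get("_embedded", {}).get("activities", [])):
        if row["action"] in WATCHED and row["status"] == "SUCCESS":
            sessions[row["session"]].append(row)
    return {s: sorted(v, key=lambda r: r["time"]) for s, v in sessions.items()}
```

Grouping by session ID puts a secret read and a role-assignment deletion from the same admin session side by side, which is the relationship visible in the page's two sample events.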