Ingest authentication logs from PingFederate

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide
Abstract

Ingest authentication logs and data from PingFederate for use in Cortex XDR authentication stories.

Notice

Requires the Data Collection add-on.

Note

Collecting data from Corelight Zeek, Forcepoint DLP, and PingFederate by activating the Syslog Collector applet is only possible in your tenant if the tenant was activated before October 1, 2025 with an active Data Collection add-on.

To receive authentication logs from PingFederate, you must first write Audit and Provisioner Audit Logs to CEF in PingFederate and then set up a Syslog Collector in Cortex XDR to receive the logs. After you set up log collection, Cortex XDR immediately begins receiving new authentication logs from the source. Cortex XDR creates a dataset named ping_identity_pingfederate_raw. Logs from PingFederate are searchable in Cortex Query Language (XQL) queries using the dataset and surfaced, when relevant, in authentication stories.

  1. Activate the Syslog Collector.

  2. Set up PingFederate to write logs in CEF.

    To set up the integration, you must have an account for the PingFederate management dashboard and access to create a subscription for SSO logs.

    In your PingFederate deployment, write audit logs in CEF. During this setup, you will need the IP address and port you configured in the Syslog Collector.

  3. To search for specific authentication logs or data, you can Create an Authentication Query or use the XQL Search.
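Before relying on the dataset, it helps to confirm that the audit lines PingFederate writes are well-formed CEF, because a malformed header or unescaped delimiter is a common reason for events to arrive unparsed. The following Python check is an added example, not part of the Cortex XDR or PingFederate documentation; the sample line, the host name `pf-host`, and the vendor, product and field values are constructed placeholders.

```python
import re

HEADER = ("version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")
SEVERITY_WORDS = {"Unknown", "Low", "Medium", "High", "Very-High"}
# key=value pairs; a value runs until the next " key=" or the end of the line.
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|\s*$)")

def _unescape(value):
    # Extension escapes: \\ and \= decode to the literal character, \n to a newline.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def parse_cef(line):
    """Parse one syslog line carrying CEF; raise ValueError if it is malformed."""
    start = line.find("CEF:")          # skip any syslog prefix before the CEF payload
    if start < 0:
        raise ValueError("no CEF: marker, source is not writing CEF")
    body, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1]); i += 2        # escaped pipe or backslash in header
        elif body[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    if len(fields) < len(HEADER):
        raise ValueError("expected 7 pipe-delimited header fields")
    event = dict(zip(HEADER, fields))
    sev = event["severity"]
    if not event["version"].isdigit():
        raise ValueError("bad CEF version")
    if not (sev in SEVERITY_WORDS or (sev.isdigit() and int(sev) <= 10)):
        raise ValueError("bad severity")
    event["extension"] = {k: _unescape(v) for k, v in EXT_PAIR.findall(body[i:])}
    return event

# Constructed sample line (not real PingFederate output; all values are placeholders).
SAMPLE = (r"<134>Jul 13 10:15:02 pf-host CEF:0|ExampleVendor|ExampleProduct|1.0|"
          r"AUTHN_ATTEMPT|SSO\|login|3|src=10.0.0.5 suser=alice "
          r"msg=login failed\=bad password outcome=failure")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```
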