Ingest Authentication Logs from PingFederate - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Ingest authentication logs and data from PingFederate for use in Cortex XDR authentication stories.


Ingesting Authentication Logs requires a Cortex XDR Pro per GB license.

To receive authentication logs from PingFederate, you must first write Audit and Provisioner Audit Logs to CEF in PingFederate and then set up a Syslog Collector in Cortex XDR to receive the logs. After you set up log collection, Cortex XDR immediately begins receiving new authentication logs from the source. Cortex XDR creates a dataset named ping_identity_pingfederate_raw. Logs from PingFederate are searchable in Cortex Query Language (XQL) queries using the dataset and surfaced, when relevant, in authentication stories.

  1. Activate the Syslog Collector.

  2. Set up PingFederate to write logs in CEF.

    To set up the integration, you must have an account for the PingFederate management dashboard and access to create a subscription for SSO logs.

    In your PingFederate deployment, write audit logs in CEF. During this set up you will need the IP address and port you configured in the Syslog Collector.

  3. To search for specific authentication logs or data, you can Create an Authentication Query or use the XQL Search.