Ingest authentication logs from PingFederate

Product: Cortex XSIAM
Category: Administrator Guide
Creation date: 2024-03-06
Last date published: 2024-10-10

Abstract

Ingest authentication logs and data from PingFederate for use in Cortex XSIAM authentication stories.

To receive authentication logs from PingFederate, you must first configure PingFederate to write its Audit and Provisioner Audit logs in CEF format and forward them over syslog, and set up a Syslog Collector in Cortex XSIAM to receive them. Once log collection is configured, Cortex XSIAM begins receiving new authentication logs from PingFederate immediately; logs generated before that point are not collected retroactively. Cortex XSIAM stores the logs in a dataset named ping_identity_pingfederate_raw. Logs from PingFederate are searchable in Cortex Query Language (XQL) queries against that dataset and are surfaced, when relevant, in authentication stories.

  1. Activate the Syslog Collector in Cortex XSIAM.

    Note the IP address and port the collector listens on; you need both to configure PingFederate in the next step.

  2. Set up PingFederate to write logs in CEF.

    To set up the integration, you must have an account for the PingFederate management dashboard and access to create a subscription for SSO logs.

    In your PingFederate deployment, write the Audit and Provisioner Audit logs in CEF format and send them to the IP address and port you configured in the Syslog Collector. During this setup you will need both values.

  3. To search for specific authentication logs or data in the ping_identity_pingfederate_raw dataset, create an Authentication Query or use the XQL Search.
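Before relying on production traffic to prove the path, it helps to push one hand-built event through it and confirm that it lands in the dataset. The script below is an added example, not code from the Cortex XSIAM documentation or from Ping Identity. It builds one event in the general CEF shape (the vendor and product strings, signature ID and extension keys are illustrative assumptions, not PingFederate's actual output), parses the line back to verify the CEF escaping, wraps it in an RFC 5424 syslog header, and sends it to the collector IP address and port from step 1. Newline-delimited TCP framing and the local0 facility are assumptions; match whatever the Syslog Collector was configured with.

```python
"""Smoke-test the PingFederate -> Cortex XSIAM syslog path with a constructed CEF event.

Added example; not code from the Cortex XSIAM documentation or from Ping Identity.
The vendor/product strings, signature ID and extension keys in SAMPLE_EVENT are
illustrative assumptions about the shape of PingFederate's audit CEF output, not a
copy of it. Syslog transport is assumed to be TCP with newline-delimited frames.
"""
import re
import socket
import sys
from datetime import datetime, timezone

# Constructed sample in the general CEF shape: CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext
SAMPLE_EVENT = {
    "vendor": "Ping Identity",          # assumed vendor string
    "product": "PingFederate",          # assumed product string
    "version": "12.0",                  # assumed device version
    "sig_id": "SSO",                    # assumed signature ID
    "name": "Single sign-on",           # assumed event name
    "severity": 3,
    "ext": {                            # assumed extension keys (standard CEF key names)
        "suser": "alice@example.com",
        "src": "203.0.113.10",
        "outcome": "success",
        "msg": "status=OK pipe|ok",     # exercises '=' escaping inside an extension value
    },
}


def _esc_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    """CEF extension values: escape backslash and '=', encode CR/LF as \\r and \\n."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, sig_id, name, severity, ext):
    """Serialise one event as a CEF:0 line."""
    header = "|".join(_esc_header(str(f)) for f in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


# key=value pairs; a value runs until the next " key=" or end of line, so escaped "\=" stays inside it
_EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def _unesc_ext(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse a CEF line into its seven header fields plus an extension dict.

    Raises ValueError on a malformed header; run this over the first lines the
    collector receives before trusting the feed.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, cur, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < 7:      # seven pipe-delimited header fields
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped '|' or '\' inside a header field
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    keys = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    event = dict(zip(keys, fields))
    event["extension"] = {k: _unesc_ext(v) for k, v in _EXT_KV.findall(line[i:])}
    return event


def syslog_frame(cef_line, hostname="pingfederate01", app_name="PingFederate",
                 facility=16, severity=6, when=None):
    """Wrap a CEF line in an RFC 5424 syslog header, newline-terminated (assumed framing)."""
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity                  # local0.info -> <134>
    ts = when.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {cef_line}\n".encode("utf-8")


def send_to_collector(host, port, frame, timeout=5.0):
    """Send one frame to the Syslog Collector over TCP; returns the number of bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])     # collector IP address and port from step 1
    line = build_cef(**SAMPLE_EVENT)
    parse_cef(line)                                # fail fast on a malformed line
    print(f"sent {send_to_collector(host, port, syslog_frame(line))} bytes:\n{line}")
```

Run it as `python3 cef_smoke_test.py <collector-ip> <port>`, then in XQL Search run `dataset = ping_identity_pingfederate_raw | limit 20` after a short delay. If the constructed event shows up, the collector and dataset mapping work and any remaining gap is on the PingFederate side (log category not enabled, wrong destination, or non-CEF layout). If the TCP connection succeeds but nothing appears, check that the collector's protocol and port match what the script sent.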