--- title: Viewing policy events in the PingID report description: Generate a PingID report to view a range of PingID events. component: pingid page_id: pingid:pingid_service_management:pid_viewing_policy_events_pid_report canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/pid_viewing_policy_events_pid_report.html revdate: January 29, 2024 section_ids: about-this-task: About this task steps: Steps result: Result policy-event-examples: Policy event examples authentication-not-requested-because-the-user-recently-authenticated-successfully: Authentication not requested because the user recently authenticated successfully authentication-unsuccessful: Authentication unsuccessful pairing-successful: Pairing successful pairing-denied: Pairing denied --- # Viewing policy events in the PingID report Generate a PingID report to view a range of PingID events. ## About this task There are two types of policy events included in the PingID report: * `Pairing Details` event Provides details of a user's pairing attempt, based on the Device & Pairing rules. For more information, see [Device and pairing policy](pid_device_and_pairing_policy.html). * `Authentication Details` event Provides details of a user's authentication attempt, based on the defined policy rules together with the Device & Pairing rules. For more information, see [Configuring a global authentication policy (default policy)](pid_configuring_global_authentication_policy_default.html), [Configuring a RADIUS PCV and SSH access policy](pid_configuring_radius_pcv_and_ssh_policy.html), and [Device and pairing policy](pid_device_and_pairing_policy.html). The entry also indicates the apps and groups to which a policy is applied, if applicable. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | - Policy-related event data, such as `IP Address` and `Country`, is only included in report events when the accessing device is able to push the data as part of the authentication flow. For offline authentication events and authentication failure events, policy-related fields will therefore show results as `N/A`. - For an overview of running and filtering PingID reports, see [Running the PingID activity report](pid_run_activity_report.html). | ## Steps 1. In the PingOne admin console, go to **Dashboard → Reporting**. 2. From the **Report Type** list, select **PingID**. 3. In the **Within** field, enter `7`, and then select **Days** from the list. Click **Run**. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------- | | | You can filter the results by changing the **Time Range** or entering a string in the **Filter** field and then running the report again. | ![Screen capture of the Reporting tab showing the Report Parameters entered for PingID within 7 days. Below the Report Parameters the Report for PingID within the last 7 days is displayed.](_images/vop1564020540137.png) ## Result The PingID report displays, showing results for the past 7 days by default. Policy-related entries are identified by the following information: * **Timestamp** The time at which the policy event occurred. * **Subject** The user to whom the policy was applied. * **Message** A list of policy-related fields providing detailed information about policy-related events. The first line of the **Message** field indicates whether the event is a `Pairing Details` event or an `Authentication Details` event. * **Status** The status `POLICY` indicates that the event is a policy related event. Each policy entry lists values for the relevant policy elements. The following table describes the elements that can be included in a policy event and their potential values. NOTE: The order of the elements in the table corresponds to the order of the elements in the displayed report. | Policy element | Value | | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Type of event | `Authentication Details` or `Pairing Details`. | | IP Address | The IP address of the accessing device. | | Previous Authentication IP | The IP address of the IP address of the accessing device used in the previous sign on. | | Previous Authentication Time | The time of the last successful authentication. | | IP Reputation Whitelist Met | Indicates whether the IP address of the accessing device appears in the IP reputation rule white list (`true` or `false`). | | Geovelocity Whitelist Met | Indicates whether the IP address of the accessing device appears in the Geovelocity rule white list (`true` or `false`). | | IP Risk Score | The risk score category of the IP address of the accessing device (`Low`, `Medium`, or `High`). | | Country | The location from which the accessing device is communicating. | | Previous Country | The location from which the accessing device communicated during the last sign on. | | Ground Speed | The speed taken to travel between the current login location and the previous location, in the time that elapsed since the previous sign on (`km/h`). If the speed exceeds 1000 km/h, the rule is triggered. | | Current VPN/Proxy login | Whether the accessing device for the current sign on is using a proxy or VPN. Possible values are `true` or `false`. If this value is true, the Geovelocity rule is ignored. | | Previous VPN/Proxy login | Indicates the accessing device for the previous sign on was using a proxy or VPN. Possible values are `true` or `false`. If this value is `true`, the Geovelocity rule is ignored. | | New Device | Whether the accessing device is new. Possible values are `true` or `false`. | | Requested Application ID | The ID of the app the user is trying to access. | | Requested Application Name | The name of the app the user is trying to access. | | Password Reset | Indicates whether the user tried to reset the SSO password. Possible values are `true` or `false`. | | Self Service Device Management | Whether the user tried to access the **Devices** page. Possible values are `true` or `false`. | | Time since last Authentication | The amount of time that has passed since the last authentication. `In the last minutes.` | | Accessing Device UserAgent | The user agent string of the browser on the accessing device. | | Accessing Device OS | The name and version of the OS on the accessing device, for example, `OS X 10,15`. | | Accessing Device Browser | The browser used on the accessing device, for example, `Chrome 89.0` | | Allowed Authentication Methods | The allowed authentication methods in the applied policy. This information is displayed in the event that a user attempts to authenticate with a device that is not allowed by this policy. | | Time since last Authentication from Office | The last time the user authenticated from the office, in minutes. If no office is defined, the value is `N/A`. | | Mobile OS Version | The OS name and version of the authenticating device. For example, `iOS 9.3.2`. | | Device Model | The make and model of the authenticating device. For example, `iPhone 6S`. | | Device Lock Enabled | Whether device lock is enabled on the mobile device. Possible values are `true` or `false`. | | Device Rooted or Jailbroken | Whether the mobile device rooted or jailbroken. Possible values are `true` or `false`. | | Device enrolled in MDM | Whether the mobile device is enrolled in mobile device management (MDM). Possible values are `true` or `false`. | | PingID App version | The version of the PingID app on the user device. For example, `1.8.1`. | | Action | The action defined for this policy:- Approve Authentication is approved without any further action from the user. - Deny Authentication is denied. - Swipe A push notification is sent to the user requiring swipe to authenticate. - Biometrics A push notification is sent to the user requiring the user to authenticate using their device biometrics. - OTP The user is prompted to enter a one-time passcode to authenticate. | | Policy/Policies not Met | The name of the policy/policies that were not met during the pairing or authentication action. | | Policy/Policies Met | The name of the policy or policies with which the action complied. | | Rule Met | The rule within the policy that was executed. | | Group Affected | The groups to which the policy was applied. | ## Policy event examples The following examples illustrate common policy event scenarios. ### Authentication not requested because the user recently authenticated successfully When performing an action that normally requires authentication, a user is not requested to authenticate (`Action:``Approve`) because they already authenticated within the time stated in the policy (`Rule Met:` `"Time since user's last authentication: 2 minutes"`. ![Screen capture of the PingID report showing how authentication is not requested.](_images/anv1564020953173.png) ### Authentication unsuccessful The policy does not support the specific mobile device. Authentication is denied to a user attempting to sign on using a device that is no longer supported (`Device Model: Moto E with 4G LTE (2nd Gen)`; `Authentication Successful: No`; `Policies not Met: Device model not supported`). ![Screen capture of the PingID report showing an unsuccessful authentication due to the device not being supported.](_images/vjm1564020954020.png) ### Pairing successful When pairing a device, an authentication action policy event entry is displayed after the pairing attempt entry. Pairing event shows successful pairing of an iPhone 6S (`Device Paired "iPhone 6S"` `Status=SUCCESS`. Authentication event shows `New Device: true`). ![Screen capture of the PingID report showing the successful pairing of an iPhone 6s.](_images/hmd1564020954915.png) ### Pairing denied A user's attempt to pair with an iPhone 6 fails, because the device is not supported. The event type (`Pairing Details`) indicates `Device Model: iPhone 6S`, `Policies not Met: Device model not supported`.![Screen capture of the PingID report showing how the pairing of an iPhone 6 is denied due to not being supported.](_images/jnq1564020955685.png)