1. Go to Integrations > Webhooks.
  2. Click + Add Webhook or expand an existing webhook to edit it.
  3. Enter a descriptive name for the connection.
  4. Enter the Destination information.

    These settings configure the connection to the monitoring system.

    • Destination URL: The IP address or hostname of the application that you want to send data to.

      IPv6 addresses are not supported.

    • Format: The format of the activity data. Select the format that is most easily consumed by your management system:
      • Splunk: A Splunk-friendly format.
      • Ping Activity Format: Use this format if the destination cannot directly accept the Splunk or New Relic formats. It's a versatile, generic JSON format, which is the same used by the PingOne API for accessing event data using Audit Activities. For more information, see the Subscription Action Types table in Subscriptions (webhooks).
      • New Relic: A New Relic-friendly format.
    • Certificates: A certificate to ensure that the connection is secure. Browse existing certificates, or upload a new one.
    • Allow TLS connection with untrusted certificates: Select this option to allow a certificate that is not from a certificate authority (CA). PingOne certificates, and all certificates signed by the default CAs are trusted. This option is typically used for testing. For more information, see Certificates and key pairs.
    • TLS Client Authentication Key: Select a key to enable mutual TLS (mTLS). The key is used as a client credential to authenticate the webhook, and must have a usage type of outbound mTLS. For more information, see Adding a certificate and key pair.

      Using a TLS client authentication key requires Allow TLS connection with untrusted certificates to be disabled.

  5. Optional: To enter the headers information, click Add Headers:
    • Basic authentication: Enter a username and password for the destination system.
    • Custom HTTP headers: Specify additional information for the HTTP headers. Provide information in the form of key-value pairs. For example, you can define a custom Authorization header with a token instead of using basic authentication. This is the common method for modern security information and event management (SIEM) systems, such as Splunk and Sumo Logic.
  6. Enter the Filters information.

    These settings determine which events are monitored. Select a category or a subset of events in that category.

    • Event types: Specify the types of events to monitor, such as user created, user deleted, and so on. For more information, see Event types.
    • Tags: Specify a tag to monitor.
      Admin Identity Event: An action taken by an administrator or API client on another administrator user, such as:
      • Creating or deleting an administrator user
      • Enabling or disabling an administrator user
      • Adding or removing roles from an administrator user
      • Changing a password for an administrator user
      • Changing username or email address for an administrator user
      • Enabling or disabling MFA for an administrator user
      • Pairing a new MFA device for an administrator user
      • Adding or removing linked accounts for an administrator user
    • Applications: Specify the applications in your PingOne environment that you want to monitor. You can include up to 10 applications.
    • Populations: Specify the populations in your PingOne environment that you want to monitor. You can include up to 10 populations.

      For each filter, such as events, applications, or populations, the expression evaluates to true if any of the criteria are met (Boolean OR).

      For multiple filters, the expression evaluates to true if all of the criteria are met (Boolean AND).

  7. Enter the optional data.
    Specify whether to include the IP address and User Agent strings in the report. Because IP addresses and User Agent strings can be considered sensitive data, you must manually select these options to include them in the report.
    • Include IP address: Include the end user’s IP address in the report. IP addresses are the client’s IP address as it appears to the PingOne services. In some cases, this value is a proxy address rather than the actual client device address.
    • Include User Agent: Include the User Agent String in the report. User Agent Strings are included if PingOne interacts with the user client when the client provides the string. The recorded value is exactly what was presented to PingOne by the client.
  8. Click Save.