Use Cases

Obtaining logging data from PingOne

Steps

  1. Sign on to PingOne and select your environment.

    Screen capture of the PingOne Your Environments page showing a list of available environments.
  2. In the left navigation pane, click Audit.

    Screen capture of the PingOne Overview page in the Dashboard navigation pane with the Audit section circled in white.
  3. In the Audit Parameters section, adjust the audit parameters fields as needed.

    Screen capture of the Audit Parameters section in PingOne, with the Time Range, Within, Filter Type, Selected Fields, Time Zone, and Secondary Filter Type fields.
  4. To update the report, click Run.

    Result:

    The audit report is created.

    Screen capture of a sample audit report showing the Timestamp, Event Type, Description, Client, Population, and Details columns in the audit report from PingOne.

    If no fields are selected, the audit report only contains an empty Details column.

Example

The Details column contains a View link showing the JSON representation of the audit entry, as shown in the following example.

All unique identifiers in this example are intentionally blocked.

{
 "_links": {
   "self": {
     "href": "https://api.pingone.com/v1/environments/429f5783-0f16-432f-b726-88223c380ab0/activities/979c1096-a693-4920-a2c6-62e34ff74dfe"
   }
 },
 "id": "9*******-a***-4***-a***-6**********",
 "recordedAt": "2021-04-06T16:27:34.783Z",
 "createdAt": "2021-04-06T16:27:34.803Z",
 "correlationId": "f******-2***-4***-9***-6***********",
 "actors": {
   "client": {
     "id": "b*******-4***-4***-9***-0************",
     "name": "PingOne Admin Console",
     "environment": {
       "id": "4*******-0***-4***-b***-8***********"
     },
     "href": "https://api.pingone.com/v1/environments/4*******-4*******-0***-4***-b***-8***********/applications/b*******-4***-4***-9***-0***********",
     "type": "CLIENT"
   },
   "user": {
     "id": "7*******-5***-4***-9***-d***********",
     "name": "m******p********@pingidentity.com",
     "environment": {
       "id": "4*******-0***-4***-b***-8***********"
     },
     "population": {
       "id": "4*******-0***-4***-b***-8***********"
     },
     "href": "https://api.pingone.com/v1/environments/4*******-0***-4***-b***-8***********/users/7*******-5***-4***-9***-d***********",
     "type": "USER"
   }
 },
 "action": {
   "type": "USER.ACCESS_ALLOWED",
   "description": "User Access Allowed"
 },
 "resources": [
   {
     "type": "USER",
     "id": "7*******-5***-4***-9***-d***********",
     "name": "matthewpollicove@pingidentity.com",
     "environment": {
       "id": "4*******-0***-4***-b***-8***********"
     },
     "population": {
       "id": "4*******-0***-4***-b***-8***********"
     },
     "href": "https://api.pingone.com/v1/environments/4*******-0***-4***-b***-8***********/users/7*******-5***-4***-9***-d***********"
   }
 ],
 "result": {
   "status": "SUCCESS",

   "description": "Passed role access control"
 }
}

Next steps

If you need to connect the audit data to an external application, such as Splunk, learn more in Monitoring activity with Splunk.

Audit parameter fields

The following table describes the fields and options available in the Audit Parameters section of PingOne.

Field Option Description

Time Range

Specific

Set the time range to a specific date range.

Relative

Set the time range to a period relative to the current time.

Filter Type

You must select a Filter Type before the Secondary Filter field is available.

Resource ID

Find activities by resource ID.

Correlation ID

Find activities by correlation ID. When an HTTP request is received by PingOne, it is assigned a correlation ID. You can use the correlation ID to associate HTTP responses with messages in the event log.

Event type

Find activities by event type.

Select an event type. If Risk is enabled, the following parameters are available:

  • Risk Evaluation Created

  • Risk Evaluation Updated

  • Risk Policy Created

  • Risk Policy Deleted

  • Risk Policy Updated

User ID (Actor)

Find activities that were performed by a particular user by user ID.

Username (Actor)

Find activities that were performed by a particular user by username.

Client (Actor)

Select a client to find activities that were performed by that client.

The list of clients can vary depending on your configuration.

Resource population

Select a population to find activities that were performed in resources within a particular population.

Resource type

Select a resource to find activities that were performed on a particular type of resource.

Population

Find activities that were performed on a particular population.

User

Find activities that were performed on a particular user.

Application

Find activities that were performed by a particular client application.

Selected Fields

Timestamp

The date and time of the event.

The format is: MM/DD/YYYY HH:mm:ss.

Event name

A unique identifier for the event.

Description

A brief description of the event.

Client

The client that performed the event.

User identity

The user for which the event was performed.

Population

The population in which the event was performed.

Resource type

The type of resource for which the event was performed.