colinc10
Copper Contributor
Feb 12, 2025

Help Ingesting PingID Logs into Microsoft Sentinel

Hello,

Microsoft Sentinel has a Data Connector for PingFederate; however, this does not capture other PingIdentity products, namely PingID logs.

Making this post asking if there are any ways to best implement ingesting PingID logs into Sentinel, as I am unable to find any documentation for PingIdentity or Sentinel that would assist me in coming up with a solution.

Thank you for all comments and ideas.

  • SocInABox
    Iron Contributor

    Hi colinc10,

    I'm also testing out PingID log ingestion.

    There may be 2 options:

    - webhook configuration - PingOne supports webhooks - so you'd need to set up a DCE/DCR configuration which uses a SAS token in the URL to authenticate - Ping doesn't support OAuth so I think a SAS token/URL would be the only way. I'm hoping to try this method this week.

    - syslog - IF the PingFederate syslog connector also pulls in the PingID logs then that's a supported method - have you tried this?

  • luchete
    Steel Contributor

    Hi colinc10,

    Unfortunately, as far as I know, there isn't a direct data connector for PingID logs in Sentinel.

    However, you can still ingest PingID logs by using Custom Logs in Sentinel. This involves setting up your PingID logs to send data to an Azure Log Analytics workspace.

    First, you'll need to configure PingID to export its logs, typically through syslog or another supported protocol, and direct them to the Log Analytics workspace. Once the logs are in the workspace, you can set up a Custom Log in Sentinel to capture the data and parse it as needed. You may need to create a custom KQL query to properly format and search through these logs.

    I had a similar case a couple of years ago, and reading the official documentation, some of the guidance is now deprecated. (https://learn.microsoft.com/en-us/previous-versions/azure/sentinel/connect-custom-logs?tabs=DCG)

    But hopefully it may give you an idea on how to work your way around.

    Regards
