PingFederate sample event message

Use these sample event messages to verify a successful integration with IBM QRadar.

PingFederate sample message when you use the Syslog protocol: Authentication Attempt

The following sample event message shows an authentication attempt against an identity provider (IdP) adapter instance, together with an authentication request sent to another identity provider instance through an identity provider connection.

CEF:0|Ping Identity|PingFederate|12.0|AUTHN_ATTEMPT|AUTHN_ATTEMPT|0|rt=Feb 02 2024 15:49:12.139 duid= src=127.0.0.1 msg=inprogress cs1Label=Target Application URL cs1= cs2Label=Connection ID cs2=IAMShowcase cs3Label=Protocol cs3=SAML20 dvchost=ip-127-0-0-1.ec2.internal cs4Label=Role cs4=IdP externalId=tid:x7PBlk1Y1ZA0vnTest_iRSN1Q cs5Label=SP Local User ID cs5= cs6Label=Attributes cs6=
Table 1. Highlighted values in the PingFederate sample event

| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | The value in QRadar is AUTHN_ATTEMPT_inprogress |
| Source IP | src |
| Device Time | rt |

PingFederate sample message when you use the Syslog protocol: Single Sign-On (SSO)

The following sample event message shows a single sign-on (SSO) event: an identity is authenticated (signed on) at a website with a user ID and a password, and then accesses resources secured by other domains without re-authentication.

CEF:0|Ping Identity|PingFederate|12.0|SSO|SSO|0|rt=Feb 02 2024 15:49:15.178 duid=testuser src=127.0.0.1 msg=success cs1Label=Target Application URL cs1= cs2Label=Connection ID cs2=IAMShowcase cs3Label=Protocol cs3=SAML20 dvchost=ip-127-0-0-1.ec2.internal cs4Label=Role cs4=IdP externalId=tid:x7PBlk1Y1ZATest_iRSN1Q cs5Label=SP Local User ID cs5= cs6Label=Attributes cs6=SAML_SUBJECT\=testuser, email\=testuser@example.com
Table 2. Highlighted values in the PingFederate sample event

| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | The value in QRadar is SSO_success |
| Source IP | src |
| Device Time | rt |
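
To check offline that a payload carries the fields listed in the two tables, the following added example (not IBM or Ping Identity code) parses both sample messages, including the empty values and the escaped `\=` in `cs6`. The function names, the `rt` format string, and the Event ID rule (event class ID, underscore, `msg`) are assumptions inferred from the samples on this page.

```python
import re
from datetime import datetime

# The two sample payloads shown on this page, copied verbatim.
AUTHN = (r"CEF:0|Ping Identity|PingFederate|12.0|AUTHN_ATTEMPT|AUTHN_ATTEMPT|0|"
         r"rt=Feb 02 2024 15:49:12.139 duid= src=127.0.0.1 msg=inprogress "
         r"cs1Label=Target Application URL cs1= cs2Label=Connection ID "
         r"cs2=IAMShowcase cs3Label=Protocol cs3=SAML20 "
         r"dvchost=ip-127-0-0-1.ec2.internal cs4Label=Role cs4=IdP "
         r"externalId=tid:x7PBlk1Y1ZA0vnTest_iRSN1Q cs5Label=SP Local User ID "
         r"cs5= cs6Label=Attributes cs6=")
SSO = (r"CEF:0|Ping Identity|PingFederate|12.0|SSO|SSO|0|"
       r"rt=Feb 02 2024 15:49:15.178 duid=testuser src=127.0.0.1 msg=success "
       r"cs1Label=Target Application URL cs1= cs2Label=Connection ID "
       r"cs2=IAMShowcase cs3Label=Protocol cs3=SAML20 "
       r"dvchost=ip-127-0-0-1.ec2.internal cs4Label=Role cs4=IdP "
       r"externalId=tid:x7PBlk1Y1ZATest_iRSN1Q cs5Label=SP Local User ID "
       r"cs5= cs6Label=Attributes "
       r"cs6=SAML_SUBJECT\=testuser, email\=testuser@example.com")

HEADER = ("cef", "vendor", "product", "version", "class_id", "name", "severity")
# A key is a word at the start or after whitespace, directly followed by "=";
# an escaped "\=" inside a value (as in cs6) can never match.
KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")

def parse_cef(line):
    """Return (header, extension) dicts for one CEF record."""
    parts = re.split(r"(?<!\\)\|", line[line.index("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    ext, text = {}, parts[7]
    keys = list(KEY.finditer(text))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = text[m.end():nxt.start() if nxt else len(text)].strip()
        ext[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)  # undo \= and \\
    return dict(zip(HEADER, parts[:7])), ext

def qradar_fields(line):
    """Values the tables highlight; Event ID rule is an inferred assumption."""
    header, ext = parse_cef(line)
    return {
        "Event ID": f"{header['class_id']}_{ext['msg']}",
        "Source IP": ext["src"],
        "Device Time": datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S.%f"),
    }

if __name__ == "__main__":
    for sample in (AUTHN, SSO):
        print(qradar_fields(sample))
```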