PingIdentity PingOne 的来源配置
与 PingIdentity PingOne 集成
PingOne 是 PingIdentity 基于云的身份即服务(IDaaS)平台,提供身份和访问管理功能。CloudWatch 管道使用 PingOne Audit Logs API 检索您的 PingOne 环境中的身份验证事件、用户活动、政策决策和管理变更的相关信息。Audit Logs API 支持通过 REST 端点访问事件数据,从而允许从 PingOne 组织检索安全和访问日志。
使用 PingIdentity PingOne 进行身份验证
要读取日志,该管道需要通过 PingOne 环境进行身份验证。对于 PingOne,身份验证将使用 OAuth2 执行。
为 PingOne 配置 OAuth2 身份验证
登录 PingOne 控制台并导航至“应用程序”→“应用程序”。创建一个工作线程类型的新应用程序。记下客户端 ID 和环境 ID。
从“配置”选项卡生成新的客户端密钥。立即复制密钥。
在 AWS Secrets Manager 中创建密钥,将客户端 ID 存储在
client_id键下,将客户端密钥存储在client_secret键下。为应用程序分配环境管理员和应用程序所有者角色。
确定您的 PingOne 区域(NA、EU、AP、AU、CA、SG)。
记下“设置”→“环境”→“属性”中的环境 ID。
配置 CloudWatch 管道
要将管道配置为读取日志,请选择 PingOne 作为数据来源。填写环境 ID 等必填信息。(可选)指定区域(默认为 NA)和范围持续时间格式(例如,最近 21 小时记为 PT21H)。默认范围为 0 小时,最大值为 90 天。创建并激活管道后,PingOne 中的审计日志数据将立即开始流入选定的 CloudWatch Logs 日志组。
支持的开放式网络安全架构框架事件类
本次集成支持 OCSF 架构 v1.5.0 版本,同时支持可映射到“账户变更”(3001)、“身份验证”(3002)和“实体管理”(3004)的 PingOne 事件。
账户变更包含以下事件:
USER.CREATED
USER.INVITED
USER.REINVITED
USER.INVITE_ACCEPTED
PASSWORD.FORCE_CHANGE
PASSWORD.RECOVERY
PASSWORD.RESET
USER.INVITE_REVOKED
USER.DELETED
USER.LOCKED
MFA_SETTINGS.UPDATED
PASSWORD.UNLOCKED
USER.UNLOCKED
身份验证包含以下事件:
AUTHENTICATION.CREATED
RADIUS_SESSION.CREATED
SESSION.CREATED
SESSION.UPDATED
SESSION.DELETED
USER.SLO_FAILURE
USER.SLO_PARTIAL_LOGOUT
USER.SLO_REQUESTED
USER.SLO_SUCCESS
USER.KERBEROS_FAILED
USER.KERBEROS_SUCCEEDED
DEVICE.ACTIVATION_OTP_FAILED
DEVICE.ACTIVATION_OTP_INVALID
DEVICE_PAYLOAD.CHECK_INVALID
DEVICE_PAYLOAD.CHECK_SUCCESS
OTP.CHECK_FAILED
OTP.CHECK_INVALID
OTP.CHECK_SUCCESS
PASSWORD.CHECK_FAILED
PASSWORD.CHECK_SUCCEEDED
实体管理包含以下事件:
ACTION.CREATED
AGREEMENT.CREATED
AGREEMENT_LANGUAGE.CREATED
AGREEMENT_LANGUAGE_REVISION.CREATED
APPLICATION.CREATED
AUTHORIZE_POLICY.CREATED
CERTIFICATE.CREATED
DEVICE.CREATED
DEVICE_AUTHENTICATION_POLICY.CREATED
FIDO_POLICY.CREATED
FLOW.CREATED
FLOW_DEFINITION.CREATED
FLOW_EXECUTION.CREATED
GROUP.CREATED
IDENTITY_PROVIDER.CREATED
IDP_ATTRIBUTE.CREATED
INSTANT_MESSAGING_DELIVERY_SETTINGS.CREATED
KEY.CREATED
LICENSE.CREATED
NOTIFICATION.CREATED
NOTIFICATION_POLICY.CREATED
ORGANIZATION.CREATED
POLICY.CREATED
RISK_POLICY_SET.CREATED
SAML_ATTRIBUTE.CREATED
SCHEMA_ATTRIBUTE.CREATED
SIGN_ON_POLICY_ASSIGNMENT.CREATED
VERIFY_POLICY.CREATED
CERTIFICATE.READ
KEY.READ
SECRET.READ
ACTION.UPDATED
ADMIN_CONFIGURATION.UPDATED
AGREEMENT.UPDATED
AGREEMENT_LANGUAGE.UPDATED
AGREEMENT_LANGUAGE_REVISION.UPDATED
APPLICATION.UPDATED
AUTHORIZE_POLICY.UPDATED
CERTIFICATE.UPDATED
DEVICE.NICKNAME_UPDATED
DEVICE.UPDATED
DEVICE_AUTHENTICATION_POLICY.UPDATED
FIDO_POLICY.UPDATED
FLOW.UPDATED
FLOW_DEFINITION.UPDATED
FLOW_EXECUTION.UPDATED
GROUP.UPDATED
IDENTITY_PROVIDER.UPDATED
IDP_ATTRIBUTE.UPDATED
INSTANT_MESSAGING_DELIVERY_SETTINGS.UPDATED
KEY.UPDATED
LICENSE.UPDATED
NOTIFICATION.UPDATED
NOTIFICATION_POLICY.UPDATED
NOTIFICATIONS_SETTINGS.UPDATED
ORGANIZATION.UPDATED
POLICY.UPDATED
RISK_POLICY_SET.ORDER_UPDATED
RISK_POLICY_SET.UPDATED
SAML_ATTRIBUTE.UPDATED
SCHEMA_ATTRIBUTE.UPDATED
SECRET.UPDATED
SETTINGS.UPDATED
SIGN_ON_POLICY_ASSIGNMENT.UPDATED
USER.QUOTA_RESET
USER.UPDATED
VERIFY_POLICY.UPDATED
ACTION.DELETED
AGREEMENT.DELETED
AGREEMENT_LANGUAGE.DELETED
AGREEMENT_LANGUAGE_REVISION.DELETED
APPLICATION.DELETED
AUTHORIZE_POLICY.DELETED
CERTIFICATE.DELETED
DEVICE.DELETED
DEVICE_AUTHENTICATION_POLICY.DELETED
FIDO_POLICY.DELETED
FLOW.DELETED
FLOW_DEFINITION.DELETED
GROUP.DELETED
IDENTITY_PROVIDER.DELETED
IDP_ATTRIBUTE.DELETED
INSTANT_MESSAGING_DELIVERY_SETTINGS.DELETED
KEY.DELETED
LICENSE.DELETED
NOTIFICATION_POLICY.DELETED
ORGANIZATION.DELETED
POLICY.DELETED
RISK_POLICY_SET.DELETED
SAML_ATTRIBUTE.DELETED
SCHEMA_ATTRIBUTE.DELETED
SIGN_ON_POLICY_ASSIGNMENT.DELETED
VERIFY_POLICY.DELETED
DEVICE.UNBLOCKED
DEVICE.BLOCKED
NOTIFICATION.REJECTED
DEVICE.ACTIVATED
DEVICE.LOCKED
DEVICE.UNLOCKED
ROLE.CREATED
ROLE.UPDATED
ROLE.DELETED
