This onboarding guide takes you through how to connect PingOne Platform to Expel Workbench via a collector.

Prerequisites

  1. You must have a Splunk or Exabeam Fusion New-Scale SIEM Collector available as a Security Device in Expel Workbench before onboarding PingOne Platform.

Add PingOne Platform as a Security Device in Workbench

Please ensure you have met the prerequisites before proceeding with this step.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “Ping” and then select the PingOne Platform (via Collector) integration.
  5. A configuration pane displays. Complete the fields as follows:
    • SIEM - select an onboarded collector from the dropdown.
    • Name - enter a name that helps you identify this integration, such as “CompanyName PingOne Platform”. This name displays in Workbench under the Name column and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Collector query - this value will depend on the SIEM you are using:

      Splunk
      Enter the following string, replacing <ping ID index> with the value defined in your SIEM: 
      index=<ping ID index> status IN ("success","failure") event="AUTHN_ATTEMPT" | table *
       
      Exabeam Fusion New-Scale SIEM
      Enter the following string: 
      vendor:"Ping Identity" AND ((product:"PingOne" AND activity:"authentication") OR (product:"Ping Identity" AND event_name:"AUTHN_ATTEMPT")) AND outcome:("success","fail") AND NOT user: null
  6. Select Save.
  7. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin receiving data.
    • To check on the status, click on the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.