Azure · v-atulyadav · Jun 23, 2025 · Apr 22, 2025 · Apr 22, 2025 · Apr 22, 2025
@@ -0,0 +1,47 @@
+[
+  {
+    "name": "PingOneDCR",
+    "apiVersion": "2023-03-11",
+    "type": "Microsoft.Insights/dataCollectionRules",
+    "location": "{{location}}",
+    "properties": {
+      "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+      "streamDeclarations": {
+        "Custom-PingOne_AuditActivitiesV2_CL": {
+          "columns": [
+            { "name": "id", "type": "string" },
+            { "name": "correlationId", "type": "string" },
+            { "name": "recordedAt", "type": "datetime" },
+            { "name": "createdAt", "type": "datetime" },
+            { "name": "internalCorrelation", "type": "dynamic" },
+            { "name": "actors", "type": "dynamic" },
+            { "name": "source", "type": "dynamic" },
+            { "name": "action", "type": "dynamic" },
+            { "name": "resources", "type": "dynamic" },
+            { "name": "result", "type": "dynamic" }
+          ]
+        }
+      },
+      "destinations": {
+        "logAnalytics": [
+          {
+            "workspaceResourceId": "{{workspaceResourceId}}",
+            "name": "clv2ws1"
+          }
+        ]
+      },
+      "dataFlows": [
+        {
+          "streams": [
+            "Custom-PingOne_AuditActivitiesV2_CL"
+          ],
+          "destinations": [
+            "clv2ws1"
+          ],
+       "transformKql": "source | extend Id = tostring(id), CorrelationId = tostring(correlationId), RecordedAt = todatetime(recordedAt), CreatedAt = todatetime(createdAt), InternalCorrelationSessionId = tostring(internalCorrelation.sessionId), ClientId = tostring(actors.client.id), ClientName = tostring(actors.client.name), ClientType = tostring(actors.client.type), UserId = tostring(actors.user.id), UserName = tostring(actors.user.name), UserEnvironmentId = tostring(actors.user.environment.id), UserPopulationId = tostring(actors.user.population.id), UserType = tostring(actors.user.type), SourceUserAgent = tostring(source.userAgent), SourceIpAddress = tostring(source.ipAddress), ActionType= tostring(action.type), ActionDescription= tostring(action.description), Resources = resources, ResultStatus = tostring(result.status), ResultDescription = tostring(result.description), TimeGenerated = todatetime(createdAt) | project Id, CorrelationId, RecordedAt, CreatedAt, InternalCorrelationSessionId, ClientId, ClientName, ClientType, UserId, UserName, UserEnvironmentId, UserPopulationId, UserType, SourceUserAgent, SourceIpAddress, ActionType, ActionDescription, Resources, ResultStatus, ResultDescription, TimeGenerated",
+       "outputStream": "Custom-PingOne_AuditActivitiesV2_CL"
+        }
+      ]
+    }
+  }
+]
@@ -0,0 +1,154 @@
+{
+  "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+  "apiVersion": "2025-03-01",
+  "name": "PingOneAuditLogsCCPDefinition",
+  "location": "{{location}}",
+  "kind": "Customizable",
+  "properties": {
+    "connectorUiConfig": {
+      "id": "PingOneAuditLogsCCPDefinition",
+      "title": "Ping One",
+      "publisher": "Microsoft",
+      "descriptionMarkdown": "This connector ingests **audit activity logs** from the PingOne Identity platform into Microsoft Sentinel using a codeless connector.",
+      "graphQueriesTableName": "PingOne_AuditActivitiesV2_CL",
+      "graphQueries": [
+        {
+          "metricName": "Total audit events received",
+          "legend": "Audit Events",
+          "baseQuery": "PingOne_AuditActivitiesV2_CL"
+        }
+      ],
+      "sampleQueries": [
+        {
+          "description": "Get sample audit activity events",
+          "query": "PingOne_AuditActivitiesV2_CL\n | take 10"
+        }
+      ],
+      "dataTypes": [
+        {
+          "name": "PingOne_AuditActivitiesV2_CL",
+          "lastDataReceivedQuery": "PingOne_AuditActivitiesV2_CL\n | where TimeGenerated > ago(12h)\n | summarize Time=max(TimeGenerated)"
+        }
+      ],
+      "connectivityCriteria": [
+        {
+          "type": "HasDataConnectors"
+        }
+      ],
+      "availability": {
+        "isPreview": false
+      },
+      "permissions": {
+        "resourceProvider": [
+          {
+            "provider": "Microsoft.OperationalInsights/workspaces",
+            "permissionsDisplayText": "Read and Write permissions are required.",
+            "providerDisplayName": "Workspace",
+            "scope": "Workspace",
+            "requiredPermissions": {
+              "read": true,
+              "write": true,
+              "delete": false,
+              "action": false
+            }
+          }
+        ]
+      },
+      "instructionSteps": [
+        {
+          "title": "Connect Ping One connector to Microsoft Sentinel",
+          "instructions": [
+            {
+              "type": "Markdown",
+              "parameters": {
+                "content": "Before connecting to PingOne, ensure the following prerequisites are completed. Refer to the [document](https://github.com/v-anjohari/Ping-One-Documentation/blob/main/README.md) for detailed setup instructions, including how to obtain client credentials and the environment ID."
+              }
+            },
+            {
+              "type": "Markdown",
+              "parameters": {
+                "content": "#### 1. Client Credentials \n You'll need client credentials, including your client id and client secret."
+              }
+            },
+            {
+              "type": "Markdown",
+              "parameters": {
+                "content": "#### 2. Environment Id  \n To generate token and gather logs from audit activities endpoint"
+              }
+            },
+            {
+              "type": "DataConnectorsGrid",
+              "parameters": {
+                "mapping": [
+                  {
+                    "columnName": "Environment ID",
+                    "columnValue": "properties.addOnAttributes.EnvironmentId"
+                  }
+                ],
+                "menuItems": [
+                  "DeleteConnector"
+                ]
+              }
+            },
+            {
+              "type": "ContextPane",
+              "parameters": {
+                "isPrimary": true,
+                "label": "Add domain",
+                "title": "Add domain",
+                "subtitle": "Add domain",
+                "contextPaneType": "DataConnectorsContextPane",
+                "instructionSteps": [
+                  {
+                    "instructions": [
+                      {
+                        "type": "Textbox",
+                        "parameters": {
+                          "label": "Client ID",
+                          "placeholder": "Enter ID of the client",
+                          "type": "text",
+                          "name": "clientId",
+                          "required": true
+                        }
+                      },
+                      {
+                        "type": "Textbox",
+                        "parameters": {
+                          "label": "Client Secret",
+                          "placeholder": "Enter your secret key",
+                          "type": "password",
+                          "name": "clientSecret",
+                          "required": true
+                        }
+                      },
+                      {
+                        "type": "Textbox",
+                        "parameters": {
+                          "label": "Environment ID",
+                          "placeholder": "Enter your environment Id ",
+                          "type": "text",
+                          "name": "environmentId",
+                          "required": true
+                        }
+                      },
+                      {
+                        "type": "Textbox",
+                        "parameters": {
+                          "label": "Api domain",
+                          "placeholder": "Enter your Api domain Eg.( pingone.com,pingone.eu etc )depending on the region credentials created for ",
+                          "type": "text",
+                          "name": "apidomain",
+                          "required": true
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
@@ -0,0 +1,35 @@
+[
+  {
+    "name": "PingOne_AuditActivitiesV2_CL",
+    "type": "Microsoft.OperationalInsights/workspaces/tables",
+    "apiVersion": "2025-02-01",
+    "properties": {
+      "schema": {
+        "name": "PingOne_AuditActivitiesV2_CL",
+        "columns": [
+        { "name": "Id", "type": "string" },
+        { "name": "CorrelationId", "type": "string" },
+        { "name": "RecordedAt", "type": "datetime" },
+        { "name": "CreatedAt", "type": "datetime" },
+        { "name": "InternalCorrelationSessionId", "type": "string" },
+        { "name": "ClientId", "type": "string" },
+        { "name": "ClientName", "type": "string" },
+        { "name": "ClientType", "type": "string" },
+        { "name": "UserId", "type": "string" },
+        { "name": "UserName", "type": "string" },
+        { "name": "UserEnvironmentId", "type": "string" },
+        { "name": "UserPopulationId", "type": "string" },
+        { "name": "UserType", "type": "string" },
+        { "name": "SourceUserAgent", "type": "string" },
+        { "name": "SourceIpAddress", "type": "string" },
+        { "name": "ActionType", "type": "string" },
+        { "name": "ActionDescription", "type": "string" },
+        { "name": "Resources", "type": "dynamic" },
+        { "name": "ResultStatus", "type": "string" },
+        { "name": "ResultDescription", "type": "string" },
+        { "name": "TimeGenerated", "type": "datetime"}
+      ]
+      }
+    }
+  }
+]
@@ -0,0 +1,53 @@
+[
+  {
+    "type": "Microsoft.SecurityInsights/dataConnectors",
+    "apiVersion": "2025-03-01",
+    "name": "{{innerWorkspace}}/Microsoft.SecurityInsights/PingOneAuditActivitiesPoller_{{environmentId}}",
+    "kind": "RestApiPoller",
+    "properties": {
+        "connectorDefinitionName": "PingOneAuditLogsCCPDefinition",
+        "dataType": "PingOne_AuditActivitiesV2_CL",
+        "addOnAttributes": {
+        "EnvironmentId": "[[parameters('environmentId')]"
+      },
+        "auth":  {
+            "type": "OAuth2",
+            "ClientId": "[[parameters('clientId')]",
+            "ClientSecret": "[[parameters('clientSecret')]",
+            "grantType": "client_credentials",
+            "tokenEndpoint": "[[concat('https://auth.',parameters('apidomain'),'/',parameters('environmentId'),'/as/token')]",
+            "tokenEndpointHeaders": {
+              "Content-Type": "application/x-www-form-urlencoded"
+            }
+          },
+        "request": {
+            "apiEndpoint": "[[concat('https://api.', parameters('apidomain'), '/v1/environments/', parameters('environmentId'), '/activities')]",
+            "httpMethod": "GET",
+            "queryWindowInMin": 10,
+            "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",     
+            "headers": {
+                    "Accept": "application/json",
+                    "User-Agent": "Scuba"
+            },
+           "queryParameters": {
+    "filter": "recordedat gt \"{_QueryWindowStartTime}\" and recordedat lt \"{_QueryWindowEndTime}\""
+  }
+        },
+        "response": {
+      "eventsJsonPaths": [
+        "$._embedded.activities"
+      ],
+      "format": "json"
+    },
+        "dcrConfig": {
+            "streamName": "Custom-PingOne_AuditActivitiesV2_CL",
+            "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+            "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+        },
+        "paging": {
+      "pagingType": "LinkHeader",
+      "linkHeaderTokenJsonPath": "$._links.next.href"
+    }
+    }
+}
+]
@@ -0,0 +1,14 @@
+{
+    "Name": "PingOne",
+    "Author": "Microsoft - support@microsoft.com",
+    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+    "Description": "The [PingOne](https://www.pingidentity.com/en/platform/solutions.html) solution provides the capability to ingest [PingOne audit activity logs](https://docs.pingidentity.com/pingone/p1_cloud__platform_main_landing_page.html) into Microsoft Sentinel using the PingOne Platform API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector)",
+    "Data Connectors": [
+      "Data Connectors/PingOneAuditLogs_ccp/PingOneAuditLogs_DataConnectorDefinition.json"
+    ],
+    "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\PingOne",
+    "Version": "3.0.0",
+    "Metadata": "SolutionMetadata.json",
+    "TemplateSpec": true,
+    "Is1PConnector": false
+  }
@@ -0,0 +1,85 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PingOne/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [PingOne](https://www.pingidentity.com/en/platform/solutions.html) solution provides the capability to ingest [PingOne audit activity logs](https://docs.pingidentity.com/pingone/p1_cloud__platform_main_landing_page.html) into Microsoft Sentinel using the PingOne Platform API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "dataconnectors",
+        "label": "Data Connectors",
+        "bladeTitle": "Data Connectors",
+        "elements": [
+          {
+            "name": "dataconnectors1-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Solution installs the data connector for PingOne. You can get PingOne data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+            }
+          },
+          {
+            "name": "dataconnectors-link1",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more about connecting data sources",
+                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+              }
+            }
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}