pingidentity/pingone Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Reading time: 6 minutes

pingidentity/pingone Dashboards

Overview

Widget	Description	Type
Top applications over time	Top applications Hide Query Show Query logscale `#logtype="pingone" \| actors.user.name = ?{user_name=} \| case{ action.type=SECRET. \| Application := resources[0].name; // Worker applications' name mapping action.type=FLOW.* \| Application := actors.client.name; // Client applications' name mapping } \| timechart(Application) // Display bar chart of applications by count of their operations`	`Time Chart`
Top users (all events)	Summary of top users by count of ALL events for a user. Note that this includes 'flow' events in PingOne so total events is not equal to authentication success + failures. Hide Query Show Query logscale `#logtype="pingone" \| groupBy("actors.user.id", function=[collect("actors.user.id"), collect("actors.user.name"), count("actors.user.id", as="count")]) // Group by user ID of the user and collect their name and ID \| "User ID" := rename("actors.user.id") \| "User name" := rename("actors.user.name") \| table(["User ID", "User name", "count"], sortby="count", limit=10)`	`Table`
Top applications	Breakdown of top applications Hide Query Show Query logscale `#logtype="pingone" \| actors.user.name = ?{user_name=} \| case{ action.type=SECRET. \| Application := resources[0].name; // Worker applications' name mapping action.type=FLOW.* \| Application := actors.client.name; // Client applications' name mapping } \| top(Application, as=count, limit=10) // Display bar chart of applications by count of their operations`	`Pie Chart`
Users enrolled	Count of users enrolled Hide Query Show Query logscale `#logtype="pingone" \| action.type = USER.CREATED // Created a new user \| count() // Count of new users enrolled`	`Single Value`
Top users - authentication success	Users with highest number of authentication successes Hide Query Show Query logscale `#logtype="pingone" \| action.type="SESSION.CREATED" // Successful authentication \| groupBy("resources[0].id", function=[collect("resources[0].id"), collect("resources[0].name"), count("resources[0].id", as="count")]) \| "User ID" := rename("resources[0].id") \| "User name" := rename("resources[0].name") \| table(["User ID", "User name", "count"], sortby="count", limit=10)`	`Table`
Successful authentications	Successful authentications per hour Hide Query Show Query logscale `#logtype="pingone" \| action.type=SESSION.CREATED // Successful authentication \| resources[0].name = ?{user_name=*} \| timeChart( unit = "/span to /hour") // Timechart based on authentication type`	`Single Value`
Authentication failure reasons	Breakdown of failed authentications by their type Hide Query Show Query logscale `#logtype="pingone" \| action.type =~ in(values=["PASSWORD.CHECK_FAILED", "OTP.CHECK_FAILED", "ASSERTION.CHECK_FAILED", "OTP.CHECK_INVALID"]) // Failed authentications \| resources[0].name = ?{user_name=*} \| groupBy("action.type") \| "Failed authentication reason" := rename("action.type")`	`Pie Chart`
Failed authentications	Failed authentications per day Hide Query Show Query logscale `#logtype="pingone" \| action.type =~ in(values=["PASSWORD.CHECK_FAILED", "OTP.CHECK_FAILED", "ASSERTION.CHECK_FAILED", "OTP.CHECK_INVALID"]) \| resources[0].name = ?{user_name=*} \| timechart(unit="/span to /day")`	`Single Value`
Authentication failure reasons over time	Failed authentications by failure type Hide Query Show Query logscale `#logtype="pingone" \| action.type =~ in(values=["PASSWORD.CHECK_FAILED", "OTP.CHECK_FAILED", "ASSERTION.CHECK_FAILED", "OTP.CHECK_INVALID"]) \| resources[0].name = ?{user_name=*} \| "Failed authentication reason" := rename("action.type") \| timechart("Failed authentication reason")`	`Time Chart`
Top users - authentication failures	Users with highest number of authentication failures Hide Query Show Query logscale #logtype="pingone" \| case { action.type=PASSWORD.CHECK_FAILED \| "User name" := resources[0].name; action.type=OTP.CHECK_FAILED \| "User name" := actors.user.name; action.type=ASSERTION.CHECK_FAILED \| "User name" := actors.user.name; action.type=OTP.CHECK_INVALID \| "User name" := actors.user.name; } \| groupBy("resources[0].id", function=[collect("resources[0].id"), collect("User name"), count("resources[0].id", as="count")]) \| "User ID" := rename("resources[0].id") \| table(["User ID", "User name", "count"], sortby="count", limit=10)	`Table`
Top applications	Top applications Hide Query Show Query logscale `#logtype="pingone" \| actors.user.name = ?{user_name=} \| case{ action.type=SECRET. \| Application := resources[0].name; // Worker applications' name mapping action.type=FLOW.* \| Application := actors.client.name; // Client applications' name mapping } \| top(Application, as=count, limit=10) // Display bar chart of applications by count of their operations`	`Bar Chart`
Successful authentications	Successful authentications per day Hide Query Show Query logscale `#logtype="pingone" \| action.type=SESSION.CREATED // Successful authentication \| resources[0].name = ?{user_name=*} \| timechart(unit="/span to /day") // Single value timechart of successful authentications`	`Single Value`
Authentication success/failure	Breakdown of authentication attempts by success/failure Hide Query Show Query logscale `#logtype="pingone" \| resources[0].name = ?{user_name=*} \| case { action.type = "SESSION.CREATED" \| Authentication_type := "SUCCESS"; action.type =~ in(values=["PASSWORD.CHECK_FAILED", "OTP.CHECK_FAILED", "ASSERTION.CHECK_FAILED", "OTP.CHECK_INVALID"]) \| Authentication_type := "FAILED"; } \| groupBy("Authentication_type")`	`Pie Chart`
Failed authentications	Failed authentications per hour Hide Query Show Query logscale `#logtype="pingone" \| action.type =~ in(values=["PASSWORD.CHECK_FAILED", "OTP.CHECK_FAILED", "ASSERTION.CHECK_FAILED", "OTP.CHECK_INVALID"]) \| resources[0].name = ?{user_name=*} \| timechart( unit="/span to /hour")`	`Single Value`
Authentications over time	Breakdown of successful and failed authentications Hide Query Show Query logscale `#logtype="pingone" \| resources[0].name = ?{user_name=*} \| case { action.type = "SESSION.CREATED" \| auth := "SUCCESS"; // Successful authentication action.type =~ in(values=["PASSWORD.CHECK_FAILED", "OTP.CHECK_FAILED", "ASSERTION.CHECK_FAILED", "OTP.CHECK_INVALID"]) \| auth := "FAILED"; // Failed authentication } \| timeChart(auth) // Display timechart of successful and failed authentications`	`Time Chart`

Password activity

Widget	Description	Type
Password resets per day	Password resets per day Hide Query Show Query logscale `#logtype="pingone" \| action.type = "PASSWORD.RESET" // Password reset events \| timeChart(action.type, function=count(), unit="/span to /day") // Display a single value timechart of password reset activity`	`Single Value`
Account lockouts per day	Account lockouts per day Hide Query Show Query logscale `#logtype="pingone" \| action.type = "FLOW.UPDATED" \| result.description = "Authentication failed because account is locked out" // An account locked out after multiple failed login attempts \| timeChart(action.type, function=count(), unit="/span to /day")`	`Single Value`
Password resets and lockouts over time	Volume of password resets and lockouts over time Hide Query Show Query logscale `#logtype="pingone" \| case { action.type = "FLOW.UPDATED" \| result.description = "Authentication failed because account is locked out" \| action.type := "Lockouts"; action.type = "PASSWORD.RESET" \| action.type := "Resets"; } \| timeChart(action.type)`	`Time Chart`
Total account lockouts	Count of account lockouts over selected time span Hide Query Show Query logscale `#logtype="pingone" \| action.type = "FLOW.UPDATED" \| result.description = "Authentication failed because account is locked out" // An account locked out after multiple failed login attempts \| count() // Count of locked out accounts`	`Single Value`
Password reset details	Summary of password reset activity Hide Query Show Query logscale `#logtype="pingone" \| action.type = "PASSWORD.RESET"`	`Event List`
Short lived accounts (<1 hour)	Accounts deleted within one hour of being created Hide Query Show Query logscale #logtype="pingone" \| action.type = "USER.DELETED" \| join({ action.type="USER.CREATED" \| "createdAtTimestamp" := @timestamp \| "Created by" := actors.user.name }, field=resources[0].id, include=["createdAtTimestamp", "Created by"]) \| eval(millisAlive = @timestamp - createdAtTimestamp) \| millisAlive < 3600000 // 1 hour in milliseconds \| formatDuration(millisAlive, as="Time alive", precision=2) \| "Created at" := formatTime("%Y-%m-%d %H:%M:%S", field=createdAtTimestamp, timezone=Z) \| "Deleted at" := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, timezone=Z) \| User := rename("resources[0].name") \| "Deleted by" := rename("actors.user.name") \| table(["User", "Created by", "Deleted by", "Created at", "Deleted at", "Time alive"], sortby="Deleted at")	`Table`
Total password resets	Count of password resets over selected time span Hide Query Show Query logscale `#logtype="pingone" \| action.type = "PASSWORD.RESET" \| count() // Count of password reset events`	`Single Value`

Policy and MFA

Widget	Description	Type
Breakdown by policy	Breakdown of authentications by their policy (only successful authentications) Hide Query Show Query logscale `#logtype="pingone" \| action.type = FLOW.DELETED AND result.status = SUCCESS // Successful authentication \| regex("policy (?<authentication_type>.*)", field=result.description) // Policy type \| groupBy(authentication_type) // Display a piechart based on policy of the authentication`	`Pie Chart`
Authentication by policy over time	Breakdown of authentications by their policy (only successful authentications) Hide Query Show Query logscale `#logtype="pingone" \| action.type = FLOW.DELETED AND result.status = SUCCESS // Successful authentication \| regex("policy (?<authentication_type>.*)", field=result.description) // Policy type \| timechart(authentication_type) // Display a timechart based on policy of the authentication`	`Time Chart`
MFA by type over time	Breakdown of MFA authentications by their type (only successful authentications) Hide Query Show Query logscale `#logtype="pingone" // PASSWORD.CHECK_SUCCESS // OTP.CHECK_SUCCESS // ASSERTION.CHECK_SUCCESS \| action.type = .CHECK_SUCCESS \| case { result.description=TOTP \| auth_type := "Authenticator App"; result.description=Email* \| auth_type := "Email"; result.description=Security* OR result.description=Biometrics* \| auth_type := "Security Key"; } \| timechart(auth_type) // Display timechart based on type of MFA authentication`	`Time Chart`
MFA by type	Breakdown of MFA authentications by their type (only successful authentications) Hide Query Show Query logscale `#logtype="pingone" // PASSWORD.CHECK_SUCCESS // OTP.CHECK_SUCCESS // ASSERTION.CHECK_SUCCESS \| action.type = .CHECK_SUCCESS \| case { result.description=TOTP \| auth_type := "Authenticator App"; result.description=Email* \| auth_type := "Email"; result.description=Security* OR result.description=Biometrics* \| auth_type := "Security Key"; } \| groupBy("auth_type") // Display piechart based on type of MFA authentication`	`Pie Chart`

Enter search term