SailPoint Identity Security Cloud

About
SailPoint Identity Security Cloud is a comprehensive platform that helps organizations manage and secure access to critical data and applications across their entire environment, including cloud and on-premise systems. It offers a unified approach to identity governance and administration, enabling businesses to streamline processes, reduce risk, and enhance compliance.
Product Details
Vendor URL: SailPoint
Product Type: Identity and Access Management
Product Tier: Tier III
Integration Method: API
Integration URL: SailPoint Cloud
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: IDENTITY_SECURITY_CLOUD
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field | 
|---|---|
| Actor.Name | principal.user.userid | 
| Attributes.accountChangeTypes | security_result.category_details | 
| Attributes.accountId | target.user.product_object_id | 
| Attributes.accountName | principal.user.attribute.labels | 
| Attributes.accountName | principal.user.group_identifiers | 
| Attributes.accountNativeIdentity | target.user.attribute.labels | 
| Attributes.accountNativeIdentity | target.user.user_display_name | 
| Attributes.appId | target.asset.asset_id | 
| Attributes.attributeValue | target.user.group_identifiers | 
| Attributes.cloudAppName | target.application | 
| Attributes.errors | security_result.summary | 
| Attributes.hostName | principal.hostname | 
| Attributes.identitiesSelected | additional.fields | 
| Attributes.identitiesTotal | additional.fields | 
| Attributes.interface | additional.fields | 
| Attributes.org | principal.administrative_domain | 
| Attributes.pod | principal.location.name | 
| Attributes.processId | principal.process.pid | 
| Attributes.scope | target.user.attribute.labels | 
| Attributes.sourceId | principal.resource.id | 
| Attributes.sourceName | principal.resource.name | 
| Attributes.userId | target.user.userid | 
| entitlementChanges.added.id | target.group.product_object_id | 
| entitlementChanges.added.name | target.group.group_display_name | 
| entitlementChanges.added.value | target.user.group_identifiers | 
| entitlementChanges.added.value | target.group.attribute.labels | 
| entitlementChanges.removed.id | target.group.product_object_id | 
| entitlementChanges.removed.name | target.group.group_display_name | 
| entitlementChanges.removed.value | target.group.attribute.labels | 
| entitlementChanges.removed.value | target.user.group_identifiers | 
| ID | metadata.product_log_id | 
| identityId | additional.fields | 
| multiValueAttributeChanges.multiVal.addedValues.name | target.asset.attribute.labels | 
| multiValueAttributeChanges.multiVal.removedValues.name | target.asset.attribute.labels | 
| Name | metadata.product_event_type | 
| Objects | security_result.detection_fields | 
| Operation | security_result.action_details | 
| singleValueAttributeChanges.newValue.company | target.user.company_name | 
| singleValueAttributeChanges.newValue.department | target.user.department | 
| singleValueAttributeChanges.newValue.description | target_role.description | 
| singleValueAttributeChanges.newValue.displayName | target.user.user_display_name | 
| singleValueAttributeChanges.newValue.employeeId | target.user.employee_id | 
| singleValueAttributeChanges.newValue.hRISManagerEmail | target.user.attribute.labels | 
| singleValueAttributeChanges.newValue.manager | target.user.attribute.labels | 
| singleValueAttributeChanges.newValue.NetBIOSName | principal.hostname | 
| singleValueAttributeChanges.newValue.objectguid | target.resource.id | 
| singleValueAttributeChanges.newValue.objectSid | target.user.windows_sid | 
| singleValueAttributeChanges.newValue.pager | target.user.phone_numbers | 
| singleValueAttributeChanges.newValue.telephoneNumber | target.user.phone_numbers | 
| singleValueAttributeChanges.newValue.title | target.user.title | 
| singleValueAttributeChanges.newValue.userPrincipalName | target.user.email_addresses | 
| Status | security_result.description | 
| Status | security_result.action | 
| TrackingNumber | additional.fields | 
| Type | metadata.description | 
Product Event Types
| Event | UDM Event Classification | 
|---|---|
| ADD, UPDATE | GROUP_MODIFICATION | 
| Create Account Passed | USER_CREATION | 
| Delete Native Change Detected | USER_DELETION | 
| Request Authentication Passed | USER_LOGIN | 
| Update Native Change Detected, Modify Account Passed | USER_UNCATEGORIZED | 
| Use Personal Access Token Passed | USER_RESOURCE_ACCESS | 
Log Sample
{"ID":"6a0fff7185230c5645fe9c25f08bb9b57d6dfc31d113957799cb3bb962d0b17c","Name":"Request Authentication Passed","Type":"AUTH","Created":"2024-12-31T19:33:56.397Z","Actor":{"Name":"Jane.Doe"},"Operation":"REQUEST","Objects":["AUTHENTICATION"],"Status":"PASSED","TrackingNumber":"c8668fb822ae4a8fb95e92eeb1b93dba","Attributes":{"hostName":"10.1.255.125","info":"LOGIN_SUCCESS_SAML","org":"questrade-sb","pod":"ex01-cacentral1","sourceName":"AuthnProvider"}}
Sample Parsing
additional.fields["TrackingNumber"] = "c8668fb822ae4a8fb95e92eeb1b93dba"
metadata.description = "AUTH"
metadata.event_type = "USER_LOGIN"
metadata.log_type = "IDENTITY_SECURITY_CLOUD"
metadata.product_event_type = "Request Authentication Passed"
metadata.product_log_id = "6a0fff7185230c5645fe9c25f08bb9b57d6dfc31d113957799cb3bb962d0b17c"
metadata.product_name = "Identity Security Cloud"
metadata.vendor_name = "SailPoint"
principal.administrative_domain = "questrade-sb"
principal.ip = "10.1.255.125"
principal.location.name = "ex01-cacentral1"
principal.resource.name = "AuthnProvider"
principal.user.userid = "Jane.Doe"
security_result.action_details = "REQUEST"
security_result.action = "ALLOW"
security_result.description = "PASSED"
security_result.detection_fields.key = "Target Objects"
security_result.detection_fields.value = "AUTHENTICATION"
security_result.summary = "LOGIN_SUCCESS_SAML"
target.user.userid = "Jane.Doe"
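
The following Python sketch is an added example, not the vendor's or the parser author's code. It reproduces a subset of the mapping above for one event and makes explicit a detail that only the sample output shows: `Attributes.hostName` is listed as `principal.hostname`, yet an IP literal ends up in `principal.ip`. The function names, the `GENERIC_EVENT` fallback and the constructed sample values are assumptions.

```python
import ipaddress
import json

# Constructed sample event shaped like the page's Log Sample (IDs are placeholders).
SAMPLE = '{"ID":"example-id","Name":"Request Authentication Passed","Type":"AUTH","Actor":{"Name":"Jane.Doe"},"Operation":"REQUEST","Status":"PASSED","TrackingNumber":"example-tracking","Attributes":{"hostName":"10.1.255.125","org":"example-org","pod":"example-pod","sourceName":"AuthnProvider"}}'

# Event classification copied from the Product Event Types table on this page.
EVENT_TYPES = {
    "Create Account Passed": "USER_CREATION",
    "Delete Native Change Detected": "USER_DELETION",
    "Request Authentication Passed": "USER_LOGIN",
    "Update Native Change Detected": "USER_UNCATEGORIZED",
    "Modify Account Passed": "USER_UNCATEGORIZED",
    "Use Personal Access Token Passed": "USER_RESOURCE_ACCESS",
}

def is_ip(value):
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False

def normalize(raw):
    """Flatten one audit event into UDM-style keys; unpopulated keys are dropped."""
    ev = json.loads(raw)
    attrs = ev.get("Attributes") or {}
    udm = {
        "metadata.product_log_id": ev.get("ID"),
        "metadata.product_event_type": ev.get("Name"),
        "metadata.description": ev.get("Type"),
        # Assumption: names outside the table fall back to GENERIC_EVENT.
        "metadata.event_type": EVENT_TYPES.get(ev.get("Name"), "GENERIC_EVENT"),
        "principal.user.userid": (ev.get("Actor") or {}).get("Name"),
        "principal.administrative_domain": attrs.get("org"),
        "principal.location.name": attrs.get("pod"),
        "principal.resource.name": attrs.get("sourceName"),
        "security_result.action_details": ev.get("Operation"),
        "security_result.description": ev.get("Status"),
        'additional.fields["TrackingNumber"]': ev.get("TrackingNumber"),
    }
    host = attrs.get("hostName")
    if host:
        # Route on the value's shape: IP literal -> principal.ip, else principal.hostname.
        udm["principal.ip" if is_ip(host) else "principal.hostname"] = host
    if ev.get("Status") == "PASSED":
        udm["security_result.action"] = "ALLOW"  # the only Status mapping the sample shows
    return {k: v for k, v in udm.items() if v is not None}
```

When writing detections against this data, search both `principal.ip` and `principal.hostname` for the source of an authentication event, since the same log field can land in either.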