SailPoint IAM¶
About¶
SailPoint IAM offers a full range of solutions for controlling user access to systems, applications, and data.
Product Details¶
Vendor URL: SailPoint IAM
Product Type: Identity Access Management
Product Tier: Tier III
Integration Method: Custom
Integration URL: Not available
Log Guide: N\A
Parser Details¶
Log Format: JSON, XML
Expected Normalization Rate: 100%
Data Label: SAILPOINT_IAM
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
accountName | principal.user.userid |
ad_target_user_country | target.user.office_address.country_or_region |
ad_target_user_location | target.user.office_address.name |
ad_target_user_state | target.user.office_address.state |
ad_target_user_title | target.user.title |
ad_user_hire_date | target.user.hire_date |
application | principal.application |
assign_scope | additional.fields.additional_assign_scope |
assign_scope_path | additional.field.additional_assign_scope_path |
attr_name | additional.field.additional_attr_name |
attr_value | additional.field.attributeValue |
attributeMetaData | additional.field.additional_attr_meta |
attributes.City | target.location.city |
attributes.Company | target.user.company_name |
attributes.Country | target.location.country_or_region |
attributes.E-MailList | target.user.email_addresses |
attributes.Employee Number | target.user.employee_id |
attributes.First name | target.user.first_name |
attributes.FullName | target.user.user_display_name |
attributes.Last name | target.user.last_name |
attributes.Roles | target.user.group_identifiers |
full_path | src.file.full_path |
log_id | metadata.product_log_id |
logger_Name | intermediary.application |
message | metadata.description |
target_application | target.application |
target_user_company_location | target.user.office_address.name |
Product Event Types¶
Event | UDM Event Classification |
---|---|
Create Group | GROUP_CREATION |
Create User | USER_CREATION |
Delete User | USER_DELETION |
General | GENERIC_EVENT |
Login | USER_LOGIN |
Modify Group | GROUP_MODIFICATION |
Modify User | USER_UNCATEGORIZED |
Log Sample¶
{"_classifications":null,"application":"Active Directory domain.com","attributeValue":"ABCD-1234","instance":null,"trackingId":null,"clientHost":null,"serverHost":"HOSTNAME.domain.com","accountName":"CN=User,OU=AE,OU=Users,OU=.Resources,DC=carcgl,DC=com","attributeName":"LDAP-BusinessEntity","string1":"AttributeSync","string2":"businessEntity","string3":"Set","string4":null,"pseudoCreated":0,"sailPointObjectName":null,"attributes":null,"target":"123456789","action":"expansion","source":"RequestHandler","interface":null,"xml":false,"id":"1a2b345c6d7e8f9g","disabled":false,"nameUnique":false,"uniqueKeyProperties":null,"auditClassName":"AuditEvent","persisted":true,"lock":null,"dirty":false,"modified":null,"created":1697515185599,"signOffs":null,"immutable":false,"assignedScope":null,"assignedScopePath":null,"pendingWorkflow":null,"uid":null,"refreshedExistingLock":false,"classifications":null,"extendedAttributes":null,"externalAttributes":null,"extended1":null,"extended2":null,"extended3":null,"extended4":null,"extended5":null,"extended6":null,"extended7":null,"extended8":null,"extended9":null,"extended10":null,"extended11":null,"extended12":null,"extended13":null,"extended14":null,"extended15":null,"extended16":null,"extended17":null,"extended18":null,"extended19":null,"extended20":null,"extendedIdentity1":null,"extendedIdentity2":null,"extendedIdentity3":null,"extendedIdentity4":null,"extendedIdentity5":null,"extendedIdentity6":null,"extendedIdentity7":null,"extendedIdentity8":null,"extendedIdentity9":null,"extendedIdentity10":null,"extendedIdentity11":null,"extendedIdentity12":null,"extendedIdentity13":null,"extendedIdentity14":null,"extendedIdentity15":null,"extendedIdentity16":null,"extendedIdentity17":null,"extendedIdentity18":null,"extendedIdentity19":null,"extendedIdentity20":null,"attributeMetaData":null,"referenceClass":"sailpoint.object.AuditEvent","referenceId":"0acf02c68b2b10d7818b3bca25bf1c31","referenceName":null,"autoCreated":false,"owner":null,"lockInfo":null,"name":null,"locked":false,"description":null}
Sample Parsing¶
additional.fields["attributeName"] = "LDAP-BusinessEntity"
additional.fields["attributeValue"] = "ABCD-1234"
additional.fields["string1"] = "AttributeSync"
additional.fields["string2"] = "businessEntity"
additional.fields["string3"] = "Set"
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "SAILPOINT_IAM"
metadata.product_event_type = "expansion"
metadata.product_name = "IAM"
metadata.vendor_name = "SAILPOINT"
principal.user.userid = "User"
security_result.about.user.attribute.creation_time = "2023-02-11T11:59:59Z"
security_result.rule_name = "sailpoint.object.AuditEvent"
src.asset.asset_id = ":RequestHandler"
src.file.full_path = "CN=User,OU=AE,OU=Users,OU=.Resources,DC=domain,DC=com"
target.asset.asset_id = ":123456789"
target.domain.name = "domain.com"
target.hostname = "HOSTNAME"