Skip to content

SailPoint IAM

SailPoint IAM

About

SailPoint IAM offers a full range of solutions for controlling user access to systems, applications, and data.

Product Details

Vendor URL: SailPoint IAM

Product Type: Identity Access Management

Product Tier: Tier III

Integration Method: Custom

Integration URL: Not available

Log Guide: N\A

Parser Details

Log Format: JSON, XML

Expected Normalization Rate: 100%

Data Label: SAILPOINT_IAM

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
accountName principal.user.userid
ad_target_user_country target.user.office_address.country_or_region
ad_target_user_location target.user.office_address.name
ad_target_user_state target.user.office_address.state
ad_target_user_title target.user.title
ad_user_hire_date target.user.hire_date
application principal.application
assign_scope additional.fields.additional_assign_scope
assign_scope_path additional.field.additional_assign_scope_path
attr_name additional.field.additional_attr_name
attr_value additional.field.attributeValue
attributeMetaData additional.field.additional_attr_meta
attributes.City target.location.city
attributes.Company target.user.company_name
attributes.Country target.location.country_or_region
attributes.E-MailList target.user.email_addresses
attributes.Employee Number target.user.employee_id
attributes.First name target.user.first_name
attributes.FullName target.user.user_display_name
attributes.Last name target.user.last_name
attributes.Roles target.user.group_identifiers
full_path src.file.full_path
log_id metadata.product_log_id
logger_Name intermediary.application
message metadata.description
target_application target.application
target_user_company_location target.user.office_address.name

Product Event Types

Event UDM Event Classification
Create Group GROUP_CREATION
Create User USER_CREATION
Delete User USER_DELETION
General GENERIC_EVENT
Login USER_LOGIN
Modify Group GROUP_MODIFICATION
Modify User USER_UNCATEGORIZED

Log Sample

{"_classifications":null,"application":"Active Directory domain.com","attributeValue":"ABCD-1234","instance":null,"trackingId":null,"clientHost":null,"serverHost":"HOSTNAME.domain.com","accountName":"CN=User,OU=AE,OU=Users,OU=.Resources,DC=carcgl,DC=com","attributeName":"LDAP-BusinessEntity","string1":"AttributeSync","string2":"businessEntity","string3":"Set","string4":null,"pseudoCreated":0,"sailPointObjectName":null,"attributes":null,"target":"123456789","action":"expansion","source":"RequestHandler","interface":null,"xml":false,"id":"1a2b345c6d7e8f9g","disabled":false,"nameUnique":false,"uniqueKeyProperties":null,"auditClassName":"AuditEvent","persisted":true,"lock":null,"dirty":false,"modified":null,"created":1697515185599,"signOffs":null,"immutable":false,"assignedScope":null,"assignedScopePath":null,"pendingWorkflow":null,"uid":null,"refreshedExistingLock":false,"classifications":null,"extendedAttributes":null,"externalAttributes":null,"extended1":null,"extended2":null,"extended3":null,"extended4":null,"extended5":null,"extended6":null,"extended7":null,"extended8":null,"extended9":null,"extended10":null,"extended11":null,"extended12":null,"extended13":null,"extended14":null,"extended15":null,"extended16":null,"extended17":null,"extended18":null,"extended19":null,"extended20":null,"extendedIdentity1":null,"extendedIdentity2":null,"extendedIdentity3":null,"extendedIdentity4":null,"extendedIdentity5":null,"extendedIdentity6":null,"extendedIdentity7":null,"extendedIdentity8":null,"extendedIdentity9":null,"extendedIdentity10":null,"extendedIdentity11":null,"extendedIdentity12":null,"extendedIdentity13":null,"extendedIdentity14":null,"extendedIdentity15":null,"extendedIdentity16":null,"extendedIdentity17":null,"extendedIdentity18":null,"extendedIdentity19":null,"extendedIdentity20":null,"attributeMetaData":null,"referenceClass":"sailpoint.object.AuditEvent","referenceId":"0acf02c68b2b10d7818b3bca25bf1c31","referenceName":null,"autoCreated":false,"owner":null,"lockInfo":null,"name":null,"locked":false,"description":null}

Sample Parsing

additional.fields["attributeName"] = "LDAP-BusinessEntity"
additional.fields["attributeValue"] = "ABCD-1234"
additional.fields["string1"] = "AttributeSync"
additional.fields["string2"] = "businessEntity"
additional.fields["string3"] = "Set"
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "SAILPOINT_IAM"
metadata.product_event_type = "expansion"
metadata.product_name = "IAM"
metadata.vendor_name = "SAILPOINT"
principal.user.userid = "User"
security_result.about.user.attribute.creation_time = "2023-02-11T11:59:59Z"
security_result.rule_name = "sailpoint.object.AuditEvent"
src.asset.asset_id = ":RequestHandler"
src.file.full_path = "CN=User,OU=AE,OU=Users,OU=.Resources,DC=domain,DC=com"
target.asset.asset_id = ":123456789"
target.domain.name = "domain.com"
target.hostname = "HOSTNAME"

Rules

Coming Soon