Skip to content

SailPoint IdentityIQ

SailPoint IdentityIQ

About

IdentityIQ delivers full lifecycle and compliance management for comprehensive identity security.

Product Details

Vendor URL: SailPoint IdentityIQ

Product Type: Identity Access Management

Product Tier: Tier III

Integration Method: Custom

Integration URL: Not available

Log Guide: N\A

Parser Details

Log Format: SYSLOG

Expected Normalization Rate: 100%

Data Label: SAILPOINT_IIQ

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
id metadata.product_log_id
type metadata.product_event_type
host principal.hostname
requesterIdentitySummary.id principal.user.userid
requesterIdentitySummary.name principal.user.user_display_name
targetIdentitySummary.id target.user.userid
target.user.user_display_name target.user.user_display_name
path src.file.full_path.
completionStatus additional.fields["Completion Status"]
executionStatus additional.fields["Execution Status"]
operation additional.fields["Operation "]
approvalStatus additional.fields["Approval Status"]
provisioningStatus additional.fields["Provisioning Status"]
errors.0 security_result.description

Log Sample

<13>1 2025-08-05T19:09:57.827+00:00 host1234 IdentityIQ - - - {"clientMetadata":null,"@timestamp":"2025-08-05T19:09:57.827Z","warnings":null,"requesterIdentitySummary":null,"modified":"2025-08-05T19:09:57.830Z","type":"Identity Refresh","completionStatus":"SUCCESS","created":"2025-08-05T19:09:57.512Z","logType":"sailpoint","executionStatus":"COMPLETED","host":"aws1siem101pv","event":{"original":"{\"requesterIdentitySummary\":null,\"items\":[{\"id\":\"ac4a1bg13glq319d1024gdl68kde1c66\",\"clientMetadata\":null,\"name\":\"ac4a1bg13glq319d1024gdl68kde1c66\",\"nativeIdentity\":null,\"attribute\":\"assignedRoles\",\"sourceId\":\"IdentityNow\",\"operation\":\"REMOVE\",\"removeDate\":null,\"requesterComment\":null,\"reviewerComment\":null,\"approvalStatus\":\"PENDING\",\"value\":\"Workday - terminated [cloudLifecycle-1234567890]\",\"requested\":\"2025-08-05T19:09:57.506Z\",\"accountRequestInfo\":null,\"reviewerIdentitySummary\":null,\"provisioningStatus\":\"FINISHED\"}],\"modified\":\"2025-08-05T19:09:57.830Z\",\"completionStatus\":\"SUCCESS\",\"id\":\"ac4a1bg13glq319d1024gdl68kde1c66\",\"@version\":\"1\",\"type\":\"Identity Refresh\",\"clientMetadata\":null,\"name\":\"ac4a1bg13glq319d1024gdl68kde1c66\",\"completed\":\"2025-08-05T19:09:57.827Z\",\"created\":\"2025-08-05T19:09:57.512Z\",\"logType\":\"sailpoint\",\"warnings\":null,\"executionStatus\":\"COMPLETED\",\"targetIdentitySummary\":{\"name\":\"100013295\",\"id\":\"ac4a1bg13glq319d1024gdl68kde1c66\"},\"path\":\"/home/abc.json\",\"host\":\"host1234\",\"@timestamp\":\"2025-08-05T19:09:57.827Z\",\"errors\":null}"},"@version":"1","name":"ac4a1bg13glq319d1024gdl68kde1c66","id":"ac4a1bg13glq319d1024gdl68kde1c66","completed":"2025-08-05T19:09:57.827Z","path":"/home/logstash/sailpoint/2025-08-06-00-16-28.json","items":[{"clientMetadata":null,"sourceId":"IdentityNow","attribute":"assignedRoles","approvalStatus":"PENDING","reviewerComment":null,"accountRequestInfo":null,"provisioningStatus":"FINISHED","requested":"2025-08-05T19:09:57.506Z","nativeIdentity":null,"value":"Workday - terminated [cloudLifecycle-123456789]","reviewerIdentitySummary":null,"name":"ac4a1bg13glq319d1024gdl68kde1c66","id":"ac4a1bg13glq319d1024gdl68kde1c66","requesterComment":null,"operation":"REMOVE","removeDate":null}],"targetIdentitySummary":{"id":"ac4a1bg13glq319d1024gdl68kde1c66","name":"100013295"},"errors":null}

Sample Parsing

additional.fields["Completion Status"] = "SUCCESS"
additional.fields["Execution Status"] = "COMPLETED"
additional.fields["Operation"] = "REMOVE"
additional.fields["Approval Status"] = "PENDING"
additional.fields["Provisioning Status"] = "FINISHED"
metadata.base_labels.log_types = "SAILPOINT_IIQ"
metadata.event_type = "GENERIC_EVENT"
metadata.product_event_type = "Identity Refresh"
metadata.product_log_id = "ac4a1bg13glq319d1024gdl68kde1c66"
metadata.product_name = "SAILPOINT IIQ"
metadata.vendor_name = "SAILPOINT"
principal.asset.hostname = "host1234"
principal.hostname = "host1234"
target.user.user_display_name = "111115331"
target.user.userid = "ac4a1bg13glq319d1024gdl68kde1c66"