SailPoint IdentityIQ¶
About¶
IdentityIQ delivers full lifecycle and compliance management for comprehensive identity security.
Product Details¶
Vendor URL: SailPoint IdentityIQ
Product Type: Identity Access Management
Product Tier: Tier III
Integration Method: Custom
Integration URL: Not available
Log Guide: N\A
Parser Details¶
Log Format: SYSLOG
Expected Normalization Rate: 100%
Data Label: SAILPOINT_IIQ
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| id | metadata.product_log_id |
| type | metadata.product_event_type |
| host | principal.hostname |
| requesterIdentitySummary.id | principal.user.userid |
| requesterIdentitySummary.name | principal.user.user_display_name |
| targetIdentitySummary.id | target.user.userid |
| target.user.user_display_name | target.user.user_display_name |
| path | src.file.full_path. |
| completionStatus | additional.fields["Completion Status"] |
| executionStatus | additional.fields["Execution Status"] |
| operation | additional.fields["Operation "] |
| approvalStatus | additional.fields["Approval Status"] |
| provisioningStatus | additional.fields["Provisioning Status"] |
| errors.0 | security_result.description |
Log Sample¶
<13>1 2025-08-05T19:09:57.827+00:00 host1234 IdentityIQ - - - {"clientMetadata":null,"@timestamp":"2025-08-05T19:09:57.827Z","warnings":null,"requesterIdentitySummary":null,"modified":"2025-08-05T19:09:57.830Z","type":"Identity Refresh","completionStatus":"SUCCESS","created":"2025-08-05T19:09:57.512Z","logType":"sailpoint","executionStatus":"COMPLETED","host":"aws1siem101pv","event":{"original":"{\"requesterIdentitySummary\":null,\"items\":[{\"id\":\"ac4a1bg13glq319d1024gdl68kde1c66\",\"clientMetadata\":null,\"name\":\"ac4a1bg13glq319d1024gdl68kde1c66\",\"nativeIdentity\":null,\"attribute\":\"assignedRoles\",\"sourceId\":\"IdentityNow\",\"operation\":\"REMOVE\",\"removeDate\":null,\"requesterComment\":null,\"reviewerComment\":null,\"approvalStatus\":\"PENDING\",\"value\":\"Workday - terminated [cloudLifecycle-1234567890]\",\"requested\":\"2025-08-05T19:09:57.506Z\",\"accountRequestInfo\":null,\"reviewerIdentitySummary\":null,\"provisioningStatus\":\"FINISHED\"}],\"modified\":\"2025-08-05T19:09:57.830Z\",\"completionStatus\":\"SUCCESS\",\"id\":\"ac4a1bg13glq319d1024gdl68kde1c66\",\"@version\":\"1\",\"type\":\"Identity Refresh\",\"clientMetadata\":null,\"name\":\"ac4a1bg13glq319d1024gdl68kde1c66\",\"completed\":\"2025-08-05T19:09:57.827Z\",\"created\":\"2025-08-05T19:09:57.512Z\",\"logType\":\"sailpoint\",\"warnings\":null,\"executionStatus\":\"COMPLETED\",\"targetIdentitySummary\":{\"name\":\"100013295\",\"id\":\"ac4a1bg13glq319d1024gdl68kde1c66\"},\"path\":\"/home/abc.json\",\"host\":\"host1234\",\"@timestamp\":\"2025-08-05T19:09:57.827Z\",\"errors\":null}"},"@version":"1","name":"ac4a1bg13glq319d1024gdl68kde1c66","id":"ac4a1bg13glq319d1024gdl68kde1c66","completed":"2025-08-05T19:09:57.827Z","path":"/home/logstash/sailpoint/2025-08-06-00-16-28.json","items":[{"clientMetadata":null,"sourceId":"IdentityNow","attribute":"assignedRoles","approvalStatus":"PENDING","reviewerComment":null,"accountRequestInfo":null,"provisioningStatus":"FINISHED","requested":"2025-08-05T19:09:57.506Z","nativeIdentity":null,"value":"Workday - terminated [cloudLifecycle-123456789]","reviewerIdentitySummary":null,"name":"ac4a1bg13glq319d1024gdl68kde1c66","id":"ac4a1bg13glq319d1024gdl68kde1c66","requesterComment":null,"operation":"REMOVE","removeDate":null}],"targetIdentitySummary":{"id":"ac4a1bg13glq319d1024gdl68kde1c66","name":"100013295"},"errors":null}
Sample Parsing¶
additional.fields["Completion Status"] = "SUCCESS"
additional.fields["Execution Status"] = "COMPLETED"
additional.fields["Operation"] = "REMOVE"
additional.fields["Approval Status"] = "PENDING"
additional.fields["Provisioning Status"] = "FINISHED"
metadata.base_labels.log_types = "SAILPOINT_IIQ"
metadata.event_type = "GENERIC_EVENT"
metadata.product_event_type = "Identity Refresh"
metadata.product_log_id = "ac4a1bg13glq319d1024gdl68kde1c66"
metadata.product_name = "SAILPOINT IIQ"
metadata.vendor_name = "SAILPOINT"
principal.asset.hostname = "host1234"
principal.hostname = "host1234"
target.user.user_display_name = "111115331"
target.user.userid = "ac4a1bg13glq319d1024gdl68kde1c66"