elastic/integrations

[New Integration] Sailpoint Identity Security Cloud

Opened this issue · 0 comments

Description

Sailpoint Identity Security Cloud provides enterprise identity governance and security capabilities. The integration is designed to let users extract audit information from their Identity Security Cloud tenant using ISC's AuditEvent API.

Architecture

Sailpoint exposes audit events via Identity Security Cloud's AuditEvents API. These represent events such as an admin creating or deleting applications, successful authentications, provisioning failures, etc., and can be extracted via /v3/search/events.

Each audit event contains:

  • Organization and pod details
  • Timestamp and event ID
  • Action and event type classification
  • Actor and target identity information
  • IP address and tracking data
  • Event details and attributes
  • Operation status and technical metadata

```json
{
    "org": "org_name",
    "pod": "stg01-uswest2",
    "created": "2019-09-13T23:29:37.097Z",
    "id": "ffd69f6f-c3bc-4dbf-89cf-f4d7f91834bb",
    "action": "AUTHENTICATION-103",
    "type": "AUTH",
    "actor": {
        "name": "Adam.Kennedy"
    },
    "target": {
        "name": "Adam.Kennedy"
    },
    "stack": "oathkeeper",
    "trackingNumber": "748e1adb8fa94cda8f5b054e869c24cd",
    "ipAddress": "207.189.160.209",
    "details": "748e1adb8fa94cda8f5b054e869c24cd",
    "attributes": {
        "pod": "stg01-uswest2",
        "org": "org_name",
        "sourceName": "SailPoint",
        "info": "LOGIN_SUCCESS"
    },
    "objects": [
        "AUTHENTICATION"
    ],
    "operation": "REQUEST",
    "status": "PASSED",
    "technicalName": "AUTHENTICATION_REQUEST_PASSED",
    "name": "Request Authentication Passed",
    "synced": "2019-09-13T23:29:38.428Z"
}
```

Reference:

Dashboard Ideas

The dashboard provides a comprehensive view of identity-related events and enables quick analysis of security patterns and system usage, such as authentication failures, system configuration changes, provisioning attempts and access request patterns.

Visualization types:

  • Key metrics overview: Quick-view cards showing critical numbers for security events, failed attempts, configuration changes, and provisioning
  • Event distribution: Pie chart showing the breakdown of different event types
  • Operation patterns: Bar chart displaying ADD/MODIFY/DELETE operations
  • Authentication trends: Line chart tracking authentication success/failures over time
  • Event status: Bar chart showing PASSED/FAILED/PROCESSED status distribution
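As an added illustration (not code from this issue or from the integration's ingest pipeline), the sketch below flattens AuditEvents of the shape shown above into ECS-named fields and computes the counts behind the "Event status" and "Authentication trends" panels. The `status`/`type`/`operation` to ECS value maps and the `sailpoint.*` field names are assumptions, and the two extra events in the sample are constructed.

```python
from collections import Counter

# Assumed value maps (illustrative; not taken from the integration's ingest pipeline).
OUTCOME = {"PASSED": "success", "FAILED": "failure"}           # ISC status    -> event.outcome
CATEGORY = {"AUTH": "authentication", "PROVISIONING": "iam"}   # ISC type      -> event.category
EVENT_TYPE = {"ADD": "creation", "MODIFY": "change", "DELETE": "deletion", "REQUEST": "access"}

def to_ecs(ev):
    """Flatten one ISC AuditEvent (shape as in the sample above) into ECS-named fields."""
    doc = {
        "@timestamp": ev["created"],
        "event.id": ev["id"],
        "event.action": ev.get("action"),
        "event.category": CATEGORY.get(ev.get("type"), "iam"),
        "event.type": EVENT_TYPE.get(ev.get("operation"), "info"),
        "event.outcome": OUTCOME.get(ev.get("status"), "unknown"),
        "user.name": ev.get("actor", {}).get("name"),
        "user.target.name": ev.get("target", {}).get("name"),
        "source.ip": ev.get("ipAddress"),
        "sailpoint.technical_name": ev.get("technicalName"),   # assumed custom field name
        "sailpoint.info": ev.get("attributes", {}).get("info"),  # assumed custom field name
    }
    return {k: v for k, v in doc.items() if v is not None}   # drop absent optional fields

def outcome_by_category(docs):
    """Counts behind an 'Event status' panel: (event.category, event.outcome) -> count."""
    return Counter((d["event.category"], d["event.outcome"]) for d in docs)

def failed_auth_by_ip(docs):
    """Failed authentications per source IP, the series a failed-login panel would plot."""
    return Counter(d.get("source.ip", "unknown") for d in docs
                   if d["event.category"] == "authentication" and d["event.outcome"] == "failure")

# Constructed sample: the event from this issue plus two invented ones (not real tenant data).
SAMPLE = [
    {"created": "2019-09-13T23:29:37.097Z", "id": "ffd69f6f-c3bc-4dbf-89cf-f4d7f91834bb",
     "action": "AUTHENTICATION-103", "type": "AUTH", "actor": {"name": "Adam.Kennedy"},
     "target": {"name": "Adam.Kennedy"}, "ipAddress": "207.189.160.209", "operation": "REQUEST",
     "status": "PASSED", "technicalName": "AUTHENTICATION_REQUEST_PASSED",
     "attributes": {"info": "LOGIN_SUCCESS"}},
    {"created": "2019-09-13T23:31:02.000Z", "id": "example-2", "action": "AUTHENTICATION-103",
     "type": "AUTH", "actor": {"name": "Adam.Kennedy"}, "ipAddress": "198.51.100.7",
     "operation": "REQUEST", "status": "FAILED", "technicalName": "AUTHENTICATION_REQUEST_FAILED"},
    {"created": "2019-09-13T23:40:00.000Z", "id": "example-3", "action": "PROVISIONING-1",
     "type": "PROVISIONING", "actor": {"name": "admin"}, "target": {"name": "Adam.Kennedy"},
     "operation": "ADD", "status": "PASSED", "technicalName": "ACCOUNT_ADD_PASSED"},
]

if __name__ == "__main__":
    docs = [to_ecs(e) for e in SAMPLE]
    print(outcome_by_category(docs))
    print(failed_auth_by_ip(docs))
```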

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

  • Change follows the contributing guidelines
  • Supported versions of the monitoring target are documented
  • Supported operating systems are documented (if applicable)
  • Integration or System tests exist
  • Documentation exists, useful guidelines to follow
  • Fields follow ECS and naming conventions
  • At least a manual test with ES / Kibana / Agent has been performed.
  • Required Kibana version set to: