Security Information and Event Management (SIEM) technologies provide real-time analysis of security alerts generated by network hardware and applications. Oftentimes this is done by 'scraping' end-system log files, which are then filtered, analyzed, and prepared for easy consumption by security administrators. In general, SIEM tools excel at detecting and reporting threats, vulnerabilities, and security events, but they are limited in their ability to provide real-time mitigation. SailPoint IdentityIQ, with its built-in suite of enterprise application connectors, can alleviate this shortcoming. The two complement each other: a SIEM tool can detect security issues in near real-time and pass the necessary information to IdentityIQ, which can then mitigate the threat.
SailPoint has developed an official Splunk® Verified adaptive response ‘add-on’ for Splunk® Enterprise Security. This add-on contains a complete catalogue of pre-defined alert actions that map directly to the functionality provided by the IdentityIQ SIEM Plugin. When combined, the SailPoint Adaptive Response Add-on and the IdentityIQ SIEM Plugin provide a powerful integration between IdentityIQ and Splunk® that can:
The add-on also provides a way to retrieve all task results within Splunk®. It uses the IdentityIQ REST API, which is built on SCIM 2.0, to achieve this.
Additionally, the add-on provides three (3) new source types within Splunk®:
SailPoint Syslog Events: Used to collect Syslog events from IdentityIQ
SailPoint Audit Events: Used to collect Audit events from IdentityIQ
SailPoint Task Results: Used to collect Task results from IdentityIQ
Once ingested into Splunk® these events can be used to populate a custom dashboard visualizing the data.
NOTE: For the Task Results data input, there is a small chance of duplicate records. To get distinct events when searching, the 'dedup' command can be used. This command removes duplicate results based on one field; we recommend using the 'id' field. The events returned by dedup depend on the search order (the first event seen for each id is kept).
Eg: sourcetype="sailpoint_identityiq_task_results" | dedup id | stats count
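To make the dedup behaviour concrete, here is an added Python example (not part of the add-on or of SailPoint's code) that emulates the search above on a constructed set of task-result events. The field names, the sample values and the most-recent-first search order are assumptions; it also shows why the order matters when IdentityIQ overwrites a task result.

```python
# Constructed sample events standing in for the sailpoint_identityiq_task_results
# sourcetype. Field names (_time, id, name, completionStatus) are assumptions.
SAMPLE_EVENTS = [
    {"_time": 1700000300, "id": "task-001", "name": "Refresh Identity Cube", "completionStatus": "Success"},
    {"_time": 1700000200, "id": "task-001", "name": "Refresh Identity Cube", "completionStatus": "Success"},
    {"_time": 1700000250, "id": "task-002", "name": "Perform Maintenance", "completionStatus": "Error"},
    {"_time": 1700000100, "id": "task-002", "name": "Perform Maintenance", "completionStatus": "Success"},
    {"_time": 1700000050, "id": "task-003", "name": "Sequential Task", "completionStatus": "Success"},
    {"_time": 1700000010, "name": "event without an id field"},
]


def search_order(events):
    """Splunk returns events most recent first; reproduce that ordering."""
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def dedup(events, field="id"):
    """Emulate `| dedup <field>`: keep the first event seen for each value of
    the field, in search order. Events lacking the field are dropped, which is
    Splunk's default (keepempty=false)."""
    seen = set()
    kept = []
    for ev in events:
        key = ev.get(field)
        if key is None or key in seen:
            continue
        seen.add(key)
        kept.append(ev)
    return kept


def distinct_task_result_count(events):
    """Equivalent of: ... | dedup id | stats count"""
    return len(dedup(search_order(events)))


def count_by_status(events):
    """Equivalent of: ... | dedup id | stats count by completionStatus.
    Because dedup keeps the most recent event per id, a task whose result was
    overwritten in IdentityIQ is counted under its latest status only."""
    counts = {}
    for ev in dedup(search_order(events)):
        status = ev.get("completionStatus", "unknown")
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    print(distinct_task_result_count(SAMPLE_EVENTS))  # 3
    print(count_by_status(SAMPLE_EVENTS))             # {'Success': 2, 'Error': 1}
```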
Full functionality requires the following:
Fixed a bug in the Task Results data input that occurred when results are pruned or overwritten in IdentityIQ.
Fixed Cloud Vetting issues:
Added check for is_https for all the data inputs.
Removed the log statement.
Added global parameters for all data inputs.
Removed the reference of log statements from both data inputs and application alerts.