SailPoint's IdentityNow AuditEvent Add-on has been certified by Splunk and is designed to give customers the ability to extract audit information from one or more of their IdentityNow tenants using Splunk Enterprise or Splunk Cloud. Along with the audit information, the SailPoint Adaptive Response Add-on also provides a source type within Splunk®. This source type is used to collect events from SailPoint's IdentityNow tenant(s). Users can configure this source type to collect events into Splunk® and populate a custom dashboard visualizing the different types and details of these events.
Using IdentityNow's AuditEvents API, we can solve a number of problems with this add-on. Some examples include:
- Surface and gain insights into the brute force password attempts IdentityNow has blocked
- Correlate IdentityNow user activity with other system events to identify coordinated attacks
- Evaluate the timing of login attempts from different geographies to identify problems
Full functionality requires the following:
- To stream AuditEvent data to a Splunk Enterprise or Splunk Cloud deployment, an active IdentityNow tenant must exist.
- The implementer must also have the organization name of their IdentityNow API gateway to complete the configuration.
- Splunk® Enterprise Security (7.3.0+)
Installation and User Guide
- The IdentityNow AuditEvent add-on is designed to be used for data collection.
- A Splunk®-monitored system logs an anomaly.
- SailPoint's IdentityNow AuditEvent Add-on makes HTTP requests to the correct IdentityNow API gateway endpoints.
- The endpoint gathers the audit events.
- Each extracted event can be used for further examination externally.
Searching for sourcetype="sailpoint_identitynow" will list all the events consumed by the add-on.
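The collection flow described above (request audit events from the tenant's API gateway, then land them in Splunk under the sourcetype named here) as an added Python example. This is illustrative code, not the add-on's own implementation. It assumes the tenant host pattern, the OAuth client-credentials token endpoint and the v3 search endpoint as published in SailPoint's public API documentation (verify against your tenant), uses placeholder hostnames and credentials, and builds the Splunk HEC envelope so that each event is indexed at its own `created` timestamp. The paging loop follows `searchAfter` on `(created, id)` so a page boundary that falls between events with the same timestamp does not drop or duplicate events.

```python
"""Illustrative IdentityNow audit-event collector feeding Splunk HEC.
Added example; not SailPoint's or Splunk's code. Hostnames, credentials and
endpoint paths are assumptions or placeholders (see comments)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime
from typing import Any, Callable, Optional

# ASSUMPTION: host pattern and paths follow SailPoint's public v3 API docs.
# ORG is the organization name of the IdentityNow API gateway the page mentions.
ORG = "example-org"                                                     # placeholder
API_BASE = f"https://{ORG}.api.identitynow.com"
TOKEN_URL = f"{API_BASE}/oauth/token"
SEARCH_URL = f"{API_BASE}/v3/search"
HEC_URL = "https://splunk.example.invalid:8088/services/collector/event"  # placeholder
SOURCETYPE = "sailpoint_identitynow"     # the sourcetype named on this page
PAGE_SIZE = 250                          # assumed per-page limit for the search API


def build_search_body(since_iso: str, search_after: Optional[list] = None) -> dict:
    """Search body over the 'events' index: audit events created at or after
    since_iso, sorted by (created, id) so searchAfter paging is stable on ties."""
    body: dict[str, Any] = {
        "indices": ["events"],
        "query": {"query": f"created:[{since_iso} TO *]"},
        "sort": ["created", "id"],
        "limit": PAGE_SIZE,
    }
    if search_after:
        body["searchAfter"] = search_after   # values of the sort keys of the last event seen
    return body


def to_hec_event(audit_event: dict) -> dict:
    """Wrap one audit event in the Splunk HEC envelope, indexed at its own 'created' time."""
    created = datetime.fromisoformat(audit_event["created"].replace("Z", "+00:00"))
    return {
        "time": created.timestamp(),
        "sourcetype": SOURCETYPE,
        "source": f"identitynow:{ORG}",
        "event": audit_event,              # raw event kept intact for field extraction in Splunk
    }


def collect_since(since_iso: str, fetch_page: Callable[[dict], list]) -> list:
    """Drain every audit event since since_iso by following searchAfter until a short page.
    fetch_page is injected so the paging logic can be exercised without network access."""
    envelopes: list = []
    search_after: Optional[list] = None
    while True:
        page = fetch_page(build_search_body(since_iso, search_after))
        envelopes.extend(to_hec_event(e) for e in page)
        if len(page) < PAGE_SIZE:          # a short page means the index is exhausted
            return envelopes
        last = page[-1]
        search_after = [last["created"], last["id"]]


def _post_json(url: str, headers: dict, body: Optional[dict] = None) -> Any:
    """Minimal JSON POST helper (stdlib only)."""
    data = json.dumps(body).encode() if body is not None else b""
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(client_id: str, client_secret: str) -> str:
    """ASSUMPTION: client-credentials grant passed as query parameters, per SailPoint docs."""
    query = urllib.parse.urlencode({"grant_type": "client_credentials",
                                    "client_id": client_id, "client_secret": client_secret})
    return _post_json(f"{TOKEN_URL}?{query}", {})["access_token"]


def fetch_page_live(token: str) -> Callable[[dict], list]:
    """Real fetch_page for collect_since: one POST /v3/search per page."""
    return lambda body: _post_json(SEARCH_URL, {"Authorization": f"Bearer {token}"}, body)


def send_to_hec(envelopes: list, hec_token: str) -> int:
    """Batch the envelopes into one HEC request (newline-delimited JSON); returns count sent."""
    payload = "\n".join(json.dumps(e) for e in envelopes).encode()
    req = urllib.request.Request(HEC_URL, data=payload, method="POST",
                                 headers={"Authorization": f"Splunk {hec_token}"})
    with urllib.request.urlopen(req, timeout=30):
        return len(envelopes)


if __name__ == "__main__":
    # Live run needs real placeholders replaced; left guarded so the module imports offline.
    tok = get_token("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER")
    events = collect_since("2024-01-01T00:00:00Z", fetch_page_live(tok))
    print("forwarded", send_to_hec(events, "HEC_TOKEN_PLACEHOLDER"), "events")
```

Persist the last `(created, id)` pair between runs as a checkpoint and pass it back as `search_after` on the next invocation; that is what turns this one-shot drain into the continuous collection the add-on performs, and it avoids re-indexing events already in Splunk.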