Sailpoint Identity Security Cloud
| Version | 0.3.0 beta:[] (View all) |
| Compatible Kibana version(s) | 8.16.1 or higher 9.0.0 or higher |
| Supported Serverless project types What's this? |
Security Observability |
| Subscription level What's this? |
Basic |
| Level of support What's this? |
Elastic |
The Elastic integration for Sailpoint Identity Security Cloud enables real-time monitoring and analysis of identity security events within the SailPoint platform. This integration collects, processes, and visualizes audit logs, access activities, and identity lifecycle events to enhance security posture, compliance, and operational efficiency.
events: Provides audit data that includes actions such asUSER_MANAGEMENT,PASSWORD_ACTIVITY,PROVISIONING,ACCESS_ITEM,SOURCE_MANAGEMENT,CERTIFICATION,AUTH,SYSTEM_CONFIG,ACCESS_REQUEST,SSO,WORKFLOW,SEGMENTand more.- Audit Events are records that a user took action in an IdentityNow tenant, or other service like IdentityAI. Audit Events are structurally and conceptually very similar to IdentityIQ'sAudit Events, but have evolved in several ways.
- This data stream leverages the Sailpoint identity security cloud API's
/v2024/search/eventsendpoint to retrieve event logs.
Log in to the application with an administrator account and generate a Personal Access Token (PAT). Personal access tokens are associated with a user in Sailpoint identity security cloud and inherit the user's permission level (e.g., Admin, Helpdesk, etc.) to determine access.
To create a Personal Access Token (PAT) using an admin account, follow the instructions provided in the official documentation:
Generate a Personal Access Token.
Event documents can be found by setting the following filter:
event.dataset : "sailpoint_identity_sc.events"
Example
{
"@timestamp": "2024-12-12T10:58:27.962Z",
"agent": {
"ephemeral_id": "c66d99e7-2d3b-4b3a-98ea-d64d114e37fe",
"id": "e8f2e5b9-6585-49bd-9022-eb2edfc745c1",
"name": "elastic-agent-98705",
"type": "filebeat",
"version": "8.15.0"
},
"data_stream": {
"dataset": "sailpoint_identity_sc.events",
"namespace": "71277",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "e8f2e5b9-6585-49bd-9022-eb2edfc745c1",
"snapshot": false,
"version": "8.15.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"iam"
],
"dataset": "sailpoint_identity_sc.events",
"ingested": "2025-02-11T15:12:05Z",
"kind": "event",
"module": "sailpoint_identity_sc",
"type": [
"info"
]
},
"host": {
"geo": {
"city_name": "Milton",
"continent_name": "North America",
"country_iso_code": "US",
"country_name": "United States",
"location": {
"lat": 47.2513,
"lon": -122.3149
},
"region_iso_code": "US-WA",
"region_name": "Washington"
},
"ip": [
"216.160.83.56"
]
},
"input": {
"type": "cel"
},
"related": {
"hosts": [
"216.160.83.56"
],
"user": [
"test.user"
]
},
"sailpoint_identity_sc": {
"events": {
"_type": "event",
"_version": "v2",
"action": "USER_PASSWORD_UPDATE_PASSED",
"actor": {
"name": "test.user"
},
"attributes": {
"account_id": "test.user",
"host_name": "216.160.83.56",
"info": "Password workflow invoked successfully. Request Id :923169315cab448cac82091dc4827f38",
"org": "ta-partner14055",
"pod": "se01-useast1",
"scope": [
"sp:scopes:all"
],
"source_name": "IdentityNow"
},
"created": "2024-12-12T10:58:27.962Z",
"details": "38eef046d4594d7e9186cee997232f3d",
"id": "f514ad697321c49b61b65ec9b5099a192eb598d2c520d4e09f958f7abdfc16dd",
"ip_address": "216.160.83.56",
"name": "Update User Password Passed",
"objects": [
"USER",
"PASSWORD"
],
"operation": "UPDATE",
"org": "ta-partner14055",
"pod": "se01-useast1",
"stack": "pigs",
"status": "PASSED",
"synced": "2024-12-23T10:58:32.977Z",
"target": {
"name": "test.user"
},
"technical_name": "USER_PASSWORD_UPDATE_PASSED",
"tracking_number": "fb38cc3fb990451dab51133aed21268a",
"type": "PASSWORD_ACTIVITY"
}
},
"tags": [
"forwarded",
"sailpoint_identity_sc.events"
]
}
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
The following non-ECS fields are used in events documents:
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| input.type | Input type. | keyword |
| sailpoint_identity_sc.events._type | Document type of the access profile. This enum represents currently supported document types. Additional values may be introduced in the future without prior notice. | keyword |
| sailpoint_identity_sc.events._version | Version of the SailPoint events. Example: V2. | keyword |
| sailpoint_identity_sc.events.action | Event name as displayed in audit reports. | keyword |
| sailpoint_identity_sc.events.actor.name | Name of the actor responsible for generating the event. Example: System. | keyword |
| sailpoint_identity_sc.events.attributes.access_profiles_after | Access profiles assigned after the event. | keyword |
| sailpoint_identity_sc.events.attributes.access_profiles_before | Access profiles assigned before the event. | keyword |
| sailpoint_identity_sc.events.attributes.account_id | Account identifier. | keyword |
| sailpoint_identity_sc.events.attributes.account_name | Name of the account. | keyword |
| sailpoint_identity_sc.events.attributes.account_source | Source of the account. | keyword |
| sailpoint_identity_sc.events.attributes.account_uuid | Unique identifier for the account. | keyword |
| sailpoint_identity_sc.events.attributes.app_id | Application identifier. | keyword |
| sailpoint_identity_sc.events.attributes.attribute_name | Name of the attribute. | keyword |
| sailpoint_identity_sc.events.attributes.attribute_value | Value of the attribute. | keyword |
| sailpoint_identity_sc.events.attributes.cloud_app_name | Name of the cloud application. | keyword |
| sailpoint_identity_sc.events.attributes.description | Description of the entity. | keyword |
| sailpoint_identity_sc.events.attributes.duration | Duration of the process. | keyword |
| sailpoint_identity_sc.events.attributes.errors | Errors related to the event. | keyword |
| sailpoint_identity_sc.events.attributes.host_name | Hostname involved in the event. | ip |
| sailpoint_identity_sc.events.attributes.id | Unique identifier. | keyword |
| sailpoint_identity_sc.events.attributes.identities_processed | Identifier for processed identities. | keyword |
| sailpoint_identity_sc.events.attributes.identities_selected | Number of selected identities. | keyword |
| sailpoint_identity_sc.events.attributes.identities_total | Total number of identities involved. | keyword |
| sailpoint_identity_sc.events.attributes.info | Information related to the attribute in the event. Example: SailPoint. | keyword |
| sailpoint_identity_sc.events.attributes.interface | Interface associated with the event. | keyword |
| sailpoint_identity_sc.events.attributes.match_all_account | Criteria for matching all accounts. | keyword |
| sailpoint_identity_sc.events.attributes.match_all_accounts_after | Matching criteria for accounts after the event. | keyword |
| sailpoint_identity_sc.events.attributes.match_all_accounts_before | Matching criteria for accounts before the event. | keyword |
| sailpoint_identity_sc.events.attributes.modified_after | Last modification timestamp after the event. | keyword |
| sailpoint_identity_sc.events.attributes.modified_before | Last modification timestamp before the event. | keyword |
| sailpoint_identity_sc.events.attributes.name | Name of the entity. | keyword |
| sailpoint_identity_sc.events.attributes.operation | Type of operation. | keyword |
| sailpoint_identity_sc.events.attributes.org | Organization involved in the event. Example: acme. | keyword |
| sailpoint_identity_sc.events.attributes.pod | Pod name involved in the event. Example: stg03-useast1. | keyword |
| sailpoint_identity_sc.events.attributes.process_id | Process identifier. | keyword |
| sailpoint_identity_sc.events.attributes.scope | Scope of the event. | keyword |
| sailpoint_identity_sc.events.attributes.segment | Segment associated with the event. | keyword |
| sailpoint_identity_sc.events.attributes.source_name | Name of the source involved in the event. | keyword |
| sailpoint_identity_sc.events.attributes.user_id | User identifier. | keyword |
| sailpoint_identity_sc.events.attributes.users_added | Users added during the event. | keyword |
| sailpoint_identity_sc.events.created | ISO-8601 date-time indicating when the object was created. | date |
| sailpoint_identity_sc.events.details | Identifier for event details. | keyword |
| sailpoint_identity_sc.events.id | Unique identifier for the access profile. | keyword |
| sailpoint_identity_sc.events.ip_address | IP address of the target system. | ip |
| sailpoint_identity_sc.events.name | Name of the access profile. | keyword |
| sailpoint_identity_sc.events.objects | Objects affected by the event. | keyword |
| sailpoint_identity_sc.events.operation | Operation or action performed during the event. | keyword |
| sailpoint_identity_sc.events.org | Organization associated with the event. Example: acme. | keyword |
| sailpoint_identity_sc.events.pod | Name of the pod involved in the event. Example: stg03-useast1. | keyword |
| sailpoint_identity_sc.events.stack | The event stack. Example: Type. | keyword |
| sailpoint_identity_sc.events.status | Status of the event. | keyword |
| sailpoint_identity_sc.events.synced | ISO-8601 date-time indicating when the object was queued for synchronization into the search database for API use. | date |
| sailpoint_identity_sc.events.target.name | Name of the target or recipient of the event. | keyword |
| sailpoint_identity_sc.events.technical_name | Normalized event name following the pattern 'objects_operation_status'. | keyword |
| sailpoint_identity_sc.events.tracking_number | Identifier for the group of events. | keyword |
| sailpoint_identity_sc.events.type | Type of event. Refer to the Event Types list for more details. Example: "IDENTITY_PROCESSING". | keyword |
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
| 0.3.0 | Enhancement (View pull request) Enable request trace log removal. |
— |
| 0.2.1 | Bug fix (View pull request) Added description to ssl nodes in package level manifest.yml file to including links to documentation. |
— |
| 0.2.0 | Enhancement (View pull request) Update Kibana constraint to support 9.0.0. |
— |
| 0.1.0 | Enhancement (View pull request) Initial release. |
— |