Security Information and Event Management (SIEM) technologies provide real-time analysis of security alerts generated by network hardware and applications. Oftentimes this is done through the 'scraping' of end-system log files, which are then filtered, analyzed, and prepared for easy consumption by security administrators. In general, SIEM tools excel at the detection and reporting of threats, vulnerabilities, and security events - but are limited in their ability to provide real-time mitigation. SailPoint IdentityIQ, with its built-in suite of enterprise application connectors, can alleviate this shortcoming. A symbiotic relationship has been identified, whereby a SIEM tool can detect security issues in near real-time and then provide the necessary information to IdentityIQ which can then mitigate the threat.
SailPoint has developed an official Splunk® Verified adaptive response ‘add-on’ for Splunk® Enterprise Security. This add-on contains a complete catalogue of pre-defined alert actions that map directly to the functionality provided by the IdentityIQ SIEM Plugin. When combined, the SailPoint Adaptive Response Add-on and the IdentityIQ SIEM Plugin provide a powerful integration between IdentityIQ and Splunk® that can:
The add-on also provides a way to retrieve all task results within Splunk®. It does this through the IdentityIQ REST API, which is built on SCIM 2.0.
Additionally, the add-on provides three (3) new source types within Splunk®:
SailPoint Syslog Events: Used to collect Syslog events from IdentityIQ
SailPoint Audit Events: Used to collect Audit events from IdentityIQ
SailPoint Task Results: Used to collect Task results from IdentityIQ
Once ingested into Splunk® these events can be used to populate a custom dashboard visualizing the data.
IMPORTANT UPGRADE NOTE: Support for the 'Basic' authentication type was removed in v2.0.7 of the add-on. From v2.0.7 onwards the add-on supports only OAuth 2.0 authentication.
NOTE: For the Task Results data input there is a small chance of duplicate records. To get distinct events in a search, use the 'dedup' command, which removes duplicate results based on the field(s) you specify; we recommend deduplicating on the 'id' field. dedup keeps the first event it encounters for each value of that field, so which copy survives depends on search order (newest first by default).
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/dedup
Eg: sourcetype="sailpoint_identityiq_task_results" | dedup id | stats count
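The following Python snippet is an added example (not part of the add-on or of SailPoint's code) that reproduces what the search above does to the Task Results events, so you can see why search order matters: Splunk hands dedup the events newest first, and dedup keeps the first occurrence of each id. The sample events are constructed for illustration; only the 'id' field is named on this page, the '_time', 'name' and 'completionStatus' fields are assumed.

```python
"""Simulate `| dedup id | stats count` over IdentityIQ task-result events.

Added example: the events and the field names other than `id` are constructed
assumptions, not data produced by the SailPoint add-on.
"""
from typing import Dict, List

Event = Dict[str, object]

# Constructed sample: three distinct task results, two of which were ingested
# twice. Task 7f000001 was polled while still Pending and again after it
# finished, so its two copies differ in completionStatus.
SAMPLE_EVENTS: List[Event] = [
    {"_time": 1700000300, "id": "7f000001", "name": "Refresh Identities", "completionStatus": "Success"},
    {"_time": 1700000100, "id": "7f000001", "name": "Refresh Identities", "completionStatus": "Pending"},
    {"_time": 1700000200, "id": "7f000002", "name": "Aggregate AD", "completionStatus": "Error"},
    {"_time": 1700000250, "id": "7f000003", "name": "Perform Maintenance", "completionStatus": "Success"},
    {"_time": 1700000250, "id": "7f000003", "name": "Perform Maintenance", "completionStatus": "Success"},
]


def search_order(events: List[Event]) -> List[Event]:
    """Splunk returns events newest first by default; dedup sees them in this order."""
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def dedup(events: List[Event], field: str = "id") -> List[Event]:
    """Keep the first event seen for each value of `field`, like `| dedup <field>`.

    Events that lack the field are dropped, matching dedup's default
    (keepempty=false) behaviour.
    """
    seen = set()
    kept: List[Event] = []
    for event in search_order(events):
        if field not in event:
            continue
        value = event[field]
        if value in seen:
            continue
        seen.add(value)
        kept.append(event)
    return kept


def stats_count(events: List[Event]) -> int:
    """Equivalent of `| stats count` on whatever reached it."""
    return len(events)


def status_by_id(events: List[Event]) -> Dict[str, str]:
    """Which completionStatus survived for each task id after dedup."""
    return {str(e["id"]): str(e["completionStatus"]) for e in dedup(events)}


if __name__ == "__main__":
    print("raw count:", stats_count(SAMPLE_EVENTS))            # 5
    print("deduped count:", stats_count(dedup(SAMPLE_EVENTS)))  # 3
    print("surviving status:", status_by_id(SAMPLE_EVENTS))
```

Because the newest copy wins, the dashboard sees the final status (Success) for task 7f000001 rather than the earlier Pending record. If you need a different copy to survive, sort before dedup explicitly (for example with dedup's sortby option) rather than relying on the default search order.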
Full functionality requires the following:
The following updates were made in v2.0.11 of the SailPoint Adaptive Response Add-on:
- Full compatibility with Python 3.7 and Splunk Cloud.