
SHA256 checksum (sailpoint-adaptive-response_2011.tgz) 303105656fefb013b48774b97c7ce0fa082556af68908f982ccc77f153543acc

SailPoint Adaptive Response

Splunk Cloud
The SailPoint Adaptive Response add-on allows Splunk administrators to automate security governance actions, such as revoking access from an enterprise user, using the powerful provisioning engine found in IdentityIQ. Automation begins when Splunk detects an alert and initiates a web-service request to one or more of a dozen action-specific endpoints available in SailPoint IdentityIQ after configuration. SailPoint IdentityIQ then creates, prioritizes, and processes the alert(s).
The add-on also provides a way to retrieve all task results within Splunk®. It uses the IdentityIQ API, built on RESTful SCIM 2.0, to do this.

Along with the custom alert actions, the SailPoint Adaptive Response Add-on also provides three new source types within Splunk®:
  • SailPoint Syslog Events: Used to collect Syslog events from IdentityIQ
  • SailPoint Audit Events: Used to collect Audit events from IdentityIQ
  • SailPoint Task Results: Used to collect Task results from IdentityIQ
Users can configure these source types to collect events into Splunk® and populate a custom dashboard visualizing the different types and details of these events.

Introduction

Security Information and Event Management (SIEM) technologies provide real-time analysis of security alerts generated by network hardware and applications. Oftentimes this is done through the 'scraping' of end-system log files, which are then filtered, analyzed, and prepared for easy consumption by security administrators. In general, SIEM tools excel at the detection and reporting of threats, vulnerabilities, and security events - but are limited in their ability to provide real-time mitigation. SailPoint IdentityIQ, with its built-in suite of enterprise application connectors, can alleviate this shortcoming. A symbiotic relationship has been identified, whereby a SIEM tool can detect security issues in near real-time and then provide the necessary information to IdentityIQ which can then mitigate the threat.

SailPoint has developed an official Splunk® Verified adaptive response ‘add-on’ for Splunk® Enterprise Security. This add-on contains a complete catalogue of pre-defined alert actions that map directly to the functionality provided by the IdentityIQ SIEM Plugin. When combined, the SailPoint Adaptive Response Add-on and the IdentityIQ SIEM Plugin provide a powerful integration between IdentityIQ and Splunk® that can:

  1. Gather and display IdentityIQ AuditEvents and SyslogEvents in Splunk
  2. Initiate identity, application, or entitlement based certifications
  3. Automatically disable or remove access from identities
  4. Disable or remove access from identities with additional approval steps

The add-on also provides a way to retrieve all task results within Splunk®. It uses the IdentityIQ API, built on RESTful SCIM 2.0, to do this.

Additionally, the add-on provides three new source types within Splunk®:
  • SailPoint Syslog Events: Used to collect Syslog events from IdentityIQ
  • SailPoint Audit Events: Used to collect Audit events from IdentityIQ
  • SailPoint Task Results: Used to collect Task results from IdentityIQ
Once ingested into Splunk®, these events can be used to populate a custom dashboard visualizing the data.

IMPORTANT UPGRADE NOTE: Support for the 'Basic' authentication type has been removed in v2.0.7 of the add-on. From v2.0.7 onwards, this add-on supports only OAuth 2.0 authentication.

NOTE: The Task Results data input can, in rare cases, produce duplicate records. To get distinct events in a search, use the 'dedup' command, which removes duplicate results based on one field; we recommend deduplicating on the field 'id'. The events that dedup keeps depend on the search order.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/dedup

Eg: sourcetype="sailpoint_identityiq_task_results" | dedup id | stats count
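To make the note above concrete, the following is an added example (not part of the add-on) that reproduces, in Python, what `dedup id | stats count` does to task-result events. The events are constructed sample data, not real IdentityIQ output. The one point that the note only hints at is shown explicitly: dedup keeps the first event it meets for each id value, and because Splunk returns events most recent first unless told otherwise, that means the newest copy of a duplicated task result survives. Events that lack the field are dropped, matching dedup's default `keepempty=false` behaviour.

```python
"""Simulate `sourcetype="sailpoint_identityiq_task_results" | dedup id | stats count`.

Constructed example for illustration; not code from the SailPoint add-on.
"""

# Constructed sample events. The task result with id "7f1a" was ingested
# twice (the duplicate-record case the add-on's note describes).
TASK_RESULTS = [
    {"_time": 1691100000, "id": "7f1a", "name": "Perform Maintenance", "completionStatus": "Success"},
    {"_time": 1691100060, "id": "7f1b", "name": "Refresh Identity Cube", "completionStatus": "Error"},
    {"_time": 1691100120, "id": "7f1a", "name": "Perform Maintenance", "completionStatus": "Success"},
    {"_time": 1691100180, "id": "7f1c", "name": "Account Aggregation", "completionStatus": "Success"},
    {"_time": 1691100240, "name": "record with no id field", "completionStatus": "Success"},
]


def search_order(events):
    """Splunk hands events to later pipeline commands most recent first by default."""
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def dedup(events, field, keepempty=False):
    """SPL dedup semantics: keep the first event seen for each value of `field`.

    Events without the field are dropped unless keepempty is True, like dedup's
    keepempty option.
    """
    seen = set()
    kept = []
    for event in events:
        if field not in event:
            if keepempty:
                kept.append(event)
            continue
        value = event[field]
        if value in seen:
            continue
        seen.add(value)
        kept.append(event)
    return kept


def stats_count(events):
    """`| stats count` over the remaining events."""
    return len(events)


def distinct_task_results(events):
    """Full pipeline: search order, dedup on id, then count."""
    return dedup(search_order(events), "id")


def distinct_task_result_count(events):
    return stats_count(distinct_task_results(events))


if __name__ == "__main__":
    print("raw events:", stats_count(TASK_RESULTS))
    print("after dedup id:", distinct_task_result_count(TASK_RESULTS))
    for e in distinct_task_results(TASK_RESULTS):
        print(e["_time"], e["id"], e["name"])
```

Running it shows five raw events reduced to three distinct task results, with the later copy of "7f1a" kept and the id-less record dropped; to see older copies kept instead, the SPL equivalent is `dedup id sortby +_time`.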

Requirements

Full functionality requires the following:

  • IdentityIQ 7.3 or higher
  • IdentityIQ SIEM Plugin installed
  • Splunk® Enterprise Security (8.0+)

Installation and User Guide

https://community.sailpoint.com/t5/Identity-Alliance/SailPoint-IdentityIQ-and-Splunk-Enterprise-Security-Integration/ta-p/161250

Solution Brief

https://www.sailpoint.com/identity-library/sailpoint-splunk-integrated-approach-identity-governance-monitoring-auditing/

Frequently Asked Questions

https://community.sailpoint.com/t5/Identity-Alliance/SailPoint-IdentityIQ-and-Splunk-Enterprise-Integration-FAQ/ta-p/208095

Process Overview


  1. A Splunk®-monitored system logs an anomaly
  2. Splunk® detects the anomaly and creates an Alert that uses a SailPoint Adaptive Response alert action
  3. The SailPoint Adaptive Response Add-on action makes a POST request to the IdentityIQ SIEM Plugin endpoint
  4. The endpoint creates an IdentityIQ Alert object and a SIEM Plugin table entry
  5. The SIEM Plugin Service examines the alert and initiates a provisioning request or creates a certification for the LDAP group
  6. Access provided by membership of the LDAP group is disabled or removed in the monitored secure system
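Steps 2 and 3 of the flow above are what a Splunk custom alert action script does: Splunk runs the script with `--execute` and writes a JSON payload (containing, among other keys, `configuration`, `result`, `sid` and `search_name`) to its stdin, and the script turns that into an authenticated HTTPS POST. The skeleton below is an added example, not the add-on's own code and not SailPoint's real API: the endpoint path `/plugin/rest/siem/alert`, the request body field names, the configuration parameter names (`iiq_base_url`, `identity_field`, `action`, `oauth_token`) and the sample payload are all constructed for illustration; consult the installation guide linked above for the real ones. What it does show is the shape of such a script from a defender's standpoint: validating the payload, refusing a non-HTTPS IdentityIQ URL, verifying the server certificate, and redacting the bearer token before anything is logged.

```python
"""Skeleton Splunk custom alert action that forwards an alert to an IdentityIQ
SIEM Plugin endpoint over HTTPS with an OAuth 2.0 bearer token.

Constructed example for illustration. The endpoint path, body fields and
configuration parameter names are assumptions, not SailPoint's real API.
"""
import json
import ssl
import sys
import urllib.request
from urllib.parse import urlparse

# Keys Splunk always includes in the --execute payload that this script relies on.
REQUIRED_KEYS = ("configuration", "result", "sid", "search_name")

# Constructed sample of what Splunk writes to stdin (real payloads carry more keys).
SAMPLE_PAYLOAD = json.dumps({
    "sid": "scheduler__admin__search__RMD5constructed_at_1691100000_1",
    "search_name": "Impossible travel login",
    "configuration": {                      # hypothetical alert-action parameters
        "iiq_base_url": "https://iiq.example.internal/identityiq",
        "identity_field": "user",
        "action": "disableAccount",
        "oauth_token": "constructed-token-value",
    },
    "result": {"_time": "1691100000", "user": "jdoe", "src": "198.51.100.23"},
})


def parse_alert_payload(raw):
    """Parse and sanity-check the JSON payload Splunk passes on stdin."""
    payload = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in payload]
    if missing:
        raise ValueError("alert payload missing keys: %s" % ", ".join(missing))
    return payload


def is_https_endpoint(url):
    """Only talk to IdentityIQ over TLS; a bearer token over http would leak."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def build_siem_request(payload, token):
    """Turn the Splunk payload into (url, headers, body) for the SIEM Plugin POST."""
    cfg = payload["configuration"]
    base = cfg["iiq_base_url"]
    if not is_https_endpoint(base):
        raise ValueError("IdentityIQ base URL must be https://host[:port]/...")
    identity = payload["result"].get(cfg.get("identity_field", "user"))
    if not identity:
        raise ValueError("alert result row has no identity field to act on")
    body = {                                # hypothetical field names
        "identityName": identity,
        "alertType": cfg["action"],
        "source": "splunk",
        "sid": payload["sid"],
        "searchName": payload["search_name"],
    }
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    url = base.rstrip("/") + "/plugin/rest/siem/alert"   # assumed endpoint path
    return url, headers, body


def redact_headers(headers):
    """Copy of the headers safe to write to the alert action log."""
    return {k: ("<redacted>" if k.lower() == "authorization" else v) for k, v in headers.items()}


def send(url, headers, body):
    """POST with certificate verification on (network call; not exercised by the test)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30, context=ssl.create_default_context()) as resp:
        return resp.status


def main(argv, stdin):
    if "--execute" not in argv:
        sys.stderr.write("FATAL unsupported invocation; expected --execute\n")
        return 1
    payload = parse_alert_payload(stdin.read())
    # Real deployments should fetch the token from Splunk's credential store,
    # not from a plain configuration parameter; this is a constructed shortcut.
    token = payload["configuration"]["oauth_token"]
    url, headers, body = build_siem_request(payload, token)
    sys.stderr.write("INFO POST %s headers=%s\n" % (url, redact_headers(headers)))
    return 0 if 200 <= send(url, headers, body) < 300 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:], sys.stdin))
```

Splunk reads the script's stderr into the alert action log, which is why the token is redacted before the request line is written there.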

IdentityIQ Screenshots

Splunk Dashboard


SIEM Plugin User Interface


Alert Widget


Release Notes

Version 2.0.11
Aug. 4, 2023

The following updates were made in SailPoint Adaptive Response Add-on v2.0.11:
  • Full compatibility with Python 3.7 and Splunk Cloud.

