Elastic SIEM plugin for IDNow

Is there a connector or plugin available for IDN to send data from SailPoint to an Elastic SIEM? I see references like the below article but it appears to be all IIQ-centric.

https://community.sailpoint.com/t5/Plugin-Framework/SailPoint-SIEM-Plugin-Installation-and-User-Guide/ta-p/73214

Hey Rebecca! A few qualifying questions, if I may:

  • What data/events are you looking to pull out of IdentityNow into your Elastic SIEM?
  • Does your Elastic SIEM support the ability to ingest webhooks?

All user and administrative activity is captured in the SailPoint solution audit logs and we were looking to send events to our Elastic SIEM to create alerts and react to any potential issues. Another use case is related to our CAM instances. We have failed API calls against some of our environments but not sure if it’s perhaps a misconfiguration or something more - we are looking for more visibility into these types of events as well if available. Webhooks are supported.

You need to reach out to your Elastic admin team and ask them to pull logs from idn on a scheduled interval using search apis. For iiq they have so many apis listed in there but for idn it would be just search apis and most of the time it’s under events. All of those logs should be sufficient.

Elasticsearch should be able to pull logs easily by calling rest api. That’s how idn splunk plugin works.

2 Likes

I concur with Chirag. We don’t yet have event triggers that export the kind of event data you are looking for. Our search API can get to the data you are looking for.

1 Like
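As an added example (not code from the thread, SailPoint or Elastic), here is the scheduled pull that Chirag and the last reply describe: page the IdentityNow search API's events index with searchAfter and hand the hits to Elasticsearch as a _bulk payload. The event field names, the tenant hostname pattern and the sample events are assumptions; fake_fetch stands in for the live HTTPS call so the script runs offline.

```python
import json
import urllib.request
# Constructed sample of IdentityNow audit events as /v3/search "events" hits.
SAMPLE_EVENTS = [
    {"id": "evt-1", "created": "2024-01-01T10:00:00Z", "action": "USER_LOGIN", "status": "PASSED"},
    {"id": "evt-2", "created": "2024-01-01T10:05:00Z", "action": "API_CALL", "status": "FAILED"},
    {"id": "evt-3", "created": "2024-01-01T10:06:00Z", "action": "USER_LOGIN", "status": "FAILED"},
]

def search_body(since, until, limit, search_after=None):
    """Body for POST /v3/search; sorting on (created, id) keeps searchAfter stable."""
    body = {"indices": ["events"],
            "query": {"query": f"created:[{since} TO {until}]"},
            "sort": ["created", "id"], "limit": limit}
    if search_after:
        body["searchAfter"] = search_after
    return body

def iter_events(fetch, since, until, limit=2):
    """Pull one poll window, following searchAfter until a short page."""
    search_after = None
    while True:
        page = fetch(search_body(since, until, limit, search_after))
        yield from page
        if len(page) < limit:
            return
        search_after = [page[-1]["created"], page[-1]["id"]]

def to_bulk_ndjson(events, index="idn-audit"):
    """_bulk payload; reusing the IDN event id as _id keeps overlapping polls idempotent."""
    lines = [json.dumps(x) for ev in events
             for x in ({"index": {"_index": index, "_id": ev["id"]}}, ev)]
    return "\n".join(lines) + "\n"

def idn_fetch(tenant, token):
    """Live /v3/search fetcher; limit travels as a query parameter (host pattern assumed)."""
    def fetch(body):
        url = f"https://{tenant}.api.identitynow.com/v3/search?limit={body.pop('limit')}"
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def fake_fetch(body):
    """Offline stand-in for idn_fetch that serves SAMPLE_EVENTS in sort order."""
    after = body.get("searchAfter")
    rows = [e for e in SAMPLE_EVENTS if not after or [e["created"], e["id"]] > after]
    return rows[:body["limit"]]
```

Run the loop on a cron schedule with a window that slightly overlaps the previous one; the _id reuse means the overlap is harmless, and the FAILED API_CALL events are then available for an Elastic alert rule.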