Integration of SailPoint IIQ with QRadar to monitor audit activities

milinaphalke · October 31, 2023, 6:32am

Hi All,

We are in the process to integrate SailPoint with SIEM system.

So, we want the SIEM (QRadar) to monitor all the auditevent actions like login, login failure, password change etc.

So, we were looking for SailPoint logs which will log all the audit related activities.

Have browsed through the forums and noticed the suggestion to use spt_audit_event table.

Is it good way to allow QRadar to read the spt_audit_event table ? Did anyone implement this solution at their customer end.

Please share inputs.

Thanks & Regards,

Milina Phalke

MVKR7T · November 1, 2023, 12:37pm

Alternatively you can use SIEM Plugin as well.

I don’t see any issue with that, I would go for read only permission.

In one of my clients, We integrated with Splunk with config in log4j. Splunk reads all the SailPoint logs, send us an email if there are any errors.

system · December 31, 2023, 12:37pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Use cases covered to monitor SailPoint IIQ using QRadar IIQ Discussion and Questions identityiq	2	257	December 30, 2023
IIQ REST API List needed IIQ Discussion and Questions	6	1865	July 19, 2023
IDN2QRadar - Open Source Tool ISC Show and Tell	0	2654	March 23, 2021
SailPoint SIEM Plugin Plugins identityiq , plugins , sailpoint-certified	0	1070	July 12, 2023
Custom Task to Prune Audit Logs IIQ Discussion and Questions rules , identityiq	3	229	March 28, 2024