Non-Employee Risk Management Splunk Add-on


-|-|-|
:spiral_notepad: | Description | The SailPoint Non-Employee Risk Management AuditEvent Add-on is an open-source Splunk add-on built using the Splunk Add-on Builder.
:balance_scale: | Legal Agreement | By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab.
:hammer_and_wrench: | Repository Link | GitHub - sailpoint-oss/colab-non-employee-risk-management-splunk-addon
:hospital: | Supported by | Community Developed

Overview

The SailPoint Non-Employee Risk Management Splunk Add-on is an open-source integration built using the Splunk Add-on Builder. It collects, parses and normalizes audit data from SailPoint’s Non-Employee Risk Management (NERM) API directly into Splunk.

Designed for security teams, this add-on provides visibility into non-employee identity governance by ingesting SailPoint audit logs into Splunk’s search and analytics engine.

It uses Splunk’s onboarding framework to support both Splunk Enterprise and Splunk Cloud deployments, helping teams monitor access activity, audit events and compliance risks across the non-employee identity lifecycle.

For more information about the /search API used by the add-on, click here »

Requirements

  • A Splunk Enterprise or Splunk Cloud instance with admin access
  • API access to the NERM tenant:
    - Tenant name
    - API token (see How to generate token)

Guide

Please see the GitHub project for more details.


We’ve installed the NERM Add-On for Splunk from CoLab, and we’re observing normal activity logs that reflect the Activity logs in the Admin console of NERM itself, but we are also seeing a lot of 404 errors showing up in the Splunk logs, seemingly during periods where NERM is not being used heavily. Does anyone know if the Add-On returns 404s whenever there is no new NERM Activity log present to pull into Splunk?

@sfraser_snhu We haven’t encountered the specific scenario ourselves, but if that’s indeed the case, you’re welcome to make any necessary changes or updates. Since the add-on is open source, you have the flexibility to implement the solution that best resolves the issue.

-Thanks,
Dhara Shah
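As an added illustration, not code from the add-on or from either poster, the block below sketches the shape of a windowed poller for the NERM audit API the add-on relies on (tenant name plus API token, as in the Requirements above), with the HTTP-status triage a practitioner would want when chasing the 404s discussed in the thread. Everything about the API is assumed for the example: the tenant base URL, the endpoint path and parameter names, bearer-token authentication and the response shape. The transport is an offline test double whose "404 on a window with no new activity" behaviour is constructed to mirror the report above; it is not confirmed NERM behaviour.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Transport: (method, url, headers, params) -> (status, body). Injected so the example
# runs offline; in a real add-on this would be the HTTP client call.
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, str]]


class NermAuditPoller:
    """Windowed poller for NERM audit events with a checkpoint and HTTP-status triage.

    Assumed, not taken from the add-on or NERM documentation:
      - tenant base URL https://{tenant}.nonemployee.com
      - endpoint GET /api/audit_events/search with created_at_from / created_at_to
      - Authorization: Bearer <api token>
      - JSON body {"audit_events": [{"id", "created_at", ...}, ...]}
    """

    def __init__(self, tenant: str, api_token: str, transport: Transport) -> None:
        self.url = f"https://{tenant}.nonemployee.com/api/audit_events/search"  # assumption
        self.headers = {"Authorization": f"Bearer {api_token}",                # assumption
                        "Accept": "application/json"}
        self.transport = transport
        self.checkpoint: Optional[str] = None   # newest created_at ingested so far
        self.seen_at_checkpoint: set = set()    # ids at that timestamp, to dedupe re-delivery
        self.diagnostics: List[Dict[str, object]] = []

    def poll(self, window_end: str) -> List[Dict[str, object]]:
        params = {"created_at_to": window_end}
        if self.checkpoint is not None:
            params["created_at_from"] = self.checkpoint   # inclusive lower bound (assumed)
        status, body = self.transport("GET", self.url, self.headers, params)

        if status == 200:
            new_events = []
            for ev in json.loads(body).get("audit_events", []):
                ts, ev_id = ev["created_at"], ev["id"]
                if ts == self.checkpoint and ev_id in self.seen_at_checkpoint:
                    continue                    # boundary event already ingested last window
                if self.checkpoint is None or ts > self.checkpoint:
                    self.checkpoint, self.seen_at_checkpoint = ts, {ev_id}
                elif ts == self.checkpoint:
                    self.seen_at_checkpoint.add(ev_id)
                new_events.append(ev)
            return new_events

        # Diagnostics deliberately exclude self.headers: logging them would write the
        # API token into splunkd.log. Query window and body are enough to triage.
        note = {"status": status, "url": self.url, "params": dict(params), "body": body[:200]}
        if status == 404:
            # An empty window and a wrong tenant/path look identical without this context.
            self.diagnostics.append(note)
            return []
        if status in (401, 403):
            raise PermissionError(f"NERM rejected the API token (HTTP {status})")
        if status == 429:
            self.diagnostics.append(note)       # caller should back off before the next window
            return []
        raise RuntimeError(f"unexpected HTTP {status} from NERM: {body[:200]}")


def make_fake_transport() -> Transport:
    """Constructed offline stand-in for the tenant (a test double, not the real API).
    Call 1 returns two events; every later call, i.e. a window with no new activity,
    returns 404, mimicking the behaviour reported in the thread."""
    state = {"calls": 0}

    def transport(method: str, url: str, headers: Dict[str, str], params: Dict[str, str]):
        state["calls"] += 1
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, '{"error":"unauthorized"}'
        if state["calls"] == 1:
            return 200, json.dumps({"audit_events": [   # constructed sample events
                {"id": "ae-1", "created_at": "2024-05-01T10:00:00Z",
                 "action": "profile.update", "actor": "jdoe"},
                {"id": "ae-2", "created_at": "2024-05-01T10:05:00Z",
                 "action": "profile.create", "actor": "asmith"},
            ]})
        return 404, '{"error":"not found"}'

    return transport


def run_demo() -> Tuple[int, Optional[str], List[Dict[str, object]]]:
    """Two polling windows: the first has activity, the second is idle and yields a 404."""
    poller = NermAuditPoller("example-tenant", "redacted-token", make_fake_transport())
    ingested = poller.poll("2024-05-01T10:10:00Z") + poller.poll("2024-05-01T10:20:00Z")
    for ev in ingested:
        print(json.dumps(ev))                   # one JSON event per line, as Splunk would index
    return len(ingested), poller.checkpoint, poller.diagnostics


if __name__ == "__main__":
    count, checkpoint, diag = run_demo()
    print(f"ingested={count} checkpoint={checkpoint} diagnostics={len(diag)}")
```

In a real add-on the fake transport is replaced by the HTTP client, and the diagnostics list by the add-on's logger. The point is that each 404 is recorded with its query window and response body but never with request headers, so splunkd logs can show whether the 404s line up with idle windows (as the question above suggests) or with a bad tenant name or path, without the API token ever landing in a log file.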