Overview

Security Information and Event Management technologies provide real-time analysis of security alerts generated by network hardware and applications. Oftentimes this is done through the ‘scraping’ of end-system log files, which are then filtered, analyzed, and prepared for easy consumption by security administrators. In general, SIEM tools excel at the detection and reporting of threats, vulnerabilities, and security events - but are lacking in their ability to provide real-time mitigation. IdentityIQ, with its built-in suite of enterprise application connectors, can alleviate this shortcoming. A symbiotic relationship has been identified, whereby a SIEM tool can detect security issues in near real-time and then provide the necessary information to IdentityIQ which can then mitigate the threat. The SIEM Plugin has been developed by SailPoint to provide an integration point between third party SIEM monitoring tools and IdentityIQ.

The Plugin itself is meant to be a ‘jumping off point’ for future developments. A basic set of use cases was defined and implemented, but the logic can be extended to satisfy additional processes.

Requirements

1. Plugin Administrator access to IdentityIQ 7.2 or higher (for installation only)
2. A SIEM product cable of making external REST API when a security event is triggered
3. An Identity that can be configured/assigned with the Capabilities (included in the Plugin) SIEMAdministrator and SIEMExtAdministrator, and the out of the box Capability (WebServicesExecutor). An example Identity is included with the plugin that has these capabilities assigned - the Identity is named ‘siemservice’.

Guide

Installation Instructions

1. Download the latest SIEM Plugin release files from GitHub
2. Log into IdentityIQ as an administrator or plugin administrator
3. Navigate to the ‘Gear Icon’->‘Plugins’ Screen
4. Click the ‘New’ button at the top right
5. Drag and drop the archive or select the file using the IdentityIQ plugin installation screen
6. Once properly installed, a new widget will appear on the plugin screen, and a ‘pie’ icon will appear in the top navigation bar of the IdentityIQ UI

Prerequisites

The SIEM Plugin requires that angular snippets are enabled in the IdentityIQ instance. To enable angular snippets, modify the iiq.properties file and set the ‘plugins.angularSnippetEnabled’ flag to true as seen below:

# Determines whether or not plugins are enabled, change
# to false if plugins should be disabled globally
plugins.enabled=true


# Determines if SQL scripts should be executed dynamically
# at the time a plugin is installed, upgraded or uninstalled
plugins.runSqlScripts=true


# Determines if XML object files should be imported dynamically
# at the time a plugin is installed, upgraded or uninstalled
plugins.importObjects=true


# Determines if the global SailPoint angular bundle will be used when
# there are snippets on a page
plugins.angularSnippetEnabled=true

Note: The plugin is built and tested on top of MYSQL - all SQL creation/deletion statements provided are for MYSQL. Any DB that IdentityIQ supports should work as well, however the respective SQL scripts (DB2, Oracle, SQLServer) may need to be adjusted.

Steps

1. Navigate to the ‘Gear’ menu, and select ‘Plugins’:

2. Click the ‘New’ button

3. Drag the .zip archive of the plugin into the section with the ‘upload’ iconography

4. At this point, the plugin should be installed, and you should see the success message below. If errors occurred, refer to the IdentityIQ logs for details

Note: The SailPoint SIEM plugin requires trigger and sequence functions that the ‘identityiqPlugin’ user is not created with permissions to run when installing using Oracle database.

After installing the SIEM plugin, run the following scripts in order to complete the creation of the required database functions on Oracle database.

-- Generate ID using sequence and trigger
CREATE SEQUENCE siem_alert_seq START WITH 1 INCREMENT BY 1;

CREATE OR REPLACE TRIGGER siem_alert_seq_tr
 BEFORE INSERT ON siem_alert FOR EACH ROW
 WHEN (NEW.id IS NULL)
BEGIN
 SELECT siem_alert_seq.NEXTVAL INTO :NEW.id FROM DUAL;
END;
/

If the user you are logged in with does not have permission to create sequences or triggers their permissions will need to be elevated prior to running the above commands. Use this script to do so.

GRANT SELECT ANY SEQUENCE TO <USER>;
GRANT CREATE ANY TRIGGER TO <USER>;
COMMIT;

Uninstall

To remove the SIEM Plugin, simply navigate to the plugin dashboard in IdentityIQ and click the ‘X’ button located in the SIEM Plugin widget:

IMPORTANT NOTE: Deleting a plugin runs the SQL scripts found in the db folder of the unzipped plugin archive - in the case of the SIEM Plugin, and most, this is a destructive operation that will purge the specific plugin tables from the identityiqPlugin database. SIEM alerts residing in that table will be lost, unless a database backup is available.

Design

The overall design for the SIEM plugin is simple: Utilize the IdentityIQ Plugin Frameworks to provide outward facing REST endpoints that when accessed will perform automatic provisioning and/or compliance actions within IdentityIQ. To facilitate this, the SIEM plugin consists of six major components (covered in more detail later):

1. Plugin database - siem_alert table stores basic details of SIEM alerts in the identityiqPlugin database
2. Plugin settings - Used to determine the behavior of the plugin
3. REST endpoints - Determine, along with the provided parameters (JSON body), the behavior required for the Alert
4. XML artifacts - Generic definitions required for the plugin (workflows, certifications, etc…)
5. Service - Creates, provisions, and actions alerts
6. User Interface - Dashboard view of Alert activity

Process Diagram

1. An alert is detected by the SIEM system
2. SIEM system creates an alert action and makes POST request to plugin endpoint
3. Endpoint creates IdentityIQ Alert object and siem_plugin table entry
4. Plugin Service examines alert, and makes provisioning request or creates certification
5. Access is disabled/removed in the monitored secure system

Provisioning

The plugin supports two modes of provisioning:

1. Direct (Default) - the SIEMService will create , compile, and immediately execute a provisioning plan.
2. Workflow (Optional) - the SIEMService will pass the compiled provisioning project to a workflow. This workflow is specified in the plugin settings under the option ‘Provisioning Workflow’. Workflow provisioning is only used if the global plugin setting ‘Defer Provisioning’ is set to true, or if an individual REST endpoint parameter ‘use_workflow’ is set to ‘true’. Custom workflows can be developed and specified in the ‘Provisioning Workflow’ - see the included ‘SIEM Provisioning’ workflow for required input parameters. This option is useful if there are any approval or audit requirements that need to be implemented.

Certifications

Some end points will initiate compliance campaigns within IdentityIQ. These will all use the packaged CertificationDefinitions as a template. Modifications to the template can be made to add additional custom functionality - additional phase transition rules, exclusions, escalations, notifications etc…

Plugin Database

When the Plugin is installed, a table ‘siem_alert’ is created in the plugin database. This database name is specified in the ‘iiq.properties’ associated with the IdentityIQ installation. When a REST endpoint receives a correctly formatted POST request, a new entry will be created in the siem_alert table. This entry will be missing two fields that indicate it is ‘new’ - alert_id and processed_date. These fields are filled in by the background service in IdentityIQ. Each entry can also have a ‘level’ which is used if the plugin setting for prioritizing alerts is utilized (see Plugin settings). The table below describes each field in the seim_alert table and provides a brief description of use.

SIEM_ALERT Table Description

supersedes global SIEM plugin setting for the individual alert|

Note: The plugin is built and tested on top of MYSQL - all SQL creation/deletion statements provided are for MYSQL. Any DB that IdentityIQ supports should work as well, however the respective SQL scripts (DB2, Oracle, SQLServer) may need to be adjusted.

Plugin Settings

The SIEM Plugin contains a few basic settings that determine the behavior of the plugin.

Available Settings

if an individual alert is set to use workflow provisioning|
|Maximum number for Syslog events (per API call)|Maximum number for Syslog events (per API call). Defaulted to 1000.|
|Maximum number for Audit events (per API call)|Maximum number for Audit events (per API call). Defaulted to 1000|

REST Endpoints

The initial set of use cases for SIEM alert mitigation focused on Identity and Application related activities; specifically, removal of access and certification of access. The following chart lists the available endpoints and provides a brief description of the intended outcome. For information regarding the required fields that should be included in the POST request JSON body, see section ‘Instructions for Use’.

Available Action Endpoints

Available Information Endpoints

/applications Endpoint

The applications endpoint is designed to list all the applications with in the IdentityIQ environment.

Request:

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/applications

Response:

[

"HR Employees",

"HR Contractors",

"Active Directory",

"ERP Global",

"ProcurementSystem",

"AdminsApp",

"ADDirectDemodata",

"RealLDAPWithDemoData",

"JDBCDirectDemoData",

"FileBasedAlerts",

"JDBCDirectAlerts",

"SIEM Application"

]

/identityinfo Endpoint

The identityinfo endpoint is designed to allow a SIEM system administrator to get identity context information from IdentityIQ in the very likely situation that they only have knowledge of an application account name (native identifier). When provided with one more more native identifiers in the format:

{

"users": [

{

"nativeIdentity": "CN=Adam Kennedy,OU=London,OU=Europe,OU=DemoData,DC=test,DC=sailpoint,DC=com"

},

{

"nativeIdentity":"CN=Aaron Nichols,OU=Singapore,OU=Asia-Pacific,OU=DemoData,DC=test,DC=sailpoint,DC=com"

}

]

}

The endpoint will respond with a JSON similar to:

{

"identities": [

{

"nativeIdentity": "CN=Aaron Nichols,OU=Singapore,OU=Asia-Pacific,OU=DemoData,DC=test,DC=sailpoint,DC=com",

"results": []

},

{

"nativeIdentity": "CN=Adam Kennedy,OU=London,OU=Europe,OU=DemoData,DC=test,DC=sailpoint,DC=com",

"results": [

{

"confidence": 30,

"name": "Adam Kennedy"

},

{

"confidence": 11,

"name": "Aaron Nichols"

}

]

}

]

}

Reading this response, it is saying that for the first native identity in the POST request, there was no found Identity. For the second request, two possible identities were found, Adam Kenney, and Aaron Nichols. A confidence score is attached that indicates a ‘best guess’ determination on which of the Identities is likely the one being searched for. This confidence score takes into account the Identities last modified date, their last login to IdentityIQ, the number of roles attached to the cube, the number of accounts correlated to the cube, and the number of identity requests made by, and for, the Identity.

Note, the above example is pretty terrible, because the first request for Aaron Nichols said no links existed, but the request for Adam Kennedy clearly returned an Aaron Nichols Identity. This is because of the example, attributes in the database were faked to show a cleanish result:

/syslog-events Endpoint

The syslog events endpoint is determined as a way for external tools to retrieve Syslog event data via RESful webservices. To narrow the result set down, query parameters should be passed as part of the GET request. The chart below describes those parameters.

*Note - If quickKey is present as the query parameter in the request, it will override startTime & endTime as this request is now looking for all the events since the given quickKey (sequence number). One should either use quickKey or startTime & endTime combo to filter the required results.

Here is an example request and response for this endpoint using parameters:

Request:

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/syslog-events?startTime=1542187696669&en...

Response:

{

"syslogEvents": [

{

"assignedScope": null,

"assignedScopePath": null,

"attributeMetaData": null,

"auditClassName": "SyslogEvent",

"autoCreated": false,

"classname": "sailpoint.tools.Console",

"created": 1582055024816,

"description": null,

"dirty": false,

"disabled": false,

"eventLevel": "ERROR",

"id": "7f000001705911b4817059d3e8b00866",

"immutable": false,

"lineNumber": "365",

"lock": null,

"lockInfo": null,

"locked": false,

"message": "org.apache.logging.log4j.core.impl.MutableLogEvent@6fead9a",

"modified": null,

"name": null,

"nameUnique": false,

"originalXml": null,

"owner": null,

"pendingWorkflow": null,

"persisted": true,

"quickKey": "0000000001",

"referenceClass": "sailpoint.object.SyslogEvent",

"referenceId": "7f000001705911b4817059d3e8b00866",

"referenceName": null,

"refreshedExistingLock": false,

"server": "[email protected]",

"signOffs": null,

"stacktrace": "java.lang.IllegalStateException: java.io.IOException: Input/output error\n\tat sailpoint.server.SailPointConsole$ReaderManager.readLine(SailPointConsole.java:339)\n\tat sailpoint.server.SailPointConsole.readLine(SailPointConsole.java:396)\n\tat sailpoint.server.SailPointConsole.readLine(SailPointConsole.java:391)\n\tat sailpoint.tools.Console.interactiveConsole(Console.java:323)\n\tat sailpoint.tools.Console.run(Console.java:91)\n\tat sailpoint.server.SailPointConsole.run(SailPointConsole.java:675)\n\tat sailpoint.server.SailPointConsole.main(SailPointConsole.java:598)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat sailpoint.launch.Launcher.main(Launcher.java:227)\nCaused by: java.io.IOException: Input/output error\n\tat java.io.FileInputStream.readBytes(Native Method)\n\tat java.io.FileInputStream.read(FileInputStream.java:255)\n\tat java.io.BufferedInputStream.read1(BufferedInputStream.java:284)\n\tat java.io.BufferedInputStream.read(BufferedInputStream.java:345)\n\tat sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)\n\tat sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)\n\tat sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)\n\tat java.io.InputStreamReader.read(InputStreamReader.java:184)\n\tat java.io.BufferedReader.fill(BufferedReader.java:161)\n\tat java.io.BufferedReader.readLine(BufferedReader.java:324)\n\tat java.io.BufferedReader.readLine(BufferedReader.java:389)\n\tat sailpoint.server.SailPointConsole$ReaderManager.readLine(SailPointConsole.java:335)\n\t... 11 more\n",

"thread": "main",

"uid": null,

"uniqueKeyProperties": [

"created",

"server",

"classname"

],

"username": "system",

"xml": false

}

],

"currentIndex": 1,

"itemsPerPage": 1,

"totalResults": 1

}

/audit-events Endpoint

The audit events endpoint is determined as a way for external tools to retrieve Audit event data via RESful webservices. To narrow the result set down, query parameters should be passed as part of the GET request. The chart below describes those parameters.

Here is an example request and response for this endpoint using parameters:

Request:

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/audit-events?startTime=1542187696669&end...

Response:

{

"auditEvents": [

{

"accountName": "",

"action": "ProvisioningFailure",

"application": "",

"attributeName": "",

"attributeValue": "",

"attributes": "{taskResultId=8ab075ec6713c5450168629abb481c7c, error1=No configuration found for Enable Account . Please add atleast one operation and try again}",

"created": 1548021252116,

"id": "8ab075ec6713c54501686d41c0101d8a",

"instance": "",

"interface": "LCM",

"owner": "",

"source": "The Administrator",

"string1": "",

"string2": "",

"string3": "",

"string4": "",

"target": "[email protected]",

"trackingId": ""

}

],

"currentIndex": 1,

"itemsPerPage": 1,

"totalResults": 1

}

/auditConfiguration Endpoint

The auditConfiguration endpoint is intended to retrieve specific configurations related to audits in IdentityIQ. Without specifying a parameter ‘name’ the response will contain all audit configuration (names of audit events, if they are active, etc.), when a ‘name’ is specified in the query just the details for that audit event (if it exists) will be returned.

Here are example requests and responses for queries with and without parameterization:

Request (without parameters):

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/auditConfiguration

Response:

[

{

"enabled": false,

"name": "login"

},

{

"enabled": false,

"name": "logout"

},

{

"enabled": false,

"name": "continuousCertItemsOverdue"

},

{

"enabled": true,

"name": "identityLifecycleEvent"

},

{

"enabled": true,

"name": "activate"

},

{

"enabled": true,

"name": "deactivate"

},

{

"enabled": false,

"name": "violationAllowException"

}

]

Request (with parameters):

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/auditConfiguration?name=loginFailure

Response:

{

"enabled": false,

"name": "loginFailure"

}

XML Artifacts

The plugin comes packaged with a number of XML files, some of which are used for basic plugin operation (such as SPRight and service Identity definitions), while others are provided as generic/simple and extendable objects used in the SIEM Service.

Required (Recommend do not modify)

Required (okay to modify)

Service

The main driver of the SIEM plugin is the SIEMService class. It is responsible for the creation of Alert objects within IdentityIQ, determining and performing the correct actions based on the alert entries in the plugin database, updating the plugin database alert entries when actioned, and finally (if specified) removing alert objects from both IdentityIQ and the plugin database. The following methods have been defined:

User Interface

The goal with the UI design was not to replace or extend SIEM tool dashboards - they function very well - but to provide a quick ‘at-a-glance’ activity view for Identity administrators. The new UI features include additional SIEM related data shown in the ‘Identity Warehouse’ view of users, some optional dashboard widgets for the standard IdentityIQ landing page, and a full SIEM dashboard.

SIEM Dashboard

The dashboard can be accessed from any screen in IdentityIQ by clicking on the ‘dashboard’ widget that is added to the ul-navbar-right element:

Once clicked, the user is taken to the fullPage element of the plugin, which in this case is a SIEM Alert dashboard:

There are four sections of the SIEM dashboard - an alert histogram, an alert frequency chart, top 10 alerts view, and an overview of alert information.

Alert Histogram

The alert histogram shows the number of alerts that IdentityIQ has processed over the last week by default. The dropdown in this alert allows the administrator to look back at larger time periods.

Alert Frequency

This chart shows the frequency of alerts received in IdentityIQ broken down by type. The dropdown here allows investigation of only Identity alert frequency, only application alert frequency, or both on the same chart.

Top 10 Alerts

This view is intended to give a visual display of the Identities or Applications that are the target of the most alerts. The dropdown allows switching between identity and application alerts

Alert Overview

This shows total ‘interesting’ counts of the alert transactions that have occurred in IdentityIQ.

Widgets

Two widgets have been added to IdentityIQ via the SIEM Plugin. The first, the “SIEM Alert Overview” widget gives various metrics based on the SIEM alerts created in IdentityIQ. The second is the “Recent SIEM Alerts” that displays a breakdown of alerts in the system by type, and allows selecting individual alerts to get more information.

Activating a widget

To activate a widget in IdentityIQ, from the home page:

1.) Click the ‘Edit’ button

2.) Click the ‘+ Add Widget’ button under ‘Widgets’

3.) Select the ‘SIEM Alert Overview’ and ‘Recent SIEM Alerts’ widgets and click save

4.) Click the ‘Save’ button

SIEM Alert Overview

The alert overview is a paginated widget that surfaces interesting metrics around the different types of alerts provided by the SIEM Plugin. The pages are broken up into account (or Identity based) alerts, and application based alerts.

Recent Alerts Widget

The recent alerts widget allows users with the SIEM administrator capability in IdentityIQ to see recent alerts, broken down by type.

Clicking on any line item in this widget will display an alert details window:

Identity Warehouse View

The identity warehouse view has been augmented to include information around the SIEM alerts. A new table has been added under the ‘History’ tab for individual identities listing any SIEM alerts that have been received.

Information on alert type, level, the application, creation date, and any requested provisioning action are displayed here.

Utilizing REST endpoints

Each endpoint available in the SIEM plugin requires specific information to successfully initiate responses from IdentityIQ and the SIEMService. The following section outlines those inputs for each.

NOTE: for each endpoint that results in provisioning, an additional JSON parameter can be passed to specify the provisioning type. By default provisioning will be done directly through the API, but if the parameter ‘use_workflow’ is included in the JSON set to ‘true,’ workflow provisioning will result for the specific alert. The workflow used will be that specified by the plugin setting ‘Provisioning Workflow’. This option is included for implementers who may wish to have finer grained control over provisioning operations for specific alert types/endpoints.

Example workflow provisioning overrideJSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"action": "disable",

"level": "low",

"date": "149514462222",

"use_workflow": "true"

}

POST /identity/account

This endpoint should be utilized to disable or delete a single account on an Identity cube.

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"action": "disable",

"level": "low",

"date": "149514462222"

}

POST /identity/accounts

This endpoint should be used to disable or delete all accounts on an Identity cube

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"action": "disable",

"level": "low",

"date": "149514462222"

}

POST /identity/entitlement

This endpoint should be used to remove a single entitlement from a single application account on an Identity cube

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"group_name": "group1",

"group_type": "memberOf",

"level": "low",

"date": "149514462222"

}

POST /identity/entitlements

This endpoint should be used to remove all entitlements from a single application account on an Identity cube

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/entitlements-all

This endpoint should be used to remove all entitlements from all accounts on an Identity cube

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/password

This endpoint should be used to reset a password on a single application account.IMPORTANT* Currently only works for Active Directory type applications - if other application types are desired, the current solution is to specific ‘workflow’ provisioning in the JSON, and code implementation specific logic into the workflow for applications not currently supported by the plugin***

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/passwords-all

This endpoint should be used to reset a password on all application accounts.IMPORTANT* Currently only works for Active Directory type applications - if other application types are desired, the current solution is to specific ‘workflow’ provisioning in the JSON, and code implementation specific logic into the workflow for applications not currently supported by the plugin***

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/certify

This end point should be used to initiate an application specific manager certification for the Identity that correlates to the application/native identity combination specified in the JSON

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/certify-all

This end point should be used to initiate a manager certification for the Identity that correlates to the application/native identity combination specified in the JSON

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /application/group

This end point should be used to remove all users from a specified group, and make that group non-requestable in the IdentityIQ LCM access request process

(ex. ‘memberOf’ in Active Directory)|
|level|High, Medium, or Low|
|date|current unix timestamp|

Example JSON

{

"application": "Active Directory",

"group_name": "Group1",

"group_type": "memberOf",

"level": "low",

"date": "149514462222"

}

POST /application/accounts

This endpoint should be used to disable or delete ALL accounts on the specified application. USE WITH CAUTION

Example JSON

{

"application": "Active Directory",

"level": "low",

"date": "149514462222"

}

POST /application/certify-group

This end point should be used to initiate an entitlement owner certification for the provided group

Example JSON

{

"application": "Active Directory",

"group_name": "Group1",

"group_type": "memberOf",

"level": "low",

"date": "149514462222"

}

POST /application/certify-all

This end point should be used to initiate an application owner certification for the provided application

Example JSON

{

"application": "Active Directory",

"level": "low",

"date": "149514462222"

}

Security

Authentication for the plugin framework in IdentityIQ is done for the web service using ‘Basic’ authentication – meaning the username and password are combined and then translated into base64 notation and sent in clear text as part of the request. This is easily reversible and not secure – it should be the requirement of any organization that this communication be secured above the nominal measures provided by Basic Auth. Major issues with Basic Auth include:

• Password sent in base64
• Password sent for each request
• Password can be cached by the browser (CSRF vulnerability)
• User may store password in browser permanently

This is not specific to use of the SIEM Plugin, but all communication that uses Basic Auth.

Logging

The SIEM Plugin follows the same practice of logging as that of the core IdentityIQ product. Turning ‘on’ logging for a specific class is done by editing the log4j.properties file found in the ‘WEB-INF/classes’ directory of the IdentityIQ deployment. The list below contains useful log4j entries in the event that debugging the SIEM Plugin is necessary.

• com.sailpoint.siem.server.SIEMService=debug
• com.sailpoint.siem.rest.DashboardService=debug
• com.sailpoint.siem.rest.SIEMAuthorizer=debug
• com.sailpoint.siem.rest.SIEMResource=debug
• com.sailpoint.siem.service.SIEMAccess=debug
• com.sailpoint.siem.service.SIEMAlertService=debug
• com.sailpoint.siem.util.SIEMUtil=trace

In the event that all logs should be activated

• com.sailpoints.siem=trace

Updates

• 2.0.1 Update - fixed minor issue with Oracle installation scripts.
• 2.1.2 Update - fixed bug with getting one same event with every new interval.
• 2.1.3 Update- fixed minor issue with service identity xml.
• 2.1.4 Update- Fixed bug with SQLServer.

Hello Adam Creaney,

I would like to understand more about this plugin. I am trying to configure it but it is not bringing the information I need. I would like to get the task results that gave Success, Warning, Terminated, Error.

Waiting for feedback.

Att.

Hi @victor_28 - welcome to the Developer Community!

The methods that return data in this plugin are located here

and the helper class here

From a technical perspective you could create your own method in the helper class, that would return TaskResult objects similar to what we do with AuditEvent and SyslogEvent data, you could even use those existing methods to see how to handle large data sets with limits and index parameters. AuditEvents and SyslogEvents have settings in the plugin itself that also help with limits on how many results to grab per call etc - you could add your own plugin settings for things like TaskResults

Ok, eu abrir um chamado para a central da sailpoint pra entender como eu implemento o plugin do siem para trazer as taksresult. Eu queria mais ou menos um passo a passo pra implementar ele. eu já instalei no sailpoint. Agora falta só configurar pra trazer as informações.

Att.

Hi @adam_creaney is there a way to restrict the use of POST API call by the plugin users. I mean user should only be allowed to perform GET API call only.

Yes, you should be able to fork the repo, and make your changes to the authorization model to introduce new SPRights and Capabilities, and then modify the actual POST methods to require your new permissions.

Hi Thanks for the response. can you please share any document which helps to achieve it?

For securing the rest endpoints - see Java Classes - Rest Resources | SailPoint Developer Community

For the XML objects (Capabilities and SPrights) you can see how they are currently set up in the project here : colab-siem-plugin/import/install/SIEM_SPRight.xml at 53f6b34f53a49b4bddcaed71c5ab1916e1efd6bd · sailpoint-oss/colab-siem-plugin · GitHub and add as necessary for your use case

Thanks, this might help.