SailPoint SIEM Plugin

:fire: Summary The SIEM Plugin Allows popular SIEM solutions to extract Audit, Syslog, and Task events from IdentityIQ
:hammer_and_wrench: Repository Link GitHub - sailpoint-oss/colab-siem-plugin: Creates API endpoints to fetch AuditEvent, Syslog Event, and Task Results from IdentityIQ.
:open_book: New to IdentityIQ Plugins in the marketplace? Read the getting started guide for plugins in the marketplace.
:hospital: Supported by SailPoint Certified
:email: Contact SailPoint Technology Alliance

Overview

Security Information and Event Management technologies provide real-time analysis of security alerts generated by network hardware and applications. Oftentimes this is done through the ‘scraping’ of end-system log files, which are then filtered, analyzed, and prepared for easy consumption by security administrators. In general, SIEM tools excel at the detection and reporting of threats, vulnerabilities, and security events - but are lacking in their ability to provide real-time mitigation. IdentityIQ, with its built-in suite of enterprise application connectors, can alleviate this shortcoming. A symbiotic relationship has been identified, whereby a SIEM tool can detect security issues in near real-time and then provide the necessary information to IdentityIQ which can then mitigate the threat. The SIEM Plugin has been developed by SailPoint to provide an integration point between third party SIEM monitoring tools and IdentityIQ.

The Plugin itself is meant to be a ‘jumping off point’ for future developments. A basic set of use cases was defined and implemented, but the logic can be extended to satisfy additional processes.

Requirements

  1. Plugin Administrator access to IdentityIQ 7.2 or higher (for installation only)
  2. A SIEM product cable of making external REST API when a security event is triggered
  3. An Identity that can be configured/assigned with the Capabilities (included in the Plugin) SIEMAdministrator and SIEMExtAdministrator, and the out of the box Capability (WebServicesExecutor). An example Identity is included with the plugin that has these capabilities assigned - the Identity is named ‘siemservice’.

Guide

Installation Instructions

  1. Download the latest SIEM Plugin release files from GitHub
  2. Log into IdentityIQ as an administrator or plugin administrator
  3. Navigate to the ‘Gear Icon’->‘Plugins’ Screen
  4. Click the ‘New’ button at the top right
  5. Drag and drop the archive or select the file using the IdentityIQ plugin installation screen
  6. Once properly installed, a new widget will appear on the plugin screen, and a ‘pie’ icon will appear in the top navigation bar of the IdentityIQ UI

Prerequisites

The SIEM Plugin requires that angular snippets are enabled in the IdentityIQ instance. To enable angular snippets, modify the iiq.properties file and set the ‘plugins.angularSnippetEnabled’ flag to true as seen below:

# Determines whether or not plugins are enabled, change
# to false if plugins should be disabled globally
plugins.enabled=true


# Determines if SQL scripts should be executed dynamically
# at the time a plugin is installed, upgraded or uninstalled
plugins.runSqlScripts=true


# Determines if XML object files should be imported dynamically
# at the time a plugin is installed, upgraded or uninstalled
plugins.importObjects=true


# Determines if the global SailPoint angular bundle will be used when
# there are snippets on a page
plugins.angularSnippetEnabled=true

Note: The plugin is built and tested on top of MYSQL - all SQL creation/deletion statements provided are for MYSQL. Any DB that IdentityIQ supports should work as well, however the respective SQL scripts (DB2, Oracle, SQLServer) may need to be adjusted.

Steps

  1. Navigate to the ‘Gear’ menu, and select ‘Plugins’:

  1. Click the ‘New’ button

  1. Drag the .zip archive of the plugin into the section with the ‘upload’ iconography

  1. At this point, the plugin should be installed, and you should see the success message below. If errors occurred, refer to the IdentityIQ logs for details

Note: The SailPoint SIEM plugin requires trigger and sequence functions that the ‘identityiqPlugin’ user is not created with permissions to run when installing using Oracle database.

After installing the SIEM plugin, run the following scripts in order to complete the creation of the required database functions on Oracle database.

-- Generate ID using sequence and trigger
CREATE SEQUENCE siem_alert_seq START WITH 1 INCREMENT BY 1;

CREATE OR REPLACE TRIGGER siem_alert_seq_tr
 BEFORE INSERT ON siem_alert FOR EACH ROW
 WHEN (NEW.id IS NULL)
BEGIN
 SELECT siem_alert_seq.NEXTVAL INTO :NEW.id FROM DUAL;
END;
/

If the user you are logged in with does not have permission to create sequences or triggers their permissions will need to be elevated prior to running the above commands. Use this script to do so.

GRANT SELECT ANY SEQUENCE TO <USER>;
GRANT CREATE ANY TRIGGER TO <USER>;
COMMIT;

Uninstall

To remove the SIEM Plugin, simply navigate to the plugin dashboard in IdentityIQ and click the ‘X’ button located in the SIEM Plugin widget:

IMPORTANT NOTE: Deleting a plugin runs the SQL scripts found in the db folder of the unzipped plugin archive - in the case of the SIEM Plugin, and most, this is a destructive operation that will purge the specific plugin tables from the identityiqPlugin database. SIEM alerts residing in that table will be lost, unless a database backup is available.

Design

The overall design for the SIEM plugin is simple: Utilize the IdentityIQ Plugin Frameworks to provide outward facing REST endpoints that when accessed will perform automatic provisioning and/or compliance actions within IdentityIQ. To facilitate this, the SIEM plugin consists of six major components (covered in more detail later):

  1. Plugin database - siem_alert table stores basic details of SIEM alerts in the identityiqPlugin database
  2. Plugin settings - Used to determine the behavior of the plugin
  3. REST endpoints - Determine, along with the provided parameters (JSON body), the behavior required for the Alert
  4. XML artifacts - Generic definitions required for the plugin (workflows, certifications, etc…)
  5. Service - Creates, provisions, and actions alerts
  6. User Interface - Dashboard view of Alert activity

Process Diagram

  1. An alert is detected by the SIEM system
  2. SIEM system creates an alert action and makes POST request to plugin endpoint
  3. Endpoint creates IdentityIQ Alert object and siem_plugin table entry
  4. Plugin Service examines alert, and makes provisioning request or creates certification
  5. Access is disabled/removed in the monitored secure system

Provisioning

The plugin supports two modes of provisioning:

  1. Direct (Default) - the SIEMService will create , compile, and immediately execute a provisioning plan.
  2. Workflow (Optional) - the SIEMService will pass the compiled provisioning project to a workflow. This workflow is specified in the plugin settings under the option ‘Provisioning Workflow’. Workflow provisioning is only used if the global plugin setting ‘Defer Provisioning’ is set to true, or if an individual REST endpoint parameter ‘use_workflow’ is set to ‘true’. Custom workflows can be developed and specified in the ‘Provisioning Workflow’ - see the included ‘SIEM Provisioning’ workflow for required input parameters. This option is useful if there are any approval or audit requirements that need to be implemented.

Certifications

Some end points will initiate compliance campaigns within IdentityIQ. These will all use the packaged CertificationDefinitions as a template. Modifications to the template can be made to add additional custom functionality - additional phase transition rules, exclusions, escalations, notifications etc…

Plugin Database

When the Plugin is installed, a table ‘siem_alert’ is created in the plugin database. This database name is specified in the ‘iiq.properties’ associated with the IdentityIQ installation. When a REST endpoint receives a correctly formatted POST request, a new entry will be created in the siem_alert table. This entry will be missing two fields that indicate it is ‘new’ - alert_id and processed_date. These fields are filled in by the background service in IdentityIQ. Each entry can also have a ‘level’ which is used if the plugin setting for prioritizing alerts is utilized (see Plugin settings). The table below describes each field in the seim_alert table and provides a brief description of use.

SIEM_ALERT Table Description

Field Type Description
id varchar(32) auto-incremented unique value for table entry
alert_id varchar(32) this field stores the hibernate id of the Alert object created in IdentityIQ - poplulated by the SIEMService
created bigint Unix timestamp of the datetime when this alert entry was inserted into the siem_alert table
native_id varchar(255) stores the native identity of the account on the alerting system - only relevant for identity endpoints
source_application varchar(255) the application name that generated the alert, or that the alert relates to - must match application name in IdentityIQ
target_group_name varchar(255) for entitlement/managed attribute related endpoints, this is the group name (sometimes called the ‘value’ attribute in IdentityIQ)
target_group_type varchar(255) the entitlement/managed attribute type (ex. ‘memberOf’ in Active Directory)
level varchar(32) indicates the severity of this alert - valid entires are {low, medium, high}
processed_date bigint Unix timestamp of when the alert was actioned by the Service in IdentityIQ
alert_type varchar(255) set by the REST endpoint, indicates the action required
action varchar(32) For provisioning related requests, can be set to either ‘disable’ or ‘delete’. Defaults to ‘disable’
use_workflow tinyint 1 (true) or 0 (false) - determines at the alert level if provisioning should be direct or via workflow - this setting

supersedes global SIEM plugin setting for the individual alert|

Note: The plugin is built and tested on top of MYSQL - all SQL creation/deletion statements provided are for MYSQL. Any DB that IdentityIQ supports should work as well, however the respective SQL scripts (DB2, Oracle, SQLServer) may need to be adjusted.

Plugin Settings

The SIEM Plugin contains a few basic settings that determine the behavior of the plugin.

Available Settings

Setting Description
Prioritize By Level If selected (true), the service will process alerts in order of priority (High, then Medium, then Low)
Purge By Days Number of days elapsed before plugin table entries and IdentityIQ Alert objects are purged - once purged recovery is not possible except via database restoration
Defer Provisioning This global setting determines if provisioning related activites (except for certification revocation actions) are done via direct provisioning, or passed to a workflow
Provisioning Workflow If the global setting for ‘Defer Provisioning’ is set to ‘workflow,’ this is the name of the workflow that will be used. This is also the workflow that will be used

if an individual alert is set to use workflow provisioning|
|Maximum number for Syslog events (per API call)|Maximum number for Syslog events (per API call). Defaulted to 1000.|
|Maximum number for Audit events (per API call)|Maximum number for Audit events (per API call). Defaulted to 1000|

REST Endpoints

The initial set of use cases for SIEM alert mitigation focused on Identity and Application related activities; specifically, removal of access and certification of access. The following chart lists the available endpoints and provides a brief description of the intended outcome. For information regarding the required fields that should be included in the POST request JSON body, see section ‘Instructions for Use’.

Available Action Endpoints

Endpoint Type Description
identity/account Identity Disable or delete a single account on an identity
identity/accounts Identity Disable or delete all accounts on an identity
identity/entitlement Identity Remove an entitlement from an Identity
identity/entitlements Identity Remove all entitlements from a given application on an identity
identity/entitlements-all Identity Remove all entitlements from all applications on an identity
identity/password Identity Force password reset (Active Directory only - unless using workflow provision) on an identity
identity/passwords Identity Force password reset on all applications (Active Directory only - unless using workflow provision) on an identity
identity/certify Identity Generates a manager certification for a specific account on an identity
identity/certify-all Identity Generates a manager certification for all accounts belonging to an identity
application/groups Application Removes entitlement from all Identities and makes it non-requestable
application/accounts Application Deletes or disables all accounts on an Application
application/certify-group Application Performs an entitlement owner certification on the specified group
application/certify-all Application Performs an application owner certification

Available Information Endpoints

Endpoint Operation Description
/applications GET Returns a list of applications currently defined in the IdentityIQ system
/identityinfo POST Accepts a list of native identifiers for accounts, and returns a list of potential Identities that own those accounts
/syslog-events GET Used to retrieve IdentityIQ syslog events. Requires query parameters -quickKey, startTime, endTime, startIndex and count for better searching and pagination of results. quickKey can override other search parameters like startTime & endTime.
/audit-events GET Used to retrieve IdentityIQ audit events. Requires query parameters - type, startTime, endTime, startIndex and count for better searching and pagination of results.
/auditConfiguration GET Returns the current configuration of audits in IdentityIQ, or for a specifc audit if sent in the query parameter ‘name’

/applications Endpoint

The applications endpoint is designed to list all the applications with in the IdentityIQ environment.

Request:

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/applications

Response:

[

"HR Employees",

"HR Contractors",

"Active Directory",

"ERP Global",

"ProcurementSystem",

"AdminsApp",

"ADDirectDemodata",

"RealLDAPWithDemoData",

"JDBCDirectDemoData",

"FileBasedAlerts",

"JDBCDirectAlerts",

"SIEM Application"

]

/identityinfo Endpoint

The identityinfo endpoint is designed to allow a SIEM system administrator to get identity context information from IdentityIQ in the very likely situation that they only have knowledge of an application account name (native identifier). When provided with one more more native identifiers in the format:

{

"users": [

{

"nativeIdentity": "CN=Adam Kennedy,OU=London,OU=Europe,OU=DemoData,DC=test,DC=sailpoint,DC=com"

},

{

"nativeIdentity":"CN=Aaron Nichols,OU=Singapore,OU=Asia-Pacific,OU=DemoData,DC=test,DC=sailpoint,DC=com"

}

]

}

The endpoint will respond with a JSON similar to:

{

"identities": [

{

"nativeIdentity": "CN=Aaron Nichols,OU=Singapore,OU=Asia-Pacific,OU=DemoData,DC=test,DC=sailpoint,DC=com",

"results": []

},

{

"nativeIdentity": "CN=Adam Kennedy,OU=London,OU=Europe,OU=DemoData,DC=test,DC=sailpoint,DC=com",

"results": [

{

"confidence": 30,

"name": "Adam Kennedy"

},

{

"confidence": 11,

"name": "Aaron Nichols"

}

]

}

]

}

Reading this response, it is saying that for the first native identity in the POST request, there was no found Identity. For the second request, two possible identities were found, Adam Kenney, and Aaron Nichols. A confidence score is attached that indicates a ‘best guess’ determination on which of the Identities is likely the one being searched for. This confidence score takes into account the Identities last modified date, their last login to IdentityIQ, the number of roles attached to the cube, the number of accounts correlated to the cube, and the number of identity requests made by, and for, the Identity.

Note, the above example is pretty terrible, because the first request for Aaron Nichols said no links existed, but the request for Adam Kennedy clearly returned an Aaron Nichols Identity. This is because of the example, attributes in the database were faked to show a cleanish result:

/syslog-events Endpoint

The syslog events endpoint is determined as a way for external tools to retrieve Syslog event data via RESful webservices. To narrow the result set down, query parameters should be passed as part of the GET request. The chart below describes those parameters.

Query Parameter Type Description
quickKey Long sequence number of the syslog event registered - required.*
startTime unix timestamp audit events created after this time will be returned - required.*
endTime unix timestamp audit events created before this time will be returned - required.*
count Integer defaults to 1000 or the limit set in the plugin settings (used for pagination).
startIndex Integer defaults to 1 (used for pagination).

*Note - If quickKey is present as the query parameter in the request, it will override startTime & endTime as this request is now looking for all the events since the given quickKey (sequence number). One should either use quickKey or startTime & endTime combo to filter the required results.

Here is an example request and response for this endpoint using parameters:

Request:

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/syslog-events?startTime=1542187696669&en...

Response:

{

"syslogEvents": [

{

"assignedScope": null,

"assignedScopePath": null,

"attributeMetaData": null,

"auditClassName": "SyslogEvent",

"autoCreated": false,

"classname": "sailpoint.tools.Console",

"created": 1582055024816,

"description": null,

"dirty": false,

"disabled": false,

"eventLevel": "ERROR",

"id": "7f000001705911b4817059d3e8b00866",

"immutable": false,

"lineNumber": "365",

"lock": null,

"lockInfo": null,

"locked": false,

"message": "org.apache.logging.log4j.core.impl.MutableLogEvent@6fead9a",

"modified": null,

"name": null,

"nameUnique": false,

"originalXml": null,

"owner": null,

"pendingWorkflow": null,

"persisted": true,

"quickKey": "0000000001",

"referenceClass": "sailpoint.object.SyslogEvent",

"referenceId": "7f000001705911b4817059d3e8b00866",

"referenceName": null,

"refreshedExistingLock": false,

"server": "[email protected]",

"signOffs": null,

"stacktrace": "java.lang.IllegalStateException: java.io.IOException: Input/output error\n\tat sailpoint.server.SailPointConsole$ReaderManager.readLine(SailPointConsole.java:339)\n\tat sailpoint.server.SailPointConsole.readLine(SailPointConsole.java:396)\n\tat sailpoint.server.SailPointConsole.readLine(SailPointConsole.java:391)\n\tat sailpoint.tools.Console.interactiveConsole(Console.java:323)\n\tat sailpoint.tools.Console.run(Console.java:91)\n\tat sailpoint.server.SailPointConsole.run(SailPointConsole.java:675)\n\tat sailpoint.server.SailPointConsole.main(SailPointConsole.java:598)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat sailpoint.launch.Launcher.main(Launcher.java:227)\nCaused by: java.io.IOException: Input/output error\n\tat java.io.FileInputStream.readBytes(Native Method)\n\tat java.io.FileInputStream.read(FileInputStream.java:255)\n\tat java.io.BufferedInputStream.read1(BufferedInputStream.java:284)\n\tat java.io.BufferedInputStream.read(BufferedInputStream.java:345)\n\tat sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)\n\tat sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)\n\tat sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)\n\tat java.io.InputStreamReader.read(InputStreamReader.java:184)\n\tat java.io.BufferedReader.fill(BufferedReader.java:161)\n\tat java.io.BufferedReader.readLine(BufferedReader.java:324)\n\tat java.io.BufferedReader.readLine(BufferedReader.java:389)\n\tat sailpoint.server.SailPointConsole$ReaderManager.readLine(SailPointConsole.java:335)\n\t... 11 more\n",

"thread": "main",

"uid": null,

"uniqueKeyProperties": [

"created",

"server",

"classname"

],

"username": "system",

"xml": false

}

],

"currentIndex": 1,

"itemsPerPage": 1,

"totalResults": 1

}

/audit-events Endpoint

The audit events endpoint is determined as a way for external tools to retrieve Audit event data via RESful webservices. To narrow the result set down, query parameters should be passed as part of the GET request. The chart below describes those parameters.

Query Parameter Type Description
type String type of audit to retrieve, can be blank.
startTime unix timestamp audit events created after this time will be returned - required.
endTime unix timestamp audit events created before this time will be returned - required.
count Integer defaults to 1000 or the limit set in the plugin settings (used for pagination).
startIndex Integer defaults to 1 (used for pagination).

Here is an example request and response for this endpoint using parameters:

Request:

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/audit-events?startTime=1542187696669&end...

Response:

{

"auditEvents": [

{

"accountName": "",

"action": "ProvisioningFailure",

"application": "",

"attributeName": "",

"attributeValue": "",

"attributes": "{taskResultId=8ab075ec6713c5450168629abb481c7c, error1=No configuration found for Enable Account . Please add atleast one operation and try again}",

"created": 1548021252116,

"id": "8ab075ec6713c54501686d41c0101d8a",

"instance": "",

"interface": "LCM",

"owner": "",

"source": "The Administrator",

"string1": "",

"string2": "",

"string3": "",

"string4": "",

"target": "[email protected]",

"trackingId": ""

}

],

"currentIndex": 1,

"itemsPerPage": 1,

"totalResults": 1

}

/auditConfiguration Endpoint

The auditConfiguration endpoint is intended to retrieve specific configurations related to audits in IdentityIQ. Without specifying a parameter ‘name’ the response will contain all audit configuration (names of audit events, if they are active, etc.), when a ‘name’ is specified in the query just the details for that audit event (if it exists) will be returned.

Here are example requests and responses for queries with and without parameterization:

Request (without parameters):

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/auditConfiguration

Response:

[

{

"enabled": false,

"name": "login"

},

{

"enabled": false,

"name": "logout"

},

{

"enabled": false,

"name": "continuousCertItemsOverdue"

},

{

"enabled": true,

"name": "identityLifecycleEvent"

},

{

"enabled": true,

"name": "activate"

},

{

"enabled": true,

"name": "deactivate"

},

{

"enabled": false,

"name": "violationAllowException"

}

]

Request (with parameters):

GET http://localhost:8081/identityiq/plugin/rest/SIEMPlugin/auditConfiguration?name=loginFailure

Response:

{

"enabled": false,

"name": "loginFailure"

}

XML Artifacts

The plugin comes packaged with a number of XML files, some of which are used for basic plugin operation (such as SPRight and service Identity definitions), while others are provided as generic/simple and extendable objects used in the SIEM Service.

Required (Recommend do not modify)

Name File Object Type Description
SIEM Application SIEM_Application.xml Application Alert objects in IdentityIQ require an Application for creation - this application fills that requirement. Also allows filtering the OOTB Alert view to only show SIEM alerts
siemservice SIEM_Service_Identity.xml Identity Identity configured for use by SIEM tools to reach and perform POST requests to IdentityIQ webservices. NOTE: The credentials for this user should be secured, and does NOT (v2.1.3) ship with a default value
SIEM Administrator SIEM_SPRight.xml SPRight Fine grained permission granted to users to reach SIEM dashboard. This object contains 2 SPRights (siemadministrator and siemextadministrator) and 2 Capabilities (SIEMPluginAdministrator, and SIEMExtPluginAdministrator).
SIEM Remove Exclusion Rule SIEM_Remove_Exclusion_Workflow.xml Workflow Workflow that is scheduled after an entitlement owner certification generation (application/certify-group) to remove custom exclusion rule required to limit certification campaign to single group object
SIEM Alert Definition SIEM_Alert_Definition.xml AlertDefinition Stub that allows IdentityIQ alerts to be correctly created and searched
AuditConfig SIEM_AuditConfig-merge AuditConfig Merge file that adds SIEM specific audit action to the out of the box AuditConfig
SIEM Remove Exclusion Rule SIEM_Remove_Exclusion_Rule_Workflow Workflow Required to remove the custom exclusion rule that is created during the ‘entitlement owner certification’ to scope the certification down to just a single entitlement

Required (okay to modify)

Name File Object Type Description
SIEM Application Owner Certification SIEM_Application_Certification.xml CertificationDefinition Application owner certification template used by the application/certify-all REST endpoint. Can be modified to introduce customer specific certification logic
SIEM Entitlement Owner Certification SIEM_Entitlement_Owner_Certification.xml CertificationDefinition Entitlement owner certification template used by the application/certify-group REST endpoint. Can be modified to introduce customer specific certification logic,uses the SIEM Group Membership Exclusion Rule to limit certification to a single group
SIEM Identity Certification SIEM_Identity_Certification.xml CertificationDefinition Manager certification template used by the identity/certify and identity/certify-all REST endpoint. Can be modified to introduce customer specific certification logic
SIEM Provisioning Workflow SIEM_Provisioning_Workflow.xml Workflow Default workflow if global plugin setting ‘Defer Provisioning’ is selected - can be used as a model for other custom workflows. Contains inputs provided by the SIEM Service. In current state, just takes input project and calls Provisioner.execute()
SIEMService SIEM_Service.xml ServiceDefinition Determines the executor, and the execution interval of the SIEMService that is in charge of creating, actioning, and removing alerts in IdentityIQ. Adjust ‘interval’ attribute as necessary

Service

The main driver of the SIEM plugin is the SIEMService class. It is responsible for the creation of Alert objects within IdentityIQ, determining and performing the correct actions based on the alert entries in the plugin database, updating the plugin database alert entries when actioned, and finally (if specified) removing alert objects from both IdentityIQ and the plugin database. The following methods have been defined:

Modifier and Type Method and Description
void actionAlerts(sailpoint.api.SailPointContext context) Method that will perform actions specified by the Alert
void closeAlert(sailpoint.api.SailPointContext context, sailpoint.object.Alert alert, java.util.Date closeDate, java.lang.String result, java.lang.String type) Close the alert in Identity, update processed and date
void configure(sailpoint.api.SailPointContext context)
void createAlerts(sailpoint.api.SailPointContext context) Method to create new IdentityIQ Alert objects from entries in plugin table
boolean deleteAlertObject(sailpoint.api.SailPointContext context, java.lang.String id) Deletes the SailPoint Alert object after elapsed days, if configured
void execute(sailpoint.api.SailPointContext context)
java.lang.String findMatchingIdentityId(sailpoint.api.SailPointContext context, SIEMAlert alert) Find an Identity in IdentityIQ based on link with nativeID and application provided
java.lang.String generateApplicationCertification(sailpoint.api.SailPointContext context, java.util.Map<java.lang.String,java.lang.Object> args, java.lang.String result, sailpoint.object.Alert iiqAlert) Method for generating all application based certifications
java.lang.String generateIdCertification(sailpoint.api.SailPointContext context, java.util.Map<java.lang.String,java.lang.Object> args, java.lang.String result, sailpoint.object.Alert iiqAlert) Method to generate Identity based certifications
java.lang.String getAlertDisplayName(java.lang.String type) Returns pretty display name of the IdentityIQ Alert object created
java.lang.String getPluginName()
java.lang.String modifyExclusionRule(sailpoint.api.SailPointContext context, java.lang.String ruleName, java.lang.String maId) Dynamically modifies the certification exclusion rule to specify a single group/ma
void processApplicationAlert(sailpoint.api.SailPointContext context, SIEMAlert alert) Method that processes all Application related alerts
void processIdentityAlert(sailpoint.api.SailPointContext context, SIEMAlert alert) Method that processes all Identity related alerts
java.lang.String provisionApplication(sailpoint.api.SailPointContext context, java.util.Map<java.lang.String,java.lang.Object> args, java.lang.String result, sailpoint.object.Alert iiqAlert)
java.lang.String provisionIdentity(sailpoint.api.SailPointContext context, java.util.Map<java.lang.String,java.lang.Object> args, java.lang.String result, sailpoint.object.Alert iiqAlert) This method will provision, or launch provisioning workflow for the SIEM alert
void pruneAlerts(sailpoint.api.SailPointContext context) Method that will prune alerts if plugin setting is configured ot do so
void removeModifiedExclusionRule(sailpoint.api.SailPointContext context, java.lang.String modifiedName) Rule to remove customized exclusion rule attached to group owner certification

User Interface

The goal with the UI design was not to replace or extend SIEM tool dashboards - they function very well - but to provide a quick ‘at-a-glance’ activity view for Identity administrators. The new UI features include additional SIEM related data shown in the ‘Identity Warehouse’ view of users, some optional dashboard widgets for the standard IdentityIQ landing page, and a full SIEM dashboard.

SIEM Dashboard

The dashboard can be accessed from any screen in IdentityIQ by clicking on the ‘dashboard’ widget that is added to the ul-navbar-right element:

Once clicked, the user is taken to the fullPage element of the plugin, which in this case is a SIEM Alert dashboard:

There are four sections of the SIEM dashboard - an alert histogram, an alert frequency chart, top 10 alerts view, and an overview of alert information.

Alert Histogram

The alert histogram shows the number of alerts that IdentityIQ has processed over the last week by default. The dropdown in this alert allows the administrator to look back at larger time periods.

Alert Frequency

This chart shows the frequency of alerts received in IdentityIQ broken down by type. The dropdown here allows investigation of only Identity alert frequency, only application alert frequency, or both on the same chart.

Top 10 Alerts

This view is intended to give a visual display of the Identities or Applications that are the target of the most alerts. The dropdown allows switching between identity and application alerts

Alert Overview

This shows total ‘interesting’ counts of the alert transactions that have occurred in IdentityIQ.

Widgets

Two widgets have been added to IdentityIQ via the SIEM Plugin. The first, the “SIEM Alert Overview” widget gives various metrics based on the SIEM alerts created in IdentityIQ. The second is the “Recent SIEM Alerts” that displays a breakdown of alerts in the system by type, and allows selecting individual alerts to get more information.

Activating a widget

To activate a widget in IdentityIQ, from the home page:

1.) Click the ‘Edit’ button

2.) Click the ‘+ Add Widget’ button under ‘Widgets’

3.) Select the ‘SIEM Alert Overview’ and ‘Recent SIEM Alerts’ widgets and click save

4.) Click the ‘Save’ button

SIEM Alert Overview

The alert overview is a paginated widget that surfaces interesting metrics around the different types of alerts provided by the SIEM Plugin. The pages are broken up into account (or Identity based) alerts, and application based alerts.

Recent Alerts Widget

The recent alerts widget allows users with the SIEM administrator capability in IdentityIQ to see recent alerts, broken down by type.

Clicking on any line item in this widget will display an alert details window:

Identity Warehouse View

The identity warehouse view has been augmented to include information around the SIEM alerts. A new table has been added under the ‘History’ tab for individual identities listing any SIEM alerts that have been received.

Information on alert type, level, the application, creation date, and any requested provisioning action are displayed here.

Utilizing REST endpoints

Each endpoint available in the SIEM plugin requires specific information to successfully initiate responses from IdentityIQ and the SIEMService. The following section outlines those inputs for each.

NOTE: for each endpoint that results in provisioning, an additional JSON parameter can be passed to specify the provisioning type. By default provisioning will be done directly through the API, but if the parameter ‘use_workflow’ is included in the JSON set to ‘true,’ workflow provisioning will result for the specific alert. The workflow used will be that specified by the plugin setting ‘Provisioning Workflow’. This option is included for implementers who may wish to have finer grained control over provisioning operations for specific alert types/endpoints.

Example workflow provisioning overrideJSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"action": "disable",

"level": "low",

"date": "149514462222",

"use_workflow": "true"

}

POST /identity/account

This endpoint should be utilized to disable or delete a single account on an Identity cube.

Key Value
application name of the IIQ application
native_id account name of Identity on application
action delete OR disable
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"action": "disable",

"level": "low",

"date": "149514462222"

}

POST /identity/accounts

This endpoint should be used to disable or delete all accounts on an Identity cube

Key Value
application name of the IIQ application
native_id account name of Identity on application
action delete OR disable
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"action": "disable",

"level": "low",

"date": "149514462222"

}

POST /identity/entitlement

This endpoint should be used to remove a single entitlement from a single application account on an Identity cube

Key Value
application name of the IIQ application
native_id account name of Identity on application
group_name name of the group/entitlement
group_type attribute of the group/entitlement (ex. ‘memberOf’ in Active Directory)
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"group_name": "group1",

"group_type": "memberOf",

"level": "low",

"date": "149514462222"

}

POST /identity/entitlements

This endpoint should be used to remove all entitlements from a single application account on an Identity cube

Key Value
application name of the IIQ application
native_id account name of Identity on application
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/entitlements-all

This endpoint should be used to remove all entitlements from all accounts on an Identity cube

Key Value
application name of the IIQ application
native_id account name of Identity on application
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/password

This endpoint should be used to reset a password on a single application account.IMPORTANT* Currently only works for Active Directory type applications - if other application types are desired, the current solution is to specific ‘workflow’ provisioning in the JSON, and code implementation specific logic into the workflow for applications not currently supported by the plugin***

Key Value
application name of the IIQ application
native_id account name of Identity on application
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/passwords-all

This endpoint should be used to reset a password on all application accounts.IMPORTANT* Currently only works for Active Directory type applications - if other application types are desired, the current solution is to specific ‘workflow’ provisioning in the JSON, and code implementation specific logic into the workflow for applications not currently supported by the plugin***

Key Value
application name of the IIQ application
native_id account name of Identity on application
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/certify

This end point should be used to initiate an application specific manager certification for the Identity that correlates to the application/native identity combination specified in the JSON

Key Value
application name of the IIQ application
native_id account name of Identity on application
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /identity/certify-all

This end point should be used to initiate a manager certification for the Identity that correlates to the application/native identity combination specified in the JSON

Key Value
application name of the IIQ application
native_id account name of Identity on application
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"native_id": "Jane.Doe",

"level": "low",

"date": "149514462222"

}

POST /application/group

This end point should be used to remove all users from a specified group, and make that group non-requestable in the IdentityIQ LCM access request process

Key Value
application name of the IIQ application
group_name name of the group/entitlement
group_type attribute of the group/entitlement

(ex. ‘memberOf’ in Active Directory)|
|level|High, Medium, or Low|
|date|current unix timestamp|

Example JSON

{

"application": "Active Directory",

"group_name": "Group1",

"group_type": "memberOf",

"level": "low",

"date": "149514462222"

}

POST /application/accounts

This endpoint should be used to disable or delete ALL accounts on the specified application. USE WITH CAUTION

Key Value
application name of the IIQ application
action Disable or Delete
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"level": "low",

"date": "149514462222"

}

POST /application/certify-group

This end point should be used to initiate an entitlement owner certification for the provided group

Key Value
application name of the IIQ application
group_name name of the group/entitlement
group_type attribute of the group/entitlement (ex. ‘memberOf’ in Active Directory)
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"group_name": "Group1",

"group_type": "memberOf",

"level": "low",

"date": "149514462222"

}

POST /application/certify-all

This end point should be used to initiate an application owner certification for the provided application

Key Value
application name of the IIQ application
level High, Medium, or Low
date current unix timestamp

Example JSON

{

"application": "Active Directory",

"level": "low",

"date": "149514462222"

}

Security

Authentication for the plugin framework in IdentityIQ is done for the web service using ‘Basic’ authentication – meaning the username and password are combined and then translated into base64 notation and sent in clear text as part of the request. This is easily reversible and not secure – it should be the requirement of any organization that this communication be secured above the nominal measures provided by Basic Auth. Major issues with Basic Auth include:

  • Password sent in base64
  • Password sent for each request
  • Password can be cached by the browser (CSRF vulnerability)
  • User may store password in browser permanently

This is not specific to use of the SIEM Plugin, but all communication that uses Basic Auth.

Logging

The SIEM Plugin follows the same practice of logging as that of the core IdentityIQ product. Turning ‘on’ logging for a specific class is done by editing the log4j.properties file found in the ‘WEB-INF/classes’ directory of the IdentityIQ deployment. The list below contains useful log4j entries in the event that debugging the SIEM Plugin is necessary.

  • com.sailpoint.siem.server.SIEMService=debug
  • com.sailpoint.siem.rest.DashboardService=debug
  • com.sailpoint.siem.rest.SIEMAuthorizer=debug
  • com.sailpoint.siem.rest.SIEMResource=debug
  • com.sailpoint.siem.service.SIEMAccess=debug
  • com.sailpoint.siem.service.SIEMAlertService=debug
  • com.sailpoint.siem.util.SIEMUtil=trace

In the event that all logs should be activated

  • com.sailpoints.siem=trace

Updates

  • 2.0.1 Update - fixed minor issue with Oracle installation scripts.
  • 2.1.2 Update - fixed bug with getting one same event with every new interval.
  • 2.1.3 Update- fixed minor issue with service identity xml.
  • 2.1.4 Update- Fixed bug with SQLServer.