Search events for Splunk

Hello Developers!

I am trying to identify what the Splunk integration can do for us. From my understanding, Splunk will only execute searches and then treat those as events, correct?

I need to create an event that detects:

  • Successful authentication by a user who has any disabled account and belongs to any created tag.

Is there any search query that could provide this?

Hey @dgomez,

Thanks for posting. Let me take a look into this for you and circle back.

Hi @dgomez - You are correct - the current Splunk add-on for IdentityNow is only pulling information on 'Event' objects. This will get you information around authentication, but not the other identity/account information. There would need to be a subsequent call to the IdentityNow APIs to determine the status of the identities' accounts.

1 Like
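The correlation described in the answer above, as an added example (not code from this thread or from the SailPoint add-on): a Python rule that keeps only successful-login events (technicalName AUTHENTICATION_REQUEST_PASSED) from the event feed, then joins each one against a second data set that stands in for the subsequent IdentityNow API call. The IDENTITY_STATE table, its field names, the extra identities and the tag values are constructed assumptions; the first event is the one posted in the thread, trimmed to the fields the rule reads.

```python
"""Flag successful logins by identities that hold a disabled account AND a tag.

Added example, not part of the original thread or the SailPoint add-on.
The Splunk add-on only delivers Event objects; the disabled flag of an
account and the tags on an identity are not in the event, so they come
from a second source (an IdentityNow API call or a Splunk lookup table).
Here that second source is a constructed in-memory table.
"""
import json
from typing import Dict, List, Optional

# Event posted in the thread, trimmed to the fields this rule reads.
EVENT_ADAM = {
    "id": "ffd69f6f-c3bc-4dbf-89cf-f4d7f91834bb",
    "created": "2019-09-13T23:29:37.097Z",
    "action": "AUTHENTICATION-103",
    "type": "AUTH",
    "actor": {"name": "Adam.Kennedy"},
    "target": {"name": "Adam.Kennedy"},
    "ipAddress": "207.189.160.209",
    "status": "PASSED",
    "technicalName": "AUTHENTICATION_REQUEST_PASSED",
}
# Constructed events: a tagged identity whose accounts are all enabled, and a failed login.
EVENT_JANE = {**EVENT_ADAM, "id": "constructed-0002",
              "actor": {"name": "Jane.Doe"}, "target": {"name": "Jane.Doe"}}
EVENT_FAILED = {**EVENT_ADAM, "id": "constructed-0003",
                "status": "FAILED", "technicalName": "AUTHENTICATION_REQUEST_FAILED"}
# Raw JSON strings, the form in which the add-on ingests events into Splunk.
SAMPLE_EVENTS = [json.dumps(e) for e in (EVENT_ADAM, EVENT_JANE, EVENT_FAILED)]

# Constructed enrichment data standing in for the IdentityNow API call the
# answer mentions. Assumption: keyed by the same name that appears in actor.name,
# with per-account "disabled" flags and the identity's tag list.
IDENTITY_STATE: Dict[str, dict] = {
    "Adam.Kennedy": {
        "tags": ["PRIVILEGED"],
        "accounts": [
            {"sourceName": "Active Directory", "disabled": True},
            {"sourceName": "Workday", "disabled": False},
        ],
    },
    "Jane.Doe": {
        "tags": ["CONTRACTOR"],
        "accounts": [{"sourceName": "Active Directory", "disabled": False}],
    },
}

LOGIN_SUCCESS = "AUTHENTICATION_REQUEST_PASSED"


def is_successful_login(event: dict) -> bool:
    """True only for the technicalName/status pair that marks a passed login."""
    return event.get("technicalName") == LOGIN_SUCCESS and event.get("status") == "PASSED"


def evaluate(event: dict, state: Dict[str, dict]) -> Optional[dict]:
    """Return an alert record when the event matches the rule, else None."""
    if not is_successful_login(event):
        return None
    actor = event.get("actor", {}).get("name")
    identity = state.get(actor)
    if identity is None:
        return None  # nothing to correlate against: no alert, but worth logging upstream
    disabled = [a["sourceName"] for a in identity["accounts"] if a.get("disabled")]
    if disabled and identity["tags"]:
        return {
            "identity": actor,
            "event_id": event.get("id"),
            "created": event.get("created"),
            "ipAddress": event.get("ipAddress"),
            "disabled_accounts": disabled,
            "tags": list(identity["tags"]),
        }
    return None


def run(raw_events: List[str], state: Dict[str, dict]) -> List[dict]:
    """Parse each raw event JSON string and collect the alerts it produces."""
    alerts = []
    for raw in raw_events:
        hit = evaluate(json.loads(raw), state)
        if hit is not None:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, IDENTITY_STATE):
        print(json.dumps(alert, indent=2))
```

Only the first event produces an alert: the second identity is tagged but has no disabled account, and the third event is a failed login. Inside Splunk the same join is a lookup table refreshed from the IdentityNow APIs and applied to the AUTHENTICATION_REQUEST_PASSED events; the event feed alone cannot express the rule.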

Interesting, so all Splunk integrations will have the following format regardless of the event, correct?

{
    "org": "org_name",
    "pod": "stg01-uswest2",
    "created": "2019-09-13T23:29:37.097Z",
    "id": "ffd69f6f-c3bc-4dbf-89cf-f4d7f91834bb",
    "action": "AUTHENTICATION-103",
    "type": "AUTH",
    "actor": {
        "name": "Adam.Kennedy"
    },
    "target": {
        "name": "Adam.Kennedy"
    },
    "stack": "oathkeeper",
    "trackingNumber": "748e1adb8fa94cda8f5b054e869c24cd",
    "ipAddress": "207.189.160.209",
    "details": "748e1adb8fa94cda8f5b054e869c24cd",
    "attributes": {
        "pod": "stg01-uswest2",
        "org": "org_name",
        "sourceName": "SailPoint",
        "info": "LOGIN_SUCCESS"
    },
    "objects": [
        "AUTHENTICATION"
    ],
    "operation": "REQUEST",
    "status": "PASSED",
    "technicalName": "AUTHENTICATION_REQUEST_PASSED",
    "name": "Request Authentication Passed",
    "synced": "2019-09-13T23:29:38.428Z"
}

Is there any list we can receive for the "technicalName" possible values?

Good morning!

The event object structure should be consistent for the most part across event types.

A full list of the 'technicalName' values is quite large, so apologies for what I'm about to paste. The full list can also be found here.

USER_ACTIVATE_PASSED
USER_ACTIVITY_EXPORT_PASSED
USER_ROLE_ADMIN_GRANT_PASSED
USER_ROLE_ADMIN_REVOKE_PASSED
USER_DELETE_PASSED
USER_EMAIL_UPDATE_PASSED
USER_ROLE_HELPDESK_GRANT_PASSED
USER_ROLE_HELPDESK_REVOKE_PASSED
USER_INVITE_PASSED
USER_INVITE_FAILED
USER_KBA_DELETE_PASSED
USER_KBA_UPDATE_PASSED
USER_KBA_NOTIFY_PASSED
USER_KBA_ANSWERS_PASSED
USER_LOCK_PASSED
USER_PHONE_UPDATE_PASSED
USER_REGISTER_PASSED
USER_REGISTER_FAILED
USER_REGISTER_STARTED
USER_RESET_PASSED
USER_AUTH_STEP_UP_SETUP_PASSED
USER_AUTH_STEP_UP_SETUP_FAILED
USER_UNLOCK_PASSED
USER_UNLOCK_REJECTED
EMAIL_SENT_PASSED
EMAIL_SENT_FAILED
USER_ROLE_DASHBOARD_GRANT_PASSED
USER_ROLE_DASHBOARD_REVOKE_PASSED
IDENTITY_DELETE_PASSED
USER_ROLE_CERTIFICATION_ADMIN_GRANT_PASSED
USER_ROLE_CERTIFICATION_ADMIN_REVOKE_PASSED
USER_ROLE_REPORT_ADMIN_GRANT_PASSED
USER_ROLE_REPORT_ADMIN_REVOKE_PASSED
USER_ROLE_ROLE_ADMIN_GRANT_PASSED
USER_ROLE_ROLE_ADMIN_REVOKE_PASSED
USER_ROLE_SOURCE_ADMIN_REVOKE_PASSED
PASSWORD_CHANGE_STARTED
PASSWORD_CHANGE_FAILED
PASSWORD_ACTION_CHANGE_PASSED
PASSWORD_REQUEST_STARTED
PASSWORD_EXPIRED_CHANGE_STARTED
PASSWORD_EXPIRED_CHANGE_PASSED
PASSWORD_FORGOT_CHANGE_PASSED
PASSWORD_FORGOT_CHANGE_STARTED
ACCOUNT_PASSWORD_RESET_FAILED
ACCOUNT_PASSWORD_RESET_PASSED
ACCOUNT_PASSWORD_SYNC_PASSED
SOURCE_PASSWORD_CHANGE_STARTED
SOURCE_PASSWORD_CHANGE_FAILED
SOURCE_PASSWORD_CHANGE_PASSED
USER_PASSWORD_RESET_REJECTED
USER_PASSWORD_UPDATE_STARTED
USER_PASSWORD_UPDATE_FAILED
USER_PASSWORD_UPDATE_PASSED
SOURCE_PASSWORD_INTERCEPT_IGNORED
SOURCE_PASSWORD_INTERCEPT_PROCESSED
ACCOUNT_VAULT_UPDATE_PASSED
PASSWORD_POLICY_ASSIGN_PASSED
SAML_REDIRECT_PATTERNS_UPDATE_PASSED
PASSWORD_POLICY_CREATE_PASSED
PASSWORD_POLICY_DELETE_PASSED
PASSWORD_REPLAY_ENABLE_PASSED
STRONG_AUTHENTICATION_INTEGRATION_ENABLE_PASSED
PASSWORD_REPLAY_PASSIVE_LAUNCH_PASSED
PASSWORD_POLICY_UPDATE_PASSED
STRONG_AUTHENTICATION_INTEGRATION_DISABLE_PASSED
STRONG_AUTHENTICATION_INTEGRATION_UPDATE_PASSED
ACCOUNT_VAULT_RESET_PASSED
MFA_VERIFICATION_FAILED_PASSED
BROWSER_EXTENSION_DISABLE_PASSED

ACCOUNT_CREATE_PASSED
ACCOUNT_CREATE_FAILED
ACCOUNT_DELETE_PASSED
ACCOUNT_DELETE_FAILED
ACCOUNT_DISABLE_PASSED
ACCOUNT_DISABLE_FAILED
ATTRIBUTE_SYNC_DISABLE_PASSED
ACCOUNT_ENABLE_PASSED
ACCOUNT_ENABLE_FAILED
ATTRIBUTE_SYNC_ENABLE_PASSED
ACCOUNT_MODIFY_PASSED
ACCOUNT_MODIFY_FAILED
ACCOUNT_UNLOCK_PASSED
ACCOUNT_UNLOCK_FAILED
IDENTITY_STATE_CHANGE_PASSED
PROVISION_CHANGE_STARTED
PROVISION_CHANGE_PASSED
PROVISION_CHANGE_FAILED
APP_REQUEST_APPROVED
APP_REQUEST_REJECTED
IDENTITY_CREATE_PASSED
IDENTITY_UPDATE_PASSED
IDENTITY_DELETE_PASSED
IDENTITY_LIFECYCLE_CHANGE_PASSED
ACCOUNT_MANUAL_CHANGE_COMPLETE_PASSED
IDENTITY_ATTRIBUTE_VALUE_UPDATE_PASSED
WORKITEM_COMPLETE_COMMENTS_ADD_PASSED
APPROVAL_ITEM_APPROVE_PASSED
ACCOUNT_PROFILE_UPDATED
ACCOUNT_PROFILE_CREATED
ACCOUNT_PROFILE_DELETED
IDENTITY_ACCOUNT_REMOVE_PASSED
ACCESS_REQUEST_STARTED
ACCESS_REQUEST_APPROVED
ACCESS_REQUEST_REJECTED
ACCESS_REQUEST_FORWARDED
ACCESS_REQUEST_ESCALATED
APP_REQUEST_PASSED

CERTIFICATION_CAMPAIGN_COMPLETE_PASSED
CERTIFICATION_CAMPAIGN_DELETE_PASSED
CERTIFICATION_CAMPAIGN_FILTER_CREATE_PASSED
CERTIFICATION_CAMPAIGN_FILTER_DELETE_PASSED
CERTIFICATION_CAMPAIGN_FILTER_UPDATE_PASSED
CERTIFICATION_CAMPAIGN_STUCK_DETECTED
CERTIFICATION_CAMPAIGN_REVIEW_NOTIFY_PASSED
CERTIFICATION_CAMPAIGN_FINISH_PASSED
CERTIFICATION_SIGNOFF_PASSED
CERTIFICATION_REASSIGN_PASSED
CERTIFICATION_ITEM_CREATION_STATS_LOG_PASSED
CERTIFICATION_PHASE_CHANGE_PASSED
CERTIFICATION_ITEM_REMEDIATE
RULE_CREATE_PASSED
RULE_UPDATE_PASSED
RULE_DELETE_PASSED
ENTITLEMENT_ADD_PASSED
ENTITLEMENT_ADD_FAILED
ENTITLEMENT_REMOVE_PASSED
ENTITLEMENT_REMOVE_FAILED
ACCESS_PROFILE_CREATE_PASSED
ACCESS_PROFILE_DELETE_PASSED
ACCESS_PROFILE_UPDATE_PASSED
ROLE_DEPROVISION_ENABLE_PASSED
ROLE_DEPROVISION_DISABLE_PASSED
IDENTITY_PROFILE_UPDATE_PASSED
ROLE_CREATE_PASSED
ROLE_UPDATE_PASSED
ROLE_DELETE_PASSED
LIFECYCLE_STATE_CREATE_PASSED
LIFECYCLE_STATE_UPDATE_PASSED
LIFECYCLE_STATE_DELETE_PASSED
ENTITLEMENT_SET_PASSED
ROLE_ADD_PASSED
IDENTITY_PROFILE_ATTRIBUTE_CREATE_PASSED
IDENTITY_PROFILE_ATTRIBUTE_DELETE_PASSED
IDENTITY_PROFILE_ATTRIBUTE_UPDATE_PASSED
APP_UPDATE_PASSED
APP_CREATE_PASSED
APP_DELETE_PASSED
APP_IMPORT_PASSED
APP_ACCESS_PROFILE_SET_PASSED
APP_ADD_PASSED
APP_XML_UPDATE_PASSED
APP_REMOVE_PASSED
APP_PURGE_PASSED
IDENTITY_PROFILE_AUTHENTICATION_CONFIGURE_PASSED
ACCESS_REQUEST_APPROVAL_FORWARD_PASSED
ACCESS_REQUEST_CONFIG_UPDATE_PASSED
IDENTITY_PROFILE_DELETE_PASSED
IDENTITY_PROFILE_ATTRIBUTES_UPDATE_PASSED
IDENTITY_PROFILE_CREATE_PASSED
CONNECTOR_FILE_DELETE_PASSED
CONNECTOR_FILE_UPLOAD_PASSED
SOURCE_ACCOUNT_AGGREGATE_PASSED
SOURCE_ACCOUNT_AGGREGATE_TERMINATED
SOURCE_ACCOUNT_EXPORT_PASSED
SOURCE_ACCOUNT_FEED_DOWNLOAD_PASSED
SOURCE_ACTIVITY_EXPORT_PASSED
SOURCE_CREATE_PASSED
SOURCE_DELETE_PASSED
SOURCE_FEATURES_STRING_UPDATE_PASSED
SOURCE_RESET_PASSED
SOURCE_UPDATE_PASSED
SOURCE_ENTITLEMENT_AGGREGATE_PASSED
SOURCE_ENTITLEMENT_IMPORT_PASSED
SOURCE_ENTITLEMENT_EXPORT_PASSED
SOURCE_EXTERNAL_PASSWORD_CHANGE_ACTIVITY_EXPORT_PASSED
SOURCE_SCHEMA_ATTRIBUTE_ADD_PASSED
SOURCE_SCHEMA_ATTRIBUTE_DELETE_PASSED
SOURCE_SCHEMA_ATTRIBUTE_UPDATE_PASSED
SOURCE_DELETE_THRESHOLD_UPDATE_PASSED
SOURCE_AGGREGATION_SCHEDULE_UPDATE_PASSED
CUSTOM_CONNECTOR_CREATE_PASSED
CUSTOM_CONNECTOR_DELETE_PASSED
CUSTOM_CONNECTOR_EXPORT_PASSED
CUSTOM_CONNECTOR_UPDATE_PASSED
SOURCE_RENAME_FAILED
SESSION_CREATED_PASSED
SESSION_MAXIMUM_TIMEOUT_PASSED
SESSION_IDLE_TIMEOUT_PASSED
USER_LOGOUT_PASSED
SESSION_DESTROY_PASSED
AUTHENTICATION_REQUEST_PASSED
AUTHENTICATION_REQUEST_FAILED
IDENTITY_PROVIDER_ENABLE_PASSED
IDENTITY_PROVIDER_EXTERNAL_ENABLE_PASSED
IDENTITY_PROVIDER_EXTERNAL_DISABLE_PASSED
CLIENT_TOKEN_CREATE_PASSED
FORCE_SAML_AUTHENTICATION_PASSED
APP_SAML_LAUNCH_PASSED
APP_WSFED_LAUNCH_PASSED
APP_USAGE_AGREEMENT_PASSED
APP_PASSWORD_LAUNCH_PASSED
APP_ACCESS_DENY_PASSED
APP_BOOKMARK_LAUNCH_PASSED
APP_DIRECTORY_PASSWORD_LAUNCH_PASSED
SERVICE_BROWSER_PASSWORD_REPLAY_PASSED
SERVICE_BROWSER_PASSWORD_REPLAY_CREDENTIALS_RETRIEVE_PASSED

SYSTEM_KBA_ADD_PASSED
SYSTEM_KBA_DELETE_PASSED
API_CLIENT_CREATE_PASSED
API_CLIENT_DELETE_PASSED
BRANDING_CREATE_PASSED
BRANDING_UPDATE_PASSED
BRANDING_DELETE_PASSED
EMAIL_REDIRECTION_ENABLE_PASSED
EMAIL_TEMPLATE_UPDATE_PASSED
TASK_RESULT_DELETE_PASSED
TASK_SCHEDULE_CREATE_PASSED
TASK_SCHEDULE_UPDATE_PASSED
TASK_SCHEDULE_DELETE_PASSED
API_IDENTITY_CREATE_PASSED
API_IDENTITY_CREATE_FAILED

5 Likes