SailPoint
SailPoint is an identity management solution that helps organizations manage employee permissions, digital identities, information security, data access, and compliance. The Sumo Logic App for SailPoint helps you monitor the user events, actions, operations, failed logins, successful logins, and user activities to your applications through SailPoint. The App consists of dashboards that give you visibility into the source deletion, user events, and geo locations of authentication events.
Log types
The SailPoint Source ingests:
- Events from the Search API Endpoint.
- Users Inventory data from the Public Identities API Endpoint.
Sample Log Messages
{
"org":"sp-ITgrp",
"pod":"stg02-useast1",
"created":"2022-10-05T11:52:42.119Z",
"id":"aa138dc5c4c8dbfdbdb68336ac89730cb9531a0e5bfec876af6630a6f12e4a2e",
"action":"update",
"type":"WORKFLOW",
"actor":"▶"{
"..."
},
"target":"▶"{
"..."
},
"stack":"tpe",
"trackingNumber":"8e2b88914f2d4ffea13c541daeb57952",
"attributes":"▶"{
"..."
},
"objects":"▶"[
"..."
],
"operation":"UPDATE",
"status":"PASSED",
"technicalName":"TASK_SCHEDULE_UPDATE_PASSED",
"name":"Update Task Schedule Passed",
"synced":"2022-10-05T11:52:42.119Z",
"_type":"event",
"_version":"v7"
}
{
"org":"sp-solgrp",
"pod":"stg02-useast1",
"created":"2022-10-05T11:43:02.214Z",
"id":"e554182b1186adbd0e6183701a39c534dc434dce218822dc4817090ddaac2c4c",
"action":"AUTHENTICATION-103",
"type":"AUTH",
"actor":"▶"{
"..."
},
"target":"▶"{
"..."
},
"stack":"oathkeeper",
"trackingNumber":"5624c8b0a8a843adbd979d5de12e3723",
"ipAddress":"177.53.184.122",
"details":"5624c8b0a8a843adbd979d5de12e3723",
"attributes":"▶"{
"..."
},
"objects":"▶"[
"..."
],
"operation":"REQUEST",
"status":"PASSED",
"technicalName":"AUTHENTICATION_REQUEST_PASSED",
"name":"Request Authentication Passed",
"synced":"2022-10-05T11:43:02.214Z",
"_type":"event",
"_version":"v7"
}
Sample Queries
_sourceCategory=Labs/sailpoint ipAddress
| json field=_raw "created", "type", "technicalName", "status","operation","actor.name", "action", "name", "target.name", "attributes.sourceName" as created, event_type, technical_name_in_search, event_status, operation, user_name, action, event_desc, target_name, source_name
| json "org" as org
| where technical_name_in_search = "AUTHENTICATION_REQUEST_PASSED"
| json field=_raw "ipAddress" as client_ip
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location on ip = client_ip
| where country_name matches "*" and city matches "*"
| count by latitude, longitude, country_code, country_name, region, city, postal_code
| sort _count
_sourceCategory=Labs/sailpoint
| json field=_raw "created", "type", "technicalName", "status","operation","actor.name", "action", "name", "target.name", "attributes.sourceName" as created, event_type, technical_name_in_search, event_status, operation, user_name, action, event_desc, target_name, source_name | json "org" as org
| count by event_type
| sort by _count
Set up collection
Follow the instructions for setting up Cloud to Cloud Integration for SailPoint App to create the source and use the same source category while installing the app.
Installing the SailPoint App
This section demonstrates how to install the SailPoint App.
To install the app:
- From the Sumo Logic nav, select App Catalog.
- Search for and select your app.
- (Optional) To see a preview of the dashboards included with the app, scroll down to the Dashboard Preview section.
- If the app has multiple versions - not all apps do - select the version of the service you're using, then click Add Integration.
- On the next configuration page, under Select Data Source for your App, complete the following fields:
- Data Source. Select one of the following options:
- Choose Source Category and select a source category from the list; or
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example,
_sourceCategory=MyCategory
.
- Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
- All Folders (optional). Default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
- Data Source. Select one of the following options:
- Click Next.
- You'll see a dialog confirming that the app was installed successfully.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.
Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't be available immediately, but within 20 minutes, you'll see full graphs and maps.
Viewing SailPoint Dashboards
Overview
The SailPoint - Overview dashboard provides a summary of SailPoint events, actions, operations, event trend analysis, and a summary table for all user events.

Successful Authentications
The SailPoint - Successful Authentications dashboard provides the details of success logins such as the geolocation, country, state, failed login trends, outlier, and top 10 users.

Failed Authentications
The SailPoint - Failed Authentications dashboard shows the details of failed logins such as the geolocation, country, state, failed login trends, outlier, and top 10 users.

Security
The SailPoint - Security dashboard provides a summary of source deletion events in source management operations.
