Enhance SailPoint ISC Security with Splunk Audit Analysis

Introduction Of Sailpoint ISC Auditevent Add-on For SPLUNK

1. Integrates SailPoint Identity Security Cloud with Splunk for real-time monitoring.

2. Centralizes identity-related activities for better visibility and control.

3. Facilitates compliance with governance frameworks using structured data.

4. Enhances threat detection and response capabilities by analyzing identity activity logs.

SPLUNK

Splunk is a software platform that helps organizations search, monitor and analyse data from any source. Splunk is used to monitor and troubleshoot problems with applications, servers, and networks.

HELPS WITH

• It shows when SailPoint has blocked multiple incorrect login attempts.

• SailPoint logs alone show user activity within your identity system, but when combined with other systems’ data in Splunk, it becomes easier to detect more complex attacks happening across your entire organization.

• It helps track login attempts from different locations to spot issues, like unauthorized access or errors.

HOW IT WORKS

• The add-on uses SailPoint's Audit Events API to send audit data to Splunk, so Splunk can easily get and analyses the data.

• This add-on just makes it simpler to get SailPoint data into Splunk.

• This add-on does not interact with SailPoint’s virtual appliance (VA), so you don’t need to worry about making changes there. It just works with Splunk directly.

AUTHENTICATION

The Splunk Add-on needs to authenticate with SailPoint Identity Security Cloud (ISC) twice.

1.    The add-on needs a Client ID and Client Secret, which are basically login details. These come from a Personal Access Token you create in SailPoint.

2.    The Client ID and Client Secret are stored in Splunk, and they allow the add-on to access all the audit events.

3.    The add-on gets a JWT (JSON Web Token) by making a request to SailPoint's API gateway.

4.    Once the add-on has this JWT, it uses it to pull actual AuditEvent records (logs) from SailPoint.

5. Once the token is successfully issued, the add-on uses Bearer authentication (which means sending the token with each request) to pull audit data from the /v3/search/events endpoint in SailPoint.

EVENT IN SPLUNK

An event in Splunk is like a single entry in a log file. It represents a piece of data that gets stored and indexed in Splunk.

Each event has important details, such as:

• Time Stamp

• Host

• Source

• Source Type.

Each event in your logs appears as a separate line. However, there are times when a single event may have multiple lines, or multiple events may be combined into one line.

SOURCE TYPES

• A source type is a field that helps in formatting the data when it gets indexed in Splunk.

• Splunk comes with many predefined source types, but you can also create your own.

• Example: For the SailPoint add-on, a custom source type called sailpoint_identitynow is created. This helps in organizing and searching for events related to SailPoint data easily.

• A Splunk admin can use the source type field in searches to find all data of a certain type 

DATA INPUT

Splunk has three process:

1.    Data Input: Raw data is first received. Splunk breaks the data into blocks and adds metadata (like host, source, and source type).

2.    Indexing: The raw data is processed and stored in a way that makes it easy to search. After the data is input, it is then parsed into individual events.

3.    Search Management: This is where users can search and analyze the indexed data.

• The ISC add-on is set up to handle a specific type of data input known as source type.

• You can configure how often this data input runs, with the default set to every 300 seconds (or 5 minutes).

• The input runs a Python script that makes HTTP requests to the Identity Security Cloud API endpoints to gather audit events from SailPoint.

The ISC add-on collects and processes audit data from SailPoint in a structured way, making it easier for users to analyse security events within Splunk.

ADD-ON

1. The add-on runs a Python script that makes HTTP requests to the SailPoint API. It gathers audit events (logs of actions) from Identity Security Cloud.

2. To set this up, you need to provide:

• Organization name

• Client ID

• Client Secret

• Username and Password

3. These credentials are necessary to connect securely to SailPoint's API and access the audit events.

4. The main use of Add-on is to import the data and format the data for better usage.

5. It’s not a stand-alone app, instead it works as a supportive application that improves the functionality of other apps with Splunk.

6. Installed through Splunk-Base directly via the local system.

7. The SailPoint IdentityNow add-on is a type of add-on that connects Splunk with Identity Security Cloud to pull audit data. It is meant that it is not a standalone application.

Thus, Splunk improves the SailPoint IdentityNow Add-on by offering strong tools for collecting and analysing data. It helps organizations track user activities, spot security issues, and generate reports. This way, companies can better understand their identity management and strengthen their security practices. Ultimately, it assists in meeting compliance requirements as well.

Conclusion

1. Simplify Identity Analytics: Leverage centralized monitoring to strengthen identity security.

2. Start Installation Today: Follow the setup process to connect SailPoint with Splunk.

3. Unlock Advanced Insights: Use dashboards and alerts to stay ahead of threats.

4. Scalable Solution: Expand monitoring as your organization’s identity ecosystem grows.