Solution: SailPointIdentityNow
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | Security - Threat Protection,Identity |
| Version | 3.0.1 |
| Author | SailPointIdentityNow |
| First Published | 2021-10-26 |
| Solution Folder | SailPointIdentityNow |
| Marketplace | Azure Marketplace · Rating: ★★★★★ 4.7/5 (173 ratings) · Popularity: 🟢 High (80%) |
The SailPoint Integration solution provides the capability to ingest SailPoint IdentityNow search events into Microsoft Sentinel through the REST API. The solution includes two data connectors: a legacy Azure Function-based connector and a Codeless Connector Framework (CCF) based connector.
**Underlying Microsoft Technologies used:**
This solution depends on the following technologies, some of which may be in Preview state or may result in additional ingestion or operational costs:
a. Azure Monitor HTTP Data Collector API (used by the Azure Function-based connector)
b. Azure Functions (used by the Azure Function-based connector)
c. Microsoft Sentinel Codeless Connector Framework (used by the CCF-based connector)
This solution provides 2 data connector(s):
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. `_s`, `_d`, `_b`, `_t`, `_g`). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 3 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| SailPointIDN_EventsV2_CL | SailPoint IdentityNow (via Codeless Connector Framework) | - |
| SailPointIDN_Events_CL 🔶 | SailPoint IdentityNow | - |
| SailPointIDN_Triggers_CL 🔶 | SailPoint IdentityNow | Analytics |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. `_s`, `_d`, `_b`, `_t`, `_g`). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 6 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 6 |
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| SailPointIdentityNowAlertForTriggers | Informational | InitialAccess, Collection | SailPointIDN_Triggers_CL |
| SailPointIdentityNowEventType | High | InitialAccess | - |
| SailPointIdentityNowEventTypeTechnicalName | High | InitialAccess | - |
| SailPointIdentityNowFailedEvents | High | InitialAccess | - |
| SailPointIdentityNowFailedEventsBasedOnTime | High | InitialAccess | - |
| SailPointIdentityNowUserWithFailedEvent | High | InitialAccess | - |
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.1 | 11-05-2026 | Added CCF Data Connector support with one Parser for backward compatibility and new schema for SailPoint IdentityNow events; updated Analytic Rules to use the parser alias and new connector ID |
| 3.0.0 | 28-08-2024 | Data Connector instruction updated |