Change log for SAILPOINT_IAM
| Date | Changes |
|---|---|
| 2024-09-13 | Bug-Fix:
- Mapped "attributes.attributeValue" to "target.group.attribute.labels". - Mapped "attributes.accountName" to "principal.user.attribute.labels". |
| 2024-05-03 | Bug-Fix:
- Mapped "created" to "metadata.event_timestamp". - Mapped "auditClassName" to "metadata.product_event_type". - Mapped "interface", "referenceClass", "referenceId", "sailPointObjectName", and "target" to "additional.fields". - Mapped "serverHost" and "server" to "principal.hostname", and "principal.asset.hostname". |
| 2024-02-21 | Enhancement:
- Aligned "principal.ip to "principal.asset.ip". - Aligned "principal.hostname" to "principal.asset.hostname". - Aligned "target.ip" to "target.asset.ip". - Aligned "target.hostname" to "target.asset.hostname". - Mapped "operation" to "target.attribute.labels". - When "technicalName" in "PASSWORD_CHANGE_STARTED", "PASSWORD_ACTION_CHANGE_PASSED", "PASSWORD_CHANGE_FAILED" or "USER_PASSWORD_UPDATE_PASSED" and "action" in "PasswordChange", "PasswordChangeSuccess", "PasswordChangeFailure" or "USER_PASSWORD_UPDATE_PASSED", then mapped "metadata.event_type" to "USER_CHANGE_PASSWORD". - When "technicalName" in "IDENTITY_ACCOUNT_REMOVE_PASSED", "IDENTITY_DELETE_PASSED", "WORKFLOW_DELETE_PASSED" or "ACCOUNT_DISABLE_PASSED" and "action" in USER_REMOVE_ACCOUNT", "delete", "WORKFLOW_DELETED" or "DisableAccount", then mapped "metadata.event_type" to "USER_DELETION". - When "technicalName" in "PERSONAL_ACCESS_TOKEN_USE_PASSED", "SAML_ASSERTION_RECEIVE_PASSED", "SAML_REQUEST_SEND_PASSED", "SOURCE_ACCOUNT_AGGREGATE_STARTED", "IDENTITY_PROCESSING_MANUAL_PASSED", "SOURCE_ENTITLEMENT_AGGREGATE_PASSED" or "MFA_REGISTRATION_REGISTER_PASSED" and "action" in "PERSONAL_ACCESS_TOKEN_USED", "SAML2-142", "SAML2-31", "SOURCE_ACCOUNT_AGGREGATION_STARTED", "IDENTITY_PROCESSING", "SOURCE_ENTITLEMENT_AGGREGATION" or "MFA_REGISTRATION_REGISTERED", then mapped "metadata.event_type" to "USER_RESOURCE_ACCESS". - When "technicalName" in "AUTHENTICATION_REQUEST_PASSED", "ACCESS_REQUEST_PROCESSED", "ACCESS_REQUEST_APPROVED", "ACCESS_APPROVAL_CREATE_STARTED", "ACCESS_REQUEST_STARTED" or "SUBSCRIPTION_EXECUTE_STARTED" and "action" in "AUTHENTICATION-105", "AccessRequestProcessed", "AccessRequestApproved", "ACCESS_APPROVAL_STARTED", "AccessRequestRequested" or "SUBSCRIPTION_EXECUTE_STARTED", then mapped "metadata.event_type" to "USER_LOGIN". - When "technicalName" is "CERTIFICATION_ITEM_REMEDIATE_PASSED" and "action" is "remediate", then mapped "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS". - When "technicalName" in "SOURCE_ACCOUNT_AGGREGATE_PASSED", "SOURCE_ENTITLEMENT_AGGREGATE_STARTED" or "BRANDING_UPDATE_PASSED" and "action" in "SOURCE_ACCOUNT_AGGREGATION_PASSED", "SOURCE_ENTITLEMENT_AGGREGATION_STARTED" or "BRANDING_UPDATE", then mapped "metadata.event_type" to "USER_RESOURCE_UPDATE_CONTENT". - When "technicalName" in "SUPPORT_LOGIN_TOKEN_AUTHENTICATE_PASSED", "USER_AUTHENTICATION_STEP_UP_SETUP_PASSED", "IDENTITY_PROCESSING_SCHEDULED_PASSED", "MFA_VERIFICATION_FAILED", "CERTIFICATION_REASSIGN_PASSED", "WORKITEM_COMPLETE_COMMENTS_ADD_PASSED", "ACCESS_REQUEST_REJECTED" or "CERTIFICATION_CAMPAIGN_ACTIVATE_PASSED" and "action" in "SUPPORT_LOGIN_AUTHENTICATE", "USER_STEP_UP_AUTH", "IDENTITY_PROCESSING", "MFA_VERIFICATION_FAILED", "reassign", "Comment", "AccessRequestRejected" or "CertificationCampaignActivate", then mapped "metadata.event_type" to "USER_LOGIN". - When "technicalName" is "USER_LOGOUT_PASSED" or "CERTIFICATION_SIGNOFF_PASSED" and "action" is "AUTHENTICATION-303" or "signoff", then mapped "metadata.event_type" to "USER_LOGOUT". - When "technicalName" in "IDENTITY_PROCESSING_SCHEDULED_STARTED", "USER_ACTIVATE_PASSED", "USER_EMAIL_UPDATE_PASSED", "USER_PHONE_UPDATE_PASSED", "CERTIFICATION_CAMPAIGN_CREATE_PASSED", "ACCESS_REQUEST_CANCELLED", "ACCESS_PROFILE_CREATE_PASSED", "WORKFLOW_CREATE_PASSED", "ACCOUNT_ENABLE_PASSED", "ENTITLEMENT_SET_PASSED" or "ACCOUNT_CREATE_PASSED" and "action" in "IDENTITY_PROCESSING", "USER_ACTIVATE", "USER_EMAIL_UPDATE", "USER_PHONE_UPDATE", "CertificationCampaignCreate", "AccessRequestCancelled", "create", "WORKFLOW_CREATED", "EnableAccount", "SetEntitlement" or "CreateAccount", then mapped "metadata.event_type" to "USER_CREATION". - When "technicalName" in "USER_UNLOCK_PASSED", "SOURCE_ACCOUNT_AGGREGATE_FAILED", "SAML_ASSERTION_RECEIVE_FAILED", "IDENTITY_LIFECYCLE_CHANGE_PASSED", "IDENTITY_STATE_CHANGE_PASSED", "APP_CREATE_PASSED", "USER_ROLE_ADMIN_REVOKE_PASSED", "USER_ROLE_ADMIN_GRANT_PASSED", "USER_AUTHENTICATION_STEP_UP_SETUP_FAILED", "ACCESS_PROFILE_UPDATE_PASSED", "SOURCE_ENTITLEMENT_AGGREGATE_FAILED", "IAI_ADMIN_CONFIG_UPDATE_PASSED", "IDENTITY_ATTRIBUTE_VALUE_UPDATE_PASSED" or "APP_UPDATE_PASSED" and "action" in "USER_UNLOCK", "SOURCE_ACCOUNT_AGGREGATION_FAILED", "SAML2-166", "identityLifecycleEvent", "IdentityStateChange", "APP_CREATE", "USER_ADMIN_REVOKE", "USER_ADMIN_GRANT", "USER_STEP_UP_AUTH_FAILURE", "update", "SOURCE_ENTITLEMENT_AGGREGATION_FAILED", "IAI_ADMIN_CONFIG_UPDATE_EVENT", "IdentityAttributeUpdate" or "APP_UPDATE", then mapped "metadata.event_type" to "USER_CHANGE_PERMISSIONS". - When "technicalName" is "ROLE_ADD_PASSED" and "action" is "RoleAdd", then mapped "metadata.event_type" to "USER_RESOURCE_CREATION". - When "technicalName" in "ACCOUNT_MODIFY_FAILED", "ACCOUNT_UNLOCK_PASSED", "ENTITLEMENT_ADD_PASSED", "ENTITLEMENT_REMOVE_FAILED", "ACCOUNT_MODIFY_PASSED", "ENTITLEMENT_REMOVE_PASSED", "ENTITLEMENT_ADD_FAILED" or "TASK_RESULT_DELETE_PASSED" and "action" in "ModifyAccountFailure", "UnlockAccount", "AddEntitlement", "RemoveEntitlementFailure", "ModifyAccount", "RemoveEntitlement", "AddEntitlementFailure" or "taskResultsPruned", then mapped "metadata.event_type" to "USER_CHANGE_PERMISSIONS". - When "technicalName" is "EMAIL_SEND_PASSED" and "action" is "emailSent", then mapped "metadata.event_type" to "EMAIL_TRANSACTION". |
| 2023-12-03 | Enhancement:
- Mapped "org" to "principal.administrative_domain". - Mapped "pod" to "principal.location.name". - Mapped "id" to "metadata.product_log_id". - Mapped "type" to "metadata.product_event_type". - Mapped "action" to "metadata.description". - Mapped "actor.name" to "principal.user.user_display_name". - Mapped "attributes.accountName" to "principal.user.group_identifiers". - Mapped "target.name" to "principal.user.userid". - Mapped "stack", "attributes.interface", "trackingNumber", "attributes.accountUuid", "attributes.previousValue", "attributes.attributeName", and "attributes.attributeValue" to "additional.fields". - Mapped "attributes.sourceId" and "attributes.sourceName" to "principal.labels". - Mapped "attributes.cloudAppName" to "target.application". - Mapped "attributes.appId" to "target.asset_id". - Mapped "attributes.provisioningResult" to "security_result.detection_fields". - Mapped "attributes.operation" to "security_result.action_details". - Mapped "technicalName" to "security_result.summary". - Mapped "name" to "security_result.description". - Mapped '_version" to "metadata.product_version". - Mapped "status" to "security_result.severity_details". - Added condition check and on_error for "instant.epochSecond" before mapping. - If "principal.user" and "target.application" are present, then set "metadata.event_type" to "USER_LOGIN" and "extensions.auth_type" to "AUTHTYPE_UNSPECIFIED". - If "principal.user" is present and "target.application" is not present, then set "metadata.event_type" to "USER_UNCATEGORIZED" and "extensions.auth_type" to "AUTHTYPE_UNSPECIFIED". |
| 2022-07-08 | Enhancement:
- Modified mapping for "iiq_target_user_role" from "target.user.role_name" to "target.user.attribute.roles". |