Change log for SAILPOINT_IAM

Date Changes
2024-09-13 Bug-Fix:
- Mapped "attributes.attributeValue" to "target.group.attribute.labels".
- Mapped "attributes.accountName" to "principal.user.attribute.labels".
2024-05-03 Bug-Fix:
- Mapped "created" to "metadata.event_timestamp".
- Mapped "auditClassName" to "metadata.product_event_type".
- Mapped "interface", "referenceClass", "referenceId", "sailPointObjectName", and "target" to "additional.fields".
- Mapped "serverHost" and "server" to "principal.hostname", and "principal.asset.hostname".
2024-02-21 Enhancement:
- Aligned "principal.ip to "principal.asset.ip".
- Aligned "principal.hostname" to "principal.asset.hostname".
- Aligned "target.ip" to "target.asset.ip".
- Aligned "target.hostname" to "target.asset.hostname".
- Mapped "operation" to "target.attribute.labels".
- When "technicalName" in "PASSWORD_CHANGE_STARTED", "PASSWORD_ACTION_CHANGE_PASSED", "PASSWORD_CHANGE_FAILED" or "USER_PASSWORD_UPDATE_PASSED" and "action" in "PasswordChange", "PasswordChangeSuccess", "PasswordChangeFailure" or "USER_PASSWORD_UPDATE_PASSED", then mapped "metadata.event_type" to "USER_CHANGE_PASSWORD".
- When "technicalName" in "IDENTITY_ACCOUNT_REMOVE_PASSED", "IDENTITY_DELETE_PASSED", "WORKFLOW_DELETE_PASSED" or "ACCOUNT_DISABLE_PASSED" and "action" in USER_REMOVE_ACCOUNT", "delete", "WORKFLOW_DELETED" or "DisableAccount", then mapped "metadata.event_type" to "USER_DELETION".
- When "technicalName" in "PERSONAL_ACCESS_TOKEN_USE_PASSED", "SAML_ASSERTION_RECEIVE_PASSED", "SAML_REQUEST_SEND_PASSED", "SOURCE_ACCOUNT_AGGREGATE_STARTED", "IDENTITY_PROCESSING_MANUAL_PASSED", "SOURCE_ENTITLEMENT_AGGREGATE_PASSED" or "MFA_REGISTRATION_REGISTER_PASSED" and "action" in "PERSONAL_ACCESS_TOKEN_USED", "SAML2-142", "SAML2-31", "SOURCE_ACCOUNT_AGGREGATION_STARTED", "IDENTITY_PROCESSING", "SOURCE_ENTITLEMENT_AGGREGATION" or "MFA_REGISTRATION_REGISTERED", then mapped "metadata.event_type" to "USER_RESOURCE_ACCESS".
- When "technicalName" in "AUTHENTICATION_REQUEST_PASSED", "ACCESS_REQUEST_PROCESSED", "ACCESS_REQUEST_APPROVED", "ACCESS_APPROVAL_CREATE_STARTED", "ACCESS_REQUEST_STARTED" or "SUBSCRIPTION_EXECUTE_STARTED" and "action" in "AUTHENTICATION-105", "AccessRequestProcessed", "AccessRequestApproved", "ACCESS_APPROVAL_STARTED", "AccessRequestRequested" or "SUBSCRIPTION_EXECUTE_STARTED", then mapped "metadata.event_type" to "USER_LOGIN".
- When "technicalName" is "CERTIFICATION_ITEM_REMEDIATE_PASSED" and "action" is "remediate", then mapped "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS".
- When "technicalName" in "SOURCE_ACCOUNT_AGGREGATE_PASSED", "SOURCE_ENTITLEMENT_AGGREGATE_STARTED" or "BRANDING_UPDATE_PASSED" and "action" in "SOURCE_ACCOUNT_AGGREGATION_PASSED", "SOURCE_ENTITLEMENT_AGGREGATION_STARTED" or "BRANDING_UPDATE", then mapped "metadata.event_type" to "USER_RESOURCE_UPDATE_CONTENT".
- When "technicalName" in "SUPPORT_LOGIN_TOKEN_AUTHENTICATE_PASSED", "USER_AUTHENTICATION_STEP_UP_SETUP_PASSED", "IDENTITY_PROCESSING_SCHEDULED_PASSED", "MFA_VERIFICATION_FAILED", "CERTIFICATION_REASSIGN_PASSED", "WORKITEM_COMPLETE_COMMENTS_ADD_PASSED", "ACCESS_REQUEST_REJECTED" or "CERTIFICATION_CAMPAIGN_ACTIVATE_PASSED" and "action" in "SUPPORT_LOGIN_AUTHENTICATE", "USER_STEP_UP_AUTH", "IDENTITY_PROCESSING", "MFA_VERIFICATION_FAILED", "reassign", "Comment", "AccessRequestRejected" or "CertificationCampaignActivate", then mapped "metadata.event_type" to "USER_LOGIN".
- When "technicalName" is "USER_LOGOUT_PASSED" or "CERTIFICATION_SIGNOFF_PASSED" and "action" is "AUTHENTICATION-303" or "signoff", then mapped "metadata.event_type" to "USER_LOGOUT".
- When "technicalName" in "IDENTITY_PROCESSING_SCHEDULED_STARTED", "USER_ACTIVATE_PASSED", "USER_EMAIL_UPDATE_PASSED", "USER_PHONE_UPDATE_PASSED", "CERTIFICATION_CAMPAIGN_CREATE_PASSED", "ACCESS_REQUEST_CANCELLED", "ACCESS_PROFILE_CREATE_PASSED", "WORKFLOW_CREATE_PASSED", "ACCOUNT_ENABLE_PASSED", "ENTITLEMENT_SET_PASSED" or "ACCOUNT_CREATE_PASSED" and "action" in "IDENTITY_PROCESSING", "USER_ACTIVATE", "USER_EMAIL_UPDATE", "USER_PHONE_UPDATE", "CertificationCampaignCreate", "AccessRequestCancelled", "create", "WORKFLOW_CREATED", "EnableAccount", "SetEntitlement" or "CreateAccount", then mapped "metadata.event_type" to "USER_CREATION".
- When "technicalName" in "USER_UNLOCK_PASSED", "SOURCE_ACCOUNT_AGGREGATE_FAILED", "SAML_ASSERTION_RECEIVE_FAILED", "IDENTITY_LIFECYCLE_CHANGE_PASSED", "IDENTITY_STATE_CHANGE_PASSED", "APP_CREATE_PASSED", "USER_ROLE_ADMIN_REVOKE_PASSED", "USER_ROLE_ADMIN_GRANT_PASSED", "USER_AUTHENTICATION_STEP_UP_SETUP_FAILED", "ACCESS_PROFILE_UPDATE_PASSED", "SOURCE_ENTITLEMENT_AGGREGATE_FAILED", "IAI_ADMIN_CONFIG_UPDATE_PASSED", "IDENTITY_ATTRIBUTE_VALUE_UPDATE_PASSED" or "APP_UPDATE_PASSED" and "action" in "USER_UNLOCK", "SOURCE_ACCOUNT_AGGREGATION_FAILED", "SAML2-166", "identityLifecycleEvent", "IdentityStateChange", "APP_CREATE", "USER_ADMIN_REVOKE", "USER_ADMIN_GRANT", "USER_STEP_UP_AUTH_FAILURE", "update", "SOURCE_ENTITLEMENT_AGGREGATION_FAILED", "IAI_ADMIN_CONFIG_UPDATE_EVENT", "IdentityAttributeUpdate" or "APP_UPDATE", then mapped "metadata.event_type" to "USER_CHANGE_PERMISSIONS".
- When "technicalName" is "ROLE_ADD_PASSED" and "action" is "RoleAdd", then mapped "metadata.event_type" to "USER_RESOURCE_CREATION".
- When "technicalName" in "ACCOUNT_MODIFY_FAILED", "ACCOUNT_UNLOCK_PASSED", "ENTITLEMENT_ADD_PASSED", "ENTITLEMENT_REMOVE_FAILED", "ACCOUNT_MODIFY_PASSED", "ENTITLEMENT_REMOVE_PASSED", "ENTITLEMENT_ADD_FAILED" or "TASK_RESULT_DELETE_PASSED" and "action" in "ModifyAccountFailure", "UnlockAccount", "AddEntitlement", "RemoveEntitlementFailure", "ModifyAccount", "RemoveEntitlement", "AddEntitlementFailure" or "taskResultsPruned", then mapped "metadata.event_type" to "USER_CHANGE_PERMISSIONS".
- When "technicalName" is "EMAIL_SEND_PASSED" and "action" is "emailSent", then mapped "metadata.event_type" to "EMAIL_TRANSACTION".
2023-12-03 Enhancement:
- Mapped "org" to "principal.administrative_domain".
- Mapped "pod" to "principal.location.name".
- Mapped "id" to "metadata.product_log_id".
- Mapped "type" to "metadata.product_event_type".
- Mapped "action" to "metadata.description".
- Mapped "actor.name" to "principal.user.user_display_name".
- Mapped "attributes.accountName" to "principal.user.group_identifiers".
- Mapped "target.name" to "principal.user.userid".
- Mapped "stack", "attributes.interface", "trackingNumber", "attributes.accountUuid", "attributes.previousValue", "attributes.attributeName", and "attributes.attributeValue" to "additional.fields".
- Mapped "attributes.sourceId" and "attributes.sourceName" to "principal.labels".
- Mapped "attributes.cloudAppName" to "target.application".
- Mapped "attributes.appId" to "target.asset_id".
- Mapped "attributes.provisioningResult" to "security_result.detection_fields".
- Mapped "attributes.operation" to "security_result.action_details".
- Mapped "technicalName" to "security_result.summary".
- Mapped "name" to "security_result.description".
- Mapped '_version" to "metadata.product_version".
- Mapped "status" to "security_result.severity_details".
- Added condition check and on_error for "instant.epochSecond" before mapping.
- If "principal.user" and "target.application" are present, then set "metadata.event_type" to "USER_LOGIN" and "extensions.auth_type" to "AUTHTYPE_UNSPECIFIED".
- If "principal.user" is present and "target.application" is not present, then set "metadata.event_type" to "USER_UNCATEGORIZED" and "extensions.auth_type" to "AUTHTYPE_UNSPECIFIED".
2022-07-08 Enhancement:
- Modified mapping for "iiq_target_user_role" from "target.user.role_name" to "target.user.attribute.roles".