SailPoint IdentityIQ
This Integration is part of the SailPoint IdentityIQ Pack.

Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.

SailPoint IdentityIQ context pack enables XSOAR customers to utilize the deep, enriched contextual data in the SailPoint predictive identity platform to better drive identity-aware security practices. This integration was integrated and tested with version 8.1 of SailPoint IdentityIQ.

Configure SailPointIdentityIQ in Cortex
Parameter | Description | Required |
---|---|---|
identityiq_url | IdentityIQ Server URL (e.g. https://identityiq-server.com/identityiq) | True |
client_id | Client Id (for OAuth 2.0) | True |
client_secret | Client Secret (for OAuth 2.0) | True |
isFetch | Fetch incidents | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
incidentType | Incident type | False |
max_fetch | Maximum number of incidents per fetch | False |
first_fetch | First fetch time | False |

Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

identityiq-search-identities
Search identities by search/filter parameters (id, email, risk & active) using IdentityIQ SCIM APIs.

Base Command
identityiq-search-identities

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the identity being requested. | Optional |
email | Email address of the identity being requested. | Optional |
active | Determines whether search will return only active identities. Default is true. | Optional |
risk | Numeric value of baseline risk score, users above this will be returned. | Optional |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.Identity.userName | String | The IdentityIQ username (primary id). |
IdentityIQ.Identity.id | String | The IdentityIQ internal id (uuid). |
IdentityIQ.Identity.name.formatted | String | The display name of the identity. |
IdentityIQ.Identity.name.familyName | String | The last name of the identity. |
IdentityIQ.Identity.name.givenName | String | The first name of the identity. |
IdentityIQ.Identity.active | Boolean | Indicates whether the id is active or inactive in IdentityIQ. |
IdentityIQ.Identity.manager.userName | String | The IdentityIQ username (primary id) of the identity's manager. |
IdentityIQ.Identity.lastModified | Date | Timestamp of when the identity was last modified. |
IdentityIQ.Identity.displayName | String | The display name of the identity. |
IdentityIQ.Identity.emails | Unknown | Array of email objects. |
IdentityIQ.Identity.emails.type | String | Type of the email being returned. |
IdentityIQ.Identity.emails.value | String | The email address of the identity. |
IdentityIQ.Identity.emails.primary | Boolean | Indicates if this email address is the identity's primary email. |
IdentityIQ.Identity.entitlements | Unknown | Array of entitlements objects that the identity has. |
IdentityIQ.Identity.roles | Unknown | Array of role objects that the identity has. |
IdentityIQ.Identity.capabilities | Unknown | Array of string representations of the IdentityIQ capabilities assigned to this identity. |

Command Examples

Human Readable Output
Results:
Identity
id | userName | displayName | name | emails | sailpointUser | extendedUser | entitlements | roles | capabilities | active |
---|---|---|---|---|---|---|---|---|---|---|
8a8080824df45873014df45bd97400c9 | Adam.Kennedy | Adam Kennedy | formatted: Adam Kennedy familyName: Kennedy givenName: Adam | {'type': 'work', 'value': 'Adam.Kennedy@sailpointdemo.com', 'primary': True} | capabilities: lastRefresh: 2020-10-08T15:45:47.034-05:00 jobTitle: Payroll Analyst II employeeId: 1b2c3a4e administrator: {} employeeType: Employee phone: 5124152339 isManager: false location: London accounts: {'displayName': '1b2c3a4e', 'value': '8a8080824df45873014df45bd97500ca', '$ref': 'http://localhost:8088/iiq/scim/v2/Accounts/8a8080824df45873014df45bd97500ca'}, {'displayName': 'Adam.Kennedy', 'value': '8a8080824df45873014df45c164601d8', '$ref': 'http://localhost:8088/iiq/scim/v2/Accounts/8a8080824df45873014df45c164601d8'}, {'displayName': 'AKENNE', 'value': '8a8080824df45873014df45d012705ae', '$ref': 'http://localhost:8088/iiq/scim/v2/Accounts/8a8080824df45873014df45d012705ae'}, {'displayName': 'Adam.Kennedy', 'value': '8a8080824df45873014df45da06308b0', '$ref': 'http://localhost:8088/iiq/scim/v2/Accounts/8a8080824df45873014df45da06308b0'} riskScore: 82 department: Accounting region: GB | manager: {"displayName": "Douglas Flores", "value": "8a8080824df45873014df45bcfab008d", "$ref": "http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bcfab008d"} | true |

identityiq-get-policyviolations
Fetch policy violation by id or all policy violations using IdentityIQ SCIM APIs.

Base Command
identityiq-get-policyviolations

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the policy violation being requested. | Optional |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.PolicyViolation.policyName | String | Name of the policy that was violated. |
IdentityIQ.PolicyViolation.constraintName | String | Name of the constraint being violated. |
IdentityIQ.PolicyViolation.status | String | Status of the violation (open/closed). |
IdentityIQ.PolicyViolation.description | String | Description of the policy/conflict. |
IdentityIQ.PolicyViolation.identity.value | Unknown | Internal id of the IdentityIQ identity in violation. |
IdentityIQ.PolicyViolation.identity.displayName | String | Display name of the IdentityIQ identity in violation. |
IdentityIQ.PolicyViolation.id | String | Internal id of the task result. |

Command Example

Human Readable Output
Results:
PolicyViolation
id | policyName | constraintName | status | description | identity | owner |
---|---|---|---|---|---|---|
8a8080824df45873014df46036521328 | SOD Policy Accounts Payable Access-Accounts Receivable Access | Accounts Payable Access - Accounts Receivable Access constraint | Open | displayName: Frank Rivera value: 8a8080824df45873014df45bc8480065 $ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bc8480065 | displayName: Richard Jackson value: 8a8080824df45873014df45bbbb9002b $ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bbbb9002b |

identityiq-get-taskresults
Fetch task result by id or all task results using IdentityIQ SCIM APIs.

Base Command
identityiq-get-taskresults

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the task result being requested. | Optional |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.TaskResult.id | String | Internal id of the task result. |
IdentityIQ.TaskResult.progress | String | String representation of the status of the task. |
IdentityIQ.TaskResult.launched | Date | Date representation of when the task was launched in IdentityIQ. |
IdentityIQ.TaskResult.taskDefinition | String | Name of the task template that this task result is an instantiation of. |
IdentityIQ.TaskResult.host | String | Host name of the IdentityIQ application server that is executing this task. |
IdentityIQ.TaskResult.type | String | Type of the task being executed. |
IdentityIQ.TaskResult.pendingSignoffs | Number | Number of signoffs on the task result that have not been done. |
IdentityIQ.TaskResult.completionStatus | String | Status of task: 'success', 'terminated', 'failure', etc. |
IdentityIQ.TaskResult.launcher | String | Name of the IdentityIQ identity who launched the task. |
IdentityIQ.TaskResult.name | String | Unique name of the task that was launched. |
IdentityIQ.TaskResult.completed | Date | Timestamp of when the task was completed (if not currently executed). |

Command Example

Human Readable Output
Results:
TaskResult
id | name | type | host | progress | completionStatus | launched | taskDefinition | pendingSignoffs | launcher | completed | taskSchedule | partitioned | terminated | messages | attributes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0a0000016b951ded816bb41351e901b3 | Joiner: DannyFieldsPS | Workflow | Success | 2019-07-02T14:04:53.471-05:00 | Workflow Launcher | 0 | Scheduler | 2019-07-02T14:04:53.480-05:00 | false | false | {'value': '\n', 'key': 'workflowSummary'} |

identityiq-get-accounts
Fetch accounts by search/filter parameters (id, display_name, last_refresh, native_identity, last_target_agg, identity_name & application_name) using IdentityIQ SCIM APIs.

Base Command
identityiq-get-accounts

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the account to be returned. | Optional |
display_name | displayName of the account to be returned. | Optional |
last_refresh | Timestamp of the last time the account(s) were refreshed from the target system. [format : yyyy-MM-dd'T'HH:mm:ss or yyyy-MM-dd]. | Optional |
native_identity | Unique identifier of the account on the target system. | Optional |
last_target_agg | Timestamp of the last targeted aggregation of the account from the target system. [format : yyyy-MM-dd'T'HH:mm:ss or yyyy-MM-dd]. | Optional |
identity_name | Unique name of the identity for which all accounts will be returned. | Optional |
application_name | Unique name of the application for which all accounts will be returned. | Optional |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.Account.id | String | Internal id of the account. |
IdentityIQ.Account.identity.value | String | Internal id of the identity that this account belongs to. |
IdentityIQ.Account.identity.displayName | String | Display name of the identity that this account belongs to. |
IdentityIQ.Account.hasEntitlements | Boolean | True if the account has access entitlements assigned to it, else false. |
IdentityIQ.Account.application.value | Unknown | Internal id of the application that this account is on. |
IdentityIQ.Account.application.displayName | String | Display name of the application that this account is on. |
IdentityIQ.Account.nativeIdentity | String | The name of the account as it exists on the application. |
IdentityIQ.Account.lastRefreshed | Date | Timestamp of when this account was last refreshed in IdentityIQ. |

Command Example

Human Readable Output
Results:
Account
id | displayName | identity | hasEntitlements | application | nativeIdentity | active | lastRefresh | manuallyCorrelated | application | locked |
---|---|---|---|---|---|---|---|---|---|---|
8a8080824df45873014df45bb504000e | 1b | displayName: Jerry Bennett userName: Jerry.Bennett value: 8a8080824df45873014df45bb503000d $ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bb503000d | false | displayName: Human Resources value: 8a8080824df44d48014df4542d7402aa $ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df4542d7402aa | 1b | true | 2015-06-14T18:16:00.389-05:00 | false | displayName: Human Resources value: 8a8080824df44d48014df4542d7402aa $ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df4542d7402aa | false |

identityiq-disable-account
Disable account's active status by id using IdentityIQ SCIM APIs.

Base Command
identityiq-disable-account

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the specific account to be disabled. | Required |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.AccountDisable.active | Boolean | Indicates the status of account (should be false after request is successfully completed). |

Command Example

Human Readable Output
Results:
Account
id | displayName | identity | hasEntitlements | application | nativeIdentity | active | lastRefresh | manuallyCorrelated | application | locked |
---|---|---|---|---|---|---|---|---|---|---|
8a8080824df45873014df45c719f038c | Jerry.Bennett | displayName: Jerry Bennett userName: Jerry.Bennett value: 8a8080824df45873014df45bb503000d $ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bb503000d | true | displayName: Active Directory value: 8a8080824df44d48014df45440d502cf $ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45440d502cf | CN=Jerry Bennett,OU=Brussels,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=com | false | 2020-12-16T16:39:56.638-06:00 | false | displayName: Active Directory value: 8a8080824df44d48014df45440d502cf $ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45440d502cf | false |
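
The context outputs of identityiq-search-identities, identityiq-get-policyviolations and identityiq-get-accounts can be correlated to decide which account ids to pass to identityiq-disable-account. The Python below is an added example, not code from the integration: it uses only the documented context paths, and `PROTECTED_USERNAMES`, the function names and all `SAMPLE_*` records are assumptions constructed for illustration.

```python
# Added example: triage logic over the context output of the commands above.
# PROTECTED_USERNAMES and every SAMPLE_* value are constructed for illustration.
PROTECTED_USERNAMES = {"breakglass.admin"}  # hypothetical never-auto-disable list


def as_list(value):
    """Context keys may hold one object or a list of them; always return a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def open_violations_by_identity(violations):
    """Map identity internal id -> set of policy names with an open violation."""
    result = {}
    for v in as_list(violations):
        if str(v.get("status", "")).lower() != "open":
            continue  # closed violations do not justify containment
        identity_id = (v.get("identity") or {}).get("value")
        if identity_id:
            result.setdefault(identity_id, set()).add(v.get("policyName", "unknown"))
    return result


def plan_disable(identities, violations, accounts, protected=PROTECTED_USERNAMES):
    """Return [(account_id, reason)] to feed to identityiq-disable-account.

    identities: IdentityIQ.Identity entries, e.g. from a search with risk=<threshold>
    violations: IdentityIQ.PolicyViolation entries
    accounts:   IdentityIQ.Account entries
    """
    open_by_id = open_violations_by_identity(violations)
    flagged = {}
    for ident in as_list(identities):
        if not ident.get("active") or ident.get("userName") in protected:
            continue  # skip inactive identities and protected ones
        policies = open_by_id.get(ident.get("id"))
        if policies:
            flagged[ident["id"]] = (ident.get("userName"), sorted(policies))

    plan = []
    for acct in as_list(accounts):
        owner = (acct.get("identity") or {}).get("value")
        # `active` is shown in the Account results table; absent means unknown.
        if owner not in flagged or acct.get("active") is False:
            continue
        user, policies = flagged[owner]
        app = (acct.get("application") or {}).get("displayName", "unknown")
        plan.append((acct["id"], f"{user} on {app}: open violation of {', '.join(policies)}"))
    return plan


SAMPLE_IDENTITIES = [  # constructed records shaped like IdentityIQ.Identity
    {"id": "id-1", "userName": "Frank.Rivera", "active": True},
    {"id": "id-2", "userName": "Adam.Kennedy", "active": True},
    {"id": "id-3", "userName": "breakglass.admin", "active": True},
    {"id": "id-4", "userName": "Former.Employee", "active": False},
]
SAMPLE_VIOLATIONS = [  # constructed records shaped like IdentityIQ.PolicyViolation
    {"id": "pv-1", "policyName": "SOD Policy", "status": "Open", "identity": {"value": "id-1"}},
    {"id": "pv-2", "policyName": "SOD Policy", "status": "Closed", "identity": {"value": "id-2"}},
    {"id": "pv-3", "policyName": "SOD Policy", "status": "Open", "identity": {"value": "id-3"}},
    {"id": "pv-4", "policyName": "SOD Policy", "status": "open", "identity": {"value": "id-4"}},
]
SAMPLE_ACCOUNTS = [  # constructed records shaped like IdentityIQ.Account
    {"id": "acct-1", "identity": {"value": "id-1"}, "application": {"displayName": "Active Directory"}, "active": True},
    {"id": "acct-2", "identity": {"value": "id-1"}, "application": {"displayName": "Human Resources"}, "active": False},
    {"id": "acct-3", "identity": {"value": "id-2"}, "application": {"displayName": "Active Directory"}, "active": True},
    {"id": "acct-4", "identity": {"value": "id-3"}, "application": {"displayName": "Active Directory"}, "active": True},
    {"id": "acct-5", "identity": {"value": "id-4"}, "application": {"displayName": "Active Directory"}, "active": True},
]

if __name__ == "__main__":
    for account_id, reason in plan_disable(SAMPLE_IDENTITIES, SAMPLE_VIOLATIONS, SAMPLE_ACCOUNTS):
        print(account_id, "-", reason)
```

Recording the reason string alongside each disabled account id gives a reviewer what they need to reverse the action later with identityiq-enable-account.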

identityiq-enable-account
Enable account's active status by id using IdentityIQ SCIM APIs.

Base Command
identityiq-enable-account

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the specific account to be enabled. | Required |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.AccountDisable.active | Boolean | Indicates the status of account (should be true after request is successfully completed). |

Command Example

Human Readable Output
Results:
Account
id | displayName | identity | hasEntitlements | application | nativeIdentity | active | lastRefresh | manuallyCorrelated | application | locked |
---|---|---|---|---|---|---|---|---|---|---|
8a8080824df45873014df45c719f038c | Jerry.Bennett | displayName: Jerry Bennett userName: Jerry.Bennett value: 8a8080824df45873014df45bb503000d $ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bb503000d | true | displayName: Active Directory value: 8a8080824df44d48014df45440d502cf $ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45440d502cf | CN=Jerry Bennett,OU=Brussels,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=com | true | 2020-12-16T16:39:56.638-06:00 | false | displayName: Active Directory value: 8a8080824df44d48014df45440d502cf $ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45440d502cf | false |

identityiq-delete-account
Delete account by id using IdentityIQ SCIM APIs.

Base Command
identityiq-delete-account

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the specific account to be deleted. | Required |

Context Output
There is no context output for this command.

Command Example

Human Readable Output
Account deleted successfully!

identitytiq-get-launched-workflows
Fetch launched workflow by id or all launched workflows using IdentityIQ SCIM APIs.

Base Command
identitytiq-get-launched-workflows

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the specific launched workflow being requested. | Optional |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.Workflow.workflowName | String | Name of the workflow that was launched. |
IdentityIQ.Workflow.identityRequestId | String | Unique id of the identity request that launched this workflow (if exists). |
IdentityIQ.Workflow.workflowCaseId | String | Internal id of the workflowcase for this workflow. |
IdentityIQ.Workflow.launched | Date | Timestamp of when this workflow was launched. |
IdentityIQ.Workflow.targetClass | String | Type of object targeted by the workflow, usually identity. |
IdentityIQ.Workflow.targetName | String | Unique name of the object (username in the case of identity). |
IdentityIQ.Workflow.type | String | The type of workflow. |
IdentityIQ.Workflow.id | String | Internal id of the workflow. |
IdentityIQ.Workflow.completionStatus | String | Status of workflow: 'success', 'failure', 'pending', etc. |
IdentityIQ.Workflow.launcher | String | Name of the identity that launched the workflow. |
IdentityIQ.Workflow.terminated | Boolean | Indicates whether this workflow was terminated due to error or intentionally stopped. |
IdentityIQ.Workflow.name | String | Name of the workflow that was launched. |
IdentityIQ.Workflow.attributes | Unknown | Array of key/value pairs that are the inputs and their values to the workflow. |
IdentityIQ.Workflow.output | Unknown | Array of key/type/value objects that list the output of the workflow. |

Command Example

Human Readable Output
Results:
Workflow
id | name | workflowName | identityRequestId | workflowCaseId | launched | targetClass | targetName | type | completionStatus | launcher | terminated | attributes | partitioned | completed | pendingSignoffs | taskDefinition | launchedWorkflow |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0a0000016b951ded816bb41348e20197 | Joiner: Nick | 2019-07-02T14:04:51.148-05:00 | Workflow | Success | Scheduler | false | {'value': '\n', 'key': 'workflowSummary'} | false | 2019-07-02T14:04:51.169-05:00 | 0 | Workflow Launcher | output: {'type': 'application/xml', 'value': '\n', 'key': 'workflowSummary'} input: {} workflowSummary: workflowName: Joiner: Nick |

identityiq-get-roles
Fetch role by id or all roles using IdentityIQ SCIM APIs.

Base Command
identityiq-get-roles

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the specific role being requested. | Optional |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.Role.name | String | Unique name of the role object in IdentityIQ. |
IdentityIQ.Role.owner.value | String | Internal id of the role owner identity. |
IdentityIQ.Role.owner.displayName | String | Display name of the owner of the role. |
IdentityIQ.Role.active | Boolean | Indicates whether the role is active in IdentityIQ. |
IdentityIQ.Role.displayableName | String | Display name of the role in IdentityIQ. |
IdentityIQ.Role.permits | Unknown | Array of roles that this role permits in IdentityIQ. |
IdentityIQ.Role.type.name | String | Template role on which this role is based. |
IdentityIQ.Role.type.autoAssignment | Boolean | Indicates whether this type of role can be auto-assigned to identities. |
IdentityIQ.Role.type.displayName | String | Display name of the template role on which this role was based. |
IdentityIQ.Role.type.manualAssignment | String | Indicates whether this role type can be manually assigned. |
IdentityIQ.Role.descriptions.value | String | Description of the role shown in the UI. |

Command Example

Human Readable Output
Results:
Role
id | name | owner | active | displayableName | permits | type | descriptions | requirements |
---|---|---|---|---|---|---|---|---|
8a8080824df45873014df45f8b6810e9 | All Users | displayName: The Administrator value: 8a8080824df44d48014df44def7100dd $ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df44d48014df44def7100dd | true | All Users | iiq: false requirements: true permits: true displayName: Business manualAssignment: true name: business autoAssignment: true assignmentSelector: true | {'locale': 'en_US', 'value': 'Role that grants access all users should have'} | {'displayName': 'User Basic', 'value': '8a8080824df45873014df45f8b1810e6', '$ref': 'http://localhost:8088/iiq/scim/v2/Roles/8a8080824df45873014df45f8b1810e6'} |

identityiq-get-entitlements
Fetch entitlement by id or all entitlements using IdentityIQ SCIM APIs.

Base Command
identityiq-get-entitlements

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the specific entitlement being requested. | Optional |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.Entitlement.application.value | String | Internal id of the application that this entitlement resides on. |
IdentityIQ.Entitlement.application.displayName | String | Display name of the application that this entitlement resides on. |
IdentityIQ.Entitlement.attribute | String | String representing the attribute on the application that this entitlement represents. |
IdentityIQ.Entitlement.type | String | String representing the type of attribute on the application that this entitlement represents. |
IdentityIQ.Entitlement.descriptions | Unknown | Array of description objects that contain a locale, and a value. |
IdentityIQ.Entitlement.id | String | Internal id of the entitlement object in IdentityIQ. |
IdentityIQ.Entitlement.requestable | Boolean | Boolean indicates whether this entitlement is directly requestable in the IdentityIQ UI. |
IdentityIQ.Entitlement.owner.value | String | Internal id of the owner of the entitlement in IdentityIQ. |
IdentityIQ.Entitlement.owner.displayName | String | Display name of the owner of the entitlement in IdentityIQ. |
IdentityIQ.Entitlement.aggregated | String | Indicates whether this entitlement was aggregated from the source system or not. |
IdentityIQ.Entitlement.created | Date | Timestamp indicates when the entitlement was created in IdentityIQ. |

Command Example

Human Readable Output
Results:
Entitlement
id | displayableName | type | attribute | value | owner | application | descriptions | requestable | aggregated | created |
---|---|---|---|---|---|---|---|---|---|---|
8a8080824df45873014df45d9f9008a8 | input | Entitlement | capability | input | displayName: TRAKK value: 8a8080824df44d48014df45444c002da $ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45444c002da | true | false |

identityiq-get-alerts
Fetch alert by id or all alerts using IdentityIQ SCIM APIs.

Base Command
identityiq-get-alerts

Input
Argument Name | Description | Required |
---|---|---|
id | Internal id of the specific alert being requested. | Optional |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.Alert.id | String | Internal id of the Alert in IdentityIQ. |
IdentityIQ.Alert.lastProcessed | Date | Timestamp of when this alert was processed by IdentityIQ for match. |
IdentityIQ.Alert.displayName | String | Display name of the alert in IdentityIQ. |
IdentityIQ.Alert.meta.created | Date | Timestamp of when this alert was created in IdentityIQ. |
IdentityIQ.Alert.name | String | Name of the alert in IdentityIQ. |
IdentityIQ.Alert.attributes | Unknown | Array of attributes associated with this alert. |
IdentityIQ.Alert.actions | Unknown | Array of actions taken on this alert after processing. |
IdentityIQ.Alert.application | String | List of applications that are related to this alert. |

Command Example

Human Readable Output
Results:
Alert
id | name | displayName | type | targetId | targetDisplayName | targetType | alertInput | actions | application | attributes | lastProcessed |
---|---|---|---|---|---|---|---|---|---|---|---|
0a000001764519c981766dbd2bd518ad | 0000000015 | Test Alert | PAN XSOAR | input: processorTaskInput: aggregationTaskInput: | 2020-12-16T16:48:02.773-06:00 |

identityiq-create-alert
Create an alert using IdentityIQ SCIM APIs.

Base Command
identityiq-create-alert

Input
Argument Name | Description | Required |
---|---|---|
display_name | Display name of the alert. | Required |
attributes | List of JSON objects with the following structure. { 'key': '', 'value': '', 'type': '' }. | Optional |

Context Output
Path | Type | Description |
---|---|---|
IdentityIQ.Alert.id | String | Internal id of the Alert in IdentityIQ. |
IdentityIQ.Alert.lastProcessed | Date | Timestamp of when this alert was processed by IdentityIQ for match. |
IdentityIQ.Alert.displayName | String | Display name of the alert in IdentityIQ. |
IdentityIQ.Alert.meta.created | Date | Timestamp of when this alert. |
IdentityIQ.Alert.name | String | Unique name of the alert in IdentityIQ. |
IdentityIQ.Alert.attributes | Unknown | Array of attributes associated with this alert. |
IdentityIQ.Alert.actions | Unknown | Array of actions taken on this alert after processing. |
IdentityIQ.Alert.application | String | List of applications that are related to this alert. |

Command Example

Human Readable Output
Results:
Alert
id | name | displayName | type | targetId | targetDisplayName | targetType | alertInput | actions | application | attributes | lastProcessed |
---|---|---|---|---|---|---|---|---|---|---|---|
0a000001764519c981767209e7491c04 | 0000000016 | XSOAR-Alert | PAN XSOAR | input: processorTaskInput: aggregationTaskInput: | 2020-12-17T12:50:20.369-06:00 |