Skip to main content

SailPoint IdentityIQ

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

SailPoint IdentityIQ context pack enables XSOAR customers to utilize the deep, enriched contextual data in the SailPoint predictive identity platform to better drive identity-aware security practices. This integration was integrated and tested with version 8.1 of SailPoint IdentityIQ. Supported Cortex XSOAR versions: 6.0.0 and later.

Configure SailPointIdentityIQ on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for SailPointIdentityIQ.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    identityiq_urlIdentityIQ Server URL (e.g. https://identityiq-server.com/identityiq)True
    client_idClient Id (for OAuth 2.0)True
    client_secretClient Secret (for OAuth 2.0)True
    isFetchFetch incidentsFalse
    insecureTrust any certificate (not secure)False
    proxyUse system proxy settingsFalse
    incidentTypeIncident typeFalse
    max_fetchMaximum number of incidents per fetchFalse
    first_fetchFirst fetch timeFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

identityiq-search-identities#


Search identities by search/filter parameters (id, email, risk & active) using IdentityIQ SCIM API's.

Base Command#

identityiq-search-identities

Input#

Argument NameDescriptionRequired
idInternal id of the identity being requested.Optional
emailEmail address of the identity being requested.Optional
activeDetermines whether search will return only active identities. Default is true.Optional
riskNumeric value of baseline risk score, users above this will be returned.Optional

Context Output#

PathTypeDescription
IdentityIQ.Identity.userNameStringThe IdentityIQ username (primary id).
IdentityIQ.Identity.idStringThe IdentityIQ internal id (uuid).
IdentityIQ.Identity.name.formattedStringThe display name of the identity.
IdentityIQ.Identity.name.familyNameStringThe last name of the identity.
IdentityIQ.Identity.name.givenNameStringThe first name of the identity.
IdentityIQ.Identity.activeBooleanIndicates whether the id is active or inactive in IdentityIQ.
IdentityIQ.Identity.manager.userNameStringThe IdentityIQ username (primary id) of the identities manager.
IdentityIQ.Identity.lastModifiedDateTimestamp of when the identity was last modified.
IdentityIQ.Identity.displayNameStringThe display name of the identity.
IdentityIQ.Identity.emailsUnknownArray of email objects.
IdentityIQ.Identity.emails.typeStringType of the email being returned.
IdentityIQ.Identity.emails.valueStringThe email address of the identity.
IdentityIQ.Identity.emails.primaryBooleanIndicates if this email address is the identities primary email.
IdentityIQ.Identity.entitlementsUnknownArray of entitlements objects that the identity has.
IdentityIQ.Identity.rolesUnknownArray of role objects that the identity has.
IdentityIQ.Identity.capabilitiesUnknownArray of string representations of the IdentityIQ capabilities assigned to this identity.

Command Examples#

!identityiq-search-identities
!identityiq-search-identities id=8a8080824df45873014df45bd97400c9
!identityiq-search-identities email=jerry.bennett@sailpointdemo.com
!identityiq-search-identities active=False
!identityiq-search-identities risk=500
!identityiq-search-identities active=False risk=500

Human Readable Output#

Results:#

Identity#

iduserNamedisplayNamenameemailssailpointUserextendedUserentitlementsrolescapabilitiesactive
8a8080824df45873014df45bd97400c9Adam.KennedyAdam Kennedyformatted: Adam Kennedy
familyName: Kennedy
givenName: Adam
{'type': 'work', 'value': 'Adam.Kennedy@sailpointdemo.com', 'primary': True}capabilities:
lastRefresh: 2020-10-08T15:45:47.034-05:00
jobTitle: Payroll Analyst II
employeeId: 1b2c3a4e
administrator: {}
employeeType: Employee
phone: 5124152339
isManager: false
location: London
accounts: {'displayName': '1b2c3a4e', 'value': '8a8080824df45873014df45bd97500ca', '$ref': 'http://localhost:8088/iiq/scim/v2/Accounts/8a8080824df45873014df45bd97500ca'},
{'displayName': 'Adam.Kennedy', 'value': '8a8080824df45873014df45c164601d8', '$ref': 'http://localhost:8088/iiq/scim/v2/Accounts/8a8080824df45873014df45c164601d8'},
{'displayName': 'AKENNE', 'value': '8a8080824df45873014df45d012705ae', '$ref': 'http://localhost:8088/iiq/scim/v2/Accounts/8a8080824df45873014df45d012705ae'},
{'displayName': 'Adam.Kennedy', 'value': '8a8080824df45873014df45da06308b0', '$ref': 'http://localhost:8088/iiq/scim/v2/Accounts/8a8080824df45873014df45da06308b0'}
riskScore: 82
department: Accounting
region: GB
manager: {"displayName": "Douglas Flores", "value": "8a8080824df45873014df45bcfab008d", "$ref": "http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bcfab008d"}true

identityiq-get-policyviolations#


Fetch policy violation by id or all policy violations using IdentityIQ SCIM API's.

Base Command#

identityiq-get-policyviolations

Input#

Argument NameDescriptionRequired
idInternal id of the policy violation being requested.Optional

Context Output#

PathTypeDescription
IdentityIQ.PolicyViolation.policyNameStringName of the policy that was violated.
IdentityIQ.PolicyViolation.constraintNameStringName of the constraint being violated.
IdentityIQ.PolicyViolation.statusStringStatus of the violation (open/closed).
IdentityIQ.PolicyViolation.descriptionStringDescription of the policy/conflict.
IdentityIQ.PolicyViolation.identity.valueUnknownInternal id of the IdentityIQ identity in violation.
IdentityIQ.PolicyViolation.identity.displayNameStringDisplay name of the IdentityIQ identity in violation.
IdentityIQ.PolicyViolation.idStringInternal id of the task result.

Command Example#

!identityiq-get-policyviolations
!identityiq-get-policyviolations id=8a8080824df45873014df46036521328

Human Readable Output#

Results:#

PolicyViolation#

idpolicyNameconstraintNamestatusdescriptionidentityowner
8a8080824df45873014df46036521328SOD Policy Accounts Payable Access-Accounts Receivable AccessAccounts Payable Access - Accounts Receivable Access constraintOpendisplayName: Frank Rivera
value: 8a8080824df45873014df45bc8480065
$ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bc8480065
displayName: Richard Jackson
value: 8a8080824df45873014df45bbbb9002b
$ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bbbb9002b

identityiq-get-taskresults#


Fetch task result by id or all task results using IdentityIQ SCIM API's.

Base Command#

identityiq-get-taskresults

Input#

Argument NameDescriptionRequired
idInternal id of the task result being requested.Optional

Context Output#

PathTypeDescription
IdentityIQ.TaskResult.idStringInternal id of the task result.
IdentityIQ.TaskResult.progressStringString representation of the status of the task.
IdentityIQ.TaskResult.launchedDateDate representation of when the task was launched in IdentityIQ.
IdentityIQ.TaskResult.taskDefinitionStringName of the task template that this task result is an instantiation of.
IdentityIQ.TaskResult.hostStringHost name of the IdentityIQ application server that is executing this task.
IdentityIQ.TaskResult.typeStringType of the task being executed.
IdentityIQ.TaskResult.pendingSignoffsNumberNumber of signoffs on the task result that have not been done.
IdentityIQ.TaskResult.completionStatusStringStatus of task 'success', 'termianted', 'failure', etc.
IdentityIQ.TaskResult.launcherStringName of the IdentityIQ identity who launched the task.
IdentityIQ.TaskResult.nameStringUnique name of the task that was launched.
IdentityIQ.TaskResult.completedDateTimestamp of when the task was completed (if not currently executed).

Command Example#

!identityiq-get-taskresults
!identityiq-get-taskresults id=0a0000016b951ded816bb41351e901b3

Human Readable Output#

Results:#

TaskResult#

idnametypehostprogresscompletionStatuslaunchedtaskDefinitionpendingSignoffslaunchercompletedtaskSchedulepartitionedterminatedmessagesattributes
0a0000016b951ded816bb41351e901b3Joiner: DannyFieldsPSWorkflowSuccess2019-07-02T14:04:53.471-05:00Workflow Launcher0Scheduler2019-07-02T14:04:53.480-05:00falsefalse{'value': '
\n', 'key': 'workflowSummary'}

identityiq-get-accounts#


Fetch accounts by search/filter parameters (id, display_name, last_refresh, native_identity, last_target_agg, identity_name & application_name) using IdentityIQ SCIM API's.

Base Command#

identityiq-get-accounts

Input#

Argument NameDescriptionRequired
idInternal id of the account to be returned.Optional
display_namedisplayName of the account to be returned.Optional
last_refreshTimestamp of the last time the account(s) were refreshed from the target system.
[format : yyyy-MM-dd'T'HH:mm:ss or yyyy-MM-dd].
Optional
native_identityUnique identifier of the account on the target system.Optional
last_target_aggTimestamp of the last targeted aggregation of the account from the target system.
[format : yyyy-MM-dd'T'HH:mm:ss or yyyy-MM-dd].
Optional
identity_nameUnique name of the identity for which all accounts will be returned.Optional
application_nameUnique name of the application for which all accounts will be returned.Optional

Context Output#

PathTypeDescription
IdentityIQ.Account.idStringInternal id of the account.
IdentityIQ.Account.identity.valueStringInternal id of the identity that this account belongs to.
IdentityIQ.Account.identity.displayNameStringDisplay name of the identity that this account belongs to.
IdentityIQ.Account.hasEntitlementsBooleanTrue if the account has access entitlements assigned to it, else false.
IdentityIQ.Account.application.valueUnknownInternal id of the application that this account is on.
IdentityIQ.Account.application.displayNameStringDisplay name of the application that this account is on.
IdentityIQ.Account.nativeIdentityStringThe name of the account as it exists on the application.
IdentityIQ.Account.lastRefreshedDateTimestamp of when this account was last refreshed in IdentityIQ.

Command Example#

!identityiq-get-accounts
!identityiq-get-accounts id=8a8080824df45873014df45bb504000e
!identityiq-get-accounts last_refresh=2020-10-05T15:53:46
!identityiq-get-accounts native_identity=1b2c
!identityiq-get-accounts last_target_agg=2020-10-05T15:53:46
!identityiq-get-accounts identity_name=Amanda.Ross
!identityiq-get-accounts application_name=TRAKK
!identityiq-get-accounts identity_name=Amanda.Ross application_name=TRAKK

Human Readable Output#

Results:#

Account#

iddisplayNameidentityhasEntitlementsapplicationnativeIdentityactivelastRefreshmanuallyCorrelatedapplicationlocked
8a8080824df45873014df45bb504000e1bdisplayName: Jerry Bennett
userName: Jerry.Bennett
value: 8a8080824df45873014df45bb503000d
$ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bb503000d
falsedisplayName: Human Resources
value: 8a8080824df44d48014df4542d7402aa
$ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df4542d7402aa
1btrue2015-06-14T18:16:00.389-05:00falsedisplayName: Human Resources
value: 8a8080824df44d48014df4542d7402aa
$ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df4542d7402aa
false

identityiq-disable-account#


Disable account's active status by id using IdentityIQ SCIM API's.

Base Command#

identityiq-disable-account

Input#

Argument NameDescriptionRequired
idInternal id of the specific account to be disabled.Required

Context Output#

PathTypeDescription
IdentityIQ.AccountDisable.activeBooleanIndicates the status of account (should be false after request is successfully completed).

Command Example#

!identityiq-disable-account id=8a8080824df45873014df45c719f038c

Human Readable Output#

Results:#

Account#

iddisplayNameidentityhasEntitlementsapplicationnativeIdentityactivelastRefreshmanuallyCorrelatedapplicationlocked
8a8080824df45873014df45c719f038cJerry.BennettdisplayName: Jerry Bennett
userName: Jerry.Bennett
value: 8a8080824df45873014df45bb503000d
$ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bb503000d
truedisplayName: Active Directory
value: 8a8080824df44d48014df45440d502cf
$ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45440d502cf
CN=Jerry Bennett,OU=Brussels,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=comfalse2020-12-16T16:39:56.638-06:00falsedisplayName: Active Directory
value: 8a8080824df44d48014df45440d502cf
$ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45440d502cf
false

identityiq-enable-account#


Enable account's active status by id using IdentityIQ SCIM API's.

Base Command#

identityiq-enable-account

Input#

Argument NameDescriptionRequired
idInternal id of the specific account to be enabled.Required

Context Output#

PathTypeDescription
IdentityIQ.AccountDisable.activeBooleanIndicates the status of account (should be true after request is successfully completed).

Command Example#

!identityiq-enable-account id=8a8080824df45873014df45c719f038c

Human Readable Output#

Results:#

Account#

iddisplayNameidentityhasEntitlementsapplicationnativeIdentityactivelastRefreshmanuallyCorrelatedapplicationlocked
8a8080824df45873014df45c719f038cJerry.BennettdisplayName: Jerry Bennett
userName: Jerry.Bennett
value: 8a8080824df45873014df45bb503000d
$ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df45873014df45bb503000d
truedisplayName: Active Directory
value: 8a8080824df44d48014df45440d502cf
$ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45440d502cf
CN=Jerry Bennett,OU=Brussels,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=comtrue2020-12-16T16:39:56.638-06:00falsedisplayName: Active Directory
value: 8a8080824df44d48014df45440d502cf
$ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45440d502cf
false

identityiq-delete-account#


Delete account by id using IdentityIQ SCIM API's.

Base Command#

identityiq-delete-account

Input#

Argument NameDescriptionRequired
idInternal id of the specific account to be deleted.Required

Context Output#

There is no context output for this command.

Command Example#

!identityiq-delete-account id=8a8080824df45873014df45bb335000c

Human Readable Output#

Account deleted successfully!

identitytiq-get-launched-workflows#


Fetch launched workflow by id or all launched workflows using IdentityIQ SCIM API's.

Base Command#

identitytiq-get-launched-workflows

Input#

Argument NameDescriptionRequired
idInternal id of the specific launched workflow being requested.Optional

Context Output#

PathTypeDescription
IdentityIQ.Workflow.workflowNameStringName of the workflow that was launched.
IdentityIQ.Workflow.identityRequestIdStringUnique id of the identity request that launched this workflow (if exists).
IdentityIQ.Workflow.workflowCaseIdStringInternal id of the workflowcase for this workflow.
IdentityIQ.Workflow.launchedDateTimestamp of when this workflow was launched.
IdentityIQ.Workflow.targetClassStringType of object targeted by the workflow, usually identity.
IdentityIQ.Workflow.targetNameStringUnique name of the object (username in the case of identity).
IdentityIQ.Workflow.typeStringThe type of workflow.
IdentityIQ.Workflow.idStringInternal id of the workflow.
IdentityIQ.Workflow.completionStatusStringStatus of workflow โ€“ 'success', 'failure', 'pending' etc.
IdentityIQ.Workflow.launcherStringName of the identity that launched the workflow.
IdentityIQ.Workflow.terminatedBooleanIndicates whether this workflow was terminated due to error or intentionally stopped.
IdentityIQ.Workflow.nameStringName of the workflow that was launched.
IdentityIQ.Workflow.attributesUnknownArray of key/value pairs that are the inputs and their values to the workflow.
IdentityIQ.Workflow.outputUnknownArray of key/type/value objects that list the output of the workflow.

Command Example#

!identitytiq-get-launched-workflows
!identitytiq-get-launched-workflows id=0a0000016b951ded816bb41348e20197

Human Readable Output#

Results:#

Workflow#

idnameworkflowNameidentityRequestIdworkflowCaseIdlaunchedtargetClasstargetNametypecompletionStatuslauncherterminatedattributespartitionedcompletedpendingSignoffstaskDefinitionlaunchedWorkflow
0a0000016b951ded816bb41348e20197Joiner: Nick2019-07-02T14:04:51.148-05:00WorkflowSuccessSchedulerfalse{'value': '
\n', 'key': 'workflowSummary'}
false2019-07-02T14:04:51.169-05:000Workflow Launcheroutput: {'type': 'application/xml', 'value': '
\n', 'key': 'workflowSummary'}
input: {}
workflowSummary:


workflowName: Joiner: Nick

identityiq-get-roles#


Fetch role by id or all roles using IdentityIQ SCIM API's.

Base Command#

identityiq-get-roles

Input#

Argument NameDescriptionRequired
idInternal id of the specific role being requested.Optional

Context Output#

PathTypeDescription
IdentityIQ.Role.nameStringUnique name of the role object in IdentityIQ.
IdentityIQ.Role.owner.valueStringInternal id of the role owner identity.
IdentityIQ.Role.owner.displayNameStringDisplayname of the owner of the role.
IdentityIQ.Role.activeBooleanIndicates whether the role is active in IdentityIQ.
IdentityIQ.Role.displayableNameStringDisplay name of the role in IdentityIQ.
IdentityIQ.Role.permitsUnknownArray of roles that this role permits in IdentityIQ.
IdentityIQ.Role.type.nameStringTemplate role on which this role is based.
IdentityIQ.Role.type.autoAssignmentBooleanIndicates whether this type of role can be auto-assigned to identities.
IdentityIQ.Role.type.displayNameStringDisplay name of the template role on which this role was based.
IdentityIQ.Role.type.manualAssignmentStringIndicates whether this role type can be manually assigned.
IdentityIQ.Role.descriptions.valueStringDescription of the role shown in the UI.

Command Example#

!identityiq-get-roles
!identityiq-get-roles id=8a8080824df45873014df45f8b6810e9

Human Readable Output#

Results:#

Role#

idnameowneractivedisplayableNamepermitstypedescriptionsrequirements
8a8080824df45873014df45f8b6810e9All UsersdisplayName: The Administrator
value: 8a8080824df44d48014df44def7100dd
$ref: http://localhost:8088/iiq/scim/v2/Users/8a8080824df44d48014df44def7100dd
trueAll Usersiiq: false
requirements: true
permits: true
displayName: Business
manualAssignment: true
name: business
autoAssignment: true
assignmentSelector: true
{'locale': 'en_US', 'value': 'Role that grants access all users should have'}{'displayName': 'User Basic', 'value': '8a8080824df45873014df45f8b1810e6', '$ref': 'http://localhost:8088/iiq/scim/v2/Roles/8a8080824df45873014df45f8b1810e6'}

identityiq-get-entitlements#


Fetch entitlement by id or all entitlements using IdentityIQ SCIM API's.

Base Command#

identityiq-get-entitlements

Input#

Argument NameDescriptionRequired
idInternal id of the specific entitlement being requested.Optional

Context Output#

PathTypeDescription
IdentityIQ.Entitlement.application.valueStringInternal id of the application that this entitlement resides on.
IdentityIQ.Entitlement.application.displayNameStringDisplay name of the application that this entitlement resides on.
IdentityIQ.Entitlement.attributeStringString representing the attribute on the application that this entitlement represents.
IdentityIQ.Entitlement.typeStringString representing the type of attribute on the application that this entitlement represents.
IdentityIQ.Entitlement.descriptionsUnknownArray of description objects that contain a locale, and a value.
IdentityIQ.Entitlement.idStringInternal id of the entitlement object in IdentityIQ.
IdentityIQ.Entitlement.requestableBooleanBoolean indicates whether this entitlement is directly requestable in the IdentityIQ UI.
IdentityIQ.Entitlement.owner.valueStringInternal id of the owner of the entitlement in IdentityIQ.
IdentityIQ.Entitlement.owner.displayNameStringDisplay name of the owner of the entitlement in IdentityIQ.
IdentityIQ.Entitlement.aggregatedStringIndicates whether this entitlement was aggregated from the source system or not.
IdentityIQ.Entitlement.createdDateTimestamp indicates when the entitlement was created in IdentityIQ.

Command Example#

!identityiq-get-entitlements
!identityiq-get-entitlements id=8a8080824df45873014df45d9f9008a8

Human Readable Output#

Results:#

Entitlement#

iddisplayableNametypeattributevalueownerapplicationdescriptionsrequestableaggregatedcreated
8a8080824df45873014df45d9f9008a8inputEntitlementcapabilityinputdisplayName: TRAKK
value: 8a8080824df44d48014df45444c002da
$ref: http://localhost:8088/iiq/scim/v2/Applications/8a8080824df44d48014df45444c002da
truefalse

identityiq-get-alerts#


Fetch alert by id or all alerts using IdentityIQ SCIM API's.

Base Command#

identityiq-get-alerts

Input#

Argument NameDescriptionRequired
idInternal id of the specific alert being requested.Optional

Context Output#

PathTypeDescription
IdentityIQ.Alert.idStringInternal id of the Alert in IdentityIQ.
IdentityIQ.Alert.lastProcessedDateTimestamp of when this alert was processed by IdentityIQ for match.
IdentityIQ.Alert.displayNameStringDisplay name of the alert in IdentityIQ.
IdentityIQ.Alert.meta.createdDateTimestamp of when this alert was created in IdentityIQ
IdentityIQ.Alert.nameStringName of the alert in IdentityIQ
IdentityIQ.Alert.attributesUnknownArray of attributes associated with this alert.
IdentityIQ.Alert.actionsUnknownArray of actions taken on this alert after processing.
IdentityIQ.Alert.applicationStringList of applications that are related to this alert.

Command Example#

!identityiq-get-alerts
!identityiq-get-alerts id=0a000001764519c981766dbd2bd518ad

Human Readable Output#

Results:#

Alert#

idnamedisplayNametypetargetIdtargetDisplayNametargetTypealertInputactionsapplicationattributeslastProcessed
0a000001764519c981766dbd2bd518ad0000000015Test AlertPAN XSOARinput:
processorTaskInput:
aggregationTaskInput:
2020-12-16T16:48:02.773-06:00

identityiq-create-alert#


Create an alert using IdentityIQ SCIM API's.

Base Command#

identityiq-create-alert

Input#

Argument NameDescriptionRequired
display_nameDisplay name of the alert.Required
attributesList of JSON objects with the following structure.
{
'key': '',
'value': '',
'type': ''
}.
Optional

Context Output#

PathTypeDescription
IdentityIQ.Alert.idStringInternal id of the Alert in IdentityIQ.
IdentityIQ.Alert.lastProcessedDateTimestamp of when this alert was processed by IdentityIQ for match.
IdentityIQ.Alert.displayNameStringDisplay name of the alert in IdentityIQ.
IdentityIQ.Alert.meta.createdDateTimestamp of when this alert.
IdentityIQ.Alert.nameStringUnique name of the alert in IdentityIQ.
IdentityIQ.Alert.attributesUnknownArray of attributes associated with this alert.
IdentityIQ.Alert.actionsUnknownArray of actions taken on this alert after processing.
IdentityIQ.Alert.applicationStringList of applications that are related to this alert.

Command Example#

!identityiq-create-alert display_name=Testing-Via-XSOAR

Human Readable Output#

Results:#

Alert#

idnamedisplayNametypetargetIdtargetDisplayNametargetTypealertInputactionsapplicationattributeslastProcessed
0a000001764519c981767209e7491c040000000016XSOAR-AlertPAN XSOARinput:
processorTaskInput:
aggregationTaskInput:
2020-12-17T12:50:20.369-06:00