SailPoint is a global leader in the field of Identity Security and Identity and Access Management (IAM). The company provides a comprehensive platform that helps organizations manage and govern the digital identities of all users—both human and non-human—and their access to critical enterprise applications and data.
Their solutions, notably the Identity Security Cloud, leverage AI and machine learning to automate access control, ensure regulatory compliance, and mitigate security risks associated with excessive or unauthorized access privileges. Essentially, SailPoint empowers complex organizations to secure their dynamic identity landscape effectively and efficiently.
Within SailPoint we need to define which internal SailPoint field (e.g., account.name, entitlement.value, request.status) maps to which CEF key (e.g., suser, duser, or a cs1 value together with its cs1Label). The format templates below show how this is done for two event types.
Example mappings:
Ransomware
CEF:0|SailPoint|SecurityIQ|1.0|%Rule|Name%|%Rule|Description%|8|fileName=%File Server|Object Name%; filePath=%File Server|Path%; cs1=%File Server|Action Type%; cs1Label=FileAction; dvc=%File Server|Server Name%; suser=%File Server|User Name%; src=%File Server|IP Address%
Account lock
CEF:0|SailPoint|SecurityIQ|1.0|%Rule|Name%|%Rule|Description%|8|cs1=%Active Directory|Extra Details%; cs1Label=Reason; cs2=%Active Directory|Action Type%; cs2Label=ActionType; suser=%Active Directory|User Name%; dvc=%Active Directory|Object DN%; src=%Active Directory|Caller IP%
SailPoint Admon User
CEF (Common Event Format) messages sent from SailPoint to a SIEM such as ArcSight arriving with incorrect or incomplete field mapping is a recurring problem.
The primary reason is that SailPoint leaves the construction of the outgoing CEF message largely to the administrator: the format template decides which source field lands under which CEF key. The default or current template does not necessarily place each value where ArcSight's CEF parser expects it, so values arrive empty, under the wrong key, or merged into a neighbouring value. Two details of the CEF specification matter here: the seven header fields are delimited by "|", so a "|" inside a value (for example in a rule description) must be escaped as "\|", and extension key=value pairs are separated by single spaces, with "=" inside a value escaped as "\=". Semicolons are not a CEF separator; if the "; " written between the pairs in the templates above is emitted literally, a parser that follows the specification treats the semicolon as the last character of the preceding value. Verify what actually arrives at the connector, not only what the template looks like.
What is Missing? A definition, within SailPoint, of which internal SailPoint field (e.g., account.name, entitlement.value, request.status) maps to which CEF key (e.g., suser, duser, or cs1 together with its cs1Label).
The Requirement: Open the sending (SIEM forwarding) configuration within SailPoint and either build or modify the Format Template so that every required value is included and placed under the specific CEF key that ArcSight's parser is designed to read, with the custom-string labels (cs1Label, cs2Label, and so on) set so that ArcSight can name the custom columns.
In summary: The format is "incorrect" because the sending format template must be customised within SailPoint itself so that every piece of information (the username, the type of operation, the status) lands in the ArcSight field designated to receive it: suser and duser for the source and target user names, act for Device Action, and csN/csNLabel pairs for anything without a standard key.
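The following is an added example, not SailPoint or ArcSight code. It renders the page's account-lock format template for a constructed event, parses the result the way a CEF parser following the ArcSight specification does, and reports mapping gaps (unresolved placeholders, missing required keys, a csN without its csNLabel, and values that still carry a trailing semicolon). The event values, the required-key list and all function names are assumptions for illustration. The space-separated template follows the CEF spec; the page-style template keeps the "; " separators exactly as written above, to show what a spec-conformant parser would make of them if they were emitted literally.

```python
import re

# Added example, not SailPoint or ArcSight code: render a SecurityIQ-style
# format template for a constructed event, parse the result the way a
# spec-conformant CEF consumer does, and report mapping gaps before the
# message reaches the SIEM.

# Template taken from the page's "account lock" mapping, with extension pairs
# separated by single spaces as the ArcSight CEF specification requires.
ACCOUNT_LOCK_TEMPLATE = (
    "CEF:0|SailPoint|SecurityIQ|1.0|%Rule|Name%|%Rule|Description%|8|"
    "cs1=%Active Directory|Extra Details% cs1Label=Reason "
    "cs2=%Active Directory|Action Type% cs2Label=ActionType "
    "suser=%Active Directory|User Name% dvc=%Active Directory|Object DN% "
    "src=%Active Directory|Caller IP%"
)

# The same template exactly as written on the page, with "; " between pairs.
PAGE_STYLE_TEMPLATE = (
    "CEF:0|SailPoint|SecurityIQ|1.0|%Rule|Name%|%Rule|Description%|8|"
    "cs1=%Active Directory|Extra Details%; cs1Label=Reason; "
    "cs2=%Active Directory|Action Type%; cs2Label=ActionType; "
    "suser=%Active Directory|User Name%; dvc=%Active Directory|Object DN%; "
    "src=%Active Directory|Caller IP%"
)

# Constructed sample event (assumed values); keys mirror the placeholders.
SAMPLE_EVENT = {
    "Rule|Name": "AD Account Lockout",
    "Rule|Description": "Account locked | too many bad passwords",
    "Active Directory|Extra Details": "badPwdCount=5",
    "Active Directory|Action Type": "Lock",
    "Active Directory|User Name": "jdoe",
    "Active Directory|Object DN": "CN=jdoe,OU=Users,DC=example,DC=com",
    "Active Directory|Caller IP": "10.1.2.3",
}

PLACEHOLDER = re.compile(r"%([^%|]+)\|([^%]+)%")
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")
# Keys the ArcSight side needs (assumed list); every csN also needs csNLabel.
REQUIRED_EXTENSIONS = ("suser", "src", "dvc", "cs1", "cs2")


def escape_header(value):
    """Header fields are delimited by '|', so '|' and '\\' must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Extension values must escape '=' and '\\'; newlines become \\n."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def render(template, event):
    """Substitute %Source|Field% placeholders from `event`, escaping for the
    header or the extension depending on position. Unknown placeholders are
    left intact so check_mapping() can report them."""
    out, pos, pipes = [], 0, 0  # the 7th literal '|' ends the header
    for m in PLACEHOLDER.finditer(template):
        literal = template[pos:m.start()]
        pipes += literal.count("|")
        out.append(literal)
        key = f"{m.group(1)}|{m.group(2)}"
        if key in event:
            esc = escape_extension if pipes >= 7 else escape_header
            out.append(esc(str(event[key])))
        else:
            out.append(m.group(0))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


def parse_cef(message):
    """Split a CEF line into (header dict, extension dict) per the spec."""
    parts = UNESCAPED_PIPE.split(message, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts[0] = parts[0][len("CEF:"):]
    header = {name: p.replace("\\|", "|").replace("\\\\", "\\")
              for name, p in zip(HEADER_FIELDS, parts)}
    ext = {}
    keys = list(EXT_KEY.finditer(parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        raw = parts[7][m.end():end]
        ext[m.group(1)] = (raw.replace("\\=", "=").replace("\\r", "\r")
                           .replace("\\n", "\n").replace("\\\\", "\\"))
    return header, ext


def check_mapping(message, required=REQUIRED_EXTENSIONS):
    """Return a list of mapping problems; an empty list means complete."""
    problems = [f"unresolved placeholder %{s}|{f}%"
                for s, f in PLACEHOLDER.findall(message)]
    _, ext = parse_cef(message)
    problems += [f"missing extension field {k}"
                 for k in required if not ext.get(k)]
    problems += [f"{k} has no {k}Label" for k in ext
                 if re.fullmatch(r"cs\d", k) and f"{k}Label" not in ext]
    problems += [f"{k} ends with ';' (semicolon is not a CEF separator)"
                 for k, v in ext.items() if v.endswith(";")]
    return problems


if __name__ == "__main__":
    for name, tpl in (("space-separated", ACCOUNT_LOCK_TEMPLATE),
                      ("page-style ;", PAGE_STYLE_TEMPLATE)):
        print(name, "->", check_mapping(render(tpl, SAMPLE_EVENT)) or "OK")
    partial = {k: v for k, v in SAMPLE_EVENT.items() if "Caller IP" not in k}
    print("missing source ->",
          check_mapping(render(ACCOUNT_LOCK_TEMPLATE, partial)))
```

Parsing the rendered message also makes visible where the page's template puts each value: %Rule|Name% lands in the header's Signature ID slot and %Rule|Description% in the Name slot, which is what ArcSight will display as the event name. Running check_mapping over a sample of the messages as they actually arrive at the ArcSight connector, rather than over the template, is the quickest way to see whether the semicolons, an unresolved placeholder, or a missing key is the cause of an incomplete mapping.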