IDM SIEM CEF Event Feed

Identity Manager & SIEM Integration Solution Accelerator

Overview

This solution accelerator allows One Identity Manager events to be fed to the majority of SIEM systems (such as Splunk, QRadar, ArcSight) using the CEF format without any modifications or customizations performed on the SIEM system.

Customer Value

The ability to feed IGA event information to a SIEM solution is very useful. First of all, most SOCs (Security Operations Centers) are SIEM-centric, and typically involve a SOAR and UEBA system as well. The goal of the SOC is to keep real-time tabs on risks and threats in the environment and to determine next steps for mitigation, if needed.

Having IGA event information gives another layer of visibility into the background of many situations. The SOC analyst will not only be able to see who accessed a database (for example) at a specific time, but also whether that person was recently given access to the database and who gave it to them. This level of information is key to investigating attacks or threats.

Another use case is for auditors to have insights into the IGA events from a SOC or SIEM interface.

Being able to create reports which focus exclusively on one area (such as IGA) is critical. But even more critical and powerful is to have all data for a specific object (user, system, application) together in one place.
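As an added example that is not part of this repository, the following Python shows what the CEF feed described in the Overview looks like for the "who gave access to whom" event from the scenario above: it encodes an entitlement assignment as a CEF:0 line with the escaping the format requires and parses it back. The vendor/product/version strings, the event class ID and the extension keys are assumptions for illustration, not the accelerator's actual field mapping.

```python
import re

# Added example (not the accelerator's code); vendor/product/version, event
# class IDs and extension keys below are illustrative assumptions.
def _esc_header(v: str) -> str:          # header fields: escape '\' then '|'
    return v.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(v: str) -> str:             # extension values: '\', '=' and newlines
    return (v.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(event_id: str, name: str, severity: int, ext: dict,
           vendor="One Identity", product="Identity Manager", version="x.y") -> str:
    """Build one CEF:0 line; CEF severity is an integer 0..10."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(_esc_header(f) for f in
                      (vendor, product, version, event_id, name, str(severity)))
    return f"CEF:0|{header}|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())

_KEY = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")   # an unescaped '=' ends a key
_UNESC = {"n": "\n", "r": "\r"}

def parse_cef(line: str) -> tuple:
    """Return (header fields, extension dict), undoing the escaping above."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:     # 'CEF:0' + six header fields
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # escaped char: keep literally
            cur.append(line[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    rest, ext, keys = line[i:], {}, list(_KEY.finditer(line[i:]))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = rest[m.end():nxt.start() if nxt else len(rest)]
        ext[m.group(1)] = re.sub(r"\\(.)", lambda s: _UNESC.get(s[1], s[1]), raw)
    return fields, ext

# Constructed sample: an entitlement assignment, i.e. the "who gave access to
# whom" event a SOC analyst wants next to the database access itself.
SAMPLE = {"act": "AssignEntitlement", "suser": "approver.jane", "duser": "analyst.bob",
          "cs1Label": "Entitlement", "cs1": "DB=FinanceProd|ReadWrite",
          "msg": "Ticket #123\nauto-approved"}

def round_trip(ext: dict = SAMPLE) -> bool:
    """True when encode-then-parse yields the original extension fields."""
    return parse_cef(to_cef("IDM-ENT-ASSIGN", "Entitlement assigned", 5, ext))[1] == ext
```

The pipe in `cs1` and the newline in `msg` are the cases that break naive string concatenation into a SIEM feed; `round_trip()` returns `True` only because both are escaped and unescaped consistently.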

Supportability

This Solution Accelerator is delivered "as is". Any issues encountered can be reported on GitHub, and contributors will make a best effort to resolve them.

Documentation

Solution Accelerator Files