SailPoint Identity Security Cloud

SailPoint Identity Security Cloud (ISC) is a SaaS platform that enables organizations to manage and secure access to critical data and applications for every enterprise identity with an intelligent and unified solution.

Configuring a webhook integration with SailPoint ISC allows Identity Security Insights to automatically start an example workflow in SailPoint ISC that:

• Disables the suspicious account.
• Identifies the owner of the suspicious account and their manager.
• Creates a certification task assigned to the manager to decide whether to maintain or revoke all entitlements for the owner of the suspicious account.

This integration example demonstrates how an organization can quickly respond to a security incident involving a suspicious account, to mitigate risk for the organization.

⚠️

Important

Third-party documentation is subject to change. Updates might not be reflected in BeyondTrust documentation. For the most up-to-date information, visit SailPoint's Identity Library.

Requirements

• Administrator (ORG_ADMIN) Entitlement in SailPoint ISC
• An Identity Security Insights account with administrator privileges.
• An account that has access to the applicable tenant in Identity Security Insights.

Configure workflow in SailPoint ISC

To configure a new workflow in SailPoint ISC, you must create the workflow JSON file, upload it to SailPoint, and trigger the workflow to generate a new access token.

Create the workflow JSON file

Below is the workflow script that can be saved into a file with the JSON extension and imported into SailPoint ISC as a new workflow.

{        
         "name": "API - Certification for Account Owner",
         "description": "API - Certification for Account Owner",
      "modified": "2024-04-24T15:13:47.14531083Z",
         "modifiedBy":{
       "type": "IDENTITY",
       "id": "0d6b37a5514547f184447e9bb8402259",
       "name": "mbluteau.mbluteau"
         },
         "definition": {
       "start": "Get Accounts",
       "steps": {
                 "Create Certification Campaign": {
            "actionId": "sp:create-campaign",
            "attributes": {
                    "activateUponCreation": true,
                    "description": "This action creates a certification campaign
assigned to the outlier identity's manager to verify all of the identity's access. The name 
of the campaign will be the display name of the outlier identity.",
                    "duration": "1d",
                    "emailNotificationEnabled": false,
                    "name.$": "$.getIdentity.attributes.displayName",
                    "recommendationsEnabled": false,en
                    "reviewerCertificationType": "IDENTITY",
                    "reviewerId.$": "$.getIdentity.managerRef.id",
                    "reviewerIdentitiesToCertify.$": 
"$.getAccounts.accounts[0].identity.id",
                    "type": "REVIEWER_IDENTITY",
                    "undecidedAccess": false
            },
            "description": "Suspicious Activity detected by User",
            "displayName": "",
            "nextStep": "End Step - Success",
            "type": "action",
            "versionNumber": 2
            },
            "End Step - Success": {
            "displayName": "",
            "type": "success"
            },
            "Get Accounts": {
            "actionId": "sp:get-accounts",
            "attributes": {
                    "filterCriteria": "nativeIdentity",
                    "getAccountsBy": "filters",
                    "operator": "eq",
                    "value.$": "$.trigger.account.id"
            },
            "description": "Get Account by ID (DN)",
            "displayName": "",
            "nextStep": "Manage Accounts",
            "type": "action",
            "versionNumber": 1
            },
            "Get Identity": {
            "actionId": "sp:get-identity",
            "attributes": {
            "id.$": "$.getAccounts.accounts[0].identity.id"
            },
            "description": "Get Identity that owns the Suspicious Account",
            "displayName": "",
            "nextStep": "Create Certification Campaign",
            "type": "action",
            "versionNumber": 2
            },
            "Manage Accounts": {
            "actionId": "sp:manage-account",
            "attributes": {
                    "accountIds.$": "$.getAccounts.accounts[*].id",
                    "operation": "disable"
                },
            "description": "Disable Account",
            "displayName": "",
            "nextStep": "Get Identity",
            "type": "action",
            "versionNumber": 1
            }
         }
     },
     "creator": {
     "type": "IDENTITY",
     "id": "0d6b37a5514547f184447e9bb8402259",
     "name": "mbluteau.mbluteau"
     },
     "trigger": {
      "type": "EXTERNAL",
      "attributes": {
              "clientId": "b8f469e2-7452-4228-b898-9b6d7b14eeed",
          "description": "use JSON with account.id to trigger Disable Account and 
Certification",
          "url": "/beta/workflows/execute/external/96c72e79-b032-429c-b1b2-931177b32976"
     }
    }
}

Upload the workflow JSON file to SailPoint ISC

1. In SailPoint ISC, navigate to Workflows > Create a New Workflow.
2. Click Upload File in the Start with a JSON File tile.

Workflow configuration in SailPoint

Once imported, you can edit the workflow to make modifications. The workflow script you created and imported above generates the following workflow in SailPoint:

• Action node: Get Accounts to retrieve the Account Details for the suspicious account, using the Account ID submitted from the JSON template.
• Action node: Manage Accounts to disable the suspicious using the Account Action of Disable Accounts.
• Action node: Get Identity to obtain the details for the Identity that is the owner of the suspicious account.
• Action node: Create Certification Campaign to create a campaign for the manager's review, configured as follows:
  • Uses the displayName attribute for the Campaign Name. This is the Identity of the owner of the suspicious account.
  • Provides a Campaign Description.
  • Sets the Reviewer Type as Individual.
  • Assigns the Reviewer Identity to the Identity’s manager.
  • Sets the Identities to Certify to the owner of the suspicious account.

Next, you must generate a new access token from the Trigger node at the top of the workflow to obtain the Client URL for the workflow, the Client ID and Secrets, and instructions for how to generate the long-lived bearer token.

Once you trigger the execution of the workflow by clicking the Test workflow button in SailPoint ISC, or from the webhook configuration in Identity Security Insights, check SailPoint to verify the following:

• The account for the Identity that owns the suspicious account is disabled.
• A Certification Campaign is assigned to the user’s manager.
• The Reviewer is asked to decide for each entitlement across all the systems and applications that the owner of the suspicious accounts has been previously granted.

Create a webhook for SailPoint ISC

1. In Identity Security Insights, select your tenant.
2. In the upper left menu, click Insights > Integrations.
   The Integrations page displays the available integrations.
3. Click Webhooks or your product.
   The Summary page displays.
4. Click Create Integration.
   The Configure Integration page displays.
5. Enter the following information:
   • Name: A name for the new webhook.
   • Webhook URL: The URL generated in SailPoint ISC
   • Authorization Type: Bearer
   • Token: Bearer token
   • Webhook Template: Use the below test webhook JSON template to test the connection and send a webhook to SailPoint ISC. After a successful test with the static test data, the template can be configured. Create or change the fields and add variables as per your requirements.

{
  "triggeringAccess": "Workflow", 
 "account": {
  "id": "CN=Brenda.April,OU=Users,OU=Accounts,DC=btintegrations,DC=cloud",
  "name": "brenda.april",
  "type": "ACCOUNT"
  }
}