The Splunk Add-on for IdentityNow authenticates to the IDN tenant twice: once to be issued a JSON Web Token (JWT) by the API gateway, and again using this JWT when retrieving the actual AuditEvent records from IDN.

The initial request requires that the add-on be configured with a Client ID and Client Secret issued by the IDN tenant, which are obtained by creating a Personal Access Token in IdentityNow (Best Practices - IdentityNow REST API Authentication). When using the 'client_credentials' mechanism with a Personal Access Token, it is recommended that a service account be created in IdentityNow for this process. These credentials are saved on the 'Data Input' in Splunk, which allows a single installation of the add-on to be used across all tenants owned by an organization. The credentials are then used to retrieve a JWT from the IdentityNow tenant. If the JWT is not issued due to an error, the script will exit. Once a valid JWT is issued by IdentityNow, the add-on script makes a POST request to /v3/search/events, using 'Bearer' authentication with this JWT.

AuditEvents in IdentityNow represent "things of interest" that occur during the normal day-to-day operations of IdentityNow. These include events such as an admin creating/deleting applications, successful authentications, provisioning failures, etc. IdentityNow has built-in reporting capabilities to review these events, but the /search API can be used to extract these events for further examination externally. Currently, each event extracted via the API has the following JSON format:

"technicalName": "AUTHENTICATION_REQUEST_PASSED",

An event is a single piece of data in Splunk software, similar to a record in a log file or other data input. When data is indexed, it is divided into individual events. Each event is given a timestamp, host, source, and source type.
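The two-step authentication described above, sketched as an added example (this is not the add-on's own code). The token path `/oauth/token` and the `access_token` response field are assumptions taken from the standard OAuth 2.0 client-credentials grant; the function names and the injectable `send` transport are hypothetical.

```python
import json
import sys
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth/token"        # assumption: standard OAuth 2.0 token path
SEARCH_PATH = "/v3/search/events"  # endpoint named on the page


def token_request(base_url, client_id, client_secret):
    """Step 1: client_credentials grant. Secrets go in the POST body, never the URL."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(base_url + TOKEN_PATH, data=form, method="POST")


def extract_jwt(body):
    """Return the JWT, or exit (as the add-on script does) when none was issued."""
    try:
        token = json.loads(body)["access_token"]
    except (ValueError, KeyError, TypeError):
        sys.exit("no JWT issued; aborting before any search request")
    # A JWT has three dot-separated segments; reject anything else.
    if not isinstance(token, str) or token.count(".") != 2:
        sys.exit("token response did not contain a JWT")
    return token


def search_request(base_url, jwt, query):
    """Step 2: POST the search body with the JWT as a Bearer token."""
    return urllib.request.Request(
        base_url + SEARCH_PATH,
        data=json.dumps(query).encode(),
        headers={"Authorization": "Bearer " + jwt,
                 "Content-Type": "application/json"},
        method="POST",
    )


def fetch_events(base_url, client_id, client_secret, query, send):
    """Run both steps; send(Request) -> bytes is the HTTP transport."""
    jwt = extract_jwt(send(token_request(base_url, client_id, client_secret)))
    return json.loads(send(search_request(base_url, jwt, query)))
```

In production, `send` would wrap `urllib.request.urlopen` with a timeout and certificate verification left on, and neither the Client Secret nor the JWT should be written to the add-on's logs.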