Configuration to Export SailPoint Data to ArcSight

The Identity, Account, and Audit information from SailPoint can be exported to ArcSight using tables or a CEF flat file.

Export Data from SailPoint to ArcSight Tables

The ArcSight Data Export task enables you to export Identity and Audit data to external tables. You can select to export Identity information and Audit events from the SailPoint database.

Create the export databases on your destination data source before using the ArcSight Data Export task.

  1. Go to Monitor > Tasks.

  2. Create a new ArcSight Data Export task.

  3. Provide the Data Source Parameters.

    ArcSight Data Export options are:

    Datasource Parameters

    Database – Select a database type from the drop-down list.

    User Name – Enter the user name parameter of the database.

    Password – Enter the password of the database.

    Driver Class – Enter the driver class used for the database.

    URL – Enter the URL of the database.

  4. Select Generate table Creation SQL to generate the tables' schema and create a database that includes the export tables, which you can hand off to a database administrator for execution.

    The task adds the following tables in the database:

    sptr_arcsight_export – Table to maintain the task execution history.

    sptr_arcsight_identity – Table contains exported data of Identity.

    sptr_arcsight_audit_event – Table contains Audit Events information.

  5. Select Object Export options.

    The Object Export options are as follows:

    Export Identities – Select how to export the Identity data in ArcSight tables. It provides the following options:

    • Full – Exports all the records regardless of whether they were exported earlier.

    • Incremental – Exports only records that have been updated since the task was last run.

      Note
      This option can be selected when running the task for the first time. When the task runs for the first time, this option exports all records, as the Full option does.

    Export Audits – Select how to export the Audit events in the ArcSight table. It provides the following options:

    • Full – Exports all the records regardless of whether they were exported earlier.

    • Incremental – Exports only records that have been updated since the task was last run.

      Note
      This option can be selected when running the task for the first time. When the task runs for the first time, this option exports all records, as the Full option does.

  6. After customizing the report options, select Save for later use or Save and Execute to save the report and run it immediately.

Export Data from SailPoint to a Flat File

  1. Go to Analyze > Advanced Analytics.

  2. Go to the Identity Search, Audit Search, or Account Search tab.

  3. Select the Search Criteria and Fields to display.

  4. Select Run Search.

  5. Select CEF Flat file to export the search results to a file in CEF.

    The Search Results page has the following options to save:

    • Save Search: Used to save the search criteria and fields to display.

    • Save Search as Report: Used to save the search as a report. This type of report can be accessed as a report, scheduled, or executed by performing the following procedure:

      1. Go to Analyze > Reports.

      2. Right-click on the report and schedule or execute the report.

      3. Go to the Report Results tab to see the report result.

      4. Select the Report.

      5. Select the CEF Flat file export button to export the report to a file in CEF.

        This generates a file with data in CEF, which ArcSight can use to import events into ArcSight ESM.

Note
For more information on Advanced Analytics, see the SailPoint IdentityIQ User Guide.
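
A check that can be run on the exported CEF flat file before it is handed to ArcSight, added here as an example and not part of the SailPoint documentation: it parses each record against the general CEF layout (seven pipe-delimited header fields followed by key=value extensions) and reports the lines that would not import cleanly. The function names and the sample records are constructed for illustration and do not reflect IdentityIQ's actual field mapping.

```python
import re

HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
SEVERITY_WORDS = {"unknown", "low", "medium", "high", "very-high"}
# "CEF:" then seven fields, each closed by an unescaped pipe; a backslash escapes the next character.
_HEADER_RE = re.compile(r"CEF:" + r"((?:\\.|[^|\\])*)\|" * 7)
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

def _unescape(value):
    # Undo CEF backslash escapes; \n and \r become real line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one CEF record into (header dict, extension dict); raise ValueError if malformed."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not a CEF record with 7 pipe-delimited header fields")
    header = dict(zip(HEADER, map(_unescape, m.groups())))
    if not header["version"].isdigit():
        raise ValueError("non-numeric CEF version: %r" % header["version"])
    sev = header["severity"]
    if not (sev.isdigit() and int(sev) <= 10) and sev.lower() not in SEVERITY_WORDS:
        raise ValueError("severity out of range: %r" % sev)
    ext = line[m.end():].rstrip("\r\n")
    keys = list(_KEY_RE.finditer(ext))
    fields = {}
    for n, key in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[key.group(1)] = _unescape(ext[key.end():end])  # value runs to the next key=
    return header, fields

def check_export(lines):
    """Return [(line_number, error)] for every non-blank record that fails to parse."""
    problems = []
    for number, line in enumerate(lines, 1):
        try:
            if line.strip():
                parse_cef(line)
        except ValueError as exc:
            problems.append((number, str(exc)))
    return problems

SAMPLE = [  # constructed records, not taken from a real export
    r"CEF:0|ExampleVendor|ExampleProduct|1.0|login|User login|3|suser=jdoe msg=Login from console outcome=success",
    r"CEF:0|ExampleVendor|Example\|Product|1.0|update|Attribute changed|5|suser=admin msg=dept\=Finance set",
    r"CEF:0|ExampleVendor|ExampleProduct|1.0|delete|Truncated record",
    r"CEF:0|ExampleVendor|ExampleProduct|1.0|login|User login|42|suser=jdoe",
]
```

Calling check_export on the lines of an exported file returns an empty list when every record is well formed; for the constructed sample it flags lines 3 and 4.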