Skip to content

Shared Signals Framework

Shared Signals Framework is a security identity standard that allows different security solutions to share and consume security events and alerts in real-time. This allows organizations to significantly reduce the time it takes to detect, respond to, and remediate identity-related threats. This real time, event-driven architecture supports Zero Trust principles by enabling dynamic access decisions based on the current identity context. It eliminates reliance on periodic polling or manual intervention, delivering a scalable, automated, and secure model for context-aware access control.

There are 5 main components in Shared Signals Framework:

  • Subject - A person, device, group, or organization about whom we want to communicate security events.

  • Event – A security-related occurrence pertaining to a subject, such as when a user’s device is no longer compliance.

  • Transmitter – A component within the infrastructure that is broadcasting events to other components.

  • Receiver - A security component within the infrastructure that receives and acts on events.

  • Stream - An abstraction for how events flow from a transmitter to a receiver.

Shared Signals Framework allows SailPoint to receive security events in real time with other components within the security architecture. Transmitters monitor all managed devices and flag any changes. The transmitter then sends security events to the receiver configured in Identity Security Cloud through a stream. The receiver correlates the events with identity data, providing comprehensive visibility. Admins can configure a workflow to trigger based on received signals and act in response to the security event.

Transmitters

A transmitter is a component within the infrastructure that is broadcasting events to other components. The transmitter is used to monitor all managed subjects and flag any changes. Refer to Integrating SailPoint with Jamf using SSF for more information on setting up a transmitter.

Receivers

A receiver is a security vendor that receives and acts on events. Receivers in Identity Security Cloud can configure which subjects they are interested in and how they would like to receive events. Refer to Adding the Receiver in SailPoint and Managing Receivers for more information.

Streams

A stream is an abstraction for how events flow from a transmitter to a receiver. There can be a single stream between a transmitter and receiver, or there can be multiple streams.

Events

An event is a security-related occurrence pertaining to a subject, such as when a user’s device is no longer compliant. The transmitter sends these events to the Identity Security Cloud receiver as Security Event Tokens via a stream.

Select a receiver to view details or view events associated with the receiver. Use workflows to define how to act on supported events as they are received.

Supported Events

SailPoint Shared Signals Framework supports the following event types.

CAEP Events

  • Device compliance change

Workflows

Build a workflow to define how events are handled.

SailPoint offers a pre-built workflow templates to assist in getting started with Shared Signals Framework. These templates serve as a starting point and must be configured to meet your needs.

Device Compliance Change Trigger

The Device Compliance Change trigger initiates the workflow when a device compliance change CAEP event is received.

Remove Access Based off Device Compliance Change template

The Remove Access Based off Device Compliance Change template is triggered by a Shared Signals Framework CAEP event when an identity’s device is no longer compliant. The workflow disables the identity’s accounts in response to a potential threat.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.