
How do we integrate our SIEM and SOAR solutions with IdentityNow?


There are two primary approaches for integrating security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solutions with Identity Security Cloud and IdentityNow:

  1. Have the SIEM and SOAR solutions consume IdentityNow event and log data
  2. Automate event response from the SIEM and SOAR solutions via IdentityNow

For the first integration approach, there are a few options:

  • Consume event data via the IdentityNow Search APIs from the SIEM solution
  • For specific use cases, leverage Event Triggers to subscribe to and consume events into the SIEM solution
  • Automate the secure retrieval and shipping of Virtual Appliance (VA) logs to the SIEM solution via scripting

With respect to the last option, refer to the Virtual Appliance Troubleshooting Guide for a listing of VA log files and the related diagnostics script.

For the second integration approach, the IdentityNow APIs may be leveraged for a variety of use cases.
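For the Search API option in the first approach, a SIEM collector typically polls the `events` index from a saved checkpoint and pages through the results. The sketch below is an added example, not SailPoint code. It assumes the request body shape of the v3 Search API (`indices`, `query`, `sort`, `searchAfter`), a hypothetical `post_search` callable that performs the authenticated HTTPS POST, and constructed sample events.

```python
import json

def build_search_body(since_iso, search_after=None):
    # Assumed body for POST /v3/search; confirm field names in the API docs.
    body = {"indices": ["events"],
            "query": {"query": f"created:>={since_iso}"},  # inclusive on purpose
            "sort": ["created", "id"]}  # stable order is required for paging
    if search_after:
        body["searchAfter"] = search_after
    return body

def pull_events(post_search, since_iso, page_size=250):
    """Yield events from the checkpoint onward, oldest first, page by page."""
    cursor = None
    while True:
        page = post_search(build_search_body(since_iso, cursor), page_size)
        yield from page
        if len(page) < page_size:
            return
        cursor = [page[-1]["created"], page[-1]["id"]]

def to_siem_lines(events, seen_ids):
    """Return (NDJSON lines, new checkpoint); checkpoint is None if nothing new."""
    lines, checkpoint = [], None
    for ev in events:
        if ev["id"] in seen_ids:  # the inclusive re-query overlaps the last poll
            continue
        seen_ids.add(ev["id"])
        lines.append(json.dumps(ev, sort_keys=True))
        checkpoint = ev["created"]
    return lines, checkpoint

# Constructed sample events; real event documents carry more fields.
SAMPLE = [
    {"id": "e1", "created": "2023-06-30T09:00:00Z", "action": "sample_a"},
    {"id": "e2", "created": "2023-06-30T10:00:00Z", "action": "sample_b"},
    {"id": "e3", "created": "2023-06-30T10:05:00Z", "action": "sample_a"},
    {"id": "e4", "created": "2023-06-30T10:05:00Z", "action": "sample_c"},
    {"id": "e5", "created": "2023-06-30T10:10:00Z", "action": "sample_b"},
]

def fake_post_search(body, limit):
    """Offline stand-in for the HTTPS call (hypothetical); mimics sort and searchAfter."""
    since = body["query"]["query"].split(">=", 1)[1]
    after = tuple(body.get("searchAfter", ("", "")))
    hits = [e for e in sorted(SAMPLE, key=lambda e: (e["created"], e["id"]))
            if e["created"] >= since and (e["created"], e["id"]) > after]
    return hits[:limit]
```

The inclusive query plus the `seen_ids` set avoids dropping events that share the checkpoint timestamp. In a long-running collector, prune `seen_ids` to the ids at the current checkpoint.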

Version history: Revision 1 of 1. Last update: Jun 30, 2023 05:25 PM