
SIEM Integration - Azure Sentinel - unique Identifier from Saviynt

ssudhakar
New Contributor III

Hi Experts,

We have been working on integrating our Azure Sentinel system (SIEM) with Saviynt. We have followed the guide available on the Docs portal (https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter20-EIC-Integrations/Saviynt-...) and successfully achieved connectivity between Saviynt and the SIEM through the runtime analytics report and APIs.

However, we have noticed some discrepancies in the userlogin_access table log details. Some entries have a proper event_id captured, while others do not. Similarly, the detail field is filled with complex values for some entries, but only contains a high-level message or is blank for others.

Sample detail field values:
1. {"data":"actionType:Show, eventId:1634551574818, USERLOGINS_KEY:com.saviynt.ecm.utility.UserLogins : 45, remoteHost:34.199.249.8:52717, actionUri:\/ecmConfig\/generalConfiguration, category:SoD, remoteAddress:34.199.249.8:52717, _:1634551569696, objectType:GLOBAL_CONFIGURATION","objectName":"SoD","message":"Configuration of category SoD viewed by user admin"}
2. {"data":"","objectName":"Connection List","message":"User admin requested for list of Connections"}
3. Connection ABCD updated by user admin on 10-18-2021. Details of old and new value :: [:]

We also observed the userlogin_accesskey attribute in the table, which is an auto-incremental field. We noticed that multiple userlogin_accesskey value sequences are generated for the same event_id. Because of these challenges, we are not able to decide on a unique identifier for the report.

Given these observations, we would appreciate Saviynt’s recommendation for a unique identifier for the logs/analytics report that Sentinel is pulling at certain intervals. This would help ensure that no duplicate details are being consumed.

We look forward to hearing from anyone from this forum group who can assist us with this query.

Sudhin Sudhakar
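The three detail-field shapes quoted above (JSON with a populated "data" string, JSON with an empty "data", and a bare text message) can be normalised on the collector side, and a dedup key derived from them, without waiting for the bug fix. The following is an added example for this thread, not code from the post or from Saviynt: it takes the column names userlogin_accesskey, event_id and detail from the post, and everything else (the row layout, the sample values, the carried-over "seen" state and the watermark) is assumed. It prefers the Saviynt event id as the identity, because several userlogin_accesskey values can cover one event, and falls back to the auto-increment key only when no event id is available; it also flags the case where one event id turns up with differing content, which is the check to run before trusting event_id alone.

```python
"""Normalise Saviynt userlogin_access rows and derive a dedup key for a SIEM pull.

Added example for this forum thread, not Saviynt code. Column names
(userlogin_accesskey, event_id, detail) come from the post; all else is assumed.
"""
import hashlib
import json

# Constructed samples modelled on the three detail shapes quoted in the post.
_SOD_DETAIL = (
    r'{"data":"actionType:Show, eventId:1634551574818, '
    r'USERLOGINS_KEY:com.saviynt.ecm.utility.UserLogins : 45, '
    r'remoteHost:34.199.249.8:52717, actionUri:\/ecmConfig\/generalConfiguration, '
    r'category:SoD, remoteAddress:34.199.249.8:52717, _:1634551569696, '
    r'objectType:GLOBAL_CONFIGURATION","objectName":"SoD",'
    r'"message":"Configuration of category SoD viewed by user admin"}'
)
_CONN_LIST_DETAIL = (
    r'{"data":"","objectName":"Connection List",'
    r'"message":"User admin requested for list of Connections"}'
)
_CONN_UPDATE_DETAIL = ("Connection ABCD updated by user admin on 10-18-2021. "
                       "Details of old and new value :: [:]")

SAMPLE_ROWS = [  # constructed; keys and event_id values are made up
    {"userlogin_accesskey": 101, "event_id": "1634551574818", "detail": _SOD_DETAIL},
    # Same event, second auto-increment key, blank event_id column: the duplication the post reports.
    {"userlogin_accesskey": 102, "event_id": None, "detail": _SOD_DETAIL},
    {"userlogin_accesskey": 103, "event_id": None, "detail": _CONN_LIST_DETAIL},
    {"userlogin_accesskey": 104, "event_id": None, "detail": _CONN_UPDATE_DETAIL},
    # Identical text under a new key and no event id: nothing in the row proves it is a
    # repeat, so it must be kept as a distinct event.
    {"userlogin_accesskey": 105, "event_id": None, "detail": _CONN_UPDATE_DETAIL},
]


def _parse_data_blob(blob: str) -> dict:
    """Split the 'k:v, k:v' data string into a dict.

    Values can themselves contain ':' (host:port, 'UserLogins : 45'), so each
    comma-separated token is split on its first colon only.
    """
    fields = {}
    for token in blob.split(", "):
        if ":" in token:
            key, value = token.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_detail(detail: str) -> dict:
    """Normalise any of the three detail shapes to one structure."""
    detail = detail or ""
    try:
        doc = json.loads(detail)
    except ValueError:           # shape 3: bare text, not JSON at all
        doc = None
    if not isinstance(doc, dict):
        return {"format": "text", "event_id": None, "message": detail.strip(),
                "object_name": None, "fields": {}}
    fields = _parse_data_blob(doc.get("data") or "")   # shape 2 has data == ""
    return {"format": "json", "event_id": fields.get("eventId"),
            "message": doc.get("message", ""), "object_name": doc.get("objectName"),
            "fields": fields}


def content_hash(detail: str) -> str:
    return hashlib.sha256((detail or "").encode("utf-8")).hexdigest()


def dedup_key(row: dict) -> str:
    """Event id from the column or from the detail blob when the column is blank;
    otherwise the row's own auto-increment key, the only stable identity left."""
    event_id = row.get("event_id") or parse_detail(row.get("detail", ""))["event_id"]
    return f"event:{event_id}" if event_id else f"row:{row['userlogin_accesskey']}"


def dedup(rows, seen=None):
    """Filter one pulled batch against `seen` (key -> set of content hashes), which the
    caller persists between pulls. Returns (new_rows, collisions, watermark).

    An exact repeat of a shipped row is dropped. A known key arriving with different
    content is a collision: one event id covering distinct content, which would make
    event_id unsafe as the sole identifier, so the row is kept and reported.
    The watermark is the highest userlogin_accesskey in the batch, for the next pull's
    lower bound (pull with a little overlap; this filter absorbs it).
    """
    seen = {} if seen is None else seen
    new_rows, collisions = [], []
    watermark = max((r["userlogin_accesskey"] for r in rows), default=None)
    for row in sorted(rows, key=lambda r: r["userlogin_accesskey"]):
        key, digest = dedup_key(row), content_hash(row.get("detail", ""))
        digests = seen.setdefault(key, set())
        if digest in digests:
            continue
        if digests:
            collisions.append((key, row["userlogin_accesskey"]))
        digests.add(digest)
        new_rows.append(row)
    return new_rows, collisions, watermark


def demo() -> dict:
    """First pull, then an overlapping second pull carrying one event-id collision."""
    seen = {}
    first, coll1, wm1 = dedup(SAMPLE_ROWS, seen)
    second_batch = SAMPLE_ROWS[-2:] + [{   # overlap of two rows plus a constructed new one
        "userlogin_accesskey": 106, "event_id": "1634551574818",
        "detail": r'{"data":"","objectName":"SoD","message":"Configuration of category SoD updated by user admin"}',
    }]
    second, coll2, wm2 = dedup(second_batch, seen)
    keys = lambda rows: [r["userlogin_accesskey"] for r in rows]
    return {"first_new": keys(first), "first_collisions": coll1, "watermark1": wm1,
            "second_new": keys(second), "second_collisions": coll2, "watermark2": wm2}


if __name__ == "__main__":
    print(demo())
```

The design choice worth stating: rows with no event id are keyed by their auto-increment key and never collapsed on content alone, because two identical "Connection ABCD updated" messages may be two real changes. If the report exposes an access timestamp as well, adding it to the no-event-id key is a reasonable tightening, but that column is not named in the post and is not assumed here.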

2 REPLIES

Dhruv_S
Saviynt Employee

Hi @ssudhakar 

We are checking this internally and will keep you posted.

Regards,

Dhruv Sharma

Dhruv_S
Saviynt Employee

Hi @ssudhakar 

We have identified the issue below as a bug and will be raising a bug ticket internally. I have requested some information from you in the forum inbox. Kindly provide the same to proceed further.

Issue: multiple userlogin_accesskey value sequences are generated for the same event_id.

Regards,

Dhruv Sharma