Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Splunk and EIC Integration: Require Recommendations on Monitoring Audit Logs and Alert Triggers

New Contributor III
New Contributor III


We are working on the integration of Splunk with Saviynt EIC, designed to enhance the monitoring and management of audit logs within the Saviynt platform.
To ensure optimal results and a streamlined workflow, it is important to follow best practices for determining which audit events Splunk should trigger alerts for. We have provided a list of recommendations for capturing these events and configuring alerts accordingly.
Some recommended audit events to monitor and trigger alerts include:

1. ROLE_ADMIN Changes: Creating alerts for when a Saviynt Role Administrator role is either added to or removed from a user will help you maintain control over the administration of the platform and ensure that only authorized individuals have access to these privileges.

2. Job Triggers: Monitoring the deletion of job triggers.

3. Connection Updates: Keeping track of updates made to connections.

4. Connection Deletions: Similar to updates, deleting a connection can be a cause for concern as it may disrupt the operations on the platform.

Please note that the above recommendations are examples and a starting point for determining the appropriate audit events we want to monitor. 

We have already read the documentation for SIEM integration and created the list above:

We require the best practices and more events that need to be captured for sending alerts.

Best Regards,

Krunal Kadam



You can add all alerts which comes as OOTB reports in saviynt such as 

  • Failed tasks
  • Provisioning Limit exceeded
  • Hung Requests 
  • Hung Jobs
  • Request Approved without Tasks

Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.