Summary
The sailpoint_identity_sc integration currently collects only audit events from the SailPoint Identity Security Cloud Search API. It does not collect identity data and therefore cannot support ECS entity workflows. This issue tracks the addition of two new data streams (identities and machine_identities) to bring entity support to the integration.
Background
The existing events data stream collects audit logs via POST /v2025/search (indices: ["events"]). Identity records (who users are, what they own, who they manage, what permissions they hold) are not collected today. Adding entity support requires dedicated data streams that pull from the identity-focused endpoints of the SailPoint ISC API.
Scope
Two new data streams will be added:
| Data Stream |
ECS Entity Type |
Description |
identities |
user |
Human identities; employees, contractors, and external users governed by SailPoint |
machine_identities |
service |
Non-human identities; service accounts, application accounts, and bots |
The two data streams are kept separate because they use different API endpoints with different schemas, different OAuth scopes, different pagination mechanisms, and different ECS entity types. The machine identity API is also currently marked experimental by SailPoint, so isolating it avoids coupling its stability to the human identity stream.
Endpoint Strategy
identities data stream
Two SailPoint endpoints can serve human identity data:
| Capability |
GET /v2026/identities |
POST /v2026/search (indices: identities) |
| Owned objects (roles, sources, apps) |
Not included |
Included (owns object) |
| Access items (entitlements, access profiles, roles) |
Not included |
Included (access array with type and source) |
| Manager reference |
Basic (id, name) |
Full (id, name, displayName) |
| Segment membership |
Not included |
Included (visibleSegments) |
| Connected applications |
Not included |
Included (apps array) |
| Max page size |
250 |
10,000 (plus searchAfter cursor for datasets above 10K) |
| OAuth scope |
idn:identity:read |
sp:search:read |
| Already in use by integration |
No |
Yes, same endpoint used by events data stream |
Decision: use POST /v2026/search with indices: ["identities"]. It provides the richest schema, is already authenticated, supports a 40× larger page size, and is the only endpoint that exposes the ownership, access, and segment data needed for entity field mapping.
For manager–report relationships (who a manager supervises), an additional targeted Search call is needed per manager identity: POST /v2026/search with query: "manager.id:<id>". This uses the same endpoint and scope and is gated on the isManager flag so it only fires for identities that manage others.
machine_identities data stream
Only one endpoint exists for machine identities: GET /v2026/machine-identities. It is marked experimental by SailPoint and requires the request header X-SailPoint-Experimental: true and a distinct OAuth scope (idn:mis-identity:read). Pagination uses limit/offset with a maximum page size of 250.
Endpoints
identities data stream
| Endpoint |
Method |
Purpose |
/{version}/search |
POST |
Primary collection of all human identity documents (indices: ["identities"]) |
/{version}/search |
POST |
Reverse-lookup of direct reports for manager identities (query: "manager.id:<id>") |
OAuth scope required: sp:search:read
machine_identities data stream
| Endpoint |
Method |
Purpose |
/{version}/machine-identities |
GET |
Collection of all machine identity documents |
OAuth scope required: idn:mis-identity:read
Required header: X-SailPoint-Experimental: true
Notes
- The
machine_identities data stream depends on a SailPoint experimental API. The CEL program must handle 404/501 responses gracefully and the manifest should document this dependency clearly.
- The
idn:mis-identity:read scope is not currently present in the integration manifest and will need to be added, either as a new default scope or as part of a separate optional policy template.
- The
api_version variable already present in the manifest should be reused for both new data streams to remain consistent with the existing events data stream. Its default value could be updated from v2025 to v2026 as the most recent versions provide new features and ensures backward compatibility.
Summary
The
sailpoint_identity_scintegration currently collects only audit events from the SailPoint Identity Security Cloud Search API. It does not collect identity data and therefore cannot support ECS entity workflows. This issue tracks the addition of two new data streams (identitiesandmachine_identities) to bring entity support to the integration.Background
The existing
eventsdata stream collects audit logs viaPOST /v2025/search(indices: ["events"]). Identity records (who users are, what they own, who they manage, what permissions they hold) are not collected today. Adding entity support requires dedicated data streams that pull from the identity-focused endpoints of the SailPoint ISC API.Scope
Two new data streams will be added:
identitiesusermachine_identitiesserviceThe two data streams are kept separate because they use different API endpoints with different schemas, different OAuth scopes, different pagination mechanisms, and different ECS entity types. The machine identity API is also currently marked experimental by SailPoint, so isolating it avoids coupling its stability to the human identity stream.
Endpoint Strategy
identitiesdata streamTwo SailPoint endpoints can serve human identity data:
GET /v2026/identitiesPOST /v2026/search(indices: identities)ownsobject)accessarray with type and source)visibleSegments)appsarray)searchAftercursor for datasets above 10K)idn:identity:readsp:search:readeventsdata streamDecision: use
POST /v2026/searchwithindices: ["identities"]. It provides the richest schema, is already authenticated, supports a 40× larger page size, and is the only endpoint that exposes the ownership, access, and segment data needed for entity field mapping.For manager–report relationships (who a manager supervises), an additional targeted Search call is needed per manager identity:
POST /v2026/searchwithquery: "manager.id:<id>". This uses the same endpoint and scope and is gated on theisManagerflag so it only fires for identities that manage others.machine_identitiesdata streamOnly one endpoint exists for machine identities:
GET /v2026/machine-identities. It is marked experimental by SailPoint and requires the request headerX-SailPoint-Experimental: trueand a distinct OAuth scope (idn:mis-identity:read). Pagination uses limit/offset with a maximum page size of 250.Endpoints
identitiesdata stream/{version}/searchindices: ["identities"])/{version}/searchquery: "manager.id:<id>")OAuth scope required:
sp:search:readmachine_identitiesdata stream/{version}/machine-identitiesOAuth scope required:
idn:mis-identity:readRequired header:
X-SailPoint-Experimental: trueNotes
machine_identitiesdata stream depends on a SailPoint experimental API. The CEL program must handle404/501responses gracefully and the manifest should document this dependency clearly.idn:mis-identity:readscope is not currently present in the integration manifest and will need to be added, either as a new default scope or as part of a separate optional policy template.api_versionvariable already present in the manifest should be reused for both new data streams to remain consistent with the existingeventsdata stream. Its default value could be updated fromv2025tov2026as the most recent versions provide new features and ensures backward compatibility.