SailPoint

Events

:::info Beta Feature This input is currently in beta. If you run into any issues, please reach out to product@monad.com. :::

Ingests SailPoint IdentityNow audit events via the Search API for security monitoring and compliance.

Sync Type: Incremental

Prerequisites

Before configuring this input, you need:

A SailPoint Identity Security Cloud (ISC) tenant — you will need the tenant subdomain, which is the part of your ISC URL before .api.identitynow.com. For example, if your ISC URL is https://acme.identitynow.com, your tenant subdomain is acme.
An OAuth2 API client with permission to read audit events:
- Log in to the ISC Admin Console.
- Navigate to Admin > Global > Security Settings > API Management.
- Click Add New API Client and grant it the sp:scopes:default scope at minimum, plus any scopes required to search events (consult your SailPoint administrator or see the SailPoint API Authentication docs).
- Record the Client ID and Client Secret — the secret is shown only once.

Authentication

This input uses OAuth2 client credentials (client_id / client_secret). Monad exchanges your Client ID and Client Secret for a bearer token at https://{tenant}.api.identitynow.com/oauth/token and automatically refreshes it on expiry. No additional token management is required.

Configuration

Settings

Setting	Type	Required	Description
Tenant	string	Yes	Your SailPoint tenant subdomain (the part before `.api.identitynow.com`). For example, `acme`.
Authentication	object	Yes	OAuth2 client credentials for authenticating with the SailPoint API. Contains Client ID and Client Secret (see Secrets below).
Search Delay Minutes	integer	No	How far below the current time (in minutes) to cap the query window, to guard against SailPoint Search-index lag. Defaults to 60. With the default, events become visible in Monad approximately 60 minutes after they occur.
Backfill Start Time	string	No	The date and time to start fetching events from on the first run. If not specified, only events that occur after the input is created will be ingested.
Use Synthetic Data	boolean	No	Generate synthetic demo data instead of connecting to the real data source. Useful for testing pipelines before go-live.

Secrets

Secret	Type	Required	Description
Client ID	string	Yes	OAuth2 Client ID for authenticating with the SailPoint API. Obtained when creating an API client in the ISC Admin Console.
Client Secret	string	Yes	OAuth2 Client Secret for authenticating with the SailPoint API. Shown once at creation time in the ISC Admin Console.

Setup Walk-through

In the ISC Admin Console, create an API client and copy the Client ID and Client Secret (see Prerequisites above).
In Monad, navigate to Inputs and click Add Input.
Search for SailPoint and select Events.
Enter your Tenant subdomain (e.g. acme).
Enter the Client ID and Client Secret from step 1.
Optionally, set Search Delay Minutes if your environment indexes events faster than the 60-minute default, or increase it if you observe gaps.
Optionally, set Backfill Start Time to ingest historical events from a specific date.
Click Save and verify that the input status transitions to Running.

Troubleshooting

Common Issues

Authentication failures (401 Unauthorized)

Confirm the Client ID and Client Secret are copied correctly with no extra whitespace.
Check that the API client has not been disabled or deleted in the ISC Admin Console.
Verify that the API client has the necessary scopes to search events.

No events returned

If you set a Backfill Start Time, ensure it is not in the future and not too far in the past (SailPoint Search retains a limited history — see SailPoint documentation for retention details).
With the default Search Delay Minutes of 60, no events will appear until at least 60 minutes after the input starts. This is expected and ensures index consistency; no events are lost.
Confirm your API client has read access to the audit event search scope.

Rate limiting (429 Too Many Requests)

Monad automatically handles 429 responses by honoring the Retry-After header and retrying. If you see persistent throttling, contact SailPoint support.

Tenant subdomain errors

Ensure the tenant value is only the subdomain portion (e.g. acme), not the full hostname (acme.api.identitynow.com) or a full URL.

Last modified on June 10, 2026

Vulnerabilities Pubsub

SailPoint

Events

:::info Beta Feature This input is currently in beta. If you run into any issues, please reach out to product@monad.com. :::

Ingests SailPoint IdentityNow audit events via the Search API for security monitoring and compliance.

Sync Type: Incremental

Prerequisites

Before configuring this input, you need:

A SailPoint Identity Security Cloud (ISC) tenant — you will need the tenant subdomain, which is the part of your ISC URL before .api.identitynow.com. For example, if your ISC URL is https://acme.identitynow.com, your tenant subdomain is acme.
An OAuth2 API client with permission to read audit events:
- Log in to the ISC Admin Console.
- Navigate to Admin > Global > Security Settings > API Management.
- Click Add New API Client and grant it the sp:scopes:default scope at minimum, plus any scopes required to search events (consult your SailPoint administrator or see the SailPoint API Authentication docs).
- Record the Client ID and Client Secret — the secret is shown only once.

Authentication

Configuration

Settings

Setting	Type	Required	Description
Tenant	string	Yes	Your SailPoint tenant subdomain (the part before `.api.identitynow.com`). For example, `acme`.
Authentication	object	Yes	OAuth2 client credentials for authenticating with the SailPoint API. Contains Client ID and Client Secret (see Secrets below).
Search Delay Minutes	integer	No	How far below the current time (in minutes) to cap the query window, to guard against SailPoint Search-index lag. Defaults to 60. With the default, events become visible in Monad approximately 60 minutes after they occur.
Backfill Start Time	string	No	The date and time to start fetching events from on the first run. If not specified, only events that occur after the input is created will be ingested.
Use Synthetic Data	boolean	No	Generate synthetic demo data instead of connecting to the real data source. Useful for testing pipelines before go-live.

Secrets

Secret	Type	Required	Description
Client ID	string	Yes	OAuth2 Client ID for authenticating with the SailPoint API. Obtained when creating an API client in the ISC Admin Console.
Client Secret	string	Yes	OAuth2 Client Secret for authenticating with the SailPoint API. Shown once at creation time in the ISC Admin Console.

Setup Walk-through

In the ISC Admin Console, create an API client and copy the Client ID and Client Secret (see Prerequisites above).
In Monad, navigate to Inputs and click Add Input.
Search for SailPoint and select Events.
Enter your Tenant subdomain (e.g. acme).
Enter the Client ID and Client Secret from step 1.
Optionally, set Search Delay Minutes if your environment indexes events faster than the 60-minute default, or increase it if you observe gaps.
Optionally, set Backfill Start Time to ingest historical events from a specific date.
Click Save and verify that the input status transitions to Running.

Troubleshooting

Common Issues

Authentication failures (401 Unauthorized)

Confirm the Client ID and Client Secret are copied correctly with no extra whitespace.
Check that the API client has not been disabled or deleted in the ISC Admin Console.
Verify that the API client has the necessary scopes to search events.

No events returned

If you set a Backfill Start Time, ensure it is not in the future and not too far in the past (SailPoint Search retains a limited history — see SailPoint documentation for retention details).
With the default Search Delay Minutes of 60, no events will appear until at least 60 minutes after the input starts. This is expected and ensures index consistency; no events are lost.
Confirm your API client has read access to the audit event search scope.

Rate limiting (429 Too Many Requests)

Monad automatically handles 429 responses by honoring the Retry-After header and retrying. If you see persistent throttling, contact SailPoint support.

Tenant subdomain errors

Ensure the tenant value is only the subdomain portion (e.g. acme), not the full hostname (acme.api.identitynow.com) or a full URL.

Last modified on June 10, 2026

Vulnerabilities Pubsub

Events

Prerequisites

Authentication

Configuration

Settings

Secrets

Setup Walk-through

Troubleshooting

Common Issues

Related Articles

Events

Prerequisites

Authentication

Configuration

Settings

Secrets

Setup Walk-through

Troubleshooting

Common Issues

Related Articles