sailpoint_identity_sc: make API version configurable and fix search endpoint format (#14935)

Updates the Sailpoint Identity SC integration with the following:
- Make the API version configurable, as API docs states[1] it will follow
  an annual release cycle. This parameter adds flexibility for users to choose
  which version they want to use, or update the API version by themselves.
- Fix the `search` API endpoint format, the search indices such as "events" should
  be added in the request body instead of the URL.

[1] https://developer.sailpoint.com/docs/api/v2025/api-versioning-strategy#release-schedule

Author: chemamartinez

packages/sailpoint_identity_sc/_dev/build/docs/README.md

@@ -6,7 +6,7 @@ The Elastic integration for [Sailpoint Identity Security Cloud](https://www.sail
 
 - **`events`**: Provides audit data that includes actions such as `USER_MANAGEMENT`, `PASSWORD_ACTIVITY`, `PROVISIONING`, `ACCESS_ITEM`, `SOURCE_MANAGEMENT`, `CERTIFICATION`, `AUTH`, `SYSTEM_CONFIG`, `ACCESS_REQUEST`, `SSO`, `WORKFLOW`, `SEGMENT` and more.
 - [Audit Events](https://community.sailpoint.com/t5/IdentityNow-Wiki/Audit-Events-in-Cloud-Audit/ta-p/218727) are records that a user took action in an [IdentityNow](https://www.sailpoint.com/products/identitynow) tenant, or other service like [IdentityAI](https://www.sailpoint.com/products/ai-driven-identity-security). Audit Events are structurally and conceptually very similar to [IdentityIQ's](https://www.sailpoint.com/products/identity-security-software/identity-iq)Audit Events, but have evolved in several ways.
-- This data stream leverages the Sailpoint identity security cloud API's `/v2024/search/events` endpoint to retrieve event logs.
+- This data stream leverages the Sailpoint identity security cloud API's [/v2025/search](https://developer.sailpoint.com/docs/api/v2025/search-post) endpoint to retrieve event logs.
 
 ## Requirements
 

packages/sailpoint_identity_sc/_dev/deploy/docker/files/config.yml

@@ -22,15 +22,15 @@ rules:
             "token_type": "Bearer"
           }
   # Search Events Endpoint for the 2nd pagination
-  - path: /v2024/search/events
+  - path: /v2025/search
     methods:
       - POST
     request_headers:
       Authorization:
         - Bearer xxxxxxxxxxxxx
       Content-Type:
         - application/json
-    request_body: /^\{"query":\{"query":"\*"\},"queryResultFilter":\{\},"queryType":"SAILPOINT","searchAfter":\["2024-12-13T19:42:26\.121Z"\],"sort":\["created"\]\}/
+    request_body: /^\{"indices":\["events"\],"query":\{"query":"\*"\},"queryResultFilter":\{\},"queryType":"SAILPOINT","searchAfter":\["2024-12-13T19:42:26\.121Z"\],"sort":\["created"\]\}/
     query_params:
       limit: "2"
     responses:
@@ -41,15 +41,15 @@ rules:
         body: |
           []
   # Search Events Endpoint for the 1st pagination
-  - path: /v2024/search/events
+  - path: /v2025/search
     methods:
       - POST
     request_headers:
       Authorization:
         - Bearer xxxxxxxxxxxxx
       Content-Type:
         - application/json
-    request_body: /{"query":\{"query":"\*"\},"queryResultFilter":\{\},"queryType":"SAILPOINT","searchAfter":\["2024-12-13T19:41:24\.124Z"\],"sort":\["created"\]\}/
+    request_body: /^\{"indices":\["events"\],"query":\{"query":"\*"\},"queryResultFilter":\{\},"queryType":"SAILPOINT","searchAfter":\["2024-12-13T19:41:24\.124Z"\],"sort":\["created"\]\}/
     query_params:
       limit: "2"
     responses:
@@ -77,15 +77,15 @@ rules:
             }
           ]
   # Search Events Endpoint initial
-  - path: /v2024/search/events
+  - path: /v2025/search
     methods:
       - POST
     request_headers:
       Authorization:
         - Bearer xxxxxxxxxxxxx
       Content-Type:
         - application/json
-    request_body: /^\{"query":\{"query":"\*"\},"queryResultFilter":\{\},"queryType":"SAILPOINT","searchAfter":\["[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z"\],"sort":\["created"\]\}/
+    request_body: /^\{"indices":\["events"\],"query":\{"query":"\*"\},"queryResultFilter":\{\},"queryType":"SAILPOINT","searchAfter":\["[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z"\],"sort":\["created"\]\}/
     query_params:
       limit: "2"
     responses:

packages/sailpoint_identity_sc/changelog.yml

@@ -1,3 +1,11 @@
+- version: "1.1.0"
+  changes:
+    - description: Add option to select the API version to use.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14935
+    - description: Fix POST request format for events data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14935
 - version: "1.0.0"
   changes:
     - description: Release package as GA.

packages/sailpoint_identity_sc/data_stream/events/_dev/test/system/test-default-config.yml

@@ -1,6 +1,7 @@
 input: cel
 service: sailpoint
 vars:
+  api_version: v2025
   client_id: qwerty
   client_secret: eweqweqwqew
   api_host: http://{{Hostname}}:{{Port}}

packages/sailpoint_identity_sc/data_stream/events/agent/stream/cel.yml.hbs

@@ -31,11 +31,12 @@ state:
   want_more: false
   limit: {{limit}}
   initial_interval: {{initial_interval}}
+  api_version: {{api_version}}
 program: |-
   {"startTime": state.?cursor.searchAfter.orValue(timestamp(now() - duration(state.initial_interval)).format(time_layout.RFC3339))}.as(timeframe,
   	request(
   		"POST",
-  		state.url.trim_right("/") + "/v2024/search/events?" + {
+  		state.url.trim_right("/") + "/" + state.api_version + "/search?" + {
   			"limit": [string(state.limit)],
   		}.format_query()
   	).with(
@@ -44,6 +45,7 @@ program: |-
   				"Content-Type": ["application/json"],
   			},
   			"Body": {
+  				"indices": ["events"],
   				"searchAfter": [string(timeframe.startTime)],
   				"queryType": "SAILPOINT",
   				"sort": ["created"],

packages/sailpoint_identity_sc/docs/README.md

@@ -6,7 +6,7 @@ The Elastic integration for [Sailpoint Identity Security Cloud](https://www.sail
 
 - **`events`**: Provides audit data that includes actions such as `USER_MANAGEMENT`, `PASSWORD_ACTIVITY`, `PROVISIONING`, `ACCESS_ITEM`, `SOURCE_MANAGEMENT`, `CERTIFICATION`, `AUTH`, `SYSTEM_CONFIG`, `ACCESS_REQUEST`, `SSO`, `WORKFLOW`, `SEGMENT` and more.
 - [Audit Events](https://community.sailpoint.com/t5/IdentityNow-Wiki/Audit-Events-in-Cloud-Audit/ta-p/218727) are records that a user took action in an [IdentityNow](https://www.sailpoint.com/products/identitynow) tenant, or other service like [IdentityAI](https://www.sailpoint.com/products/ai-driven-identity-security). Audit Events are structurally and conceptually very similar to [IdentityIQ's](https://www.sailpoint.com/products/identity-security-software/identity-iq)Audit Events, but have evolved in several ways.
-- This data stream leverages the Sailpoint identity security cloud API's `/v2024/search/events` endpoint to retrieve event logs.
+- This data stream leverages the Sailpoint identity security cloud API's [/v2025/search](https://developer.sailpoint.com/docs/api/v2025/search-post) endpoint to retrieve event logs.
 
 ## Requirements
 

packages/sailpoint_identity_sc/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.3.0
 name: sailpoint_identity_sc
 title: Sailpoint Identity Security Cloud
-version: "1.0.0"
+version: "1.1.0"
 source:
   license: "Elastic-2.0"
 description: "Sailpoint identity security cloud provides enterprise identity governance and security capabilities. The integration allows users to extract audit information from their identity security cloud tenant using the ISC's AuditEvent API."
@@ -38,6 +38,16 @@ policy_templates:
             description: "Enter the URL of the Sailpoint identity security cloud host API server, e.g., https://{tenant}.api.identitynow-demo.com/"
             show_user: true
             required: true
+          - name: api_version
+            type: text
+            title: API Version
+            description: |
+              Enter the API version to use, e.g., v2025.
+              Sailpoint Identity Security Cloud API follows a annual release cycle.
+              More information about it can be found [here](https://developer.sailpoint.com/docs/api/v2025/api-versioning-strategy).
+            show_user: true
+            required: true
+            default: v2025
           - name: client_id
             type: text
             title: Client ID for Sailpoint identity security cloud