Skip to content

Activity Forensics

The purpose of the activity forensics page is to control and monitor access to sensitive data at the user level, across multiple applications.

Administrators and Data Owners can monitor and control identities and external users accessing sensitive resources. This ensures visibility, transparency, and accountability in data governance practices.

Administrators and Data Owners can filter activities based on multiple attributes to enhance investigations, set a specific investigation period, and obtain more details on the event card for a specific activity.

Administrators and Data Owners can also generate ad hoc or scheduled reports with flexible filtering for any type of activity to be automatically saved according to a set schedule.

Activity Monitoring Capabilities

Data Access Security Activity Monitoring enables Administrators and Data Owners to gain the following visibility into data access activities:

  • Capabilities to capture, track, and analyze activities taking place on data assets and allow detection on unusual identity activity.
  • Captures and analyzes activities on data assets six months from the moment activity took place, getting a real time or historical snapshot.
  • Enriches information about the actors and their activities with Identity Attributes, providing more context about “who” acted.
  • Enriches resource information that are objects to the activity with Data Classification Engine categories, rules, and policies.
  • Provides visibility on activities that are not known to Identity Security Cloud users.
  • Enables activity log on demand for a customized retention period (up to 7 years) with automatic deletion afterward.

Using Activity Forensics

To view activities, go to Forensics > Activity.

The user is presented with a list of various activities. By selecting one of the time stamps, you can view details about each activity like the date and time of the action and who performed it, the type of action they performed on the object, the name of the resource, the location of the resource, and more.


Activities are available for up to 6 months. At the 6 month threshold, activity events are moved to offline storage. The data retention configuration defines the length of time the activity data is stored offline. This data can be made accessible by a support ticket.

By default, the data displayed includes the following columns for each activity:

  • Action Time
  • User Name
  • Object Name
  • Action Type
  • Resource Path
  • Data Classification Policies
  • Identity Department

Searching for an Activity

There are a couple of ways to find certain activities.

You can use the Filter function to locate an activity. Using the dropdowns, provide the desired parameters of the filter to perform the search.

From that filter, you can save it for future use by selecting Save on the filters row and also the save button next to the Filters button. When a filter is saved, it then becomes a query.

When a query is created, an overlay appears with fields that need information. Provide a name for the query and if you want to share it with anyone, search for that specific identity. When the information is provided, select Save.

To view any saved queries, select Saved Queries at the top right of the screen. From here you can view three types of saved queries:

  • Recent - queries that have been recently used but are not saved.
  • Saved - queries that have been saved.
  • Shared - queries that have been shared with others.

Another way to find activities is to select the Time Frame dropdown to look for activities within a certain time frame. If selecting Advanced Options, you are able to fine tune your search by being able to select date and time ranges.

Viewing Activity Details

To view more details about an activity from the activities list, select the desired activity timestamp and an Activity Details overlay displays. Viewing more details on a particular activity gives the user insight into what type of event took place (read, write, etc.) and who performed that event.

In Activity Details, there are three tabs the user can choose from to find information.

  • Actor tab – data about the identity who performed the action. This data is enriched from Identity Security Cloud.
  • Object Details tab - all details about the object itself.
  • Advanced Properties tab - displays information that is dependent on the action type that was performed. This set of information shows the old and new information, if it is applicable. For example, if a resource was moved, this tab shows the old and new resource path.

Select Close to go back to the main Activity Forensics page.

Global Options

There are two global options that can be performed on the Activity Forensics page.

  • Generate Report – This generates a report based off of a query. This report is available in Reports > My Reports.
  • Schedule Report Template – This creates a report template with a schedule to generate the report. The report template can be seen in Reports > Report Templates.

Refer to Data Access Security Reports for more information.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at