Audit Reports and Monitoring

Nearly everything that happens in Identity Security Cloud is tracked in audit reports that you can download, send to auditors, and search for events or patterns. You can view audit data in Search, on the Admin Dashboard, and throughout Identity Security Cloud. You can additionally configure Identity Security Cloud to send notifications when certain components of your site have problems.

Audit data is stored for 1 year, plus the current month. If you need to access older data, up to 5 years old, fill out the Audit History Request Form and submit it with a support ticket.

All audit activity can be found in Search. You can download default audit reports or modify your search query to download a custom report.

You can download the following default audit reports from Search:

  • All Events - All activity that Identity Security Cloud tracks in audit events.
  • Access Request Activity - All activity related to access requests.
  • Authentication Activity - Events related to any kind of authentication, including into Identity Security Cloud and into apps.
  • Password Changes - All password updates, including for apps, sources, and Identity Security Cloud.
  • Provisioning Activity - View a basic audit report of provisioning events.
  • All Source Activity (Non-Provisioning) - All activity on all sources, not including provisioning activity.

You can learn more about these reports, the queries they use, and how to download them in Downloading Reports from the Search Interface.

Reporting in Suggested Searches

You can find suggested search queries, like:

  • All Identity Security Cloud Admins - All org administrators in your Identity Security Cloud site.
  • Identities with Errors - All identities in your system that have errors.
  • Identity Activity - All activity performed by or on any identity in your site. To return activity from only one identity, change both instances of * to the name of the identity.
  • Inactive Identities with Active Accounts - All identities in your system that don't have access to Identity Security Cloud, but can access one or more source accounts.
  • Source Activity - All activity performed by or on any source in your site. To narrow this query to return activity from only one source, change the * to the name of the source you want to search for.

Download the results of these queries using the same steps found in Downloading Reports from the Search Interface.

Admin Dashboard

The Admin Dashboard contains at-a-glance information about configured data and recent activity in your site. You can view the following information on the Admin Dashboard, depending on what you have configured in your SailPoint SaaS platform.

System Components Status

This panel displays the total number of sources, VA clusters, identities, and applications available in your tenant.

The following information displays in this panel:

  • Sources - The number of sources in your tenant.
  • Clusters - The number of virtual appliance clusters set up in your tenant.
  • Identities - The number of identities in your system.
  • Applications - The number of enabled applications in your site.

Warnings will display on a tile if an item is unhealthy or in an error state. The tile will also list the number of errors associated with the component.

For VA clusters, the following warnings may also display:

  • A yellow warning displays if a cluster is in a warning state.
  • A red warning displays if a cluster is in an error or failed state.
  • A red warning displays if multiple clusters are in warning and error states.

Aggregation Activity

View aggregations from the past 90 days. The 5 most recent aggregations are displayed by default. Select View All to view a complete list.

Org Details

View basic metadata about your site. You can find out which features are active and the number of identities permitted for your organization in Global > System Settings > System Features.

Organization details with the organization name, region, pod, and layer.

To Do Tasks

Review a list of the manual provisioning tasks that are assigned to users in your org. Select View All for a complete list of incomplete manual provisioning tasks.

Password Resets

View a list of the password resets Identity Security Cloud has performed in the last 7 days.

You can also view an estimate of the financial savings generated for your organization by Identity Security Cloud password resets.

You can modify the amount saved per reset based on your company's internal metrics. The Savings value automatically recalculates based on the number of password resets displayed in the panel.

Certification Campaigns

View graphs that represent the progress of certification campaigns in your site.

Refer to Certification Campaign Status Information and Reports for more information.

Provisioning

View a summary of the provisioning activity over the last 7 days.

Reporting Overview

This table contains an overview of various data tracked in Identity Security Cloud and where you can find it.

For more information about the status of Identity Security Cloud and its services, visit status.sailpoint.com.

Tracked Activity Description Location and Details
All Audit Data

All activity tracked in audit events.

This audit data is available in Search in a default report.

You can also use the search query:

type:*

Access Requests

All activity related to access requests.

This audit data is available in Search in a default report.

You can also use the search query:

type:"ACCESS_REQUEST"

Active Jobs

In-progress background tasks, such as the ACCOUNT_AGGREGATION, REFRESH_IDENTITIES, or SYNCHRONIZE_IDENTITIES jobs.

From the Admin dashboard, go to Dashboard > Monitor and refer to the Active Jobs table.

Applications

Audit events related to app configuration.

This audit data is available in Search.

Use the search query:

technicalName:"APP_*"

Authentication

Audit events related to any kind of authentication.

This audit data is available in Search in a default report.

You can also use the search query:

type:AUTH

Certifications

A basic summary of certification activity.

On the home page, in the Certification Campaigns widget, you can see a list of the 10 oldest certification campaigns in your system and their progress.

Audit events related to any kind of certification activity.

This audit data is available in Search.

Use the search query:

type:CERTIFICATION

Reports about a specific certification or general information about the campaigns in your site.

Refer to Certification Campaign Status Information and Reports for more information.

Data Access Security

A summary of your Data Access Security tenant activity.

On the home page, you can review your DAS activity on two panels:

  • In the Data Access Security Accounts with Excessive Access widget, you can see a list of DAS accounts with high levels of access to critical data resources.
  • In the Data Access Security Accounts Overview widget, you can review information about DAS accounts, security control violations, and security infrastructure health.

Forms

View, edit, and launch the forms in your tenant.

You can review information about the Forms in your site in two places: 

  • On the Forms page, you can review and edit all forms in your site.
  • On the home page, you can see the Forms widget, which contains up to 10 forms that have been added to your MySailPoint home page in the form's details. Review Using the Forms Widget for more information about using forms on the home page.

Identities and Users

Download a list of identities.

You can download a complete list of the identities in your system in two ways.

Find activity for a single identity.

You can view the activity for a single identity in two ways:

  • Select the Identity Activity suggested search or use the search query:
    (actor.name:<name> OR target.name:<name>) AND created:[now-7d/d TO now]
    where <name> is the identity you're searching for. This query returns activity for the previous 7 days by default, but you can adjust that time period. 
  • Navigate to the Activity tab for that identity. This is the same information that is available in Search, but it can be viewed by users who don't have access to Search.

Find events that impact a user's Identity Security Cloud experience, or configuration events for an identity.

This audit data is available in Search.

Use the search query:

type:"USER_MANAGEMENT" OR type:"IDENTITY_MANAGEMENT"

Find identities without managers.

You can download a complete list of identities without managers in two ways:

  • Use the search query:
    NOT _exists_:manager
    to retrieve a list of identities without managers to download.
  • Go to Global > Reports to generate and download the Identities Without Managers report.

Find a list of uncorrelated accounts.

Refer to Resolving Uncorrelated Accounts for more information.

Notices about identities in error states.

If identity processing puts 5% or more of your identities into an error state, your System Components Status will display an error.

Errors also display on the Identities page and on the identity itself.

Refer to Configuring System Health Notifications for more information.

Identity Processing

Track the progress of identity processing.

Refer to Processing Identity Data for more information.

Non-Employee Activity

Download a report of all activity related to non-employee sources.

Use the search query:

type:NON_EMPLOYEE

Results display on the Events tab.

Provisioning

Download a basic audit report of provisioning events.

This audit data is available in Search in a default report.

You can also use the search query:

type:PROVISIONING

Results display on the Events tab.

View a detailed report of all provisioning activity.

This audit data is available in Search.

Use the search query: *

Results display on the Account Activity tab.

View a basic summary of recent provisioning activity.

The Admin Dashboard displays a summary of recent provisioning activity.

Password Changes

All password updates, including for apps, sources, and Identity Security Cloud.

This audit data is available in Search in a default report.

You can also use the search query:

type:"PASSWORD_ACTIVITY"

Search

Download a set of search results for any search category.

Refer to Downloading Reports from the Search Interface for more information.

Source Activity

View a detailed report of all activity on all sources, excluding provisioning activity.

This audit data is available in Search in a default report.

You can also use the search query:

type:"SOURCE_MANAGEMENT"

View a detailed report of all activity related to a single source.

This audit data is available in Search.

Select the suggested search called Source Activity to find this data.

You can also use the search query:

actor.name:<source name> OR target.name:<source name> OR attributes.sourceName:<source name>

where <source name> is the name of the source you're monitoring.

View the status of a source or virtual appliance.

Refer to Monitoring VA Health for more information.

View information about aggregations.

Source aggregation information displays throughout Identity Security Cloud.

  • On the Admin Dashboard, in the System Activity panel. You can also select View All to view the System Activity page.
  • On the home page, in the Source Account Activity widget, where you can see the total count of new, edited, or deleted source accounts that Identity Security Cloud detected in recent aggregations. 
  • On the home page, in the Account Changes by Source widget, where you can see the count of new, edited, or deleted accounts per source that Identity Security Cloud detected in recent aggregations.
  • In the table in Admin > System Activity, and in the dialog box that appears when you select the Info icon.
  • In the Aggregation Activity Log.

Notices about source errors.

Source errors display in your System Components Status, source list, and on the source itself.

On the home page, you can see a summary of the count of source errors and warnings over the last 7 days.

Refer to Configuring System Notifications for information on receiving notifications if a source enters an error state.

Task Manager

Find a list of tasks assigned to users that aren't completed.

The Admin Dashboard displays a partial list of incomplete tasks. To view a full list, select View All.

To download a report of these tasks, select CSV. The Global > Reports page displays. Select the appropriate format under Generate and then Download.

This report displays a maximum of 5,000 tasks. If there are fewer than 5,000 tasks, the report might also show completed tasks that are less than 90 days old.

Send daily notifications to users when they have a new task in their Task Manager.

Refer to the Pending Task Daily Digest Email Template for more information.

Virtual Appliances

Find the status of a virtual appliance or source.

Refer to Monitoring VA Health for more information.

Determine which sources are connected to a specific virtual appliance.

Refer to Reviewing Sources Connected to VAs for more information.

Notices about virtual appliance errors.

If Identity Security Cloud is unable to communicate with a VA, an error will display in your System Components Status.
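
The single-identity and single-source queries from the table above, built from a name so that both placeholders are always filled with the same value. This is an added example, not part of the original page or the product: the function names, the double-quoting and backslash escaping of names, and the 397-day upper bound derived from the stated retention period are assumptions.

```python
# Builds the page's activity queries for pasting into Search.
# Assumption: names are wrapped in double quotes (as the page does for
# type:"ACCESS_REQUEST") and embedded quotes/backslashes are backslash-escaped.

# Assumption: "1 year, plus the current month" is at most 366 + 31 days.
MAX_DAYS = 366 + 31


def quote_term(value: str) -> str:
    """Return the name as a quoted phrase so spaces and operators stay literal."""
    if not value or not value.strip():
        raise ValueError("name must not be empty")
    if any(ord(ch) < 32 for ch in value):
        raise ValueError("control characters are not valid in a name")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def identity_activity_query(name: str, days: int = 7) -> str:
    """Activity by or on one identity over the last `days` days (page default: 7)."""
    if not 1 <= days <= MAX_DAYS:
        raise ValueError(f"days must be between 1 and {MAX_DAYS}")
    term = quote_term(name)
    return (f"(actor.name:{term} OR target.name:{term}) "
            f"AND created:[now-{days}d/d TO now]")


def source_activity_query(source_name: str) -> str:
    """Activity by or on one source, matching all three fields the page lists."""
    term = quote_term(source_name)
    return (f"actor.name:{term} OR target.name:{term} "
            f"OR attributes.sourceName:{term}")


if __name__ == "__main__":
    # Constructed sample names, not taken from any real tenant.
    print(identity_activity_query("Jane Doe", days=30))
    print(source_activity_query("HR Directory"))
```
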