Audit Reports and Monitoring

Nearly everything that happens in IdentityNow is tracked in audit reports that you can download, send to auditors, and search for events or patterns. You can view audit data in Search, on the Admin Dashboard, and throughout IdentityNow. You can additionally configure IdentityNow to send notifications when certain components of your site have problems.

Audit data in IdentityNow is stored for 1 year, plus the current month. If you need to access older data, up to 5 years old, fill out the Audit History Request Form and submit it with a support ticket.

Audit Reports in Search

All IdentityNow audit activity can be found in Search. You can download default audit reports or modify your search query to download a custom report.

You can download the following default audit reports from Search:

All Events - All activity that IdentityNow tracks in audit events.
Access Request Activity - All activity related to access requests.
Authentication Activity - Events related to any kind of authentication, including into IdentityNow and into apps.
Password Changes - All password updates, including for apps, sources, and IdentityNow.
Provisioning Activity - View a basic audit report of provisioning events.
All Source Activity (Non-Provisioning) - All activity on all sources, not including provisioning activity.

You can learn more about these reports, the queries they use, and how to download them in Downloading Reports from the Search Interface.

Reporting in Suggested Searches

You can find suggested search queries in IdentityNow, like:

Suggested Search	Description
All IdentityNow Admins	All org administrators in your IdentityNow site.
Identities with Errors	All identities in your system that have errors.
Identity Activity	All activity performed by or on any identity in your site. To return activity from only one identity, change both instances of * to the name of the identity.
Inactive Identities with Active Accounts	All identities in your system that don't have access to IdentityNow, but can access to one or more source accounts.
Source Activity	All activity performed by or on any source in your site. To narrow this query to return activity from only one source, change the * to the name of the source you want to search for.

Download the results of these queries using the same steps found in Downloading Reports from the Search Interface.

Admin Dashboard

The Admin Dashboard contains at-a-glance information about configured data and recent activity in your site. You can view the following information on the Admin Dashboard, depending on what you have configured in your SailPoint SaaS platform.

System Components Status

This panel displays the total number of sources, VA clusters, identities, and applications available in your tenant.

You can view following information displays in this panel:

Sources - The number of sources in your tenant.
Clusters - The number of virtual appliance clusters set up in your tenant.
Identities - The number of identities in your system.
Applications - The number of enabled applications in your site.

Warnings will display on a tile if an item is unhealthy or in an error state. The tile will also list the number of errors associated with the component.

For VA clusters, the following warnings may also display:

A yellow warning displays if a cluster is in a warning state.
A red warning displays if a cluster is in an error or failed state.
A red warning displays if multiple clusters are in warning and error states.

System Activity

View a subset of important events that have happened in your system over the last 7 days. The 5 most recent events are displayed by default. Select View All to view a complete list of events.

These events may follow a different format than is displayed in Search. The times listed here reflect your browser's current settings.

Org Details

View basic metadata about your site. You can find out which features are active and the number of identities permitted for your organization in Global > System Settings > System Features.

To Do Tasks

Review a list of the manual provisioning tasks that are assigned to users in your org. Select View All for a complete list of incomplete manual provisioning tasks.

Password Resets

View a list of the password resets IdentityNow has performed in the last 7 days.

You can also view an estimate of the financial savings generated for your organization by IdentityNow password resets.

You can modify the amount saved per reset based on your company's internal metrics. The Savings value automatically recalculates based on the number of password resets displayed in the panel.

Certification Campaigns

View graphs that represent the progress of certification campaigns in your site.

Refer to Certification Campaign Status Information and Reports for more information.

Provisioning

View a summary of the provisioning activity in IdentityNow over the last 7 days.

Reporting Overview

This table contains an overview of various data tracked in IdentityNow, and where you can find it.

For more information about the status of IdentityNow and its services, visit status.sailpoint.com.

Tracked Activity	Description	Location and Details
All Audit Data	All activity that IdentityNow tracks in audit events.	This audit data is available in Search in a default report. You can also use the search query: type:*
Access Requests	All activity related to access requests.	This audit data is available in Search in a default report. You can also use the search query: type:"ACCESS_REQUEST"
Active Jobs	In-progress background tasks, such as the ACCOUNT_AGGREGATION, REFRESH_IDENTITIES, or SYNCHRONIZE_IDENTITIES jobs.	From the Admin dashboard, go to Dashboard > Monitor and refer to the Active Jobs table.
Applications	Audit events related to app configuration.	This audit data is available in Search. Use the search query: technicalName:"APP_*"
Authentication	Audit events related to any kind of authentication.	This audit data is available in Search in a default report. You can also use the search query: type:AUTH
Certifications	Audit events related to any kind of certification activity.	This audit data is available in Search. Use the search query: type:CERTIFICATION
Certifications	Reports about a specific certification or general information about the campaigns in your site.	Refer to Certification Campaign Status Information and Reports for more information.
Identities and Users	Download a list of identities.	You can download a complete list of the identities in your system in two ways. Use the search query: * to retrieve a list of all identities to download. Export a list of identities from the IdentityNow user interface.
	Find activity for a single identity.	You can view the activity for a single identity in two ways: Select the Identity Activity suggested search or use the search query: (actor.name:<name> OR target.name:<name>) AND created:[now-7d/d TO now] where <name> is the identity you're searching for. This query returns activity for the previous 7 days by default, but you can adjust that time period. Navigate to the Activity tab for that identity. This is the same information that is available in Search, but it can be viewed by users who don't have access to Search.
	Find events that impact a user's IdentityNow experience, or configuration events for an identity.	This audit data is available in Search. Use the search query: type:"USER_MANAGEMENT" OR type:"IDENTITY_MANAGEMENT"
	Find identities without managers.	You can download a complete list of identities without managers in two ways: Use the search query: NOT _exists_:manager to retrieve a list of identities without managers to download. Go to Global > Reports to generate and download the Identities Without Managers report.
	Find a list of uncorrelated accounts.	Refer to Resolving Uncorrelated Accounts for more information.
	Notices about identities in error states.	If identity processing puts 5% or more of your identities into an error state, your System Components Status will display an error. Errors also display in the identity list and on the identity itself. Refer to Configuring System Health Notifications for more information.
Identity Processing	Track the progress of identity processing.	Refer to Processing Identity Data for more information.
Non-Employee Activity	Download a report of all activity related to non-employee sources.	Use the search query: type:NON_EMPLOYEE Results display on the Events tab.
Provisioning	Download a basic audit report of provisioning events.	This audit data is available in Search in a default report. You can also use the search query: type:PROVISIONING Results display on the Events tab.
	View a detailed report of all provisioning activity.	This audit data is available in Search. Use the search query: * Results display on the Account Activity tab.
	View a basic summary of recent provisioning activity.	The Admin Dashboard displays a summary of recent provisioning activity.
Password Changes	All password updates, including for apps, sources, and IdentityNow.	This audit data is available in Search in a default report. You can also use the search query: type:"PASSWORD_ACTIVITY"
Search	Download a set of search results for any search category.	Refer to Downloading Reports from the Search Interface for more information.
Source Activity	View a detailed report of all activity on all sources, excluding provisioning activity.	This audit data is available in Search in a default report. You can also use the search query: type:"SOURCE_MANAGEMENT"
	View a detailed report of all activity related to a single source.	This audit data is available in Search. Select the suggested search called Source Activity to find this data. You can also use the search query: actor.name:<source name> OR target.name:<source name> OR attributes.sourceName:<source name> where <source name> is the name of the source you're monitoring.
	View the status of a source or virtual appliance.	Refer to Monitoring VA Health for more information.
	View information about aggregations.	Source aggregation information displays throughout IdentityNow. On the Admin Dashboard, in the System Activity panel. You can also select View All to view the System Activity page. In the table in Admin > System Activity, and in the dialog box that appears when you select the Info icon. In the Aggregation Activity Log.
	Notices about source errors.	Source errors display in your System Components Status, source list, and on the source itself. Refer to Configuring System Notifications for information on receiving notifications if a source enters an error state.
Task Manager	Find a list of tasks assigned to users that aren't completed.	The Admin Dashboard displays a partial list of incomplete tasks. To view a full list, select View All. To download a report of these tasks, select CSV. The Global > Reports page displays. Select the appropriate format under Generate and then Download. This report displays a maximum of 5,000 tasks. If there are fewer than 5,000 tasks, the report might also show completed tasks that are less than 90 days old.
Task Manager	Send daily notifications to users when they have a new task in their Task Manager.	Refer to the Pending Task Daily Digest Email Template for more information.
Virtual Appliances	Find the status of a virtual appliance or source.	Refer to Monitoring VA Health for more information.
	Determine which sources are connected to a specific virtual appliance.	Refer to Reviewing Sources Connected to VAs for more information.
	Notices about virtual appliance errors.	If IdentityNow is unable to communicate with a VA, an error will display in your System Components Status.