
Audit Reports and Monitoring

Audit data is how you track everything that happens in your organization - from whether an aggregation finished, to the cause of an error, to the status of your sources. Nearly everything that happens in IdentityNow is tracked in audit reports and surfaced in various places throughout the interface. They can be downloaded, sent to auditors, and searched for specific events or patterns. You can even configure IdentityNow to send you notifications when certain components of your site have problems.

All audit data in IdentityNow is stored for 1 year, plus the current month. If you need to access older data, up to 5 years old, fill out the Audit History Request Form and submit it with a support ticket.

This document covers the types of information IdentityNow tracks and how to find it. Use the navigation on the right side of this page to help you find the information most relevant to you.

All IdentityNow audit activity can be found in Search. You can download several readily available audit reports or download a custom report by modifying your search query.

You can download the following default audit reports from Search:

  • All Events - All activity that IdentityNow tracks in audit events.
  • Access Request Activity - All activity related to access requests.
  • Authentication Activity - Events related to any kind of authentication, including into IdentityNow and into apps.
  • Password Changes - All password updates, including for apps, sources, and IdentityNow.
  • Provisioning Activity - View a basic audit report of provisioning events.
  • All Source Activity (Non-Provisioning) - All activity on all sources, not including provisioning activity.

You can learn more about these reports, the queries they use, and how to download them in Downloading Reports from the Search Interface.

Reporting in Suggested Searches

You can find several helpful search queries in IdentityNow's list of Suggested Searches. This list contains many searches, but some users might find the following searches helpful:

  • All IdentityNow Admins - All org administrators in your IdentityNow site.
  • Identities with Errors - All identities in your system that have errors.
  • Identity Activity - All activity performed by or on any identity in your site. To narrow this query to return activity from only one specific identity, replace both instances of * with the name of the identity you want to search for.
  • Inactive Identities with Active Accounts - All identities in your system that don't have access to IdentityNow, but can access one or more source accounts.
  • Source Activity - All activity performed by or on any source in your site. To narrow this query to return activity from only one source, change the * to the name of the source you want to search for.

Download the results of these queries using the same steps found in Downloading Reports from the Search Interface.

Activity on the Admin Dashboard

The admin dashboard contains at-a-glance information about recent activity in your site.

On the admin dashboard, you can view some of the following information, depending on what's included in your SailPoint SaaS platform:

System Components Status
  • Sources - The number of sources that have accounts associated with identities.
  • Clusters - The number of virtual appliance clusters connected to sources.
  • Identities - The number of identities in your system.
  • Applications - The number of enabled applications in your site.
  • Component errors - Errors with the sources, clusters, identities, and applications.

System Activity - This panel displays a subset of important events that have happened in your system over the last 7 days. The 5 most recent events are displayed by default. Select View All to view a complete list of events.

These events may follow a different format than is displayed in Search. The times listed here reflect your browser's current settings.
Org Details - View basic metadata about your site, including the organization name, region, pod, and layer. You can find out which features are active and the number of identities permitted for your organization in Global > System Settings > System Features.
To Do Tasks - Review a list of the manual provisioning tasks that are assigned to users in your org. Select View All for a complete list of incomplete manual provisioning tasks.

Password Resets - View a list of the password resets IdentityNow has performed in the last 7 days.

You can also view an estimate of the financial savings generated for your organization by IdentityNow password resets.

You can modify the amount saved per reset based on your company's internal metrics. The Savings value automatically recalculates based on the number of password resets displayed in the panel.

Certification Campaigns - Page through graphs representing the progress of certification campaigns in your site.

Refer to Certification Campaign Status Information and Reports for more information.

Provisioning - View a summary of the provisioning activity in IdentityNow over the last 7 days.

Reporting Overview

This table contains an overview of various data tracked in IdentityNow, and where you can find it.

For more information about the status of IdentityNow and its services, visit status.sailpoint.com.

Tracked Activity Description Location and Details
All Audit Data

All activity that IdentityNow tracks in audit events.

This audit data is available in Search in a default report.

You can also use the search query:

type:*

to retrieve this data.

Access Requests

All activity related to access requests.

This audit data is available in Search in a default report.

You can also use the search query:

type:"ACCESS_REQUEST"

to retrieve this data.

Applications

Audit events related to app configuration.

This audit data is available in Search.

Use the search query:

technicalName:"APP_*"

to retrieve this data.

Authentication

Audit events related to any kind of authentication.

This audit data is available in Search in a default report.

You can also use the search query:

type:AUTH

to retrieve this data.

Certifications

Audit events related to any kind of certification activity.

This audit data is available in Search.

Use the search query:

type:CERTIFICATION

to retrieve this data.

Reports about a specific certification, or general information about the campaigns in your site.

Refer to Certification Campaign Status Information and Reports for more information.

Identities and Users

Download a list of identities.

You can download a complete list of the identities in your system in two ways.

  • Use the search query:
    *
    to retrieve a list of all identities, and then download that list of identities.
  • View how to export a list of identities from the IdentityNow user interface.

Find activity for a single identity.

You can view the activity for a single identity in two ways:

  • Select the suggested search called Identity Activity. You can also use the search query:
    (actor.name:<name> OR target.name:<name>) AND created:[now-7d/d TO now]
    where <name> is the name of the identity you're searching for. This query returns activity for the previous 7 days by default, but you can adjust that time period. 
  • Navigate to the Activity tab for that identity. This is the same information that is available in Search, but it can be viewed by users who don't have access to Search.

Find events that impact a user's IdentityNow experience, or configuration events for an identity.

This audit data is available in Search.

Use the search query:

type:"USER_MANAGEMENT" OR type:"IDENTITY_MANAGEMENT"

to retrieve this data.

Find identities without managers.

You can download a complete list of identities without managers in two ways:

  • Use the search query:
    NOT _exists_:manager
    to retrieve a list of identities without managers, and then download that list.
  • Go to Global > Reports to generate and download the Identities Without Managers report.

Find a list of uncorrelated accounts.

View Manage Uncorrelated Accounts for more information on downloading uncorrelated accounts from Global.

Notices about identities in error states.

If identity processing occurs and puts 5% or more of your identities into an error state, your System Components Status will display an error.

Errors also display in the identity list and on the identity itself.

View Receiving System Error Notifications to learn how to receive notifications if your identities enter an error status.

Identity Processing

Track the progress of identity processing.

You can learn more about the identity processing taking place in your system in Processing Identity Data.

Non-Employee Activity

Download a report of all activity related to non-employee sources.

Use the search query:

type:NON_EMPLOYEE

to retrieve this data. This query returns results in the Events tab.

Provisioning

Download a basic audit report of provisioning events.

This audit data is available in Search in a default report.

You can also use the search query:

type:PROVISIONING

to retrieve this data. This query returns results in the Events tab.

View a detailed report of all provisioning activity.

This audit data is available in Search.

Use the search query:

*

to retrieve this data. This query returns results on the Account Activity tab.

View a basic summary of recent provisioning activity.

Go to the Admin Dashboard to view a summary of recent provisioning activity.

Password Changes

All password updates, including for apps, sources, and IdentityNow.

This audit data is available in Search in a default report.

You can also use the search query:

type:"PASSWORD_ACTIVITY"

to retrieve this data.

Search

You can download any set of search results for any search category.

You can learn more about downloading search results in Download Reports from the Search Interface.

Source Activity

View a detailed report of all activity on all sources, not including provisioning activity.

This audit data is available in Search in a default report.

You can also use the search query:

type:"SOURCE_MANAGEMENT"

to retrieve this data.

View a detailed report of all activity related to a single source.

This audit data is available in Search.

Select the suggested search called Source Activity to find this data.

You can also use the search query:

actor.name:<source name> OR target.name:<source name> OR attributes.sourceName:<source name>

where <source name> is the name of the source you're monitoring.
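
The Identity Activity and single-source queries above take a name in place of <name> and <source name>. The sketch below is an added example, not SailPoint code: it fills in those two queries and double-quotes the name, on the assumption that Search follows Elasticsearch query-string rules, where an unquoted multi-word name would split at the space. The function names are hypothetical.

```python
# Added example: builds the two query strings shown on this page.
# Assumption: Search parses Elasticsearch-style query strings, so a
# double-quoted phrase keeps a multi-word name attached to its field.


def quote_term(value: str) -> str:
    """Return value as a quoted phrase, escaping backslashes and quotes."""
    value = value.strip()
    if not value:
        raise ValueError("name must not be empty")
    if value == "*":
        return "*"  # the suggested searches use a bare wildcard by default
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def identity_activity_query(name: str, days: int = 7) -> str:
    """Identity Activity query for one identity over the last `days` days."""
    if not isinstance(days, int) or days < 1:
        raise ValueError("days must be a positive integer")
    term = quote_term(name)
    return (f"(actor.name:{term} OR target.name:{term}) "
            f"AND created:[now-{days}d/d TO now]")


def source_activity_query(source_name: str) -> str:
    """Source Activity query for one source, across all three name fields."""
    term = quote_term(source_name)
    return (f"actor.name:{term} OR target.name:{term} "
            f"OR attributes.sourceName:{term}")


if __name__ == "__main__":
    # Constructed sample names, not taken from any real tenant.
    print(identity_activity_query("Jane Doe"))
    print(identity_activity_query("*", days=30))
    print(source_activity_query("HR Directory"))
```

Paste the printed string into Search, then download the results as described in Downloading Reports from the Search Interface.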

View the status of a source or virtual appliance.

Learn more about virtual appliance and source statuses in Virtual Appliance and Source Configuration Status Definitions.

View information about aggregations.

You can find details about source aggregations in a number of places.

  • On the Admin dashboard, in the System Activity panel. You can also select View All to view the System Activity page.
  • In the table in Admin > System Activity, and in the dialog box that appears when you select the Info icon.
  • To view a specific source's detailed aggregation progress, go to Connections > Sources and select the source you want to view. In the Import Data tab, select Import Accounts. The last table on the page contains details about the most recent aggregations performed by that source, including any aggregations in progress.
    Select the Info icon beside an aggregation listed here to learn more about it. Select the X icon beside an in-progress aggregation to terminate it.

Notices about source errors.

A variety of problems can cause your source to enter an error state. This error displays in your System Components Status.

Errors will display in your list of sources and on the source itself.

View Receiving System Error Notifications to learn how to receive notifications if a source enters an error status.

Task Manager

Find a list of all tasks assigned to users that aren't completed.

Go to the Admin Dashboard to view a partial list of incomplete tasks. To view a full list, select View All. To download a report of these tasks, select CSV.

The Global > Reports page is displayed. Select the appropriate format under Generate and then Download to download a report.

This report displays a maximum of 5,000 tasks. If there are fewer than 5,000 tasks, the report might also show completed tasks that are less than 90 days old.

Notify users when they have a new task in their Task Manager.

You can configure IdentityNow to remind users daily when they have outstanding tasks in their Task Manager. View Email Template: Task Manager Subscription for more information on enabling this feature and the email template it uses.

Virtual Appliances

Find the status of a virtual appliance or source.

You can learn more about a virtual appliance's status in Virtual Appliance and Source Configuration Status Definitions.

Determine which sources are connected to a specific virtual appliance.

View which sources are connected to a virtual appliance using Reviewing Sources Connected to a VA.

Notices about virtual appliance errors.

If IdentityNow is unable to communicate with a VA for a period of time, an error will display in your System Components Status.