Audit Reports and Monitoring
Nearly everything that happens in Identity Security Cloud is tracked in audit reports that you can download, send to auditors, and search for events or patterns. You can view audit data in Search, on the Admin Dashboard, and throughout Identity Security Cloud. You can additionally configure Identity Security Cloud to send notifications when certain components of your site have problems.
Audit data is stored for 1 year, plus the current month. If you need to access older data, up to 5 years old, fill out the Audit History Request Form and submit it with a support ticket.
Audit Reports in Search
All audit activity can be found in Search. You can download default audit reports or modify your search query to download a custom report.
You can download the following default audit reports from Search:
- All Events - All activity that Identity Security Cloud tracks in audit events.
- Access Request Activity - All activity related to access requests.
- Authentication Activity - Events related to any kind of authentication, including into Identity Security Cloud and into apps.
- Password Changes - All password updates, including for apps, sources, and Identity Security Cloud.
- Provisioning Activity - View a basic audit report of provisioning events.
- All Source Activity (Non-Provisioning) - All activity on all sources, not including provisioning activity.
You can learn more about these reports, the queries they use, and how to download them in Downloading Reports from the Search Interface.
Reporting in Suggested Searches
You can find suggested search queries, like:
Suggested Search | Description |
All Identity Security Cloud Admins | All org administrators in your Identity Security Cloud site. |
Identities with Errors | All identities in your system that have errors. |
Identity Activity | All activity performed by or on any identity in your site. To return activity from only one identity, change both instances of * to the name of the identity. |
Inactive Identities with Active Accounts | All identities in your system that don't have access to Identity Security Cloud, but can access one or more source accounts. |
Source Activity | All activity performed by or on any source in your site. To narrow this query to return activity from only one source, change the * to the name of the source you want to search for. |
Download the results of these queries using the same steps found in Downloading Reports from the Search Interface.
Admin Dashboard
The Admin Dashboard contains at-a-glance information about configured data and recent activity in your site. You can view the following information on the Admin Dashboard, depending on what you have configured in your SailPoint SaaS platform.
This panel displays the total number of sources, VA clusters, identities, and applications available in your tenant.
The following information displays in this panel:
- Sources - The number of sources in your tenant.
- Clusters - The number of virtual appliance clusters set up in your tenant.
- Identities - The number of identities in your system.
- Applications - The number of enabled applications in your site.
Warnings will display on a tile if an item is unhealthy or in an error state. The tile will also list the number of errors associated with the component.
For VA clusters, the following warnings may also display:
- A yellow warning displays if a cluster is in a warning state.
- A red warning displays if a cluster is in an error or failed state.
- A red warning displays if multiple clusters are in warning and error states.
Aggregation Activity
View aggregations from the past 90 days. The 5 most recent aggregations are displayed by default. Select View All to view a complete list.
Org Details
View basic metadata about your site. You can find out which features are active and the number of identities permitted for your organization in Global > System Settings > System Features.
To Do Tasks
Review a list of the manual provisioning tasks that are assigned to users in your org. Select View All for a complete list of incomplete manual provisioning tasks.
Password Resets
View a list of the password resets Identity Security Cloud has performed in the last 7 days.
You can also view an estimate of the financial savings generated for your organization by Identity Security Cloud password resets.
You can modify the amount saved per reset based on your company's internal metrics. The Savings value automatically recalculates based on the number of password resets displayed in the panel.
Certification Campaigns
View graphs that represent the progress of certification campaigns in your site.
Refer to Certification Campaign Status Information and Reports for more information.
Provisioning
View a summary of the provisioning activity over the last 7 days.
Reporting Overview
This table contains an overview of various data tracked in Identity Security Cloud and where you can find it.
For more information about the status of Identity Security Cloud and its services, visit status.sailpoint.com.
Tracked Activity | Description | Location and Details |
All Audit Data | All activity tracked in audit events. | This audit data is available in Search in a default report. You can also use the search query: type:* |
Access Requests | All activity related to access requests. | This audit data is available in Search in a default report. You can also use the search query: type:"ACCESS_REQUEST" |
Active Jobs | In-progress background tasks, such as the ACCOUNT_AGGREGATION, REFRESH_IDENTITIES, or SYNCHRONIZE_IDENTITIES jobs. | From the Admin dashboard, go to Dashboard > Monitor and refer to the Active Jobs table. |
Applications | Audit events related to app configuration. | This audit data is available in Search. Use the search query: technicalName:"APP_*" |
Authentication | Audit events related to any kind of authentication. | This audit data is available in Search in a default report. You can also use the search query: type:AUTH |
Certifications | A basic summary of certification activity. | On the home page, in the Certification Campaigns widget, you can see a list of the 10 oldest certification campaigns in your system and their progress. |
Certifications | Audit events related to any kind of certification activity. | This audit data is available in Search. Use the search query: type:CERTIFICATION |
Certifications | Reports about a specific certification or general information about the campaigns in your site. | Refer to Certification Campaign Status Information and Reports for more information. |
Data Access Security | A summary of your Data Access Security tenant activity. | On the home page, you can review your DAS activity on two panels: |
Forms | View, edit, and launch the forms in your tenant. | You can review information about the Forms in your site in two places: |
Identities and Users | Download a list of identities. | You can download a complete list of the identities in your system in two ways. |
Identities and Users | Find activity for a single identity. | You can view the activity for a single identity in two ways: |
Identities and Users | Find events that impact a user's Identity Security Cloud experience, or configuration events for an identity. | This audit data is available in Search. Use the search query: type:"USER_MANAGEMENT" OR type:"IDENTITY_MANAGEMENT" |
Identities and Users | Find identities without managers. | You can download a complete list of identities without managers in two ways: |
Identities and Users |  | Refer to Resolving Uncorrelated Accounts for more information. |
Identities and Users | Notices about identities in error states. | If identity processing puts 5% or more of your identities into an error state, your System Components Status will display an error. Errors also display on the Identities page and on the identity itself. Refer to Configuring System Health Notifications for more information. |
Identity Processing | Track the progress of identity processing. | Refer to Processing Identity Data for more information. |
Machine Accounts | View and edit machine accounts in your tenant. | On the Machine Accounts page, you can review and manage all machine accounts in your tenant. |
Machine Accounts | View a high-level health breakdown of machine accounts. | On the home page, you can see the Machine Account Management widget, which contains high-level information and insights about accounts in your tenant including: |
Non-Employee Activity | Download a report of all activity related to non-employee sources. | Use the search query: type:NON_EMPLOYEE Results display on the Events tab. |
Provisioning | Download a basic audit report of provisioning events. | This audit data is available in Search in a default report. You can also use the search query: type:PROVISIONING Results display on the Events tab. |
Provisioning | View a detailed report of all provisioning activity. | This audit data is available in Search. Use the search query: * Results display on the Account Activity tab. |
Provisioning | View a basic summary of recent provisioning activity. | The Admin Dashboard displays a summary of recent provisioning activity. |
Password Changes | All password updates, including for apps, sources, and Identity Security Cloud. | This audit data is available in Search in a default report. You can also use the search query: type:"PASSWORD_ACTIVITY" |
Search | Download a set of search results for any search category. | Refer to Downloading Reports from the Search Interface for more information. |
Source Activity | View a detailed report of all activity on all sources, excluding provisioning activity. | This audit data is available in Search in a default report. You can also use the search query: type:"SOURCE_MANAGEMENT" |
Source Activity | View a detailed report of all activity related to a single source. | This audit data is available in Search. Select the suggested search called Source Activity to find this data. You can also use the search query: actor.name:<source name> OR target.name:<source name> OR attributes.sourceName:<source name> where <source name> is the name of the source you're monitoring. |
Source Activity | View the status of a source or virtual appliance. | Refer to Monitoring VA Health for more information. |
Source Activity | View information about aggregations. | Source aggregation information displays throughout Identity Security Cloud. |
Source Activity | Notices about source errors. | Source errors display in your System Components Status, source list, and on the source itself. On the home page, you can see a summary of the count of source errors and warnings over the last 7 days. Refer to Configuring System Notifications for information on receiving notifications if a source enters an error state. |
Task Manager | Find a list of tasks assigned to users that aren't completed. | The Admin Dashboard displays a partial list of incomplete tasks. To view a full list, select View All. To download a report of these tasks, select CSV. The Global > Reports page displays. Select the appropriate format under Generate and then Download. This report displays a maximum of 5,000 tasks. If there are fewer than 5,000 tasks, the report might also show completed tasks that are less than 90 days old. |
Task Manager | Send daily notifications to users when they have a new task in their Task Manager. | Refer to the Pending Task Daily Digest Email Template for more information. |
Virtual Appliances | Find the status of a virtual appliance or source. | Refer to Monitoring VA Health for more information. |
Virtual Appliances | Determine which sources are connected to a specific virtual appliance. | Refer to Reviewing Sources Connected to VAs for more information. |
Virtual Appliances | Notices about virtual appliance errors. | If Identity Security Cloud is unable to communicate with a VA, an error will display in your System Components Status. |
Workflows | Lifecycle management - create, update, or delete a workflow in your tenant. | This audit data is available in Search. Use the search query: Workflows |
Workflows | Enable or disable a workflow in your tenant. | This audit data is available in Search. Use the search query: Workflows |
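Added example (not from SailPoint's documentation or code): a Python helper that fills in the single-source Source Activity query template from the table above, quoting the source name so that a name containing spaces or quotation marks stays a single search term in every clause. It assumes Search accepts Elasticsearch-style double-quoted phrases and AND with parentheses; the function names and sample source names are hypothetical.

```python
from typing import Optional

# The three fields used by the single-source query template on this page.
SOURCE_FIELDS = ("actor.name", "target.name", "attributes.sourceName")


def quote_phrase(value: str) -> str:
    """Return value as a double-quoted phrase that is safe to embed in a query.

    Assumption: inside a quoted phrase only backslash and double quote need
    escaping (Elasticsearch query-string rules).
    """
    value = value.strip()
    if not value:
        raise ValueError("value must not be empty")
    if any(ord(ch) < 32 for ch in value):
        raise ValueError("control characters are not allowed")
    # Escape backslashes first so the quote escapes are not doubled.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def source_activity_query(source_name: str, event_type: Optional[str] = None) -> str:
    """Build the single-source audit query, optionally limited to one event type."""
    phrase = quote_phrase(source_name)
    clauses = " OR ".join(f"{field}:{phrase}" for field in SOURCE_FIELDS)
    if event_type is None:
        return clauses
    # Parenthesise the OR group so the type filter applies to all three fields.
    return f"type:{quote_phrase(event_type)} AND ({clauses})"


if __name__ == "__main__":
    # Constructed sample names, including one that would otherwise split the query.
    for name in ("Active Directory - Corp", 'HR "Prod"'):
        print(source_activity_query(name))
    print(source_activity_query("Corp AD", "SOURCE_MANAGEMENT"))
```

Without the quoting, a source name such as Active Directory - Corp would be read as several separate terms, and the downloaded report would include events that do not belong to that source.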