Downloading Reports from the Search Interface
Note
Identity Security Cloud is SailPoint’s next-generation identity security solution. It encompasses and builds on features and functions from IdentityNow. The product documentation covers both Identity Security Cloud and IdentityNow features.
Audit reporting in Identity Security Cloud takes place in Search.
You can download the results of any custom search query or any suggested search. You can also find all default audit reports in the toolbar in Search and use the same steps to download those reports.
Downloading the Results of a Search Query
Search gives you the power to download query results so that you have your most important information at your fingertips at any time.
To download the results of a query:
1. From the Search interface, enter any query and select the Search icon.
2. Tab to the search category you want to download data for.
   For example, if you want to download all of the entitlements that appeared in your search results, go to the Entitlements tab.
3. Select the Column Chooser icon.
4. Choose which columns you would like to include in your CSV report.
   These columns will also appear in the Search UI.
5. Select the Get Report icon.
6. If applicable, choose whether you'd like to include additional details about the access related to your data by moving the slider labeled Include Access Details.
   This option is available for identities, access profiles, and roles. The name of this slider is different for each search category it applies to.
7. If applicable, select Generate Report.
   This might take several minutes. While Search can display up to 10,000 search results in the interface, this report will always contain the complete list of search results.
8. Select Download.
9. Unzip the file and open it in the editor of your choice.
Downloading Audit Reports from Search
You can access audit reports from the toolbar in Search.
1. From the Search interface, select the Reports icon in the toolbar.
2. Choose a report to run.
   When you select the report, Identity Security Cloud automatically runs a search query to return the audit events associated with that report.
   Some of these reports are only available if you subscribe to the applicable service. The table below includes the name of each report, a description of its contents, and the search query used to retrieve the results.

   Report Name | Description | Query |
   All Events | All activity tracked by audit events. | type:* |
   Access Request Activity | All activity related to access requests. | type:"ACCESS_REQUEST" |
   Authentication Activity | Events related to any kind of authentication, including into Identity Security Cloud and into apps. | type:AUTH |
   Password Changes | All password updates, including for apps, sources, and Identity Security Cloud. | type:"PASSWORD_ACTIVITY" |
   Provisioning Activity | See a basic audit report of provisioning events. | type:PROVISIONING |
   All Source Activity (Non-Provisioning) | All activity on all sources, not including provisioning activity. | type:"SOURCE_MANAGEMENT" |

   You'll see results on the Events tab.
3. Follow steps 3 - 9 in Downloading the Results of a Search Query to get a copy of your report.
Identity Security Cloud stores events for the last 12 months, plus the current month.
Reading Search Reports
Each report you download from the Search interface consists of a CSV file with multiple columns. Each column in the CSV file represents a column you selected in the Search interface.
Identities
You can see information about the identities that your search query returned. Note that if you add additional attributes to your identity profiles, those will also appear in the list of available columns.
In the table that follows, you can see the column headers, their definitions, and a search query to find information from those attributes directly.
Column Name | Description | Search Query |
Display Name | The display name of the identity | displayName:<term> |
First Name | The first name of the identity | attributes.firstname:<term> |
Last Name | The last name of the identity | attributes.lastname:<term> |
Work E-mail | The work email address associated with the identity | email:<term> |
Created | The date that the identity was created in Identity Security Cloud | created:<term> |
Lifecycle State | The identity's lifecycle state | lifecycleState:<term> |
Source Account Count | The number of accounts the identity has on various sources | accountCount:<term> |
Access Count | The number of access items the identity has, including entitlements, roles, and access profiles | accessCount:<term> |
Entitlement Count | The number of entitlements the identity has | entitlementCount:<term> |
Role Count | The number of roles assigned to the identity | roleCount:<term> |
Access Profile Count | The number of access profiles the identity has | accessProfileCount:<term> |
Identity Profile Name | The name of the identity profile the identity is a member of | identityProfile.name:<term> |
Identity Security Cloud Status | The identity's status | status:<term> |
Identity ID | The technical ID of the identity | id:<term> |
Modified | The date that the identity was last modified | modified:<term> |
Personal Phone | The identity's alternate phone number | personalPhone:<term> |
Inactive | A boolean describing whether the identity is inactive | inactive:<term> |
Employee Number | The identity's unique employee number | employeeNumber:<term> |
Identity Name | The name of the identity | name:<term> |
Source ID | The technical ID of the identity's authoritative source | source.id:<term> |
Processing State | Describes whether an identity is in an error state | processingState:<term> |
Manager Display Name | The display name of the identity's manager | manager.displayName:<term> |
country | The country the identity lives in | attributes.country:<term> |
endDate | If applicable, the date the identity's employment at your company ended | attributes.endDate:<term> |
identificationNumber | The identity's employee number as configured in the identity profile | attributes.identificationNumber:<term> |
licenseStatus | States whether an identity is within the maximum number of identities licensed for your site. See Global > System Settings > System Features for your site's limit. | attributes.licenseStatus:<term> |
Personal E-mail | The identity's personal email address | attributes.personalEmail:<term> |
startDate | The date the identity's employment at your company started | attributes.startDate:<term> |
Identity Security Cloud User Name | The Identity Security Cloud user name of the identity | attributes.uid:<term> |
Work Phone | The identity's work phone number | workPhone:<term> |
You can also choose to include each identity's access information.
If you do this, each access item will be on a separate row of the file. Each identity will appear in the list once for each access item it has.
Including identity access information adds these columns:
Column Name | Description | Search Query |
Access Type | The type of access item | @access(type:<term>) |
Access Source Name | The display name of the source the access comes from | @access(source.name:<term>) |
Access Display Name | The display name of the access item as configured in the UI | @access(displayName:<term>) |
Access Attribute | For entitlements, the attribute used by the source to define the type of entitlement | @access(attribute:<term>) |
Access Value | For entitlements, the value used by the source for the entitlement | @access(value:<term>) |
Access Description | The description of the access item, as entered in the UI | @access(description:<term>) |
Access Owner Name | The access owner's name as it appears on the Identities page. | @access(owner.name:<term>) |
Access Privileged | If the access item is an entitlement, whether the entitlement is marked as privileged. For other access items, whether that item contains an entitlement marked as privileged. | @access(privileged:<term>) |
Application Name | The display name of the app | @apps(name:<term>) |
Application Source Name | The display name of the source that grants the app | @apps(source.name:<term>) |
Application ID | The technical ID of the app | @apps(id:<term>) |
Application Account ID | The technical ID of the user's account on the source that grants the app | @apps(account.id:<term>) |
Account Source Name | The display name of the source the account is on | @accounts(source.name:<term>) |
Account ID | The technical ID of the account | @accounts(id:<term>) |
Account Entitlements | The number of entitlements that the identity has on that account | This field is not searchable. |
Account Disabled | Whether or not the account is disabled in Identity Security Cloud | @accounts(disabled:<term>) |
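Because each identity appears once per access item, a plain row count overstates the number of identities in such a report. The following Python script is an added example, not SailPoint code: it folds the report back to one record per identity and lists inactive identities that still hold privileged access. It assumes the CSV headers match the column names in the tables above and that boolean cells contain true or false; the sample rows are constructed.

```python
import csv
import io

# Constructed sample of an Identities report downloaded with access details.
# Assumption: header names equal the column names documented above, and
# boolean cells are the strings "true" / "false".
SAMPLE_REPORT = """\
Identity ID,Display Name,Inactive,Access Type,Access Source Name,Access Display Name,Access Privileged
id-001,Ana Ruiz,false,ENTITLEMENT,Active Directory,Domain Admins,true
id-001,Ana Ruiz,false,ROLE,Identity Security Cloud,Helpdesk,false
id-002,Ben Cole,true,ENTITLEMENT,Active Directory,Domain Admins,true
id-002,Ben Cole,true,ACCESS_PROFILE,Finance App,AP Clerk,false
id-003,Cy Dunn,false,ENTITLEMENT,Finance App,Viewer,false
"""


def is_true(cell):
    """Interpret a CSV cell as a boolean (assumed 'true'/'false' text)."""
    return (cell or "").strip().lower() == "true"


def collapse_identities(report_file):
    """Fold the one-row-per-access-item layout into one record per identity."""
    identities = {}
    for row in csv.DictReader(report_file):
        rec = identities.setdefault(row["Identity ID"], {
            "display_name": row["Display Name"],
            "inactive": is_true(row["Inactive"]),
            "access_count": 0,
            "privileged": [],
        })
        rec["access_count"] += 1
        if is_true(row["Access Privileged"]):
            rec["privileged"].append(
                (row["Access Source Name"], row["Access Display Name"]))
    return identities


def inactive_with_privileged_access(identities):
    """Return the IDs of inactive identities that hold privileged access."""
    return sorted(identity_id for identity_id, rec in identities.items()
                  if rec["inactive"] and rec["privileged"])


if __name__ == "__main__":
    ids = collapse_identities(io.StringIO(SAMPLE_REPORT))
    for identity_id in inactive_with_privileged_access(ids):
        print(identity_id, ids[identity_id]["display_name"],
              ids[identity_id]["privileged"])
```

To run it against a real download, pass an open file handle for the unzipped CSV to collapse_identities instead of the constructed sample.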
Roles
You can see information about the roles that your search query returned.
Column Name | Description | Search Query |
Name | The name of the role | name:<term> |
Description | The user-entered description of the role | description:<term> |
Modified | The date the role was last modified | modified:<term> |
Enabled | A boolean describing whether the role is enabled | enabled:<term> |
Access Profile Count | The number of access profiles granted by the role | accessProfileCount:<term> |
Owner Name | The name of the owner of the role | owner.name:<term> |
Role ID | The technical ID of the role | id:<term> |
Created | The date the role was created | created:<term> |
Requestable | A boolean describing whether the role is marked as requestable | requestable:<term> |
Owner ID | The technical ID of the owner of the role | owner.id:<term> |
You can also choose to include each role's access profile information.
If you do this, each access profile will be on a separate row of the file. Each role will appear in the list once for each access profile it has.
These are the additional columns that will be included if you choose to include access profile details.
Column Name | Description | Search Query |
Access Profile ID | The technical ID of the access profile in this role | accessProfiles.id:<term> |
Access Profile Name | The name of the access profile | accessProfiles.name:<term> |
Access Profiles
You can see information about the access profiles that your search query returned.
Column Name | Description | Search Query |
Name | The name of the access profile | name:<term> |
Description | The user-entered description of the access profile | description:<term> |
Modified | The date the access profile was last modified | modified:<term> |
Entitlement Count | The number of entitlements in the access profile | entitlementCount:<term> |
Owner Name | The name of the owner of the access profile | owner.name:<term> |
Source Name | The name of the source the entitlements in the access profile come from | source.name:<term> |
Access Profile ID | The technical ID of the access profile | id:<term> |
Created | The date the access profile was created | created:<term> |
Requestable | A boolean describing whether the access profile is marked as requestable | requestable:<term> |
Owner ID | The technical ID of the owner of the access profile | owner.id:<term> |
Source ID | The technical ID of the source the entitlements in the access profile come from | source.id:<term> |
You can also choose to include each access profile's entitlement information.
If you do this, each entitlement will be on a separate row of the file. Each access profile will appear in the list once for each entitlement it has.
If you choose to include entitlement information for your access profiles, these are the additional columns that will be included.
Column Name | Description | Search Query |
Entitlement ID | The technical ID of the entitlement within the access profile | @entitlements(id:<term>) |
Entitlement Name | The name of the entitlement | @entitlements(name:<term>) |
Entitlement Description | The user-entered description of the entitlement | @entitlements(description:<term>) |
Entitlement Attribute | The attribute used by the source to define the type of entitlement | @entitlements(attribute:<term>) |
Entitlement Value | The value used by the source for this entitlement | @entitlements(value:<term>) |
Entitlements
You can see information about the entitlements that your search query returned.
Column Name | Description | Search Query |
Entitlement ID | The technical ID of the entitlement | id:<term> |
Display Name | The display name of the entitlement | displayName:<term> |
Name | The name of the entitlement | name:<term> |
Description | The user-entered description of the entitlement | description:<term> |
Source Name | The name of the source the entitlement comes from | source.name:<term> |
Source ID | The technical ID of the source the entitlement comes from | source.id:<term> |
Privileged | Whether or not the entitlement is marked as privileged | privileged:<term> |
Attribute | The attribute used by the source to define the type of entitlement | attribute:<term> |
Value | The value used by the source for this entitlement | value:<term> |
Modified | The date the entitlement was last modified | modified:<term> |
Events
You can see information about the audit events that your search query returned.
Column Name | Description | Search Query |
Created | The date and time the event began. | created:<term> |
Name | A user-friendly translation of the technical name. | name:<term> |
Actor | The name of the identity, source, or system that generated the event. | actor.name:<term> |
Target | The name of the recipient of the event. | target.name:<term> |
Operation | The action performed during the event. | operation:<term> |
Status | The result of the event. | status:<term> |
Technical Name | The normalized name of the event. | technicalName:<term> |
Details | When available, a description of the event. | details:<term> |
Type | The type or classification of event. | type:<term> |
ID | The technical ID of the event. | id:<term> |
IP Address | The IP address of the target system. | ipAddress:<term> |
Objects | The object or objects the event is happening to. | objects:<term> |
Source Name | In most cases, the name of the source involved in the event. | attributes.sourceName:<term> |
Source ID | In most cases, the technical ID of the source involved in the event. | attributes.sourceId:<term> |
Account Activity
You can see information about the account activity that your search query returned.
Column Name | Description | Search Query |
Status | The overall status of the account action | status:<term> |
Action | The action performed. This will always match an action in this list. | action:<term> |
Requester | The display name of the user or system that requested the action | requester.name:<term> |
Recipient | The display name of the user or system that the action is modifying | recipient.name:<term> |
Sources | A list of sources that will be modified by the account action | sources:<term> |
Last Modified | The date and time of the last activity related to the action. | modified:<term> |
Stage | The progress of the action on the source | stage:<term> |
Identity Request ID | The technical ID of the request | id:<term> |
Tracking Number | The shortened tracking ID of the action | trackingNumber:<term> |
Created | The date and time the account action was created | created:<term> |