Skip to content

Downloading Reports from the Search Interface

Note

Identity Security Cloud is SailPoint’s next-generation identity security solution. It encompasses and builds on features and functions from IdentityNow. The product documentation covers both Identity Security Cloud and IdentityNow features.

Audit reporting in Identity Security Cloud takes place in Search.

You can download the results of any custom search query or any suggested search. You can also find all default audit reports in the toolbar in Search and use the same steps to download those reports.

Downloading the Results of a Search Query

Search gives you the power to download query results so that you have your most important information at your fingertips at any time.

To download the results of a query:

  1. From the Search interface, enter any query and select the Search icon.

  2. Tab to the search category you want to download data for.

    For example, if you want to download all of the entitlements that appeared in your search results, go to the Entitlements tab.

  3. Select the Column Chooser icon .

  4. Choose which columns you would like to include in your CSV report.

    These columns will also appear in the Search UI.

  5. Select the Get Report icon .

  6. If applicable, choose whether you'd like to include additional details about the access related to your data by moving the slider labeled Include Access Details.

    This option is available for identities, access profiles, and roles. The name of this slider is different for each search category it applies to.

    The Get Report dialog, which allows users to choose to include access details before generating a report.

  7. If applicable, select Generate Report.

    This might take several minutes. While Search can display up to 10,000 search results in the interface, this report will always contain the complete list of search results.

  8. Select Download.

  9. Unzip the file and open it in the editor of your choice.

You can access audit reports from the toolbar in Search.

  1. From the Search interface, select the Reports icon in the toolbar.

  2. Choose a report to run.

    When you select the report, Identity Security Cloud automatically runs a search query to return the audit events associated with that report.

    Some of these reports are only available if you subscribe to the applicable service. The table below includes the name of each report, a description of its contents, and the search query used to retrieve the results.

    Report Name Description Query
    All Events All activity tracked by audit events. type:*
    Access Request Activity All activity related to access requests. type:"ACCESS_REQUEST"
    Authentication Activity Events related to any kind of authentication, including into Identity Security Cloud and into apps.  type:AUTH
    Password Changes All password updates, including for apps, sources, and Identity Security Cloud. type:"PASSWORD_ACTIVITY"
    Provisioning Activity See a basic audit report of provisioning events. type:PROVISIONING
    All Source Activity (Non-Provisioning) All activity on all sources, not including provisioning activity. type:"SOURCE_MANAGEMENT"

    You'll see results on the Events tab.

  3. Follow steps 3 - 9 in Downloading the Results of a Search Query to get a copy of your report.

    Identity Security Cloud stores events for the last 12 months, plus the current month.

Reading Search Reports

Each report you download from the Search interface consists of a CSV file with multiple columns. Each column in the CSV file represents a column you selected in the Search interface.

Identities

You can see information about the identities that your search query returned. Note that if you add additional attributes to your identity profiles, those also will appear in the list of available columns.

In the table that follows, you can see the column headers, their definitions, and a search query to find information from those attributes directly.

Column Name
Description Search Query
Display Name The display name of the identity displayName:<term>
First Name The first name of the identity attributes.firstname:<term>
Last Name The last name of the identity attributes.lastname:<term>
Work E-mail The work email address associated with the identity email:<term>
Created The date that the identity was created in Identity Security Cloud created:<term>
Lifecycle State The identity's lifecycle state lifecycleState:<term>
Source Account Count The number of accounts the identity has on various sources accountCount:<term>
Access Count The number of access items the identity has, including entitlements, roles, and access profiles accessCount:<term>
Entitlement Count The number of entitlements the identity has entitlementCount:<term>
Role Count The number of roles assigned to the identity roleCount:<term>
Access Profile Count The number of access profiles the identity has accessProfileCount:<term>
Identity Profile Name The name of the identity profile the identity is a member of identityProfile.name:<term>
Identity Security Cloud Status The identity's status status:<term>
Identity ID The technical ID of the identity id:<term>
Modified The date that the identity was last modified modified:<term>
Personal Phone The identity's alternate phone number personalPhone:<term>
Inactive A boolean describing whether the identity is inactive
inactive:<term>
Employee Number The identity's unique employee number employeeNumber:<term>
Identity Name The name of the identity name:<term>
Source ID The technical ID of the identity's authoritative source source.id:<term>
Processing State Describes whether an identity is in an error state
processingState:<term>
Manager Display Name The display name of the identity's manager manager.displayName:<term>
country The country the identity lives in
attributes.country:<term>
endDate If applicable, the date the identity's employment at your company ended
attributes.endDate:<term>
identificationNumber The identity's employee number as configured in the identity profile
attributes.identificationNumber:<term>
licenseStatus States whether an identity is within the maximum number of identities licensed for your site. See Global > System Settings > System Features for your site's limit.
attributes.licenseStatus:<term>
Personal E-mail The identity's personal email address attributes.personalEmail:<term>
startDate The date the identity's employment at your company started
attributes.startDate:<term>
Identity Security Cloud User Name The Identity Security Cloud user name of the identity attributes.uid:<term>
Work Phone The identity's work phone number workPhone:<term>

You can also choose to include each identity's access information.

If you do this, each access item will be on a separate row of the file. Each identity will appear in the list once for each access item it has.

Including identity access information adds these columns:

Column Name
Description Search Query
Access Type The type of access item @access(type:<term>)
Access Source Name The display name of the source the access comes from @access(source.name:<term>)
Access Display Name The display name of the access item as configured in the UI @access(displayName:<term>)
Access Attribute For entitlements, the attribute used by the source to define the type of entitlement @access(attribute:<term>)
Access Value For entitlements, the value used by the source for the entitlement @access(value:<term>)
Access Description The description of the access item, as entered in the UI @access(description:<term>)
Access Owner Name The access owner's name as it appears on the Identities page. @access(owner.name:<term>)
Access Privileged If the access item is an entitlement, whether the entitlement is marked as privileged. For other access items, whether that item contains an entitlement marked as privileged. @access(privileged:<term>)
Application Name The display name of the app @apps(name:<term>)
Application Source Name The display name of the source that grants the app @apps(source.name:<term>)
Application ID The technical ID of the app @apps(id:<term>)
Application Account ID The technical ID of the user's account on the source that grants the app @apps(account.id:<term>)
Account Source Name The display name of the source the account is on @accounts(source.name:<term>)
Account ID The technical ID of the account @accounts(id:<term>)
Account Entitlements The number of entitlements that the identity has on that account This field is not searchable.
Account Disabled Whether or not the account is disabled in Identity Security Cloud @accounts(disabled:<term>)

Roles

You can see information about the roles that your search query returned.

Column Name
Description Search Query
Name The name of the role name:<term>
Description The user-entered description of the role description:<term>
Modified The date the role was last modified modified:<term>
Enabled A boolean describing whether the role is enabled enabled:<term>
Access Profile Count The number of access profiles granted by the role accessProfileCount:<term>
Owner Name The name of the role owner.name:<term>
Role ID The technical ID of the role id:<term>
Created The date the role was created created:<term>
Requestable A boolean describing whether the role is marked as requestable requestable:<term>
Owner ID The technical ID of the owner of the role owner.id:<term>

You can also choose to include each role's access profile information.

If you do this, each access profile will be on a separate row of the file. Each role will appear in the list once for each access profile it has.

These are the additional columns that will be included if you choose to include access profile details.

Column Name
Description Search Query
Access Profile ID The technical ID of the access profile in this role accessProfiles.id:<term>
Access Profile Name The name of the access profile accessProfiles.name:<term>

Access Profiles

You can see information about the access profiles that your search query returned.

Column Name
Description Search Query
Name The name of the access profile name:<term>
Description The user-entered description of the access profile description:<term>
Modified The date the access profile was last modified modified:<term>
Entitlement Count The number of entitlements in the access profile entitlementCount:<term>
Owner Name The name of the owner of the access profile owner.name:<term>
Source Name The name of the source the entitlements in the access profile come from source.name:<term>
Access Profile ID The technical ID of the access profile id:<term>
Created The date the access profile was created created:<term>
Requestable A boolean describing whether the access profile is marked as requestable requestable:<term>
Owner ID The technical ID of the owner of the access profile owner.id:<term>
Source ID The technical ID of the source the entitlements in the access profile come from source.id:<term>

You can also choose to include each access profile's entitlement information.

If you do this, each entitlement will be on a separate row of the file. Each access profile will appear in the list once for each entitlement it has.

If you choose to include entitlement information for your access profiles, these are the additional columns that will be included.

Column Name
Description Search Query
Entitlement ID The technical ID of the entitlement within the access profile @entitlements(id:<term>)
Entitlement Name The name of the entitlement @entitlements(name:<term>)
Entitlement Description The user-entered description of the entitlement @entitlements(description:<term>)
Entitlement Attribute The attribute used by the source to define the type of entitlement @entitlements(attribute:<term>)
Entitlement Value The value used by the source for this entitlement @entitlements(value:<term>)

Entitlements

You can see information about the entitlements that your search query returned.

Column Name
Description Search Query
Entitlement ID The technical ID of the entitlement id:<term>
Display Name The display name of the entitlement displayName:<term>
Name The name of the entitlement name:<term>
Description The user-entered description of the entitlement description:<term>
Source Name The name of the source the entitlement comes from source.name:<term>
Source ID The technical ID of the source the entitlement comes from source.id:<term>
Privileged Whether or not the entitlement is marked as privileged privileged:<term>
Attribute The attribute used by the source to define the type of entitlement attribute:<term>
Value The value used by the source for this entitlement value:<term>
Modified The date the entitlement was last modified modified:<term>

Events

You can see information about the audit events that your search query returned.

Column Name
Description Search Query
Created The date and time the event began. created:<term>
Name A user-friendly translation of the technical name. name:<term>
Actor The name of the identity, source, or system that generated the event. actor.name:<term>
Target The name of the recipient of the event. target.name:<term>
Operation The action performed during the event. operation:<term>
Status The result of the event. status:<term>
Technical Name The normalized name of the event. technicalName:<term>
Details When available, a description of the event. details:<term>
Type The type or classification of event. type:<term>
ID The technical ID of the event. id:<term>
IP Address The IP address of the target system. ipAddress:<term>
Objects The object or objects the event is happening to. objects:<term>
Source Name In most cases, the name of the source involved in the event. attributes.sourceName:<term>
Source ID In most cases, the technical ID of the source involved in the event. attributes.sourceId:<term>

Account Activity

You can see information about the account activity that your search query returned.

Column Name
Description Search Query
Status The overall status of the account action status:<term>
Action The action performed. This will always match an action in this list. action:<term>
Requester The display name of the user or system that requested the action requester.name:<term>
Recipient The display name of the user or system that the action is modifying recipient.name:<term>
Sources A list of sources that will be modified by the account action sources:<term>
Last Modified The date and time of the last activity related to the action. modified:<term>
Stage The progress of the action on the source stage:<term>
Identity Request ID The technical ID of the request id:<term>
Tracking Number The shortened tracking ID of the action trackingNumber:<term>
Created The date and time the account action was created created:<term>

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.