Account Provisioning Activity


Details

Query

Monitor All Activity in the last hour

created:[now-1h TO now]

Monitor Selective Activity in the last hour

This is like ‘Monitor All Activity in the last hour’ but filters out routine events that do not need immediate attention, so any new or unexpected event types stand out.

created:[now-1h TO now] AND NOT name:"Aggregate" AND NOT name:"Delete Identity" AND NOT name:"Update Task" AND NOT name:"Change Identity Lifecycle Passed" AND NOT name:"Delete Task Result Passed"

Focus on a specific identity

This is useful for the admin to run in the UI on-demand.

Tip: Search on common terms, such as sAMAccountName, Display Name and Employee ID, to yield full results.

("John Doe" OR 12345)

Events: Failed

Consider building automated alerts/incidents to check if action is required.

created:[now-10h TO now] AND status:Failed

Account Activity Failed

Consider building automated alerts/incidents to check if action is required.

created:[now-1d TO now] AND (status:"Incomplete" OR status:"Failure")

Account Activity Failed specific source

Consider building automated alerts/incidents to check if action is required.

created:[now-1d TO now] AND (status:"Incomplete" OR status:"Failure") AND sources:AD

Account Creations

Useful for Business Intelligence and Reporting / Trend Analysis.

created:[now-48h TO now] AND name:"Create Account Passed"

Account Creations specific source

Useful for Business Intelligence and Reporting / Trend Analysis.

created:[now-48h TO now] AND name:"Create Account Passed" AND attributes.sourceName:"AD"

Account Disablements

Useful for Business Intelligence and Reporting / Trend Analysis.

created:[now-48h TO now] AND name:"Disable Account Passed"

Account Enablements

Useful for Business Intelligence and Reporting / Trend Analysis.

created:[now-3d TO now] AND name:"Enable Account Passed"

Account Entitlement Add

Useful for Business Intelligence and Reporting / Trend Analysis.

created:[now-1d TO now] AND name:"Add Entitlement Passed"

Account Entitlement Removal

Useful for Business Intelligence and Reporting / Trend Analysis.

created:[now-1d TO now] AND name:"Remove Entitlement Passed"

Events marked as Passed even though they contain errors. Why these are reported as Passed still needs to be understood.

technicalName:"ACCOUNT_MODIFY_PASSED" AND exists:attributes.errors

Provisioning Activity because of a change of Lifecycle State.

Useful for Business Intelligence and Reporting.

action:"Cloud Automated *"

action:"Cloud Automated Active"

All Provisioning Activity resulting in Manual Tasks

Useful for Business Intelligence and Reporting / Trend Analysis.

type:MANUAL_WORKITEM

All Provisioning Activity, including activity that results in Manual Tasks

This is a useful catch-all.

type:PROVISIONING

Find entitlements held outside a Role (standalone access)

@access(source.name:SAP* AND standalone:true)

Find users with a specific Role

@access(name:"RoleName")

Find identities where an attribute is not null

attributes.sapusername.exact:*

Find identities where an attribute has a specific value

attributes.sapusername.exact:YANIV

Find identities where an attribute is null

  1. NOT _exists_:attributes.sapusername
  2. NOT _exists_:manager.name



Lifecycle State

Details

Query

Specific State

Useful for Business Intelligence and Reporting and Compliance Checking

attributes.cloudLifecycleState:inactive

Lifecycle State not set

Data Integrity and Compliance Checking. All regular identities should have an LCS.

NOT _exists_:attributes.cloudLifecycleState

Recent Lifecycle State change

Useful for Business Intelligence / Reporting / Compliance Checking / Trend Analysis

created:[now-48h TO now] AND "Change Identity State Passed"

LCS Transition from one state to another

Useful for Business Intelligence / Reporting / Compliance Checking / Trend Analysis

name:"Change Identity State Passed" AND attributes.info:"newState:active previousState:leaver"

Compare Lifecycle State to Account State, e.g. AD enabled but Leaver. The query below finds the inverse mismatch: an identity whose AD account is disabled while its Lifecycle State is still active.

Use this for Compliance Checking.

@accounts(source.name:"AD" AND disabled:true) AND attributes.cloudLifecycleState:active

Non-active users with active accounts

Use this for Compliance Checking.

NOT attributes.cloudLifecycleState:active AND @accounts(disabled:false)
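The two compliance checks above rely on the nested @accounts(...) semantics, where a single account must satisfy the whole bracketed condition. The following added example (not part of the original page) applies the same logic to constructed identity records shaped like the search index fields, and also shows why splitting the condition into two @accounts(...) clauses is not equivalent:

```python
# Constructed sample identity records shaped like the fields the page queries
# (attributes.cloudLifecycleState, accounts[].source.name, accounts[].disabled).
IDENTITIES = [
    {"name": "alice", "attributes": {"cloudLifecycleState": "active"},
     "accounts": [{"source": {"name": "AD"}, "disabled": True}]},
    {"name": "bob", "attributes": {"cloudLifecycleState": "active"},
     "accounts": [{"source": {"name": "AD"}, "disabled": False},
                  {"source": {"name": "SAP"}, "disabled": True}]},
    {"name": "carol", "attributes": {"cloudLifecycleState": "leaver"},
     "accounts": [{"source": {"name": "AD"}, "disabled": False}]},
    {"name": "dave", "attributes": {},  # no Lifecycle State set at all
     "accounts": [{"source": {"name": "AD"}, "disabled": True}]},
]

def lcs(identity):
    return identity.get("attributes", {}).get("cloudLifecycleState")

def any_account(identity, predicate):
    """Nested @accounts(...) semantics: one single account must satisfy the whole predicate."""
    return any(predicate(a) for a in identity.get("accounts", []))

def disabled_ad_but_active(identities):
    """@accounts(source.name:"AD" AND disabled:true) AND attributes.cloudLifecycleState:active"""
    return [i["name"] for i in identities
            if any_account(i, lambda a: a["source"]["name"] == "AD" and a["disabled"])
            and lcs(i) == "active"]

def non_active_with_enabled_account(identities):
    """NOT attributes.cloudLifecycleState:active AND @accounts(disabled:false)
    NOT on a missing field matches, so identities with no state set are included."""
    return [i["name"] for i in identities
            if lcs(i) != "active" and any_account(i, lambda a: not a["disabled"])]

def split_clauses_pitfall(identities):
    """@accounts(source.name:"AD") AND @accounts(disabled:true): the two conditions may be
    met by different accounts, so this is NOT equivalent to the nested form above."""
    return [i["name"] for i in identities
            if any_account(i, lambda a: a["source"]["name"] == "AD")
            and any_account(i, lambda a: a["disabled"])]
```

On the sample data the split form reports bob, whose AD account is enabled, because his disabled SAP account satisfies the second clause.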

Non-active Identity owning a Role, Access Profile, Governance Group or Source.

Tip: Use the Identity ID in a subsequent Search to identify the object that needs a new owner.

Use this for internal governance.

(owns.roles.id:* OR owns.accessProfiles.id:* OR owns.governanceGroups.id:* OR owns.sources.id:*) AND NOT attributes.cloudLifecycleState:active

owner.id:2c..............0

Identities who are not active and have elevated permissions.

Use this for internal governance.

@access(type:ENTITLEMENT AND source.name:IdentityNow) AND NOT attributes.cloudLifecycleState:active

Attribute Sync

Details

Query

Check results for specific source

Useful for Business Intelligence / Reporting / Trend Analysis

attributes.interface:"Attribute Sync" AND sourceName:"AD" 

Check results for specific source attribute

Useful for Business Intelligence / Reporting / Trend Analysis

attributes.interface:"Attribute Sync" AND sourceName:"AD" AND attributes.attributeName:extensionAttribute12

Check Sync failures in last day

Use this for monitoring. Requires action.

created:[now-1d TO now] AND attributes.interface:"Attribute Sync" AND NOT name:"Modify Account Passed"


Identities General Data

Details

Query

All identities

Tip: Create a saved search of all/most columns available. Download the report and use a spreadsheet to slice and dice the data and to see common values in certain columns (e.g., all locations).

*

Identities with specific Identity Profile

Focus on identities in a specific profile or use a NOT condition to filter out.

identityProfile.name:xyz

Specific Attribute with wildcard

Filter identities by specific identity attributes. Use AND / OR conditions as needed.

Can also be used in a Targeted Access Certification.

attributes.email:"*@acme.com"

Find all identities with a last name which starts with A through M (uses regex).

Note: this uses Elasticsearch regex syntax.

attributes.lastname:/[a-m].*/

Start Date within the next two weeks

Useful for Business Intelligence / Reporting 

attributes.startDate:[now TO now+2w]

Start Date within the last two weeks

Useful for Business Intelligence / Reporting 

attributes.startDate:[now-2w TO now]

Identities with specific Tag

Useful for Business Intelligence / Reporting 

tags:XYZ

Missing Key Data

Use this for monitoring. Requires action.

(NOT exists:attributes.lastname) OR (NOT exists:attributes.email) OR (NOT exists:attributes.uid)

Identities in Error

Use this for monitoring. Requires action.

processingState:ERROR

Identities with No Manager

Use this for monitoring. Requires action.

NOT exists:manager.id

Identities who are Managers

Useful for Business Intelligence / Reporting 

isManager:true

Identities recently modified

Useful for Business Intelligence / Reporting 

lastModified:>2018-04-19

Identities which were recently created

Useful for Business Intelligence / Reporting 

created:>2018-03-01 AND created:<2018-03-30

created:[2018-03-01 TO 2018-03-30]

Identities with a start date or end date in a specific range

Useful for Business Intelligence / Reporting 

attributes.startDate:[2018-08-01 TO 2018-10-01]

attributes.endDate:[2018-09-01 TO 2018-09-30]

Find identities which share a manager, by display name or ID

Useful for Business Intelligence / Reporting 

manager.displayName:"Bill Lumbergh"

manager.id:2c918.....0d

Identities who have authenticated at least once.

Do not confuse this with Lifecycle State.

NOTE: Useful for tracking who is using the system and who never has.

attributes.cloudStatus:ACTIVE

Identities with Manually Correlated Accounts

Useful for the System Administrator

@accounts(manuallyCorrelated:true)

Identities with AD accounts which have had a password set within a certain period (using AD passwordLastSet timestamp)

@accounts(source.name:"AD" AND passwordLastSet:[2017-08-01 TO 2023-09-01])

Active identities that have anything listed in their personal email attribute

attributes.cloudLifecycleState:active AND _exists_:attributes.personalEmail

Note: (Elastic) Search uses 'now' as a keyword for the current date and time. It also supports date math with the following units:

  • y (year)
  • M (month)
  • w (week)
  • d (day)
  • h (hour)
  • m (minute)
  • s (second)

It also supports operations:

  • - (subtraction)
  • + (addition)
  • / (round)

So now-1d is yesterday and now+1w is next week; note that the units are case-sensitive (M is month, m is minute).
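The note above describes the date-math grammar used in the created:[now-1h TO now] style ranges throughout this page. The following added example (my own code, not from the page or from SailPoint) resolves such expressions against a fixed, constructed "now" so a window can be checked before it goes into an alert; it assumes Elasticsearch rounding behaviour (/w rounds down to Monday):

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta, timezone

# Grammar from the note above: "now", then any number of +N<unit>, -N<unit> or /<unit>
# (round down) with units y M w d h m s; M is month and m is minute, so now-1m is one minute ago.
_TOKEN = re.compile(r"([+-])(\d+)([yMwdhms])|(/)([yMwdhms])")
SAMPLE_NOW = datetime(2024, 3, 31, 14, 45, 30, tzinfo=timezone.utc)  # constructed fixed "now"

def _set_ym(t, year, month):  # clamp the day: 31 Mar - 1M is 29 Feb 2024, not an error
    return t.replace(year=year, month=month, day=min(t.day, monthrange(year, month)[1]))

def _shift(t, n, unit):
    if unit == "y":
        return _set_ym(t, t.year + n, t.month)
    if unit == "M":
        months = t.year * 12 + t.month - 1 + n
        return _set_ym(t, months // 12, months % 12 + 1)
    return t + timedelta(**{{"w": "weeks", "d": "days", "h": "hours",
                            "m": "minutes", "s": "seconds"}[unit]: n})

def _round_down(t, unit):
    """Truncate to the start of the unit; /w rounds to Monday as Elasticsearch does."""
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return {"y": day.replace(month=1, day=1), "M": day.replace(day=1),
            "w": day - timedelta(days=day.weekday()), "d": day,
            "h": t.replace(minute=0, second=0, microsecond=0),
            "m": t.replace(second=0, microsecond=0), "s": t.replace(microsecond=0)}[unit]

def resolve(expr, now=SAMPLE_NOW):
    """Evaluate a now-relative expression such as now-1d/d against `now`."""
    if not expr.startswith("now"):
        raise ValueError(f"expected a now-relative expression, got {expr!r}")
    t, pos = now, 3
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad date math at offset {pos} in {expr!r}")
        t = (_round_down(t, m.group(5)) if m.group(4) else
             _shift(t, int(m.group(2)) * (1 if m.group(1) == "+" else -1), m.group(3)))
        pos = m.end()
    return t

def resolve_range(range_expr, now=SAMPLE_NOW):
    """Resolve a '[lo TO hi]' range as used in created:[now-1h TO now] into two datetimes."""
    m = re.fullmatch(r"\[(\S+) TO (\S+)\]", range_expr)
    if not m:
        raise ValueError(f"not a range: {range_expr!r}")
    return resolve(m.group(1), now), resolve(m.group(2), now)
```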


Identity Access Data

These queries are useful for locating identities with specific access and starting a Targeted Access Certification.

Details

Query

Specific Access Search

@access(name:"XYZ")

Specific Role Search

@access(type:ROLE AND name:"<Role_Name>")

Specific Entitlement Search

@access(type:ENTITLEMENT AND name:"<Entitlement_Name>")

Conflicting Roles

Can be used in SoD General Policies

@access(name:"<Role_Name_1>" AND type:ROLE) AND @access(name:"<Role_Name_2>" AND type:ROLE)

Conflicting Access

Can be used in SoD General Policies

@access(id:<Access_ID_1> OR id:<Access_ID_2>) AND @access(id:<Access_ID_3>)

Identities with many accounts

accountCount:>100

Authoritative Source

Details

Query

Identities created by a specific Authoritative Source in the past 7 days.

Useful for Business Intelligence / Reporting 

@accounts(source.name:"<Source_Name>") AND created:[now-7d TO now]

Identities on a specific Authoritative Source with no AD account

Useful for Business Intelligence / Reporting / Compliance

@accounts(source.name:"<Authoritative_Source_Name>") AND NOT @accounts(source.name:"<AD_Source_Name>")

Identities recently dropped because their account no longer appears in the aggregation

Useful for Business Intelligence / Reporting 

created:[now-12h TO now] AND name:"Delete User Passed"

Security: General

The following events are candidates for SIEM.

Details

Query

Query to see important Security events from the last day.

created:[now-1d TO now] AND (type:USER_MANAGEMENT OR type:AUTH OR type:PASSWORD_ACTIVITY) AND NOT (name:"Send Email Passed")

Track IP addresses of those who attempted to start the SSO process in the last 48 hours.

created:[now-48h TO now] AND "Receive Saml Assertion Passed"

Users successfully authenticated in the last 48 hours.

Tip: This is helpful to monitor traffic by end users and ensure only authorized users are accessing the system.

created:[now-48h TO now] AND "Request Authentication Passed"

Track successful Step-up MFA authentication for users.

created:[now-12h TO now] AND "Setup User Authentication Step_up Passed"

API Credential Updates

technicalName:API_*

Security: IdentityNow User Level Permissions

The following Searches are used to see who has access above the ‘standard end user’ permissions.

Tip: Run regular Access Certifications for these permissions.

Details

Query

Identities with Elevated Permissions

@access(type:ENTITLEMENT AND source.name:IdentityNow)

Identities with Specific Elevated Permissions

Example: Org Admin. Swap ORG_ADMIN with any other User Permission.

@access(value:(ORG_ADMIN) AND type:ENTITLEMENT AND source.name:IdentityNow)

Events: IdentityNow Permissions granted to users, and by whom.

name:"Grant User Role"

Identities who are not active and have elevated permissions.

Use this for internal governance.

@access(type:ENTITLEMENT AND source.name:IdentityNow) AND NOT attributes.cloudLifecycleState:active

Email Notifications Sent

Tip: In the Search Events UI, add the Info column to see the subject line.

Details

Query

All email sent in the last hour

created:[now-1h TO now] AND name:"Send Email Passed"

Specific email subject line sent

name:"Send Email Passed" AND attributes.info:"[email subject line]"

Sent to a specific email address

name:"Send Email Passed" AND target.name:"[email address]"

Access Request

Details

Query

Specific Emails Sent

Useful to see Approval Notifications, Reminders etc.

created:[now-1d TO now] AND name:"Send Email Passed" AND attributes.info:"[email subject line]"

SDIM Ticket Requests Pending

Tip: Useful to track manual tickets.

action:"Access Request" AND sources:"SDIM Name" AND status:Pending

Specific Requestor

Useful to track requests by a specific identity.

requester.name:"xyz"

Access Request Approval Forwarded

name:"Forward Access Request Approval Passed"

Access Sunset Removal

Temporary Access removed after expiry.

action:acesss-sunrise-sunset

All Access Request Activity

Tip: This is a useful catch-all.

type:ACCESS_REQUEST

Specific Source

type:ACCESS_REQUEST AND attributes.sourceName:"[sourcename]"

Access Certification

These are not substitutes for the campaign reports, but can be used for additional information.

Details

Query

All Certification Events

type:CERTIFICATION

All Access Certification Events and Activity

(name:"Certification" OR action:"Certification")

Sign-offs from the last day.

created:[now-1d TO now] AND (name:"Certification" OR action:"Certification") AND name:"Signoff"

Reassignment

(name:"Certification" OR action:"Certification") AND name:"Reassign"

Campaign Creation

(name:"Certification" OR action:"Certification") AND name:"Create"

Campaign Completion

(name:"Certification" OR action:"Certification") AND name:"Complete"

Access Remediation

(name:"Certification" OR action:"Certification") AND name:"Remediate"

Campaign Activation

(name:"Certification" OR action:"Certification") AND name:"Activate"

Campaign Deletion

(name:"Certification" OR action:"Certification") AND name:"Delete"

Update Certification Campaign Filter

(name:"Certification" OR action:"Certification") AND name:"Update"

Pending Revokes (usually disconnected SDIM sources)

action:"Certification" AND status:Pending

Certification provisioning activity that is neither Pending nor Complete (i.e., Failed).

action:"Certification" AND NOT status:Pending AND NOT status:Complete

Aggregation and Scheduled Tasks

Details

Query

Failed Aggregations

Tip: Add this to Automated Monitoring and Alerting.

type:SOURCE_MANAGEMENT AND name:"Failed" AND operation:AGGREGATE

8am and 8pm Scheduled Refresh not Started or Completed

Useful for tracking (average) durations and the (average) number of identities updated.

name:"Scheduled Identity Processing" AND NOT status:PASSED AND NOT status:STARTED

Search Subscription Executed

Information only.

name:"Execute Subscription"

Configuration

These queries are useful to see which configurations have been created or updated, and by whom.

Details

Query

Creation/Update/Deletion of Access Items like Roles and Access Profiles in the last 90 days.

created:[now-90d TO now] AND type:ACCESS_ITEM AND NOT name:Add AND NOT name:Remove AND NOT name:Forward AND NOT name:Set

Non-Employee Lifecycle Management (NELM)

type:NON_EMPLOYEE

Source Configuration Events in the last 90 days

created:[now-90d TO now] AND type:SOURCE_MANAGEMENT AND NOT name:Aggregate

All main System Config with certain events excluded.

(type:SYSTEM_CONFIG AND NOT name:"Execute Subscription Started" AND NOT name:"Email Subscription Recipient Excluded" AND NOT name:"Delete Task Result Passed" AND NOT actor.name:"MantisTaskScheduler") OR type:SEGMENT OR type:ACCESS_PROFILE OR type:ROLE OR type:GOV_WORK_REASSIGNMENT OR type:TENANT_CONFIG

Workflow Configuration

type:WORKFLOW*

Public References

https://documentation.sailpoint.com/saas/help/search/index.html

Internal References

https://sailpoint.atlassian.net/l/cp/3Hb7Pcqz

https://sailpoint.atlassian.net/l/cp/CcXQkQtS

https://sailpoint.atlassian.net/l/cp/tY4WC11s


More info:

Workflow to remove all leavers' standing access (contains a query for standalone access):

https://developer.sailpoint.com/discuss/t/workflow-to-remove-all-leavers-standing-access/13025

https://documentation.sailpoint.com/saas/help/search/building-query.html