Today in SailPoint, if you change an action in a before provisioning rule to delete, it doesn’t get recorded in the audit events. Events like disable are recorded for audit events. Deletes, which are just as critical, are not. How are you guys recording these audit events?
@adunker did you ever find a solution to this? We are running into the same issue. If an Identity terms with a last day worked within the last 14 days, the AD account disables and that gets logged. Once the last date worked is greater than 14 days, the account goes to a terminated deleted LCS and AD is deleted. In some situations the Identity terms with the last day worked greater than 14 days ago, so the disable step “gets missed” and the account is just deleted. Audit is looking for proof that we disabled or deleted the account, but since the delete doesn’t get logged I can’t prove it. If the action happened in the last 90 days I can pull logs from our SIEM, but some of the events that they want proof on are greater than 90 days ago.
Still pending in the backlog for SailPoint - we are using Splunk in the meantime to correlate the actions. We set extra retention for any actions in the AD logs taken by the SailPoint service accounts.
Thanks @adunker, we also use Splunk. I am looking at getting a report on the first of every month that shows all accounts SailPoint deleted the prior month. Not a great solution, but it will help with an audit.
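The Splunk correlation on service-account actions and the monthly deletion report described in the two posts above can be prototyped offline against AD security events. The following is an added example (not SailPoint's, Splunk's or either poster's code): it filters Windows Security events 4725 (account disabled) and 4726 (account deleted) by the SailPoint service account, assumed here to be named svc_sailpoint, and pairs each deletion with any earlier disable so a skipped disable step is visible in the report.

```python
import re
from datetime import datetime

# Windows Security event IDs for the two actions an auditor wants evidence of.
EVENT_DISABLED = 4725  # "A user account was disabled"
EVENT_DELETED = 4726   # "A user account was deleted"

# Constructed sample lines in a simplified key=value layout (not real Splunk or
# Windows output); the service account name svc_sailpoint is an assumption.
SAMPLE_EVENTS = """\
time=2024-04-02T09:15:00Z EventCode=4725 SubjectUserName=svc_sailpoint TargetUserName=jdoe
time=2024-04-03T09:20:00Z EventCode=4726 SubjectUserName=svc_sailpoint TargetUserName=asmith
time=2024-04-05T11:00:00Z EventCode=4726 SubjectUserName=helpdesk01 TargetUserName=bjones
time=2024-04-18T02:00:00Z EventCode=4726 SubjectUserName=svc_sailpoint TargetUserName=jdoe
time=2024-05-01T02:00:00Z EventCode=4726 SubjectUserName=svc_sailpoint TargetUserName=ckim
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each key=value log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            fields = dict(FIELD_RE.findall(line))
            fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%SZ")
            fields["EventCode"] = int(fields["EventCode"])
            events.append(fields)
    return events

def monthly_deletion_report(events, service_accounts, year, month):
    """Accounts deleted by a SailPoint service account in the given month, each
    with the latest earlier disable by the same accounts (None if the disable
    step was skipped), so the auditor sees both actions in one place."""
    report = {}
    for ev in events:
        if ev["EventCode"] != EVENT_DELETED or ev["SubjectUserName"] not in service_accounts:
            continue
        if (ev["time"].year, ev["time"].month) != (year, month):
            continue
        target = ev["TargetUserName"]
        disables = [d["time"] for d in events
                    if d["EventCode"] == EVENT_DISABLED
                    and d["SubjectUserName"] in service_accounts
                    and d["TargetUserName"] == target and d["time"] < ev["time"]]
        report[target] = {"deleted": ev["time"].isoformat(),
                          "disabled_first": max(disables).isoformat() if disables else None}
    return report
```

Calling `monthly_deletion_report(parse_events(SAMPLE_EVENTS), {"svc_sailpoint"}, 2024, 4)` on the sample returns asmith (deleted with no prior disable) and jdoe (disabled, then deleted), while the helpdesk deletion and the May deletion are excluded.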
I wonder if there is anything in the audit logs on the VA? I have a ticket open so I will ask that question there also.