Audit Events name under Advanced Analytics

Which IIQ version are you inquiring about?

8.4

Hi Everyone,

We have enabled the below list in the audit configuration page of IIQ but are unable to understand what we need to select in the Action tab under Audit in Advanced Analytics:

  1. Certification Signoff (Not found)
  2. Role sunrise (Not found)
  3. Role sunset (Not found)
  4. Allow Exception on Violation (Not found)
  5. Correct Violation (Not found)
  6. Plugin Installed (Not found)
  7. Plugin Upgraded (Not found)
  8. Plugin Uninstalled (Not found)
  9. Entitlements Request Started (Not found)
  10. Identity Edit Request Started (Not found)
  11. Manual Provisioning (Not found)
  12. Roles Request Started (Not found)
  13. Unlock (Not found)
  14. Identity Locked (Not found)
  15. Identity Unlocked (Not found)
  16. Authentication Answer Incorrect (Not found)
  17. Password Policy Changed (Not found)
  18. API Configuration Changed (Not found)
  19. Privileged Account (Not found)
  20. Assigned Roles (Not found)
  21. Capabilities (Not found)
  22. Authorized Scopes (Not found)
  23. Password (Not found)
  24. Assigned Scope (Not found)
  25. Correlation Status (Not found)
  26. EmailTemplate (Not found)
  27. UIConfig (Not found)
  28. Workflow (Not found)

We need to know under which “Action” item we will find these.

Hi @schaudhury,

Go to the Debug page, select the AuditConfig object and open the AuditConfig.
You can find the name of the audit action. The same name should be selected in the Action tab under Advanced Analytics.

1 Like

@Arun-Kumar I have the below items enabled in Audit Config but I don't see them in the debug page Audit config.

For example, Role Sunrise, Role Sunset

Hi @schaudhury,

Are you able to see the below entries in Audit config?

<AuditAction displayName="audit_action_identityLifecycleEvent" enabled="true" name="identityLifecycleEvent"/>    <!-- Identity Event -->
<AuditAction displayName="audit_action_activate" enabled="true" name="activate"/>                                <!-- Role Sunrise -->
<AuditAction displayName="audit_action_deactivate" enabled="true" name="deactivate"/>                            <!-- Role Sunset -->
<AuditAction displayName="audit_action_violationAllowException" enabled="true" name="violationAllowException"/>  <!-- Allow Exception on violation -->
<AuditAction displayName="audit_action_violationCorrection" enabled="true" name="violationCorrection"/>          <!-- Correction violation -->
<AuditAction displayName="audit_action_plugin_installed" enabled="true" name="PluginInstalled"/>
<AuditAction displayName="audit_action_plugin_upgraded" name="PluginUpgraded"/>
<AuditAction displayName="audit_action_plugin_uninstalled" name="PluginUninstalled"/>
1 Like
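
An added example (not part of any post in this thread, and not SailPoint code): a Python check that reads an exported AuditConfig XML and reports which expected audit action names are present but not enabled, and which are absent altogether. The `<AuditConfig>` wrapper, the `REQUIRED` list, the function names and the treatment of a missing `enabled` attribute as "not enabled" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AuditAction entries quoted in the thread, wrapped in
# an assumed <AuditConfig> root so the fragment parses as one document.
SAMPLE_AUDIT_CONFIG = """\
<AuditConfig name="AuditConfig">
  <AuditAction displayName="audit_action_identityLifecycleEvent" enabled="true" name="identityLifecycleEvent"/>
  <AuditAction displayName="audit_action_activate" enabled="true" name="activate"/>
  <AuditAction displayName="audit_action_deactivate" enabled="true" name="deactivate"/>
  <AuditAction displayName="audit_action_violationAllowException" enabled="true" name="violationAllowException"/>
  <AuditAction displayName="audit_action_violationCorrection" enabled="true" name="violationCorrection"/>
  <AuditAction displayName="audit_action_plugin_installed" enabled="true" name="PluginInstalled"/>
  <AuditAction displayName="audit_action_plugin_upgraded" name="PluginUpgraded"/>
  <AuditAction displayName="audit_action_plugin_uninstalled" name="PluginUninstalled"/>
</AuditConfig>
"""

# Hypothetical list of action names a reviewer expects to be audited.
# Every name is taken from the thread; the selection itself is an assumption.
REQUIRED = ["activate", "deactivate", "violationAllowException",
            "violationCorrection", "PluginInstalled", "PluginUpgraded",
            "PluginUninstalled", "loginFailure"]


def audit_actions(xml_text):
    """Return {action name: enabled?} for every AuditAction element."""
    root = ET.fromstring(xml_text)
    actions = {}
    for el in root.iter("AuditAction"):
        # Assumption: a missing 'enabled' attribute means the action is off.
        actions[el.get("name")] = el.get("enabled", "false").lower() == "true"
    return actions


def coverage_gaps(xml_text, required):
    """Split required names into (present but not enabled, absent)."""
    actions = audit_actions(xml_text)
    # Names are compared exactly, including case ("PluginInstalled").
    disabled = sorted(n for n in required if n in actions and not actions[n])
    missing = sorted(n for n in required if n not in actions)
    return disabled, missing


if __name__ == "__main__":
    disabled, missing = coverage_gaps(SAMPLE_AUDIT_CONFIG, REQUIRED)
    print("present but not enabled:", disabled)
    print("not in AuditConfig:", missing)
```
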

@Arun-Kumar thanks for the clarification. The names are not straightforward. Even with the same name I don’t see anything in Advanced Analytics → Audit → Action. Is it named enable disable there in the UI?

To view the audit action in advanced analytics:

  1. Enable the action in Audit configuration.
  2. Generate the event; after that you will see the action in the drop-down.
3 Likes

Hi @schaudhury,

These labels are not directly changeable from the UI. Hope you have gone through the below link to get more insights about audit configuration.

https://community.sailpoint.com/t5/Technical-White-Papers/Audit-Configuration-in-IdentityIQ/ta-p/74075

Thanks

Hi @schaudhury,

You can perform a simple test by enabling the Login Failure Audit event in audit configuration. First, log out of SailPoint and attempt to log in with incorrect credentials. After that, log in with the correct credentials and check for an audit action named ‘loginFailure.’ This exact name can be found in the AuditConfig object on the debug page.

In short, make sure to trigger the event after enabling the audit event.

@ashutosh08 yes I have gone through the document.

@Arun-Kumar is there any way to generate all the events at once to test if the events are appearing in Advanced Analytics?

Hi @schaudhury,

There is no option to generate all the events at once. For testing, you can create a dummy event from debug. Once the dummy event is created, you will be able to view it from Advanced Analytics.

Use the below XML to create a PluginInstalled event.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE AuditEvent PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<AuditEvent action="PluginInstalled" created="" id="" serverHost="Test" source="Test"/>

@sagar_kamalakar Is there any way to generate all the events at once to check if the audit action is appearing in Advanced Analytics?

Does anyone have an idea how to test the below events, as these are not part of Audit actions?
Privileged Account (Not found)
Assigned Roles (Not found)
Capabilities (Not found)
Authorized Scopes (Not found)
Password (Not found)
Assigned Scope (Not found)
Correlation Status (Not found)
EmailTemplate (Not found)
UIConfig (Not found)
Workflow (Not found)

Create a dummy event from debug. Refer to the below XML. Replace the action with the actual one.

assignedRoles
capabilities
controlledScopes
password
scope
correlationStatus

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE AuditEvent PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<AuditEvent action="assignedRoles" created="" id="" serverHost="Test" source="Test"/>

EmailTemplate (Not found)
UIConfig (Not found)
Workflow (Not found)


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE AuditEvent PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<AuditEvent action="update" clientHost="" created="" id="" serverHost="Test" source="spadmin" target="UIConfig:UIConfig"/>
1 Like
