Finding recently terminated identities using search?

Are there IDN Search criteria that can find recently terminated identities?

I’m currently using

{
  "indices": ["identities"],
  "query": {
    "query": "(attributes.cloudLifecycleState:terminated) AND (modified:>$($lookback)) AND ((@accounts(source.name:\"AD\")) OR (@accounts(source.name:\"AD - Admins\")))"
  },
  "includeNested": true,
  "sort": ["name"]
}

where lookback is set to 1 day

This is assuming that the termination event is the only thing modifying the identity.

I’ve recently had an account show up in a subsequent run of this search, because their already terminated identity was modified for some other reason a few weeks later.

Is there a better query for finding recently terminated accounts?
For example, is there a lastLifecycleStateChangeDate or something similar?

I think the only way to write what you are looking for is using an API call or using PowerShell.

Hi @ccarlton ,

name:"Change Identity State Passed" AND "terminated" AND created:[now-1d TO now]

Can you try this query once ?

When you enter this query in Search, make sure you add “info” column from the column chooser. The column has new cloudlifecyclestate information.

Thank you,
Vaibhav

This query did not work for me from the IDN Search input bar. Could you please provide more details on setting it up?

@ccarlton
If you are directly copy-pasting the command, make sure the quote marks are coming up properly.

The quotes should come as ". If you copy-paste, the quote symbol comes up differently in the Search UI and the query yields all the events.

Filter results to see only Events.

Add a column called “info” from column chooser.

You should be able to see the UI something like this.

@ccarlton
You can also try using "Cloud Automated <LCS_NAME_HERE>"

You can try the query below:
attributes.cloudLifecycleState:"Terminated" AND modified:[now-1d TO now]
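
An added example, not from any post in this thread: it builds an events-index search body for the "Change Identity State Passed" query with typographic quotes normalised to ASCII, then compares the `modified` filter with the event-based filter on constructed records. The record shapes (`state`, `target`, `info`) are simplified assumptions, not the Search API's response schema.

```python
from datetime import datetime, timedelta, timezone

# Typographic quotes that a forum or word processor substitutes for ASCII quotes.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})


def event_search_body(query):
    """Build a search body for the events index, forcing plain ASCII quotes."""
    query = query.translate(SMART_QUOTES)
    if query.count('"') % 2:
        raise ValueError("unbalanced quote in query: " + query)
    return {"indices": ["events"], "query": {"query": query}}


def by_modified(identities, now, lookback):
    """Original approach: terminated identities whose record changed in the window."""
    return sorted(i["name"] for i in identities
                  if i["state"] == "terminated" and now - i["modified"] <= lookback)


def by_event(events, now, lookback):
    """Event approach: identities whose change to terminated happened in the window."""
    return sorted({e["target"] for e in events
                   if e["name"] == STATE_EVENT
                   and e["info"].lower() == "terminated"
                   and now - e["created"] <= lookback})


# Constructed sample records (not real tenant data); field names are assumptions.
STATE_EVENT = "Change Identity State Passed"
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)
IDENTITIES = [
    {"name": "alice", "state": "terminated", "modified": NOW - timedelta(hours=2)},
    # bob was terminated three weeks ago, then modified again for another reason
    {"name": "bob", "state": "terminated", "modified": NOW - timedelta(hours=5)},
    {"name": "carol", "state": "active", "modified": NOW - timedelta(hours=1)},
]
EVENTS = [
    {"name": STATE_EVENT, "target": "alice", "info": "terminated", "created": NOW - timedelta(hours=2)},
    {"name": STATE_EVENT, "target": "bob", "info": "terminated", "created": NOW - timedelta(days=21)},
    {"name": STATE_EVENT, "target": "carol", "info": "active", "created": NOW - timedelta(hours=1)},
]

if __name__ == "__main__":
    pasted = "name:\u201cChange Identity State Passed\u201d AND \u201cterminated\u201d AND created:[now-1d TO now]"
    print(event_search_body(pasted))
    print("modified-based:", by_modified(IDENTITIES, NOW, DAY))
    print("event-based:   ", by_event(EVENTS, NOW, DAY))
```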