Help - Trying to Get Last Sign in Date and then use it in Search

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hi ISC community,

I’m relatively new to writing ISC transform operations etc, would like some help please.

We are reading the last sign in logs from Entra ID. These are mapped to an identity attribute and I’m applying a transform to convert it to UTC to AEST. If the answer is NULL, then this comes back as “Never”.

This transform works, however, I cannot seem to use range queries because I don’t believe I’ve used the DateFormat properly to get it to ISO8601.

Example Search: attributes.admLastInteractiveSignin: [now-30d TO now]

image
image1113×556 12.9 KB

(we should be getting quite a few results)

This is the transform I am applying, can anyone please help me with where I’m going wrong?

{
    "id": " ",
    "name": "Check and Convert to Local Time",
    "type": "firstValid",
      "attributes": {
        "ignoreErrors": "true",
        "values": [
            {
                "attributes": {
                    "input": {
                        "attributes": {
                            "expression": "+10h/s",
                            "roundUp": false
                        },
                        "type": "dateMath"
                    },
                    "inputFormat": "yyyy-MM-dd'T'HH:mm",
                    "outputFormat": "ISO8601"
                },
                "type": "dateFormat"
            },
            {
                "type": "static",
                "attributes": {
                    "value": "Never"
                }
            }
        ]
    },
    "internal": false
}

Cheers,

Sean

2

HI @SeanK-W , were you able to see the date in ISO format being populated for identities for admLastInteractiveSignin attribute? Format shouldn’t be a problem I believe.

3

Hi Theja C,

Yes the attribute appears without issue - so the datemath part is working.

image

However, when I try using the search query - I get no results… So I was assuming this is an issue with how I’ve applied the dateformat type? Or perhaps the search query itself?

4

Its working fine for me. Can you check the technical name of the attribute to see is its correct?

image
image1783×499 23.1 KB

5

Yeah it’s correct, double checked for sanity-sake:

image

6

It’s fine when I do EndDate/StartDate too… This is a recently created attribute, so it feels like I’ve missed something …

image
image488×323 6.54 KB

7

Ok, can you try “attributes.admLastInteractiveSignin: [now-30d/d TO now]“?

8

image
image605×472 9.4 KB

No dice :frowning:

9

It seems like the search is working OK because it works for other attributes… Just not this new attribute… I think it’s something to do with the transform perhaps I’ve made an error somewhere.

10

Omg… It’s because of this: Unable to perform date logic in custom identity attribute search - #4 by sup3rmark

I literally need to rename the identity attribute to have “DateType” at the end so SailPoint interprets this as a date rather than a string…

I renamed the identity attribute from admLastInteractiveSignin to admlastinteractivesignindatetype and it works… simply by adding “datetype”:

image
image536×229 6.91 KB

That’s unbelievable and almost nowhere in the documentation…

1 Like
11

Seems SailPoint will only know if we explicitly mention somewhere in the name as date. Damm! :grinning_face: . New learning

1 Like
12

The more we know! :slight_smile:

Thanks for jumping in and trying to help me. If anything - prompted me to dig around online further.

1 Like
13

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.