I want to understand how to differentiate audit events for account-level changes—such as account create, modify, delete, entitlement add, and entitlement remove—based on whether they were triggered by an aggregation task, performed through the SailPoint UI, or caused by non-aggregation processes in SailPoint.
Hello @shsakshi, we can see how it gets triggered. For example, I performed a Manager Transfer through the UI. After that, go to Intelligence → Advanced Analytics, set the Search Type to Audit, and the Action to Identity Event. This selection will show data such as account name, action, application, source, etc. You can also select the audit fields as per your requirements by choosing the options under Audit Fields. Please go through the SailPoint IIQ documentation for more details. I hope this information is what you were looking for and is helpful.
Is there any configuration available that allows us to distinguish between different audit event actions?
Example:
For Application AlphaGlide: the Entitlement Add operation was done through the SailPoint IdentityIQ UI.
For Application OrphanApp: Entitlements were added and removed for different accounts through the Account Aggregation job.
For both cases, the Action is the same: EntitlementAdd or EntitlementRemove.
We offer a plugin that can give you this type of information. Happy to provide a demo if you want to schedule it on our site.

