How to generate report for deleted accounts

Hi All,

Does anyone know how to generate a report and query the users who are deleted today in a specific application? Thank you!

Hi Jasmine,

Are you looking for identities that had an account deleted by a SailPoint provisioning plan? Or those that were dropped from an aggregation because they were deleted natively in the source?

Thanks,

Liam

Hi @jasmedina,

Usually there are two events that you can query in search: one will give you account deletion events and the other will give you identity deletion events with user details. Please find them below:

"Delete User Passed" and "Delete Identity Passed", but you cannot search these with regard to a specific source (application).

"delete user passed" AND created:[now-1d TO now]

"delete user passed" AND created:<date>

I would recommend an excellent feature, "Native Change Detection". With this you can monitor the following:

  1. Account Creation
  2. Account Update
  3. Account Deletion

Please find below the SailPoint documentation to enable this feature in your source and the steps for searching these events.

Enhancement: Audit Events for Native Change Detection - Announcements / Product News - SailPoint Developer Community

Native Change Account Deleted | SailPoint Developer Community

Hope this will help!


Hi @jasmedina
This might work

@accountRequests(op:delete) AND @accountRequests(source.name:"source name")

Hi @jasmedina, using the source account deleted trigger you can check if the account is deleted for a particular application.

Hi Liam,

I am looking for accounts deleted by a SailPoint provisioning plan. I have a rule that will delete all inactive accounts and accounts with no last login date, and I want to have some sort of report to list all those deleted accounts.

As @gourab mentioned, this query will work for your case.

@accountRequests(op:Delete) AND @accountRequests(source.name:"<source_name>")

I tried the query but it didn’t return the correct results I was expecting.

Hi Gourab, I tried this but it looks like it can only output the deleted accounts from a lifecycle state change. I have a rule that will delete all inactive accounts and accounts with no last login date. The query wasn’t able to capture the deleted accounts from that rule.

Hi @jasmedina,

Can you try this search query?

name:"Remove Source Account Passed" AND operation:"REMOVE"

To add the date, you can add an AND condition and this: "created:[now-1d TO now]"

Thanks,
Uday
