SailPoint Audit Queries

Please help me with the below questions, which need to be presented for audit:

1. If any users log in locally to SailPoint:
    - Evidence of local password parameters
    - Observe a user log in locally

2. List of everyone who can log in locally and C&A evidence:
    - Query used to generate the listing
    - One full record in the system
    - Row count in the system
    - Exported report in Excel

3. Exception waiver if password standards not compliant with Client password standards

4. Observe the list of all privileged roles within SailPoint and description of those roles.

5. Observe the list of users and accounts with privileged roles assigned, with C&A evidence:
    - Query used to generate the listing
    - One full record in the system
    - Row count in the system
    - Exported report in Excel

6. Observe the list of users who have had privileged access provisioned to the system, with C&A evidence:
    - Query used to generate the listing
    - One full record in the system
    - Row count in the system
    - Exported report in Excel

7. Exported report of the list of users with privileged access provisioned to SailPoint

Please help us with search queries or on the SailPoint UI.

Hi @AnnamicaP,

You can use the search documentation for information about how to build different search queries based on what you are looking for. It sounds like you may want to focus on building searches for Event Data and possibly Account Activity Data.

Additionally, you can use this list of Audit Events to help you figure out the types of Events you are looking for to fit your requirements.

Please let me know if this is helpful!

  • Zach

Hi Zach,

Thank you for your reply. It is really helpful.
But I am not sure which query to check exactly for the list of users who can log in locally.

In reading the documentation on Bypassing the Identity Provider, if this box is checked under your security settings in ISC, "users with an access level beyond “user” can bypass the identity provider", so you would want to search for any users with elevated ISC access, as they would have the ability to log in locally.