Problem
New to IDN / ISC and need assistance understanding search criteria within the User Interface.
Solution
Below are search examples, each followed by a description of what the search does. Note that the values shown must be replaced with values from your own tenant.
attributes.department:Sales AND @accounts(source.name:webex) AND NOT @access(value:"MeetingType 220")
Searches for identities in the Sales department who have a Webex account but do not have access to “MeetingType 220”.
attributes.cloudStatus:PENDING OR attributes.cloudStatus:UNREGISTERED
Searches for identities with a cloudStatus attribute of either “PENDING” or “UNREGISTERED”.
attributes.cloudLifecycleState:inactive AND @accounts(disabled:false)
Searches for identities with a cloudLifecycleState attribute of “inactive” that have at least one account that is not disabled.
identityProfile.name:contractors AND attributes.cloudLifecycleState:"inactive transition" AND @access(value:EXCHANGESERVER*)
Searches for contractor identities with a cloudLifecycleState attribute of “inactive transition” that have access to an Exchange server.
manager.name:brandy.smith
Searches for identities whose manager’s name is “brandy.smith”.
@access(type:ROLE AND name:Inventory*)
Searches for identities with access to a role that starts with “Inventory”.
attributes.location:London
Searches for identities with a location attribute of “London”.
attributes.location:London AND created:[2021-01-01 TO now]
Searches for identities with a location attribute of “London” that were created between January 1, 2021 and the current date/time.
identityProfile.name: TST AND attributes.cloudLifecycleState: (onLeave)
Searches for identities with an identity profile name of “TST” and a cloudLifecycleState attribute of “onLeave”.
created:[now-1M TO now], created:[now-24h TO now], created:[now-1w TO now]
Searches for identities created within the last month, last 24 hours, or last week, respectively.
NOT _exists_:attributes.cloudLifecycleState
Searches for identities that do not have a cloudLifecycleState attribute.
@accounts(disabled:false AND locked:false) AND (NOT attributes.cloudLifecycleState:"Inactive")
Searches for identities with at least one account that is neither disabled nor locked, and that do not have a cloudLifecycleState attribute of “Inactive”.
attributes.endDate:[now-1y TO now]
Searches for identities with an endDate attribute between one year ago and the current date/time.
attributes.titleChangeDate:[*now TO now*], attributes.titleChangeDate:[*now-7d TO now*] && NOT created:[now-1M TO now]
The first searches for identities with a titleChangeDate attribute on the current date. The second searches for identities with a titleChangeDate attribute within the last 7 days, excluding identities created within the last month.
attributes.managerChangeDate:[*now-7d TO now*] && attributes.costCenterChangeDate:[*now-7d TO now*] && NOT created:[now-1M TO now]
Searches for identities with both a managerChangeDate and costCenterChangeDate attribute within the last 7 days, excluding identities created within the last month.
attributes.adou:"NO-CONTAINER" && attributes.cloudLifecycleState:"active"
Searches for identities with an adou attribute of “NO-CONTAINER” and a cloudLifecycleState attribute of “active”.
attributes.managerChangeDate:[*now-1M TO now*] && attributes.costCenterChangeDate:[*now-1M TO now*] && NOT created:[now-1M TO now] && identityProfile.name: TST
Searches for identities with an identity profile name of “TST” whose managerChangeDate and costCenterChangeDate attributes both fall within the last month, excluding identities created within the last month.
attributes.titleChangeDate:[*now-1M TO now*] && NOT created:[now-1M TO now] && identityProfile.name: TST
attributes.titleChangeDate:[*now-1M TO now*] && attributes.cloudLifecycleState:active && identityProfile.name: TST
attributes.titleChangeDate:[*now-1M TO now*] && attributes.cloudLifecycleState:active && identityProfile.name: TST && NOT created:[now-7d TO now]
All three search for identities with a titleChangeDate attribute within the last month and an identity profile name of “TST”. The first excludes identities created within the last month, the second requires a cloudLifecycleState attribute of “active”, and the third requires “active” and also excludes identities created within the last 7 days.
identityProfile.name: Workday && attributes.officeName: "NO OFFICE NAME" && (attributes.campus: "01" || attributes.campus: "04")
Searches for identities with an identity profile name of “Workday”, an officeName attribute of “NO OFFICE NAME”, and a campus attribute of either “01” or “04”.
"Create Account Failed"
Searches for the exact phrase “Create Account Failed”.
attributes.primaryJobCode:1000235 && identityProfile.name:TST
Searches for identities with a primaryJobCode attribute of “1000235” and an identity profile name of “TST”.
name:"Send Email Passed" AND target.name:"[email protected]"
Searches for sent emails with the name “Send Email Passed” and a target email address of “[email protected]”.
attributes.cloudLifecycleState:inactivedelete AND @accounts(source.name:"Production AD Connector")
Searches for identities with a cloudLifecycleState attribute of “inactivedelete” that have an account in the “Production AD Connector” source.
NOT(attributes.adAccountExpires:"never") AND _exists_:attributes.adAccountExpires AND attributes.cloudLifecycleState:"active" AND @accounts(source.name:"Production AD Connector")
Searches for identities with a cloudLifecycleState attribute of “active”, an adAccountExpires attribute that exists and is not set to “never”, and an account in the “Production AD Connector” source.
((@accountRequests(op:modify && attributeRequests.name:"cloudLifecycleState") AND NOT requester.name:"System"))
Searches for account requests that modify the cloudLifecycleState attribute and were not requested by a user named “System”.
attributes.cloudLifecycleState:terminatedHold AND @accounts(source.name:"Active Directory - Prod"), attributes.cloudLifecycleState:terminatedRemove AND @accounts(source.name:"Active Directory - Prod")
Searches for identities with a cloudLifecycleState attribute of “terminatedHold” or “terminatedRemove”, respectively, that have an account in the “Active Directory - Prod” source.
attributes.cloudLifecycleState:prehire || attributes.cloudLifecycleState:earlyStart || attributes.cloudLifecycleState:"Future Start" || attributes.cloudLifecycleState:futureStudent || attributes.cloudLifecycleState:INVALID
Searches for identities with a cloudLifecycleState attribute of “prehire”, “earlyStart”, “Future Start”, “futureStudent”, or “INVALID”.
attributes.cloudLifecycleState:active && @accounts(disabled:true)
Searches for identities with a cloudLifecycleState attribute of “active” that have at least one disabled account.
@roles(id:123abc OR name:"Admin Role")
Searches for identities with a role that has an ID of “123abc” or a name of “Admin Role”.
@entitlements(application.name:"Salesforce" AND value:"Manager")
Searches for identities with an entitlement in the Salesforce application with a value of “Manager”.
@accessProfiles(name:"Contractor Access Profile" AND priority:high)
Searches for identities with an access profile named “Contractor Access Profile” and a priority of “high”.
@accessRequests(requestedFor.name:"john.doe" AND requestType:grant)
Searches for access requests made for the identity “john.doe” with a request type of “grant”.
@certifications(type:manager AND signed:true)
Searches for identities with a manager certification that has been signed.
attributes.department:/Engineering/Software Development/
Searches for identities in the “Software Development” department within the “Engineering” department hierarchy.
attributes.jobTitle:"Manager" OR attributes.jobTitle:"Director"
Searches for identities with a job title of either “Manager” or “Director”.
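The @accounts(...) examples above (inactive identities with an enabled account, and accounts that are neither disabled nor locked) depend on every condition inside the parentheses holding for the same account. The following is an added example, not part of the original article or of SailPoint's code: a small Python model of that behaviour run over constructed identity records. The record layout, the helper names and the case-insensitive state comparison are assumptions.

```python
# Constructed sample identities; the record layout is an assumption, only the
# field names (cloudLifecycleState, disabled, locked) come from the queries.
IDENTITIES = [
    {"name": "a.inactive", "attributes": {"cloudLifecycleState": "inactive"},
     "accounts": [{"source": "AD", "disabled": False, "locked": True}]},
    {"name": "b.split", "attributes": {"cloudLifecycleState": "active"},
     "accounts": [{"source": "AD", "disabled": False, "locked": True},
                  {"source": "webex", "disabled": True, "locked": False}]},
    {"name": "c.clean", "attributes": {"cloudLifecycleState": "active"},
     "accounts": [{"source": "AD", "disabled": False, "locked": False}]},
    {"name": "d.nostate", "attributes": {},
     "accounts": [{"source": "AD", "disabled": False, "locked": False}]},
]


def nested_accounts(identity, **conditions):
    """Model of @accounts(k:v AND ...): ONE account must meet every condition."""
    return any(all(acct.get(k) == v for k, v in conditions.items())
               for acct in identity.get("accounts", []))


def flattened_accounts(identity, **conditions):
    """Mistaken reading: each condition may be met by a different account."""
    return all(any(acct.get(k) == v for acct in identity.get("accounts", []))
               for k, v in conditions.items())


def state(identity):
    # Lower-cased for comparison (assumption); missing attribute becomes "".
    return (identity["attributes"].get("cloudLifecycleState") or "").lower()


def names(predicate):
    return [i["name"] for i in IDENTITIES if predicate(i)]


# attributes.cloudLifecycleState:inactive AND @accounts(disabled:false)
def inactive_with_enabled_account():
    return names(lambda i: state(i) == "inactive"
                 and nested_accounts(i, disabled=False))


# @accounts(disabled:false AND locked:false) AND (NOT attributes.cloudLifecycleState:"Inactive")
def usable_account_not_inactive(match=nested_accounts):
    # The NOT clause also lets through identities with no lifecycle state at all.
    return names(lambda i: match(i, disabled=False, locked=False)
                 and state(i) != "inactive")
```

Under the flattened reading, b.split would be returned even though neither of its accounts is both enabled and unlocked; d.nostate is returned in both readings because a NOT clause also matches identities that lack the attribute.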