Search query in sailpoint idn to get details of user’s disabled in last 24hrs,last 1week,last 1month.
attributes.isleaver:Yes
Hi @bpdhanya ,
Please find the query below.
type:provisioning AND source.name:*Active Directory* AND operation:DISABLE AND status:PASSED AND created:[now-24h TO now]
type:provisioning AND source.name:*Active Directory* AND operation:DISABLE AND status:PASSED AND created:[now-1M TO now]
type:provisioning AND source.name:*Active Directory* AND operation:DISABLE AND status:PASSED AND created:[now-7d TO now]
Thanks
1 Like
Welcome to the community.
Note that if you were basing this on a termination date for an ISC Identity attribute, your date format should be in the ISO-8601 (yyyy-MM-dd) format.
You may want to combine it with lifecycle data in your search to also investigate accounts out of bounds with their LCS values. Example would be if someone manually transitioned someone to a given LCS state.
Note Patrick’s comment on the thread.
1 Like
Hi @bpdhanya
You can use search queries to retrieve users. You can filter them by the “lastModified” field to target specific timeframes.
Query - “@accounts(disabled:true) AND (attributes.isleaver:Yes AND modified:[now-1M TO now])”
(status:“disabled”) AND (lastModified:[now-30d TO now])
(status:“disabled”) AND (lastModified:[now-7d TO now])
one week
(status:“disabled”) AND (lastModified:[now-1d TO now])
24 hours
I am not quite sure what do you here mean by Disabled? Like are you looking for a specific account that is disabled? Or the identity disabled itself?
If you are looking for identity disabled you should use this:
status:disabled
Refer this for more information:
Whereas if you are looking for identity’s certain account got disabled.
@accounts(disabled:true AND source.name:"<SourceName>")
And if you are looking for identity’s any account that got disabled.
@accounts(disabled:true)
And furthermore you can add your respective conditions based on your requirement.
Hope this helps 