Search query is identity attribute like department get changed

Can a search query be written to get list of identities, if identity attribute department get changed in last 24 hrs

Hi @mahimas_chordia,

Find below query to fetch list of identities recently changed:
attributes.department:* AND modified:[now-24h TO now]

Thank You.

4 Likes

The query:

attributes.department:* AND modified:[now-24h TO now]

is going to show all users who have department value and that were modified within the last 24 hours. It is not going to show only those who department value has changed.

You can use event triggers though on identity attribute change to see if particular attribute has changed. For example, this is how to trigger a specific certification on department move.

Using Event Triggers - SailPoint Identity Services

You can also use the API to look for Identity History. From there, you should be able to look for department changes as well.

Identity History | SailPoint Developer Community

1 Like

Hi @mahimas_chordia,

If you are syncing the department value to a source (eg. Active Directory attribute - department) you can make use of the event search to get the results

attributes.attributeName:"department" AND created:[now-24h TO now]

The query should fetch you all modify account events where the department value is being modified and synced to AD.

2 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.