Search query - SailPoint

kaiolima · August 8, 2024, 8:25pm

Search query

Is there a query that returns all active identities in the environment on different dates?

adunker · August 8, 2024, 8:48pm

To clarify - are you looking for a query that returns the identities that were active on a given date in the past? That wouldn’t quite be possible - as the search is going to give you results on the current state.

You could take those results - and then search for events for people changing status and build to that previous state perhaps. But that would involve some processing/scripting.

For an individual user you can check against Access History or events.

shekhardas1825 · August 9, 2024, 3:57am

Use following

Id:* AND attributes.cloudLifecycleState:active

PrashantMishra · August 9, 2024, 3:59am

Hi @kaiolima ,

You can use the search query to return the active identities with the specific dates as per the below provided sample query :

attributes.cloudLifecycleState:active AND created:2020-05-01 OR created:<=2020-04-05

Created date can also be specific as - created:[now-1M TO now] or any other dates in place of now.

I hope this might help!

Thanks,
Prashant

GOKUL_ANANTH_M · August 9, 2024, 4:34am

Hi @kaiolima ,

Query that return active identity is,

attributes.cloudLifecycleState:active

For created date,

created:2023-08-09

This returns all identities that were created on August 9, 2023.

(Or)

created:<=2015-02-04

This returns all identities created on or before February 4, 2015.

(Or)

created:[now-1M TO now]

You can specify the dates using a Range queries and Date Maths. This returns objects created within the last month.

Yeah. Use AND and OR to build the query as like @PrashantMishra said, as per your requirement.

For further reference, take a look at below link:

You can also have a look at suggested searches for reference too.

GOKUL_ANANTH_M · August 9, 2024, 6:40am

@PrashantMishra , Just small correction in your search query. The condition after AND should be enclosed within brackets. It should be like below.

attributes.cloudLifecycleState:active AND (created:2024-01-01 OR created<=2024-01-01)

Thanks!!

PrashantMishra · August 9, 2024, 7:15am

Yes @GOKUL_ANANTH_M that’s correct.

Here I just provided the query on a high-level. Rest it’s always advisable to use brackets in case of having multiple operators check throughout the conditions.

Thanks,
Prashant

adunker · August 9, 2024, 1:38pm

Prashant - this would only return identities who were active now and created in a time span, but not who all who were active during that time period.

PrashantMishra · August 9, 2024, 3:52pm

Hi @adunker ,

Yes result will be fetched out based on current state of an identity with a specific date.

To find the identities based on their LifecycleStatus on past date can’t be retrieved via a search query. It would need an extra efforts comparing the current data with the audit report etc.

Thanks,
Prashant

system · October 8, 2024, 3:53pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need a search query ISC Discussion and Questions identity-security-cloud	3	53	December 29, 2024
POST /api/v2/search/identities Non-Public API Deprecations deprecated	0	379	February 16, 2024
Identitynow Search ISC Discussion and Questions	4	1325	July 19, 2023
GET /api/v2/search/identities/runExport Non-Public API Deprecations deprecated	0	476	November 9, 2023
Use search to retrieve all identities that changed LifeCicleState within last 7 days ISC Discussion and Questions identity-security-cloud , identityiq	11	577	June 1, 2024

Search query - SailPoint

Related topics