Use search to retrieve all identities that changed LifeCicleState within last 7 days

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hello Team,
I’d like to create a Search query, that will return me all identities that had LifeCicleState change from active to inactive within last 7 day.

I figured out there is an event for this: IdentityStateChange
So, i imagine search query something like this:

@IdentityStateChange(info:“newState:inactive previousState:active”): [now-7D TO now]

This gives me error - Invalid search query.

Any tips, suggestion here :slight_smile:

Thank you in advance,

Regards,
Aleksandra

2

Hi @karapuuzina,

You can try this one and see if it helps :

attributes.oldState:“active” AND attributes.attributeValue:“inactive” AND created: [now-7d TO now]

Here is an updated one too :

name:“Change Identity State Passed” AND attributes.oldState:“active” AND attributes.newState:“inactive” AND created: [now-7d TO now]

1 Like
3

Do you want events or identities as with this scenarios you need to filter events rather an identites

4

try FilterString as below, let me know if this works:

public static Date generateDate(int daysToSet) {
Calendar cal = Calendar.getInstance();
cal.setTime(new Date());

if (daysToSet != 0) {
cal.add(Calendar.DAY_OF_YEAR, daysToSet);
}
return (cal.getTime());
}


String summaryMessage = "";
String status = "Completed";
int completionCount = 0;
int startDaysInPast=(-7);

QueryOptions qo = new QueryOptions();
List filters = new ArrayList();
Filter.add(Filter.eq("action","IdentityStateChange"));
filters.add(Filter.ge("created", generateDate( startDaysInPast )));
Filter f=Filter.and(filters);
qo.addFilter( f );
Iterator it = context.search(AuditEvent.class, options);
while (it.hasNext()) {

// logic

}
sailpoint.tools.Util.flushIterator(it);

}
5

@dheerajk27 this solution how this will work in identity now can you tell me? may work in iiq

6

Hi @karapuuzina

can you please try this query and check:
@IdentityStateChange AND info:“newState:inactive previousState:active” AND timestamp:[now-7d TO now]

7

HI @schattopadhy , it was my bad, i though this question was for IIQ.

8

Hello, thank you for reply, but this doesn’t return any results, even if i remove the timestamp…

9

attributes.oldState:“active” AND attributes.attributeValue:“inactive” AND created: [now-7d TO now] - this works great, but indeed as someone mentioned in this thread it would be perfect if i can actually get identities. Any ideas on that?

10

You are right, indeed getting identities would be much more preferred. I was looking into doing this with “Seach” functionality, because i can subscribe for “Search” and get weekly reports.
If there is any other option for this i will be glad to know :slight_smile:

11

Hi @karapuuzina,

I don’t think you can use search on Identities as these LCS changes are event based.