Skip to main content
Skip table of contents

How to Sync Integration Logs to SIEM Based on the Integration Action

This document explains how to retrieve action-specific integration logs for synchronization with your SIEM.

On the MonoSync platform, whenever an action is successfully completed, its corresponding log entry is written to the IntIntegrationActionStat table.

Below is an example demonstrating how to query logs based on the action name and integration ID.

  1. Flex Cube Application

SQL 
SELECT 
    'Flex User Create'           AS "FlexActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '457772bc-5c91-4ec9-84d3-8a60f2c70c7d'
  AND "ActionName" = 'object_update'
UNION ALL
SELECT 
    'Flex User Modification'    AS "FlexActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '86b12833-76d3-4fd0-bf7b-da9094811751'
  AND "ActionName" = 'object_update'
UNION ALL
SELECT 
    'Flex User Termination'     AS "FlexActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = 'e79b1a5b-a6eb-4963-bb72-a2ccc4b624ec'
  AND "ActionName" = 'object_update'
ORDER BY  -- ORDER BY string alias works because format is ISO-like
    "ActionDate" DESC;
CleanShot 2025-12-10 at 04.09.31-20251210-010941.png

Flex Cube Application Logs

  1. RTPS Application

SQL 
SELECT 
    'RTPS User Create'           AS "RTPSActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = 'dae6e35b-49e9-4966-a0f1-8a17346b9281'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'RTPS User Modification'    AS "RTPSActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '593e2ff9-ebe6-44b5-94b5-c324b50cf12e'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'RTPS User Termination'     AS "RTPSActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '9676b6ee-95eb-4372-9f06-875266c38ebe'
  AND "ActionName" = 'execute_script'
ORDER BY  -- ORDER BY string alias works because format is ISO-like
    "ActionDate" DESC;
CleanShot 2025-12-10 at 04.18.25-20251210-011830.png

RTPS Application Logs

  1. CMS Application

SQL 
SELECT 
    'CMS User Create'           AS "CMSActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '349d2b9f-e3fe-41b2-a1e7-ff0a97dbefe2'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS User Modification'    AS "CMSActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '93516efe-c82b-4e44-a9fe-fe35ed4e8640'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS User Termination'     AS "CMSActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '8337a1b9-38ad-4548-ae79-34ab04413fa3'
  AND "ActionName" = 'execute_script'
ORDER BY  -- ORDER BY string alias works because format is ISO-like
    "ActionDate" DESC;
CleanShot 2025-12-10 at 04.20.25-20251210-012030.png

CMS Application Logs

  1. CMS/AMS LDAP Application

SQL 
SELECT 
    'CMS/AMS LDAP User Create'           AS "CMSAMSLDAPActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '83484df1-7273-4488-a6d0-0eb296d68fff'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS/AMS LDAP User Modification'    AS "CMSAMSLDAPActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = 'eb76c191-2f9b-4104-898f-e58ac011da87'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS/AMS LDAP User Termination'     AS "CMSAMSLDAPActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '54340586-065d-45d3-bbe4-15ad2b078445'
  AND "ActionName" = 'execute_script'
ORDER BY  -- ORDER BY string alias works because format is ISO-like
    "ActionDate" DESC;
CleanShot 2025-12-10 at 04.24.26-20251210-012438.png

CMS/AMS LDAP Action Logs

If an application requires its logs to be collected separately, the SQL scripts provided above can be used individually for SIEM integration.

However, if the SIEM platform needs to retrieve logs from all core system applications, all SQL scripts can be executed together to collect the full set of integration logs.

SQL 
SELECT 
    'Flex User Create'           AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '457772bc-5c91-4ec9-84d3-8a60f2c70c7d'
  AND "ActionName" = 'object_update'
UNION ALL
SELECT 
    'Flex User Modification'    AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '86b12833-76d3-4fd0-bf7b-da9094811751'
  AND "ActionName" = 'object_update'
UNION ALL
SELECT 
    'Flex User Termination'     AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = 'e79b1a5b-a6eb-4963-bb72-a2ccc4b624ec'
  AND "ActionName" = 'object_update'
UNION ALL
SELECT 
    'RTPS User Create'           AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = 'dae6e35b-49e9-4966-a0f1-8a17346b9281'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'RTPS User Modification'    AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '593e2ff9-ebe6-44b5-94b5-c324b50cf12e'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'RTPS User Termination'     AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '9676b6ee-95eb-4372-9f06-875266c38ebe'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS User Create'           AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '349d2b9f-e3fe-41b2-a1e7-ff0a97dbefe2'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS User Modification'    AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '93516efe-c82b-4e44-a9fe-fe35ed4e8640'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS User Termination'     AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '8337a1b9-38ad-4548-ae79-34ab04413fa3'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS/AMS LDAP User Create'           AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '83484df1-7273-4488-a6d0-0eb296d68fff'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS/AMS LDAP User Modification'    AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = 'eb76c191-2f9b-4104-898f-e58ac011da87'
  AND "ActionName" = 'execute_script'
UNION ALL
SELECT 
    'CMS/AMS LDAP User Termination'     AS "ActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '54340586-065d-45d3-bbe4-15ad2b078445'
  AND "ActionName" = 'execute_script'
ORDER BY  -- ORDER BY string alias works because format is ISO-like
    "ActionDate" DESC;
CleanShot 2025-12-10 at 05.00.17-20251210-020026.png

All Application Action Logs

Other applications such as Active Directory, ACS Application, Flex Cube DB, RTPS DB, CMS DB, AMS DB, ACS DB and Postgresql DB will be shared as the new scripts as soon as possible.

Note: Each log entry contains a unique Integration Action Stat ID.

If needed, you can include this value in your query by adding the following column to the SQL script:

"IntegrationActionStatId" AS "Integration Action Stat Id"

SQL 
SELECT 
    'Flex User Create'           AS "FlexActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate",
    "IntegrationActionStatId" AS "Integration Action Stat Id"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '457772bc-5c91-4ec9-84d3-8a60f2c70c7d'
  AND "ActionName" = 'object_update'
UNION ALL
SELECT 
    'Flex User Modification'    AS "FlexActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate",
    "IntegrationActionStatId" AS "Integration Action Stat Id"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = '86b12833-76d3-4fd0-bf7b-da9094811751'
  AND "ActionName" = 'object_update'
UNION ALL
SELECT 
    'Flex User Termination'     AS "FlexActionDescription",
    "PrimaryKey"                 AS "EmployeeId",
    TO_CHAR(("CreatedDate" + INTERVAL '4 hours'), 'YYYY-MM-DD HH24:MI:SS') AS "ActionDate",
    "IntegrationActionStatId" AS "Integration Action Stat Id"
FROM "IntIntegrationActionStat"
WHERE "IntegrationId" = 'e79b1a5b-a6eb-4963-bb72-a2ccc4b624ec'
  AND "ActionName" = 'object_update'
ORDER BY  -- ORDER BY string alias works because format is ISO-like
    "ActionDate" DESC;

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close