Accounts Not Aggregated with Correlation Rule

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Hello! Attempting to implement my first correlation rule in ISC, but hitting a unexpected issue after implementation.

Instead of correlating accounts (or even leaving them uncorrelated), the accounts that fall under the scope of the rule, are simply not created/aggregated into ISC. Most accounts are prefixed with US, but the identity attributes we need to match to (eg UID or activeDirectoryLogin) do not. The source creates accounts that do not meet the rule criteria, but any accounts starting with US/ are not created.

ISC is ‘scanning’ the correct number of accounts, but only creates accounts that do not meet the rule criteria below.

import java.util.HashMap;
import java.util.Map;
import java.lang.Character;
import sailpoint.tools.Util;

Map returnMap = new HashMap();

String accountName = account.getStringAttribute("name");
log.debug("account name is:" + accountName);

if (accountName.contains("US\\")) {
    log.debug("accountName Contains US\\");
    accountName = accountName.replaceAll("US\\", "").trim();
    log.debug("account name is:" + accountName);

    if (accountName.toLowerCase().contains("svc")) {
      log.debug("Service account. Correlating " + accountName + " to uid");
      returnMap.put("identityAttributeName", "uid");
      returnMap.put("identityAttributeValue", accountName);
    }
    else {
      log.debug("Standard AD account. Correlating " + accountName + " to activeDirectoryLogin");
      returnMap.put("identityAttributeName", "activeDirectoryLogin");
      returnMap.put("identityAttributeValue", accountName);
    }

    log.debug(returnMap);
}

return returnMap;

Any guidance would be super appreciated!

2

Hi Andrew,
You have put logger in the rule. can you please put log output here?
Thanks
Ritu

3

Hi @aberkey
I feel that it is not even going inside the if condition. as you mentioned its not even aggregating that could be only reason as it does not fulfill the if condition.

I know you are trying to do the escaping, but as per your question input will be something like: US/1001
Which should be transformed to 1001

I would suggest if you can try with the below if statement:

if(accountName.contains("US/")){
	        accountName = accountName.replace("US/", "").trim();        
	    }

I am thinking that the input id is not coming as escaped so once try with the above statement and let us know what logs reflect after that.

Hope this brings closer to the solution…

4

We found the issue!

Because I am trying to get rid of the US, I needed to use “US\” in the rule due to the \ escape character. This causes an error when attempting to use replaceAll(), which resulted in the account not being created in ISC.

Using substring() we were able to get the desired results, and bypass the error. The only change was to line 3:

accountName = accountName.substring(accountName.lastIndexOf("\\")+1);