Adding identity attribute to Correlation rule for entra accounts

Hello,

I have written a correlation rule which works, but I would like to improve it, specifically to handle exceptional cases.

Currently, we have exceptional identities with emails in the format @ext.testcompany.com, while Entra creates accounts only with @testcompany.com. I initially considered using the mailNickname attribute from the Entra account (typically formatted as name.surname, sometimes prefixed with adm, aws, or onmicrosoft for privileged accounts) and the email identity attribute.

The main challenge I’m facing is accessing or matching the email identity attribute within the correlation rule.

If anyone is willing to review the rule or provide suggestions, it would be greatly appreciated.

Map returnMap = new HashMap();

String calculatedmailNickname = account.getStringAttribute("mailNickname");
calculatedmailNickname = calculatedmailNickname.replaceFirst("(?i)^adm.", "");
calculatedmailNickname = calculatedmailNickname.replaceFirst("(?i)^aws.", "");
calculatedmailNickname = calculatedmailNickname.replaceFirst("(?i)onmicrosoft.", "");

String identityAttributeName = "email";
String identityAttributeValue = identity.getAttribute(identityAttributeName);

if (calculatedmailNickname != null && identityAttributeValue != null) {
    if (identityAttributeValue.contains("@ext.testcompany.com")) {
        calculatedmailNickname = calculatedmailNickname + "@ext.testcompany.com";
    } else if (identityAttributeValue.contains("@testcompany.com")) {
        calculatedmailNickname = calculatedmailNickname + "@testcompany.com";
    }
}

returnMap.put("identityAttributeName", identityAttributeName);
returnMap.put("identityAttributeValue", calculatedmailNickname);

return returnMap;

validator error:

[RegExRuleValidator(598)] <Rule> tag: Rule name defined within the Rule tag does not match name defined in the file name
  Line 19 - [LintBSHMethodInvocation(93)] null Exception: Could not retrieve definition for variable name 'identity'
    19: String identityAttributeValue = identity .getAttribute ( identityAttributeName )


    Variables may be injected by IDN, these variables can be injected into the rule by modifying the Rule's XML Signature, Add an Argument to the Input Section.  Example adding a variable 'academicLevel':
    <Inputs>
      <Argument name="academicLevel" type="java.lang.String"...

I don’t believe that the Correlation Rule has access to the ‘identity’ object within it, based on the documentation for the Rule and the available input variables:

You’ll likely have to use the idnRuleUtil ‘idn’ to search for the identity to compare to based on the possible name options.
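A sketch of the search-based approach suggested in the reply, written here as an added example in plain Java; it is not code from the thread or from SailPoint. The `countByEmail` function is a hypothetical stand-in for whichever idnRuleUtil identity search is used, and the sample directory is constructed. It tries both domains from the post and returns a value only when exactly one identity matches, so a privileged adm/aws account is never attached to a guessed identity.

```java
import java.util.*;
import java.util.function.Function;

public class MailNicknameCorrelation {
    // Domains taken from the post; the order is the lookup order.
    static final List<String> DOMAINS = List.of("@testcompany.com", "@ext.testcompany.com");

    // Strip the privileged-account prefixes the same way the posted rule does.
    static String normalize(String mailNickname) {
        if (mailNickname == null || mailNickname.trim().isEmpty()) return null;
        String n = mailNickname.trim();
        n = n.replaceFirst("(?i)^adm.", "");
        n = n.replaceFirst("(?i)^aws.", "");
        n = n.replaceFirst("(?i)onmicrosoft.", "");
        return n.isEmpty() ? null : n;
    }

    // countByEmail is a hypothetical stand-in for an identity search by email.
    // Returns the single email that matches exactly one identity, or null.
    static String resolveEmail(String mailNickname, Function<String, Integer> countByEmail) {
        String base = normalize(mailNickname);
        if (base == null) return null;
        String match = null;
        for (String domain : DOMAINS) {
            String candidate = base + domain;
            int hits = countByEmail.apply(candidate);
            if (hits > 1) return null;             // duplicate emails: do not guess
            if (hits == 1) {
                if (match != null) return null;    // both domains matched: ambiguous
                match = candidate;
            }
        }
        return match;
    }

    public static void main(String[] args) {
        // Constructed sample directory: email -> number of identities holding it.
        Map<String, Integer> directory = new HashMap<>();
        directory.put("jane.doe@testcompany.com", 1);
        directory.put("john.roe@ext.testcompany.com", 1);
        directory.put("sam.lee@testcompany.com", 1);
        directory.put("sam.lee@ext.testcompany.com", 1);
        Function<String, Integer> lookup = e -> directory.getOrDefault(e, 0);

        for (String nick : new String[] {"adm.jane.doe", "john.roe", "aws.sam.lee", null}) {
            String email = resolveEmail(nick, lookup);
            System.out.println(nick + " -> " + (email == null ? "uncorrelated" : email));
        }
    }
}
```

In the rule itself, the resolved value would be placed in `returnMap` as `identityAttributeValue`, and a null result would leave the account uncorrelated for manual review.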
