Create Account Native Change Not Detected - Am I doing something wrong?

I am trying to use Native Change Detection (NCD) to find accounts created directly in my AD source outside of IdN.

Here is the NCD config for that source
[image: screenshot of the NCD configuration for the source]

In addition, I’ve created a native-change-account-created trigger subscription

{
    "triggerId": "idn:native-change-account-created",
    "httpConfig": {
        "httpDispatchMode": "SYNC",
        "httpAuthenticationType": "NO_AUTH",
        "url": "https://webhook.site/REDACTED",
        "basicAuthConfig": null,
        "bearerTokenAuthConfig": null
    },
    "triggerName": "Native Change Account Created",
    "description": "Create operation for native change detection",
    "enabled": true,
    "id": "9d35d4af-d727-4688-829e-0a1b33ecf106",
    "type": "HTTP",
    "name": "Native Change Account Created"
}

To test this, I manually created an account in AD, then ran an account aggregation.

The aggregation picks up the newly created account (which is uncorrelated since this isn’t an authoritative source), and I can see it in the accounts list.

[image: screenshot of the accounts list showing the new account]

However, there is no audit event created for it.

And there is also no trigger fired.

Am I grossly misunderstanding how this is supposed to work?

I have not walked through the steps, but is there an attribute that is being monitored as well?


When in doubt, RTFM :expressionless:

Thanks @ethompson!

Weird that you must select an attribute to monitor if all you care about is “was an account created or not?”, but oh well.

Not sure who needs to hear this feedback, but the difference in the JSON you get from the event trigger vs the audit event leaves a bit to be desired.

From the event trigger, there is a property called singleValueAttributeChanges, which is structured very nicely:

{
    "singleValueAttributeChanges": [
        {
            "name": "employeeType",
            "newValue": "EMP",
            "oldValue": null
        },
        {
            "name": "sAMAccountName",
            "newValue": "mc",
            "oldValue": null
        },
        {
            "name": "userPrincipalName",
            "newValue": "[email protected]",
            "oldValue": null
        }
    ]
}

When you look at the equivalent property in the event log… ew

{
    "singleValueAttributeChanges": "[{\"name\":\"employeeType\",\"newValue\":\"EMP\"},{\"name\":\"sAMAccountName\",\"newValue\":\"mc\"},{\"name\":\"userPrincipalName\",\"newValue\":\"[email protected]\"}]"
}
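As an added example (not code from the thread or from SailPoint), the following Python helper normalizes singleValueAttributeChanges from either shape shown above: the JSON array delivered to the event-trigger webhook, or the JSON-encoded string found in the audit event. The sample payloads are constructed for this example and mirror the structures posted above; the field names come from the thread, while the helper names are this example's own.

```python
import json
from typing import Any

# Constructed sample payloads (not captured from a real tenant). The first mirrors
# the event-trigger webhook body, the second the audit-event record, where the
# same field arrives as a JSON string and carries no oldValue.
TRIGGER_PAYLOAD: dict[str, Any] = {
    "singleValueAttributeChanges": [
        {"name": "employeeType", "newValue": "EMP", "oldValue": None},
        {"name": "sAMAccountName", "newValue": "mc", "oldValue": None},
    ]
}

AUDIT_PAYLOAD: dict[str, Any] = {
    "singleValueAttributeChanges": (
        '[{"name":"employeeType","newValue":"EMP"},'
        '{"name":"sAMAccountName","newValue":"mc"}]'
    )
}


def normalize_changes(payload: dict[str, Any]) -> list[dict[str, Any]]:
    """Return singleValueAttributeChanges as a list of {name, newValue, oldValue}.

    Accepts the field either as a list (trigger payload) or as a JSON-encoded
    string (audit event). Malformed input raises ValueError rather than being
    silently dropped, so a parsing failure is visible in the receiver's logs.
    """
    raw = payload.get("singleValueAttributeChanges", [])
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError("singleValueAttributeChanges is not valid JSON") from exc
    if not isinstance(raw, list):
        raise ValueError("singleValueAttributeChanges must be a JSON array")

    normalized: list[dict[str, Any]] = []
    for change in raw:
        if not isinstance(change, dict) or "name" not in change:
            raise ValueError(f"malformed change entry: {change!r}")
        normalized.append(
            {
                "name": change["name"],
                "newValue": change.get("newValue"),
                # The audit form omits oldValue entirely; treat absent as None.
                "oldValue": change.get("oldValue"),
            }
        )
    return normalized


def changed_attribute_names(payload: dict[str, Any]) -> set[str]:
    """Names of the attributes reported in the change, regardless of payload shape."""
    return {c["name"] for c in normalize_changes(payload)}


def unmonitored_attributes(payload: dict[str, Any], monitored: set[str]) -> set[str]:
    """Attributes reported but not in the NCD monitored set (hypothetical set
    supplied by the caller); useful for spotting configuration drift between
    the NCD attribute list and what actually arrives."""
    return changed_attribute_names(payload) - monitored


if __name__ == "__main__":
    for label, payload in (("trigger", TRIGGER_PAYLOAD), ("audit", AUDIT_PAYLOAD)):
        print(label, normalize_changes(payload))
```

Because the audit form never carries oldValue, do not infer "this was a create" from oldValue being null; use the trigger id (idn:native-change-account-created) or the audit event name instead.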

Hello Mark,

To search for an audit event, the following Search query might help:

name:"Create Native Change Detected"

Also try viewing the Activity Log for that specific trigger under "Event Triggers > Activity Log"; that might help:


I’m guessing the account might have to correlate to an identity for the event to be picked up as native change as you could have a ton of uncorrelated accounts potentially.

Hi Patrick,

I think it is not necessary for an account to be correlated to an identity; the native change event should be detected for uncorrelated accounts as well… The following image might help:


Hi @mehuljogi and @patrickboston

Edward’s reply was the solution… I had to select one or more attributes to monitor.

Also, this works on uncorrelated accounts.
