mcheek
(Mark Cheek)
February 23, 2024, 3:30pm
1
I am trying to use Native Change Detection (NCD) to find accounts created directly in my AD source outside of IdN.
Here is the NCD config for that source
In addition, I’ve created a native-change-account-created trigger subscription
{
  "triggerId": "idn:native-change-account-created",
  "httpConfig": {
    "httpDispatchMode": "SYNC",
    "httpAuthenticationType": "NO_AUTH",
    "url": "https://webhook.site/REDACTED",
    "basicAuthConfig": null,
    "bearerTokenAuthConfig": null
  },
  "triggerName": "Native Change Account Created",
  "description": "Create operation for native change detection",
  "enabled": true,
  "id": "9d35d4af-d727-4688-829e-0a1b33ecf106",
  "type": "HTTP",
  "name": "Native Change Account Created"
}
To test this, I manually created an account in AD, then ran an account aggregation.
The aggregation picks up the newly created account (which is uncorrelated since this isn’t an authoritative source), and I can see it in the accounts list
However, there is no audit event created for it
And there is also no trigger fired
Am I grossly misunderstanding how this is supposed to work?
ethompson
(Edward Thompson)
February 23, 2024, 6:50pm
2
I have not walked through the steps, but is there an attribute that is being monitored as well?
4 Likes
mcheek
(Mark Cheek)
February 23, 2024, 7:23pm
3
When in doubt, RTFM
Thanks @ethompson !
Weird that you must select an attribute to monitor if all you care about is “was an account created or not?”, but oh well.
mcheek
(Mark Cheek)
February 23, 2024, 7:33pm
4
Not sure who needs to hear this feedback, but the difference in the JSON you get from the event trigger vs the audit event leaves a bit to be desired.
From the event trigger, there is a property called singleValueAttributeChanges, which is structured very nicely
{
  "singleValueAttributeChanges": [
    {
      "name": "employeeType",
      "newValue": "EMP",
      "oldValue": null
    },
    {
      "name": "sAMAccountName",
      "newValue": "mc",
      "oldValue": null
    },
    {
      "name": "userPrincipalName",
      "newValue": "[email protected] ",
      "oldValue": null
    }
  ]
}
When you look at the equivalent property in the event log… ew
{
  "singleValueAttributeChanges": "[{\"name\":\"employeeType\",\"newValue\":\"EMP\"},{\"name\":\"sAMAccountName\",\"newValue\":\"mc\"},{\"name\":\"userPrincipalName\",\"newValue\":\"[email protected] \"}]"
}
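Added example, not part of the original thread and not SailPoint code: a small Python normalizer that accepts both shapes of singleValueAttributeChanges shown in the post above (the array in the trigger payload and the JSON-encoded string in the audit event) and returns one consistent structure, so the same detection logic can consume either source. The function names and the sample records are constructed for illustration; the userPrincipalName value is a placeholder.

```python
import json


def normalize_changes(record):
    """Return singleValueAttributeChanges as a list of name/oldValue/newValue dicts.

    Handles the trigger shape (a list) and the audit-event shape (a JSON string
    that omits oldValue when there was no previous value).
    """
    raw = record.get("singleValueAttributeChanges")
    if raw is None or raw == "":
        return []
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"singleValueAttributeChanges is not valid JSON: {exc}") from exc
    if not isinstance(raw, list):
        raise ValueError("singleValueAttributeChanges must decode to a list")
    changes = []
    for item in raw:
        if not isinstance(item, dict) or "name" not in item:
            raise ValueError(f"unexpected change entry: {item!r}")
        changes.append({
            "name": item["name"],
            "oldValue": item.get("oldValue"),  # absent in the audit event -> None
            "newValue": item.get("newValue"),
        })
    return changes


def created_attributes(record):
    """Map attribute name -> new value for attributes that had no previous value."""
    return {c["name"]: c["newValue"]
            for c in normalize_changes(record) if c["oldValue"] is None}


# Constructed sample records modelled on the two shapes in the post.
TRIGGER_EVENT = {"singleValueAttributeChanges": [
    {"name": "employeeType", "newValue": "EMP", "oldValue": None},
    {"name": "sAMAccountName", "newValue": "mc", "oldValue": None},
    {"name": "userPrincipalName", "newValue": "mc@example.com", "oldValue": None},
]}
AUDIT_EVENT = {"singleValueAttributeChanges":
    '[{"name":"employeeType","newValue":"EMP"},'
    '{"name":"sAMAccountName","newValue":"mc"},'
    '{"name":"userPrincipalName","newValue":"mc@example.com"}]'}

if __name__ == "__main__":
    print(normalize_changes(TRIGGER_EVENT) == normalize_changes(AUDIT_EVENT))
    print(created_attributes(AUDIT_EVENT))
```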
mehuljogi
(Mehul Jogadia)
February 23, 2024, 7:45pm
5
Hello Mark,
To search for an audit event, the following search query might help:
name:"Create Native Change Detected"
Also try viewing the Activity Log for that specific trigger under "Event Triggers > Activity Log"; that might help:
2 Likes
I’m guessing the account might have to correlate to an identity for the event to be picked up as native change as you could have a ton of uncorrelated accounts potentially.
mehuljogi
(Mehul Jogadia)
February 23, 2024, 8:22pm
7
Hi Patrick,
I think it is not necessary for an account to be correlated to an identity; the native change event should be detected for uncorrelated accounts as well… The following image might help:
3 Likes
mcheek
(Mark Cheek)
February 23, 2024, 8:33pm
8
Hi @mehuljogi and @patrickboston
Edward’s reply was the solution… I had to select one or more attributes to monitor.
Also this works on uncorrelated accounts