I was running some tests, assigning administrator permissions (UserLevel:ORG_ADMIN) on some identities in my client’s Sandbox environment, in order to identify if I could detect these events (possibly through the “Identity Attributes Changeg” EventTrigger) to send them to an external system like a SIEM; However, I find that this Trigger does not detect these types of changes.
Is it possible to immediately identify when a user is assigned an administrator permission in IdentityNow and send it to a SIEM?
If i understand correctly you need to hit provisioning to and external source of Type SCIM based on attribute change in Identity, It my Understanding is correct this can be done when you configure LifeCycle State to trigger provisioning for SCIM source based on addition or changes in IdentityAttribute.
If you are just looking for access provisioning like in this case “ORG_ADMIN” for ISC then can you check this event “Provisioning Completed” and give it a try.
Let me know if I am missing anything in the use-case.
