IDN mass update alerting

Just want to ask, can IDN detect any mass update (unusual attribute modifications) from an authoritative source (e.g. Cornerstone, Workday, etc.)? For example, if the termination date of a massive number of users suddenly got updated, or similar cases, will IDN send out an alert to admins?

Played around with the Workflow triggers but I can’t find any way around this.

Thanks a lot!

@renzambos here is what you can do

  1. Create an endDate identity attribute and map it to your account attribute (endDate).
  2. Build a search query with a range, for example attributes.endDate:[now-1M TO now], save it, and subscribe to it with the required recipients. It will send an email with the count and the users going to be terminated.

The link below will help you build the date range:

With this you will get a notification of how many users are getting terminated in the near future, for example if you are querying endDate within 30 days.

Hope it works for you!

Regards,
Shekhar Das

@renzambos You can do the following

  1. Write a PowerShell script (or a script in any other language); the first step would be to call the search API.
  2. Make the API call to search for the identities modified in the last 60 minutes: modified:[now-1h TO now].
  3. Count how many identities were modified by building the logic in the script (the V3 search API gives 250 records at a time, so you need to keep calling until all the results are retrieved).
  4. If you see a massive count (you can hardcode this value; let's say you got a count of more than 1000 accounts), then admins should get alerted by sending an email using the same script.
  5. You can schedule the script on the client's server on an hourly basis.

In SailPoint Workflows, though we could use a scheduled trigger to get the result of the same search query, we can't add a condition to send the email only if there are more than n identities modified in the system.

Let me know if it helps.
Thanks,
Vaibhav
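The paging-and-threshold part of the script above, as an added example that is not code from this thread or from SailPoint. It assumes the V3 search call is POST {base}/v3/search?limit=250&offset=N with the JSON body shown in SEARCH_BODY; the HTTP call itself is injected as a function so the counting logic runs offline against a constructed result set.

```python
"""Hourly mass-update check via the ISC V3 search API (added example, not the
thread's code). Assumed request: POST {base}/v3/search?limit=250&offset=N with
body {"indices": ["identities"], "query": {"query": "modified:[now-1h TO now]"}}.
The HTTP call is injected so the counting logic runs and tests offline."""
from typing import Any, Callable, Dict, Iterator, List

PAGE_SIZE = 250               # V3 search returns at most 250 records per call
MASS_UPDATE_THRESHOLD = 1000  # alert when more identities than this changed
SEARCH_BODY = {"indices": ["identities"],
               "query": {"query": "modified:[now-1h TO now]"}}

# fetch_page(offset) -> identity records of the page starting at that offset
FetchPage = Callable[[int], List[Dict[str, Any]]]


def iter_modified_identities(fetch_page: FetchPage,
                             page_size: int = PAGE_SIZE) -> Iterator[Dict[str, Any]]:
    """Walk every page; a short (or empty) page marks the end of the result set."""
    offset = 0
    while True:
        page = fetch_page(offset)
        yield from page
        if len(page) < page_size:
            return
        offset += page_size


def count_modified_identities(fetch_page: FetchPage, page_size: int = PAGE_SIZE) -> int:
    return sum(1 for _ in iter_modified_identities(fetch_page, page_size))


def should_alert(modified_count: int, threshold: int = MASS_UPDATE_THRESHOLD) -> bool:
    return modified_count > threshold


def build_alert(modified_count: int, threshold: int = MASS_UPDATE_THRESHOLD) -> str:
    """Subject line for the admin email; sending is left to the scheduler host."""
    return (f"[ISC] Possible mass update: {modified_count} identities modified "
            f"in the last hour (threshold {threshold})")


def make_fake_fetch_page(total: int, page_size: int = PAGE_SIZE) -> FetchPage:
    """Constructed stand-in for the HTTP call: simulates `total` search hits."""
    def fetch_page(offset: int) -> List[Dict[str, Any]]:
        ids = range(offset, min(offset + page_size, total))
        return [{"id": f"identity-{i}", "attributes": {"endDate": "2024-01-31"}}
                for i in ids]
    return fetch_page
```

In production, replace make_fake_fetch_page with a function that posts SEARCH_BODY with the given offset and a bearer token, and hand build_alert's text to whatever mail sender the scheduled host provides.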

You could create a workflow that uses the Accounts Collected for Aggregation trigger. This trigger will start the workflow when Identity Security Cloud has gathered the accounts on a source and is prepared to aggregate them. It provides a stat before the aggregation starts that tells you how many accounts were changed.

{
    "source":{
        "id":"4e4d982dbdff4267ab16f0f1e72b5c6d",
        "name":"Corporate Active Directory",
        "type":"SOURCE"
    },
    "status":"Success",
    "started":"2020-06-29T22:01:50.474Z",
    "completed":"2020-06-29T22:02:04.090Z",
    "errors":[
    ],
    "warnings":[
        "Account skipped"
    ],
    "stats":{
        "scanned":200,
        "unchanged":190,
        "changed":6,
        "added":4,
        "removed":3
    }
}

You can create an event trigger filter that filters only on the authoritative source(s) you are interested in being alerted on, as well as filters on any aggregation event that is above a certain changed threshold. The trigger filter would look something like this:

$[?($.trigger.source.name == "Corporate Active Directory" && $.trigger.stats.changed > 1000)]

If the filter passes, then you can add a send email step to send out an alert to a list of admins with the number of accounts being changed.

The only downside is that this does not tell you what attributes are changing. You could instead use the Account Aggregation Completed trigger with the same filter, and then run a search query as proposed in the replies above to get a list of attributes that actually changed and send that in an email.


Thanks! This might actually work. I will test this out.
