Just want to ask, can IDN detect any mass update (unusual attribute modifications) from an authoritative source (e.g. Cornerstone, Workday, etc.)? For example, if the termination date of a massive number of users suddenly got updated, or in similar cases, will IDN send out an alert to admins?
Played around with the Workflow triggers but I can’t find any way around this.
Create endDate identity attribute and map it to your account attribute (endDate).
Build a search query with a range, for example attributes.endDate:[now-1M TO now], save it, and subscribe the required recipients to it. It will send an email with the count and the users going to be terminated.
Below link will help you build the date range:
This way you will get a notification of how many users are getting terminated in the near future; for example, here you are querying endDate within 30 days.
Write a PowerShell script (or a script in any other language); the first step would be to call the search API.
Make the API call to search for the identities modified in the last 60 minutes: modified:[now-1h TO now].
Count how many identities were modified by constructing the logic in the script (the V3 search API gives 250 records at a time, so you need to keep calling until all the results are retrieved).
If you see a massive count (you can hardcode this value; let's say you got a count of more than 1000 accounts), then admins should get alerted by sending an email using the same script.
You can schedule the script on the client’s server on an hourly basis.
From SailPoint Workflow, though we could use a scheduled trigger to get the result of the same search query, we can’t add a condition of sending email only if there are more than n identities modified in the system.
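The scripted check described in the reply above, sketched in Python as an added example (not code from the original post or from SailPoint). It assumes the V3 search endpoint is called as `POST {base_url}/v3/search` with `limit` and `offset` query parameters; `base_url`, `token` and the `fake_source` stand-in are placeholders, and mailing the returned alert text is left to the caller. Identities are counted by unique `id` because offset paging over a result set that is still changing can return the same record twice.

```python
import json
import urllib.request
from typing import Callable, Dict, List

PAGE_SIZE = 250            # page size the post gives for the V3 search API
ALERT_THRESHOLD = 1000     # example threshold from the post
QUERY = "modified:[now-1h TO now]"

def http_fetch_page(base_url: str, token: str, offset: int) -> List[Dict]:
    """POST one search page. base_url and token are placeholders you supply."""
    body = json.dumps({"indices": ["identities"],
                       "query": {"query": QUERY},
                       "sort": ["id"]}).encode()
    req = urllib.request.Request(
        f"{base_url}/v3/search?limit={PAGE_SIZE}&offset={offset}",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def count_modified(fetch_page: Callable[[int], List[Dict]]) -> int:
    """Page until a short (or empty) page arrives; count unique identity ids."""
    seen = set()
    offset = 0
    while True:
        page = fetch_page(offset)
        seen.update(doc["id"] for doc in page)
        if len(page) < PAGE_SIZE:
            return len(seen)
        offset += PAGE_SIZE

def check(fetch_page: Callable[[int], List[Dict]]) -> str:
    """Return an alert line when the hourly count exceeds the threshold, else ''."""
    n = count_modified(fetch_page)
    if n > ALERT_THRESHOLD:
        return (f"ALERT: {n} identities modified in the last hour "
                f"(threshold {ALERT_THRESHOLD})")
    return ""

def fake_source(total: int) -> Callable[[int], List[Dict]]:
    """Constructed stand-in for the API: serves `total` fake identity documents."""
    docs = [{"id": f"id-{i:05d}"} for i in range(total)]
    return lambda offset: docs[offset:offset + PAGE_SIZE]

if __name__ == "__main__":
    print(check(fake_source(1203)) or "below threshold")
```

For a real run, pass `lambda offset: http_fetch_page(base_url, token, offset)` to `check` from the hourly scheduled job.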
You could create a workflow that uses the Accounts Collected for Aggregation trigger. This trigger will start the workflow when Identity Security Cloud has gathered the accounts on a source and is prepared to aggregate them. It provides a stat before the aggregation starts that tells you how many accounts were changed.
You can create an event trigger filter that filters only on the authoritative source(s) you are interested in being alerted on, as well as filters on any aggregation event that is above a certain changed threshold. The trigger filter would look something like this:
$[?($.trigger.source.name == "Corporate Active Directory" && $.trigger.stats.changed > 1000)]
If the filter passes, then you can add a send email step to send out an alert to a list of admins with the number of accounts being changed.
The only downside is that this does not tell you what attributes are changing. You could instead use the Account Aggregation Completed trigger with the same filter, and then run a search query as proposed in the replies above to get a list of attributes that actually changed and send that in an email.