What is the expected return value of the idn.attrSearchGetIdentityName() method? Is this the Account ID or Account Name of the account? Is it the identity “name” or “alias” of the correlated identity?
After getting the value of this object? What other method could be used to obtain the identity or account object?
I’m trying to write a correlation rule for accounts that may hold an older, outdated email address. In theory, I will promote the proxyAddresses account attribute of Active Directory and use that for lookup. Once I find the account or identity that holds the proxyAddress, I’ll be able to pull identifying information to be used in the correlation rule.
Based on the search results, attrSearchGetIdentityName() returns the identity “name” (not alias), which is the unique identity ID in ISC. After obtaining this value, you can use idn.getIdentityById(identityName) to retrieve the full identity object for further processing.
For your AD proxyAddresses correlation scenario, consider using idn.searchIdentities(queryString) to search across identity attributes for matching email addresses, then extract correlation details from the returned identity objects.
Thanks for the detailed reply. Can you link the documentation for the idn.searchIdentities(queryString) method? I can’t seem to find that.
I’m concerned with promoting the proxyAddresses as an identity attribute to be searched since it is a multivalued field. In my experience, idn.attrSearchCountAccounts() will detect the multivalued proxyAddresses correctly.
I don’t see an idn.searchIdentities(queryString) method in the IdnRuleUtil public JavaDocs, so I don’t think there’s official documentation for that specific call.
For your AD proxyAddresses use case, I agree with your point: keep proxyAddresses as a searchable account attribute (not an identity attribute). The IdnRuleUtil search-attribute methods are designed for exactly this, and attrSearchCountAccounts() can handle multi-valued attributes.
For correlation, attrSearchGetIdentityName(...) returns the correlated identity name (per the JavaDocs: “Get the identity name for the account matching the specified criteria.”). Use that returned value directly in your correlation rule returnMap as the identity “name”.
If you still need account context after you get the identity name, use getFirstAccount() / getAllAccounts() for the application + identityName. I would not use getIdentityById() here because the JavaDocs state it fetches by internal id**,** which is a different identifier than identity “name”.