Native Change Account Created
Event Context
Important Setup Steps
You must have at least one source configured for Native Change Detection (NCD) before you will receive events from this trigger. There are two ways to configure a source for NCD:
- Invoke the update native change detection configuration for each source you want to receive NCD events for.
- Configure the NCD options on the source in the source configuration UI.
The Native Change Account Created trigger fires after account aggregation detects that a new account was created outside of Identity Security Platform, on sources where:
- Native Change Detection is enabled
- Account Create operations are monitored
- At least one attribute selected for monitoring changed
This event trigger can be used to immediately notify interested parties and remediate accounts that are created directly on the source. Some examples of how this trigger can be used are as follows:
- Notify the identity's manager and the source owner of the new account
- Create a micro-certification for the identity to review their new account access
- Automatically disable or lock accounts created directly on a source
This is an example input from this trigger:
```json
{
  "identity": {
    "manager": {
      "name": "Martena Heath",
      "id": "2c91808378eb9fa30178fb8caf90097f",
      "type": "IDENTITY",
      "email": "martena.heath@sample_email.com"
    },
    "name": "peter.williams",
    "alias": "peter.williams",
    "id": "e43ba47b265b4baf943efe3aaef886c8",
    "type": "IDENTITY",
    "email": "peter.williams@sample_email.com"
  },
  "singleValueAttributeChanges": [
    {
      "newValue": "Peter Williams",
      "name": "cn",
      "oldValue": null
    },
    {
      "newValue": "Peter Williams",
      "name": "displayName",
      "oldValue": null
    },
    {
      "newValue": "CN=Peter Williams,OU=Austin,OU=Americas,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
      "name": "distinguishedName",
      "oldValue": null
    },
    {
      "newValue": "Peter",
      "name": "givenName",
      "oldValue": null
    }
  ],
  "entitlementChanges": [
    {
      "removed": [],
      "added": [
        {
          "owner": {
            "id": "2c91808978eb9fab0178fb8ca9280919",
            "name": "Gregory Brooks",
            "type": "IDENTITY"
          },
          "name": "ProductionManagement",
          "id": "2c91808778eb9fa30178fb9482f00c60",
          "value": "CN=ProductionManagement,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
        },
        {
          "owner": null,
          "name": "Employees",
          "id": "2c91808378eb9fa30178fb94818e0af8",
          "value": "CN=Employees,OU=BirthRight,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
        },
        {
          "owner": null,
          "name": "WindowsAdministration",
          "id": "2c91808378eb9fa30178fb9481c30b02",
          "value": "CN=WindowsAdministration,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
        }
      ],
      "attributeName": "memberOf"
    }
  ],
  "eventType": "ACCOUNT_CREATED",
  "source": {
    "owner": {
      "name": "Aaron Andrew",
      "id": "2c9180867a7c46d0017a7ca099d50531",
      "type": "IDENTITY",
      "email": "aaron.andrew@sample_email.com"
    },
    "name": "Active Directory",
    "alias": "Active Directory [source]",
    "id": "2c91808a78efc63e0178fb8624b248c5",
    "type": "SOURCE",
    "governanceGroup": {
      "id": "fd0d1393-35fb-47d8-9809-0e385b73f25e",
      "name": "Active Directory Owners",
      "type": "GOVERNANCE_GROUP"
    }
  },
  "accountChangeTypes": ["ATTRIBUTES_CHANGED", "ENTITLEMENTS_ADDED"],
  "multiValueAttributeChanges": [
    {
      "removedValues": [],
      "addedValues": ["top", "person", "organizationalPerson", "user"],
      "name": "objectClass"
    },
    {
      "removedValues": [],
      "addedValues": [
        "Normal User Account",
        "Password Cannot Expire",
        "User Account is Disabled"
      ],
      "name": "accountFlags"
    }
  ],
  "account": {
    "name": "peter.williams",
    "id": "b3b17b0072f04da39b41e8802aaff01b",
    "type": "ACCOUNT",
    "uuid": "{615ebfa6-3d21-484e-9e67-01bd4e20c3da}",
    "correlated": true,
    "nativeIdentity": "CN=Peter Williams,OU=Austin,OU=Americas,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
  }
}
```
- `identity` - The identity correlated to this account. If `account.correlated` is `false`, then this will be a system generated identity, not a real identity. For uncorrelated accounts, this system generated identity can be used to revoke entitlements on the account, or in any other API request that requires an identity ID.
- `singleValueAttributeChanges` - Contains a list of account attributes that have changed. During an account created event, all aggregated account attributes will be listed, and their `oldValue` will be null.
  - It will include ALL account attributes if the config is `"allNonEntitlementAttributes": true`
  - It will include the enumerated list of attributes contained in `"selectedNonEntitlementAttributes": []`
- `entitlementChanges` - Contains a list of entitlements that have been aggregated with the account. The `removed` list will always be empty for an account created event.
- `eventType` - Will always be `ACCOUNT_CREATED` for account created events.
- `source` - The source where this account originated from.
- `accountChangeTypes` - A list of change types you can expect to see in the event input.
  - Possible values are `ATTRIBUTES_CHANGED` and `ENTITLEMENTS_ADDED`.
  - The above example lists both change types since both attributes and entitlements were added. If an event payload only contains attributes added, then this list will only contain the `ATTRIBUTES_CHANGED` value. This can be useful when filtering events based on change types, or quickly checking what types of objects changed in the account before continuing to process the input.
- `multiValueAttributeChanges` - List of multivalued attributes that were aggregated with the account. Only `addedValues` will appear for account created events.
  - It will include ALL account attributes if the config is `"allNonEntitlementAttributes": true`
  - It will include the enumerated list of attributes contained in `"selectedNonEntitlementAttributes": []`
- `account` - The details of the account as it appears in Identity Security Cloud. This information can be used to query the account API for more information.
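Added example (not SailPoint's code) of subscriber-side triage for this payload: it applies the `accountChangeTypes` filter and the `account.correlated` rule described above to decide who to notify and whether the account should be locked. `SAMPLE_EVENT` is a trimmed copy of the payload shown earlier, and the `PRIVILEGED_ENTITLEMENTS` watch list is an assumption for the example.

```python
"""Triage a Native Change Account Created event (added example, not SailPoint code)."""

# Constructed sample event: a trimmed copy of the example payload above.
SAMPLE_EVENT = {
    "eventType": "ACCOUNT_CREATED",
    "accountChangeTypes": ["ATTRIBUTES_CHANGED", "ENTITLEMENTS_ADDED"],
    "identity": {"name": "peter.williams",
                 "manager": {"name": "Martena Heath", "email": "martena.heath@sample_email.com"}},
    "source": {"name": "Active Directory", "owner": {"email": "aaron.andrew@sample_email.com"}},
    "account": {"name": "peter.williams", "correlated": True},
    "entitlementChanges": [{
        "attributeName": "memberOf", "removed": [],
        "added": [{"name": "ProductionManagement"}, {"name": "Employees"},
                  {"name": "WindowsAdministration"}],
    }],
}

# Hypothetical watch list: entitlements that must never be granted outside ISC.
PRIVILEGED_ENTITLEMENTS = {"WindowsAdministration", "Domain Admins"}


def added_entitlements(event):
    """Names of entitlements aggregated with the new account ('removed' is always empty here)."""
    names = []
    for change in event.get("entitlementChanges", []):
        names.extend(e["name"] for e in change.get("added", []))
    return names


def triage(event):
    """Decide recipients and remediation from the event payload alone."""
    if event.get("eventType") != "ACCOUNT_CREATED":
        return {"action": "ignore", "reason": "not an account created event"}
    change_types = set(event.get("accountChangeTypes", []))
    # An uncorrelated account carries a system-generated identity with no real manager.
    uncorrelated = not event["account"].get("correlated", False)
    recipients = []
    owner_email = (event.get("source", {}).get("owner") or {}).get("email")
    if owner_email:
        recipients.append(owner_email)
    manager_email = None if uncorrelated else (event["identity"].get("manager") or {}).get("email")
    if manager_email:
        recipients.append(manager_email)
    privileged = []
    if "ENTITLEMENTS_ADDED" in change_types:  # skip the scan when only attributes changed
        privileged = sorted(PRIVILEGED_ENTITLEMENTS & set(added_entitlements(event)))
    action = "disable" if (uncorrelated or privileged) else "micro-certification"
    return {"action": action, "notify": recipients,
            "privileged_added": privileged, "uncorrelated": uncorrelated}
```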
Additional Information and Links
- Trigger Type: FIRE_AND_FORGET