Managing Native Change Detection

Native change detection detects when accounts have been created, updated, or deleted out-of-band. You can use native change detection to remediate incidents where accounts are changed or entitlements are assigned outside the Identity Security Cloud. The changes are detected on aggregation by comparing stored information with newly read information.

Enabling Native Change Detection

  1. Go to Admin > Connections > Sources.

  2. In Table View, select Actions > Edit for a source. Alternatively, in Cards view, select the Edit button for a source.

    You can also enable native change detection when you create a new source.

  3. In the Aggregation and Provisioning section, select Native Change Detection.

  4. Select the Enable Native Change Detection toggle to enable native change detection.

  5. Choose which account operations to monitor.

  6. Choose which attributes to monitor.

    Notes

    • The options you select will have an AND relationship. For example, if you choose to monitor account creations and the memberOf entitlement attribute, Identity Security Cloud will only detect newly created accounts with the memberOf entitlement attribute.
    • You can also use the Native Change Detection API to choose which operations and attributes to monitor.
  7. Select Save.

After you have enabled native change detection for a source, you must run an aggregation to discover native changes.

Notes

  • Native Change Detection is not available for Non-Employee Lifecycle Management sources.

  • To enable Native Change Detection for SAML Just-in-Time sources, submit an API call with the Put Native Change Detection Config endpoint.

Configuring Native Change Event Triggers

You can set up the following event triggers to listen for native changes:

Each event contains information about the attributes and operations you have selected. Events may include the following information:

  • The account, source, and identity with the change.
  • The entitlements that were added or removed.
  • The non-entitlement attributes that changed.

Notes

  • One event is fired per account when a change is detected. For example, if Identity Security Cloud detects that 5 accounts have native changes in an aggregation, 5 events will be fired.
  • Events are fired for both correlated and uncorrelated accounts.

Configuring Native Change Detection Workflows

You can use workflows to remediate native changes.

  1. Go to Admin > Workflows.

  2. Select + New Workflow.

  3. Choose Select a Template.

  4. Choose one of the following templates:

    • Revoke Entitlement Additions Detected as Native Change Account Created - This workflow initiates when a Native Change Account Created event containing entitlement additions is detected. Each new entitlement is revoked, and a summary email is sent to the source owner.

    • Revoke Entitlement Additions Detected as Native Change Account Updated - This workflow initiates when a Native Change Account Updated event containing entitlement additions is detected. Each new entitlement is revoked, and a summary email is sent to the source owner.

    Note

    These workflows will skip entitlements with null IDs. Revocation requests require a valid Entitlement ID.

To use these templates, select the recommended default configuration for native change detection—to monitor changes to all entitlement attributes for all account operations.
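The following Python is an added illustration, not code from the SailPoint documentation or product: it models the AND relationship between the monitored operations and attributes described under Enabling Native Change Detection, the one-event-per-account behaviour, and the template workflows' rule of skipping entitlements with null IDs. The config and event structures, the operation names, and the sample changes are constructed assumptions, not the product's API schema.

```python
from dataclasses import dataclass

@dataclass
class NativeChangeConfig:
    """Constructed stand-in for a source's native change detection settings."""
    operations: set   # account operations to monitor
    attributes: set   # attribute names to monitor (entitlement or non-entitlement)

@dataclass
class DetectedChange:
    """Constructed stand-in for one account change found during aggregation."""
    account: str
    operation: str
    changed_attributes: dict  # attribute name -> new values (entitlements are dicts)

def fires_event(cfg: NativeChangeConfig, change: DetectedChange) -> bool:
    """Monitored operation AND at least one monitored attribute must both match."""
    if change.operation not in cfg.operations:
        return False
    return any(name in cfg.attributes for name in change.changed_attributes)

def plan_revocations(change: DetectedChange, entitlement_attr: str = "memberOf") -> list:
    """Like the template workflows: revoke each added entitlement, skipping null IDs."""
    added = change.changed_attributes.get(entitlement_attr, [])
    return [ent["id"] for ent in added if ent.get("id") is not None]

def triage(cfg: NativeChangeConfig, changes: list) -> dict:
    """One entry per account that fires an event, mapped to entitlement IDs to revoke."""
    return {c.account: plan_revocations(c) for c in changes if fires_event(cfg, c)}

# Constructed sample config: monitor creations and updates, only the memberOf attribute.
CONFIG = NativeChangeConfig(
    operations={"ACCOUNT_CREATED", "ACCOUNT_UPDATED"},
    attributes={"memberOf"},
)
# Constructed sample changes as an aggregation might surface them.
SAMPLE_CHANGES = [
    DetectedChange("jdoe", "ACCOUNT_CREATED", {"memberOf": [
        {"id": "ent-0001", "value": "CN=Domain Admins"},
        {"id": None, "value": "CN=Unresolved Group"},   # null ID: skipped by the workflow
    ]}),
    DetectedChange("asmith", "ACCOUNT_UPDATED", {"title": "Engineer"}),  # attribute not monitored
    DetectedChange("bjones", "ACCOUNT_DELETED", {"memberOf": [
        {"id": "ent-0002", "value": "CN=Finance"},
    ]}),                                                                 # operation not monitored
]

if __name__ == "__main__":
    print(triage(CONFIG, SAMPLE_CHANGES))  # {'jdoe': ['ent-0001']}
```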

Searching for Native Change Detection Audit Events

You can search for the following audit events to report on native changes:

To search audit events:

  1. Select Search.

  2. Enter one of the following search queries:

    • name:"Create Native Change Detected"

    • name:"Update Native Change Detected"

    • name:"Delete Native Change Detected"

  3. Select the Search icon.