
Managing Native Change Detection

Native change detection detects when accounts have been created, updated, or deleted out-of-band. You can use native change detection to remediate incidents where accounts are changed or entitlements are assigned outside Identity Security Cloud. Changes are detected during aggregation by comparing the stored account data with the data newly read from the source.

Enabling Native Change Detection

  1. Go to Admin > Connections > Sources.

  2. Select or edit the source you want to enable native change detection on.

    You can also enable native change detection when you create a source.

  3. In the Account Management section, select Native Change Detection.

  4. Select the Enable Native Change Detection toggle to enable native change detection.

  5. Choose which account operations to monitor.

  6. Choose which attributes to monitor.

    Notes

    • The options you select will have an AND relationship. For example, if you choose to monitor account creations and the memberOf entitlement attribute, Identity Security Cloud will only detect newly created accounts with the memberOf entitlement attribute.
    • You can also use the Native Change Detection API to choose which operations and attributes to monitor.
  7. Select Save.

After you have enabled native change detection for a source, you must run an aggregation to discover native changes.

Notes

  • Native Change Detection is not available for Non-Employee Lifecycle Management sources.

  • To enable Native Change Detection for SAML Just-in-Time sources, submit an API call with the Put Native Change Detection Config endpoint.

Configuring Native Change Event Triggers

A Native Change event trigger fires after an account aggregation detects that an account has been created, updated, or deleted outside of Identity Security Cloud. To configure the event trigger, the relevant source must have:

  • Native Change Detection enabled.
  • An account operation selected for monitoring.
  • An attribute selected for monitoring.

The following triggers can listen for native changes:

Each event contains information about the selected attributes and operations. Events may also include the following information:

  • The account, source, and identity with the change.
  • The entitlements that were added or removed.
  • The non-entitlement attributes that changed.

Notes

  • One event is fired per account when a change is detected. For example, if Identity Security Cloud detects that 5 accounts have native changes in an aggregation, 5 events will be fired.
  • Events are fired for both correlated and uncorrelated accounts.
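The following is an added example, not SailPoint's code, that models the detection logic described above: two aggregation snapshots are compared, the monitored operations and monitored attributes are combined with the AND rule, and at most one event is emitted per account. The snapshot data, the attribute names, and the split between entitlement and non-entitlement attributes are constructed assumptions for illustration.

```python
# Added illustration of native change detection semantics (not SailPoint code).
from dataclasses import dataclass, field

ENTITLEMENT_ATTRS = {"memberOf"}  # assumption: which attributes count as entitlements


@dataclass
class Config:
    operations: set   # monitored subset of {"CREATED", "UPDATED", "DELETED"}
    attributes: set   # monitored attribute names


@dataclass
class Event:
    operation: str
    account: str
    entitlements_added: dict = field(default_factory=dict)
    entitlements_removed: dict = field(default_factory=dict)
    attributes_changed: dict = field(default_factory=dict)


def _values(v):
    """Normalise a single- or multi-valued attribute to a set of values."""
    if v is None:
        return set()
    return set(v) if isinstance(v, (list, set, tuple)) else {v}


def detect_native_changes(stored, fresh, cfg):
    """Diff the stored snapshot against the newly aggregated one; one event per account."""
    events = []
    for acct in sorted(stored.keys() | fresh.keys()):
        before, after = stored.get(acct), fresh.get(acct)
        op = "CREATED" if before is None else "DELETED" if after is None else "UPDATED"
        if op not in cfg.operations:
            continue  # AND rule: the operation must be monitored ...
        ev = Event(op, acct)
        for attr in cfg.attributes:  # ... and a monitored attribute must have changed
            old, new = _values((before or {}).get(attr)), _values((after or {}).get(attr))
            if old == new:
                continue
            if attr in ENTITLEMENT_ATTRS:
                if new - old:
                    ev.entitlements_added[attr] = sorted(new - old)
                if old - new:
                    ev.entitlements_removed[attr] = sorted(old - new)
            else:
                ev.attributes_changed[attr] = (sorted(old), sorted(new))
        if ev.entitlements_added or ev.entitlements_removed or ev.attributes_changed:
            events.append(ev)
    return events


# Constructed sample snapshots: previous aggregation vs. what the connector read now.
STORED = {"alice": {"memberOf": ["Staff"], "title": "Analyst"},
          "bob": {"memberOf": ["Staff", "Domain Admins"], "title": "Engineer"},
          "carol": {"memberOf": ["Staff"], "title": "Manager"}}
FRESH = {"alice": {"memberOf": ["Staff", "Domain Admins"], "title": "Analyst"},
         "bob": {"memberOf": ["Staff"], "title": "Senior Engineer"},
         "dave": {"memberOf": ["Domain Admins"], "title": "Contractor"}}
```

With all three operations and `memberOf` monitored, the sample yields four events (alice, bob, carol, dave); monitoring only `CREATED` narrows that to dave alone, which is the AND behaviour the note above describes.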

Configuring Native Change Detection Workflows

You can use workflows to remediate native changes.

  1. Go to Admin > Workflows.

  2. Select + New Workflow.

  3. Choose Select a Template.

  4. Choose one of the following templates:

    • Revoke Entitlement Additions Detected as Native Change Account Created - This workflow initiates when a Native Change Account Created event containing entitlement additions is detected. Each new entitlement is revoked, and a summary email is sent to the source owner.

    • Revoke Entitlement Additions Detected as Native Change Account Updated - This workflow initiates when a Native Change Account Updated event containing entitlement additions is detected. Each new entitlement is revoked, and a summary email is sent to the source owner.

    Note

    These workflows will skip entitlements with null IDs. Revocation requests require a valid Entitlement ID.

To use these templates, select the recommended default configuration for native change detection: monitor changes to all entitlement attributes for all account operations.

Searching for Native Change Detection Audit Events

You can search for the following audit events to report on native changes:

To search audit events:

  1. Select Search.

  2. Enter one of the following search queries:

    • name:"Create Native Change Detected"

    • name:"Update Native Change Detected"

    • name:"Delete Native Change Detected"

  3. Select the Search icon.
