Anonymous_User Absent Member.

IDM 4.5 + Sentinel 7.3 Identity Tracking not enriching event


Hi ALL,

I have an IDM 4.5 + Sentinel 7.3 Identity Tracking configured. Users are
provisioned fine on Sentinel. eDirectory is instrumented and events are
linked with identity data:

[image: https://dl.dropboxusercontent.com/u/4163327/edir_works.png]

.... but events from the IDM collector don't link targetUserName or
initiatorUserName with the Sentinel provisioned Identity.

[image: https://dl.dropboxusercontent.com/u/4163327/idm_fail.png]

Could someone please help?

Thanks,
Ivan


--
ivangotti
------------------------------------------------------------------------
ivangotti's Profile: https://forums.netiq.com/member.php?userid=3495
View this thread: https://forums.netiq.com/showthread.php?t=53018

Anonymous_User Absent Member.

Re: IDM 4.5 + Sentinel 7.3 Identity Tracking not enriching event


There are 3 pieces of information needed to do IdT matching.... The
UserName, the UserDomain, and the Tenant....these must match the values
set in identityAccounts.csv in your map_data directory. By the looks of
your screen shot, the "default" tenant is not being added to IDM
events....check your collector.


--
-"Also now available in 'G+'
(https://plus.google.com/u/0/112362149544381813153) and 'Website'
(https://www.isam.kiwi/) format".- 😉
------------------------------------------------------------------------
ScorpionSting's Profile: https://forums.netiq.com/member.php?userid=469
View this thread: https://forums.netiq.com/showthread.php?t=53018

ivangotti Absent Member.

Re: IDM 4.5 + Sentinel 7.3 Identity Tracking not enriching event


Dear Mr. Scorpion,

I have fixed the tenant but it keeps not enriching the events even on
the same event. Am I missing something? The IDTracking driver is ok and
the solution pack is installed.



Regards,
Ivan


ScorpionSting Absent Member.

Re: IDM 4.5 + Sentinel 7.3 Identity Tracking not enriching event


Ivan,

Pick an event that is not working.....then take the Initiator/Target
Username and check your identityAccountMap.csv....check that the related
Userdomain and the Tenant from the event are populated in the output.

e.g.


Code:
--------------------
cd /var/opt/novell/sentinel/data/map_data/
grep -Hni "myusername" identityAccountMap.csv
--------------------


ScorpionSting Absent Member.

Re: IDM 4.5 + Sentinel 7.3 Identity Tracking not enriching event


The identityAccountMap.csv is auto populated by Sentinel from data in
the PostgreSQL database [SIEM].[public].[usr_account] which is in turn
populated by the IdT driver (which also populates the other usr_account*
and usr_identity* tables).


ScorpionSting Absent Member.

Re: IDM 4.5 + Sentinel 7.3 Identity Tracking not enriching event


Got your Cool Solution's message....what I can't see from the screen
shots is the event TargetUserDomain....can you please SS or double check
that value? There was an issue with the prefix slash on the eDir
domainname which I suspect may be what is happening here....or the
domains are different.


ivangotti Absent Member.

Re: IDM 4.5 + Sentinel 7.3 Identity Tracking not enriching event


ScorpionSting;260573 Wrote:
> Got your Cool Solution's message....what I can't see from the screen
> shots is the event TargetUserDomain....can you please SS or double check
> that value? There was an issue with the prefix slash on the eDir
> domainname which I suspect may be what is happening here....or the
> domains are different.


Thank you for your help. Figured out that the current eDirectory collector
has a bug. See Bugzilla – Bug 910328 - eDirectory collector truncating
TargetTrustDomain, TargetUserDomain on certain events.
There is an attached internal build collector that works!


ScorpionSting Absent Member.

Re: IDM 4.5 + Sentinel 7.3 Identity Tracking not enriching event


Good to hear you got it working and that it was that known issue.


--
-"Also now available in 'G+'
(http://plus.google.com/+BenWalter-Kiwi) and 'Website'
(https://www.isam.kiwi/) format".- 😉
------------------------------------------------------------------------
ScorpionSting's Profile: https://forums.netiq.com/member.php?userid=469
View this thread: https://forums.netiq.com/showthread.php?t=53018
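
The checks discussed in this thread (username, user domain and tenant must all match one row of the map file; a domain that differs only by its prefix slash or arrives truncated will not match) can be scripted as below. This is an added example, not part of any post or of Sentinel itself: the verdict names, the sample rows and their column order are constructed, and treating both "/" and "\" as the prefix slash is an assumption.

```shell
#!/bin/sh
# Added example; verdict names and sample rows are constructed, not Sentinel output.

# idt_check MAPFILE USERNAME USERDOMAIN TENANT
# Finds rows holding USERNAME as a whole field, then grades how well the event
# domain and tenant match that row. Column order is not assumed.
idt_check() {
    U="$2" D="$3" T="$4" awk -F',' '
    function norm(s) { gsub(/^[ \t"]+|[ \t"]+$/, "", s); return tolower(s) }
    function bare(s) {   # strip leading "/" or "\" (assumed prefix forms)
        while (substr(s, 1, 1) == "/" || substr(s, 1, 1) == "\\") s = substr(s, 2)
        return s
    }
    BEGIN {
        u = norm(ENVIRON["U"]); d = norm(ENVIRON["D"]); t = norm(ENVIRON["T"])
        bd = bare(d); rank = 0
        split("DOMAIN_MISMATCH DOMAIN_TRUNCATED DOMAIN_SLASH TENANT_MISMATCH MATCH", name, " ")
        name[0] = "NO_USER"
    }
    {
        hasu = hast = 0; dom = 1
        for (i = 1; i <= NF; i++) {
            f = norm($i); bf = bare(f)
            if (f == u) { hasu = 1; continue }
            if (t != "" && f == t) { hast = 1; continue }
            if (d != "" && f == d) dom = 4                       # exact domain
            else if (bd != "" && bf == bd && dom < 3) dom = 3    # prefix slash differs
            else if (bd != "" && index(bf, bd) == 1 && dom < 2) dom = 2  # event value cut short
        }
        if (!hasu) next
        if (dom == 4 && hast) dom = 5
        if (dom > rank) rank = dom
    }
    END { print name[rank] }' "$1"
}

# Constructed sample rows; the real file may use a different column layout.
write_sample_map() {
    cat > "$1" <<'EOF'
jdoe,\ACME_TREE\users,default,1001
asmith,ACME_TREE\users,default,1002
bwong,\ACME_TREE\users\contractors,default,1003
EOF
}

map=$(mktemp); write_sample_map "$map"
idt_check "$map" asmith '\ACME_TREE\users' default   # row lacks the leading slash
rm -f "$map"
```

On a real system, pass /var/opt/novell/sentinel/data/map_data/identityAccountMap.csv as the first argument and take the other three values from the event that fails to enrich.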