Oracle® Cloud Using Oracle CASB Cloud Service Release 20.1.1.0 E81916-66 July 2020

Oracle Cloud Using Oracle CASB Cloud Service, Release 20.1.1.0

E81916-66

Copyright © 2016, 2020, Oracle and/or its affiliates.

Primary Author: John Wolley

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

Contents

Preface

Audience xxiii

Documentation Accessibility xxiii

Certified Browsers xxiii

Related Resources xxiii

Conventions xxiv

Part I Getting Started

1 Oracle CASB Cloud Service

Typical Workflow for Oracle CASB Cloud Service 1-1

How to Begin with Oracle CASB Cloud Service 1-2

Setting Up a Primary Tenant Administrator 1-3

Accessing Oracle CASB Cloud Service Using Universal Credits 1-4

Applications Available through Universal Credit Model (UCM) 1-6

When CASB Cloud Service Is Integrated with Oracle Identity Cloud Service 1-6

Migrating from Non-Metered to Metered Tenant 1-8

About Cloud Security Monitoring 1-10

Weak Security Control Values in Your Cloud Applications 1-12

Policy Alerts (Rule-Based Alerting) 1-13

Anomalous Behaviors and IP Addresses 1-14

About Risk Management and Incident Tracking 1-16

About Reports 1-16

About Data Retention 1-16

About Risk Detection in the Oracle CASB Cloud Service Console 1-17

A Tour of the Oracle CASB Cloud Service Console 1-17

Dashboard 1-17

Threats 1-19

Applications 1-21

Risk Events 1-23

Reports 1-25

Users 1-25

Incidents 1-26

Jobs 1-27

Configuration 1-27

Administrator Management 1-28

Policy Management 1-29

Manage IP Addresses 1-30

Threat Intelligence Providers 1-30

Incident Management Providers 1-31

SIEM Providers 1-32

Threat Management 1-32

Task Overview: Starting to Monitor Cloud Applications 1-33

Part II Administrative Tasks

2 Signing In and Managing Your Account

Typical Workflow for Signing In and Managing Your Account 2-1

Signing In 2-2

Signing In for the First Time 2-2

Subsequent Logins 2-3

Lost Your Password? 2-4

Need Help with Signing In? 2-5

Viewing Your Role 2-5

Setting Your Preferences 2-6

3 Managing Oracle CASB Cloud Service Administrators

Typical Workflow for Managing Oracle CASB Cloud Service Administrators 3-1

About Administrator Roles 3-2

Adding Oracle CASB Cloud Service Administrators 3-3

Adding an Administrator through Oracle Cloud MyServices Dashboard 3-4

Adding an Administrator through the Oracle CASB Cloud Service Console 3-6

Resetting the Password for an Administrator 3-6

Modifying an Administrator's Privileges 3-7

Deleting an Administrator 3-7

4 Performing Miscellaneous Administrative Tasks

Typical Workflow for Miscellaneous Administrative Tasks 4-1

Setting Up Single Sign-on for Oracle CASB Cloud Service 4-1

Copying Oracle CASB Cloud Service Metadata 4-2

Creating a SAML Application in Oracle Identity Cloud Service 4-2

Creating a Single Sign-on Application in Okta 4-4

Configuring Single Sign-on in Oracle CASB Cloud Service 4-5

Setting Up an Identity Provider Instance 4-7

Setting Up an Oracle Identity Cloud Service (IDCS) IDP Instance 4-8

Setting Up an Okta IDP Instance 4-10

Excluding Users from Data Reporting 4-11

Part III Setting Up Cloud Applications for Monitoring

5 Preparing Cloud Applications for Monitoring

Typical Workflow for Preparing Cloud Applications for Monitoring 5-1

Setting Up a Dedicated User Account 5-1

Single Sign-On for the Oracle CASB Cloud Service User 5-2

6 Registering Cloud Applications with Oracle CASB Cloud Service

Typical Workflow for Registering Cloud Services 6-1

Verifying Your Application Registration 6-2

Resuming Monitoring that Has Stopped 6-2

Updating an Application Instance 6-3

Updating Login Credentials for an Application Instance 6-3

Updating the Security Control Baseline for an Application Instance 6-4

Removing an Application Instance 6-5

7 Setting Up Amazon Web Services (AWS)

Typical Workflow for Amazon Web Services Security Monitoring 7-1

Preparing and Registering AWS 7-2

Using an IAM Role: Creating a Dedicated Service Role 7-3

Using an IAM Role: Enabling CloudTrail 7-3

Using an IAM Role: Creating and Registering a Dedicated Service Role 7-10

Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging 7-13

Using an IAM Role: Setting Up the First Source Dedicated Service Role 7-14

Using an IAM Role: Setting Up an Additional Source Dedicated Service Role 7-17

Using an IAM Role: Creating and Registering a Source Dedicated Service Role 7-23

Using an IAM User: Creating and Registering a Dedicated Service User 7-27

Using an IAM User: Enabling CloudTrail 7-27

Using an IAM User: Creating a Dedicated Service User 7-34

Using an IAM User: Registering the Dedicated Service User 7-36

Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging 7-38

Using an IAM User: Setting Up the First Source Dedicated Service User 7-38

Using an IAM User: Setting Up an Additional Source Dedicated Service User 7-42

Using an IAM User: Registering an Additional Source Dedicated Service User 7-44

Security Control Values for AWS (Monitor Only/Read Only) 7-46

Security Control Values for AWS (Push Controls/Read-Write) 7-50

AWS Registration Errors 7-56

Validation Failed: Credentials or Permissions Issues 7-56

Validation Failed: Permissions Issues 7-57

Validation Failed: Logging Configuration Issues 7-57

Validation Failed: Other Issues 7-58

Warning: Enable CloudTrail 7-58

Updating an AWS Instance 7-58

Updating the Credentials for an AWS Instance 7-58

Updating the Security Control Baseline for an AWS Instance 7-59

Updating the IDP Instance for an AWS Instance 7-61

Next Steps for AWS 7-61

8 Setting Up Azure

Typical Workflow for Azure Monitoring 8-1

Preparing Azure 8-1

Adding an Azure Instance 8-4

Updating the Credentials for an Azure Instance 8-5

Next Steps for Azure 8-6

9 Setting Up Box

Typical Workflow for Box Security Monitoring 9-1

Preparing Box 9-2

Verify the Oracle CASB Cloud Service User's Login Method 9-2

Configuring the Box Account for Monitoring 9-2

Requirements for the Oracle CASB Cloud Service User in the Account 9-3

Creating the Dedicated Oracle CASB Cloud Service User 9-3

What To Do Next 9-4

Using Okta Single Sign-On with Box 9-4

Configuring an Oracle CASB Cloud Service User in Okta 9-5

Configuring an Okta Identity Provider Instance in Oracle CASB Cloud Service 9-5

What to Do Next 9-6

Using Ping Single Sign-On with Box 9-6

Adding a Box Instance 9-7

Adding a Box Instance (Monitor Only/Read Only) 9-7

Security Control Values for Box (Monitor Only/Read Only) 9-10

Adding a Box Instance (Push Controls/Read-Write) 9-14

Security Control Values for Box (Push Controls/Read-Write) 9-18

Example: Box Controls for SSL, Session Length, and Folder Sharing 9-21

Detecting and Managing Violations of Security Controls in Example 9-23

Updating a Box Instance 9-23

Updating the Credentials for a Box Instance 9-23

Updating the IDP Instance for a Box Instance 9-26

Updating the Security Control Baseline for a Box Instance 9-27

Updating Data Protection for a Box Instance 9-28

Updating the Reverse Proxy Configuration for a Box Instance 9-29

Next Steps for Box 9-31

10 Setting Up Custom Apps for AWS

Typical Workflow for Custom Apps for AWS Monitoring 10-1

Preparing Custom Apps for AWS 10-1

Formatting Logs for Cloudwatch 10-2

Adding a Custom Apps for AWS Instance 10-2

Updating the Credentials for a Custom Apps for AWS Instance 10-3

Next Steps for Custom Apps for AWS 10-4

11 Setting Up GitHub

Typical Workflow for GitHub Security Monitoring 11-1

Preparing GitHub 11-1

Preparing GitHub Using Basic Authentication 11-1

Preparing GitHub Using OAuth 2.0 11-2

Adding a GitHub Instance 11-2

Updating the Credentials for a GitHub Instance 11-3

Next Steps for GitHub 11-4

12 Setting Up Google for Work

Typical Workflow for Google for Work Security Monitoring 12-1

Preparing Google for Work 12-1

Creating a Dedicated User in Google Apps 12-2

Downloading Oracle CASB Cloud Service for Google Apps 12-2

Adding a Google for Work Instance 12-3

Updating the Credentials for a Google for Work Instance 12-4

Next Steps for Google for Work 12-4

13 Setting Up Microsoft Office 365

Typical Workflow for Microsoft Office 365 Security Monitoring 13-1

Preparing Microsoft Office 365 13-2

Creating the Dedicated Oracle CASB Cloud Service User 13-2

Verifying That Credentials Propagate to Office 365 Logs and Reports 13-3

What To Do Next 13-4

Using Okta Single Sign-On with Office 365 13-4

Creating an Oracle CASB Cloud Service User in Okta 13-4

Creating an Okta Identity Provider Instance 13-5

What To Do Next 13-5

Adding an Office 365 Instance 13-5

Updating an Office 365 Instance 13-7

Updating the Credentials for an Office 365 Instance 13-7

Updating the IDP Instance for an Office 365 Instance 13-8

Updating Smart Configuration for Office 365 13-8

Next Steps for Office 365 13-9

14 Setting Up Oracle Cloud Infrastructure (OCI)

Typical Workflow for OCI Monitoring 14-1

Preparing OCI 14-2

Preparing a Public/Private Key Pair 14-5

Adding an OCI Instance 14-6

Adding an OCI Tenancy 14-7

Adding an OCI Compartment under a Registered Tenancy 14-9

Adding an OCI Standalone Compartment 14-10

Updating an OCI Instance 14-11

Updating the Credentials for an OCI Instance 14-12

Updating the Security Control Baseline for an OCI Instance 14-13

Updating Registered Compartments for an OCI Instance 14-15

Checking Status of Compartments Being Registered 14-16

Working with OCI Security Control Baseline Settings and Templates 14-16

About Security Control Templates and Application Instances 14-17

Creating a Template 14-19

Attaching a Template to an OCI Application Instance 14-20

Using a Template as the Base for Custom Settings 14-21

Editing a Template 14-22

Updating a Security Control's Settings in Multiple Templates or Application Instances 14-23

Updating an Exception Setting in Multiple Application Instances 14-25

Viewing an Inventory of Template Usage 14-26

Duplicating a Template 14-26

Deleting a Template 14-28

Next Steps for OCI 14-28

15 Setting Up Oracle Enterprise Resource Planning (ERP) Cloud

Typical Workflow for Oracle ERP Cloud Monitoring 15-1

Preparing Oracle ERP Cloud 15-2

Creating a Dedicated Oracle CASB Cloud Service User in Oracle ERP Cloud 15-2

Enabling Business Object Auditing for Oracle ERP Cloud 15-4

Enabling Role Auditing for Oracle ERP Cloud 15-5

Enabling Association of Oracle CASB Cloud Service with Oracle Access Manager (OAM) for ERP Cloud 15-6

Whitelisting Oracle CASB Cloud Service if Oracle ERP Cloud Fusion POD is Whitelisted 15-7

Adding an Oracle ERP Cloud Instance 15-8

Updating an Oracle ERP Cloud Instance 15-10

Updating the Credentials for an Oracle ERP Cloud Instance 15-10

Updating Monitoring Properties for an Oracle ERP Cloud Instance 15-11

Next Steps for Oracle ERP Cloud 15-11

16 Setting Up Oracle Human Capital Management (HCM) Cloud

Typical Workflow for Oracle HCM Cloud Monitoring 16-1

Preparing Oracle HCM Cloud 16-2

Creating a Dedicated Oracle CASB Cloud Service User in Oracle HCM Cloud 16-2

Enabling Business Object Auditing for Oracle HCM Cloud 16-4

Enabling Role Auditing for Oracle HCM Cloud 16-5

Enabling Association of Oracle CASB Cloud Service with Oracle Access Manager (OAM) for HCM Cloud 16-6

Whitelisting Oracle CASB Cloud Service if Oracle HCM Cloud Fusion POD is Whitelisted 16-7

Adding an Oracle HCM Cloud Instance 16-8

Updating an Oracle HCM Cloud Instance 16-10

Updating the Credentials for an Oracle HCM Cloud Instance 16-10

Updating Monitoring Properties for an Oracle HCM Cloud Instance 16-11

Next Steps for Oracle HCM Cloud 16-11

17 Setting Up Oracle Identity Cloud Service (IDCS)

Typical Workflow for IDCS Monitoring 17-1

Preparing IDCS 17-2

Adding an IDCS Instance 17-3

Updating an IDCS Instance 17-5

Updating the Credentials for an IDCS Instance 17-5

Updating the Security Control Baseline for an IDCS Instance 17-5

Updating the IDP Instance for an IDCS Instance 17-7

Next Steps for IDCS 17-8

18 Setting Up Oracle Sales Cloud

Typical Workflow for Oracle Sales Cloud Monitoring 18-1

Preparing Oracle Sales Cloud 18-1

Creating a Dedicated Oracle CASB Cloud Service User in Oracle Sales Cloud 18-2

Enabling Role Auditing for Oracle Sales Cloud 18-4

Enabling Association of Oracle CASB Cloud Service with Oracle Access Manager (OAM) for Sales Cloud 18-5

Whitelisting Oracle CASB Cloud Service if Oracle Sales Cloud Fusion POD is Whitelisted 18-6

Adding an Oracle Sales Cloud Instance 18-6

Updating an Oracle Sales Cloud Instance 18-9

Updating the Credentials for an Oracle Sales Cloud Instance 18-9

Updating Monitoring Properties for an Oracle Sales Cloud Instance 18-9

Next Steps for Oracle Sales Cloud 18-10

19 Setting Up Salesforce Sales Cloud

Typical Workflow for Salesforce Monitoring 19-1

About Salesforce Security Monitoring 19-2

Preparing Salesforce 19-3

Creating a Dedicated Profile in Salesforce 19-3

Creating a Dedicated Oracle CASB Cloud Service User in Salesforce 19-4

Selecting the Salesforce Object Fields for Oracle CASB Cloud Service to Monitor 19-5

Viewing the Authentication Token in Salesforce 19-6

Allowing Requests from Oracle CASB Cloud Service’s IP Addresses 19-6

Using Okta Single Sign-On with Salesforce 19-6

What To Do Next 19-7

Monitoring Events in Salesforce 19-7

Monitoring Field-Level History in Salesforce 19-7

Adding a Salesforce Instance 19-8

Adding a Salesforce Instance (Monitor Only/Read Only) 19-8

Adding a Salesforce Instance (Monitor Only/Read Only, Direct Logins) 19-8

Adding a Salesforce Instance (Monitor Only/Read Only, IDCS Logins) 19-10

Adding a Salesforce Instance (Monitor Only/Read Only, Okta Logins) 19-11

Security Control Values for Salesforce (Monitor Only/Read Only) 19-13

Adding a Salesforce Instance (Push Controls/Read-Write) 19-15

Adding a Salesforce Instance (Push Controls/Read-Write, Direct Logins) 19-16

Adding a Salesforce Instance (Push Controls/Read-Write, IDCS Logins) 19-17

Adding a Salesforce Instance (Push Controls/Read-Write, Okta Logins) 19-18

Security Control Values for Salesforce (Push Controls/Read-Write) 19-20

Updating a Salesforce Instance 19-21

Updating the Credentials for a Salesforce Instance 19-22

Updating the Monitoring of Field-Level History in Salesforce 19-22

Updating the IDP Instance for a Salesforce Instance 19-23

Updating the Security Control Baseline for a Salesforce Instance 19-24

Troubleshooting for Salesforce 19-25

Blocked OAuth Token Error 19-25

Next Steps for Salesforce 19-25

20 Setting Up ServiceNow

Typical Workflow for ServiceNow Monitoring 20-1

About ServiceNow Security Monitoring 20-2

Preparing ServiceNow 20-2

Preparing the Oracle CASB Cloud Service User (Eureka) 20-3

Preparing the Oracle CASB Cloud Service User (Fuji, Geneva, Jakarta and Kingston) 20-3

Preparing the ServiceNow Environment (Eureka, Fuji, Geneva, Jakarta and Kingston) 20-4

Updating the System Tables in ServiceNow 20-4

(Optional) Configuring ServiceNow to Write Data Collector Script Events to Its Log 20-5

(Optional) Configuring ServiceNow to Write Client Script Events to Its Log 20-6

Adding a ServiceNow Instance 20-6

Updating the Credentials for a ServiceNow Instance 20-7

Next Steps for ServiceNow 20-8

21 Setting Up Slack

Typical Workflow for Slack Monitoring 21-1

About Slack Cloud Security Monitoring 21-1

Preparing Slack 21-2

Adding a Slack Instance 21-2

Updating the Credentials for a Slack Instance 21-3

Next Steps for Slack 21-4

Part IV Enhancing Security

22 Creating Policies and Managing Policy Alerts

Typical Workflow for Creating Policies and Managing Policy Alerts 22-2

About Policy Alerts 22-3

Oracle CASB Cloud Service Administrator Roles and Policies 22-6

Getting Started with Policies 22-6

Working with Managed Policies 22-8

Managing Policy Alerts in Risk Events 22-10

Creating a Policy 22-11

Duplicating a Policy 22-19

Examples of Parameters in Free-Form Conditions 22-20

Modifying a Custom Policy 22-21

Example Alert: Changes to a Sensitive File 22-22

Creating Policy Alerts for AWS 22-23

Types of AWS Alerts 22-23

Creating an AWS Policy 22-33

Creating Alerts for IAM Users 22-36

Creating Alerts for Changes to IAM Instance Profiles 22-36

Creating Alerts for Operations Performed on IAM Users 22-37

Actions for IAM User Policies 22-38

Creating Alerts for Operations Performed by AWS Users 22-39

Creating Alerts for IAM Groups 22-40

Creating Alerts for Operations on IAM Groups 22-40

Actions for IAM Group Policies 22-41

Creating Alerts for Operations Performed by Users 22-42

Creating Alerts for the AWS Root User 22-42

Creating Alerts for Access and Federated Access 22-42

Creating Alerts for IAM User Access Key Changes 22-43

Creating Alerts for Changes to Federated Access 22-43

Actions for IdProvider Policies 22-44

Creating Alerts for EC2 Instances and Networks 22-45

Creating Alerts for EC2 Starts and Terminations 22-45

Creating Alerts for EC2 Network ACL Modifications 22-46

Creating Alerts for Creating or Deleting EC2 Network ACL Entries 22-47

Creating Alerts for EC2 Network ACL Changes 22-48

Creating Alerts for EC2 Network ACL Rule Changes 22-49

Creating Alerts for EC2 Network Routing Changes 22-49

Actions for EC2 Instances and Networks 22-50

Creating Alerts for EC2 Security Groups 22-51

Creating Alerts for EC2 VPCs and VPNs 22-52

Creating Alerts for EC2 VPN Changes 22-53

Creating Alerts for EC2 VPC Changes 22-53

Creating Alerts for EC2 Internet Gateways 22-54

Creating Alerts Based on EC2 Tags 22-55

Creating Alerts for CloudTrail Changes 22-57

Creating Alerts for S3 Resources 22-58

Creating General S3 Bucket Policies 22-58

Detecting when an S3 Bucket Grants Access to Users in Nonsanctioned Accounts 22-61

Creating Alerts for Setting AWS Roles 22-61

Creating Alerts for Cloud HSM 22-64

Creating Alerts for RDS 22-65

Creating Alerts for ACM 22-66

Creating Alerts for Auto Scaling 22-67

Creating Alerts for ELB 22-68

Creating Alerts for KMS 22-69

Creating Alerts for Redshift 22-70

Creating Alerts for Route 53 22-71

Creating Alerts for Direct Connect 22-72

Creating Alerts for Elastic Search 22-73

Condition Parameters for AWS Alerts 22-74

Sample AWS Alerts 22-75

Creating Policy Alerts for Azure 22-78

Creating an Azure Policy 22-78

Condition Parameters for Azure Alerts 22-80

Creating Alerts for Virtual Networks 22-81

Creating Alerts for Virtual Machines 22-82

Creating Alerts for Storage Account Disks 22-83

Creating Alerts for Storage Accounts 22-84

Creating Alerts for Storage 22-85

Creating Alerts for Key Vault 22-86

Creating Alerts for Disks 22-87

Creating Alerts for Classic Virtual Networks 22-88

Creating Alerts for Classic Virtual Machines 22-89

Creating Alerts for Classic Storage Accounts 22-91

Creating Alerts for Azure Users 22-92

Creating Policy Alerts for Box 22-93

Creating a Box Policy 22-93

Condition Parameters for Box Alerts 22-94

Creating Alerts for Editing Box Files 22-96

Creating Alerts for Sharing Box Files and Folders 22-97

Creating Alerts for Folder Sharing or Allowing Collaboration 22-98

Creating Alerts for Unwanted Sharing and Collaboration 22-99

Creating Alerts for Renaming or Deleting Folders in Box 22-100

Creating Alerts for Users Whose Box Credentials Should Be Revoked 22-101

Parameters for Sample Box Alerts 22-103

Creating Policy Alerts for Discovered Applications 22-106

Creating a Policy for Discovered Applications 22-106

Condition Parameters for Discovered Applications 22-108

Creating Policy Alerts for GitHub 22-109

Creating a GitHub Policy 22-109

Condition Parameters for GitHub 22-111

Creating Alerts for GitHub Organization Activity 22-111

Creating Alerts for GitHub Team Activity 22-112

Creating Alerts for GitHub Repository Activity 22-113

Creating Alerts for GitHub Account Activity 22-116

Creating Policy Alerts for Google for Work 22-117

Creating a Google for Work Policy 22-117

Condition Parameters for Google for Work 22-119

Creating Alerts for Granting Access to New Mobile Devices 22-120

Creating Alerts for Sharing Content and Calendars 22-121

Creating Alerts for Administrator Actions 22-123

Creating Policy Alerts for Office 365 22-125

Creating an Office 365 Policy 22-126

Condition Parameters for Office 365 22-127

Creating Policy Alerts for Office 365 Exchange Online 22-128

Creating Alerts for Sending and Receiving Email Using Exchange Online 22-128

Outlook Protection Rule Resources 22-130

Creating Alerts for Exchange Users, Admins, Roles, Contacts, and Groups 22-130

Creating Alerts for Actions Taken on Administrators 22-130

Creating Alerts for Changes to Administrative Groups 22-131

Creating Alerts for Changes to User Role Assignments 22-132

Creating Alerts for Other User, Group, Admin, Role, and Contact Resources 22-133

Creating Alerts for DLP, Malware, and Filtering 22-135

Additional DLP, Malware, and Filtering Resources 22-136

Creating Alerts for Exchange Information Rights Management 22-136

Creating Alerts for Exchange Online Access Rules 22-137

Other Exchange Online Access Resources 22-138

Creating Alerts for Exchange Mailboxes and Folders 22-139

Creating Alerts for Other Exchange Mailbox Actions 22-140

Creating Alerts for Exchange Email Retention Rule Changes 22-141

Creating Alerts for Journal Rule Changes 22-142

Creating Alerts for Mailbox Retention Rule Changes 22-143

Creating Alerts for Exchange Mobile Devices and ActiveSync 22-144

Creating Alerts for Other ActiveSync Device Actions 22-145

Other Alerts for Mobile Services and ActiveSync 22-146

Creating Alerts for Unified Messaging 22-146

Alerts for Other Exchange Online Resources 22-148

Subscriptions 22-148

Admin Audit Log 22-148

System Configuration 22-149

Migration and Move Requests 22-149

Organizations 22-150

Creating Policy Alerts for Office 365 SharePoint and OneDrive 22-150

Creating Alerts for SharePoint and OneDrive User and Group Management 22-151

Creating Alerts for SharePoint and OneDrive Files and Folders 22-152

Creating Alerts for SharePoint Application Management 22-156

Creating Alerts for SharePoint and OneDrive Site Management 22-157

Creating Alerts for SharePoint Evidence Management 22-158

Creating Policy Alerts for Office 365 Azure Active Directory 22-159

Creating Alerts for Azure AD User, Group, and Role Management 22-159

Creating Alerts for Azure AD Application and Directory Management 22-161

Creating Policy Alerts for Oracle Cloud Infrastructure (OCI) 22-162

Creating an OCI Policy 22-163

Condition Parameters for Oracle Cloud Infrastructure 22-164

Creating Alerts for Compute Images 22-165

Creating Alerts for Compute Instances 22-166

Creating Alerts for Database Systems 22-167

Creating Alerts for Dynamic Routing Gateways 22-168

Creating Alerts for Identity Groups 22-169

Creating Alerts for Identity Policies 22-170

Creating Alerts for Identity Users 22-171

Creating Alerts for Identity Compartments 22-173

Creating Alerts for Identity Federations 22-173

Creating Alerts for Networking Internet Gateways 22-174

Creating Alerts for Networking Load Balancers 22-175

Creating Alerts for Networking Network Security Groups 22-176

Creating Alerts for Networking Security Lists 22-177

Creating Alerts for Networking Virtual Cloud Networks 22-178

Creating Alerts for Object Storage 22-179

Creating Alerts for Storage Block Volumes 22-180

Creating Policy Alerts for Oracle ERP Cloud 22-181

Creating an Oracle ERP Cloud Policy 22-182

Condition Parameters for Oracle ERP Cloud 22-183

Creating Alerts for Oracle ERP Cloud Roles 22-188

Creating Alerts for ERP Cloud Business Objects 22-189

Creating Alerts for Oracle ERP Cloud Login Events 22-191

Creating Policy Alerts for Oracle HCM Cloud 22-192

Creating an Oracle HCM Cloud Policy 22-192

Condition Parameters for Oracle HCM Cloud 22-194

Creating Alerts for Oracle HCM Cloud Roles 22-198

Creating Alerts for Oracle HCM Cloud Objects 22-199

Creating Alerts for Oracle HCM Cloud Login Events 22-200

Creating Policy Alerts for Oracle Identity Cloud Service (IDCS) 22-201

Creating an IDCS Policy 22-201

Condition Parameters for IDCS 22-203

Creating Policy Alerts for Oracle Sales Cloud 22-204

Creating an Oracle Sales Cloud Policy 22-204

Condition Parameters for Oracle Sales Cloud 22-206

Creating Alerts for Oracle Sales Cloud Roles 22-210

Creating Alerts for Oracle Sales Cloud Login Events 22-211

Creating Policy Alerts for Salesforce 22-212

Creating a Salesforce Policy 22-213

Creating Alerts for Standard Salesforce Objects 22-214

Creating Alerts for Custom Salesforce Objects 22-215

Creating Alerts for Changes to a Custom Object Configuration 22-216

Creating Alerts for Changes to a Custom Object Record 22-217

Creating Alerts for Configuration Changes: Setup Audit Trail 22-218

Creating Alerts for Configuration Changes to Any Salesforce Object 22-219

Creating Alerts for User Profiles 22-220

Creating Alerts for Roles 22-221

Creating Alerts for Object History Tracking 22-222

Creating Alerts for Mass Deletes and Transfers 22-224

Creating Alerts for Running and Exporting Custom Reports 22-225

Creating Alerts for Changes to Security Controls in Salesforce 22-226

Creating Alerts for User Privilege Updates 22-227

Condition Parameters for Salesforce Alerts 22-228

Creating Policy Alerts for ServiceNow 22-229

Creating a ServiceNow Policy 22-229

Condition Parameters for ServiceNow Alerts 22-231

Creating Alerts for ServiceNow Roles 22-237

Creating Alerts for ServiceNow Users 22-238

Creating Alerts for ServiceNow Incident Types 22-239

Creating Alerts for ServiceNow Assets 22-240

Creating Alerts for ServiceNow Scripts 22-242

Creating Alerts for Bulk Exports from ServiceNow 22-242

Creating Policy Alerts for Slack 22-244

Creating a Slack Policy 22-244

Creating Alerts for Slack Direct Messages 22-246

Creating Alerts for Slack Files 22-247

Creating Alerts for Slack Private Channels 22-248

Creating Alerts for Slack Public Channels 22-249

23 Maintaining Secure Configuration Settings

Typical Workflow for Maintaining Secure Configuration Settings 23-1

About Security Configuration Monitoring 23-2

Managing Weak or Noncompliant Security Controls 23-2

Putting IP Addresses on Blacklists or Whitelists 23-4

Pushing Security Control Values to an Application Instance 23-6

24 Discovering Shadow Applications

Typical Workflow for Discovering Shadow Applications 24-1

About Discovering Shadow Applications 24-2

Subscribing to Oracle CASB Cloud Service — Discovery 24-3

Updating an App Discovery Subscription 24-4

Ending an App Discovery Subscription 24-4

Manually Uploading a Log File 24-4

Setting Up Automatic Upload of Log Files 24-6

Viewing Discovered Applications and Understanding the Results 24-8

Working with the Key Security Indicators Tab 24-10

App Discovery Reference 24-12

Required Log Fields 24-12

Log File Processing Stages 24-14

25 Managing Data Protection

Typical Workflow for Managing Data Protection 25-1

Getting Started with Data Protection 25-2

Managing Named Conditions 25-3

Managing Information Types 25-4

Managing Information Groups 25-6

Managing Classifications 25-7

Managing Rules 25-7

Performing a Retroactive Scan 25-11

Viewing Scan Results 25-13

Viewing Scan Results in Risk Events 25-13

Viewing Scan Results in the Data Page 25-14

Data Protection Limitations 25-15

Part V Monitoring Cloud Applications

26 Creating and Running Reports

Typical Workflow for Creating and Running Reports 26-2

What's in Reports 26-2

Running Predefined Reports 26-4

User Activity Reports 26-4

User Details: Activity for One User 26-4

User Activity Report: Activity for All Users 26-5

System Audit Trail Report 26-6

Analyzing a Report 26-6

Creating a Custom New Report 26-7

Running an Ad Hoc Report: Report Builder 26-8

Viewing Predefined Application-Specific Reports 26-9

Viewing Reports for AWS 26-10

AWS Report Types 26-10

Viewing Reports for Azure 26-11

Viewing Reports for Box 26-11

Viewing Reports for Custom Apps for AWS 26-12

Viewing Reports for GitHub 26-12

Viewing Reports for Google for Work 26-13

Viewing Reports for Microsoft Office 365 26-14

Viewing Reports for Oracle Cloud Infrastructure (OCI) 26-16

Viewing Reports for Oracle ERP Cloud 26-17

Viewing Reports for Oracle HCM Cloud 26-18

Viewing Reports for Oracle Sales Cloud 26-18

Viewing Reports for Salesforce 26-19

Viewing Reports for ServiceNow 26-20

Viewing Reports for Slack 26-21

27 Analyzing User Activity Risks and Trends

Typical Workflow for Analyzing User Activity Risks and Trends 27-1

Different Types of Risk That Oracle CASB Cloud Service Monitors 27-2

Risk Summaries: The Dashboard Summary Tab 27-3

Overall Health of All Registered Services: The Health Summary Card 27-4

Incidents Summary 27-5

Risks Specific to Each Application: The Applications Page 27-5

Risks to Users 27-6

Identifying High Risk Users: User Risk Levels Card 27-6

Analyzing User Risks: The Users Page 27-7

Users with the Most Failed Logins Card 27-9

Users with the Most Logins Card 27-9

Risks for Access IPs and Clients 27-10

Suspicious and Normal Access IP Addresses: The Dashboard Access Map 27-10

The IP Addresses Analyzed Card 27-11

The Client and Device Access Card 27-12

Managing Different Types of Risks 27-12

Searching For and Viewing Risks 27-12

Viewing Risk Events from the Risk Events Page 27-13

Viewing Risk Events from the Dashboard 27-14

Viewing Risk Events from the Applications Page 27-14

Dismissing Risk Events 27-15

28 Managing Behavioral Anomalies and Threats

Typical Workflow for Managing Behavioral Anomalies and Threats 28-1

Dashboard View of User Risks and Threats 28-2

Finding and Analyzing Users at Risk 28-3

Finding Users at Risk 28-3

Processing Users with High Risk Scores 28-3

Analyzing Users at Risk 28-4

User Risk Factors 28-5

General Risk Factors 28-5

AWS Risk Factors 28-8

Box Risk Factors 28-12

Google Apps Risk Factors 28-14

Office 365 Risk Factors 28-16

Salesforce Risk Factors 28-17

ServiceNow Risk Factors 28-21

Viewing Suspicious Activity Threats 28-24

Remediating and Dismissing a Suspicious Activity Threat 28-25

Monitoring Suspicious IP Addresses 28-25

Detecting Application-Specific Threats 28-26

Detecting Threats in AWS 28-26

Viewing Security Controls Monitored for AWS 28-26

Detecting Threats in Azure AD 28-30

Detecting Threats in Box 28-31

Behavioral Threats and Box 28-31

Viewing Security Controls Monitored for Box 28-31

Monitoring Drift from Your Security Settings for Box 28-35

Detecting threats in Custom Apps for AWS 28-36

Detecting Threats in GitHub 28-36

Detecting Threats in Google for Work 28-37

Detecting Threats in Office 365 28-37

Detecting Threats in Oracle Cloud Infrastructure (OCI) 28-37

Detecting Threats in Oracle ERP Cloud 28-38

Detecting Threats in Oracle HCM Cloud 28-38

Detecting Threats in Oracle Sales Cloud 28-38

Detecting Threats in Salesforce 28-39

Finding Weak Security Control Values in Salesforce 28-40

Monitoring Drift from Your Salesforce Baseline 28-41

Viewing Security Controls Monitored for Salesforce 28-42

Detecting Threats in ServiceNow 28-42

Detecting Threats In Slack 28-42

29 Tracking Incident Tickets

Typical Workflow for Tracking Incident Tickets 29-1

About Incident Management 29-1

Finding, Managing, and Resolving Incidents 29-2

Finding an Incident in the Dashboard 29-2

Finding an Incident in the Risk Events Page 29-2

Finding an Incident in the Incidents Page 29-2

Managing an Incident in the Incidents Page 29-3

Resolving an Incident 29-4

Part VI Exporting Data

30 Exporting Data from Oracle CASB Cloud Service

Typical Workflow for Data Export Options 30-1

Exporting a Report 30-1

Exporting Risk Events to a CSV File 30-2

About Data Retention 30-4

Part VII Appendixes

A Troubleshooting Registration of Fusion Applications

An error occurred while connecting to the Oracle ERP Cloud instance A-1

Auditing is not enabled for OPSS A-1

Auditing is not enabled for these business objects... A-1

Authorization has failed A-2

Failed to get Audit API version A-2

Invalid hostname A-2

Invalid login credentials A-2

Invalid OAM hostname A-2

Oracle <Fusion Application type> instance you are trying to connect to is not available A-2

Unable to determine the OAM server hostname A-2

Unable to reach Oracle ERP Cloud instance, as CASB IPs are not whitelisted A-3

You have selected to associate CASB instance with OAM but OAM integration is not enabled A-3

B Objects Monitored by Application Type

Amazon Web Services (AWS) Objects B-1

Azure Objects B-2

Box Objects B-3

Custom Apps for AWS Objects B-3

GitHub Objects B-3

Google for Work Objects B-3

Microsoft Office 365 Objects B-4

Oracle Cloud Infrastructure (OCI) Objects B-9

Oracle Enterprise Resource Planning (ERP) Cloud Objects B-9

Oracle Human Capital Management (HCM) Cloud Objects B-10

Oracle Sales Cloud Objects B-11

Salesforce Sales Cloud Objects B-11

ServiceNow Objects B-11

Slack Objects B-12

C Third-Party and Open Source Software Attributions

MIT License C-1

Apache 2.0 License C-2

BSD License C-5

Jquery Serialize Object License C-6

D Managing Oracle CASB Cloud Service's Data Center Migration

E Removal of Incident Management Console and Related Integrations

Preface

Using Oracle CASB Cloud Service is comprehensive documentation that supports the monitoring and the remediation of security threats to cloud applications using Oracle CASB Cloud Service.

Audience

Oracle CASB Cloud Service Online Help is for anyone who wants to perform administrative tasks for cloud applications using Oracle CASB Cloud Service. Familiarity with cloud applications is helpful, but isn’t required.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Certified Browsers

For the best user experience, and highest security protections, access Oracle CASB Cloud Service through one of these certified browsers:

• Internet Explorer v. 11

• Google Chrome v. 50

• Mozilla Firefox v. 42

Related Resources

For more information, see these Oracle resources:

• What's New for Oracle CASB Cloud Service

• Known Issues for Oracle CASB Cloud Service

• Oracle CASB Cloud Service Videos

• Oracle Public Cloud

Conventions

The following text conventions are used in this document:

• boldface: Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.

• italic: Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.

• monospace: Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

Part I Getting Started

Learn about the first things you need or want to do with Oracle CASB Cloud Service.

Chapters:

• Oracle CASB Cloud Service

1 Oracle CASB Cloud Service

Learn about the basic components of Oracle CASB Cloud Service and how they monitor cloud services to identify suspicious activity early.

Topics:

• Typical Workflow for Oracle CASB Cloud Service

• How to Begin with Oracle CASB Cloud Service

• Setting Up a Primary Tenant Administrator

• Accessing Oracle CASB Cloud Service Using Universal Credits

• Migrating from Non-Metered to Metered Tenant

• About Cloud Security Monitoring

• About Risk Detection in the Oracle CASB Cloud Service Console

• A Tour of the Oracle CASB Cloud Service Console

• Task Overview: Starting to Monitor Cloud Applications

Typical Workflow for Oracle CASB Cloud Service

With Oracle CASB Cloud Service, you can perform tasks such as learning about cloud security monitoring, risk detection, and the Oracle CASB Cloud Service console, and using Oracle CASB Cloud Service.

Each task below is followed by a short description and the topic that has additional information:

• Start using Oracle CASB Cloud Service. You can learn what you need to do to begin using Oracle CASB Cloud Service. See How to Begin with Oracle CASB Cloud Service.

• Learn how to create a primary tenant administrator. You can create another primary tenant administrator for your Oracle CASB Cloud Service tenant. See Setting Up a Primary Tenant Administrator.

• Use universal credits to access Oracle CASB Cloud Service. You can learn how to access Oracle CASB Cloud Service using universal credits. See Accessing Oracle CASB Cloud Service Using Universal Credits.

• Understand migrating from non-metered service to metered service. You can learn how to migrate from a non-metered service to a metered service. See Migrating from Non-Metered to Metered Tenant.

• Understand cloud security monitoring. You can learn how Oracle CASB Cloud Service gives you visibility into the security of your cloud applications and services to help ensure that your critical data is secure. See About Cloud Security Monitoring.

• Understand managing risks. You can learn the different types of risks that Oracle CASB Cloud Service detects and how to manage them. See About Risk Detection in the Oracle CASB Cloud Service Console.

• Understand the Oracle CASB Cloud Service Console. You can learn about the major screens and the functions they provide in the Oracle CASB Cloud Service console. See A Tour of the Oracle CASB Cloud Service Console.

• Start monitoring cloud applications. You can get started with using Oracle CASB Cloud Service to monitor your cloud applications. See Task Overview: Starting to Monitor Cloud Applications.

How to Begin with Oracle CASB Cloud Service

To get started with Oracle CASB Cloud Service, you must request a trial or paid subscription.

To begin using Oracle CASB Cloud Service:

1. Sign up for a free credit promotion or purchase a subscription.

See Request and Manage Free Oracle Cloud Promotions or Buy an Oracle Cloud Subscription in Getting Started with Oracle Cloud.

2. Access Oracle CASB Cloud Service.

See Accessing Oracle CASB Cloud Service Using Universal Credits.

3. Set up the primary tenant administrator for Oracle CASB Cloud Service.

See Setting Up a Primary Tenant Administrator.

4. Learn more about user accounts and roles.

After you have set up the primary tenant administrator, you can set up additional administrators with limited privileges, or you can hand off that task to the primary tenant administrator you created.

See Managing Oracle CASB Cloud Service Administrators.

Oracle CASB Cloud Service can also be requested in a non-metered model. See Buying a Nonmetered Subscription to an Oracle Cloud Service in Getting Started with Oracle Cloud.

Setting Up a Primary Tenant Administrator

One of the very first tasks to perform in Oracle CASB Cloud Service is to set up the person who will have primary long-term responsibility for managing the service as a tenant administrator.

Note:

A primary tenant administrator can be set up automatically, by having that person be the first to log in to Oracle CASB Cloud Service after the person who receives the welcome email logs in.

The first person who receives the initial email with the first login information for Oracle CASB Cloud Service is designated as the root tenant administrator. Typically, this person is not the same person who will have primary long-term responsibility for administering the service. If that is the case in your organization, it is important for the first person who works with Oracle CASB Cloud Service to correctly set up that second person, the primary long-term administrator, as a tenant administrator.

Note:

The tenant administrator role has full permissions to view and change everything in the service. See About Administrator Roles.

1. Identify the person who will have long-term responsibility for managing Oracle CASB Cloud Service and gather this information:

• First name.

• Last name.

• Email address.

Note:

This email address must not contain the percent sign character (“%”).

2. Add the new tenant administrator as a user in Oracle Cloud My Services portal.

See Adding an Administrator through Oracle Cloud MyServices Dashboard.

Note:

If your organization is not currently using universal credits to subscribe to Oracle CASB Cloud Service:

• See Migrating from Non-Metered to Metered Tenant if you want to switch to universal credits.

• Without switching, you can access the Oracle CASB Cloud Service console from the Oracle Cloud My Services dashboard by following steps 5-7 in Accessing Oracle CASB Cloud Service Using Universal Credits.

3. Create an administrator in Oracle CASB Cloud Service, with the tenant administrator role.

See Adding an Administrator through the Oracle CASB Cloud Service Console.

Performing this task causes a "welcome" email to be sent to the new tenant administrator, with the login URL and the login user name (the user's email address).

Note:

The user's login credentials will be the same for Oracle CASB Cloud Service and for the Oracle Cloud My Services dashboard. The password does not appear in the "welcome" email.

4. Verify that the new tenant administrator is able to successfully log in to the Oracle CASB Cloud Service console:

• Directly, using the login URL provided in the "welcome" email.

• Indirectly, through the Oracle Cloud My Services dashboard.

Accessing Oracle CASB Cloud Service Using Universal Credits

Follow the directions in the “Welcome to Oracle Cloud” emails, then access Oracle CASB Cloud Service by setting up an Oracle CASB account.

Although integrating Oracle CASB Cloud Service with Oracle Identity Cloud Service is not required in order to access Oracle CASB Cloud Service using universal credits, it is recommended:

• If you need to integrate Oracle CASB Cloud Service with Oracle Identity Cloud Service, log in to My Oracle Support to log your service requests and get help.

• For information on other ways of contacting Oracle Support, see Contact Oracle Support.

If you are the initial identity domain administrator or service administrator, Oracle Cloud sends you a “Welcome to Oracle Cloud” email that lets you activate your services. After your services are activated, Oracle Cloud sends you a second “Welcome to Oracle Cloud” email that contains your user name, your temporary password, the cloud account (identity domain), and the URL for the My Services application. The first email is optional; you may receive the second email with your credentials directly, without any activation step.

Through the cloud account (identity domain), you control the accounts of users who need access to service instances, as well as the features that authorized users can access.

1. When you receive your first “Welcome to Oracle Cloud” email (“Welcome to Oracle Cloud. Setup your account.”), click the Activate My Services button.

This causes the second email to be sent.

Note:

If you have just recently signed up on Oracle Cloud, you may not receive the first “Welcome to Oracle Cloud” email, but only receive the second email with access credentials.

2. When you receive your “Welcome to Oracle Cloud!” email (“Welcome to Oracle Cloud. Your Oracle Public Cloud Services are ready for use…”):

a. Under Access Details, note the values of Username, Temporary Password, and Cloud Account.

You will need these values to log in to Oracle Public Cloud (My Services Dashboard) and access Oracle CASB Cloud Service.

b. Click the Get Started with Oracle Cloud button.

3. In the Oracle Cloud Account Sign In dialog box, enter the User Name and Password values from the email and click Sign In.

4. On your first login, you are prompted to change your password:

a. Enter your Old Password (the one you just used from the email).

b. Review the Password Criteria to the right.

c. Enter your New Password, then enter the same password in the Confirm New Password field, and click Submit.

5. After logging in, on the Dashboard for Oracle Cloud My Services, click the Customize Dashboard tile.

6. In the Customize Dashboard dialog box:

a. Scroll down to the Security section.

b. Next to Oracle CASB, click Show.

c. Close the Customize Dashboard dialog box.

The Oracle CASB tile now appears on the Dashboard.

7. In the Oracle CASB tile, click the Menu icon and select Open Service Console to access the Oracle CASB Cloud Service Console.

This logs you in to the Oracle CASB Cloud Service and takes you to the Dashboard in the console.

8. If you are not logged in to the Oracle CASB Cloud Service console after the previous step, but the Oracle CASB login screen appears, it means that Oracle CASB Cloud Service is not integrated with Oracle Identity Cloud Service:

a. Do not click the Sign in with Oracle Cloud Account link.

b. Enter the Username from the second “Welcome...” email and click Next.

c. Enter the temporary Password from the second “Welcome...” email and click Sign in.

You can now create administrator accounts for Oracle CASB Cloud Service, add users, and set permissions. See Adding an Administrator through the Oracle CASB Cloud Service Console.

For instructions on logging in routinely to Oracle CASB Cloud Service, see Signing In.

Applications Available through Universal Credit Model (UCM)

Learn which applications can be monitored in Oracle CASB Cloud Service through UCM.

The applications listed below can be monitored by Oracle CASB Cloud Service through a UCM subscription.

• Infrastructure as a Service (IaaS): Amazon Web Services (AWS), Azure, Oracle Cloud Infrastructure (OCI)

• Software as a Service (SaaS): Box, GitHub, Google for Work, Office 365, Salesforce, ServiceNow, Slack

• Oracle Software as a Service (OSaaS): Oracle ERP Cloud, Oracle HCM Cloud, Oracle Sales Cloud

When CASB Cloud Service Is Integrated with Oracle Identity Cloud Service

Understand how users must be added, and how the user login experience is different, once CASB Cloud Service is integrated with Oracle Identity Cloud Service.

Adding Users and Assigning the Oracle CASB Application to the User

An Oracle Cloud Account administrator can add users and assign roles on the My Services Dashboard. See Create a Cloud Account User and Assign Roles to a User. Please ensure you have assigned the CASB Administrator role to the user. To assign the CASB Administrator role, while assigning roles to the user, filter the service list for CASB, click the box under CASB, and select the CASB_Adminstrator role. Follow the steps below to add the CASB Application to the newly added User.

1. Log in to Oracle Identity Cloud Service.

• To log in from the Oracle CASB Cloud Service administrative console:

a. Click My Services from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

If you don't see the My Services menu option, you are not subscribed to Oracle CASB Cloud Service through the universal credit model (UCM). To start subscribing, see Accessing Oracle CASB Cloud Service Using Universal Credits.

Note:

To open the My Services console in a new browser window or tab, right-click My Services and select Open Link in a New Window or Open Link in a New Tab.

b. If you were not already logged in to Oracle Identity Cloud Service, enter your login credentials when prompted.

• To log in directly through your browser:

a. Navigate to https://cloud.oracle.com.

b. Click Sign In.

c. On the Cloud Account page, enter your cloud account name and click My Services.

d. At the Oracle Cloud Account Signin prompt, enter your User Name and Password, then click Sign In.

• If you are not logged in to Oracle Identity Cloud Service, you are taken to the Oracle Identity Cloud Service Sign In page. Enter your cloud account details from the "Welcome..." email. The Oracle Cloud My Services Dashboard is displayed.

2. On the Oracle Cloud My Services Dashboard, click Users, and then Identity Console.

3. On the Identity console, the Users page is displayed.

The newly added user appears in the list.

4. Click the row for the newly added user.

5. Click the Access tab, and then click +Assign .

6. In the Assign Applications tab, select the application with the name that begins with casb_sso, and then click Assign.

The new user added on the My Services Dashboard will receive a “You've been granted access to Oracle Cloud services” email with access credentials to the My Services Dashboard.

Any user added on the My Services Dashboard must also be added as an administrator in the Oracle CASB Cloud Service console with the same email address as the one used in the My Services Dashboard. For information on adding Oracle CASB Cloud Service administrators, see Adding an Administrator through the Oracle CASB Cloud Service Console.

Note:

The role assigned to a user in Oracle Identity Cloud Service is independent of the role assigned to the user as an administrator in Oracle CASB Cloud Service. The role assigned in Oracle CASB Cloud Service determines the functions that the user is authorized to perform.

Any new user added through the Oracle CASB Cloud Service console also receives a “Welcome to Oracle CASB Cloud Service” email, with a user name and a link to access Oracle CASB Cloud Service. Clicking the link takes the user to the Oracle Cloud Account Sign In dialog box, where the user enters the My Services credentials received in the “You've been granted access to Oracle Cloud services” email. The user is then logged in to the CASB Cloud Service Console.
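Because the Identity Cloud Service role and the CASB console role are independent, and a user only works end to end when the same email address is assigned the casb_sso application in Identity Cloud Service and is also a CASB administrator, it is worth reconciling the two user lists periodically. The script below is an added example, not Oracle code; it reads two constructed CSV exports (the column names `email`, `assigned_apps`, `idcs_roles` and `casb_role` are assumptions standing in for whatever your real exports contain) and reports the mismatches a practitioner cares about: users who can sign in through SSO but hold no CASB role, CASB administrators with no backing identity (stale privileged accounts), CASB administrators whose identity lacks the casb_sso assignment, and email addresses containing the percent sign that the page says is not allowed.

```python
"""Reconcile Oracle Identity Cloud Service users that hold the casb_sso
application against the administrator list of the Oracle CASB console.

Added example; not part of the Oracle documentation or product. The CSV
layouts below are constructed samples and their column names are assumptions.
"""
import csv
import io

# Constructed sample export of Identity Cloud Service users (assumed columns).
IDCS_USERS_CSV = """email,assigned_apps,idcs_roles
Alice.Admin@example.com,casb_sso_0a1b;oci_console,CASB_Administrator
bob@example.com,oci_console,Cloud Account Administrator
carol@example.com,casb_sso_0a1b,CASB_Administrator
dave%ops@example.com,casb_sso_0a1b,CASB_Administrator
"""

# Constructed sample export of CASB console administrators (assumed columns).
CASB_ADMINS_CSV = """email,casb_role
alice.admin@example.com,Tenant Administrator
erin@example.com,Tenant Administrator
"""


def parse_csv(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def norm(email):
    """Compare addresses case-insensitively; the two consoles may differ in case."""
    return email.strip().lower()


def has_casb_sso(row):
    """True if any app assigned to this IDCS user has a name beginning with casb_sso."""
    return any(app.startswith("casb_sso") for app in row["assigned_apps"].split(";"))


def reconcile(idcs_csv, casb_csv):
    """Return the four mismatch lists; every list is sorted for stable output."""
    idcs = parse_csv(idcs_csv)
    casb = parse_csv(casb_csv)
    idcs_all = {norm(r["email"]) for r in idcs}
    sso_users = {norm(r["email"]) for r in idcs if has_casb_sso(r)}
    casb_admins = {norm(r["email"]) for r in casb}
    return {
        # Can SSO into CASB but was never added as an administrator there.
        "sso_without_casb_admin": sorted(sso_users - casb_admins),
        # Privileged CASB account with no identity behind it: stale or orphaned.
        "casb_admin_without_idcs_user": sorted(casb_admins - idcs_all),
        # Identity exists but lacks the casb_sso app, so SSO login will fail.
        "casb_admin_without_sso_app": sorted((casb_admins & idcs_all) - sso_users),
        # The page states an administrator email must not contain "%".
        "invalid_percent_in_email": sorted(e for e in sso_users | casb_admins if "%" in e),
    }


if __name__ == "__main__":
    for finding, emails in reconcile(IDCS_USERS_CSV, CASB_ADMINS_CSV).items():
        print(f"{finding}: {', '.join(emails) if emails else 'none'}")
```

Run against the sample data, the script flags carol and dave as SSO users without a CASB administrator entry, erin as a CASB administrator with no identity, and dave's address for the percent sign. Treat the orphaned-administrator list as the priority finding; the others are usability problems rather than exposure.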

Accessing Oracle CASB Cloud Service

If you access Oracle CASB Cloud Service through bookmarks, or directly through the Oracle CASB Cloud Service page link, you go through one of these actions:

• If you are already logged into Oracle Cloud My Services, then you are taken directly to the Dashboard page in the Oracle CASB Cloud Service console.

• If you are not logged in to Oracle Cloud My Services, then you are taken to the Oracle Cloud sign in. At this point, enter your Oracle Cloud Account Username and password and click Sign In. You are now taken to the Dashboard page in the Oracle CASB Cloud Service console.

• If you access Oracle CASB Cloud Service using links like https://loric.palerra.net or https://loriceu.palerra.net, then you will see the Oracle CASB Cloud Service login page.

At this point, click Sign in with Oracle Cloud Account. You are taken to the Oracle Cloud Sign In page. Then set the Account Type to Cloud Account with Identity Cloud Service and enter your cloud account details from the “Welcome...” email.

This takes you to the Oracle Cloud My Services login. Enter your My Services credentials. You are now taken to the Dashboard page in the Oracle CASB Cloud Service console.

If you have not integrated Oracle CASB Cloud Service with Oracle Identity Cloud Service, then login to Oracle CASB Cloud Service through bookmarks can only be done by entering your Username and Password on the login screen. Do not click the Sign in with Oracle Cloud Account link.

Migrating from Non-Metered to Metered Tenant

Learn how to migrate from a non-metered tenant to a metered tenant.

With metered service, you’re billed based on your actual usage. For details on monitoring your cloud service usage, see Monitor Your Cloud Service Usage. For details on the pricing, see Oracle CASB Cloud Service Pricing.

If your Oracle CASB Cloud Service has already been set up on a non-metered tenant, and you want to switch to metered service, you have to:

1. Set up Oracle CASB Cloud Service in a new tenant as a metered service.

2. Recreate all the application instances and integrations that you had on the non-metered tenant.

3. Validate that the new metered tenant is performing with full functionality.

4. Disconnect all of the applications and integrations from the old non-metered tenant.

5. Request Oracle Support to remove the original non-metered tenant.

To migrate from a non-metered Oracle CASB Cloud Service tenant to a metered Oracle CASB Cloud Service tenant:

1. Obtain a metered tenant subscription to Oracle CASB Cloud Service.

See Buy a Prepaid Metered Subscription to an Oracle Cloud Service.

2. Configure your Oracle CASB Cloud Service.

This includes setting up your Oracle CASB Cloud Service Administrators, setting up your cloud applications for monitoring, managing your integrations, and setting up discovery of shadow applications.

a. Set up your Oracle CASB Cloud Service Administrators. See Managing Oracle CASB Cloud Service Administrators.

The Cloud Account Administrator/Account Administrator is the root tenant administrator (first Tenant Administrator) of your metered Oracle CASB Cloud Service tenant. See Learn About Cloud Account Roles for details about Oracle Cloud Account roles.

b. Set up your cloud applications for monitoring. For each application instance on your old non-metered Oracle CASB Cloud Service tenant, register the application instance with the same settings in the new tenant.

In Setting Up Cloud Applications for Monitoring, see the Adding a(n) ... Instance topic in the Setting Up... chapter for the application type.

For example, if you have an Office 365 application in your existing tenant, see Setting Up Microsoft Office 365.

c. Set up your integrations. This includes configuring identity providers, configuring incident management, and setting up discovery of shadow applications.

• To configure identity providers, see Setting Up an Identity Provider Instance.

Ensure that your identity provider points to the new metered tenant.

• To configure Incident Management, see About Incident Management.

• To configure discovery of shadow applications, see Discovering ShadowApplications.

d. Export the data from the old non-metered tenant.

See:

• Running an Ad Hoc Report: Report Builder for instructions on setting up acustom report that captures the data .

• Exporting a Report for instructions for exporting the report data.

• Exporting Risk Events to a CSV File for instruction for exporting the RiskEvents.


• Creating Policies and Managing Policy Alerts for instructions on creating the policies in the metered tenant.

Contact Oracle Support (http://support.oracle.com) to move any pre-built policies from the old non-metered tenant to the new metered tenant.

• Putting IP Addresses on Blacklists or Whitelists for instructions on setting up the IP address list in the metered tenant.

• Excluding Users from Data Reporting for instructions on setting up the user exclusion list in the metered tenant.

3. Validate that the new tenant is performing with full functionality.

This includes ensuring that risk events appear in the Risk Events page, that users appear in the Users page, that Report Builder is able to generate the required reports, and that security control values are set up properly for your applications.

4. Disconnect all of the applications and integrations from the old non-metered tenant.

See Removing an Application Instance.

5. Confirm to Oracle Support that the existing tenant can be deleted.

Contact Oracle Support (http://support.oracle.com) and request that the old non-metered tenant be removed.

You are now ready to resume normal work with Oracle CASB Cloud Service on the new metered tenant.

About Cloud Security Monitoring

Understand key concepts in security monitoring, and how Oracle CASB Cloud Service processes different types of risks.

Oracle CASB Cloud Service gives you visibility into the security of your cloud applications and services to help ensure that your critical data (for example, financial data, communications, and personal information) is secure.

Oracle CASB Cloud Service has a lightweight ticketing system for security incidents, and it can also delegate tickets to an external ticketing system.

Oracle CASB Cloud Service classifies the risks that it detects into one of these categories:


Risk: Weak or noncompliant security control

Description: These are security-related settings in the application. Examples: short passwords, long idle session timeouts, permissions that need to be more restrictive, insecure Amazon Web Services (AWS) S3 bucket encryption settings, weak AWS network ACLs, and AWS security groups with sensitive ports exposed to the internet.

Oracle CASB Cloud Service identifies security control values based on either Oracle CASB Cloud Service's built-in recommended values or baseline values that you control by pushing your preferred values to the application instance.

Note:

Monitoring for weak security settings is only supported for Amazon Web Services, Box, and Salesforce.

For more information, see Weak Security Control Values in Your Cloud Applications.

Risk: Policy alert

Description: A policy is a rule or a guideline (for example, "only people in Finance can view files in the Finance folder", or "any change to network access rules must be reviewed"). In Oracle CASB Cloud Service, you define policies based on particular cloud services (for example, Box), resources in the service (for example, a file or folder), actions (for example, share, download, or collaborate), and optionally items such as actors, recipients, whole groups of users, domains, and IP addresses.

Oracle CASB Cloud Service generates an alert when events that match the policy occur. The console displays a description of the policy violation and can provide recommendations for responding to it. You can also configure the alert to be sent to you through email or SMS.

Examples of conditions that generate an alert:

• Terminating critical servers or services

• Sharing files tagged as "Confidential" with someone outside of your organization's domain

• Making changes to administrator profiles, access controls, or network routing

• Changing data loss prevention (DLP) policies or mail routing

• Assigning system administrator profiles

For more information, see Policy Alerts (Rule-Based Alerting).

Risk: Anomalous behavior

Description: Oracle CASB Cloud Service identifies behavior that deviates from the usual patterns for each user, and assigns a risk score to the user based on how significant the deviations are and the type of activities the user is performing.

For example, a user who appears to be traveling larger distances than normal and accessing their applications from a large number of new IP addresses will have a higher risk score than a user who stays within the user’s usual locations and access IPs.

For more information, see Finding and Analyzing Users at Risk.

Risk: Suspicious behavior

Description: Oracle CASB Cloud Service identifies unusual activity that it classifies as suspicious, regardless of the user's normal activity.

Oracle CASB Cloud Service also identifies suspicious IP addresses where activity originates using third-party IP reputation and network information feeds, as well as your own IP whitelist and blacklist data. Identifying suspicious IP addresses can be a key element in discovering threats.

For more information, see Managing Behavioral Anomalies and Threats.

Weak Security Control Values in Your Cloud Applications

Understand the options available in Oracle CASB Cloud Service for detecting and remediating weak security controls.

Enterprise cloud applications have security-related settings, such as password complexity requirements and idle session timeouts. Oracle CASB Cloud Service can detect settings that aren’t strong enough.

Security settings protect both data and users. For example, when users are allowed to keep sessions idle for hours at a time, it increases the risk of their accounts being compromised.

Oracle CASB Cloud Service looks at cloud service configurations and identifies weaknesses in security both up front (at registration time) and on an ongoing basis to identify drift, or gradually increasing deviation, from the ideal configuration. There are two ways you can configure Oracle CASB Cloud Service to monitor for weak security controls:

• Monitor-only. Oracle CASB Cloud Service reports on these security control values, but doesn’t change them in the cloud application.

• Monitor and push preferred values to the cloud application. At registration time, Oracle CASB Cloud Service ensures that your cloud application has your preferred security configuration values. After registration, Oracle CASB Cloud Service reports on changes to these values.

Here are a few common settings:


Security Configuration Category: User passwords

Related Setting Types:

• Required number of characters

• Require one or more numbers

• Require one or more special characters

• Require users to reset passwords after a particular number of days

Security Configuration Category: Links to files and folders, sharing, collaboration

Related Setting Types:

• Limit the ability of users to invite collaborators

• Limit external user collaboration on folders and files

• Limit use of external links

• Automatically disable shared links after a particular amount of time

Security Configuration Category: Infrastructure

Related Setting Types:

• Amazon Web Services (AWS) storage (bucket) encryption settings

• Network access control lists (ACLs)

• Secure ports for security groups (ports not exposed to the internet)

How Oracle CASB Cloud Service Helps with the Security Configuration of Your Cloud Applications

By default, Oracle CASB Cloud Service alerts you when your applications' security configurations deviate from a set of stringent values that Oracle CASB Cloud Service maintains for each supported cloud application.

As an alternative to using the default security configuration, you also can select the security configuration values that you want to standardize on, and have Oracle CASB Cloud Service set these values in the application. Oracle CASB Cloud Service subsequently monitors for changes to these values.

Security configuration monitoring can be especially important if you have many instances of an application. Oracle CASB Cloud Service can help you be sure that each application instance has the correct security controls in place.
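The two monitoring modes described above, as an added example that is not Oracle CASB Cloud Service code: a baseline of preferred control values is compared against an application instance's settings (monitor-only), then pushed to the instance and watched for drift. Control names, baseline values and the sample settings are assumptions made for this example.

```python
"""Added example, not Oracle CASB Cloud Service code: checking an application's
security-control values against a preferred baseline in the two modes the text
describes (monitor-only, and push preferred values then watch for drift). Control
names, baseline values and the sample settings are assumptions made for this example."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Control:
    name: str                       # hypothetical setting name
    category: str                   # category from the table above
    preferred: Any                  # value to standardize on
    ok: Callable[[Any, Any], bool]  # ok(actual, preferred): is actual at least as strong?


def at_least(actual: Any, preferred: Any) -> bool:
    return actual >= preferred


def at_most(actual: Any, preferred: Any) -> bool:
    return actual <= preferred


def equals(actual: Any, preferred: Any) -> bool:
    return actual == preferred


def subset_of(actual: Any, preferred: Any) -> bool:
    return set(actual) <= set(preferred)


# Constructed baseline; the values are illustrative, not Oracle's recommended values.
BASELINE: List[Control] = [
    Control("password_min_length", "User passwords", 12, at_least),
    Control("password_require_number", "User passwords", True, equals),
    Control("password_require_special", "User passwords", True, equals),
    Control("password_max_age_days", "User passwords", 90, at_most),
    Control("idle_session_timeout_minutes", "User passwords", 30, at_most),
    Control("shared_link_expiry_days", "Links and sharing", 7, at_most),
    Control("external_collaboration_allowed", "Links and sharing", False, equals),
    Control("s3_default_encryption", "Infrastructure", True, equals),
    # preferred = the largest set of ports that may be exposed to the internet
    Control("sg_internet_exposed_ports", "Infrastructure", frozenset({443}), subset_of),
]


def find_weak_controls(settings: Dict[str, Any],
                       baseline: List[Control] = BASELINE) -> List[Dict[str, Any]]:
    """Monitor-only mode: report controls that are missing or weaker than preferred."""
    findings = []
    for c in baseline:
        if c.name not in settings:
            reason = "not reported by the application"
        elif not c.ok(settings[c.name], c.preferred):
            reason = "weaker than the preferred value"
        else:
            continue
        findings.append({"control": c.name, "category": c.category,
                         "actual": settings.get(c.name), "preferred": c.preferred,
                         "reason": reason})
    return findings


def push_preferred_values(settings: Dict[str, Any],
                          baseline: List[Control] = BASELINE) -> Dict[str, Any]:
    """Monitor-and-push mode at registration: replace every weak or missing control
    with its preferred value; values already compliant (possibly stronger) are kept."""
    preferred = {c.name: c.preferred for c in baseline}
    pushed = dict(settings)
    for f in find_weak_controls(settings, baseline):
        pushed[f["control"]] = preferred[f["control"]]
    return pushed


def detect_drift(pushed: Dict[str, Any], current: Dict[str, Any]) -> List[str]:
    """After registration: controls whose value no longer matches what was pushed."""
    return sorted(name for name, value in pushed.items() if current.get(name) != value)


# Constructed snapshot of an application instance's settings at registration time.
APP_AT_REGISTRATION: Dict[str, Any] = {
    "password_min_length": 8,              # weak: shorter than 12
    "password_require_number": True,
    "password_require_special": False,     # weak
    "password_max_age_days": 365,          # weak: rotation too infrequent
    "idle_session_timeout_minutes": 480,   # weak: 8-hour idle sessions
    "shared_link_expiry_days": 3,          # stronger than preferred: left alone
    "s3_default_encryption": True,
    "sg_internet_exposed_ports": frozenset({22, 443, 3389}),  # weak: SSH and RDP exposed
    # "external_collaboration_allowed" is not reported at all
}
```

Drift is reported whenever a pushed value changes, even if the new value is still compliant, so that an administrator relaxing a setting after registration is visible.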

Policy Alerts (Rule-Based Alerting)

Understand how you can use policy alerts to identify known risks to critical resources in the cloud.

Each cloud application you register to be monitored by Oracle CASB Cloud Service has predefined policies that alert you to the most common types of suspicious activity, specific to that application type. You can also define policies to alert you to any type of activity that you consider to be suspicious in your particular environment.

Application: Amazon Web Services

Known Risk: Changes to highly privileged identity and access management (IAM) user groups

Characteristics of the Risk: Amazon Web Services is a platform for mission-critical operations. Proliferation of highly privileged administrators puts your organization at risk because it increases the chances that the wrong people can access your critical infrastructure.

Application: Box

Known Risk: Collaboration or sharing files that have confidential information

Characteristics of the Risk: Organizations increasingly rely on Box for cloud storage.

When files and folders contain sensitive material (for example, financial statements or personal information), sharing and collaboration using Box have the potential to let the wrong people access this information.

Application: Salesforce

Known Risk: Cloning a system administrator profile

Characteristics of the Risk: Salesforce contains mission-critical data. Proliferation of highly privileged administrators increases the chances of the wrong people accessing this information.

Application: ServiceNow

Known Risk: Administrators impersonating other users

Characteristics of the Risk: ServiceNow administrators typically impersonate other users to conduct tests. However, impersonation of highly privileged user or administrator roles carries with it the same risks as proliferation of permanent profiles and roles.

Alerts Based on Policy Definitions

Oracle CASB Cloud Service can monitor for well-understood risks by comparing user activity in the cloud with policies (sets of rules) that you define.

When Oracle CASB Cloud Service detects behaviors that correspond to these rules, it produces alerts that describe the policy violation and can provide recommendations for responding to them.

Policy alerts are important because extremely sensitive operations should be watched closely. For example, you need to know immediately if someone performs any of the following actions:

• Modifying AWS identity and access management (IAM) security groups, roles, SAML identity providers, and assets tagged as "production"

• Sharing or inviting collaborators for sensitive files and folders in Box

• Modifying Office 365 data loss prevention policies or email routing configurations

• Modifying Salesforce system administrator profiles

Anomalous Behaviors and IP Addresses

Understand what behavioral risks are and how Oracle CASB Cloud Service detects them.

Because your employee base, business partners, and vendors change continuously, and because attack patterns can be complex, Oracle CASB Cloud Service automatically detects behavioral risks.

Oracle CASB Cloud Service monitors what every user is doing in and across your cloud applications. By doing this, it builds a behavioral baseline or profile of what’s normal for each user (end users, privileged users, and API identities) that connect to the clouds. Oracle CASB Cloud Service alerts you when it detects any user who performs actions that deviate from the baseline of what is normal for that user.


Even when Oracle CASB Cloud Service doesn’t have a baseline for a user (for example, when it starts to monitor a new user), it can compare the user's behavior with a set of initial baselines.

Examples of anomalous behavior and other user behavior risks:

• A user logs in from multiple or unusual IP addresses and geographical locations within a short time. When a user or program accesses an application from unexpected geographical locations, this is an indicator that an attacker is moving (hopping) around to different locations. Typically, this type of hopping is done as a masquerade; the attacker is actually stationary.

• The user has an unusual number of logins within a limited amount of time. When you combine access from diverse geographical locations with rapid successive logins to your cloud application, this could be a sign of trouble.

• An administrator makes an excessively large number of changes to an application's settings.

• A user logs in from an IP address that is on a public blacklist. It is known to be a source of malicious activity.

• A user logs in from a network that protects the user's actual location through use of anonymizing proxies.

• Users access your applications from locations where you know you don’t have any users.

• There’s a dramatic rise in the rate of administrative changes within an application.

• There’s a dramatic rise in the rate of access attempts by a user across geographically dispersed locations.

Oracle CASB Cloud Service notifies you of these behaviors, with supporting data, content, and graphics to enable you to further investigate these activities. In addition, Oracle CASB Cloud Service automatically detects when a blacklisted IP address accesses a monitored application. You also can define new IP address black- and whitelists in Oracle CASB Cloud Service. For more information, see Putting IP Addresses on Blacklists or Whitelists.

Finally, Oracle CASB Cloud Service can use directory metadata to track users across their different cloud applications as well as within a particular application.

Threat Categories

Oracle CASB Cloud Service threat categories include:

IP hopping. People and programs can make use of anonymizers that attempt to disguise the client computer that’s accessing a cloud application. Oracle CASB Cloud Service generates a threat event when it detects evidence of IP hopping, which is an indicator of anonymized access.

Brute force attacks. Failed logins are a common occurrence. However, a change in rate of failed logins or a very high number of them can indicate a common attack known as a brute force attempt to guess a user's password.

User behavior risk. A combination of factors can draw suspicion, including the apparent geographical distance traveled, number of accessing IP addresses, and failed logins in a particular time frame.

Administrator behavior risk. An unusual number of administrative changes can be indicative of an insider threat or a hijacked account.
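The threat categories above and the anomalous-behavior examples that precede them, as an added example that is not Oracle CASB Cloud Service's implementation: simplified detectors for IP hopping, brute force, blacklisted access IPs and administrator bursts, combined into a per-user risk score, run over constructed login and administrative events. The thresholds, weights, blacklist and per-user baselines are assumptions made for this example.

```python
"""Added example, not Oracle CASB Cloud Service code: simplified detectors for the
behavioral threat categories described above, run over constructed events. Thresholds,
weights, the blacklist and the per-user baselines are assumptions for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    lat: float
    lon: float
    action: str  # "login", "login_failed" or "admin_change"


MAX_PLAUSIBLE_KMH = 900.0        # implied speed above this between logins: IP hopping
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILURES = 5         # failures inside the window that trigger an alert
ADMIN_BASELINE_MULTIPLIER = 3.0  # hourly admin changes vs. the user's own baseline
WEIGHTS = {"ip_hopping": 40, "brute_force": 30, "blacklisted_ip": 50, "admin_burst": 35}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    p1, p2, dlat, dlon = map(radians, (lat1, lat2, lat2 - lat1, lon2 - lon1))
    h = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def by_time(events: List[Event], action: str) -> List[Event]:
    # events of one action type, oldest first
    return sorted((e for e in events if e.action == action), key=lambda e: e.ts)


def detect_ip_hopping(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(user, previous_ip, new_ip) for consecutive logins whose implied speed is implausible."""
    last: Dict[str, Event] = {}
    hits: List[Tuple[str, str, str]] = []
    for e in by_time(events, "login"):
        prev = last.get(e.user)
        if prev is not None and prev.ip != e.ip:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
                hits.append((e.user, prev.ip, e.ip))
        last[e.user] = e
    return hits


def detect_brute_force(events: List[Event]) -> List[str]:
    """Users with BRUTE_FORCE_FAILURES or more failed logins inside one sliding window."""
    window: Dict[str, List[datetime]] = defaultdict(list)
    flagged: Set[str] = set()
    for e in by_time(events, "login_failed"):
        w = window[e.user]
        w.append(e.ts)
        while e.ts - w[0] > BRUTE_FORCE_WINDOW:  # forget failures older than the window
            w.pop(0)
        if len(w) >= BRUTE_FORCE_FAILURES:       # the rate, not one failure, is the signal
            flagged.add(e.user)
    return sorted(flagged)


def detect_blacklisted_ips(events: List[Event], blacklist: Set[str]) -> List[Tuple[str, str]]:
    """(user, ip) pairs where the access IP is on the blacklist."""
    return sorted({(e.user, e.ip) for e in events if e.ip in blacklist})


def detect_admin_burst(events: List[Event], baseline_per_hour: Dict[str, float]) -> List[str]:
    """Users whose admin changes in some clock hour exceed the multiplier times their baseline."""
    per_hour: Dict[Tuple[str, datetime], int] = defaultdict(int)
    for e in by_time(events, "admin_change"):
        per_hour[(e.user, e.ts.replace(minute=0, second=0, microsecond=0))] += 1
    return sorted({u for (u, _), n in per_hour.items()
                   if n > ADMIN_BASELINE_MULTIPLIER * baseline_per_hour.get(u, 1.0)})


def risk_scores(events: List[Event], blacklist: Set[str], baseline: Dict[str, float]) -> Dict[str, int]:
    """Per-user score: weighted sum of the detections that fired, capped at 100."""
    score: Dict[str, int] = defaultdict(int)
    for u, _, _ in detect_ip_hopping(events):
        score[u] += WEIGHTS["ip_hopping"]
    for u in detect_brute_force(events):
        score[u] += WEIGHTS["brute_force"]
    for u, _ in detect_blacklisted_ips(events, blacklist):
        score[u] += WEIGHTS["blacklisted_ip"]
    for u in detect_admin_burst(events, baseline):
        score[u] += WEIGHTS["admin_burst"]
    return {u: min(100, s) for u, s in score.items()}


T0 = datetime(2020, 7, 1, 9, 0)  # constructed data: RFC 5737 addresses, invented users
def ev(minutes: int, user: str, ip: str, lat: float, lon: float, action: str = "login") -> Event:
    return Event(T0 + timedelta(minutes=minutes), user, ip, lat, lon, action)


SAMPLE_EVENTS: List[Event] = [
    ev(0, "alice", "203.0.113.5", 51.50, -0.12),        # London
    ev(30, "alice", "198.51.100.7", 35.68, 139.69),     # Tokyo, 30 minutes later
    *[ev(m, "bob", "192.0.2.9", 40.71, -74.01, "login_failed") for m in range(6)],
    ev(5, "carol", "192.0.2.200", 48.86, 2.35),         # access from a blacklisted IP
    *[ev(10 + m, "dave", "203.0.113.40", 37.77, -122.42, "admin_change") for m in range(12)],
]
BLACKLIST: Set[str] = {"192.0.2.200"}
ADMIN_BASELINE_PER_HOUR: Dict[str, float] = {"dave": 2.0}
```

Users without a recorded baseline are scored against a default rate, which mirrors the text's point that a new user is compared with initial baselines until a profile exists.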


About Risk Management and Incident Tracking

Understand how Oracle CASB Cloud Service helps you manage the risks it identifies through incident tracking.

In addition to identifying risks to your cloud applications, you must manage those risks. Oracle CASB Cloud Service helps you manage them through a lightweight incident tracking system. You can export incident tickets from Oracle CASB Cloud Service to a central ticketing system. For more information, see Finding, Managing, and Resolving Incidents.

Automatically Generated Incident Tickets

When Oracle CASB Cloud Service detects a risk based on a threat, it automatically creates an incident ticket so that you can track the risk to its resolution. For more information, see Anomalous Behaviors and IP Addresses.

Manually Created Incident Tickets

You can manually create incident tickets in the Oracle CASB Cloud Service console for security control risks and policy alerts. When you create a policy, you can include instructions about what action to take when the policy triggers an alert. This can greatly reduce the time it can take to address the problem.

For more information, see:

• Weak Security Control Values in Your Cloud Applications

• Policy Alerts (Rule-Based Alerting)

• Creating a Policy

About Reports

Understand how reports in Oracle CASB Cloud Service provide information on usage trends, independent of risk detection.

In addition to giving you insight into risks to your cloud applications, Oracle CASB Cloud Service provides visibility into general usage patterns, regardless of whether an actual risk is detected. This insight helps you understand how your applications are being used.

You can run predefined global reports, plus reports on multiple indicators for registered applications. You can also create and run custom reports to analyze trends that aren’t provided in the built-in reports.

For more information on reports, see Creating and Running Reports.

About Data Retention

Understand the time period covered for data displayed in Oracle CASB Cloud Service, and what happens to older data.

Oracle CASB Cloud Service continuously ingests new data for all the cloud applications that you have registered. The time period for which you are viewing data in the console depends on how long ago you registered the application.


• Initially you may see no data at all for an application, because events are being ingested only as they occur.

• After a while you see data from the time at which you registered the application, up to the present.

• After 90 days you see data from the past 90 days. Data older than 90 days is automatically purged.

About Risk Detection in the Oracle CASB Cloud Service Console

Understand the different types of risks that Oracle CASB Cloud Service detects, and how you can search for and manage them.

All risks detected appear in Risk Events. Oracle CASB Cloud Service generates a risk event for every type of security problem that it detects. It displays details about these events in the Risk Events page.

Related Topics:

• Risk Summaries: The Dashboard Summary Tab

• Risks Specific to Each Application: The Applications Page

• Risks to Users

• Risks for Access IPs and Clients

• Searching For and Viewing Risks

• Managing Different Types of Risks

A Tour of the Oracle CASB Cloud Service Console

Get familiar with the major screens and the functions they provide in the Oracle CASB Cloud Service console.

Dashboard

Get familiar with the layout of the Dashboard, the Oracle CASB Cloud Service landing page.

Accessing the Dashboard

After your first login to Oracle CASB Cloud Service, the Dashboard is the first thing you see on each later login. If the Dashboard is not displayed, select Dashboard from the Navigation menu. If the Navigation menu is not displayed, click the Navigation Menu icon to display it.

Working with the Dashboard

In the row of tiles at the top of the Dashboard, the Add/Modify App tile takes you to the Register an app instance wizard on the Applications page. There you can add, or register, a new application instance to be monitored, or select an application instance to be updated.


The rest of the tiles in the row at the top of the Dashboard provide counts of the total number of registered application instances in each risk level or status. Click a tile with a non-zero entry to go to the Applications page, showing only registered applications in that risk level or status:

• Status: Application instance is unreachable.

• High risk level. A threat has been detected.

• Medium risk level. Some items require investigation, but no behavioral threats or malicious IP address accesses.

• Low risk level. Few or no issues require attention.

• Status: You or another administrator recently added this application instance. Oracle CASB Cloud Service is collecting initial data.

The Access Map displays symbols that indicate points of origin for events:

• Indicates a cluster of normal events. Click this symbol to see individual normal events.

• Indicates an individual normal event.

• Indicates a cluster of suspicious events. Click this symbol to see individual suspicious events.

• Indicates an individual suspicious event.

• Click a large circle symbol to zoom in until you can see the smaller circles representing individual events.

• Click a smaller circle symbol to see summary information about the access.

• Click links in the summary information to see more details.

• Select the type of events (all events, normal events, or suspicious events) from the Filter drop-down list.

Note:

Oracle CASB Cloud Service remembers this selection for the current session.


• Click the Help icon in the upper-right corner to see online help about the suspicious and normal IP addresses that are represented by the dots on the Access Map.

The Health Summary: All Application Instances card summarizes potential threat information across all registered application instances.

• Click any non-zero entry in that Health Summary: All Application Instances card to see a detailed report.

• Click the Help icon in the upper-right corner to see online help about the suspicious and normal IP addresses that are represented by the dots on the Access Map.

The other summary cards on the Dashboard, such as Suspicious and normal IP addresses, display statistics for specific types of activity that may or may not be suspicious. For each summary card, you can:

• View the summary statistics displayed.

• Hover over parts of the card to see additional information in pop-ups, and to identify links.

• Click any link in the card to see more detailed information.

• Click the Help icon in the upper-right corner to see online help about the type of information displayed in the card.

Note:

If you total up the number of users in the User risk levels tile, you will get the total number of users currently being monitored in all of the cloud applications that are registered in Oracle CASB Cloud Service. This number may be much smaller than the total number of users in your organization, especially if your organization has just started using Oracle CASB Cloud Service.

You never have to create users in Oracle CASB Cloud Service, or import users from some other source. Users automatically enter the system when they are detected in actions that they take in cloud applications that are being monitored. Typically the total number of users that appear in Oracle CASB Cloud Service is a lot less than the total number of users in your organization.

Threats

Learn how to filter threats that are displayed in Risk Events, and how to view details for a threat.

Accessing the Threats Display for an Application Instance

To quickly display threats for a particular application instance:

1. To display the Health Summary card for an application instance, go to Applications and click the application instance tile.


2. Click the nonzero entry for Threats.

If the Threats entry is zero, there aren’t any threats that were detected for that application instance at this time.

Working with the Threats Display for an Application Instance

The App Details page displays risk events for an application instance that Oracle CASB Cloud Service has identified as threats.

• Filter the risk events that are displayed:

1. Click the Filter icon at the upper right.

2. Set any combination of filters to focus on specific groups of risk events.

– Risk Level — high-, medium-, or low-risk events.

– Category — a single risk event category.

– Date Range — risk events logged in a specific date range.

Note:

Date ranges labeled “Last # days” all start at midnight on the first date, and end at the present moment. “Last 1 day” includes all of yesterday.

– Status — open or resolved risk events.

3. Click Search.

The search results now display all risk events matching your filter settings.

Note:

The filter icon is highlighted to indicate that you are viewing a subset of the risk events. If you return to the Risk Events page in the same session, or later in another session, the events remain filtered.

• Hover over icons in the RISK LEVEL column to see a description of the risk level.

• Click a column heading that has up and down arrows next to it to sort the table on that column.

• Drop down the Action list in the ACTION column to see available actions for the risk event. Actions you will see:

– Dismiss — This option dismisses the risk event, when you do not view it as a threat.

– View incident — This option lets you view the incident ticket, where you can edit it, and then reassign it or mark it as resolved.

– View threat — This option details the reasons that the event appears to be a threat and shows charts and a map to help you analyze the threat.

• In the Top Risk Activities area at the top left:


– View summary statistics for the top risk activities.

– Filter the list of risk events by clicking Security controls, Threats, or Policy alerts.

– View incidents in the Incidents page by clicking Incidents.

• In the Risks by Category chart at the top:

– View the counts of different types of threats.

– Hover over a number to see the percentage value.

– Click a number to filter the list of risk events to show only that type of threat.

• View summary statistics for Data Processed in the Last 90 Days at the upper right.

For more information about threats, see Finding and Analyzing Users at Risk, and Remediating and Dismissing a Suspicious Activity Threat.

For definitions of the different risk types in Oracle CASB Cloud Service, see Different Types of Risk That Oracle CASB Cloud Service Monitors.

Applications

Learn how the Applications page is used.

Accessing the Applications Page

If the Applications page is not displayed, select Applications from the Navigation menu. If the Navigation menu is not displayed, click the Navigation Menu icon to display it.

Working with the Applications Page

The Applications page is where you register and update the cloud applications that Oracle CASB Cloud Service monitors. Applications lets you register application instances, modify the settings on an application instance that's already registered, and view the Health Summary for an application instance.

• Use the icons at the top to filter the list of application instances by risk level or status. Click any icon with a non-zero number beside it to show only:

– Status: You or another administrator recently added this application instance. Oracle CASB Cloud Service is collecting initial data.

– Status: Application instance is unreachable.

– High risk level. A threat has been detected.

– Medium risk level. Some items require investigation, but no behavioral threats or malicious IP address accesses.

– Low risk level. Few or no issues require attention.

If you return to the Applications page in the same session, or later in another session, the application instances remain filtered.


• Use the Search icon to display only application instances with names that contain the text that you enter.

For example, enter aws to display only application instances with “aws” in their names. Depending on how you name your application instances, these may or may not be AWS application instances.

• Explore the two different views available for the Applications page.

– The very first time you access the Applications page, it opens in card view, with each application displayed in a square card.

– In card view, you click the card for an application instance to view the Health Summary information, which contains a menu that lets you modify settings for the application instance.

– Use the view switcher tool to switch to grid view, with each application instance displayed in a separate row.

– In grid view, the Health Summary information is displayed in the row for the application instance, and a drop-down Action menu lets you modify settings for the application instance.

– Use the view switcher tool again to switch back to card view.

When you return to the Applications page in the same session, or later in another session, the last selected view is retained.

• In card view:

– View summary statistics at the top, indicating counts of new and unreachable application instances, and application instances with high, medium, and good threat levels.

– Click the Search icon to search for specific application instances.

– Hover over the risk indicator icon in the top left of an application instance card to see a description of the risk level.

– Click the card for an application instance to display the Health Summary card for that instance.

From the Health Summary card:

* Click View Details to see a summary of all activity on that application instance.

* Click one of the non-zero Top Risk Activities to see detailed information for that activity.

– To add or register a new application instance, click the Add/Modify App card.

– To modify settings for an existing application instance, click the card for the instance to open its Health Summary card, and then click Modify to display a list of settings that you can select to modify.

– To delete an application instance, click the card for the instance to open its Health Summary card, and then click Remove.

• In grid view:


– View summary statistics at the top, indicating counts of new and unreachable application instances, and application instances with high, medium, and good threat levels.

– Click the Search icon to search for specific application instances.

– Click a column heading that has up and down arrows next to it to sort the table on that column.

– Hover over the risk indicator icon in the Risk column for an application instance to see a description of the risk level.

– Drop down the Action menu and select View details to see a summary of all activity on that application instance.

– View the Health Summary information for that instance in the four columns to the right of the Instance column.

Click a non-zero number in one of these columns to see detailed information for that activity.

– To add or register a new application instance, click Add/Modify App at the top left.

– To modify settings for an existing application instance, drop down the Action menu and select an Update ... option.

– To delete an application instance, drop down the Action menu and select Remove app instance.

Risk Events

Learn what information is available for each risk in Risk Events.

Accessing Risk Events Page

If the Risk Events page is not displayed, select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

Working with the Risk Events Page

The Risk Events page displays a risk level icon for every risk event that Oracle CASB Cloud Service detects. To view a detailed breakdown of an individual risk event, click its row.

• Set the type of name displayed in the SUMMARY column for risk events that are triggered by a policy alert.

By default, an internally generated name is displayed. Choosing to display the policy alert name instead of the internally generated name lets you control what you see in the SUMMARY column for risk events that are triggered by a policy alert. See Setting Your Preferences.

• Filter the risk events that are displayed:

1. Click the Filter icon at the upper right.

2. Set any combination of filters to focus on specific groups of risk events.

– Risk Level — high-, medium-, or low-risk events.


– Category — a single risk event category.

– Date Range — risk events logged in a specific date range.

Note:

Date ranges labeled “Last # days” all start at midnight on the first date, and end at the present moment. “Last 1 day” includes all of yesterday.

– Status — open or resolved risk events.

3. Click Search.

The search results now display all risk events matching your filter settings.

Note:

The filter icon is highlighted to indicate that you are viewing a subset of the risk events. If you return to the Risk Events page in the same session, or later in another session, the events remain filtered.

• Hover over icons in the RISK LEVEL column to see a description of the risk level.

• Click a column heading that has up and down arrows next to it to sort the table on that column.

• Click any row to expand the row to show a detailed breakdown of the risk event, including a recommendation on what to do about it.

• In the INCIDENT column, click Create to create an incident ticket for the risk event. Click the incident number displayed to view the incident ticket that has already been created.

• Drop down the Action list in the Action column to see available actions for the risk event. Some of the actions you may see:

– Create incident — available if the risk event does not already have an associated incident ticket. (This has the same effect as Create in the Incident column.)

– Dismiss — available if an incident has not yet been created for the risk event. This option dismisses the risk event, when you do not view it as a threat.

– View incident — available if an incident has been created for the risk event. This option lets you view the incident ticket, where you can edit it, and then reassign it or mark it as resolved.

– View threat — available when Oracle CASB Cloud Service has identified the risk event as a threat. This option details the reasons that the event appears to be a threat and shows charts and a map to help you analyze the threat.


Reports

Understand what’s available on the Reports page.

Accessing the Reports Page

If the Reports page is not displayed, select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

Working with the Reports Page

Oracle CASB Cloud Service supplies predefined reports for auditing activity within Oracle CASB Cloud Service (an audit trail) and for the risks shown in Risk Events. The Reports page is where you access these reports.

• Click a column heading that has up and down arrows next to it to sort the table on that column.

• Click the Run icon in the Action column to run the report.

• Click New Report at the top left to create a custom report that is saved in the reports list.

• Click Report Builder at the top left to create and run an ad hoc query. Ad hoc queries are not saved in the reports list.

Users

Learn what information is available for each user on the Users page.

Accessing the Users Page

If the Users page is not displayed, select Users from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

Working with the Users Page

The Users page displays a risk score for every user that Oracle CASB Cloud Service monitors.

• Click a column heading that has up and down arrows next to it to sort the table on that column.

• Click a user’s name to view a breakdown of risk-related activity for that user.

• Click a link in the Reasons column to view detailed information about the reason.

Note:

You never have to create users in Oracle CASB Cloud Service, or import users from some other source. Users automatically enter the system when they are detected in actions that they take in cloud applications that are being monitored. Typically the total number of users that appear in Oracle CASB Cloud Service is much smaller than the total number of users in your organization.


Incidents

Learn how the Incidents page is used.

Accessing the Incidents Page

If the Incidents page is not displayed, select Incidents from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

Working with the Incidents Page

The Incidents page lets you track each detected risk through to its resolution.

When Oracle CASB Cloud Service detects a threat or a weak security control, it adds an event in Risk Events, and generates a ticket in Incidents. You can also create your own tickets.

• Filter the incidents that are displayed:

1. Click the Filter icon at the upper right.

2. Set any combination of filters to focus on specific groups of incidents.

– ID — an incident ID.

– App Instance — select a single application instance.

– Category — a single risk event category.

– Assigned to — user assigned to incident.

– Detected — date incident was detected.

– Priority — high, medium, or low priority.

– Status — open, resolved, or pending.

3. Click Search.

The search results now display all incidents matching your filter settings.

Note:

The filter icon is highlighted to indicate that you are viewing a subset of the incidents. If you return to the Incidents page in the same session, or later in another session, the incidents remain filtered.

• Hover over icons in the PRIORITY column to see a description of the priority.

• Click a column heading that has up and down arrows next to it to sort the table on that column.

• Click anywhere in the row for an incident to view incident details.

• In the ACTION column, click:

– Edit icon — to edit the incident.


– Remediate icon — to remediate the incident. The dialog box that opens provides recommended actions to take.

– Delete icon — to delete the incident.

• Click New Incident at the top left to manually create a new incident.

For more information on the Incidents page, see Finding, Managing, and Resolving Incidents.

Jobs

Learn how the Jobs page is used.

Accessing the Jobs Page

If the Jobs page is not displayed, select Jobs from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

Working with the Jobs Page

Exports of more than 1,000 rows of report data to CSV files are processed in the background, through a job that is listed on the Jobs page. Bulk dismissals of more than 100 risk events are also processed in the background through the Jobs page.

If there have been no recent large report exports or bulk dismissals of risk events, the Jobs page is empty.

• Use the icons at the top to filter the list of jobs by status. Click any icon with a non-zero number beside it to show only jobs with that status:

– New: jobs that have been created.

– Failed: jobs that failed.

– Completed: jobs that completed.

• Use the Search icon for a text-based search.

For example, to search for jobs by a particular requestor, enter the email ID of the requestor.

• Hover over icons in the Status column to see a description of the status.

• Click a column heading that has up and down arrows next to it to sort the table on that column.

• If the Results column displays a CSV icon for a job, click it to download the comma-separated values file, which you can open in a spreadsheet program.

For information about exporting large amounts of report data, see Exporting a Report.

Configuration

Learn what functions are available in the Configuration menu.

The Configuration section lets you configure different components that support Oracle CASB Cloud Service:


• Admin Management: Add Oracle CASB Cloud Service administrators, and update their admin information or remove them.

• Policy Management: Create policy (rule-based) alerts that, when triggered, add entries in Risk Events, and optionally send email notifications.

• Import Enterprise Users: Upload directory information to populate user and group-related widgets, and enable cross-application threat analytics.

• Manage IP Addresses: Add to the suspicious IP addresses that Oracle CASB Cloud Service ingests from third-party threat feeds, and whitelist IP addresses that are trusted.

• Threat Intelligence Providers: View third-party threat intelligence providers that contribute to Oracle CASB Cloud Service's threat analytics (particularly in the area of suspicious IP addresses).

• Incident Management Providers: View remediation providers that you can integrate with the auto-remediation functionality in Incidents.

• Identity Management Providers: View identity providers that are available to support single sign-on (SSO) that’s implemented in your application instances.

• SIEM Providers: View security information and event management (SIEM) providers that are supported to receive Oracle CASB Cloud Service data for further analysis and consolidation with other systems.

• Threat Management: View thresholds that determine when alerts are triggered to be displayed in Risk Events.

Administrator Management

Learn how to add administrative users and assign roles to them.

This page lists the users who have administrator privileges in Oracle CASB Cloud Service.

Accessing the Administrator Management Page

If the Administrator Management page is not visible, select Configuration, Administrator Management from the Navigation menu. If the Navigation menu is not displayed, click the Navigation menu icon to display it.

Working with the Administrator Management Page

The Administrator Management page displays the list of all the administrative users. Here, you can view the details of an administrator, edit the administrator’s details, reset the administrator’s password, and delete the administrator.

To add new administrators, click New Administrator. See Adding an Administrator through the Oracle CASB Cloud Service Console.

To make changes to existing administrators, click an icon in the ACTION column for that administrator:

• View icon - to view detailed information for the administrator.

• Reset Password icon - to reset the administrator's password.

• Edit icon - to edit information for the administrator.


• Delete icon - to delete the administrator.

Policy Management

Learn about using the Policy Management page to create policy-based alerts.

The Policy Management page displays the existing policies. You can also create new policies.

Accessing the Policy Management Page

If the Policy Management page is not visible, select Configuration, Policy Management from the Navigation menu. If the Navigation menu is not displayed, click the Navigation menu icon to display it.

Custom policies and Managed policies

The Policy Management page has separate tabs for Custom and Managed policies. The Custom tab is selected when you open the page.

• Custom policies are completely under your control - you can modify any custom policy listed and you can create new custom policies.

• Managed policies are maintained by Oracle CASB Cloud Service. You can't create or modify a managed policy. If you want to modify a managed policy, copy it as a custom policy and modify the copy.

Working with Custom Policies on the Policy Management Page

Click the Custom tab if it is not already selected.

• Search for custom policies within the list of custom policies displayed:

1. Click the Search icon at the upper right to bring up the Search field.

2. Enter the search text and press Enter.

The list of policies that match the search text is displayed.

• Toggle the switch in the ENABLED column to enable or disable a policy.

• The ACTION column lists the actions you can take on a policy:

– View: View the selected policy details

– Dismiss all risk events: Dismisses all risk events generated as a result of this policy.

– Edit: Edit the selected policy

– Delete: Delete the selected policy.

• Click New Policy to create a new policy definition. See Creating Policies and Managing Policy Alerts.

Working with Managed Policies on the Policy Management Page

Click the Managed tab if it is not already selected.

• Search for managed policies within the list of policies displayed:

1. Click the Search icon at the upper right to bring up the Search field.


2. Enter the search text and press Enter.

The list of policies that match the search text is displayed.

• Toggle the switch in the SUBSCRIBED column to enable or disable a policy.

• In the ACTION column, drop down the Action list for a policy to see the actions you can take on it:

– View: View the selected policy details.

– Dismiss all risk events: Dismisses all risk events generated as a result of this policy.

– Copy to Custom: Copies the selected managed policy as a custom policy, which you can then modify.

For more information on managed policies, see Working with Managed Policies.

Manage IP Addresses

Learn how to add to the suspicious IP addresses that Oracle CASB Cloud Service ingests from third-party threat feeds, and whitelist IP addresses that are trusted.

When an IP address is blacklisted, an alert is automatically generated when that IP address is detected. For IP addresses that are whitelisted, alerts are suppressed.

Accessing the Manage IP Addresses Page

If the Manage IP Addresses page is not visible, select Configuration, Manage IP Addresses from the Navigation menu. If the Navigation menu is not displayed, click the Navigation menu icon to display it.

Working with the Manage IP Addresses Page

The two tabs on the Manage IP Addresses page, Blacklist and Whitelist, let you add IP addresses to the respective lists.

• Blacklist tab: Displays all the blacklisted IP addresses, the IP address type, the applications that the IP address applies to, and the date the IP address was added to the list.

• Whitelist tab: Displays all the whitelisted IP addresses, the IP address type, the applications that the IP address applies to, and the date the IP address was added to the list.

For detailed instructions on blacklisting or whitelisting IP addresses, see Putting IP Addresses on Blacklists or Whitelists.

Threat Intelligence Providers

Learn how the Threat Intelligence Providers page is used.

Accessing the Threat Intelligence Providers Page

If the Threat Intelligence Providers page is not displayed, select Configuration, Threat Intelligence Providers from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


Working with the Threat Intelligence Providers Page

The Threat Intelligence Providers page subscribes your Oracle CASB Cloud Service tenant to three of the most up-to-date threat intelligence services, provided out of the box at no additional cost.

The data provided by these threat intelligence services gives security administrators and security operations center (SOC) analysts additional visibility about threat alerts that are generated in their respective environments.

Three primary threat intelligence providers are enabled by default:

• Digital Element allows Oracle CASB Cloud Service to better resolve IP addresses to physical locations, as well as providing information about the relationship between an IP address and the underlying domain name.

• Tor gives Oracle CASB Cloud Service insight into anonymous proxy usage.

• abuse.ch provides Oracle CASB Cloud Service with detailed information about URL classification, domain classification, and IP reputation.

It is recommended best practice to keep these threat intelligence services enabled, in order to provide more details about the threats that are generated in the Oracle CASB console.
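The Manage IP Addresses page and the Threat Intelligence Providers page above describe three inputs to one decision: addresses flagged by the third-party feeds, addresses you blacklist (each scoped to particular application instances), and addresses you whitelist to suppress alerts. The Python code below is an added example that makes that decision explicit; it is not code from this guide or from Oracle CASB Cloud Service. The entry format, the "*" wildcard meaning "all application instances", and the rule that a whitelist match suppresses the alert even when the feed or the blacklist also matches are assumptions chosen for illustration, and the feed entries, list entries and activity records are constructed sample data.

```python
import ipaddress

# Constructed stand-in for addresses ingested from third-party threat feeds
# (for example IP reputation data or Tor exit nodes). Entries may be single
# addresses or CIDR ranges.
FEED_SUSPICIOUS = ["198.51.100.0/24", "203.0.113.200"]

# Constructed custom lists. Each entry is scoped to application instance names;
# "*" is an assumed notation meaning the entry applies to every instance.
BLACKLIST = [
    {"entry": "203.0.113.7", "apps": ["*"]},
    {"entry": "192.0.2.128/25", "apps": ["box-corp"]},
]
WHITELIST = [
    {"entry": "198.51.100.10", "apps": ["aws-prod"]},   # trusted scanner, aws-prod only
    {"entry": "192.0.2.0/24", "apps": ["*"]},           # corporate egress range
]


def compile_entries(entries):
    """Turn list entries into (network, set-of-apps) pairs.
    strict=False accepts host bits in a CIDR entry such as 192.0.2.5/24."""
    return [(ipaddress.ip_network(e["entry"], strict=False), set(e["apps"]))
            for e in entries]


def matches(ip, app, compiled):
    """True if ip falls in a network whose scope covers this application instance.
    ipaddress never matches an IPv6 address against an IPv4 network, or vice versa."""
    return any(ip in net and ("*" in apps or app in apps) for net, apps in compiled)


def classify(ip_str, app, feed, blacklist, whitelist):
    """Decide the outcome for one source address seen in one application instance.

    Returns "suppressed", "alert", "clean" or "invalid". Assumed precedence: a
    whitelist match suppresses the alert even if the address is also blacklisted
    or flagged by a feed. Malformed addresses are reported as "invalid" rather
    than silently treated as clean, so a bad source field is never a free pass.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "invalid"
    if matches(ip, app, whitelist):
        return "suppressed"
    if matches(ip, app, blacklist) or any(ip in net for net in feed):
        return "alert"
    return "clean"


def evaluate(events, feed_entries=FEED_SUSPICIOUS, blacklist_entries=BLACKLIST,
             whitelist_entries=WHITELIST):
    """events: list of dicts with id, app and ip. Returns [(id, decision), ...]."""
    feed = [ipaddress.ip_network(e, strict=False) for e in feed_entries]
    blacklist = compile_entries(blacklist_entries)
    whitelist = compile_entries(whitelist_entries)
    return [(ev["id"], classify(ev["ip"], ev["app"], feed, blacklist, whitelist))
            for ev in events]


# Constructed sample activity records (not real CASB data).
SAMPLE_EVENTS = [
    {"id": "e1", "app": "aws-prod", "ip": "203.0.113.7"},     # on the custom blacklist
    {"id": "e2", "app": "aws-prod", "ip": "198.51.100.10"},   # in a feed range, whitelisted for aws-prod
    {"id": "e3", "app": "box-corp", "ip": "198.51.100.10"},   # same address, whitelist does not cover box-corp
    {"id": "e4", "app": "box-corp", "ip": "192.0.2.200"},     # blacklisted for box-corp, whitelisted everywhere
    {"id": "e5", "app": "aws-prod", "ip": "10.20.30.40"},     # on no list
    {"id": "e6", "app": "aws-prod", "ip": "not-an-ip"},       # malformed source field
]

if __name__ == "__main__":
    for event_id, decision in evaluate(SAMPLE_EVENTS):
        print(event_id, decision)
```

The e2/e3 pair is the case worth checking in your own tenant: a whitelist entry scoped to one application instance does nothing for the same address seen in another instance, so a scanner or partner address that is trusted everywhere should be whitelisted for all instances, while e4 shows that a broad whitelist silently overrides a narrower blacklist under the assumed precedence.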

Incident Management Providers

Learn how the Incident Management Providers page is used.

Accessing the Incident Management Providers Page

If the Incident Management Providers page is not displayed, select Configuration, Incident Management Providers from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

Working with the Incident Management Providers Page

The Incident Management Providers page lists the incident management providers that are registered in your Oracle CASB Cloud Service tenant.

Note:

ServiceNow is the only incident management provider supported by Oracle CASB Cloud Service currently. It is not set up by default.

An incident management provider handles the incidents that you create from an event in the Risk Events page or the Incidents page. See Risk Events and Incidents for more information about creating incidents. Also see About Risk Management and Incident Tracking for more information on incident management.

• To set up ServiceNow as the incident management provider in a new Oracle CASB Cloud Service tenant:

1. On the Incident Management Providers page, click Add Provider.


2. In the Add new provider dialog box, enter the information for the ServiceNow account that you want to manage your incidents.

3. Select the Approval check box.

4. Click Save.

• To update the information for the ServiceNow account, in the Action column, click the Edit icon.

• To delete the ServiceNow account, in the Action column, click the Delete icon.

SIEM Providers

Learn how the SIEM Providers (Security Information and Event Management) page is used.

Accessing the SIEM Providers Page

If the SIEM Providers page is not displayed, select Configuration, SIEM Providers from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

Working with the SIEM Providers Page

The SIEM Providers page lists the SIEM providers registered with your Oracle CASB Cloud Service tenant. It is enabled by default.

You can't make any changes directly on the SIEM Providers page. To request that a different SIEM provider be enabled for your Oracle CASB Cloud Service tenant, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

Threat Management

Learn how the Threat Management page is used.

Accessing the Threat Management Page

If the Threat Management page is not displayed, select Configuration, Threat Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

Working with the Threat Management Page

The Threat Management page lists the threat thresholds configured for your Oracle CASB Cloud Service tenant.

You can't change threat thresholds directly on the Threat Management page. To request changes in any of the threat thresholds for your Oracle CASB Cloud Service tenant, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.


Task Overview: Starting to Monitor Cloud Applications

Follow these steps to get started with monitoring your cloud application:

1. Create an Oracle CASB Cloud Service user within your cloud application.

2. Log in to Oracle CASB Cloud Service.

3. Register your cloud services with Oracle CASB Cloud Service.

4. After Oracle CASB Cloud Service completes the initial data collection, check the Dashboard and Risk Events for visibility into security-related activity.

5. Take a tour of the Oracle CASB Cloud Service console for a quick overview of what else you can do.

6. Add a backup tenant administrator.


Part II

Administrative Tasks

Learn how to perform important administrative functions that you must do right away, and others that you will return to later.

Chapters:

• Signing In and Managing Your Account

• Managing Oracle CASB Cloud Service Administrators

• Performing Miscellaneous Administrative Tasks


2 Signing In and Managing Your Account

Learn how to sign in to Oracle CASB Cloud Service, how to get help with sign-in problems, and how to change your user settings, including your password.

Topics:

• Typical Workflow for Signing In and Managing Your Account

• Signing In

• Lost Your Password?

• Need Help with Signing In?

• Viewing Your Role

• Setting Your Preferences

Typical Workflow for Signing In and Managing Your Account

You must sign in to access Oracle CASB Cloud Service. If you have problems signing in, then you can get help. After signing in successfully, you can configure settings for your Oracle CASB Cloud Service account.

• Sign in to Oracle CASB Cloud Service. You can learn how to sign in to Oracle CASB Cloud Service for the first time and for subsequent logins. See Signing In.

• Recover your password. You can recover your password if you forget it by requesting a new one. See Lost Your Password?

• Get help with signing in. You can learn about what to do if you can’t sign in to Oracle CASB Cloud Service. See Need Help with Signing In?

• View your Oracle CASB Cloud Service role. You can learn how to view your role after logging in to Oracle CASB Cloud Service. See Viewing Your Role.

• Manage your account. You can change your password, choose the time zone that Oracle CASB Cloud Service uses for time-stamped information, and activate or deactivate email notifications from Oracle CASB Cloud Service. See Setting Your Preferences.


Signing In

Learn how to sign in to Oracle CASB Cloud Service.

If your organization is using Oracle CASB Cloud Service for the first time, contact a Support representative or an authorized reseller for a login URL, credentials, and one-time login code. You will be the root tenant administrator.

If your organization is using Oracle CASB Cloud Service through Oracle Cloud, see Accessing Oracle CASB Cloud Service Using Universal Credits.

If your organization is already using Oracle CASB Cloud Service, contact your local Oracle CASB Cloud Service root tenant administrator for the login URL and credentials.

Signing In for the First Time

Learn how to sign in to Oracle CASB Cloud Service for the first time.

Note:

If you are accessing Oracle CASB Cloud Service for the first time by signing up on Oracle Cloud, then follow the instructions in Accessing Oracle CASB Cloud Service Using Universal Credits for your first time signing in.

If single sign-on is not enabled, then the first time that you sign in, you must provide a confirmation code. You will receive an email that contains a confirmation code and a first-time access URL.

1. Click the link for first-time access, enter your email address at the prompt and click Next.

2. What you see next depends on whether single sign-on (SSO) has been enabled for Oracle CASB Cloud Service by your root tenant administrator, and what your role is in Oracle CASB Cloud Service. After SSO is enabled, the root tenant administrator always has the option of logging in with email and password, or logging in through SSO.

If you see:

• A Welcome message with a password prompt, but no Sign-in with SSO button, enter your password and click Sign-In.

When your password is accepted, you next see the Dashboard in the Oracle CASB Cloud Service console.

• A Welcome message with a password prompt and a Sign-in with SSO button:

– You may enter your password and click the Sign-In button.

When your password is accepted you next see the Dashboard in the Oracle CASB Cloud Service console.

– You may also click the Sign-in with SSO button, to go to the single sign-on identity provider login page. Log in to that identity provider.


When your login credentials are accepted, you next see the Dashboard in the Oracle CASB Cloud Service console.

• A single sign-on identity provider login page. Log in to that identity provider.

When your login credentials are accepted, you next see the Dashboard in the Oracle CASB Cloud Service console.

3. When you reach the Oracle CASB Cloud Service console, if you see a prompt to Register an App or Run App Discovery:

• Select Run App Discovery to go to the Dashboard, App Discovery tab.

Go here if you want to use only Oracle CASB Cloud Service - Discovery.

• Select Register an App to go to the Register an App Instance page.

This is the normal first task for new users of the full functionality of Oracle CASB Cloud Service. For instructions on preparing and registering an application instance, see Setting Up Cloud Applications for Monitoring.

Whether or not you are ready to add an application instance, if you are the first person in your organization to access this console you should add a backup tenant administrator. See Adding Oracle CASB Cloud Service Administrators.

4. If you do not see a prompt to Register an App or Run App Discovery when you reach the Oracle CASB Cloud Service console, here are some tasks you may want to perform:

• View the Dashboard to see data that Oracle CASB Cloud Service has collected.

• Set your notification preferences. See Setting Your Preferences.

• Take a tour of the Oracle CASB Cloud Service console.

Related Topics:

• Preparing Cloud Applications for Monitoring

• Registering Cloud Applications with Oracle CASB Cloud Service

• Dashboard

• Adding Oracle CASB Cloud Service Administrators

• A Tour of the Oracle CASB Cloud Service Console

Subsequent Logins

Learn how to sign in to Oracle CASB Cloud Service every time after your first login.

After the first time that you log in, you access Oracle CASB Cloud Service in much the same way as you did on your first login. However, the details of your login steps may change if:

• Your Organization starts using Oracle CASB Cloud Service through Oracle Cloud.

• Your Oracle CASB Cloud Service role changes.

• Single sign-on (SSO) has been enabled since your last login.


• The first application was registered since your last login.

• Your company uses two-factor authentication.

The steps in Signing In for the First Time should always work, but your path through those steps might be different.

If SSO is not enabled and your company uses two-factor authentication, at some point you will be prompted for a confirmation code. See the steps below.

Note:

If you are using only Oracle CASB Cloud Service - Discovery, as long as you never register an application instance in Oracle CASB Cloud Service, you will always see the prompt to Register an App or Run App Discovery.

To supplement the security offered by your email and password credentials, if SSO is not enabled, your organization has the option of requiring two-factor authentication. This means that during a login you’ll sometimes be prompted for a new authentication code in addition to your email and password. Oracle CASB Cloud Service sends that authentication code to your email address, and it’s valid one time only. Because the code is delivered by email, the mailbox that receives it is effectively your second factor, so protect that mailbox accordingly.

Note:

Even if SSO is enabled, if you are the root tenant administrator you can still log in using your email and password. If you do this, and your company uses two-factor authentication, you will sometimes be prompted for a new authentication code during login.

1. Follow the steps in Signing In for the First Time.

2. If at any point you receive a prompt to enter a confirmation code:

a. Check the email account you use to log in, and look for an email with a confirmation code.

b. Copy the confirmation code from the email and paste it into the confirmation page.

c. If you’re sure that no one else can access the computer that you’re using to log in, select the Trust this computer check box to store the authentication code, which will remain valid for 30 days.

If you are working from a shared computer, do not select this check box.

d. Click Confirm.
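The flow described above, in working code: this is an added Python example, not Oracle CASB Cloud Service code (the page does not describe the product's implementation), showing what "valid one time only" and "Trust this computer ... 30 days" have to mean on the server side. The 10-minute code lifetime, the five-guess limit, and the class and function names are assumptions; the 30-day trusted-computer lifetime is the one the page states. The model stores a signed token for a trusted computer rather than the code itself.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example: a minimal server-side model of an email one-time code plus a
# "Trust this computer" token. Not Oracle CASB Cloud Service code.
CODE_TTL_SECONDS = 10 * 60            # assumption: a code is honoured for 10 minutes
MAX_ATTEMPTS = 5                      # assumption: wrong guesses before the code is voided
TRUST_TTL_SECONDS = 30 * 24 * 3600    # from the page: a trusted computer stays valid 30 days
SERVER_KEY = os.urandom(32)           # per-deployment secret; keep it out of the database


class EmailCodeSecondFactor:
    """Pending one-time codes and trusted-device tokens for a set of users."""

    def __init__(self, key: bytes = SERVER_KEY, now=time.time):
        self._key = key
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # email -> {"code_hash", "expires_at", "attempts"}

    def issue_code(self, email: str) -> str:
        """Create a fresh 6-digit code; the caller emails it to `email`.
        Only a keyed hash is stored, so a leaked table does not reveal live codes."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[email] = {
            "code_hash": self._hash(email, code),
            "expires_at": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify_code(self, email: str, code: str) -> bool:
        """Accept a code once, before expiry, and within the guess limit."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._now() > entry["expires_at"]:
            del self._pending[email]
            return False
        if hmac.compare_digest(entry["code_hash"], self._hash(email, code)):
            del self._pending[email]          # valid one time only: consumed here
            return True
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[email]          # too many guesses: user must request a new code
        return False

    def issue_trust_token(self, email: str) -> str:
        """Value for the 'Trust this computer' cookie: user, expiry, and an HMAC over both."""
        if "|" in email:
            raise ValueError("separator character not allowed in email")
        expires_at = int(self._now()) + TRUST_TTL_SECONDS
        payload = f"{email}|{expires_at}"
        return f"{payload}|{self._sign(payload)}"

    def is_trusted(self, email: str, token: str) -> bool:
        """Skip the code prompt only for an intact, unexpired token issued to this user."""
        try:
            tok_email, expires_str, sig = token.split("|")
            expires_at = int(expires_str)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(f"{tok_email}|{expires_at}")):
            return False
        return tok_email == email and self._now() <= expires_at

    def _hash(self, email: str, code: str) -> str:
        return hmac.new(self._key, f"{email}:{code}".encode(), hashlib.sha256).hexdigest()

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
```

The properties worth copying: only a keyed hash of the code is stored; the code is discarded on first successful use; wrong guesses count against a small limit, so a six-digit code cannot be brute-forced within its lifetime; and the trust token is an HMAC over the user and expiry, so it cannot be edited to extend the 30 days or replayed for another account.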

Lost Your Password?

Learn what to do when you lose or forget your password.

If you forget your password, you can request a new one.

1. Go to the Oracle CASB Cloud Service login page (typically, this URL is loric.palerra.net).


2. Click Forgot password, enter your email address in the Forgot Password page, and then click Continue.

3. Check the email account that you provided to Oracle CASB Cloud Service, and look for an Oracle CASB Cloud Service password reset message.

Important: If you don’t see this message, contact your local Oracle CASB Cloud Service tenant administrator or Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

4. Open the email message, copy the confirmation code in the message body, and then click the link for your unique password reset URL.

5. In the confirmation page, paste your confirmation code.

6. Create your new password.

7. Log in to Oracle CASB Cloud Service.

Need Help with Signing In?

Learn how to get help if you have trouble signing in.

Help is available, if you need it.

Some common causes of problems with signing in, and what to do about them:

• Your corporate firewall blocks the service. Add a rule that allows access from *.palerra.net.

• Your corporate proxies, VPNs, and load balancers need similar permission changes.

Important: If you continue to have problems with signing in, contact your local Oracle CASB Cloud Service tenant administrator or Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

If you send email to Oracle Support, include “Need Help Signing In” in the subject line.

Viewing Your Role

Learn how to view your role after logging into Oracle CASB Cloud Service.

Different administrator roles let you access different features and perform different functions in Oracle CASB Cloud Service. For more information on the different administrator roles and their associated privileges, see About Administrator Roles.

To see the administrator role for your login:

1. Log in to the Oracle CASB Cloud Service console.

2. Drop down the menu from the user icon on the top right.

Your administrator role is displayed below your name and login email address.


Setting Your Preferences

Learn how to change your password and set preferences for notifications, risk events, and time format.

Note:

Previously these different preferences were separate items in the menu that you drop down from your user name in the upper-right corner of the Oracle CASB Cloud Service console. These options are now consolidated into a single menu item, with no change in functionality of the individual preferences.

1. Click your user name in the upper-right corner of the Oracle CASB Cloud Service console and select Preferences from the drop-down menu.

The Preferences page opens.

2. To change your password:

a. Click Change Password in the row of options at the top.

b. Enter your New Password.

c. Enter your new password again in the Confirm Password box.

d. Click Change password.

3. To change your preference on notifications:

a. Click Notifications in the row of options at the top.

b. Change the High risk events setting.

When this setting is on, you receive email notifications for all high risk events. When it is off, you do not receive these notifications.

c. Click Confirm.

4. To change your preference for the summary displayed for a risk event generated by a policy alert:

a. Click Risk Preference in the row of options at the top.

b. Select or deselect the For "Policy Alerts" in the Risk Events view, use the policy name as the Risk Event Summary check box.

When this option is selected, for policy alerts that generate alerts on the Risk Events page, the policy name (which you can control) is displayed as the risk event Summary. When it is deselected, risk events generated by policy alerts display an internal name (which you can’t control) for the risk event Summary.

c. Click Confirm.

5. To change your preference on time format:

a. Click Time Format in the row of options at the top.

b. Select the format you want used:

• UTC — Coordinated Universal Time, which for practical purposes matches Greenwich Mean Time.


• Local time from my browser — the local time your browser uses, which is set in your computer or network.

c. Click Confirm.

6. To generate API credentials so that you can use the Oracle CASB Cloud Service APIs:

a. Click API Credentials in the row of options at the top.

b. Click Generate Keys.

c. Click Download Keys.

Download the generated keys to a secure location where you will be able to access them when you need to use the Oracle CASB Cloud Service APIs. Treat the keys as you would a password: anyone who obtains them can call the APIs with your access.

Note:

You can also copy and paste the keys to a secure location.

d. Click Done.


3 Managing Oracle CASB Cloud Service Administrators

Add Oracle CASB Cloud Service administrators, reset their passwords as needed, and set their notification preferences.

Topics:

• Typical Workflow for Managing Oracle CASB Cloud Service Administrators

• About Administrator Roles

• Adding Oracle CASB Cloud Service Administrators

• Resetting the Password for an Administrator

• Modifying an Administrator's Privileges

• Deleting an Administrator

Typical Workflow for Managing Oracle CASB Cloud Service Administrators

With the administrator management feature in Oracle CASB Cloud Service, you can perform tasks such as adding and managing administrators.

Task: Understand the functions that different administrator roles can perform.
Description: The administrator role you assign determines the functions that can be performed.
Additional Information: About Administrator Roles

Task: Add Oracle CASB Cloud Service administrators.
Description: You can add administrators to Oracle CASB Cloud Service.
Additional Information: Adding Oracle CASB Cloud Service Administrators

Task: Reset the password for an administrator.
Description: You can reset the password for an administrator, which forces the administrator to set a new password.
Additional Information: Resetting the Password for an Administrator

Task: Modify privileges of an administrator.
Description: You can modify the privileges of an administrator through the Oracle CASB Cloud Service console.
Additional Information: Modifying an Administrator's Privileges

Task: Delete administrator accounts.
Description: You can delete an administrator through the Oracle CASB Cloud Service console.
Additional Information: Deleting an Administrator


About Administrator Roles

Understand the functions that different administrator roles can perform in Oracle CASB Cloud Service.

Oracle CASB Cloud Service provides different roles to make it possible to limit a new administrator to particular cloud applications and functions in the Oracle CASB Cloud Service console.

If you are the first Oracle CASB Cloud Service user in your organization, you should add a backup administrator as soon as possible.

Every Oracle CASB Cloud Service administrator is assigned one of these defined roles:

• Tenant Administrator: Has all administrator privileges, and adds and manages other administrators. Only a Tenant Administrator can add and remove other Oracle CASB Cloud Service users, so it is important to always have at least one backup tenant administrator.

The first Tenant Administrator in your organization is known as the root tenant administrator. This special tenant administrator:

– Can’t be deleted.

– Is the only tenant administrator that can access Configuration, SSO Settings to enable single sign-on for Oracle CASB Cloud Service.

• Security Analyst: Creates policies, reviews threat analytics, monitors the health of your enterprise, and manages incidents. A Tenant Administrator can limit a Security Analyst's view to particular application instances. This also limits the Security Analyst's ability to view policies to only those that apply to these application instances.

• Compliance Manager: Reviews threat analytics, monitors the health and compliance of your enterprise, and manages incidents. Compliance Managers cannot view policies.

• SOC Operator: Performs functions required for system and organization control (SOC) compliance, with limited capabilities.

– Can only access Summary on Dashboard, Apps, Risk Events, Reports, and Incidents sections of Oracle CASB Cloud Service.

– Can’t drill down from Access Map in Dashboard to see details of mapped activity.

– Can view details of mapped activity in Risk Events and Incidents.

– Can’t view any personally identifiable information, including user names or IDs, IP addresses, resource names, and some activity identifiers. Exception: can view resource names in Risk Events.

– Can view details for incidents and threats, but any personally identifiable information, except for object names, is masked, represented by a string of asterisks (“*****”).

– Can view on the Reports page only reports for Office 365 and ServiceNow, and those reports that are generic for the system (not application-specific).

– Can view and create incidents.


– Can only modify, resolve, or delete incidents that he or she has created.

In addition, all administrators have the option to automatically receive email notification for high risk events by setting a preference for notifications. See Setting Your Preferences.

Adding Oracle CASB Cloud Service Administrators

Add an administrator, with an assigned role and application instances.

Note:

A primary tenant administrator can be set up automatically, by having that person be the first to log in to Oracle CASB Cloud Service after that person receives the welcome email:

1. Create the user in MyServices by following steps 1-13 in Adding an Administrator through Oracle Cloud MyServices Dashboard.

2. Send email to that user with instructions to log in to the Oracle Cloud MyServices dashboard.

On the first login, the user may be prompted to change the password.

3. While logged in to Oracle Cloud MyServices, on the dashboard, click the Customize Dashboard tile.

4. In the Customize Dashboard dialog box:

a. Scroll down to the Security section.

b. Next to Oracle CASB, click Show.

c. Close the Customize Dashboard dialog box.

An Oracle CASB tile now appears on the dashboard.

5. In the Oracle CASB tile, click the menu icon and select Open Service Console to access the Oracle CASB Cloud Service console.

That user is now created as a tenant administrator in both the Oracle CASB Cloud Service console and in the MyServices dashboard.

In all other cases, all types of administrators must be created manually in both environments. See:

• Adding an Administrator through Oracle Cloud MyServices Dashboard

• Adding an Administrator through the Oracle CASB Cloud Service Console

Only a tenant administrator role can add and remove other Oracle CASB Cloud Service administrators. A tenant administrator can add other administrators, by using both the Oracle Cloud MyServices dashboard and the Oracle CASB Cloud Service console.


Note:

Always have at least one backup tenant administrator role assigned, in addition to the original (root) tenant administrator.

Caution:

You must add an administrator through both the Oracle Cloud MyServices dashboard and the Oracle CASB Cloud Service console. If you skip either task, the new administrator will not be able to log in to Oracle CASB Cloud Service.

Adding an Administrator through Oracle Cloud MyServices Dashboard

Add an administrator, with an assigned role, through the Oracle Cloud MyServices dashboard.

1. Log in to the Oracle Cloud MyServices dashboard.

a. To log in from the Oracle CASB Cloud Service administrative console:

i. Click MyServices from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

If you don't see the MyServices menu option, you are not subscribed to Oracle CASB Cloud Service through the universal credit model (UCM). To start subscribing, see Accessing Oracle CASB Cloud Service Using Universal Credits.

Note:

To open the MyServices console in a new browser window or tab, right-click MyServices and select Open Link in a New Window or Open Link in a New Tab.

ii. If you were not already logged into Oracle Identity Cloud Service, enter your credentials when prompted.

b. To log in directly through your browser:

i. Navigate to https://cloud.oracle.com.

ii. Click Sign In.

iii. On the Cloud Account page, enter your cloud account name and click MyServices.

iv. At the Oracle Cloud Account Signin prompt, enter your User Name and Password, then click Sign In.

2. Go to the Oracle Cloud MyServices dashboard.

3. On the Dashboard, click Users at the top right.

4. On the User Management page, click Add at the top right.

5. On the Add User page, (User Details section):

a. Enter First Name, Last Name, and Email.

b. Leave Use Email as User Name selected.

c. Click Next.

6. In the Service Accounts section of the Add User page:

a. Enter Oracle CASB in the search box, to the left of the Search icon.

b. Click in the empty box below to show search results.

c. In the search results, select CASB_Administrator.

d. Click Finish at the top right.

Your Oracle Cloud user is now created. Next, you will use the Oracle Identity Cloud Service console to add the CASB application to this new user.

7. On the User Management page, click Dashboard at the top right.

8. On the Dashboard, click the Identity Cloud link.

9. On the Service: Oracle Identity Cloud Service page, in the Service Instances section, click Open Service Console.

10. In the Identity Cloud Service console, locate the Users tile and click its icon.

11. On the Users page, click the row for the Oracle Cloud user you just added to display Details for that user.

12. Click the Access tab, and then click Assign.

13. In the Assign Applications dialog box, select casb-sso-idcs-app and then click OK.

14. To return to the Dashboard, select MyServices from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

15. On the Dashboard, locate the Oracle CASB tile, click the menu icon in the lower right corner, and select Open Service Console.

This takes you to the Oracle CASB Cloud Service console.

16. If you see a "Welcome to Oracle CASB Cloud Service" page, click Skip This.

This page only appears if you have never registered an application or accessed Oracle CASB Cloud Service — Discovery.

17. Continue with Adding an Administrator through the Oracle CASB Cloud Service Console.

Next you will configure this Oracle Cloud user as an administrator in the Oracle CASB Cloud Service console.


Adding an Administrator through the Oracle CASB Cloud Service Console

Add an administrator, with an assigned role, through the Oracle CASB Cloud Service administrative console.

1. Select Configuration, Admin Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Admin.

3. In the New Admin dialog box, enter the administrator's first name, last name, and email address.

Note:

The email address must not contain the percent sign character (“%”).

4. Select a Role for the administrator.

For descriptions of the roles available, see About Administrator Roles.

For information on what policy alert features are accessible by different administrator roles, see Oracle CASB Cloud Service Administrator Roles and Policies.

5. If you didn’t select the tenant administrator role, in the Application instance box, select the instances this administrator is permitted to monitor:

• Any (the default): Lets the administrator monitor all application instances

• One or more individual instances: Lets the administrator monitor just thoseinstances

6. Click Save.

The new administrator receives email with login instructions.

Resetting the Password for an Administrator

Make an administrator change his or her password.

If an administrator's password may have been compromised, or it just needs to be changed to comply with your organization's policy on frequency of password changes, then reset the password for that administrator. This forces that administrator to set a new password.

1. Select Configuration, Admin Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


2. In the row for the administrator whose password you want to reset, click the Reset Password icon in the ACTION column.

3. To confirm that you want to reset the current password, click OK in the message box.

4. In the next message box, click OK.

The message box says that the reset message was sent. The reset message provides a link for the administrator to use to create a new password.

Modifying an Administrator's Privileges

Assign or revoke privileges from an administrator through the Oracle CASB Cloud Service console.

1. Select Configuration, Administrator Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. In the row for the administrator whose privileges you want to modify, click the Edit icon in the ACTION column.

3. In the Edit Administrator dialog box, drop down the Role menu, and then select the role for the administrator.

For descriptions of the roles available, see About Administrator Roles.

For information on what policy alert features are accessible by different administrator roles, see Oracle CASB Cloud Service Administrator Roles and Policies.

4. If you didn’t select the tenant administrator role, in the Application instance box, select the instances this administrator is permitted to monitor:

• Any (the default): Lets the administrator monitor all application instances

• One or more individual instances: Lets the administrator monitor just those instances

5. Click Save.

The administrator's role and application instance assignments are updated.

Deleting an Administrator

Delete an administrator through the Oracle CASB Cloud Service console.

Note:

It is best practice to always have at least two tenant administrators. If you have only two tenant administrators, you should not delete one before adding another.


1. Select Configuration, Administrator Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. In the row for the administrator whom you want to delete, click the Delete icon in the ACTION column.

3. In the Delete Administrator dialog box, click OK.


4 Performing Miscellaneous Administrative Tasks

Upload directory information for your users and set up Oracle Identity Cloud Service as an identity provider (IDP).

Perform these tasks if your environment requires the functionality.

Topics:

• Typical Workflow for Miscellaneous Administrative Tasks

• Setting Up Single Sign-on for Oracle CASB Cloud Service

• Setting Up an Identity Provider Instance

• Excluding Users from Data Reporting

Typical Workflow for Miscellaneous Administrative Tasks

With Oracle CASB Cloud Service, set up Oracle Identity Cloud Service as an identity provider.

Task: Set up single sign-on.
Description: You can enable single sign-on for your Oracle CASB Cloud Service users, through either Oracle Identity Cloud Service or Okta.
Additional Information: Setting Up Single Sign-on for Oracle CASB Cloud Service

Task: Set up an identity provider instance.
Description: You can set up Oracle Identity Cloud Service or Okta to be used as an identity provider (IDP) by Oracle CASB Cloud Service. Oracle Identity Cloud Service can then use that IDP to authenticate users to access applications that you register on Oracle Identity Cloud Service.
Additional Information: Setting Up an Identity Provider Instance

Task: Set up specific users to be excluded from data reporting.
Description: You can exclude certain users, such as trusted automated processes, from Oracle CASB Cloud Service data reporting.
Additional Information: Excluding Users from Data Reporting

Setting Up Single Sign-on for Oracle CASB Cloud Service

If you use SAML 2.0-based single sign-on (SSO) in your company, then you can enable this option for logging in to Oracle CASB Cloud Service.

Prerequisite: You must be the root tenant administrator (RTA) in order to set up SSO.


Oracle CASB Cloud Service supports single sign-on through Oracle Identity Cloud Service and Okta. To enable single sign-on, you must:

1. Copy the Oracle CASB Cloud Service metadata that you will need to create a single sign-on application in your identity provider.

2. Depending on the SSO provider you are using:

• Oracle Identity Cloud Service: create a SAML application in Oracle Identity Cloud Service.

• Okta: create a single sign-on application in Okta.

3. Configure SSO settings in Oracle CASB Cloud Service.

Copying Oracle CASB Cloud Service Metadata

Copy the metadata from Oracle CASB Cloud Service that you will need to create a single sign-on application in an identity provider.

1. Log in to Oracle CASB Cloud Service.

2. Select Configuration, SSO Settings from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

3. Go to the ORACLE CASB SERVICE PROVIDER METADATA section at the top.

4. Copy these values somewhere that will be easily accessible when you need the information:

• Assertion Consumer URL

• Logout URL (if you want to enable single logout)

• Entity ID

• Tenant name: In the Entity ID value, this is the final portion after the equals sign.

For example, if the Entity ID value is https://mycompany.com?t=Saml2Sso, then the tenant name is Saml2Sso.

5. Click the Download icon next to the Oracle CASB Certificate heading.

Copy this file (CASBSSOCertificate.pem) somewhere that will be easily accessible when you need the information.

What to Do Next

Set up Oracle CASB Cloud Service single sign-on in the identity provider that you want to use:

• Oracle Identity Cloud Service: see Creating a SAML Application in Oracle Identity Cloud Service.

• Okta: see Creating a Single Sign-on Application in Okta.

Creating a SAML Application in Oracle Identity Cloud Service

Create and configure a SAML application in Oracle Identity Cloud Service to support single sign-on for Oracle CASB Cloud Service.

Prerequisite:


Ensure that you have completed the steps in Copying Oracle CASB Cloud Service Metadata.

1. Log in to Oracle Identity Cloud Service as a user with privileges to create a new application.

2. Select the Applications tab, and then click + Add.

3. In the Add Application dialog box, select SAML Application.

4. On the Details part of the Add SAML Application page:

a. In the Name field, enter a name for this application.

For example, casb-sso-idcs-app.

b. (Optional) Enter a Description for this application.

c. (Optional) Under Application Icon, click Upload to upload an image to use as the icon for this application.

If you do not supply your own icon, a generic application icon will be used by default.

d. For Application URL / Relay State, enter the Tenant name from the Oracle CASB Cloud Service metadata.

e. If you want this application to appear in the applications list, ensure that Display in My Apps is selected.

f. Click Next.

5. On the SSO Configuration part of the Add SAML Application page:

a. In the Entity ID field, enter the Entity ID value from the Oracle CASB Cloud Service metadata.

b. In the Assertion Consumer URL field, enter the Assertion Consumer URL from the Oracle CASB Cloud Service metadata.

c. For the Signing Certificate field, enter the path to the Oracle CASB Cloud Service certificate you downloaded and click Upload to upload the certificate here.

d. For NameID Format, select Email Address.

e. For NameID Value, select Primary Email.

f. Click Advanced Settings.

6. On the Advanced Settings part of the Add SAML Application page:

a. Set Signed SSO to Assertion.

b. Select Include Signing Certificate in Signature.

c. Set Signature Hashing Algorithm to SHA-256.

d. (Optional) Select Enable Single Logout and specify parameters below.

If you select Enable Single Logout, when users log out of Oracle CASB Cloud Service they will also be logged out of Oracle Identity Cloud Service single sign-on.

• Logout Binding: Select POST.

• Single Logout URL: Copy the Logout URL value from the Oracle CASB Cloud Service metadata.


• Logout Response URL: Copy the Logout URL value from the Oracle CASB Cloud Service metadata. You use the same URL here as in Single Logout URL.

7. At the top of the Add SAML Application page:

a. Click Download Signing Certificate.

Save this certificate where it will be accessible to upload as the IDP Certificate in the next task.

b. Click Download Identity Provider Metadata.

You will need this metadata later to complete the single sign-on setup process.

c. Click Finish.

8. Click Activate in the upper-right corner.

9. Assign users and groups.

• To assign users, click the Users tab for your application, and then click Assign Users.

• To assign groups, click the Groups tab for your application, and then click Assign Groups.

What to Do Next

Continue with Configuring Single Sign-on in Oracle CASB Cloud Service.

Creating a Single Sign-on Application in Okta

Create and configure a single sign-on application in Okta to support single sign-on for Oracle CASB Cloud Service.

Prerequisite:

Ensure that you have completed the steps in Copying Oracle CASB Cloud Service Metadata.

1. Log in to your Okta account as a user with privileges to create a new application.

2. From the administrative console, select Applications, Applications.

3. On the Applications page, click the Add Application button, then click the Create New App button.

4. In the Create New Application Integration dialog box:

a. Set Platform to Web.

b. For Sign on method, select SAML 2.0.

c. Click Create.

5. On the General Settings page:

a. In the App name field, enter a name for this application.

For example, casb-sso-okta-app.

b. Click Next.

6. On the Configure SAML page:

a. In the Single sign on URL field, enter the Assertion Consumer URL from the Oracle CASB Cloud Service metadata.


b. In the Audience URI (SP Entity ID) field, enter the Entity ID value from the Oracle CASB Cloud Service metadata.

c. For Default RelayState, enter the Tenant name from the Oracle CASB Cloud Service metadata.

d. For Name ID format, select EmailAddress.

e. For Application username, select Email.

f. (Optional) If you want to enable single logout, click Show Advanced Settings and specify these parameters:

• Enable Single Logout: Select Allow application to initiate Single Logout.

• Single Logout URL: Enter the Logout URL value from the Oracle CASB Cloud Service metadata.

• SP Issuer: Enter the Entity ID value from the Oracle CASB Cloud Service metadata.

g. Signature Certificate: Enter the path to the Signing Certificate you downloaded from Oracle CASB Cloud Service, and then click Upload Certificate.

h. Click Finish.

7. Click the Sign On tab, and then click the View Setup Instructions button, and capture the information there to complete the single sign-on setup process in Oracle CASB Cloud Service.

• Identity Provider Single Sign-On URL: Copy this where it will be accessible and identify it as the Single Sign-On URL in the next task.

• Identity Provider Single Logout URL: If you are enabling single logout, copy this where it will be accessible and identify it as the Single Logout URL in the next task.

• SP Issuer: Copy this where it will be accessible and identify it as the Service Provider Issuer in the next task.

• X.509 Certificate: Click Download Certificate and save this certificate where it will be accessible to upload as the IDP Certificate in the next task.

What to Do Next

Continue with Configuring Single Sign-on in Oracle CASB Cloud Service.

Configuring Single Sign-on in Oracle CASB Cloud Service

Connect the applications you created in Oracle Identity Cloud Service and Okta to Oracle CASB Cloud Service to finish setting up single sign-on.

1. Log in to Oracle CASB Cloud Service, and select Configuration, SSO Settings from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. If you are using Oracle Identity Cloud Service, specify these settings in the YOUR SAML IDENTITY PROVIDER CONFIGURATION section:

• Service Provider Issuer: Enter the Entity ID from the ORACLE CASB SERVICE PROVIDER METADATA section.


• Single Sign-On URL: Copy this from the Oracle Identity Cloud Service Identity Provider Metadata XML file.

Note:

The correct URL contains /idp/sso.

• Logout URL: If you are enabling single logout, copy this from the Oracle Identity Cloud Service Identity Provider Metadata XML file.

Note:

The correct URL contains /idp/slo.

• idP Certificate: Click the Upload icon and navigate to your Oracle Identity Cloud Service signing certificate.

3. If you are using Okta, specify these settings in the YOUR SAML IDENTITY PROVIDER CONFIGURATION section:

• Service Provider Issuer: Enter the Entity ID from the ORACLE CASB SERVICE PROVIDER METADATA section.

• Single Sign-On URL: Copy this from the Identity Provider Single Sign-On URL that you recorded on the Okta Identity Provider Setup Instructions page.

Note:

The correct URL contains /idp/sso.

• Logout URL: If you are enabling single logout, copy this from the Identity Provider Single Logout URL that you recorded on the Okta Identity Provider Setup Instructions page.

Note:

The correct URL contains /idp/slo.

• idP Certificate: Click the Upload icon and navigate to your Okta signing certificate.

4. Click Save.

5. At the top of the page, drag the slider to the right to enable SSO.


Setting Up an Identity Provider Instance

To accommodate single sign-on (SSO) for a cloud service you are registering in Oracle CASB Cloud Service, configure one or more identity provider instances as the SSO provider.

Managing Identity Providers (IDPs)

Oracle CASB Cloud Service provides two strategic options for setting up identity providers (IDPs). These two options are mutually exclusive. You get one by default, and you can switch to the other by request.

1. Standalone IDP

• Okta and Oracle Identity Cloud Service (IDCS) are supported as IDPs.

• IDP is set up through the Configuration submenu, Identity Management Providers page.

• Oracle CASB Cloud Service tracks login events for registered applications through the IDP's API.

• This is the recommended IDP option, but it is not the default.

To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

2. IDP as a Managed Application

• Only IDCS is supported as IDP.

• IDCS is set up as an IDP by registering an IDCS instance as a managed application, through the Add/Update Apps option on the Applications page.

• Oracle CASB Cloud Service tracks login events for registered applications through the IDP's API, as with the Standalone IDP option, and the service also tracks security controls, policy alerts, and other features deployed with the monitoring IDP.

• This is the default option that is enabled when your Oracle CASB Cloud Service tenant is first deployed.

Note:

Ping is supported as an IDP for Box instances only. If your users sign on to Box through Ping, see Using Ping Single Sign-On with Box.

Configuring the Recommended Standalone IDP Option

1. To enable the Standalone IDP option, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.


2. Specify the IDCS IDP when you add a new application instance, or update an existing application instance.

Configuring the IDP as a Managed Application Option

1. Perform the setup steps required in the SSO provider.

2. Configure an IDP through the Configuration submenu, Identity Management Providers page.

• For IDCS, see Setting Up an Oracle Identity Cloud Service (IDCS) IDP Instance.

• For Okta, see Setting Up an Okta IDP Instance.

3. Specify the IDP instance you configured when you add a new application instance, or update an existing application instance.

Setting Up an Oracle Identity Cloud Service (IDCS) IDP Instance

Create a trusted application in Oracle Identity Cloud Service, then configure an identity provider (IDP) instance in Oracle CASB Cloud Service.

An Oracle Identity Cloud Service IDP instance enables communication between Oracle CASB Cloud Service and Oracle Identity Cloud Service.

Prerequisite: We recommend that you prepare and register your cloud application before setting up Oracle Identity Cloud Service as an IDP. See Preparing Cloud Applications for Monitoring and Registering Cloud Applications with Oracle CASB Cloud Service.

1. Log in to the Oracle Identity Cloud Service console and select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add.

3. On the Add Application page, select Confidential Application.

4. In the Add Confidential Application wizard's Detail page, in the App Details section, enter a Name for the application.

5. Click Next.

A confirmation message indicates that the application has been added in a deactivated state.

6. On the Add Confidential Application wizard’s Client page, click Configure this application as a client now.

7. In the Authorization section that opens, select these two Allowed Grant Types:

• Client Credentials

• JWT Assertion

8. In the Grant the client access to Identity Cloud Service Admin APIs section at the bottom, click Add.

9. In the Add App Role dialog box, select these roles:

• Identity Domain Administrator

• Me


10. Click Add to close the Add App Role dialog box.

11. At the top of the Add Confidential Application wizard’s Client page, click Next.

12. On the Add Confidential Application wizard’s Resources page, click Configure this application as a resource server now.

13. In the Configure application APIs that need to be OAuth protected section that opens, enter a Primary Audience description that indicates this is for use by Oracle CASB Cloud Service.

For example, you could enter OCCS here.

14. Click Next.

15. On the Add Confidential Application wizard’s Web Tier Policy page, click Next.

16. On the Add Confidential Application wizard’s Authorization page, click Finish.

You should see an Application Added message that contains values for a Client ID and a Client Secret.

17. Copy and paste the Client ID and Client Secret values somewhere for later use.

18. Copy the URL for the Oracle Identity Cloud Service console to the same location for later use.

Copy the first part of the URL, from https: through the port number, leaving out the path and everything after it. For example, from this console URL:

https://myoracleidentitycloudservice.com:8943/ul/v1/adminconsole/?root=732

you would copy https://myoracleidentitycloudservice.com:8943.

19. Click Close.

The new application’s details page is displayed.

20. At the top of the page, to the right of the application name, click Activate.

21. In the Activate Application? dialog box, click Activate Application.

You have now created and configured a confidential application in Oracle Identity Cloud Service. Next you must configure an identity provider (IDP) instance in Oracle CASB Cloud Service.

22. Ensure that you have activated the trusted application that you set up in the Oracle Identity Cloud Service console.

23. In the Oracle CASB Cloud Service console, select Configuration, Manage Identity Providers, then click Add IDP.

24. In the Add an IDP instance dialog box, from the Provider drop-down list, select Oracle Identity Cloud Service.

25. Copy and paste the three pieces of information you recorded when you set up the application in Oracle Identity Cloud Service: the Client ID, the Client Secret, and the URL to the provider.

26. Enter descriptive labels in the Instance Name and Description fields, and then click Save.

For the IDP instance to be created:

• Both the client ID and client secret values must match the values from the trusted application setup in Oracle Identity Cloud Service.


• The URL to the provider must access the Oracle Identity Cloud Service console.

• The server for the URL to the Oracle Identity Cloud Service console must be available.
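The conditions listed above are easy to check before you click Save. The following Python helper is an added example, not code from this guide or from Oracle: it trims a console URL down to the https://host:port form that step 18 asks for, flags an empty or whitespace-padded Client ID or Client Secret without ever echoing the secret, and shows the shape of the OAuth 2.0 client-credentials request that a relying service sends with those three values. The token endpoint path /oauth2/v1/token and the scope urn:opc:idm:__myscopes__ are assumptions for illustration, as are the sample client values; the example console URL is the one shown in step 18.

```python
from base64 import b64encode
from urllib.parse import urlencode, urlsplit


def provider_base_url(console_url: str) -> str:
    """Return 'https://host:port', the part of the console URL the guide says to
    copy (from https: through the port number), dropping path and query."""
    parts = urlsplit(console_url)
    if parts.scheme != "https":
        raise ValueError("provider URL must use https")
    if not parts.hostname:
        raise ValueError("provider URL has no host")
    netloc = parts.hostname
    if parts.port is not None:          # raises ValueError on a non-numeric port
        netloc += f":{parts.port}"
    return f"https://{netloc}"


def validate_idp_inputs(client_id: str, client_secret: str, console_url: str) -> list:
    """Check the three values before pasting them into 'Add an IDP instance'.
    The messages describe the problem but never include the secret itself."""
    problems = []
    if not client_id.strip():
        problems.append("Client ID is empty")
    if not client_secret.strip():
        problems.append("Client Secret is empty")
    elif client_secret != client_secret.strip():
        problems.append("Client Secret has leading/trailing whitespace (copy-paste error?)")
    try:
        provider_base_url(console_url)
    except ValueError as exc:
        problems.append(f"URL to the provider: {exc}")
    return problems


def client_credentials_request(client_id: str, client_secret: str, console_url: str) -> dict:
    """Build the OAuth 2.0 client-credentials token request (RFC 6749 section 4.4)
    that a relying service sends with these values: HTTP Basic client auth and a
    form body. Endpoint path and scope are assumptions, not taken from the guide."""
    base = provider_base_url(console_url)
    basic = b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{base}/oauth2/v1/token",          # assumed token endpoint path
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials",
                           "scope": "urn:opc:idm:__myscopes__"}),  # assumed scope
    }


if __name__ == "__main__":
    # Constructed sample values; the URL is the example from step 18.
    url = "https://myoracleidentitycloudservice.com:8943/ul/v1/adminconsole/?root=732"
    print("provider URL to paste:", provider_base_url(url))
    print("problems:", validate_idp_inputs("abc123", "s3cret", url) or "none")
    print("problems:", validate_idp_inputs("", " s3cret", "http://idcs.example.test/"))
```

Only the trimmed URL and the problem list are meant to be printed or logged; the request dictionary carries the secret in its Authorization header and should go straight to the HTTP client.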

Setting Up an Okta IDP Instance

Configure a dedicated Oracle CASB Cloud Service user in Okta, and then configure an Okta identity provider (IDP) instance in Oracle CASB Cloud Service.

An Okta IDP instance enables communication between Oracle CASB Cloud Service and Okta.

Prerequisite: We recommend that you prepare and register your cloud application before setting up Oracle Identity Cloud Service as an IDP. See Preparing Cloud Applications for Monitoring and Registering Cloud Applications with Oracle CASB Cloud Service.

1. Log in to Okta as an admin user with Super Administrator authority.

2. In the Okta Dashboard, select Directory, People.

3. On the People page, click Add Person.

4. In the Add Person dialog, fill in the information for the new user that will serve as the dedicated Oracle CASB Cloud Service user, and then click Add Person.

5. On the People page, select Security, Administrators, and then click Add Administrator.

6. In the Add administrator dialog box, enter the name of the Oracle CASB Cloud Service user, select Super Administrator, and then click Add Administrator.

7. Log out of Okta and log back in as the Oracle CASB Cloud Service user you just created.

8. From the Okta Dashboard, select Security, API, and then click Create Token.

9. In the Create Token dialog box, enter a name for the token and click Create Token.

Remember the token name. You will need it when you register your application instance in the Oracle CASB Cloud Service console. For more information, see the section for the application type you want to register, in Setting Up Cloud Applications for Monitoring.

You have now configured a dedicated Oracle CASB Cloud Service user in Okta. Now you must configure an Okta IDP instance in Oracle CASB Cloud Service.

10. In the Oracle CASB Cloud Service console, select Configuration, Identity Provider Management, and then click Add IDP.

11. In the Add an IDP instance dialog box:

a. Set Provider to Okta.

b. Enter an Instance Name and Description.


Note:

Important: The instance name should clearly identify the IDP and the application type, so these are obvious later when you are connecting an application instance to the IDP instance.

c. For API Key, enter the token name for the token you created for the Oracle CASB Cloud Service user in Okta.

d. For URL to the provider, enter the URL that you accessed to create the Oracle CASB Cloud Service user in Okta.

e. Click Save.

Excluding Users from Data Reporting

Specify users, such as trusted automated processes, to be excluded from Oracle CASB Cloud Service data reporting.

To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

Among the users that appear in the activity that Oracle CASB Cloud Service monitors for your registered applications are many trusted automated processes. By default, the activities of these users appear in Users, Risk Events, Reports, and elsewhere as if they were real human users. For purposes of assessing your security, you may not want to consider these automated processes as regular users.

As you identify users in this category, you can exclude them from all data reporting. Data for these users is still collected and stored, but it does not appear anywhere in the Oracle CASB Cloud Service console and it is not included in any calculations.

1. Identify a trusted automated software process that Oracle CASB Cloud Service treats as a user, or any other user that you wish to exclude from data reporting.

User IDs appear in:

• Risk Events: in the Actor entry when you show the detailed information for a row.

• Reports: in the USER ID column, if it is present.

• Users: in the USER NAME column.

• Incidents: in the User Id field of the View Incident and Edit Incident dialog boxes.

2. Copy the user ID to the clipboard.

3. In the Oracle CASB Cloud Service console, select Configuration, User Exclusion List from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

4. Click New Exclusion at the top right.

5. To exclude a single user:


a. Select Text.

b. Paste the user ID that you just copied into the text box.

c. Click Save.

6. To exclude multiple users whose IDs match a regular expression:

a. Select Regular Expression.

b. Paste the user ID that you just copied into the text box, or enter text that will be the basis of a regular expression.

c. Edit the text in the text box to form a regular expression that matches multiple user IDs that you wish to exclude.

For example:

• *@ABCservice.com excludes all users with an ID that is an email address at ABCservice.com.

• user9..@ABCservice.com excludes all users with an ID that is an email address at ABCservice.com that consists of “user9” followed by two characters.

• *admin*@ABCservice.com excludes all users with an ID that is an email address at ABCservice.com which contains “admin” before the @ sign.

Note:

You may use the full functionality supported by regular expressions. Only simple examples are listed above.

d. Click Save.

Activity for the user or users that you specified will no longer appear in the Oracle CASB Cloud Service console and will not be included in any calculations.
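An exclusion pattern that matches more IDs than intended silently removes real users from Risk Events, Reports and Users, so it is worth dry-running a pattern against known IDs before saving it. The following Python script is an added example, not part of this guide or of Oracle CASB Cloud Service. It writes the three examples above as anchored regular expressions (the guide shows them in a wildcard style, with * standing for any run of characters; rendering them as .* and escaping the dot in the domain is an assumption about how the console interprets them), tests them against a constructed list of user IDs, and reports any ID from a keep-list that a pattern would hide.

```python
import re

# Constructed sample of user IDs as they might appear in the USER NAME column.
SAMPLE_USER_IDS = [
    "backup-bot@ABCservice.com",
    "user9ab@ABCservice.com",
    "user9abc@ABCservice.com",
    "sysadmin@ABCservice.com",
    "admin@ABCservice.com",
    "jane.doe@ABCservice.com",
    "admin@ABCservice.com.attacker.test",   # lookalike domain, must NOT match
    "carol@example.test",
]

# Anchored regular-expression forms of the guide's three wildcard-style examples.
PATTERNS = {
    "all at ABCservice.com": r".*@ABCservice\.com",
    "user9 plus two characters": r"user9..@ABCservice\.com",
    "contains admin before @": r".*admin.*@ABCservice\.com",
}


def excluded_by(pattern: str, user_ids, ignore_case: bool = True) -> list:
    """Return the user IDs that the exclusion pattern matches in full.

    fullmatch() is used on purpose: with search(), a pattern ending in
    @ABCservice\\.com would also swallow IDs at a lookalike domain that merely
    starts with ABCservice.com.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return [uid for uid in user_ids if rx.fullmatch(uid)]


def review_exclusion(pattern: str, user_ids, must_keep) -> dict:
    """Dry-run an exclusion: which IDs disappear from reporting, and does the
    pattern accidentally hide any account listed in must_keep?"""
    hidden = excluded_by(pattern, user_ids)
    collateral = sorted(set(hidden) & set(must_keep))
    return {"hidden": hidden, "collateral": collateral}


if __name__ == "__main__":
    # Human accounts whose activity must stay visible (constructed sample).
    keep = ["jane.doe@ABCservice.com", "carol@example.test"]
    for label, pattern in PATTERNS.items():
        result = review_exclusion(pattern, SAMPLE_USER_IDS, keep)
        print(f"{label}: {pattern}")
        print("  hidden:    ", result["hidden"])
        print("  collateral:", result["collateral"] or "none")
```

The dot in the domain is escaped so it matches only a literal dot, and the case-insensitive flag reflects that the same account can appear with different capitalisation in different sources; pass ignore_case=False if your applications treat IDs as case-sensitive. A non-empty collateral list means the pattern is too broad and would blind you to a real user's activity.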


Part III Setting Up Cloud Applications for Monitoring

To monitor a cloud application in Oracle CASB Cloud Service, you must first prepare the application by setting up a dedicated user. Then, you must register an application instance in Oracle CASB Cloud Service.

The first two chapters in this section provide a generic overview of the tasks involved. The rest of the chapters provide detailed instructions for each application type.

Chapters:

• Preparing Cloud Applications for Monitoring

• Registering Cloud Applications with Oracle CASB Cloud Service

• Setting Up Amazon Web Services (AWS)

• Setting Up Azure

• Setting Up Box

• Setting Up Custom Apps for AWS

• Setting Up GitHub

• Setting Up Google for Work

• Setting Up Microsoft Office 365

• Setting Up Oracle Cloud Infrastructure (OCI)

• Setting Up Oracle Enterprise Resource Planning (ERP) Cloud

• Setting Up Oracle Human Capital Management (HCM) Cloud

• Setting Up Oracle Identity Cloud Service (IDCS)

• Setting Up Oracle Sales Cloud

• Setting Up Salesforce Sales Cloud

• Setting Up ServiceNow

• Setting Up Slack


5 Preparing Cloud Applications for Monitoring

Understand the general steps for preparing cloud applications, and then perform the application-specific steps for a supported application.

To use Oracle CASB Cloud Service, you must create a user in each cloud application or service that you want to monitor. For accountability purposes, this user must be dedicated for use only by the Oracle CASB Cloud Service.

Topics:

• Typical Workflow for Preparing Cloud Applications for Monitoring

• Setting Up a Dedicated User Account

• Single Sign-On for the Oracle CASB Cloud Service User

Typical Workflow for Preparing Cloud Applications for Monitoring

With Oracle CASB Cloud Service, you can prepare cloud applications so that you can monitor them.

Task: Prepare cloud applications.
Description: You can set up an account for each cloud application that you want to monitor, and then register an instance for that application in Oracle CASB Cloud Service.
Additional Information: Setting Up a Dedicated User Account

Task: Set up single sign-on (SSO) for user accounts.
Description: You can configure user accounts so that users can use their SSO credentials to access cloud applications.
Additional Information: Single Sign-On for the Oracle CASB Cloud Service User

Setting Up a Dedicated User Account

In the cloud application that you want to monitor, set up a user account that is dedicated for Oracle CASB Cloud Service use.

Before you begin adding cloud applications to Oracle CASB Cloud Service, you must prepare each application to permit Oracle CASB Cloud Service to analyze user behavior and the application's security configuration settings. Preparing the application lets Oracle CASB Cloud Service analyze activity and security configuration settings.


To prepare the application, you create a user in the application that is dedicated to communication with Oracle CASB Cloud Service. Do not log in as this user yourself or let anyone else access this user's credentials.

Each application has unique requirements for the dedicated Oracle CASB Cloud Service user.

Single Sign-On for the Oracle CASB Cloud Service User

Understand single sign-on support in Oracle CASB Cloud Service.

If your organization requires single sign-on to the cloud through Okta or Ping, the Oracle CASB Cloud Service user must also be configured for single sign-on.

Instructions for configuring the single sign-on options that are available with some applications are included in the “Preparing...” topic for the application.


6 Registering Cloud Applications with Oracle CASB Cloud Service

Before you register a cloud application instance, you must create a dedicated Oracle CASB Cloud Service user in the cloud application.

You add or register an application instance from Applications or from the Dashboard, Summary tab.

Topics:

• Typical Workflow for Registering Cloud Services

• Verifying Your Application Registration

• Resuming Monitoring that Has Stopped

• Updating an Application Instance

• Removing an Application Instance

Typical Workflow for Registering Cloud Services

With the registration feature in Oracle CASB Cloud Service, you can register cloud services.

Task: Verify the registration of an application instance.
Description: You can verify that an application instance is registered in Oracle CASB Cloud Service successfully.
Additional Information: Verifying Your Application Registration

Task: Troubleshoot monitoring.
Description: You can troubleshoot issues that may arise when monitoring an application in Oracle CASB Cloud Service so that you can resume monitoring the application.
Additional Information: Resuming Monitoring that Has Stopped

Task: Modify credentials and the security control baseline.
Description: You can update login credentials and the security control baseline for an application instance in Oracle CASB Cloud Service.
Additional Information: Updating an Application Instance

Task: Remove an application instance.
Description: You can remove a registered application instance from Oracle CASB Cloud Service.
Additional Information: Removing an Application Instance


Verifying Your Application Registration

After you finish registering an application, wait a few minutes, and then verify that Oracle CASB Cloud Service is monitoring data for your application.

After you add an application instance, the initial data sweep can take a few minutes, after which Oracle CASB Cloud Service should start to display information about account activity.

After successful registration of an Amazon Web Services instance, if CloudTrail isn’t enabled for one or more regions, then Oracle CASB Cloud Service issues an alert in Risk Events. Oracle CASB Cloud Service depends on CloudTrail to be able to collect log information from the region.

1. Select the Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Select or hover over the icon for the new application instance.

3. In the Health Summary card, check whether or not Oracle CASB Cloud Service appears to be collecting data.

If there’s any number other than zero (0) for Monitoring Failed, then click the number to view the alerts related to monitoring the application instance. Often, monitoring fails if the Oracle CASB Cloud Service user's password or access keys need to be updated. Credentials may need to be updated in Oracle CASB Cloud Service, in the application instance, or both places.

4. If numbers appear for any risks in the Health Summary card, then you can click the numbers for details about the risks.

Resuming Monitoring that Has Stopped

Understand how to tell that monitoring has stopped, and how to troubleshoot the problem so that monitoring can resume.

Oracle CASB Cloud Service can, at times, be unable to monitor an application instance after you register it, or monitoring can stop after working for some time.

Often, this is due to the Oracle CASB Cloud Service user's credentials expiring or being replaced in the application instance. At other times, this can be due to a transitory or more pervasive network issue.

When monitoring stops, Oracle CASB Cloud Service displays a “no” symbol below the application instance icon in the Dashboard. You or another administrator receive an email notification.

1. Select the Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Hover over the tile for the application that is no longer being monitored.

This icon has a “no” symbol below it. The Health Summary card for the application appears.

3. For additional information about the inability to access the application instance, click the More > link in the monitoring failure message in the Health Summary card.


The common issues include:

• Someone updated the credentials (for example, the password) for the Oracle CASB Cloud Service user in the cloud service, but not in the Oracle CASB Cloud Service console.

• The credentials for the Oracle CASB Cloud Service user expired in the cloud service, and they need to be updated there and in the Oracle CASB Cloud Service console.

• The Oracle CASB Cloud Service user needs administrator privileges. See Preparing Cloud Applications for Monitoring.

Updating an Application Instance

After an application instance is registered, change the credentials for the dedicated user, or the security control baseline, or other settings for the application.

For all application types, you must periodically update the credentials for the Oracle CASB Cloud Service user. Also, if you registered the application in Monitor Only mode, you may want to change the baseline values for the application's security controls. This changes Oracle CASB Cloud Service's alerting threshold for the modified values.

Certain application types allow you to change other settings that you specified when you registered the application instance. See the application-specific topics with titles that begin with “Updating...”

Updating Login Credentials for an Application Instance

After an application instance is registered, update the login credentials whenever necessary.

You should regularly update the login credentials for the Oracle CASB Cloud Service user in your cloud applications. When this happens, you must also update the credentials in the Oracle CASB Cloud Service console so that monitoring can continue.

Note:

Not all applications take a user name and password. For example, Amazon Web Services credentials consist of a key pair (an access key and a secret key).

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.


Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. Enter the credentials for the dedicated service account for Oracle CASB Cloud Service.

These can be a user name and password, access keys, or other credentials depending on the application. For some applications (for example, Salesforce), you are directed to the application's login service. You return to the Oracle CASB Cloud Service console after entering your credentials. For additional information about the Oracle CASB Cloud Service user's credentials, see Preparing Cloud Applications for Monitoring.

3. If you see a Test Credential button, click it.

Some application types require you to test the credentials at this point, while others don’t.

It can take a minute to test your credentials.

4. When you see a success message for the test of your credentials, click Submit.

Updating the Security Control Baseline for an Application Instance

After an application instance is registered, update the security control baseline settings as needed.

Oracle CASB Cloud Service generates alerts in the Risk Events page if the corresponding security control value in the application differs from the Oracle CASB Cloud Service baseline. To change these baseline values, you modify the application instance.

Security controls (for example, minimum password and session length) are one of three primary types of risk that Oracle CASB Cloud Service monitors for. When you register an application instance, you let Oracle CASB Cloud Service use its built-in defaults as a baseline, or you let Oracle CASB Cloud Service set various security control values in the application, after which Oracle CASB Cloud Service monitors for drift from the new baseline.

Note:

You can’t change from monitor-only mode to "push-and-monitor" mode (having Oracle CASB Cloud Service set the baseline values in the cloud application). To switch monitoring modes, you must delete the instance in the Oracle CASB Cloud Service console and re-register it.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.


• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. Select the baseline level that you want:

• Standard: Use the application's built-in defaults.

• Stringent: Use Oracle CASB Cloud Service's suggested defaults.

• Custom: Set the values that you want for each security control.

For information about the baselines for each application type, see these topics. For each registered application instance, the update wizard uses the same security controls as the registration wizard:

– Security Control Values for AWS (Push Controls/Read-Write)

– Security Control Values for Box (Push Controls/Read-Write)

– Security Control Values for Salesforce (Push Controls/Read-Write)

3. When you are done, select the Confirmation check box, and then click Submit.

A confirmation message appears.

Removing an Application Instance

After an application instance is registered, remove it if it is no longer needed.

You can remove an application instance that you have registered at any time.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the tile for the application instance to open the Health Summary.

3. Click Remove on the Health Summary card.

4. Click OK when prompted to confirm the removal.


7 Setting Up Amazon Web Services (AWS)

Prepare Amazon Web Services (AWS) for security monitoring and register your application instance with Oracle CASB Cloud Service.

Security risks that Oracle CASB Cloud Service detects include noncompliant security control values within the administration console, activity within AWS that violates your policies, and user behavior patterns that appear to be suspicious. Oracle CASB Cloud Service can monitor AWS within these AWS regions:

• AP: ap-northeast-1 and -2; ap-southeast-1 and -2

• CA: ca-central-1

• EU: eu-central-1; eu-west-1, -2, and -3

• SA: sa-east-1

• US: us-east-1 and -2; us-west-1 and -2

For more information on AWS regions, see the AWS documentation.

Topics:

• Typical Workflow for Amazon Web Services Security Monitoring

• Preparing and Registering AWS

• Updating an AWS Instance

Typical Workflow for Amazon Web Services Security Monitoring

With Oracle CASB Cloud Service, you can monitor Amazon Web Services (AWS) to detect potential risks.

Task: Prepare and register Amazon Web Services (AWS).
Description: You can set up an Oracle CASB Cloud Service account in your AWS application instance and register an AWS application instance in monitoring-only mode or in push security controls mode.
Additional information: Preparing and Registering AWS

Task: Update an AWS instance.
Description: You can update the credentials, IDP instance, and security control baseline for an AWS instance.
Additional information: Updating an AWS Instance


Preparing and Registering AWS

Configure AWS for authentication using an IAM User or an IAM role, using within-account or cross-account logging. Configure an identity provider (IDP) for single sign-on if users log in to AWS through an IDP.

The steps to connect your AWS accounts to Oracle CASB Cloud Service are different, depending on several parameters of your AWS architecture.

To watch a video that provides an overview of the different ways you can set up AWS to be monitored by Oracle CASB Cloud Service, see Configuring and Registering AWS Video Key.

• Monitoring can be configured in two ways:

– By using an IAM User as the dedicated service account.

– By using an IAM Role in lieu of the dedicated service account.

• Logging can also be configured in two ways:

– Within-account logging, in which each AWS account maintains CloudTrail logs within that same account.

– Cross-account logging, in which some or all AWS accounts (the source accounts) send their CloudTrail logs to a single target account's S3 bucket.

To set up AWS for monitoring by Oracle CASB Cloud Service

If you prefer that Oracle CASB Cloud Service uses IAM Users to monitor your AWS instances:

• If users log in to AWS using a supported IDP for single sign-on, start with Setting Up an Identity Provider Instance.

Note:

You can register your AWS instance without an IDP configured and add the IDP at a future time. See Updating the IDP Instance for an AWS Instance.

• Then go to Using an IAM User: Creating and Registering a Dedicated Service User.

• Then, if you use cross-account logging, continue with Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging.

If your AWS architecture uses an IAM Role to monitor your AWS instances:

• If users log in to AWS using a supported IDP for single sign-on, start with Setting Up an Identity Provider Instance.


Note:

You can register your AWS instance without an IDP configured and add the IDP at a future time. See Updating the IDP Instance for an AWS Instance.

• Then go to Using an IAM Role: Creating a Dedicated Service Role.

• Then, if you use cross-account logging, continue with Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging.

Using an IAM Role: Creating a Dedicated Service Role

Enable CloudTrail, and then create and register a dedicated service role.

Using an IAM Role: Enabling CloudTrail

In order for CASB Cloud Service to monitor your AWS account, you must first enable both CloudTrail and S3 services.

With CloudTrail and S3 enabled, the dedicated IAM identity can read the AWS service configuration and the CloudTrail logs stored in S3.

To watch a video that provides an overview of the steps in this task, see Enabling CloudTrail and S3.

1. Log into your AWS console.

2. Select Services, and under Management Tools, click CloudTrail.

3. If CloudTrail is not enabled, then on the AWS CloudTrail screen you see a blue Get Started Now button.

If you do not see the blue Get Started Now button, CloudTrail is already enabled: go to step 4.

If you do see the blue Get Started Now button, CloudTrail is not enabled: continue with the substeps below.

a. Click the blue Get Started Now button to begin the process of enabling CloudTrail.

b. On the Turn on CloudTrail page, enter a Trail name.

Note:

Ensure that you note the region in the top right corner of the page. The S3 bucket and the KMS key you create in the following substeps are created in this region.

This name can be anything you like, as long as it is unique within your AWS account.

c. Leave the default setting of Apply trail to all regions set to Yes, and Read/Write events set to All.

d. Scroll to the Storage location section at the bottom of the page.


e. To create a new bucket (note that your S3 bucket will be created in the region you noted in step 3b above):

i. Leave the default setting of Create a new S3 bucket set to Yes, enter a name for the bucket in the S3 bucket field, and then click Advanced.

ii. If you want to use a log file prefix to change the default location of the CloudTrail logs, enter the prefix in the Log file prefix field.

This will change the path in the S3 bucket policy to include the prefix.

iii. If you want to encrypt the CloudTrail logs, set Encrypt log files to Yes and select Yes to Create a new KMS key or No to use an existing key.

Note:

Your KMS (Key Management Service) key must be in the same AWS region as the S3 bucket (the region noted in step 3b above) where your encrypted CloudTrail logs are stored.

iv. Click Create.

v. If you chose to encrypt your CloudTrail logs in substep e.iii above, validate your KMS settings. The key policy must contain the statements shown below. To find the key policy, go to Services, IAM, Encryption Keys, change the region to the one where you created your S3 bucket (noted in step 3b above), click the key name in the Alias column, and review the Key Policy:

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWSaccountnumber>:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser" },
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
      "Resource": "*"
    },
    {
      "Sid": "Enable CloudTrail Encrypt Permissions",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<AWSaccountnumber>:trail/*"
        }
      }
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser" },
      "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
      "Resource": "*",
      "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
    }
  ]
}

In this policy, testLocalUser stands for the IAM user you chose as key administrator and key user when you created the key. The statement CloudTrail itself depends on is "Enable CloudTrail Encrypt Permissions"; its StringLike condition on the encryption context restricts the key to trails in your own account, so do not loosen or remove it.

vi. Validate your CloudTrail settings:

i. On the Trails page, click the CloudTrail name.

ii. On the Configuration page, verify that the CloudTrail you just created has the settings specified in the previous steps.

iii. Ensure that the CloudTrail is enabled for all regions in Trail Settings, and is capturing all events in Management events.

vii. Validate your S3 settings:

i. Select Services, and under Storage, select S3.

ii. Click the bucket name to display four tabs across the top.

iii. Click the Permissions tab, and then click the Bucket Policy button.

The Bucket policy editor displays the policy in JSON format that was automatically created for your S3 bucket.

Ensure that the policy contains the s3:GetBucketAcl and s3:PutObject statements shown below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck<AWSaccountnumber>",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Sid": "AWSCloudTrailWrite<AWSaccountnumber>",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket_name>/LORIC/AWSLogs/<AWSaccountnumber>/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}

LORIC in the Resource path is the log file prefix used in this example. If you did not enter a prefix in substep e.ii, the path is arn:aws:s3:::<bucket_name>/AWSLogs/<AWSaccountnumber>/*.

f. To use an existing bucket:

i. Change the default setting of Create a new S3 bucket to No, enter the name of the bucket in the S3 bucket field, and click Advanced.

ii. If you want to encrypt CloudTrail, set Encrypt log files to Yes.

i. Select Yes to Create a new KMS key or No to use an existing key.

Note:

Your KMS key must be in the same AWS region as the S3 bucket where your encrypted CloudTrail logs are stored.

ii. Verify that your KMS key policy contains the following statements (the same statements as in substep e.v above) by going to Services, IAM, Encryption Keys and changing the region to the one where your S3 bucket is located (noted in step 3b above):

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWSaccountnumber>:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser" },
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
      "Resource": "*"
    },
    {
      "Sid": "Enable CloudTrail Encrypt Permissions",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<AWSaccountnumber>:trail/*"
        }
      }
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser" },
      "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
      "Resource": "*",
      "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
    }
  ]
}

iii. If you want to use a log file prefix to change the default location of the CloudTrail logs, enter the prefix in the Log File Prefix field.

This will change the path in the S3 bucket policy to include the prefix.

iv. To review the S3 bucket policy, select Services, and under Storage, select S3.

v. Click the bucket name, then click the Permissions tab, and click the Bucket Policy button.

Ensure that the policy contains the s3:GetBucketAcl and s3:PutObject statements shown below (LORIC is the example log file prefix; without a prefix the path is <bucket_name>/AWSLogs/<AWSaccountnumber>/*):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck<AWSaccountnumber>",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Sid": "AWSCloudTrailWrite<AWSaccountnumber>",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket_name>/LORIC/AWSLogs/<AWSaccountnumber>/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}

4. If CloudTrail is already enabled, follow the substeps below.

It is recommended that you enable CloudTrail for all regions.

Ensure that all events are being logged.

a. From the Dashboard page, select Trails on the left.

b. On the Trails page, in the Name column, click the name of the CloudTrail.


c. Ensure that Apply trail to all regions is set to Yes.

To change the setting, click the Edit icon to the right of Trail settings.

d. Ensure that Read/Write events is set to All.

To change the setting, click the Edit icon to the right of Management events.

e. Ensure that the S3 bucket name is what you want to use.

To create a new bucket to use, click the Edit icon to the right of Storage location.

f. If you want to encrypt the CloudTrail logs, click the Edit icon to the right of Storage location, set Encrypt log files to Yes, and then set Create a new KMS key to:

• Yes to create a new key.

• No to use the existing key that you specify in the KMS key field.

Note:

Your KMS (Key Management Service) key must be in the same AWS region as the S3 bucket where your encrypted CloudTrail logs are stored.

5. Ensure that you have clicked Save at the bottom of each section where you made a change before you leave this page.
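The bucket policy and key policy checks in substeps e.v, e.vii and f above are done by eye in the console. The following script is an added example (not Oracle's or AWS's code) that performs the same checks offline on a policy document: it confirms that cloudtrail.amazonaws.com is allowed s3:GetBucketAcl on the bucket and s3:PutObject on the AWSLogs path with the bucket-owner-full-control condition, and that the KMS key grants CloudTrail kms:GenerateDataKey* only under the kms:EncryptionContext:aws:cloudtrail:arn condition that pins the key to trails in your own account. The account number, bucket name, prefix and sample policies are constructed placeholders.

```python
"""Offline checks for the CloudTrail log bucket policy and the KMS key policy.

Added example, not Oracle's or AWS's code. ACCOUNT, BUCKET, PREFIX and the
sample policies are constructed; feed in real documents with json.loads()
of the "Policy" string returned by 'aws s3api get-bucket-policy' and
'aws kms get-key-policy --policy-name default'.
"""
import copy

ACCOUNT = "123456789012"          # constructed example account number
BUCKET = "example-trail-bucket"   # constructed bucket name
PREFIX = "LORIC"                  # the log file prefix used in the page's examples


def _as_list(value):
    # IAM policy fields may be a scalar or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _cloudtrail_allows(policy):
    """Yield the Allow statements whose principal is the CloudTrail service."""
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        if (st.get("Effect") == "Allow" and isinstance(principal, dict)
                and "cloudtrail.amazonaws.com" in _as_list(principal.get("Service", []))):
            yield st


def check_bucket_policy(policy, bucket, account, prefix=""):
    """Return a list of problems; an empty list means CloudTrail can deliver logs here."""
    problems = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    log_path = f"{bucket_arn}/{prefix + '/' if prefix else ''}AWSLogs/{account}/*"
    acl_ok = write_seen = False
    for st in _cloudtrail_allows(policy):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_ok = True
        if "s3:PutObject" in actions and log_path in resources:
            write_seen = True
            acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                problems.append("s3:PutObject grant lacks the bucket-owner-full-control ACL condition")
    if not acl_ok:
        problems.append(f"no s3:GetBucketAcl grant to CloudTrail on {bucket_arn}")
    if not write_seen:
        problems.append(f"no s3:PutObject grant to CloudTrail on {log_path}")
    return problems


def check_key_policy(policy, account):
    """Return problems with the policy of the KMS key that encrypts the trail."""
    problems = []
    expected = f"arn:aws:cloudtrail:*:{account}:trail/*"
    seen = False
    for st in _cloudtrail_allows(policy):
        if not any(a in ("kms:GenerateDataKey*", "kms:*") for a in _as_list(st.get("Action", []))):
            continue
        seen = True
        ctx = (st.get("Condition", {}).get("StringLike", {})
               .get("kms:EncryptionContext:aws:cloudtrail:arn"))
        if ctx is None:
            problems.append("CloudTrail GenerateDataKey grant has no encryption-context condition, "
                            "so a trail in any AWS account could encrypt with this key")
        elif ctx != expected:
            problems.append(f"encryption-context condition {ctx!r} does not pin the key to account {account}")
    if not seen:
        problems.append("no kms:GenerateDataKey* grant to cloudtrail.amazonaws.com")
    return problems


# Constructed sample documents, shaped like the ones the AWS console generates.
GOOD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck" + ACCOUNT, "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSCloudTrailWrite" + ACCOUNT, "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}
# The console-generated policy always carries the ACL condition; its absence
# means the policy was hand-edited and deserves a look.
NO_ACL_BUCKET_POLICY = copy.deepcopy(GOOD_BUCKET_POLICY)
del NO_ACL_BUCKET_POLICY["Statement"][1]["Condition"]

GOOD_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable CloudTrail Encrypt Permissions", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {
             "kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"}}},
    ],
}
# Same grant without the encryption-context condition: any account's trail could use the key.
UNSCOPED_KEY_POLICY = copy.deepcopy(GOOD_KEY_POLICY)
del UNSCOPED_KEY_POLICY["Statement"][1 - 1]["Condition"]
```

Run check_bucket_policy() with the same prefix you typed in the Log file prefix field; passing a different prefix reports a missing s3:PutObject grant, which is exactly the mismatch that leaves a trail silently empty. The key-policy check only looks at the CloudTrail grant; the other statements in the console-generated policy are for your key administrators and do not affect log delivery.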

What to Do Next

Continue with Using an IAM Role: Creating and Registering a Dedicated Service Role.

Using an IAM Role: Creating and Registering a Dedicated Service Role

Create a dedicated IAM role in your AWS account and register it with Oracle CASB Cloud Service for monitoring.

To watch a video that provides an overview of the steps in this task, see Creating and Registering a Target AWS Account using an IAM Role.

Prerequisites:

• You have successfully completed the steps in Using an IAM Role: Enabling CloudTrail.

• If users log in to AWS through an identity provider, you have already created an identity provider instance in Oracle CASB Cloud Service. See Setting Up an Identity Provider Instance.

1. Log in to the AWS account that you will be registering in Oracle CASB Cloud Service.

2. In the AWS console, select Services, then under Security, Identity and Compliance select IAM.


3. On the Welcome to Identity and Access Management page, select Roles in the left navigation panel.

Here you will create the monitoring role for a stand-alone account, or for the target account in cross-account logging.

4. Click the Create role button above the list of roles.

5. On the Select type of trusted entity page, select Another AWS account.

Oracle CASB Cloud Service can assume this role to monitor the AWS account.

Caution:

You must keep this AWS page open and active until you can return from Oracle CASB Cloud Service with the External ID and Account ID that you will paste here.

6. Open a new browser tab and log in to your Oracle CASB Cloud Service tenant.

7. Select Applications from the Navigation menu. If the Navigation Menu is notdisplayed, click the Navigation Menu icon to display it.

8. Click Add/Modify App.

9. On the Select an app type page, click Amazon Web Services, and then click Next.

10. On the Select an instance page:

a. Enter a name for this AWS instance.

Names of any existing instances are listed below your input.

b. If users log in to AWS through an identity provider, select The users of this app instance log in using single sign-on through an identity provider and select the identity provider instance from the drop-down list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

11. On the Select monitoring type page, select:

• Monitor only, if you want Oracle CASB Cloud Service to read data from AWS, but not write security control settings back to AWS. For a description of the security control settings that Oracle CASB Cloud Service automatically enforces when you select Monitor only, see Security Control Values for AWS (Monitor Only/Read Only).

• Push controls and monitor, if you want Oracle CASB Cloud Service to write security control settings back to AWS, in addition to reading AWS data. When you select Push controls and monitor, you specify the security control settings that you want Oracle CASB Cloud Service to enforce in the next step.


Note:

Do not select Push controls and monitor if you intend to attach only the ReadOnlyAccess policy to the role in step 18 below. Pushing controls requires write access to AWS, and Test Credentials will fail without it.

After you make your selection, click Next.

12. If you selected Monitor only, skip this step: you go directly to the Enter credentials page.

Make your selections on the Select security controls page:

a. Select Standard, Stringent, or Custom.

Each of these options provides a different set of security settings. For a description of all the options, see Security Control Values for AWS (Push Controls/Read-Write).

b. Examine the settings under Password Policies, Settings, and Access Controls, and make any changes you want to in those settings.

c. Click Next when you are done.

13. On the Enter credentials page, set Authentication type to IAM user role.

Note:

The read-only values for External ID and Account ID are automatically generated when you select IAM user role.

Caution:

A different External ID value is generated each time that you select IAM user role. You must keep this Oracle CASB Cloud Service page open and active until you can return and paste the Role ARN value into the User role ARN field.

14. Copy the External ID and Account ID to a temporary location from which you can copy and paste into the AWS console.

15. Switch back to the browser tab with your AWS account.

16. Paste the Account ID from the temporary location into the Account ID field in AWS.

17. Select Require external ID and paste the External ID from the temporary location into the External ID field in AWS, and then click Next: Permissions.

18. On the Attach Policy page, select the policy that matches the Monitoring type you selected in the Oracle CASB Cloud Service registration process:

• If you selected Monitor only in Oracle CASB Cloud Service, select ReadOnlyAccess. (Scroll to the bottom of the list.)

• If you selected Push controls and monitor in Oracle CASB Cloud Service, you must select AdministratorAccess.

19. Click Next: Review.


20. On the Set role name and review page, enter a Role name, an optional Role description, and then click Create role.

21. Click the name of the role you just created.

22. On the Summary page, copy the Role ARN value.

23. Switch back to the Oracle CASB Cloud Service tab.

24. Paste the value from AWS into the User role ARN field.

25. If you want Oracle CASB Cloud Service to collect logs from an external account, slide the Collect logs from an external account switch to the right, then enter the Name of the Cross-Account role and Account Number.

26. Click Test Credentials.

If all configurations are correct, you see a “Credentials are valid” message.

27. Click Submit.

You see a notification that the instance is going through its first data ingestion on your Oracle CASB Cloud Service tenant.

28. Click Done.

29. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

You see the AWS application tile displaying a gear icon. This indicates that the application is going through its first data ingestion.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

You have successfully registered your AWS account with Oracle CASB Cloud Service, using an IAM user role to authenticate.
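Steps 5, 16, 17 and 20 above make the IAM console write a trust relationship for the role; the External ID in that trust relationship is what stops a confused-deputy attack, in which someone else registers your Role ARN in their own Oracle CASB Cloud Service tenant and has the service assume it on their behalf. The following is an added example, not Oracle's or AWS's code: it builds the trust policy the console generates for "Another AWS account" with "Require external ID", and reviews an existing trust policy the way you should before pasting a role ARN into the User role ARN field. The Oracle CASB account number and External ID used here are constructed placeholders; use the values the Enter credentials page shows you.

```python
"""Trust policy of the role that Oracle CASB Cloud Service assumes.

Added example, not Oracle's or AWS's code. CASB_ACCOUNT and EXTERNAL_ID are
constructed placeholders for the Account ID and External ID the Oracle CASB
console generates; the role ARN you paste back is the other half of the pair.
"""
import json

CASB_ACCOUNT = "111111111111"                          # constructed placeholder
EXTERNAL_ID = "c0ffee00-1234-4abc-9def-00112233aabb"    # constructed placeholder


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_casb_trust_policy(casb_account, external_id):
    """The trust relationship the console generates for 'Another AWS account' + external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{casb_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_json(casb_account, external_id):
    """Same document as text, ready to paste into Edit trust relationship."""
    return json.dumps(build_casb_trust_policy(casb_account, external_id), indent=2)


def check_casb_trust_policy(policy, casb_account, external_id):
    """Return problems; empty means only CASB, presenting the right External ID, can assume the role."""
    problems = []
    allowed = {f"arn:aws:iam::{casb_account}:root", casb_account}
    grants = 0
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action", []))):
            continue
        grants += 1
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            problems.append("role can be assumed by any AWS principal")
            continue
        if not isinstance(principal, dict):
            problems.append("statement has no usable Principal")
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p not in allowed:
                problems.append(f"unexpected principal {p}")
        for kind in ("Service", "Federated"):
            if principal.get(kind):
                problems.append(f"{kind} principal should not be on the CASB monitoring role")
        # The External ID is the confused-deputy guard: without it, any CASB
        # tenant that learns your Role ARN could have the service assume the role.
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("sts:AssumeRole grant has no sts:ExternalId condition")
        elif external_id not in _as_list(ext):
            problems.append("sts:ExternalId does not match the value the CASB console generated")
    if grants == 0:
        problems.append("no sts:AssumeRole grant: Test Credentials will fail")
    return problems
```

A role whose trust policy lacks the condition, or carries an External ID from an earlier attempt at step 13 (a new one is generated every time you select IAM user role), fails Test Credentials in step 26; the check above tells you which of the two it is before you get there.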

Next Steps

• If you are setting up cross-account logging, you have completed setup of your target account. Continue with Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging.

• If you do not want to set up cross-account logging, you are done.

Using an IAM Role: Adding Source Dedicated Service Roles forCross-Account Logging

For cross-account logging, add more AWS instances as source accounts and direct their logs to the S3 bucket created for the first account, which now becomes the target account.

The steps to add the first source account for cross-account logging are unique. The steps to add any number of additional source accounts for cross-account logging are all the same.


Using an IAM Role: Setting Up the First Source Dedicated Service Role

The steps to add the first source account for cross-account logging are unique. You perform these steps only once.

To watch a video that provides an overview of the steps in this task, see Creating and Registering a Source AWS Account using an IAM Role.

Cross-account logging is a configuration in Amazon Web Services that allows users to pipe CloudTrail log data from one account to another account's S3 bucket.

The account that you set up in Using an IAM Role: Creating a Dedicated Service Role becomes the target account: all logs from the source accounts, the additional AWS accounts you create and register with Oracle CASB Cloud Service, are piped into the S3 bucket of this target account.

Prerequisites: Before proceeding, you must:

• Complete all the tasks in Using an IAM Role: Creating a Dedicated Service Role.

• Create the source account in AWS.

• Get the AWS account number of the source account whose logging you want consolidated into the S3 bucket in the target account through cross-account logging.

Note:

To complete this procedure, you will need to open the AWS console in two different browsers, for example Chrome and Firefox. You can't be signed in to two different AWS accounts at the same time in the same browser, even in separate windows or tabs.

1. Open a browser window and log in to the target AWS account.

This is the account which has the S3 bucket that all other AWS accounts will use for logging.

We will refer to this as the target account browser.

2. Open a window in a different browser and log into the source AWS account.

This is one of the other AWS accounts, which will use the S3 bucket from the target account for logging.

We will refer to this as the source account browser.

Note:

This must be a window in a different browser, not just a separate window in the same browser. For example, if you opened the target account in Chrome, you might open the source account in Firefox.

3. Switch to the target account browser.

4. Select Services, and under Storage, select S3.


The bucket policy on the target account must be modified to allow the source accounts to write to it. If this is not done, the CloudTrail creation process in the source account will fail when it cannot write to the S3 bucket in the target account.

5. Click the bucket name to display four tabs across the top.

6. Click the Permissions tab, and then click the Bucket Policy button.

The Bucket policy editor displays the policy in JSON format that this S3 bucket is using.

7. Make a copy of this policy before you modify it, in case you need to restore it later.

8. Look closely at the Resource statement near the bottom.

This is how that Resource statement looks before any source accounts have been added:

    ...
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
    "Condition": {
    ...

9. In the Resource statement, add a left square bracket (“[“) after the colon, pressEnter, and press Tab several times:

    ...
    "Action": "s3:PutObject",
    "Resource": [
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
    "Condition": {
    ...

10. Press Enter at the end of the arn statement, then copy the entire arn statementand paste the copy directly below the original:

    ...
    "Action": "s3:PutObject",
    "Resource": [
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
    "Condition": {
    ...

11. At the end of the copied arn statement, delete the comma, press Enter, and thentype a right square bracket (“]”) and a comma:

    ...
    "Action": "s3:PutObject",
    "Resource": [
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*"
    ],
    "Condition": {
    ...

12. In the copied arn statement, replace <target_account_number> with the <source_account_number> of the AWS source account:

    ...
    "Action": "s3:PutObject",
    "Resource": [
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<source_account_number>/*"
    ],
    "Condition": {
    ...

13. Click Save.

If there are any syntax errors in your changes, you will see a message saying that the policy contains invalid JSON.

If this happens, try to find and correct the error, or click Cancel, restore the original policy that you saved, and start over with these instructions.

14. Select Services, and under Security, Identity & Compliance, select IAM.

You must now create the IAM cross-account role that the source account assumes to read the S3 bucket.

15. On the Welcome to Identity and Access Management page, select Roles fromthe list on the left.

16. Click the Create role button above the list of roles.

17. On the Select type of trusted entity page, select Another AWS account.

This option allows IAM users or roles in the source account to assume this cross-account role.

18. In the Account ID field, enter the source account number and click Next: Permissions.

19. On the Attach Policy page, select the AmazonS3ReadOnlyAccess policy and click Next: Review.

20. On the Set role name and review page, in the Role name field, enter a name for the role, an optional Role Description, and then click Create role.

21. Click the role name to display the Summary page for the role.

22. Click the Trust relationships tab.

This tab displays the information on the relationship you have established between the target account and this source account.

23. Click the Edit trust relationship button.


On the Edit trust relationship page, you see the policy document for the trust relationship between the target and source accounts:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<source_account>:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}

24. In the Principal statement, change root to the Amazon Resource Name (ARN) of the dedicated service role in the source account, that is, the role Oracle CASB Cloud Service assumes to monitor the source AWS account. With root, any principal in the source account could assume this role; naming the role limits it to the one identity that needs it.

    ...
    "Principal": { "AWS": "arn:aws:iam::<source_account>:role/<IAM_role>" },
    "Action": "sts:AssumeRole"
    ...

25. Click Save.

If there are any syntax errors in your changes, you will see a message saying that the policy contains invalid JSON.

If this happens, try to find and correct the error, or click Cancel, restore the original policy that you saved, and start over with these instructions.
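Steps 8 to 13 and 23 to 25 above are hand edits of JSON in the console, and the invalid-JSON error is the usual result of a missing comma or bracket. The following is an added example, not Oracle's or AWS's code, that makes both edits with a JSON library on a copy of the policy: it adds the source account's log path to the CloudTrail write statement of the target bucket policy (turning the Resource string into a list the first time and never adding a duplicate), and it replaces the account-wide :root principal in the cross-account role's trust policy with the source account's dedicated service role. The bucket name, account numbers and role name are constructed placeholders; LORIC is the log file prefix used on this page.

```python
"""Cross-account logging edits done with json instead of a text editor.

Added example, not Oracle's or AWS's code. Bucket, account and role names are
constructed placeholders. Paste the output of json.dumps(..., indent=2) into
the Bucket Policy editor or the Edit trust relationship page.
"""
import copy
import json

TARGET_BUCKET = "target-trail-bucket"   # constructed
TARGET_ACCOUNT = "111122223333"         # constructed
SOURCE_ACCOUNT = "444455556666"         # constructed
SOURCE_ROLE = "casb-source-monitor"     # constructed: the source account's dedicated service role
PREFIX = "LORIC"                        # log file prefix used in this page's examples


def _as_list(value):
    return value if isinstance(value, list) else [value]


def log_path(bucket, account, prefix=""):
    """CloudTrail delivery path for one account under the shared bucket."""
    return f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}AWSLogs/{account}/*"


def add_source_account(bucket_policy, bucket, target_account, source_account, prefix=""):
    """Return a copy of the target bucket policy that also lets CloudTrail write the source account's logs."""
    policy = copy.deepcopy(bucket_policy)
    target_path = log_path(bucket, target_account, prefix)
    new_path = log_path(bucket, source_account, prefix)
    for st in _as_list(policy["Statement"]):
        principal = st.get("Principal", {})
        if (st.get("Effect") == "Allow" and isinstance(principal, dict)
                and principal.get("Service") == "cloudtrail.amazonaws.com"
                and "s3:PutObject" in _as_list(st.get("Action", []))):
            resources = _as_list(st.get("Resource", []))
            if target_path not in resources:
                continue
            if new_path not in resources:          # idempotent: re-running adds nothing
                resources.append(new_path)
            st["Resource"] = resources             # a list from now on, as in step 9
            return policy
    raise ValueError(f"no CloudTrail s3:PutObject statement for {target_path}")


def scope_trust_to_role(trust_policy, source_account, role_name):
    """Replace arn:aws:iam::<source>:root with the source account's dedicated role (step 24)."""
    policy = copy.deepcopy(trust_policy)
    root_arn = f"arn:aws:iam::{source_account}:root"
    role_arn = f"arn:aws:iam::{source_account}:role/{role_name}"
    changed = False
    for st in _as_list(policy["Statement"]):
        principal = st.get("Principal", {})
        if isinstance(principal, dict) and root_arn in _as_list(principal.get("AWS", [])):
            arns = [role_arn if p == root_arn else p for p in _as_list(principal["AWS"])]
            principal["AWS"] = arns[0] if len(arns) == 1 else arns
            changed = True
    if not changed:
        raise ValueError(f"{root_arn} is not a principal in this trust policy")
    return policy


# Constructed samples shaped like the documents the console shows in steps 8 and 23.
TARGET_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck" + TARGET_ACCOUNT, "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{TARGET_BUCKET}"},
        {"Sid": "AWSCloudTrailWrite" + TARGET_ACCOUNT, "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": log_path(TARGET_BUCKET, TARGET_ACCOUNT, PREFIX),
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}
SOURCE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "", "Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print(json.dumps(add_source_account(TARGET_BUCKET_POLICY, TARGET_BUCKET,
                                        TARGET_ACCOUNT, SOURCE_ACCOUNT, PREFIX), indent=2))
    print(json.dumps(scope_trust_to_role(SOURCE_TRUST_POLICY, SOURCE_ACCOUNT, SOURCE_ROLE), indent=2))
```

Both functions leave the original document untouched and return a new one, which is the programmatic form of step 7 (keep a copy of the policy before you modify it). For each additional source account, call add_source_account() again on the policy you saved last time; the Resource list simply grows by one path.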

What to Do Next

Continue with Using an IAM Role: Creating and Registering a Source Dedicated Service Role.

Using an IAM Role: Setting Up an Additional Source Dedicated Service Role

After you set up the first source account for cross-account logging, the steps to set up additional source accounts are the same. Repeat these steps for each additional source account.

To watch videos that provide an overview of the steps in this task, see:

• IAM Role: Turn on Cross-Account Logging in AWS

• Creating and Registering a Target AWS Account using an IAM Role

Prerequisites:

• Complete all the tasks in Using an IAM Role: Creating a Dedicated Service Role.

• Complete all the steps in Using an IAM Role: Setting Up the First Source Dedicated Service Role.


• Create the source account in AWS.

• Get the Oracle CASB Cloud Service Account ID for the AWS source account for which you want logging to be consolidated into the S3 bucket in the hub account through cross-account logging.

Note:

To complete this procedure, you will need to open the AWS console in two different browsers. For example, Chrome and Firefox. You can’t access two different accounts at the same time in the AWS account using the same browser in two different windows or tabs.

1. Open a browser window and log in to the target AWS account.

This is the account which has the S3 bucket that all other AWS accounts will use for logging.

We will refer to this as the target account browser.

2. Open a window in a different browser and log into the source AWS account.

This is one of the other AWS accounts, which will use the S3 bucket from the target account for logging.

We will refer to this as the source account browser.

Note:

This must be a window in a different browser, not just a separate window in the same browser. For example, if you open the target account in Chrome, you might open the source account in Firefox.

3. Switch to the target account browser.

4. Select Services, and under Storage, select S3.

The policy on the target account must be modified to allow the source accounts to write to it. If this is not done, the CloudTrail creation process in the source account will fail when it does not recognize the S3 bucket in the target account.

5. Click the bucket name to display four tabs across the top.

6. Click the Permissions tab, and then click the Bucket Policy button.

The Bucket policy editor displays the policy in JSON format that this S3 bucket is using.

7. Make a copy of this policy before you modify it, in case you need to restore it later.

8. Look closely at the Resource statement near the bottom.

This is how that Resource statement looks if one source account has been added:

...
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<source1_account_number>/*"
      ],
      "Condition": {
...

For each additional source account that is added, you see another arn statement in the "Resource": statement list.

To keep things simple, our example will show a policy with two arn statements. The steps are exactly the same for any higher number of arn statements.

9. Copy the entire first arn statement and paste the copy directly under the original:

...
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<source1_account_number>/*"
      ],
      "Condition": {
...

10. In the copy of the arn statement, replace the <target_account_number> with the <source_account_number> that you are adding, in this example, <source2_account_number>:

...
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<source2_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/LORIC/AWSLogs/<source1_account_number>/*"
      ],
      "Condition": {
...

11. Click Save.

If there are any syntax errors in your changes, you will see a message saying that the policy contains invalid JSON.

If this happens, try to find and correct the error, or click Cancel, restore the original policy that you saved, and start over with these instructions.


12. Select Services, and under Security, Identity & Compliance, select IAM.

You must now have the source account assume the IAM cross-account role that allows it to read the S3 bucket.

13. On the Welcome to Identity and Access Management page, select Roles from the list on the left.

14. Click the Create role button above the list of roles.

15. On the Select type of trusted entity page, select Another AWS account.

This option allows IAM users or roles that you own to assume this cross-account role.

16. In the Account ID field, enter the source account number and click Next Step.

17. On the Attach Policy page, select the AmazonS3ReadOnly policy and click Next Step.

18. On the Set role name and review page, in the Role name field, enter a name for the role, an optional Role Description, and then click Create Role.

19. Click the role name to display the Summary page for the role.

20. Click the Trust relationships tab.

This tab displays the information on the relationship you have established between the target account and this source account.

21. Click the Edit trust relationship button.

On the Edit trust relationship page, you see the policy document for the trust relationship between the target and source accounts.

22. Look closely at the arn statements in the Principal statement in this policy document.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<source1_account>:role/<IAM_role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

23. If the Principal statement has only one arn statement, as shown above:

a. After the "AWS":, enter a left square bracket (“[”), press Enter, and then press Tab several times:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<source1_account>:role/<IAM_role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

b. Enter a comma at the end of the arn statement line, then press Enter:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<source1_account>:role/<IAM_role>",
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

c. Copy the entire arn statement and paste it directly below the original, then enter a comma at the end of the original arn statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<source1_account>:role/<IAM_role>",
          "arn:aws:iam::<source1_account>:role/<IAM_role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

d. In the copied arn statement, replace the original source account number (<source1_account>) with the new source account you are adding (<source2_account>):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<source1_account>:role/<IAM_role>",
          "arn:aws:iam::<source2_account>:role/<IAM_role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

e. At the end of the copied arn statement, press Enter and enter a right square bracket (“]”):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<source1_account>:role/<IAM_role>",
          "arn:aws:iam::<source2_account>:role/<IAM_role>"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

24. If the Principal statement has more than one arn statement:

a. At the end of the first arn statement, press Enter, and then copy the entire first arn statement directly below itself:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<source1_account>:role/<IAM_role>",
          "arn:aws:iam::<source1_account>:role/<IAM_role>",
          "arn:aws:iam::<source2_account>:role/<IAM_role>"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


b. In the copied arn statement, replace the first source account number (<source1_account>) with the account number of the new account you are adding (<source_new_account>):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<source1_account>:role/<IAM_role>",
          "arn:aws:iam::<source_new_account>:role/<IAM_role>",
          "arn:aws:iam::<source2_account>:role/<IAM_role>"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

25. Click Save.

If there are any syntax errors in your changes, you will see a message saying that the policy contains invalid JSON.

If this happens, try to find and correct the error, or click Cancel, restore the original policy that you saved, and start over with these instructions.
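The two manual edits in this procedure (adding a Resource ARN to the target bucket policy, and adding a principal ARN to the cross-account role's trust policy, including the string-to-list change that separates step 23 from step 24) can be done programmatically and checked for valid JSON before pasting. The following Python is an added example, not Oracle's or AWS's code; the bucket name, role name and account numbers are constructed placeholders, and the policies are shaped like the ones shown above.

```python
"""Add a source AWS account to both cross-account logging policies.

Added example (not from Oracle or AWS). Account numbers, bucket name and
role name below are constructed placeholders.
"""
import copy
import json

TARGET_BUCKET = "example-target-bucket"   # placeholder, not a real bucket
TARGET_ACCOUNT = "111111111111"           # placeholder target account
SOURCE1_ACCOUNT = "222222222222"          # placeholder first source account
IAM_ROLE = "casb-monitor-role"            # placeholder cross-account role name
LOG_PREFIX = "LORIC"                      # log file prefix used in the page's examples

# Constructed target bucket policy, as it looks after the first source account.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": [
                f"arn:aws:s3:::{TARGET_BUCKET}/{LOG_PREFIX}/AWSLogs/{TARGET_ACCOUNT}/*",
                f"arn:aws:s3:::{TARGET_BUCKET}/{LOG_PREFIX}/AWSLogs/{SOURCE1_ACCOUNT}/*",
            ],
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        }
    ],
}

# Constructed trust policy with a single string principal (the step 23 case).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SOURCE1_ACCOUNT}:role/{IAM_ROLE}"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts a bare string wherever a one-element list is meant; normalise."""
    return [value] if isinstance(value, str) else list(value or [])


def add_source_to_bucket_policy(policy, bucket, prefix, source_account):
    """Return a copy of the bucket policy with a PutObject resource for source_account."""
    new_policy = copy.deepcopy(policy)  # never mutate the saved original
    wanted = f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{source_account}/*"
    for stmt in new_policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "s3:PutObject" in _as_list(stmt.get("Action")):
            resources = _as_list(stmt.get("Resource"))
            if wanted not in resources:  # idempotent: re-running adds nothing
                resources.append(wanted)
            stmt["Resource"] = resources
            return new_policy
    raise ValueError("bucket policy has no Allow s3:PutObject statement")


def add_source_to_trust_policy(policy, source_account, role_name):
    """Return a copy of the trust policy that also trusts source_account's role."""
    new_policy = copy.deepcopy(policy)
    wanted = f"arn:aws:iam::{source_account}:role/{role_name}"
    for stmt in new_policy["Statement"]:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "AWS" not in principal:
            continue
        if "sts:AssumeRole" in _as_list(stmt.get("Action")):
            principals = _as_list(principal["AWS"])  # string becomes a list (step 23)
            if wanted not in principals:
                principals.append(wanted)
            principal["AWS"] = principals
            return new_policy
    raise ValueError("trust policy has no Allow sts:AssumeRole statement with an AWS principal")


def render(policy):
    """Serialise and re-parse so an invalid document is caught before it is pasted."""
    text = json.dumps(policy, indent=2)
    json.loads(text)
    return text


if __name__ == "__main__":
    new_account = "333333333333"  # placeholder for the account being added
    print(render(add_source_to_bucket_policy(BUCKET_POLICY, TARGET_BUCKET, LOG_PREFIX, new_account)))
    print(render(add_source_to_trust_policy(TRUST_POLICY, new_account, IAM_ROLE)))
```

Both functions return a new document and leave the original untouched, which mirrors the advice above to keep a copy of the policy before editing it; the output of render() is what you would paste into the console editor.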

What to Do Next

Continue with Using an IAM Role: Creating and Registering a Source Dedicated Service Role.

Using an IAM Role: Creating and Registering a Source Dedicated Service Role

Create a role for the source account in AWS, begin registering the account in Oracle CASB Cloud Service to get the External ID, return to AWS to enter the External ID and set necessary permissions, and then complete the registration.

To watch a video that provides an overview of the steps in this task, see Creating and Registering a Source AWS Account using an IAM Role.

1. Log in to the AWS account that you will be registering in Oracle CASB Cloud Service.

2. In the AWS console, select Services, then under Security Identity and Compliance select IAM.

3. On the Welcome to Identity and Access Management page, select Roles in the left navigation panel.

Here you will create the monitoring role for this AWS source account.

4. Click the Create role button above the list of roles.

5. On the Select type of trusted entity page, select Another AWS account.


The Oracle CASB Cloud Service can assume this role to monitor the AWS account.

Caution:

You must keep this AWS page open and active until you can return from Oracle CASB Cloud Service with the External ID and Account ID that you will paste here.

6. Open a new browser tab and log in to your Oracle CASB Cloud Service tenant.

7. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

8. Click Add an App.

9. On the Select an app type page, click Amazon Web Services, and then click Next.

10. On the Select an instance page:

a. Enter a name for this AWS instance.

Names of any existing instances are listed below your input.

b. If users log in to AWS through an identity provider, select The users of this app instance log in using single sign-on through an identity provider and select the identity provider instance from the drop-down list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

11. On the Select monitoring type page, select:

• Monitor only — if you want Oracle CASB Cloud Service to read data from AWS, but not write security control settings back to AWS. For a description of the security control settings that Oracle CASB Cloud Service automatically enforces when you select Monitor only, see Security Control Values for AWS (Monitor Only/Read Only).

• Push controls and monitor — if you want Oracle CASB Cloud Service to write security control settings back to AWS, in addition to reading AWS data. When you select Push controls and monitor, you specify the security control settings that you want Oracle CASB Cloud Service to enforce in the next step.

Note:

Do not select Push controls and monitor if you selected only the ReadOnlyAccess policy in Using an IAM Role: Enabling CloudTrail.

After you make your selection, click Next.

12. If you selected Monitor only, skip this step — you will go directly to the Enter credentials page.


Make your selections on the Select security controls page:

a. Select Standard, Stringent, or Custom.

Each of these options provides a different set of security settings. For a description of all the options, see Security Control Values for AWS (Push Controls/Read-Write).

b. Examine the settings under Password Policies, Settings, and Access Controls, and make any changes you want to in those settings.

c. Click Next when you are done.

13. On the Enter credentials page, set Authentication type to IAM user role.

Note:

The read-only values for External ID and Account ID are automatically generated when you select IAM user role.

Caution:

A different External ID value is generated each time that you select IAM user role. You must keep this Oracle CASB Cloud Service page open and active until you can return and paste the User role ARN value into the User role ARN field.

14. Copy the External ID and Account ID to a temporary location from which you can copy and paste into the AWS console.

15. Switch back to the browser tab with your AWS account.

16. Paste the Account ID from the temporary location into the Account ID field in AWS.

17. Select Require external ID… and paste the External ID from the temporary location into the External ID field in AWS and click Next: Permissions.

18. On the Attach Policy page, select the policy that matches the Monitoring type you selected in the Oracle CASB Cloud Service registration process:

• If you selected Monitor only in Oracle CASB Cloud Service, select ReadOnlyAccess. (Scroll to the bottom of the list.)

• If you selected Push controls and monitor in Oracle CASB Cloud Service, you must select AdministratorAccess.

19. Click Next: Review.

20. On the Set role name and review page, enter a Role name, an optional Role description, and then click Create role.

21. Click the name of the role you just created.

22. On the Summary page, copy the Role ARN value.

23. Switch back to the Oracle CASB Cloud Service tab.

24. Paste the value from AWS into the User role ARN field.


25. Slide the Collect logs from an external account switch to the right.

26. In the Name of Cross-Account role field, enter the name of your cross-account role.

27. In the Account number field, enter the account number of the target account.

This is the AWS account with the S3 bucket that is used for logging by all the AWS accounts.

28. Switch back to the AWS browser tab.

You need to create an inline policy to allow the AWS role to assume the cross-account role in the target account.

Caution:

You must keep this Oracle CASB Cloud Service page open and active until you can return and complete the registration process.

29. On the AWS Summary page, click the Permissions tab.

30. On the Permissions tab, click Inline Policies, and then click the click here link to create one.

31. On the Set Permissions page, expand Custom Policy, and then click the Select button to the right of Use the policy editor to customize your own set of permissions.

32. On the Review Policy page, enter a Policy Name, and then copy and paste the text below into the Policy Document window:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}

33. Click the Validate Policy button at the bottom.

34. Click Apply Policy.

35. Switch back to the Oracle CASB Cloud Service tab where you are registering this AWS instance.

36. Click Test Credentials.

If all configurations are correct, you see a “Credentials are valid” message.

37. Click Submit.

You see a notification that the instance is going through its first data ingestion on your Oracle CASB Cloud Service tenant.


38. Click Done.

39. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

You see the AWS application tile displaying a gear icon. This indicates that the application is going through its first data ingestion.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

You have successfully registered your AWS account with Oracle CASB Cloud Service, using an IAM user role to authenticate.

Next Steps

• If you need to set up another AWS source account, continue with Using an IAM Role: Setting Up an Additional Source Dedicated Service Role.

• If you do not need to set up another AWS source account, you are done.

Using an IAM User: Creating and Registering a Dedicated Service User

This IAM User is the only account that you configure for within-account logging. In cross-account logging, this IAM User is the first, or target, AWS account that you configure.

Using an IAM User: Enabling CloudTrail

In order for CASB Cloud Service to monitor your AWS account, you must first enable CloudTrail.

Enabling CloudTrail allows the IAM account to monitor the AWS services from the CloudTrail logs stored in S3.

To watch a video that provides an overview of the steps in this task, see Enabling CloudTrail and S3.

1. Log into your AWS console.

2. Select Services, and under Management Tools, click CloudTrail.

3. If CloudTrail is not enabled, then on the AWS CloudTrail screen you see a blue Get Started Now button.

If you do not see the blue Get Started Now button, CloudTrail is enabled — go to step 4.

If you do see the blue Get Started Now button, CloudTrail is not enabled — continue with the substeps below:

a. Click the blue Get Started Now button to begin the process of enabling CloudTrail.

b. On the Turn on CloudTrail page, enter a Trail name.


Note:

Ensure that you note the region in the top right corner of the page.

This name can be anything you like, as long as it is unique within your AWS account.

c. Leave the default setting of Apply trail to all regions set to Yes, and Read/Write events set to All.

d. Scroll to the Storage location section at the bottom of the page.

e. To create a new bucket (note that your S3 bucket will be created in the region in step 4b above):

i. Leave the default setting of Apply trail to all regions set to Yes, enter a name for the bucket in the S3 bucket field, and then click Advanced.

ii. If you want to use a log file prefix to change the default location of the CloudTrail logs, enter the prefix in the Log file prefix field.

This will change the path in the S3 bucket policy to include the prefix.

iii. If you want to encrypt CloudTrail, set Encrypt log files to Yes and select Yes to Create a new KMS key or No to use an existing key.

Note:

Your KMS (Key Management Service) key must be in the same AWS region as your S3 bucket (noted in step 4b above) where your encrypted CloudTrail logs are stored.

iv. Click Create.

v. If you chose to encrypt your CloudTrail in step 4.e.ii above, validate your KMS settings: The policy must contain the following statements. You can find the KMS policy by going to Services, IAM, Encryption Keys, changing the region to where you created your S3 bucket (step 4.b above) and clicking on the Key Name in the Alias column and reviewing the Key Policy:

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWSaccountnumber>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::965634374182:user/testLocalUser"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Enable CloudTrail Encrypt Permissions",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<AWSaccountnumber>:trail/*"
        }
      }
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

vi. Validate your CloudTrail settings:

i. On the Trails page, click the CloudTrail name.

ii. On the Configuration page, verify that the CloudTrail you just created has the settings specified in the previous steps.

iii. Ensure that the CloudTrail is enabled for all regions in Trail Settings, and is capturing all events in Management events.

vii. Validate your S3 settings:

i. Select Services, and under Storage, select S3.

ii. Click the bucket name to display four tabs across the top.

iii. Click the Permissions tab, and then click the Bucket Policy button.

The Bucket policy editor displays the policy in JSON format that was automatically created for your S3 bucket.

Ensure that the policy contains GetBucketAcl and PutObject, shown below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck<AWSaccountnumber>",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Sid": "AWSCloudTrailWrite<AWSaccountnumber>",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket_name>/LORIC/AWSLogs/<AWSaccountnumber>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

f. To use an existing bucket:

i. Change the default setting of Create a new S3 bucket to No and enter aname for the bucket in the S3 bucket field and click Advanced.

ii. If you want to encrypt CloudTrail, set Encrypt log files to Yes.

i. Select Yes to Create a new KMS key or No to use an existing key.

Note:

Your KMS (Key Management Service) key must be in the same AWS region as your S3 bucket where your encrypted CloudTrail logs are stored.

ii. Verify that your KMS policy contains the following statements by going to Services, IAM, Encryption Keys and changing the region to where you are creating your S3 bucket (step 4b above):

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWSaccountnumber>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::965634374182:user/testLocalUser"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Enable CloudTrail Encrypt Permissions",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<AWSaccountnumber>:trail/*"
        }
      }
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWSaccountnumber>:user/testLocalUser"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

iii. If you want to use a log file prefix to change the default location of the CloudTrail logs, enter the prefix in the Log File Prefix field.

This will change the path in the S3 bucket policy to include the prefix.

iv. To review the S3 bucket policy, select Services, and under Storage, select S3.

v. Click the bucket name, then click the Permissions tab, and click the Bucket Policy button.

Ensure that the policy contains GetBucketAcl and PutObject, shown below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck<AWSaccountnumber>",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<bucket_name>"
    },
    {
      "Sid": "AWSCloudTrailWrite<AWSaccountnumber>",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket_name>/LORIC/AWSLogs/<AWSaccountnumber>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
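The "ensure that the policy contains ..." checks in both the new-bucket and existing-bucket branches above, and the matching KMS key policy check, can be scripted so they are repeatable across accounts. The following Python is an added example, not Oracle's or AWS's code: it parses a bucket policy and a KMS key policy and reports what is missing, honouring IAM's string-or-list fields and wildcard action names. The two policies are constructed inline in the shape the page shows; the account number, bucket name and prefix are placeholders.

```python
"""Validate the CloudTrail S3 bucket policy and KMS key policy statements.

Added example (not from Oracle or AWS). The policies below are constructed;
ACCOUNT, BUCKET and PREFIX are placeholders.
"""
import fnmatch
import json

ACCOUNT = "111111111111"           # placeholder account number
BUCKET = "example-trail-bucket"    # placeholder bucket name
PREFIX = "LORIC"                   # log file prefix, as in the page's examples

# Constructed bucket policy shaped like the one CloudTrail generates.
GOOD_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
})
# Same policy with the ACL condition weakened; constructed negative case.
BAD_BUCKET_POLICY = GOOD_BUCKET_POLICY.replace("bucket-owner-full-control", "private")

# Constructed KMS key policy holding only the statements the check looks at.
GOOD_KMS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Enable CloudTrail Encrypt Permissions", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                      f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"}}},
    ],
})


def _as_list(value):
    """IAM accepts a bare string wherever a one-element list is meant."""
    return [value] if isinstance(value, str) else list(value or [])


def _allows(stmt, principal_key, principal, action, resource=None):
    """True if an Allow statement grants `action` to `principal` (wildcards honoured)."""
    if stmt.get("Effect") != "Allow":
        return False
    principals = stmt.get("Principal", {})
    if isinstance(principals, str) or principal not in _as_list(principals.get(principal_key)):
        return False
    # IAM action names are case-insensitive and may carry '*' patterns.
    if not any(fnmatch.fnmatch(action.lower(), pat.lower()) for pat in _as_list(stmt.get("Action"))):
        return False
    return resource is None or resource in _as_list(stmt.get("Resource"))


def check_bucket_policy(policy_text, bucket, prefix, account):
    """Return a list of findings; an empty list means the bucket policy passes."""
    stmts = json.loads(policy_text).get("Statement", [])
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    write_arn = f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{account}/*"
    if not any(_allows(s, "Service", "cloudtrail.amazonaws.com", "s3:GetBucketAcl", bucket_arn) for s in stmts):
        findings.append(f"no s3:GetBucketAcl for cloudtrail.amazonaws.com on {bucket_arn}")
    writes = [s for s in stmts if _allows(s, "Service", "cloudtrail.amazonaws.com", "s3:PutObject", write_arn)]
    if not writes:
        findings.append(f"no s3:PutObject for cloudtrail.amazonaws.com on {write_arn}")
    elif not any(s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
                 == "bucket-owner-full-control" for s in writes):
        findings.append("s3:PutObject statement lacks the bucket-owner-full-control condition")
    return findings


def check_kms_key_policy(policy_text, account):
    """Return a list of findings for the CloudTrail-related KMS key policy statements."""
    stmts = json.loads(policy_text).get("Statement", [])
    findings = []
    root = f"arn:aws:iam::{account}:root"
    if not any(_allows(s, "AWS", root, "kms:PutKeyPolicy") for s in stmts):
        findings.append(f"no statement lets {root} administer the key (kms:* for the account root)")
    trail_pattern = f"arn:aws:cloudtrail:*:{account}:trail/*"
    encrypts = [s for s in stmts if _allows(s, "Service", "cloudtrail.amazonaws.com", "kms:GenerateDataKey")]
    if not encrypts:
        findings.append("no kms:GenerateDataKey* grant to cloudtrail.amazonaws.com")
    elif not any(s.get("Condition", {}).get("StringLike", {})
                 .get("kms:EncryptionContext:aws:cloudtrail:arn") == trail_pattern for s in encrypts):
        findings.append(f"CloudTrail encrypt statement is not restricted to {trail_pattern}")
    return findings


if __name__ == "__main__":
    for name, result in (("bucket", check_bucket_policy(GOOD_BUCKET_POLICY, BUCKET, PREFIX, ACCOUNT)),
                         ("bucket (weak ACL)", check_bucket_policy(BAD_BUCKET_POLICY, BUCKET, PREFIX, ACCOUNT)),
                         ("kms", check_kms_key_policy(GOOD_KMS_POLICY, ACCOUNT))):
        print(name, "OK" if not result else result)
```

The checker deliberately reports the account-scoped condition on the CloudTrail KMS statement as a separate finding: a GenerateDataKey grant to the CloudTrail service without the kms:EncryptionContext condition would let trails in any account use the key, which is the sort of over-broad grant that is easy to miss when eyeballing a long policy.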

4. If CloudTrail is already enabled, follow the substeps below.

It is recommended that you enable CloudTrail for all regions.

Ensure that all events are being logged.

a. From the API activity history page, select Trails on the left.

b. On the Trails page, in the Name column, click the name of the CloudTrail.

c. Ensure that Apply trail to all regions is set to Yes.

To change the setting, click the Edit icon to the right of Trail settings.

d. Ensure that Read/Write events is set to All.

To change the setting, click the Edit icon to the right of Management events.

e. Ensure that S3 bucket name is what you want to use.

To create a new bucket to use, click the Edit icon to the right of Storage location.

f. If you want to encrypt CloudTrail, set Encrypt log files to Yes and select Yes to Create a new KMS key or No to use an existing key.

Note:

Your KMS (Key Management Service) key must be in the same AWS region as your S3 bucket (noted in step 4b above) where your encrypted CloudTrail logs are stored.

5. Click Save at the bottom of the page.

What to Do Next

Continue with Using an IAM User: Creating a Dedicated Service User.

Using an IAM User: Creating a Dedicated Service User

Create the IAM user for Oracle CASB Cloud Service to monitor a standalone or target AWS account.

To watch a video that provides an overview of the steps in this task, see Creating a Dedicated Service Account for monitoring AWS (Target).

The IAM user account you create is called a dedicated service account because it should be reserved exclusively for use by Oracle CASB Cloud Service. No human, or other automated process, should ever log into this account.

Prerequisites:


• You have successfully completed the steps in Using an IAM User: Enabling CloudTrail.

• If users log in to AWS through an identity provider, you have already created an identity provider instance in Oracle CASB Cloud Service. See Setting Up an Identity Provider Instance.

Note:

You can register your AWS instance without an IDP configured and add the IDP at a future time. See Updating the IDP Instance for an AWS Instance.

1. Log in to the AWS account that you will be registering in Oracle CASB Cloud Service.

2. In the AWS console, select Services, then under Security Identity and Compliance select IAM.

3. Select Users from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

4. Click the Add user button at the top.

5. On the Add user page, in the User name field, enter a name for the user.

6. Under Access type, select Programmatic access, and then click Next.

7. On the Set permissions… page, click Attach existing policies directly.

8. Select the policy based on how you plan to register this AWS account with Oracle CASB Cloud Service:

• Monitor only (read only) – select the ReadOnlyAccess policy. (Scroll to the bottom of the list.)

• Push controls and monitor (read/write) – select the AdministratorAccess policy.

9. Click Next.

10. On the Review page, verify:

• User name of the IAM user.

• AWS access type is set to Programmatic access – with an access key.

• Under Permissions summary, in the Name column, the correct policy thatyou selected appears – either ReadOnlyAccess or AdministratorAccess.

11. Click Create user.

12. On the Success page, click the Download .csv button.

This is the only time you will be able to do this. Best practice is to rotate thesekeys every 90 days by regenerating them and update the keys in Oracle CASBCloud Service. If you lose these keys, you will have to do that in order to haveOracle CASB Cloud Service continue monitoring this AWS account.

13. After keys are downloaded, click Close.

The user you just created should now appear in the AWS list of users.

What to Do Next


Continue with Using an IAM User: Registering the Dedicated Service User.

Using an IAM User: Registering the Dedicated Service User

Register the AWS account for the dedicated service user that you just created in Oracle CASB Cloud Service.

To watch a video that provides an overview of the steps in this task, see Registering an AWS Account using a Dedicated Service Account (Target).

Prerequisites:

You have successfully completed the steps in Using an IAM User: Creating a Dedicated Service User.

1. Open a new browser tab and log in to your Oracle CASB Cloud Service tenant.

2. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

3. Click Add/Modify App to display the Application Management page.

Note:

If this is the first application that you are registering, the Application Management page is displayed automatically.

4. On the Select an app type page, click Amazon Web Services and then click Next.

5. On the Select an instance page:

a. Enter a name for this AWS instance.

Names of any existing instances are listed below your input.

b. If users log in to AWS through an identity provider, select The users of this app instance log in using single sign-on through an identity provider and select the identity provider instance from the drop-down list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

6. On the Select monitoring type page, select:

• Monitor only (read only) — if you want Oracle CASB Cloud Service to read data from AWS, but not write security control settings back to AWS. For a description of the security control settings that Oracle CASB Cloud Service automatically enforces when you select Monitor only, see Security Control Values for AWS (Monitor Only/Read Only).

• Push controls and monitor (read–write) — if you want Oracle CASB Cloud Service to write security control settings back to AWS, in addition to reading AWS data. When you select Push controls and monitor, you specify the security control settings that you want Oracle CASB Cloud Service to enforce in the next step.

Note:

Do not select Push controls and monitor if you selected only the ReadOnlyAccess policy in Using an IAM User: Enabling CloudTrail.

After you make your selection, click Next.

7. If you selected Monitor only, skip this step — you will go directly to the Enter credentials page.

Make your selections on the Select security controls page:

a. Select Standard, Stringent, or Custom.

Each of these options provides a different set of security settings. For a description of all the options, see Security Control Values for AWS (Push Controls/Read-Write).

b. Examine the settings under Password Policies, Settings, and Access Controls, and make any changes you want to in those settings.

c. Click Next when you are done.

8. On the Enter credentials page, in the Access key and Secret key fields, enter the access key and secret key for the Oracle CASB Cloud Service user in the AWS account being registered.

You can get these keys from the CSV file that you downloaded when you created the IAM user.

9. If you want Oracle CASB Cloud Service to collect logs from an external source, then slide the Collect logs from an external account switch to the right. Then, enter the Name of the Cross-Account role and the Account Number.

10. Click Test Credentials.

If all configurations are correct, you see a “Credentials are Valid” message.

11. Click Submit.

You see a notification that this AWS instance is going through its first data ingestion on your Oracle CASB Cloud Service tenant.

12. Click Done.

13. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

You see the AWS application tile displaying a gear icon. This indicates that the application is going through its first data ingestion.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

You have successfully registered your AWS account with Oracle CASB Cloud Service, using an IAM user to authenticate.

Next Steps


• If you are setting up cross-account logging, you have completed setup of your target account. Continue with Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging.

• If you do not want to set up cross-account logging, you are done.

Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging

For cross-account logging, add more AWS accounts as source accounts and direct their logs to the S3 bucket created for the target account.

Using an IAM User: Setting Up the First Source Dedicated Service User

Create the IAM user for Oracle CASB Cloud Service to monitor source AWS accounts.

The account you create is called a dedicated service account because it should be reserved exclusively for use by Oracle CASB Cloud Service. No human or other automated process should ever log in to this account.

The steps to add the first source account for cross-account logging are unique. You perform these steps only once.

Cross-account logging is a configuration in AWS that allows users to log CloudTrail data from one AWS account to another AWS account’s S3 bucket.

The account that you set up in Using an IAM User: Creating a Dedicated Service User becomes the target account — all logs from the source accounts, the additional AWS accounts you create and register with Oracle CASB Cloud Service, are sent to the S3 bucket of this target account.

Prerequisites:

• Complete all the tasks in Using an IAM User: Creating and Registering a Dedicated Service User.

• Get the Oracle CASB Cloud Service Account ID for the AWS source account for which you want logging to be consolidated into the S3 bucket in the target account through cross-account logging.

Note:

To complete this procedure, you may want to open the AWS console in two different browsers, for example, Chrome and Firefox. You can’t access two different AWS accounts at the same time in the AWS console using the same browser.

Using an IAM User: Setting Up Cross-Account Logging

Set up cross-account logging, often referred to as x-acct logging.

To watch a video that provides an overview of the steps in this task, see DSA: Turn on Cross-Account Logging in AWS.


1. Open a browser window and log in to the target AWS account.

This is the account which has the S3 bucket that all other AWS accounts will use for logging.

We will refer to this browser window as the “target account browser.”

2. Open a window in a different browser and log in to the source AWS account.

This is an AWS account which will use the S3 bucket from the target account for logging.

We will refer to this browser window as the “source account browser.”

Note:

This must be a window in a different browser, not just a separate window in the same browser. For example, if you open the target account in Chrome, you might open the source account in Firefox.

3. Switch to the target account browser.

4. Select Services, and under Storage, select S3.

The policy on the target account's bucket must be modified to allow the source accounts to write to it. If this is not done, the CloudTrail creation process in the source account will fail when it does not recognize the S3 bucket in the target account.

5. Click the bucket name to display four tabs across the top.

6. Click the Permissions tab, and then click the Bucket Policy button.

The Bucket policy editor displays the policy in JSON format that this S3 bucket is using.

7. Make a copy of this policy before you modify it, in case you need to restore it later.

8. Look closely at the Resource statement near the bottom.

This is how that Resource statement looks before any source accounts have been added:

    ...
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::<target_bucket_name>/[<optional_prefix>/]AWSLogs/<target_account_number>/*",
    "Condition": {
    ...

9. In the Resource statement, add a left square bracket ([) after the colon, press Enter, and press Tab several times:

    ...
    "Action": "s3:PutObject",
    "Resource": [
        "arn:aws:s3:::<target_bucket_name>/[<optional_prefix>/]AWSLogs/<target_account_number>/*",
    "Condition": {
    ...


10. Press Enter at the end of the arn statement, then copy the entire arn statement and paste the copy directly below the original:

    ...
    "Action": "s3:PutObject",
    "Resource": [
        "arn:aws:s3:::<target_bucket_name>/[<optional_prefix>/]AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/[<optional_prefix>/]AWSLogs/<target_account_number>/*",
    "Condition": {
    ...

11. At the end of the copied arn statement, delete the comma, press Enter, and then type a right square bracket (]) and a comma:

    ...
    "Action": "s3:PutObject",
    "Resource": [
        "arn:aws:s3:::<target_bucket_name>/[<optional_prefix>/]AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/[<optional_prefix>/]AWSLogs/<target_account_number>/*"
    ],
    "Condition": {
    ...

12. In the copied arn statement, replace the <target_account_number> with the <source_account_number> for the AWS source account:

    ...
    "Action": "s3:PutObject",
    "Resource": [
        "arn:aws:s3:::<target_bucket_name>/[<optional_prefix>/]AWSLogs/<target_account_number>/*",
        "arn:aws:s3:::<target_bucket_name>/[<optional_prefix>/]AWSLogs/<source_account_number>/*"
    ],
    "Condition": {
    ...

13. Click Save.

If there are any syntax errors in your changes, you will see a message saying that the policy contains invalid JSON.

If this happens, try to find and correct the error, or click Cancel, restore the original policy that you saved, and start over with these instructions.

What to Do Next

Continue with Using an IAM User: Creating the First Source Dedicated Service User.


Using an IAM User: Creating the First Source Dedicated Service User

Set up the IAM User dedicated service account for cross-account logging, often referred to as x-acct logging.

To watch a video that provides an overview of the steps in this task, see Registering an AWS Account using a Dedicated Service Account (Source).

1. Select Services, and under Security, Identity & Compliance, select IAM.

You must now have the source account assume the IAM cross-account role that allows it to read the S3 bucket.

2. On the Welcome to Identity and Access Management page, select Roles from the list on the left.

3. Click the Create new role button at the top left.

4. On the Select role type page, drop down the Role for cross-account access list and click the Select button for Provide access between AWS accounts you own.

This option allows IAM users or roles that you own to assume this cross-account role.

5. In the Account ID field, enter the source account number and click Next Step.

6. On the Attach Policy page, select the AmazonS3ReadOnly policy and click Next Step.

7. On the Set role name and review page, in the Role name field, enter a name for the role, an optional Role Description, and then click Create Role.

8. Click the role name to display the Summary page for the role.

9. Click the Trust relationships tab.

This tab displays the information on the relationship you have established between the target account and this source account.

10. Click the Edit trust relationship button.

11. On the Edit trust relationship page, you see the policy document for the trust relationship between the target and source accounts:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<source_account>:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }


12. In the Principal statement, change root to the Amazon resource name (ARN) of the IAM user in the target account that will be used to monitor the source AWS account in Oracle CASB Cloud Service:

    ...
    "Principal": {
      "AWS": "arn:aws:iam::<source_account>:<IAM_role_ARN>"
    },
    "Action": "sts:AssumeRole"
    ...

13. Click Save.

If there are any syntax errors in your changes, you will see a message saying that the policy contains invalid JSON.

If this happens, try to find and correct the error, or click Cancel, restore the original policy that you saved, and start over with these instructions.
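Both policy edits in this section (the target bucket policy in steps 8 to 13 of Setting Up Cross-Account Logging, and the trust relationship in steps 11 to 13 above) are typed by hand into a console editor, so the following added check (not Oracle's or AWS's code) parses both documents the way the console does and confirms that each registered account, and only those, may write its CloudTrail logs, and that the role trusts only the dedicated monitoring user rather than an account root. The account numbers, bucket name and the monitoring user's ARN are constructed placeholders; the user-ARN format stands in for the page's <IAM_role_ARN>.

```python
"""Lint the two policy documents the cross-account logging steps produce."""
import json
import re

TARGET_ACCOUNT = "111111111111"     # constructed placeholder
SOURCE_ACCOUNT = "222222222222"     # constructed placeholder
BUCKET = "example-cloudtrail-logs"  # constructed placeholder
# Hypothetical IAM user ARN standing in for the page's <IAM_role_ARN> placeholder.
MONITOR_USER_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:user/casb-monitor"

# arn:aws:s3:::<bucket>/[<prefix>/]AWSLogs/<12-digit account>/*
LOG_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)/(?:.+/)?AWSLogs/(?P<account>\d{12})/\*$")


def parse_policy(text):
    """Return (policy, error); json.loads rejects the same slips the console does,
    such as the trailing comma that step 11 tells you to delete."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"policy contains invalid JSON: {exc.msg} (line {exc.lineno})"


def as_list(value):
    """IAM allows a string or a list in Action, Resource and Principal fields."""
    return [value] if isinstance(value, str) else list(value or [])


def putobject_accounts(policy, bucket):
    """Account numbers whose AWSLogs/<account>/ prefix may receive s3:PutObject."""
    accounts = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "s3:PutObject" not in as_list(stmt.get("Action")):
            continue
        for arn in as_list(stmt.get("Resource")):
            match = LOG_ARN.match(arn)
            if match and match.group("bucket") == bucket:
                accounts.add(match.group("account"))
    return accounts


def check_bucket_policy(text, bucket, expected_accounts):
    """Every registered account, and only those, may write its CloudTrail logs."""
    policy, error = parse_policy(text)
    if error:
        return [error]
    granted = putobject_accounts(policy, bucket)
    missing = [f"account {a} cannot write CloudTrail logs to {bucket}"
               for a in sorted(expected_accounts - granted)]
    extra = [f"account {a} is not registered but may write to {bucket}"
             for a in sorted(granted - expected_accounts)]
    return missing + extra


def check_trust_policy(text, allowed_principal):
    """Step 12 narrows the trust from an account root to one IAM user; flag anything wider."""
    policy, error = parse_policy(text)
    if error:
        return [error]
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS")
        for who in as_list(aws):
            if who == "*" or who.endswith(":root"):
                findings.append(f"{who} lets any identity in that account assume the role")
            elif who != allowed_principal:
                findings.append(f"unexpected principal {who}")
    return findings


def cloudtrail_bucket_policy(accounts, trailing_comma=False):
    """Bucket policy text as the editor shows it after steps 8-12 (constructed sample)."""
    resources = ",\n".join(f'        "arn:aws:s3:::{BUCKET}/AWSLogs/{a}/*"' for a in accounts)
    if trailing_comma:
        resources += ","  # the slip step 11 warns about
    return f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
      "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
      "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::{BUCKET}"}},
    {{"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
      "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
      "Action": "s3:PutObject",
      "Resource": [
{resources}
      ],
      "Condition": {{"StringEquals": {{"s3:x-amz-acl": "bucket-owner-full-control"}}}}}}
  ]
}}"""


def trust_policy(principal):
    """Trust document from step 11 with the Principal of step 12 substituted (constructed sample)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "", "Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]})


if __name__ == "__main__":
    both = {TARGET_ACCOUNT, SOURCE_ACCOUNT}
    print(check_bucket_policy(cloudtrail_bucket_policy([TARGET_ACCOUNT]), BUCKET, both))
    print(check_bucket_policy(cloudtrail_bucket_policy(sorted(both), trailing_comma=True), BUCKET, both))
    print(check_trust_policy(trust_policy(f"arn:aws:iam::{SOURCE_ACCOUNT}:root"), MONITOR_USER_ARN))
    print(check_trust_policy(trust_policy(MONITOR_USER_ARN), MONITOR_USER_ARN))
```

Paste the real policy text from the console into `check_bucket_policy` or `check_trust_policy` before clicking Save; an empty list means the document is valid JSON and grants exactly the access the procedure intends.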

What to Do Next

Continue with Using an IAM User: Registering an Additional Source Dedicated Service User.

Using an IAM User: Setting Up an Additional Source Dedicated Service User

Set up another source account to be used in cross-account logging.

The account you create is called a dedicated service account because it should be reserved exclusively for use by Oracle CASB Cloud Service. No human or other automated process should ever log in to this account.

To watch a video that provides an overview of the steps in this task, see Registering an AWS Account using a Dedicated Service Account (Source).

Prerequisites: Create and register the first source account by completing the steps in:

1. Using an IAM User: Setting Up the First Source Dedicated Service User

2. Using an IAM User: Registering an Additional Source Dedicated Service User

Set Up an Additional Source Dedicated Service User

1. Log in to your source AWS account.

2. Select Services, and under Security, Identity & Compliance, select IAM.

3. On the Welcome to Identity and Access Management page, select Users on the left side, and then click the Add user button at the top.

4. On the Add user page, enter a User name.

5. Under Access type, select Programmatic access, and click Next.

6. On the Set permissions… page, click Attach existing policies directly.

7. Select the policy based on how you plan to register this AWS account with Oracle CASB Cloud Service:

• Monitor only (read only) — select the ReadOnlyAccess policy. (Scroll to the bottom of the list.)


• Push controls and monitor (read-write) — select the AdministratorAccess policy.

8. Click Next.

9. On the Review page, verify:

• User name of the IAM user.

• AWS access type is set to Programmatic access – with an access key.

• Under Permissions summary, in the Name column, the correct policy that you selected appears – either ReadOnlyAccess or AdministratorAccess.

10. Click Create user.

11. On the Success page, click the Download .csv button.

This is the only time you will be able to download these keys. Best practice is to rotate these keys every 90 days by regenerating them and updating the keys in Oracle CASB Cloud Service. If you lose these keys, you will have to regenerate them in order for Oracle CASB Cloud Service to continue monitoring this AWS account.

12. After the keys are downloaded, click Close.

The user you just created should now appear in the AWS list of users.

13. If you selected the ReadOnlyAccess policy in step 7 above:

a. In the User name column, click the user you just created.

b. On the Summary page, on the Permissions tab, click the Add inline policy link in the lower right corner.

c. On the Set Permissions page, select Custom Policy, and then click Select to the right of Use the policy editor to customize your own set of permissions.

d. On the Review Policy page, enter a Policy Name, and then copy and paste the text below into the Policy Document window:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": "*"
        }
      ]
    }

e. Click the Validate Policy button at the bottom.

f. Click Apply Policy.

The policy now appears on the Summary page, Permissions tab, in the list of policies that are Attached directly.

What to Do Next


Continue with Using an IAM User: Registering an Additional Source Dedicated Service User.

Using an IAM User: Registering an Additional Source Dedicated Service User

Register the source account that you just created for monitoring by Oracle CASB Cloud Service.

To watch a video that provides an overview of the steps in this task, see Registering an AWS Account using a Dedicated Service Account (Source).

Prerequisites: You should have just completed the steps in either Using an IAM User: Setting Up the First Source Dedicated Service User, or Using an IAM User: Setting Up an Additional Source Dedicated Service User.

1. Open a new browser tab and log in to your Oracle CASB Cloud Service tenant.

2. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

3. Click Add/Modify App to display the Application Management page.

Note:

If this is the first application that you are registering, the Application Management page is displayed automatically.

4. On the Select an app type page, click Amazon Web Services and then click Next.

5. On the Select an instance page:

a. Enter a name for this AWS instance.

Names of any existing instances are listed below your input.

b. If users log in to AWS through an identity provider, select The users of this app instance log in using single sign-on through an identity provider and select the identity provider instance from the drop-down list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

6. On the Select monitoring type page, select:

• Monitor only (read only) — if you want Oracle CASB Cloud Service to read data from AWS, but not write security control settings back to AWS. For a description of the security control settings that Oracle CASB Cloud Service automatically enforces when you select Monitor only, see Security Control Values for AWS (Monitor Only/Read Only).

• Push controls and monitor (read–write) — if you want Oracle CASB Cloud Service to write security control settings back to AWS, in addition to reading AWS data. When you select Push controls and monitor, you specify the security control settings that you want Oracle CASB Cloud Service to enforce in the next step.

Note:

Do not select Push controls and monitor if you selected only the ReadOnlyAccess policy in Using an IAM User: Enabling CloudTrail.

After you make your selection, click Next.

7. If you selected Monitor only, skip this step — you will go directly to the Enter credentials page.

Make your selections on the Select security controls page:

a. Select Standard, Stringent, or Custom.

Each of these options provides a different set of security settings. For a description of all the options, see Security Control Values for AWS (Push Controls/Read-Write).

b. Examine the settings under Password Policies, Settings, and Access Controls, and make any changes you want to in those settings.

c. Click Next when you are done.

8. On the Enter credentials page, in the Access key and Secret key fields, enter the access key and secret key for the Oracle CASB Cloud Service user in the AWS account being registered.

You can get these keys from the CSV file that you downloaded when you created the IAM user.

9. Slide the Collect logs from an external account selector to the right.

10. In the Name of Cross-Account role field, enter the name of the cross-account role that you created in the target account.

11. In the Account number field, enter the account number of the target account.

12. Click Test Credentials.

If all configurations are correct, you see a “Credentials are Valid” message.

13. Click Submit.

You see a notification that this AWS instance is going through its first data ingestion on your Oracle CASB Cloud Service tenant.

14. Click Done.

15. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

You see the new AWS application tile displaying a gear icon. This indicates that the application is going through its first data ingestion.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.


You have successfully registered your AWS account with Oracle CASB Cloud Service, using an IAM user to authenticate.

Next Steps

• If you need to set up another AWS source account, continue with Using an IAM User: Setting Up an Additional Source Dedicated Service User.

• If you do not need to set up another AWS source account, you are done.

Security Control Values for AWS (Monitor Only/Read Only)

Review the AWS security controls that Oracle CASB Cloud Service monitors in monitor-only mode, together with the values for their stringent settings.

After registering the AWS instance in monitor-only mode, Oracle CASB Cloud Service displays security control alerts if the security control values in AWS deviate from the Oracle CASB Cloud Service baseline values for these controls.

These settings appear in the following locations in AWS:

• Password policies: The IAM, Account settings section of the AWS administration console.

• SSH and user keys: Oracle CASB Cloud Service checks the age of all user and EC2 SSH keys.

• Multifactor authentication: The IAM, Users section of the AWS administration console.

• Encryption and secure ports: Oracle CASB Cloud Service checks the encryption and port settings in network access control lists (ACLs) for all EC2 instances in an account.

The following describes Oracle CASB Cloud Service's default settings. In general, these settings are more stringent than the default settings within AWS.
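To make the deviation alerting described above concrete, the following added script (not Oracle CASB code) evaluates a snapshot of an AWS account against the password-policy, key-age and root-MFA values that the table in this section gives as the stringent settings, reporting each control whose AWS value is weaker than the baseline. The snapshot is constructed inline so it runs offline; its password-policy and account-summary field names are assumed to follow the boto3 GetAccountPasswordPolicy and GetAccountSummary responses, and the key lists are plain (identifier, creation time) pairs.

```python
"""Evaluate an AWS account snapshot against the stringent monitor-only baseline."""
from datetime import datetime, timedelta, timezone

# (control name from the table, snapshot field, stringent value, comparison)
# "min": actual must be >= value; "max": actual must be <= value; "on": must be true.
# Field names follow the boto3 GetAccountPasswordPolicy response (an assumption).
PASSWORD_BASELINE = [
    ("Minimum password length", "MinimumPasswordLength", 10, "min"),
    ("Require at least one uppercase letter", "RequireUppercaseCharacters", True, "on"),
    ("Require at least one lowercase letter", "RequireLowercaseCharacters", True, "on"),
    ("Require at least one number", "RequireNumbers", True, "on"),
    ("Require at least one non-alphanumeric character", "RequireSymbols", True, "on"),
    ("Allow users to change their own password", "AllowUsersToChangePassword", True, "on"),
    ("Password expiration period (in days)", "MaxPasswordAge", 30, "max"),
    ("Number of passwords to remember", "PasswordReusePrevention", 10, "min"),
    ("Password expiration requires administrator reset", "HardExpiry", True, "on"),
]
SSH_KEY_MAX_AGE_DAYS = 30  # Number of days for an SSH key to be considered old
IAM_KEY_MAX_AGE_DAYS = 90  # Number of days for an IAM key to be considered old


def deviates(actual, expected, mode):
    """True when the AWS value is weaker than the baseline. A missing field counts:
    AWS omits MaxPasswordAge and PasswordReusePrevention when the feature is off."""
    if actual is None:
        return True
    if mode == "on":
        return actual is not True
    if mode == "min":
        return actual < expected
    return actual > expected  # mode == "max"


def check_password_policy(policy):
    """(control, actual, baseline) for every password control that deviates."""
    return [(name, policy.get(field), expected)
            for name, field, expected, mode in PASSWORD_BASELINE
            if deviates(policy.get(field), expected, mode)]


def check_root_mfa(account_summary):
    """GetAccountSummary reports root MFA as AccountMFAEnabled == 1 (assumed field)."""
    if account_summary.get("AccountMFAEnabled", 0) == 1:
        return []
    return [("Require the root user to use multi-factor authentication", "Off", "On")]


def check_key_ages(keys, now, max_age_days, control):
    """keys: (identifier, creation time) pairs; flag those older than the baseline."""
    return [(control, f"{ident} is {(now - created).days} days old", max_age_days)
            for ident, created in keys if now - created > timedelta(days=max_age_days)]


def evaluate(snapshot, now):
    """Run every check the baseline above covers and return the list of alerts."""
    findings = check_password_policy(snapshot["password_policy"])
    findings += check_root_mfa(snapshot["account_summary"])
    findings += check_key_ages(snapshot["iam_access_keys"], now, IAM_KEY_MAX_AGE_DAYS,
                               "Number of days for an IAM key to be considered old")
    findings += check_key_ages(snapshot["ec2_key_pairs"], now, SSH_KEY_MAX_AGE_DAYS,
                               "Number of days for an SSH key to be considered old")
    return findings


# Constructed snapshot: a loosely configured account with no root MFA and one stale key of each kind.
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
SAMPLE_SNAPSHOT = {
    "password_policy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": False,  # so MaxPasswordAge and PasswordReusePrevention are absent
        "HardExpiry": False,
    },
    "account_summary": {"AccountMFAEnabled": 0},
    "iam_access_keys": [
        ("casb-monitor key", NOW - timedelta(days=120)),
        ("deploy-bot key", NOW - timedelta(days=12)),
    ],
    "ec2_key_pairs": [("web-tier key pair", NOW - timedelta(days=45))],
}

if __name__ == "__main__":
    for control, actual, baseline in evaluate(SAMPLE_SNAPSHOT, NOW):
        print(f"ALERT {control}: found {actual!r}, baseline {baseline!r}")
```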

SecurityControl Type

SecurityControl Name

StringentSettings:Alert WhenThis Value IsChanged

Description

Passwordpolicy

Minimumpasswordlength

10 characters The longer a password is, the harder it is tocrack.

Passwordpolicy

Require atleast oneuppercaseletter

On The more complex a password is, the harder itis to crack.

Passwordpolicy

Require atleast onelowercase letter

On The more complex a password is, the harder itis to crack.

Passwordpolicy

Require atleast onenumber

On The more complex a password is, the harder itis to crack.

Chapter 7Preparing and Registering AWS

7-46

Page 141: Using Oracle CASB Cloud Service · When CASB Cloud Service Is Integrated with Oracle Identity Cloud Service1-6. Migrating from Non-Metered to Metered Tenant1-8. About Cloud Security

SecurityControl Type

SecurityControl Name

StringentSettings:Alert WhenThis Value IsChanged

Description

Passwordpolicy

Require atleast one non-alphanumericcharacter

On The more complex a password is, the harder itis to crack.

Passwordpolicy

Allow users tochange theirown password

On Users are more likely to update passwordswhen this activity is under their control.

Passwordpolicy

Passwordexpirationperiod (in days)

30 The more frequently a password is updated,the harder it is to crack.

Passwordpolicy

Number ofpasswords toremember

10 Reused passwords open a window for anattacker to make use of an old password.

Passwordpolicy

Passwordexpirationrequiresadministratorreset

On When passwords expire, this indicates anunused account. It’s a best practice to not letaccounts sit idle.

Setting Number ofdays for anSSH key to beconsidered old

30 SSH keys authenticate AWS EC2 instances.The more frequently these keys are updated,the harder they are to crack.

Setting Number ofdays for an IAMkey to beconsidered old

90 IAM keys authenticate AWS administrativeusers. The more frequently these keys areupdated, the harder they are to crack.

Accesscontrols

Require theroot user to usemulti-factorauthentication

On Multifactor authentication requires a user toenter more than one credential when loggingin (for example, a password and a one-timecode).

This setting and the other access controls onthis page aren’t available as a security settingin the AWS administration console. However,when enabled, Oracle CASB Cloud Servicemonitors this resource and generates an alertwhen the feature isn’t enabled.

Accesscontrols

Require theadmin users touse multi-factorauthentication

Off The setting above applies only to the rootuser. This setting applies to all other adminusers.

Accesscontrols

Make sure thatall S3 serverbuckets areencrypted

On It’s a best practice to keep data at rest inencrypted form.

This setting and the other access controls onthis page aren’t available as a security settingin the AWS administration console. However,when enabled, Oracle CASB Cloud Servicemonitors this resource and generates an alertwhen the feature isn’t enabled.

Chapter 7Preparing and Registering AWS

7-47

Page 142: Using Oracle CASB Cloud Service · When CASB Cloud Service Is Integrated with Oracle Identity Cloud Service1-6. Migrating from Non-Metered to Metered Tenant1-8. About Cloud Security

SecurityControl Type

SecurityControl Name

StringentSettings:Alert WhenThis Value IsChanged

Description

Accesscontrols

Check publicaccess aclenabled s3buckets

On This setting enables monitoring of S3 bucketswith public access enabled through an ACL.

Accesscontrols

Check cloudtrails thosestores logs lessthan two weeks

On This setting requires at least two weeksof data to be retained in CloudTrail logs.There are two ways to retain data: throughCloudTrail's configured S3 bucket, andthrough CloudTrail's configured CloudWatchlogs.

Accesscontrols

Require multi-factorauthenticationwhen deletingan S3 bucket

On Deleting an S3 bucket means removing a datastore. This is a sensitive operation and shouldrequire the extra security that multifactorauthentication provides.

This setting and the other access controls onthis page aren’t available as a security settingin the AWS administration console. However,when enabled, Oracle CASB Cloud Servicemonitors this resource and generates an alertwhen the feature isn’t enabled.

Accesscontrols

VPCs whoseflow logs arenot stored asper standard

On This setting causes Oracle CASB CloudService to flag VPCs whose flow logs are notstored according to standard guidelines.

Accesscontrols

Check ec2instancesterminationprotection

On This setting enables monitoring of terminationprotection for EC2 instances.

Accesscontrols

Requiresecurity groupchecking forunsecuredports

Off AWS manages critical organizationalinfrastructure. Security group checkingprovides an additional layer of security in theevent that a port was left open to the internet.

This setting and the other access controls onthis page aren’t available as a security settingin the AWS administration console. However,when enabled, Oracle CASB Cloud Servicemonitors this resource and generates an alertwhen the feature isn’t enabled.

Chapter 7Preparing and Registering AWS

7-48

Page 143: Using Oracle CASB Cloud Service · When CASB Cloud Service Is Integrated with Oracle Identity Cloud Service1-6. Migrating from Non-Metered to Metered Tenant1-8. About Cloud Security

SecurityControl Type

Control type: Access controls
Control name: Require network ACLs to use secure open ports
Stringent setting (alert when this value is changed): Off
Description: AWS services listen for traffic on ports. These ports should require secure (encrypted) communication so that sensitive information isn’t transmitted in the clear.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

This setting can only be enabled when the security control baseline for the application instance is set to Custom.

Control type: Access controls
Control name: Do not let network ACLs have Allow All set as the default
Stringent setting (alert when this value is changed): On
Description: Allow All means that the access control list (ACL) provides access to anyone on the internet.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Control type: Access controls
Control name: Check use of Route 53 hosted zones
Stringent setting (alert when this value is changed): On
Description: Amazon's Route 53 service maps domain name system (DNS) queries to numeric IP addresses. It routes end users to Internet applications by translating domain names (for example, www.example.com) into numeric IP addresses (for example, 192.0.2.1) that computers use to connect to each other. Route 53 works with external domain names. It also works with Amazon Virtual Private Clouds (VPCs), which allows custom domain names for your internal AWS resources without exposing them to the public internet. Consider using Route 53 service as a cost-effective solution for DNS routing that also can be extended to your VPCs.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Chapter 7 Preparing and Registering AWS

7-49


Control type: Access controls
Control name: Check use of Route 53 health checks
Stringent setting (alert when this value is changed): On
Description: Amazon Route 53 maps domain name system (DNS) queries to numeric IP addresses. Route 53 health checks ensure that your web resources that reside at these IP addresses are functional before directing traffic to them.

Oracle CASB Cloud Service doesn’t monitor for Route 53 health checks in private hosted zones.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Control type: Access controls
Control name: Check EBS volume encryption status
Stringent setting (alert when this value is changed): On
Description: Amazon Elastic Block Store (EBS) volumes provide incremental backup for Amazon Elastic Compute Cloud (EC2) instances. Encryption of these volumes prevents unauthorized access to the data on them.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Control type: Access controls
Control name: Check RDS encryption status
Stringent setting (alert when this value is changed): On
Description: Amazon Relational Database Service (RDS) is a relational database in the cloud. Ensure that RDS encryption is enabled to prevent unauthorized access to the information stored in the database. Amazon RDS handles authentication, access, and decryption of data transparently with minimal impact on performance. Amazon RDS encryption also helps to fulfill compliance requirements for data-at-rest encryption.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Security Control Values for AWS (Push Controls/Read-Write)

Review the AWS security controls that Oracle CASB Cloud Service monitors for push-controls mode, together with the values for their stringent settings.

After you register the AWS instance in push controls mode, Oracle CASB Cloud Service pushes your selected security control values to the related AWS account. Later, it displays security control alerts if anyone changes these values.


These settings appear in the following locations in AWS:

• Password policies: The IAM, Account settings section of the AWS administration console.

• SSH and user keys: Oracle CASB Cloud Service checks the age of all user and EC2 SSH keys.

• Multifactor authentication: The IAM, Users section of the AWS administration console.

• Encryption and secure ports: Oracle CASB Cloud Service checks the encryption and port settings in network access control lists (ACLs) for all EC2 instances in an account.

After registration, if anyone lowers these values in the application, Oracle CASB Cloud Service generates a risk event in Risk Events and a ticket in the Incidents section of the console.

The following describes Oracle CASB Cloud Service's default settings. In general these are more stringent than the default settings within AWS. You also can define custom settings for these controls.

Control type: Password policy
Control name: Minimum password length
Stringent setting (alert when this value is changed): 10 characters
Description: The longer a password is, the harder it is to crack.

Control type: Password policy
Control name: Require at least one uppercase letter
Stringent setting (alert when this value is changed): On
Description: The more complex a password is, the harder it is to crack.

Control type: Password policy
Control name: Require at least one lowercase letter
Stringent setting (alert when this value is changed): On
Description: The more complex a password is, the harder it is to crack.

Control type: Password policy
Control name: Require at least one number
Stringent setting (alert when this value is changed): On
Description: The more complex a password is, the harder it is to crack.

Control type: Password policy
Control name: Require at least one non-alphanumeric character
Stringent setting (alert when this value is changed): On
Description: The more complex a password is, the harder it is to crack.

Control type: Password policy
Control name: Allow users to change their own password
Stringent setting (alert when this value is changed): On
Description: Users are more likely to update passwords when this activity is under their control.

Control type: Password policy
Control name: Password expiration period (in days)
Stringent setting (alert when this value is changed): 30
Description: The more frequently a password is updated, the harder it is to crack.

Control type: Password policy
Control name: Number of passwords to remember
Stringent setting (alert when this value is changed): 10
Description: Reused passwords open a window for an attacker to make use of an old password.

Control type: Password policy
Control name: Password expiration requires administrator reset
Stringent setting (alert when this value is changed): On
Description: When passwords expire, this indicates an unused account. It’s a best practice to not let accounts sit idle.


Control type: Setting
Control name: Number of days for an SSH key to be considered old
Stringent setting (alert when this value is changed): 30
Description: SSH keys authenticate AWS EC2 instances. The more frequently these keys are updated, the harder they are to crack.

Control type: Setting
Control name: Number of days for an IAM key to be considered old
Stringent setting (alert when this value is changed): 90
Description: IAM keys authenticate AWS administrative users. The more frequently these keys are updated, the harder they are to crack.

Control type: Access controls
Control name: Require the root user to use multi-factor authentication
Stringent setting (alert when this value is changed): On
Description: Multifactor authentication requires a user to provide more than one credential when logging in (for example, a password and a one-time code).

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Control type: Access controls
Control name: Require the admin users to use multi-factor authentication
Stringent setting (alert when this value is changed): Off
Description: The setting above applies only to the root user. This setting applies to all other admin users.

When the security control baseline for the application instance is set to Custom, you can specify IAM groups to which this setting applies. Expand IAM group name(s) allowed and enter one or more admin group names in the IAM admin groups which need to be considered field.

Control type: Access controls
Control name: Make sure all S3 server buckets are encrypted
Stringent setting (alert when this value is changed): On
Description: It’s a best practice to keep data at rest in encrypted form.

Control type: Access controls
Control name: Check public access acl enabled s3 buckets
Stringent setting (alert when this value is changed): On
Description: This setting enables monitoring of S3 buckets with public access enabled through an ACL.

Control type: Access controls
Control name: Check cloud trails those stores logs less than two weeks
Stringent setting (alert when this value is changed): On
Description: This setting requires at least two weeks of data to be retained in CloudTrail logs. There are two ways to retain data: through CloudTrail's configured S3 bucket, and through CloudTrail's configured CloudWatch logs.


Control type: Access controls
Control name: Require multi-factor authentication when deleting an S3 bucket
Stringent setting (alert when this value is changed): On
Description: Deleting an S3 bucket means removing a data store. This is a sensitive operation and should require the extra security that multifactor authentication provides.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Control type: Access controls
Control name: VPCs whose flow logs are not stored as per standard
Stringent setting (alert when this value is changed): On
Description: This setting causes Oracle CASB Cloud Service to flag VPCs whose flow logs are not stored according to standard guidelines.

Control type: Access controls
Control name: Check EC2 instance termination protection
Stringent setting (alert when this value is changed): On
Description: This setting enables monitoring of termination protection for EC2 instances.

Control type: Access controls
Control name: Require security group checking for unsecured ports
Stringent setting (alert when this value is changed): On
Description: AWS manages critical organizational infrastructure. Security group checking provides an additional layer of security in the event that a port was left open to the internet.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Control type: Access controls
Control name: Require network ACLs to use secure open ports
Stringent setting (alert when this value is changed): On
Description: AWS services listen for traffic on ports. These ports should require secure (encrypted) communication so that sensitive information is not transmitted in the clear.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

This setting can only be enabled when the security control baseline for the application instance is set to Custom.


Control type: Access controls
Control name: Do not let network ACLs have Allow All set as the default
Stringent setting (alert when this value is changed): On
Description: Allow All means that the access control list (ACL) provides access to anyone on the internet.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Control type: Access controls
Control name: Check use of Route 53 hosted zones
Stringent setting (alert when this value is changed): On
Description: Amazon's Route 53 service maps domain name system (DNS) queries to numeric IP addresses. It routes end users to internet applications by translating domain names (for example, www.example.com) into numeric IP addresses (for example, 192.0.2.1) that computers use to connect to each other. Route 53 works with external domain names. It also works with Amazon Virtual Private Clouds (VPCs), which allows custom domain names for your internal AWS resources without exposing them to the public internet. Consider using Route 53 service as a cost-effective solution for DNS routing that also can be extended to your VPCs.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.

Control type: Access controls
Control name: Check use of Route 53 health checks
Stringent setting (alert when this value is changed): On
Description: Amazon Route 53 maps domain name system (DNS) queries to numeric IP addresses. Route 53 health checks ensure that your web resources that reside at these IP addresses are functional before directing traffic to them.

Oracle CASB Cloud Service doesn’t monitor for Route 53 health checks in private hosted zones.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.


Control type: Access controls
Control name: Check EBS volume encryption status
Stringent setting (alert when this value is changed): On
Description: Alert if Elastic Block Store (EBS) is not encrypted.

Exceptions for Instances: Enter the volume ID of the AWS instance. Separate multiple volume IDs with commas.

Exceptions for Tags: Enter <tag-key-name>:[<value>]. Separate multiple values with commas. Separate multiple tag key names and value lists with commas: <tag-key-name1>:[<key1-value1>,<key1-value2>, ...], <tag-key-name2>:[<key2-value1>,<key2-value2>, ...]

Background Information: Amazon Elastic Block Store (EBS) volumes provide incremental backup for Amazon Elastic Compute Cloud (EC2) instances. Encryption of these volumes prevents unauthorized access to the data on them.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.


Control type: Access controls
Control name: Check RDS encryption status
Stringent setting (alert when this value is changed): On
Description: Alert if Relational Database Service (RDS) is not encrypted.

Exceptions for Instances: Enter the volume ID of the AWS instance. Separate multiple volume IDs with commas.

Exceptions for Tags: Enter <tag-key-name>:[<value>]. Separate multiple values with commas. Separate multiple tag key names and value lists with commas: <tag-key-name1>:[<key1-value1>,<key1-value2>, ...], <tag-key-name2>:[<key2-value1>,<key2-value2>, ...]

Background Information: Amazon Relational Database Service (RDS) is a relational database in the cloud. Ensure that RDS encryption is enabled to prevent unauthorized access to the information stored in the database. Amazon RDS handles authentication, access, and decryption of data transparently with minimal impact on performance. Amazon RDS encryption also helps to fulfill compliance requirements for data-at-rest encryption.

This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled.
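As an added example that is not part of Oracle CASB Cloud Service, the following Python parses the Exceptions for Instances and Exceptions for Tags syntax given in the EBS and RDS rows above and applies it to a constructed set of volumes, reporting the unencrypted ones that are not exempted. The resource record shape, the sample data, and the treatment of an empty value list as matching any value are this example's assumptions.

```python
"""Apply the 'Exceptions for Instances' and 'Exceptions for Tags' lists from the
EBS and RDS encryption controls to a set of resources and report the rest."""
import re
from typing import Any, Dict, List

# One "<tag-key-name>:[v1,v2,...]" entry; the bracketed value list may be empty.
_ENTRY = re.compile(r"\s*([^:,\[\]]+?)\s*:\s*\[([^\]]*)\]\s*(?:,|$)")


def parse_id_exceptions(spec: str) -> List[str]:
    """'Separate multiple volume IDs with commas.'"""
    return [part.strip() for part in spec.split(",") if part.strip()]


def parse_tag_exceptions(spec: str) -> Dict[str, List[str]]:
    """Parse <tag-key-name1>:[<key1-value1>,<key1-value2>, ...], <tag-key-name2>:[...]
    into {tag_key: [values]}. Values are comma-separated inside the brackets, so
    the text cannot simply be split on commas; entries are consumed left to
    right, and leftover text is an error rather than being silently ignored."""
    exceptions: Dict[str, List[str]] = {}
    spec = spec.strip()
    pos = 0
    while pos < len(spec):
        match = _ENTRY.match(spec, pos)
        if match is None:
            raise ValueError(f"unparseable tag exception at offset {pos}: {spec[pos:]!r}")
        key = match.group(1).strip()
        values = [v.strip() for v in match.group(2).split(",") if v.strip()]
        exceptions.setdefault(key, []).extend(values)
        pos = match.end()
    return exceptions


def is_exempt(resource_id: str, tags: Dict[str, str], id_exceptions: List[str],
              tag_exceptions: Dict[str, List[str]]) -> bool:
    """A resource is exempt if its ID is listed, or if it carries an excepted tag
    key with one of the listed values. Treating an empty value list as 'any
    value' is this example's assumption, not documented product behaviour."""
    if resource_id in id_exceptions:
        return True
    for key, values in tag_exceptions.items():
        if key in tags and (not values or tags[key] in values):
            return True
    return False


def unencrypted_findings(resources: List[Dict[str, Any]], id_exceptions: List[str],
                         tag_exceptions: Dict[str, List[str]], kind: str) -> List[str]:
    """Return a finding for every unencrypted, non-exempt resource.
    Each resource is {'id': str, 'encrypted': bool, 'tags': {key: value}}."""
    return [f"{kind} {r['id']} is not encrypted" for r in resources
            if not r["encrypted"]
            and not is_exempt(r["id"], r["tags"], id_exceptions, tag_exceptions)]


# Constructed sample data; the IDs and tags are not from a real account.
SAMPLE_VOLUMES: List[Dict[str, Any]] = [
    {"id": "vol-0000000000000001", "encrypted": True, "tags": {"env": "prod"}},
    {"id": "vol-0000000000000002", "encrypted": False, "tags": {"env": "dev"}},
    {"id": "vol-0000000000000003", "encrypted": False, "tags": {"env": "prod"}},
    {"id": "vol-0000000000000004", "encrypted": False, "tags": {}},
]
SAMPLE_ID_EXCEPTIONS = "vol-0000000000000004"
SAMPLE_TAG_EXCEPTIONS = "env:[dev,test], scratch:[]"


def demo() -> List[str]:
    """Evaluate the sample volumes with the sample exception lists."""
    return unencrypted_findings(SAMPLE_VOLUMES,
                                parse_id_exceptions(SAMPLE_ID_EXCEPTIONS),
                                parse_tag_exceptions(SAMPLE_TAG_EXCEPTIONS),
                                "EBS volume")


if __name__ == "__main__":
    for finding in demo():
        print("ALERT:", finding)
```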

AWS Registration Errors

Learn how to troubleshoot the errors you may receive when you add or register an AWS instance.

Validation Failed: Credentials or Permissions Issues

Troubleshoot errors about invalid keys, inadequate permissions, or a cross-account logging problem.

Message text: Validation failed for one of these reasons:

• Invalid access key or secret key.

• This user needs additional permissions to access the AWS logs.

• If you set up cross-account logging, ensure that this user has a cross-account role in the target account.


Description: To successfully register this application instance, ensure that all of the following are done:

• In each AWS account that you want Oracle CASB Cloud Service to monitor, you need to create a dedicated identity and access management (IAM) user. You supply this user's access key and secret key when you register the account with Oracle CASB Cloud Service. If you received this message, this user's keys may have expired, or you may have supplied incorrect keys for this user.

For more information about creating the Oracle CASB Cloud Service user and the user's access keys, see Using an IAM User: Creating a Dedicated Service User if you are using IAM users to monitor your AWS instances, or Using an IAM Role: Creating and Registering a Dedicated Service Role if you are using IAM roles to monitor your AWS instances.

• User must have permissions to access the logs from a single account. Ensure that this user has the correct privileges for accessing logs in this single AWS account. See Using an IAM User: Creating a Dedicated Service User if you are using IAM users to monitor your AWS instances, or Using an IAM Role: Creating and Registering a Dedicated Service Role if you are using IAM roles to monitor your AWS instances.

• User must have permissions to access cross-account logs. Make sure that this user has the correct privileges for cross-account logging. See Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging if you are using IAM users to monitor your AWS instances, or Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging if you are using IAM roles to monitor your AWS instances.

Validation Failed: Permissions Issues

Troubleshoot errors about a user needing additional AWS permissions.

Message text: This user needs additional permissions to access the AWS logs.

Description: Ensure that this user has the correct privileges according to the user’s role. See the topic referenced below for the way Oracle CASB Cloud Service is monitoring your AWS instances, and the context for the account you are trying to register (standalone or first cross-account instance vs. additional cross-account instances).

AWS monitored by a User:

• Standalone AWS instance or first instance in cross-account logging: Using an IAM User: Creating a Dedicated Service User

• Additional AWS instances in cross-account logging: Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging

AWS monitored by a Role:

• Standalone AWS instance or first instance in cross-account logging: Using an IAM Role: Creating and Registering a Dedicated Service Role

• Additional AWS instances in cross-account logging: Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging

Validation Failed: Logging Configuration Issues

Troubleshoot errors about CloudTrail or the S3 bucket.

Message text: Validation failed for one of these reasons:


• CloudTrail is off.

• You set up cross-account logging but not every region is sending its logs to the same target S3 bucket.

Description: Ensure that CloudTrail is turned on. See Using an IAM User: Enabling CloudTrail if you are using IAM users to monitor your AWS instances, or Using an IAM Role: Enabling CloudTrail if you are using IAM roles. If you are doing cross-account logging, ensure that every region's logs are going to the same bucket.

Validation Failed: Other Issues

Troubleshoot errors that refer you to the AWS documentation.

This is an error that appears when a more precise diagnosis isn’t possible. You will probably need help to troubleshoot the problem.

Message text: AWS error {0}. Refer to the AWS documentation for more information or contact Oracle CASB Cloud Service support for help.

Description: Some registration errors are generated directly from AWS. In this case, you can either consult the AWS documentation to diagnose the error, or contact Oracle CASB Cloud Service support to have a support representative help investigate the issue.

Warning: Enable CloudTrail

Your registration completed successfully, but CloudTrail is not enabled for all S3 buckets.

Message text: Warning: Credentials are valid for this user and you can complete app registration. However, you need to enable CloudTrail for one or more S3 buckets in this account.

Description: Oracle CASB Cloud Service ingests AWS CloudTrail log data and uses the information in the logs to analyze different types of risk. To provide Oracle CASB Cloud Service with this data, you must ensure that CloudTrail is enabled for each S3 bucket in the monitored AWS account.

See Using an IAM User: Enabling CloudTrail if Oracle CASB Cloud Service is using IAM users to monitor your AWS instances, or Using an IAM Role: Enabling CloudTrail if IAM roles are used.

Updating an AWS Instance

Modify settings for an existing AWS instance.

Updating the Credentials for an AWS Instance

Change the credentials for an AWS instance.

If you need to change the credentials for an AWS instance, then you must change them in both AWS and in Oracle CASB Cloud Service.

When the authentication information that you used to register an AWS instance changes, you must also update it in the Oracle CASB Cloud Service console.


1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update Credentials page, select the authentication type:

• If your AWS instance uses an IAM user to authenticate, drop down the Authentication type list, select Access key and secret key, and then enter the Access Key and Secret Key.

• If your AWS instance uses an IAM role to authenticate, drop down the Authentication type list, select IAM user role, and then enter the User role ARN, External ID, and Account ID.

3. If you want Oracle CASB Cloud Service to collect logs from an external account, slide the Collect logs from an external account switch to the right. Then, enter the Name of Cross-Account role and Account Number.

4. Click Test Credentials.

5. If the test is successful, click Next to view the confirmation page.

Updating the Security Control Baseline for an AWS Instance

Change security control baseline settings for an AWS instance that was added in either monitor-only mode or push controls mode.

When you register an AWS account in push controls mode, Oracle CASB Cloud Service sets the specified values in your account. You can change these values later if you need to.

When you register an AWS account in default, monitor-only mode, Oracle CASB Cloud Service automatically monitors for security-related configurations and generates an alert when a security control value doesn’t match the Oracle CASB Cloud Service stringent setting. For example, if an AWS administrator permits users to have 5-character passwords, then Oracle CASB Cloud Service generates an alert. For more information, see Security Control Values for AWS (Monitor Only/Read Only).

You also can register an AWS account in push controls mode, in which case Oracle CASB Cloud Service sets the desired values in your account and then generates alerts when these values are changed. For more information, see Security Control Values for AWS (Push Controls/Read-Write).


After you register your application, you can modify the alerting baseline that Oracle CASB Cloud Service uses. For example, you can change the baseline for minimum password length from 10 to 12 characters.

Note:

You can enforce the configuration of AWS IAM role definitions using a policy. See Creating Alerts for Setting AWS Roles.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Click the baseline type that you want: Standard, Stringent, or Custom.

• Standard: Oracle CASB Cloud Service uses the AWS defaults.

• Stringent: Oracle CASB Cloud Service uses its own stringent values, which are more stringent than the AWS defaults.

• Custom: You set the exact values that you want Oracle CASB Cloud Service to enforce, and you can specify additional options that are not available under Standard or Stringent settings.

Note:

Only the Custom baseline option’s Access Controls section allows you to specify exceptions, and the following settings can only be specified if you select the Custom baseline type:

• Require security group checking for unsecured ports.

• Require network ACLs to use secure open ports.

• Specify IAM admin groups to which the setting applies, when you enable Require the admin users to use multi-factor authentication.

You must select the Custom baseline type if you want these features.

For descriptions of the AWS security controls that you can configure, see Security Control Values for AWS (Push Controls/Read-Write).


Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch of any kind between the selections that you make on this page and the actual settings in the AWS instance.
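As an added example, not code from Oracle CASB Cloud Service, the following Python performs that mismatch check for the password-policy and key-age controls: it compares an account policy shaped like the IAM GetAccountPasswordPolicy response, plus a list of credential ages, against the stringent values from the push-controls table, and shows a Custom baseline that raises the minimum length from 10 to 12 as described above. The pairing of IAM field names with the control names, the key record shape, and the sample data are assumptions.

```python
"""Compare an AWS account's IAM password policy and credential ages with the
push-controls baseline and report each mismatch as a security-control finding."""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Stringent values from the push-controls table. The keys are the field names
# IAM's GetAccountPasswordPolicy returns; pairing them with the control names
# is this example's assumption, not something the page states.
STRINGENT_BASELINE: Dict[str, Any] = {
    "MinimumPasswordLength": 10,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,             # at least one non-alphanumeric character
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 30,               # password expiration period, in days
    "PasswordReusePrevention": 10,      # number of passwords to remember
    "HardExpiry": True,                 # expiration requires administrator reset
    "IamKeyMaxAgeDays": 90,
    "SshKeyMaxAgeDays": 30,
}

# Boolean controls and the names the table gives them.
_BOOL_CONTROLS = [
    ("RequireUppercaseCharacters", "Require at least one uppercase letter"),
    ("RequireLowercaseCharacters", "Require at least one lowercase letter"),
    ("RequireNumbers", "Require at least one number"),
    ("RequireSymbols", "Require at least one non-alphanumeric character"),
    ("AllowUsersToChangePassword", "Allow users to change their own password"),
    ("HardExpiry", "Password expiration requires administrator reset"),
]


def password_policy_findings(policy: Dict[str, Any],
                             baseline: Dict[str, Any] = STRINGENT_BASELINE) -> List[str]:
    """Return one finding per control whose account value is weaker than the
    baseline. A field missing from the policy counts as the IAM default (off or
    zero), which is also what an account with no password policy amounts to."""
    findings: List[str] = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < baseline["MinimumPasswordLength"]:
        findings.append(f"Minimum password length is {length}; "
                        f"baseline requires {baseline['MinimumPasswordLength']}")
    for field, name in _BOOL_CONTROLS:
        if baseline.get(field) and not policy.get(field, False):
            findings.append(f"{name} is off; baseline requires it on")
    max_age = baseline["MaxPasswordAge"]
    if not policy.get("ExpirePasswords", False):
        findings.append(f"Passwords never expire; baseline requires expiration "
                        f"within {max_age} days")
    elif policy.get("MaxPasswordAge", 0) > max_age:
        findings.append(f"Password expiration period is {policy['MaxPasswordAge']} "
                        f"days; baseline allows at most {max_age}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < baseline["PasswordReusePrevention"]:
        findings.append(f"Number of passwords to remember is {reuse}; "
                        f"baseline requires {baseline['PasswordReusePrevention']}")
    return findings


def key_age_findings(keys: List[Dict[str, Any]], now: datetime,
                     baseline: Dict[str, Any] = STRINGENT_BASELINE) -> List[str]:
    """Flag IAM access keys older than the IAM limit and EC2 SSH keys older than
    the SSH limit. Each key is {'kind': 'iam' or 'ssh', 'id', 'owner', 'created'}."""
    findings: List[str] = []
    for key in keys:
        limit = baseline["IamKeyMaxAgeDays" if key["kind"] == "iam" else "SshKeyMaxAgeDays"]
        age = (now - key["created"]).days
        if age > limit:
            findings.append(f"{key['kind'].upper()} key {key['id']} ({key['owner']}) "
                            f"is {age} days old; baseline limit is {limit}")
    return findings


# Constructed sample input: a weakened account policy and three credentials.
# None of this comes from a real account.
SAMPLE_POLICY: Dict[str, Any] = {
    "MinimumPasswordLength": 5, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True,
    "RequireSymbols": False, "AllowUsersToChangePassword": True,
    "ExpirePasswords": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5, "HardExpiry": False,
}
SAMPLE_NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
SAMPLE_KEYS: List[Dict[str, Any]] = [
    {"kind": "iam", "id": "AKIA-EXAMPLE-1", "owner": "casb-service-user",
     "created": SAMPLE_NOW - timedelta(days=120)},
    {"kind": "iam", "id": "AKIA-EXAMPLE-2", "owner": "deploy",
     "created": SAMPLE_NOW - timedelta(days=10)},
    {"kind": "ssh", "id": "web-keypair", "owner": "ec2",
     "created": SAMPLE_NOW - timedelta(days=45)},
]

if __name__ == "__main__":
    # Custom baseline that raises the minimum length from 10 to 12, as in the text.
    custom = dict(STRINGENT_BASELINE, MinimumPasswordLength=12)
    for line in (password_policy_findings(SAMPLE_POLICY, custom)
                 + key_age_findings(SAMPLE_KEYS, SAMPLE_NOW, custom)):
        print("ALERT:", line)
```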

Updating the IDP Instance for an AWS Instance

Change the way an AWS instance communicates with an identity provider (IDP).

You can update the way that an AWS instance communicates with an identity provider (IDP) in several ways:

• You can change an existing AWS instance that is authenticating to an IDP instance, so that it authenticates to a different IDP instance.

• You can switch an AWS instance from authenticating directly with the IDP to authenticating with the IDP through an IDP instance.

• You can’t switch an AWS instance that is authenticating with the IDP through an IDP instance to directly authenticating to the IDP.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update IDP Instance.

• In grid view, drop down the Action list for the instance you want to modify and select Update IDP Instance.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update IDP Instance, and then select the application instance you want to modify and click Next.

2. In the Update IDP instance page, select a different IDP instance, a different active application defined in the identity provider, or both, and then click Next.

3. In the Success page, click Done.

Next Steps for AWS

Now that you have finished setting up your AWS instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new AWS instance:

• Creating Policy Alerts for AWS — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for AWS — to view predefined reports for AWS.


See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


8 Setting Up Azure

Prepare Azure and register your application instance with Oracle CASB Cloud Service for security monitoring.

Topics:

• Typical Workflow for Azure Monitoring

• Preparing Azure

• Adding an Azure Instance

• Updating the Credentials for an Azure Instance

Typical Workflow for Azure Monitoring

With Oracle CASB Cloud Service, you can monitor Azure to detect potential risks.

Task: Prepare an Azure account.
Description: You can ensure that your Azure account is ready to monitor in Oracle CASB Cloud.
Additional information: Preparing Azure

Task: Add an Azure instance.
Description: You can register an Azure application instance in monitoring-only mode.
Additional information: Adding an Azure Instance

Task: Update credentials for an Azure instance.
Description: You can update the credentials for an Azure instance.
Additional information: Updating the Credentials for an Azure Instance

Preparing Azure

Before registering your Azure application instance with Oracle CASB Cloud Service, ensure that you have an Azure account that is properly configured.

Prerequisite: In order to be monitored by Oracle CASB Cloud Service, your Azure instance must be running under an E5 license if you want to monitor Azure AD events. If you are not monitoring Azure AD events, your Azure instance only needs to have an S3 license.

1. Log in to the Azure portal with Global Administrative privileges.

2. Enter app in the search box and select App registration from the search results.

3. On the App registrations page, after Still want to use App registration (Legacy)?, click the Go back and tell us why link.

4. (Optional) Enter a reason in the Could you let us know why… box. You couldenter something like, “Following 3rd party instructions that tell me to use thelegacy steps.”


5. Click Continue.

6. In the App registrations (Legacy) panel, click New application registration at the top.

7. In the Create panel on the right:

a. In the Name box, enter the name for your application.

b. Leave Application type as Web app / API.

c. For Sign-on URL, enter the URL where the user signs on.

This is the base URL of the Oracle CASB Cloud Service where you plan to register the application: https://loric.palerra.net, https://loric-eu.palerra.net, https://loric-ca.palerra.net, or https://trial.palerra.net.

d. Click Create at the bottom.

Your application is created and an information panel for it replaces the Create panel.

e. In the information panel for your application, copy the Application ID value (to the right of Display Name) and save it somewhere safe, where you can easily retrieve it later when you register your Azure instance in Oracle CASB Cloud Service.

8. Click Settings at the top of the information panel.

9. In the Settings panel that opens, under API ACCESS, click Keys.

10. In the Keys panel that opens:

a. Click under Description and enter a description for this key.

b. Under EXPIRES, select Never expires.

The VALUE field remains empty until you click Save.

c. Click Save.

d. Copy the VALUE generated for the key and save it somewhere safe, where you can easily retrieve it later when you register your Azure instance in Oracle CASB Cloud Service.

Caution:

Verify that the value that you paste matches exactly what is in the VALUE field.

Once you close this panel, you will not be able to retrieve this value later from the Azure portal. If you can’t match this value later, you will have to create a new key and rotate keys to replace the old one.

11. In the Settings panel, click Required permissions.

12. In the Required permissions panel that opens, click Add at the top.

13. In the Add API access panel that opens, click Select an API.


14. In the Select an API panel that opens:

a. Scroll down.

b. Select Microsoft Graph.

c. Click Select at the bottom.

15. In the Add API access panel, click Select permissions.

16. In the Enable Access panel that opens:

a. Scroll down.

b. Select Read all audit log data.

c. Click Select at the bottom.

The Required permissions panel now lists Microsoft Graph, in addition to Windows Azure Active Directory, which is always there by default.

17. In the Add API access panel, click Done at the bottom.

18. In the Required permissions panel, click on Windows Azure Active Directory.

19. Under Application Permission, select Read directory data, then click Save.

20. In the Required permissions panel:

a. Click Grant permissions at the top.

b. Click Yes when prompted to grant permissions.

21. In the left navigation panel, select All services, then:

a. Enter subs in the search box.

b. Select Subscriptions from the list.

22. In the Subscriptions panel, select the subscription to use with Oracle CASB Cloud Service.

a. Copy the Subscription ID value for the selected subscription and save it somewhere safe, where you can easily retrieve it later when you register your Azure instance in Oracle CASB Cloud Service.

b. Select the domain name after “default directory” under the Directory heading.

c. Hover over the user name at the top right.

The last line of text displayed contains the domain name.

d. Verify that the domain name after “default directory” under the Directory heading matches the domain name displayed when you hover over the user name at the top right.

e. If the domain names match, copy the domain name after “default directory” under the Directory heading and save it somewhere safe, where you can easily retrieve it later when you register your Azure instance in Oracle CASB Cloud Service.

23. In the information panel that opens for the subscription, select Access control (IAM) on the left.

24. Click +Add.

25. In the Add permissions panel that opens:

a. In the Role box, enter read.


b. Select Reader from the list.

c. In the Select box, start typing the name of the application you created above.

d. When your application appears below, select it.

e. Click Save at the bottom.

Your application now appears in the READER section.

You are ready to register your Azure instance with Oracle CASB Cloud Service.

Adding an Azure Instance

After completing the necessary configurations in Azure, add or register the Azure instance in Oracle CASB Cloud Service.

Prerequisites: Complete the steps in Preparing Azure.

Note:

You can only register Azure in monitor-only mode.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Azure icon, and then click Next.

4. In the Select an instance page, enter a unique name for your application instance.

Any existing names appear below the name field.

5. Click Next.

6. On the Enter credentials page:

a. For Client ID, copy into this box the Application ID that you saved somewhere safe when you prepared this Azure instance.

b. For Client Secret, copy into this box the key value that you saved somewhere safe when you prepared this Azure instance.

c. For Client Domain, copy into this box the domain name that you saved somewhere safe when you prepared this Azure instance.

d. For Subscription ID, copy into this box the Subscription ID value that you saved somewhere safe when you prepared this Azure instance.

e. Leave Azure Environment set to Azure.

f. Set the Monitor Azure AD option:

• Leave this option selected to enable monitoring of Azure AD events.


Note:

Monitoring Azure AD events requires an Azure E5 license.

• Deselect this option to skip monitoring of Azure AD events.

This requires only an E3 license for Azure.

g. Click Test Credentials.

h. When you see the “Credentials are valid” message, click Submit.

7. On the Success page, click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Updating the Credentials for an Azure Instance

Change the login credentials for an Azure instance.

When the login credentials that you used to register an Azure instance expire or are updated, you must update these credentials both in Azure and in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update Credentials page, enter the current values for all the fields:

• Client ID

• Client Secret

• Client Domain

• Subscription ID

For information on where to get current values for these credentials, see Adding an Azure Instance.

3. Click Test Credentials.

4. After the credentials are verified, click Submit to view a verification page.


Next Steps for Azure

Now that you have finished setting up your Azure instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Azure instance:

• Creating Policy Alerts for Azure — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Azure — to view predefined reports for Azure.

See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


9 Setting Up Box

Prepare Box and register your application instance with Oracle CASB Cloud Service for security monitoring.

Oracle CASB Cloud Service detects potential risks in the Box cloud service, including noncompliant security control values within the Box administration console, activity within Box that violates your policies (for example, sharing sensitive files), and user behavior patterns that appear to be suspicious.

Note:

Box defines managed users, who are registered within the Box application, and external users, who are not registered. Oracle CASB Cloud Service does not monitor the external users. Although external users can be target users for shared files and folders, they do not initiate actions and so are not monitored directly. External users do show up when they are recorded in the actions of managed users, but it is the managed users who are being monitored.

Topics:

• Typical Workflow for Box Security Monitoring

• Preparing Box

• Adding a Box Instance

• Updating a Box Instance

Typical Workflow for Box Security Monitoring

With Oracle CASB Cloud Service, you can monitor the Box cloud service to detect potential risks.

Task: Prepare the Box cloud service.
Description: You can set up an Oracle CASB Cloud Service account in your Box application instance.
Additional Information: Preparing Box

Task: Add a Box instance.
Description: You can register a Box application instance in monitoring-only mode, or push security controls to Box during registration.
Additional Information: Adding a Box Instance

Task: Update a Box instance.
Description: You can update the credentials and IDP instance for a Box instance.
Additional Information: Updating a Box Instance


Preparing Box

Create a dedicated Box user account, and configure Okta or Ping single sign-on if users log in to Box through either of those services.

Prerequisite: In order to be monitored by Oracle CASB Cloud Service, your Box instance must be running under:

• An Enterprise license, or

• A developer account on developer.box.com that has at least one application with Enterprise Management enabled, in addition to a non-Enterprise box.com account.

Ensure that you have the correct account type and prepare a dedicated Oracle CASB Cloud Service user in your Box account.

If your Box users log in through a single sign-on (SSO) service, you must also set up SSO for the Oracle CASB Cloud Service user.

Verify the Oracle CASB Cloud Service User's Login Method

Determine whether users log in to Box directly, or through Okta or Ping.

Users can log in to most cloud applications several ways. You must register an application instance with Oracle CASB Cloud Service to use the same login method that its users actually use.

These are the three ways to register a Box account with Oracle CASB Cloud Service:

• Direct login to Box.

• If you use Okta, then see Using Okta Single Sign-On with Box to set up Oracle CASB Cloud Service's method for logging in to Box. Note that you must also create an Oracle CASB Cloud Service user in your Box account.

• If you use Ping, then see Using Ping Single Sign-On with Box to set up Oracle CASB Cloud Service's method for logging in to Box. Note that you must also create an Oracle CASB Cloud Service user in your Box account.

Note:

It can be helpful to create an email alias for the Oracle CASB Cloud Service user and forward email from this alias to your own email so that you can receive notifications that are sent to Oracle CASB Cloud Service.

Configuring the Box Account for Monitoring

Ensure that you have a Box account type that will work with Oracle CASB Cloud Service, and then configure that account for monitoring.

Your Box application instance must be either:

• An enterprise account on box.com.


• A developer account on developer.box.com that has at least one application with enterprise management enabled, in addition to a non-enterprise box.com account.

1. Log in to developer.box.com.

2. View your applications.

If you don’t have an application yet, create one.

3. Select Edit Application for one of your applications, and in the settings page, OAuth2 Parameters section, select Manage an enterprise.

4. Save your changes.

An Admin Console tab is now added to your main Box.com account.

Requirements for the Oracle CASB Cloud Service User in the Account

Understand the requirements for the dedicated user in the Box account.

Your Box.com account must have a new user that represents the Oracle CASB Cloud Service monitoring service. Here are the requirements for this new user:

• To ensure that auditing is unambiguous, don’t share the Oracle CASB Cloud Service user's credentials.

• The Oracle CASB Cloud Service user must be an administrator with read or read/write privileges. Read-only access allows Oracle CASB Cloud Service to monitor user activity. Read/write access allows Oracle CASB Cloud Service to also push security settings to the application.

• Create the Oracle CASB Cloud Service user directly in Box.

• The Oracle CASB Cloud Service user can authenticate using single sign-on or federated authentication through Okta or Ping. See Using Okta Single Sign-On with Box or Using Ping Single Sign-On with Box.

• Don’t configure two-step authentication in Box for the Oracle CASB Cloud Service user. If you use the following instructions for creating the Oracle CASB Cloud Service user, two-step authentication will not be enabled.

Creating the Dedicated Oracle CASB Cloud Service User

Create a dedicated user for Oracle CASB Cloud Service in the Box account that you want to monitor.

This user is dedicated for use by Oracle CASB Cloud Service and shouldn’t be used for any other purpose.

Important: Don’t share this user's credentials.

1. Log in to the Box enterprise or developer account.

2. Select the Admin Console tab.

3. Click the Users icon.

4. Click the + Users button.

5. In the Name field, give the service account an identifier (example: occs.trialservice).


6. If you are going to be the tenant master administrator for Oracle CASB Cloud Service, then provide your email address in the Email field.

7. Click Add user.

8. In the users list, select the Oracle CASB Cloud Service user that you just created.

9. In the edit user page, grant this user the Co-Admin role.

This account must have either the Admin or Co-Admin role.

10. Assign additional privileges to this user.

At a minimum, the user should be able to run new reports and access existing reports. If you want to be able to push security controls from Oracle CASB Cloud Service to this Box instance, then this user must also have these privileges:

• Users and Groups, Manage users

• Users and Groups, Manage groups

• Reports and Settings, View settings for your company

• Reports and Settings, Edit settings for your company

• Reports and Settings, Run new reports and access existing reports

If your organization requires two-step verification for unrecognized logins, then the user permissions will have one additional option: Login verification: Exempt this user from 2-step verification. Ensure that this option is selected.

For details about setting administrator privileges in Box, see the online help in Box.

11. Check the email account that you provided in Step 6.

You should have a message from Box telling you to set a password for this user.

12. Create a complex password for this account.

For example, at least 12 characters in length, with a combination of uppercase and lowercase letters, numbers, and special characters.

You will use this user name and password to register your Box instance in Oracle CASB Cloud Service. Have a recovery procedure in case there are issues with the account.

What To Do Next

What you do next depends on how users log in to Box.

• If users log in through Okta, then see Using Okta Single Sign-On to set up Oracle CASB Cloud Service’s method for logging in to Box.

• If users log in through Ping, then see Using Ping Single Sign-On to set up Oracle CASB Cloud Service’s method for logging in to Box.

• If users log in directly to Box, go to Adding a Box Instance.

Using Okta Single Sign-On with Box

If users log in to Box through Okta single sign-on, then add the Oracle CASB Cloud Service user to Okta.

Prerequisite: Complete the steps in Preparing Box.


When you register the Box instance with Oracle CASB Cloud Service, you provide the single sign-on credentials from Okta to permit Oracle CASB Cloud Service to monitor the Box account.

Okta provides documentation about single sign-on. Here are the general steps to create the Oracle CASB Cloud Service user in Okta. See the Okta documentation for details.

Configuring an Oracle CASB Cloud Service User in Okta

Create a dedicated user in Okta for communication with Oracle CASB Cloud Service.

1. Log in to the Okta administration console.

2. Select Directory, People, and add a user with the username and password of the Oracle CASB Cloud Service user.

3. Select Applications, Applications, Box.com, General, and under the App Embed Link field, copy the Box application ID portion of the link.

For example, in the link https://dev-2222222.okta.com/home/salesforce/0oa4a1a2a3a4a5a6a7/24, the number 0oa4a1a2a3a4a5a6a7 is the application ID.

4. Also copy the identity URL under Admin, Applications, Applications, Box.com, Sign On, settings link, Identity Provider Login URL.

In this example: https://dev-2222222.okta.com/app/salesforce/ex12ex34ex56ex7/sso/saml

Configuring an Okta Identity Provider Instance in Oracle CASB Cloud Service

Create an Okta identity provider (IDP) instance for your cloud application.

1. Select Configuration, Identity Provider Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add IDP.

3. In the Add an IDP instance dialog box:

• Set Provider to Okta.

• Enter an Instance Name and Description.

Important: The instance name should clearly identify the IDP and the application type, so that these are obvious later, when you’re connecting an application instance to the IDP instance.

• For API Key, enter the token name for the token you created for the Oracle CASB Cloud Service user in Okta.

• For URL to the provider, enter the URL that you accessed to create the Oracle CASB Cloud Service user in Okta.

• Click Save.


What to Do Next

With Okta configured, you’re ready to add a Box instance.

Go to Adding a Box Instance.

Using Ping Single Sign-On with Box

If users log in to Box through Ping, then add the Oracle CASB Cloud Service user to Ping's form-based authentication.

Prerequisite: Complete the steps in Preparing Box.

Using this authentication scheme, when the Oracle CASB Cloud Service user tries to access the Box service, the Oracle CASB Cloud Service user's credentials are passed to Ping, which verifies them.

After the verification is complete, the Oracle CASB Cloud Service user can monitor the Box account.

1. Copy the form-based authentication parameters in Ping.

a. Log in to PingFederate.

b. In the Manage IdP Adapter Instances section, Login Template field, identify the login template file.

The default file name is html.form.login.template.html. It’s located in the Ping Federate home/server/default/conf/template directory. Often, organizations use a custom login template file. Ping provides information about configuring this file here:

• https://documentation.pingidentity.com/pingfederate/pf80/index.shtml#adminGuide/concept/htmlFormAdapterConfiguration.html

• https://documentation.pingidentity.com/pingfederate/pf80/index.shtml#adminGuide/concept/customizingUserFacingScreens.html

c. Locate and open the login template file, and copy the parameter names for the user name and password fields.

2. Get the application ID and identity provider URLs for PingOne.

a. Log in to PingOne.

b. In the PingOne Dashboard, ensure that you have SAML authentication enabled and that it’s active between PingOne and Box.

Note:

The Security Assertion Markup Language (SAML) is the basis for federated authentication between Ping and Box.

c. In the details for the Box SAML entry, copy the values for these items:

• saasID

• Initiate Single Sign-On (SSO) URL


d. In the details for the Box SAML entry, under “You may need to configure these parameters as well,” copy the values for:

• saasID

• Initiate Single Sign-On (SSO) URL

Important: When you register your Box account in Oracle CASB Cloud Service, you will need the values of the saasID field (in Oracle CASB Cloud Service, this field name is Application ID) and the Initiate Single Sign-On (SSO) URL field (in Oracle CASB Cloud Service, this will be the Identity Provider URL field).

Adding a Box Instance

After completing the necessary configurations in Box, add or register the Box instance in Oracle CASB Cloud Service.

You can register a Box account in Oracle CASB Cloud Service in one of two ways:

• In monitor-only mode, Oracle CASB Cloud Service notifies you when various security configuration settings in Box deviate from Oracle CASB Cloud Service's stringent values.

• In push security controls mode, Oracle CASB Cloud Service sets security control values (for example, values for password complexity, password history, user sessions, and multi-factor authentication) at registration time, and then later provides alerts when these settings deviate from your preferred values.

Adding a Box Instance (Monitor Only/Read Only)

Add or register your Box instance to Oracle CASB Cloud Service to be monitored, without the capability to push security configuration settings.

To register a Box instance with Oracle CASB Cloud Service, you need the user ID and password that belongs to a Box administrator with the appropriate privileges in the account that you want to monitor. This user must be dedicated to Oracle CASB Cloud Service.

Note:

This user must not be set up in Box to use multifactor authentication (MFA).

In monitor-only mode, Oracle CASB Cloud Service notifies you when various security configuration settings in Box fall below Oracle CASB Cloud Service's preferred defaults. Oracle CASB Cloud Service monitors these settings in Box:

• Password policies, authentication policies, and session settings: These are in the Box business settings page, Security tab.

• Settings: These additional security settings are in the Box business settings page, Content & Sharing tab.

For more information, see Security Control Values for Box (Monitor Only/Read Only).


Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Box icon, and then click Next.

4. On the Select an instance page:

a. Enter a name for the instance in the Type a unique name... box.

Any existing names appear below the name field.

b. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

5. In the Select monitoring type page, select Monitor only to have Oracle CASB Cloud Service monitor this application using its stringent settings.

For more information, see Security Control Values for Box (Monitor Only/Read Only). Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch of any kind between its stringent settings and the actual settings in the Box instance.

6. Click Next.

7. In the Enter credentials page, your selections depend on how users log in to Box.

How the Oracle CASB Cloud Service user signs in to Box: Directly sign in to Box
What you enter in the Credentials page:

a. Click the Sign in with Box username and password option.

b. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.

• User name. The username of the Oracle CASB Cloud Service user.

• Password. The password of the Oracle CASB Cloud Service user.

How the Oracle CASB Cloud Service user signs in to Box: Single sign-on through Okta
What you enter in the Credentials page:

a. Click the Single sign-on option button.

b. Click the Single Sign-on provider drop-down list, and then select Okta.

c. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.

• Username. The username of the Oracle CASB Cloud Service user.

• Password. The password of the Oracle CASB Cloud Service user.

d. Enter the Application ID. You can find this in the Okta console as follows: Go to Applications, Applications, Box.com, General, and under the App Embed Link field, copy the Box application ID portion of the link (for example, in the link https://dev-2222222.okta.com/home/salesforce/0oa4a1a2a3a4a5a6a7/24, the number 0oa4a1a2a3a4a5a6a7 is the application ID).

e. In the API key field, paste the API key that you created in Security, API.

f. In the Identity provider URL field, paste the identity URL from Okta under Admin, Applications, Applications, Box.com, Sign On, settings link, Identity Provider Login URL (example: https://2222222.okta.com/app/salesforce/ex12ex34ex56ex7/sso/saml).

How the Oracle CASB Cloud Service user signs in to Box: Single sign-on through Ping Identity
What you enter in the Credentials page:

a. Click the Single sign-on option.

b. Click the Single Sign-on provider drop-down list, and then select Ping.

c. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.

• Username. The username of the Oracle CASB Cloud Service user.

• Password. The password of the Oracle CASB Cloud Service user.

d. In the Username form field text box, enter the username form field parameter that’s used in your Ping Federate login template.

e. In the Password form field text box, enter the password form field parameter that’s used in your Ping Federate login template.

f. In the Application ID field, enter the SAML ID for your Box account in PingOne. You can find this in the saasID field in PingOne, under connection parameters.

g. In the Identity provider URL field, paste the value of the Initiate Single Sign-On (SSO) URL field of the connection parameters in PingOne.


8. If you want to enable this Box instance to bypass restrictions against third-party applications that exfiltrate data (transmit data back out of your firewall), copy the API key value to a temporary location where it will be available in a few steps.

9. When you are done entering your credentials, click Test Credentials. It can take a minute or two for the application to receive and accept your credentials.

10. When testing is done, you see a success message. Click Next.

11. Click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

12. If you copied the API key value so that you can enable the Box instance you just created to bypass restrictions against third-party applications that exfiltrate data:

a. Copy the API key value from the temporary location.

b. Log in to your Box account and go to the administrative console.

c. Click the gear icon in the upper right corner to open the Settings menu, and then select Business Settings.

d. Click Apps in the row of options below the Box header.

e. In the Application Settings section, next to Unpublished Applications, select Disable apps by default.

f. Paste the API key value into the Except for box and click Save.

Security Control Values for Box (Monitor Only/Read Only)

Review the Box security controls that Oracle CASB Cloud Service monitors in monitor-only mode, together with the values for their stringent settings.

After registering the Box instance in monitor-only mode, Oracle CASB Cloud Service scans the following security control values in Box and displays security control alerts if your values are different from Oracle CASB Cloud Service's preferred values. These values correspond to the Stringent setting when you register this application instance in push control values mode.

Note:

A few of the security controls that Oracle CASB Cloud Service monitors for might not be available in your account, depending on whether this is a developer account or an enterprise account, and whether the account has the Box Governance Package.
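The monitor-only scan described above, as an added example (not Oracle's or Box's own code): it compares a constructed set of Box security settings with the stringent baseline values listed in the table that follows, treating a setting as compliant when it is at least as strict as the baseline (longer minimum length, shorter reset period, deeper reuse history), and reporting controls the account lacks separately instead of raising a mismatch alert for them. The setting key names and the sample settings are assumed for illustration.

```python
"""Check Box security control values against the stringent baseline.

Added example, not Oracle or Box code. The setting keys (e.g. "min_password_length")
and the sample settings below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


# Comparison rules: which direction counts as "at least as strict" differs per control.
def at_least(actual: Any, baseline: Any) -> bool:
    """Larger is stricter (minimum length, required characters, reuse history)."""
    return actual >= baseline


def at_most(actual: Any, baseline: Any) -> bool:
    """Smaller is stricter (days between forced password resets)."""
    return actual <= baseline


def enabled(actual: Any, baseline: Any) -> bool:
    """Boolean controls: the baseline value is On (True)."""
    return bool(actual) == baseline


@dataclass(frozen=True)
class Control:
    control_type: str
    name: str
    baseline: Any
    compliant: Callable[[Any, Any], bool]


# Baseline (Stringent) values from this chapter's table; key names are constructed.
BASELINE: Dict[str, Control] = {
    "min_password_length": Control("Password policy", "Minimum required characters", 10, at_least),
    "required_numbers": Control("Password policy", "Require number(s)", 2, at_least),
    "required_special_chars": Control("Password policy", "Require special character(s)", 1, at_least),
    "require_uppercase": Control("Password policy", "Require at least one uppercase letter", True, enabled),
    "prevent_common_words": Control("Password policy", "Prevent common words / email address as a password", True, enabled),
    "password_reset_days": Control("Password policy", "Require users to reset passwords every (days)", 30, at_most),
    "password_history": Control("Password policy", "Prevent reusing passwords from last N", 10, at_least),
    "notify_on_forgot_password": Control("Password policy", "Notify admins when users request a forgot password email", True, enabled),
    "notify_on_password_change": Control("Password policy", "Notify admins when users change passwords in Settings", True, enabled),
    "strong_passwords_external": Control("Password policy", "Require strong passwords for external collaborators", True, enabled),
}


@dataclass(frozen=True)
class Alert:
    key: str
    name: str
    actual: Any
    baseline: Any


def check_settings(actual: Dict[str, Any]) -> Dict[str, List]:
    """Compare actual Box settings with the baseline.

    Returns "alerts" for controls weaker than the baseline and "unavailable" for
    controls absent from the account (the chapter notes that some controls are not
    offered on developer accounts or without the Box Governance Package). Absence is
    reported separately so it is not mistaken for a misconfiguration.
    """
    alerts: List[Alert] = []
    unavailable: List[str] = []
    for key, ctl in BASELINE.items():
        if actual.get(key) is None:
            unavailable.append(key)
            continue
        if not ctl.compliant(actual[key], ctl.baseline):
            alerts.append(Alert(key, ctl.name, actual[key], ctl.baseline))
    return {"alerts": alerts, "unavailable": unavailable}


def format_report(result: Dict[str, List]) -> str:
    """Render the check result as plain text, one line per finding."""
    lines = [f"ALERT {a.name}: actual={a.actual!r} baseline={a.baseline!r}" for a in result["alerts"]]
    lines += [f"N/A   {BASELINE[k].name}: not available in this account" for k in result["unavailable"]]
    return "\n".join(lines) if lines else "All monitored controls meet the stringent baseline."


# Constructed sample: a tenant with a weak length, long reset period, short history,
# one notification off, and the external-collaborator control not present.
SAMPLE_SETTINGS: Dict[str, Any] = {
    "min_password_length": 8,
    "required_numbers": 2,
    "required_special_chars": 1,
    "require_uppercase": True,
    "prevent_common_words": True,
    "password_reset_days": 90,
    "password_history": 5,
    "notify_on_forgot_password": True,
    "notify_on_password_change": False,
}

if __name__ == "__main__":
    print(format_report(check_settings(SAMPLE_SETTINGS)))
```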


| Security Control Type | Security Control Name | Oracle CASB Cloud Service Baseline (Stringent) Value | Description |
|---|---|---|---|
| Password policy | Minimum required characters | 10 | The larger the value for minimum password length, the harder the password is to crack, particularly if you also require special characters, numbers, and other recommended best practices. |
| Password policy | Require number(s) | 2 | Requiring numbers in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one number in user passwords or passphrases. This is a best practice. |
| Password policy | Require special character(s) | 1 | Requiring symbols (special characters) in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one special character in user passwords or passphrases. This is a best practice. |
| Password policy | Require at least one uppercase letter | On | Requiring uppercase letters in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one uppercase letter in users' passwords or passphrases. This is a best practice. |
| Password policy | Prevent common words / email address as a password | On | Limiting the use of common words and email addresses in passwords makes them harder to crack. This is a best practice. |
| Password policy | Password resets: Require users to reset passwords every | 30 days | Password expiration limits your exposure to credential compromise by limiting the time available to a hacker to break hashed or encrypted credentials. Password expiration dates limit the time that a malicious actor can keep a foothold in your systems and networks. |
| Password policy | Prevent reusing passwords from | Last 10 times | Limiting users' ability to reuse previous passwords and passphrases helps increase their variation and uniqueness over time, and makes it harder for a malicious actor to use password dumps found online and in rainbow tables (a table often used to crack encrypted passwords). |
| Password policy | Notify admins when users request a forget password email | On | You can configure Box to notify administrators whenever users initiate a password reset flow. |
| Password policy | Notify admins when users change passwords in Settings | On | You can configure Box to notify admins when users change their passwords. |
| Password policy | Require strong passwords for external collaborators | On | You can configure Box to require external collaborators to use strong (complex) passwords. Complexity in passwords or passphrases makes them harder to crack. |
| Authentication policies | The number of failed login attempts before admin is notified | 3 | You can configure Box to notify administrators after any Box user has had a particular number of failed logins. Multiple and frequent failed logins can indicate a brute-force attack (an attempt to gain control of a password by guessing it). |
| Authentication policies | Prevent users from using the "Keep me signed in" feature | On | Limiting the duration of user sessions also limits the amount of time a hacker has to hijack the session. |
| Session policies | Duration a user can remain logged in without activity before being logged out | 30 minutes | You can set limits on the amount of time a session can be idle before locking out the user. This limits the amount of time a hacker has to hijack the session. |
| Settings | Allow users to sign up on their own | Off | You can configure Box to allow users to sign up instead of requiring them to ask an administrator to sign them up. |
| Settings | When new users are added, email admins | Immediately | You can configure Box to notify administrators whenever someone adds a new user to your Box account. The notification can be immediate or after a delay. |
| Settings | Prevent users from changing their primary email address | On | You can prevent users from changing their primary email address. |
| Settings | Enable external links to | Nothing, restrict sharing | You can prevent users from sharing links with people who are external to this Box account. |
| Settings | Enable external links with these access options | People in the folder only | Box lets you disable the ability of users to share link URLs with anyone the users choose. |
| Settings | Default new links to | People in this folder | Box allows you to give access to new links to people who already have access to the parent folder or to anyone who is given a link to the folder. |
| Settings | Let link viewers | Preview the shared items only | You can allow people who have links to items in Box to either preview the items only, or both preview and download the shared item. |
| Settings | Allow custom shared link URLs for links with open access | Off | You can allow people who have links to items in Box to either preview the items only, or both preview and download the shared item. |
| Settings | Show your custom domain in shared link URLs | Off | You can prevent users from displaying custom domain URLs when they share links to Box resources. |
| Settings | Restrict tag creation | admins and co-admins only | You can control the tags in use in your organization by restricting tag creation to administrators. |
| Settings | Enable tag filtering | On | Box gives users the ability to filter files and folders by tag and by name. |
| Settings | Number of days after which shared links are automatically disabled | 30 days | Box lets you set an expiration period for shared links. |
| Settings | Number of days before you notify users of link expiration | 7 days | Box lets you specify how soon users are notified after a link expires. |
| Settings | Enable Trash | On | Box lets you give users the ability to delete files through the Trash function. |
| Settings | People who can permanently delete content in Trash | Admin only | Box lets you control which users are allowed to permanently empty the Trash folder. |
| Settings | Trash is automatically deleted after | 90 days | Box lets you set a time interval for automatically emptying the Trash folder. |
| Settings | Allow users to see all managed users | Off | Box lets you restrict the ability of users to view other Box users. |
| Settings | Device limits - exempt users from Max # of device logins | 1 | Box lets you override device pinning, which means limiting the number of devices that users can log in from. |
| Settings | Restrict external collaboration | On | Box lets you restrict collaboration (sharing files and folders) with users outside of your Box account. |
| Settings | Require Apps to use SSL | On | Box lets you require SSL to encrypt communications between Box and integrated web applications. |
| Settings | Save files on device | Restrict | Box lets you prevent users from downloading files for offline use. |
| Settings | Require apps password lock | After 1 minute of inactivity | Box lets you force users to re-authenticate frequently on mobile devices to prevent data breaches if the device is lost or stolen. |
| Settings | Allow external users to collaborate on folders/files | Off | Box lets you restrict sharing files and folders with users outside of this Box account. |
| Settings | Restrict Invites | On | Box allows you to restrict this permission to only owners and co-owners of a folder. |
| Settings | Enable Invite links (Allow users to invite collaborators using links) | Off | Box allows you to control whether users can invite collaborators using links to Box resources. |

Adding a Box Instance (Push Controls/Read-Write)

Add or register your Box instance to Oracle CASB Cloud Service to be monitored, and with the capability to push security configuration settings.

To register a Box instance with the Oracle CASB Cloud Service, you need the user ID and password that belongs to a Box administrator with the appropriate privileges in the account that you want to monitor. This user must be dedicated to the Oracle CASB Cloud Service.

Note:

This user must not be set up in Box to use multifactor authentication (MFA).

In push security controls mode, Oracle CASB Cloud Service checks various security control values in the Box instance, and sets them to the values that you set at registration time. Later, you receive notifications when these security configuration settings change.

Oracle CASB Cloud Service monitors these settings in Box:

• Password policies, authentication policies, and session settings: These are in the Box business settings page, Security tab.

• Settings: These additional security settings are in the Box business settings page, Content & Sharing tab.

For more information about the security controls that can be pushed to Box, see Security Control Values for Box (Push Controls/Read-Write).


Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the icon for the type of application you want to register and click Next.

4. On the Select an instance page:

a. Enter a name for the instance in the Type a unique name... box.

Any existing names appear below the name field.

b. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

5. In the Select monitoring type page, select Push controls and monitor to have Oracle CASB Cloud Service set your preferred values in the application and subsequently monitor for deviations from these values.

Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch between the selections that you make on this page and the settings in the Box instance.

6. Click Next.

7. In the Select security controls page, select the type of security controls you want Oracle CASB Cloud Service to push:

• Standard. Ensure that these values are set to the application's own defaults.

• Stringent. Ensure that these values are set to stronger-than-default values.

• Custom. Lets you set the values.

8. Click Next.

9. In the Enter credentials page, your selections depend on how users log in to Box.


How Users Sign In to Box: Directly Sign In to Box

What You Enter in the Oracle CASB Cloud Service Registration Page:

a. Select Sign in with Box username and password.

b. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.

• User name. The username of the Oracle CASB Cloud Service user.

• Password. The password of the Oracle CASB Cloud Service user.

How Users Sign In to Box: Single sign-on through Okta

What You Enter in the Oracle CASB Cloud Service Registration Page:

a. Select Single sign-on.

b. Set Single Sign-on provider to Okta.

c. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.

• User name. The username of the Oracle CASB Cloud Service user.

• Password. The password of the Oracle CASB Cloud Service user.

d. Enter the Application ID. You can find this in the Okta console as follows: Go to Applications, Applications, Box.com, General, and under the App Embed Link field, copy the Box application ID portion of the link (for example, in the link https://dev-2222222.okta.com/home/salesforce/0oa4a1a2a3a4a5a6a7/24, the number 0oa4a1a2a3a4a5a6a7 is the application ID).

e. In the API key field, paste the API key that you created in Security, API.

f. In the Identity provider URL field, paste the identity URL from Okta under Admin, Applications, Applications, Box.com, Sign On, settings link, Identity Provider Login URL (example: https://2222222.okta.com/app/salesforce/ex12ex34ex56ex7/sso/saml).

How Users Sign In to Box: Single sign-on through Ping Identity

What You Enter in the Oracle CASB Cloud Service Registration Page:

a. Select Single sign-on.

b. Set Single Sign-on provider to Ping.

c. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.

• User name. The username of the Oracle CASB Cloud Service user.

• Password. The password of the Oracle CASB Cloud Service user.

d. In the Username form field text box, enter the username form field parameter that is used in your Ping Federate login template.

e. In the Password form field text box, enter the password form field parameter that is used in your Ping Federate login template.

f. In the Application ID field, enter the SAML ID for your Box account in PingOne. You can find this in the saasID field in PingOne, under connection parameters.

g. In the Identity provider URL field, paste the value of the Initiate Single Sign-On (SSO) URL field of the connection parameters in PingOne.

10. If you want to enable this Box instance to bypass restrictions against third-party applications that exfiltrate data (transmit data back out of your firewall), copy the API key value to a temporary location where it will be available in a few steps.

11. When you are done entering your credentials, click Test Credentials.

It can take a minute or two for the application to receive and accept your credentials.

12. When testing is done, you see a success message. Click Next.

13. Click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization takes longer.

14. If you copied the API key value so that you can enable the Box instance you just created to bypass restrictions against third-party applications that exfiltrate data:

a. Copy the API key value from the temporary location.

b. Log in to your Box account and go to the administrative console.

c. Click the gear icon in the upper right corner to open the Settings menu, and then select Business Settings.

d. Click Apps in the row of options below the Box header.

e. In the Application Settings section, next to Unpublished Applications, select Disable apps by default.

f. Paste the API key value into the Except for box and click Save.


Security Control Values for Box (Push Controls/Read-Write)

Review the Box security controls that Oracle CASB Cloud Service monitors for push-controls mode, together with the values for their stringent settings.

After you register the Box instance in push controls mode, Oracle CASB Cloud Service sets your selected security control values in the Box instance. Later, it displays security control alerts if anyone changes the values.

The following describes stringent settings. You also can define custom settings.

Note:

A few of the security controls that Oracle CASB Cloud Service monitors for might not be available in your account, depending on whether this is a developer account, an enterprise account, and whether the account has the Box Governance Package.

| Security Control Type | Security Control Name | Oracle CASB Cloud Service Baseline (Stringent) Value | Description |
|---|---|---|---|
| Password policy | Minimum required characters | 10 | The larger the value for minimum password length, the harder the password is to crack, particularly if you also require special characters, numbers, and other recommended best practices. |
| Password policy | Require number(s) | 2 | Requiring numbers in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one number in user passwords or passphrases. This is a best practice. |
| Password policy | Require special character(s) | 1 | Requiring symbols (special characters) in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one special character in user passwords or passphrases. This is a best practice. |
| Password policy | Require at least one uppercase letter | On | Requiring uppercase characters in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one uppercase character in users' passwords or passphrases. This is a best practice. |
| Password policy | Prevent common words / email address as a password | On | Limiting the use of common words and email addresses in passwords makes them harder to crack. This is a best practice. |
| Password policy | Password resets: Require users to reset passwords every | 30 days | Password expiration limits your exposure to credential compromise by limiting the time available to a hacker to break hashed or encrypted credentials. Password expiration dates limit the time that a malicious actor can keep a foothold in your systems and networks. |
| Password policy | Prevent reusing passwords from | Last 10 times | Limiting users' ability to reuse previous passwords and passphrases helps increase their variation and uniqueness over time, and makes it harder for a malicious actor to use password dumps found online and in rainbow tables (a table often used to crack encrypted passwords). |
| Password policy | Notify admins when users request a forget password email | On | You can configure Box to notify administrators whenever users initiate a password reset flow. |
| Password policy | Notify admins when users change passwords in Settings | On | You can configure Box to notify admins when users change their passwords. |
| Password policy | Require strong passwords for external collaborators | On | You can configure Box to require external collaborators to use strong (complex) passwords. Complexity in passwords or passphrases makes them harder to crack. |
| Authentication policies | The number of failed login attempts before admin is notified | 3 | You can configure Box to notify administrators after any Box user has had a particular number of failed logins. Multiple and frequent failed logins can indicate a brute-force attack (an attempt to gain control of a password by guessing it). |
| Authentication policies | Prevent users from using the "Keep me signed in" feature | On | Limiting the duration of user sessions also limits the amount of time a hacker has to hijack the session. |
| Session policies | Duration a user can remain logged in without activity before being logged out | 30 minutes | You can set limits on the amount of time a session can be idle before locking out the user. This limits the amount of time a hacker has to hijack the session. |
| Settings | Allow users to sign up on their own | Off | You can configure Box to allow users to sign up instead of requiring them to ask an administrator to sign them up. |
| Settings | When new users are added, email admins | Immediately | You can configure Box to notify administrators whenever someone adds a new user to your Box account. The notification can be immediate or after a delay. |
| Settings | Prevent users from changing their primary email address | On | You can prevent users from changing their primary email address. |
| Settings | Enable external links to | Nothing, restrict sharing | You can prevent users from sharing links with people who are external to this Box account. |
| Settings | Enable external links with these access options | People in the folder only | Box lets you disable the ability of users to share URLs with anyone the users choose. |
| Settings | Default new links to | People in this folder | Box allows you to default new links to people who already have access to the parent folder or to anyone who is given a link to the folder. |
| Settings | Let link viewers | Preview the shared items only | You can allow people who have links to items in Box to either preview the items only, or both preview and download the shared item. |
| Settings | Allow custom shared link URLs for links with open access | Off | You can allow people who have links to items in Box to either preview the items only or both preview and download the shared item. |
| Settings | Show your custom domain in shared link URLs | Off | You can prevent users from displaying custom domain URLs when they share links to Box resources. |
| Settings | Restrict tag creation | admins and co-admins only | You can control the tags in use in your organization by restricting tag creation to administrators. |
| Settings | Enable tag filtering | On | Box gives users the ability to filter files and folders by tag and by name. |
| Settings | Number of days after which shared links are automatically disabled | 30 days | Box lets you set an expiration period for shared links. |
| Settings | Number of days before you notify users of link expiration | 7 days | Box lets you specify how soon users are notified after a link expires. |
| Settings | Enable Trash | On | Box lets you give users the ability to delete files through the Trash function. |
| Settings | People who can permanently delete content in Trash | Admin only | Box lets you control which users are allowed to permanently empty the Trash. |
| Settings | Trash is automatically deleted after | 90 days | Box lets you set a time interval for automatically emptying the Trash. |
| Settings | Allow users to see all managed users | Off | Box lets you restrict the ability of users to view other Box users. |
| Settings | Device limits - exempt users from Max # of device logins | 1 | Box lets you override device pinning, which means limiting the number of devices that users can log in from. |
| Settings | Restrict external collaboration | On | Box lets you restrict collaboration (sharing files and folders) with users outside of your Box account. |
| Settings | Require Apps to use SSL | On | Box lets you require SSL to encrypt communications between Box and integrated web applications. |
| Settings | Save files on device | Restrict | Box lets you prevent users from downloading files for offline use. |
| Settings | Require apps password lock | After 1 minute of inactivity | Box lets you force users to re-authenticate frequently on mobile devices to prevent data breaches if the device is lost or stolen. |
| Settings | Allow external users to collaborate on folders/files | Off | Box lets you restrict sharing files and folders with users outside of this Box account. |
| Settings | Restrict Invites | On | Box allows you to restrict this permission to only owners and co-owners of a folder. |
| Settings | Enable Invite links (Allow users to invite collaborators using links) | Off | Box allows you to control whether users can invite collaborators using links to Box resources. |
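The drift check that the two baseline tables describe, as an added Python example: monitor-only mode reports every control whose value differs from the Stringent baseline, and push-controls mode produces the set of baseline values to write back. This is not Oracle CASB Cloud Service code and does not call the Box API. STRINGENT_BASELINE carries a subset of the Stringent values from the tables; the comparison direction attached to each value, and the SAMPLE_OBSERVED snapshot, are constructed for this example.

```python
"""Baseline drift check for Box security controls (added example).

Not Oracle CASB Cloud Service code and not a Box API client. It models what
the service does after registration: compare the values observed in a Box
instance with the Stringent baseline and raise one alert per control whose
value differs. The comparison directions and SAMPLE_OBSERVED are constructed.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Stringent baseline subset (values from the tables). The direction says which
# way a deviation weakens the control: ">=" means a lower observed value is
# weaker, "<=" means a higher one is weaker, "==" means any other value is.
STRINGENT_BASELINE: Dict[str, Tuple[str, Any]] = {
    "Minimum required characters": (">=", 10),
    "Require number(s)": (">=", 2),
    "Require special character(s)": (">=", 1),
    "Require at least one uppercase letter": ("==", "On"),
    "Password resets: Require users to reset passwords every": ("<=", 30),  # days
    "Prevent reusing passwords from": (">=", 10),  # last N passwords
    "The number of failed login attempts before admin is notified": ("<=", 3),
    'Prevent users from using the "Keep me signed in" feature': ("==", "On"),
    "Duration a user can remain logged in without activity before being logged out": ("<=", 30),  # minutes
    "Allow users to sign up on their own": ("==", "Off"),
    "Restrict external collaboration": ("==", "On"),
    "Require Apps to use SSL": ("==", "On"),
    "Allow external users to collaborate on folders/files": ("==", "Off"),
    "Enable Invite links (Allow users to invite collaborators using links)": ("==", "Off"),
}

# Constructed tenant snapshot in the mix of spellings an export might produce.
# Three controls are weaker than baseline, one is stricter, one is absent
# (the note above says some controls do not exist on every account type).
SAMPLE_OBSERVED: Dict[str, Any] = {
    "Minimum required characters": 8,
    "Require number(s)": "2",
    "Require special character(s)": 1,
    "Require at least one uppercase letter": True,
    "Password resets: Require users to reset passwords every": "90 days",
    "Prevent reusing passwords from": "Last 12 times",
    "The number of failed login attempts before admin is notified": 3,
    'Prevent users from using the "Keep me signed in" feature': "on",
    "Duration a user can remain logged in without activity before being logged out": "30 minutes",
    "Allow users to sign up on their own": "Off",
    "Restrict external collaboration": "On",
    "Require Apps to use SSL": False,
    "Allow external users to collaborate on folders/files": "Off",
}

_INT_RE = re.compile(r"-?\d+")


def normalize(value: Any) -> Any:
    """Map the spellings of a control value ("On", True, "30 days", 30,
    "Last 10 times") to one canonical form so equal settings compare equal."""
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "On" if value else "Off"
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.lower() in ("on", "enabled", "true"):
        return "On"
    if text.lower() in ("off", "disabled", "false"):
        return "Off"
    match = _INT_RE.search(text)         # "90 days" -> 90, "Last 12 times" -> 12
    return int(match.group()) if match else text.lower()


@dataclass(frozen=True)
class Alert:
    control: str
    expected: Any
    observed: Optional[Any]   # None when the control is absent from the snapshot
    weaker: bool              # True when the drift loosens the control


def _weaker(direction: str, expected: Any, observed: Any) -> bool:
    if direction == "==" or not isinstance(observed, int):
        return True
    return observed < expected if direction == ">=" else observed > expected


def check_controls(observed: Dict[str, Any], baseline=STRINGENT_BASELINE) -> List[Alert]:
    """Monitor-only mode: one Alert per control whose value differs from the
    baseline, plus one (weaker=False) per control missing from the snapshot."""
    alerts: List[Alert] = []
    for control, (direction, expected) in baseline.items():
        if control not in observed:
            alerts.append(Alert(control, expected, None, False))
            continue
        actual = normalize(observed[control])
        if actual != normalize(expected):
            alerts.append(Alert(control, expected, actual, _weaker(direction, expected, actual)))
    return alerts


def remediation_plan(observed: Dict[str, Any], baseline=STRINGENT_BASELINE) -> Dict[str, Any]:
    """Push-controls mode: the baseline values to write back for every control
    that is present but drifted. Absent controls cannot be pushed."""
    return {a.control: a.expected
            for a in check_controls(observed, baseline) if a.observed is not None}


if __name__ == "__main__":
    for alert in check_controls(SAMPLE_OBSERVED):
        flag = "WEAKER" if alert.weaker else ("MISSING" if alert.observed is None else "differs")
        print(f"{flag:8} {alert.control}: expected {alert.expected!r}, observed {alert.observed!r}")
    print("push plan:", remediation_plan(SAMPLE_OBSERVED))
```

The `weaker` flag is the part worth keeping when triaging: the page says any difference raises an alert, but a tenant that keeps the last 12 passwords instead of 10 is stricter than the baseline and needs no remediation, while an 8-character minimum or SSL turned off does.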

Example: Box Controls for SSL, Session Length, and Folder Sharing

View an example of steps to set custom specific security control values.

Organizations frequently require Box files to be encrypted in transit, require user sessions to have a 30-minute timeout, and restrict Box file and folder sharing unless an administrator grants specific permissions to select users and groups.

You can push security controls to Box to require SSL, limit session length, and control folder sharing.


Note:

After configuring these settings in Oracle CASB Cloud Service, you must then configure access rights in Box. Create groups in Box, set the access rights for each folder, and then grant membership to users who are allowed to access the folder.

1. In the Oracle CASB Cloud Service console, select Applications, Add/Modify App, Register an app instance.

2. On the Select an app type page, click the Box icon, and click Next.

3. On the Select an instance page, enter a name for your Box instance and click Next.

Names of any existing Box application instances appear below your entry.

4. On the Select monitoring type page, select Push controls and monitoring, and then click Next.

5. On the Select security controls page, select Custom:

• To limit session duration, expand Session Policies, and set the Duration a user can remain logged in without activity before being logged out to 30 minutes.

• To force the use of SSL, expand Settings and ensure that Require Apps to use SSL is enabled.

• To enforce file and folder sharing restrictions, expand the Settings accordion and configure these settings:

– Set Restrict external collaboration to On (default).

– Set Allow external users to collaborate on folders/files to Off.

– Set Enable Invite links (Allow users to invite collaborators using links) to Off.

Note:

After completing this task, to allow users to work on Box files and folders, you must add them to privileged groups in the target Box account.

• When your Custom security control selections are complete, select the I understand and explicitly approve. . . check box, and then click Next.

6. On the Enter credentials page, select the user sign-on method, enter the required information, and then click Test Credentials.

7. When testing is completed successfully, click Submit.

8. Your security control settings are pushed out to the Box instance. If, at any time, someone changes these settings in Box, then you are notified through Risk Events in the Oracle CASB Cloud Service console.


Detecting and Managing Violations of Security Controls in Example

Find violations in Risk Events, view the details, and resolve violations appropriately.

After you set up security controls, you must manage any violations.

After you add the application instance with the example security controls, the service detects when violations occur. You can have Oracle CASB Cloud Service lock out users who are logged in too long, or you can manually lock out the users.

1. In your Box account, mimic a user who is logged in for more than 30 minutes.

2. In the Oracle CASB Cloud Service console, select Risk Events, and search for events related to your application instance.

3. Click anywhere in an event of interest to expand it.

4. Determine whether the event appears to violate your security settings.

For example, look for the Box user whose session is longer than 30 minutes.

5. If the event is of interest:

• Select Action, View Incident.

• In the View Incident dialog box, click Edit Incident.

• In the Edit Incident dialog box, click Resolve.

• In the Incident#... dialog box, if Oracle CASB Cloud Service or another system can resolve the incident automatically, then the Auto remediation option is available. To delegate remediation to Oracle CASB Cloud Service, select Auto remediation. If the Auto remediation option is not available, or you want to fix the Box instance setting manually, then select Manual remediation.

• Click Resolve Incident. If you selected Manual remediation, then remember to fix the Box instance setting manually.
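The check that step 4 asks you to make by eye (find the Box user whose session outlived the 30-minute idle limit pushed in the example), as an added Python example. This is not Oracle CASB Cloud Service code and does not read Box's real event feed: the activity lines are constructed sample data in a hypothetical key=value format, and the session identifiers are assumed. A session violates the limit when two of its events are more than 30 minutes apart with no logout between them, because the idle timeout should have ended it.

```python
"""Idle-session violation detection over Box-style activity events (added
example, not Oracle CASB Cloud Service code). Log format and sessions are
constructed; the 30-minute limit is the Stringent value from the table."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

IDLE_LIMIT = timedelta(minutes=30)

# Constructed sample events (hypothetical "timestamp key=value ..." format).
# alice stays active across a 45-minute gap; bob logs out in time and starts
# a fresh session later; carol's 29-minute gap is inside the limit.
SAMPLE_EVENTS = """\
2020-07-01T09:00:00 user=alice session=s1 event=login
2020-07-01T09:10:00 user=alice session=s1 event=preview
2020-07-01T09:55:00 user=alice session=s1 event=download
2020-07-01T09:05:00 user=bob session=s2 event=login
2020-07-01T09:20:00 user=bob session=s2 event=logout
2020-07-01T11:00:00 user=bob session=s3 event=login
2020-07-01T11:15:00 user=bob session=s3 event=upload
2020-07-01T12:00:00 user=carol session=s4 event=login
2020-07-01T12:29:00 user=carol session=s4 event=preview
"""


def parse_event(line: str) -> Dict[str, object]:
    """Split one line into a dict with a datetime under "ts" plus the key=value fields."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts_text), **fields}


def find_idle_violations(log_text: str, idle_limit: timedelta = IDLE_LIMIT) -> List[Tuple[str, str, int]]:
    """Return (user, session, longest_gap_minutes) for every session that stayed
    active across a gap longer than idle_limit.

    Events are grouped per (user, session) and sorted by time, so out-of-order
    lines are handled. A logout ends the session; later gaps are not counted."""
    by_session: Dict[Tuple[str, str], List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_session[(str(ev["user"]), str(ev["session"]))].append(ev)

    violations = []
    for (user, session), events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        longest = timedelta(0)
        for prev, cur in zip(events, events[1:]):
            if prev["event"] == "logout":
                break
            longest = max(longest, cur["ts"] - prev["ts"])
        if longest > idle_limit:
            violations.append((user, session, int(longest.total_seconds() // 60)))
    return violations


if __name__ == "__main__":
    for user, session, minutes in find_idle_violations(SAMPLE_EVENTS):
        print(f"{user} session {session}: active again after {minutes} min idle, limit is 30")
```

Run against a real export you would key sessions on whatever identifier the feed provides, but the logic stays the same: a gap longer than the idle limit inside a still-open session is the evidence that the pushed control was not in effect.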

Updating a Box Instance

Modify settings for an existing Box instance.

Updating the Credentials for a Box Instance

Change the login credentials for a Box instance.

When the login credentials that you used to register a Box instance expire, you must update these credentials both in Box and in the Oracle CASB Cloud Service console. If you replace the credentials in Box (regardless of whether they have expired), then you also must replace them in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.


Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. Enter the current values for all the fields.

Note:

If you haven’t yet updated the credentials in Box, do this first, and then modify the credentials in the Oracle CASB Cloud Service console.

How UsersSign In toBox

What You Enter in the Oracle CASBCloud Service Registration Page

Description

Users SignIn directlyinto Box

a. Select Sign in with Box usernameand password .

b. Enter the credentials for the dedicatedadmin or co-admin that you set up tocommunicate with Oracle CASB CloudService.• User name. The username of the

Oracle CASB Cloud Service user.• Password. The password of the

Oracle CASB Cloud Service user.

The Oracle CASB CloudService user providescredentials directly to Box.

Chapter 9Updating a Box Instance

9-24

Page 187: Using Oracle CASB Cloud Service · When CASB Cloud Service Is Integrated with Oracle Identity Cloud Service1-6. Migrating from Non-Metered to Metered Tenant1-8. About Cloud Security

How UsersSign In toBox

What You Enter in the Oracle CASBCloud Service Registration Page

Description

Users havesingle sign-on throughOkta

a. Select Single sign-on .

b. Enter the credentials for the dedicatedadmin or co-admin that you set up tocommunicate with Oracle CASB CloudService.• User name. The username of the

Oracle CASB Cloud Service user.• Password. The password of the

Oracle CASB Cloud Service user.

c. Enter the Application ID. You can findthis in the Okta console as follows: Goto Applications, Applications, Box.com, General, and under the AppEmbed Link field copy the Boxapplication ID portion of the link (forexample, in the link https://dev-2222222.okta.com/home/salesforce/0oa4a1a2a3a4a5a6a7/24, thenumber 0oa4a1a2a3a4a5a6a7 is theapplication ID).

d. In the API key field, paste the API keythat you created in Security, API.

e. In the Identity provider URL field,paste the identity URL from Oktaunder Admin, Applications, Applications, Box.com, Sign On, settings link, Identity Provider LoginURL (example: https://2222222.okta.com/app/salesforce/ex12ex34ex56ex7/sso/saml).

For more information, seeUsing Okta Single Sign-Onwith Box.


How Users Sign In to Box: Users have single sign-on through Ping Identity

What You Enter in the Oracle CASB Cloud Service Registration Page:

a. Select the Single sign-on option.

b. Enter the credentials for the dedicated admin or co-admin that you set up to communicate with Oracle CASB Cloud Service.

• User name. The user name of the Oracle CASB Cloud Service user.

• Password. The password of the Oracle CASB Cloud Service user.

c. Enter the Application ID. You can find this in the saasID field in PingOne, under connection parameters.

d. In the API key field, paste the value of the Results field when you create the authentication selector instance for Oracle CASB Cloud Service. The Results field is in the Authentication Selector section of this Ping page.

e. In the Identity provider URL field, paste the value of the Initiate Single Sign-On (SSO) URL field of the connection parameters.

Description: For more information, see Using Ping Single Sign-On with Box.

After your credentials are validated, you return to the Oracle CASB Cloud Service console.

3. Click Next to view the verification page.

Updating the IDP Instance for a Box Instance

Change the way a Box instance communicates with an identity provider (IDP).

You can update the way that a Box instance communicates with an identity provider (IDP) in several ways:

• You can change an existing Box instance that is authenticating to an IDP instance, so that it authenticates to a different IDP instance.

• You can also switch a Box instance from authenticating directly with the IDP to authenticating with the IDP through an IDP instance.

• You can’t switch a Box instance that is authenticating with the IDP through an IDP instance to directly authenticate to the IDP.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update IDP Instance.

• In grid view, drop down the Action list for the instance you want to modify and select Update IDP Instance.


Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update IDP Instance, and then select the application instance you want to modify and click Next.

2. In the Update IDP Instance page, select a different identity provider (IDP) instance, a different active application defined in the identity provider, or both, and then click Next.

3. In the Success page, click Done.

Updating the Security Control Baseline for a Box Instance

Change security control baseline settings for a Box instance that was added in either monitor-only mode or push controls mode.

When you register a Box account, by default Oracle CASB Cloud Service automatically monitors for security-related configurations and generates an alert when a security control value doesn’t match Oracle CASB Cloud Service's own stringent setting. For example, if a Box administrator permits users to have 5-character passwords, then Oracle CASB Cloud Service generates an alert. For more information, see Adding a Box Instance (Monitor Only/Read Only).

You also can register a Box account in push controls mode, in which case Oracle CASB Cloud Service sets the desired values in your account and then generates alerts when these values are changed. For more information, see Adding a Box Instance (Monitor Only/Read Only).

After application registration, you can modify the alerting baseline that Oracle CASB Cloud Service uses. For example, you can change the baseline for minimum password length from 10 to 12 characters.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Click the baseline type that you want: Standard, Stringent, or Custom. For descriptions of the Box security controls that you can configure, see Adding a Box Instance (Push Controls/Read-Write).


Updating Data Protection for a Box Instance

Enable or disable data protection for a Box instance.

Prerequisites:

• Contact your Oracle CASB Cloud Service Customer Success Manager if Data Protection is not available in your instance.

• Register the Box instance. See Adding a Box Instance (Monitor Only/Read Only) or Adding a Box Instance (Push Controls/Read-Write).

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update Data Protection.

• In grid view, drop down the Action list for the instance you want to modify and select Update Data Protection.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update Data Protection, and then select the application instance you want to modify and click Next.

2. To specify domains as internal, for assigning the sharing level in retroactive scans, enter the domains in the Internal Domains box, separated by commas.

Retroactive scans will automatically assign the sharing level of internal to files shared with these domains. The sharing level appears in the SHARING column on the Data page after a retroactive scan runs. See Viewing Scan Results in the Data Page.

Note:

This setting is independent of your Enable DLP selection. Selecting Enable DLP enables ongoing DLP scans. Internal Domains affects retroactive scans. See Performing a Retroactive Scan.

3. To enable data protection (Enable DLP is not selected):

a. Select Enable DLP.

b. Set Root folder to Monitor to the top-level folder or folders where content will be monitored.

You can select multiple root folders from the list. For root folders that have sub-folders, click the Drop-Down icon to select sub-folders individually.

c. Click Next.

d. On the Success page, click Done.


4. To disable data protection (Enable DLP is selected):

a. Deselect Enable DLP.

b. Click Next.

c. On the Success page, click Done.
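The Internal Domains value entered in step 2 above is a plain comma-separated list, and the page states only that files shared with those domains are assigned the sharing level internal by a retroactive scan. The following is an added example, not Oracle CASB Cloud Service code, of how such a list is parsed and how a file's collaborator addresses are classified against it. The product's real matching rules (whitespace and case handling, whether subdomains count, and the labels used for files that are unshared or shared outside the listed domains) are not given on the page, so the choices below are assumptions, and the sample files are constructed.

```python
"""Classify Box file shares using an Internal Domains list like the one
entered in step 2 above.

Added example; not Oracle CASB Cloud Service code. The page says only that
files shared with the listed domains get the sharing level 'internal'. The
normalisation rules, the subdomain handling and the 'external'/'private'
labels below are assumptions made for this example.
"""


def parse_internal_domains(setting):
    """Split the comma-separated box value; tolerate spaces, mixed case,
    a leading '@', and empty entries (assumed normalisation)."""
    domains = set()
    for entry in setting.split(","):
        entry = entry.strip().lower().lstrip("@")
        if entry:
            domains.add(entry)
    return domains


def is_internal(email, internal_domains, include_subdomains=True):
    """True when the collaborator's mail domain is internal. Subdomains
    (eng.example.com under example.com) count only when asked for, and the
    match is on a '.'-separated label so notexample.com never matches."""
    if email.count("@") != 1:
        return False  # not a usable address; treat as external
    domain = email.rsplit("@", 1)[1].strip().lower()
    if domain in internal_domains:
        return True
    if include_subdomains:
        return any(domain.endswith("." + d) for d in internal_domains)
    return False


def sharing_level(collaborators, internal_domains):
    """'private' for an unshared file, 'internal' when every collaborator is
    internal, otherwise 'external' (one outside address is enough)."""
    if not collaborators:
        return "private"
    if all(is_internal(c, internal_domains) for c in collaborators):
        return "internal"
    return "external"


def classify_files(files, setting):
    """Map file name -> sharing level for a dict of name -> collaborator emails."""
    internal = parse_internal_domains(setting)
    return {name: sharing_level(collabs, internal) for name, collabs in files.items()}


# Constructed sample data, not from the page.
INTERNAL_DOMAINS_SETTING = " Example.com, @partner.example ,"
SAMPLE_FILES = {
    "roadmap.docx": ["alice@example.com", "bob@EXAMPLE.com"],
    "budget.xlsx": ["alice@example.com", "carol@gmail.com"],
    "contract.pdf": ["dave@partner.example"],
    "design.pdf": ["erin@eng.example.com"],
    "notes.txt": [],
}

if __name__ == "__main__":
    for name, level in classify_files(SAMPLE_FILES, INTERNAL_DOMAINS_SETTING).items():
        print(f"{name:14} {level}")
```

The subdomain switch is the edge case worth deciding deliberately: treating every subdomain of a listed domain as internal is convenient, but a suffix test without the leading dot would also accept look-alike domains, which is why the comparison is anchored on the label boundary.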

Updating the Reverse Proxy Configuration for a Box Instance

Enable or disable a reverse proxy for a Box instance that has data protection enabled.

Prerequisites:

• Contact your Oracle CASB Cloud Service Customer Success Manager if Data Protection is not available in your instance.

• Register the Box instance, with users logging in using Okta single sign-on. See Adding a Box Instance (Monitor Only/Read Only) or Adding a Box Instance (Push Controls/Read-Write).

• Enable data protection for the Box instance. See Updating Data Protection for a Box Instance.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update Reverse Proxy.

• In grid view, drop down the Action list for the instance you want to modify and select Update Reverse Proxy.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update Reverse Proxy, and then select the application instance you want to modify and click Next.

2. In the CASB as IdP section:

a. In the Box Login URL field, enter the URL you use to log in to Box.

b. In the Entity ID field, enter the entity ID you use in Box.

c. Click Download to download the certificate that Box will need.

Note the path to this downloaded certificate so that you can upload it to Box in a later step.

d. Copy the Redirect URL value to the clipboard.

3. In a separate browser window, log in to the Okta console.

a. Select My Applications.

b. Click Admin at the top right of the page to go to the Okta Dashboard.

c. From the Navigation menu, select Applications, Applications.


d. Select your application in the list.

e. Click General at the lower left.

f. Scroll down to SAML Settings and click Edit.

g. On the General Settings page, click Next at the lower right.

h. On the SAML Settings page, paste the Redirect URL value that you copied (from Oracle CASB Cloud Service) into the Single sign on URL box.

i. Scroll down to the ATTRIBUTE STATEMENTS (OPTIONAL) section and set the Value for the email attribute to user.login.

This selects the email ID to be used as the user name.

j. Scroll to the bottom of the page and click Next.

k. On the Feedback page, click Finish.

You are returned to your application’s detail page, Sign On tab.

l. Scroll down in the Settings section to SAML 2.0 is not configured until you complete the setup instructions and click View Setup Instructions.

m. Copy the Identity Provider Single Sign-On URL value to the clipboard.

n. Scroll down to the X.509 Certificate section and click Download certificate.

Note where you save this file. You will need to navigate back to that location in the next few steps.

4. Switch back to the browser window where you started the Update Reverse Proxy process in Oracle CASB Cloud Service.

5. In the CASB as SP section:

a. Paste the Identity Provider Single Sign-On URL value that you copied from Okta into the IdP Login URL box.

b. Click Upload and navigate to the certificate file that you just downloaded from Okta.

6. Switch back to the browser window where you are logged in to Box.

7. Copy the Security Token Consumer URL value to the clipboard.

8. Switch back to the browser window where you started the Update Reverse Proxy process in Oracle CASB Cloud Service.

9. In the From Box area of the CASB as IdP section, paste the Security Token Consumer URL that you just copied from Box into the Box Login URL field.

10. In the CASB options section, select Reverse Proxy.

11. If you want the reverse proxy to apply only to selected users, select Group-based redirection.

12. Click Next.

13. On the Success page, click Done.

To disable the reverse proxy (in the CASB options section, Reverse Proxy is selected):

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update Reverse Proxy.

• In grid view, drop down the Action list for the instance you want to modify and select Update Reverse Proxy.

2. In the CASB options section, deselect Reverse Proxy.

3. Click Next.

4. On the Success page, click Done.

Next Steps for Box

Now that you have finished setting up your Box instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Box instance:

• Creating Policy Alerts for Box — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Box — to view predefined reports for Box.

See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


10 Setting Up Custom Apps for AWS

Prepare Custom Apps for AWS and register your application instance with Oracle CASB Cloud Service for security monitoring.

Oracle CASB Cloud Service detects potential risks in your Custom Apps for AWS account.

To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

Topics:

• Typical Workflow for Custom Apps for AWS Monitoring

• Preparing Custom Apps for AWS

• Adding a Custom Apps for AWS Instance

• Updating the Credentials for a Custom Apps for AWS Instance

Typical Workflow for Custom Apps for AWS Monitoring

With Oracle CASB Cloud Service, you can monitor Custom Apps for AWS to detect potential risks.

Task: Prepare a Custom Apps for AWS account.
Description: You can set up an Oracle CASB Cloud Service account in Custom Apps for AWS.
Additional Information: Preparing Custom Apps for AWS

Task: Add a Custom Apps for AWS instance.
Description: You can register a Custom Apps for AWS application instance in monitoring-only mode.
Additional Information: Adding a Custom Apps for AWS Instance

Task: Update credentials for a Custom Apps for AWS instance.
Description: You can update the credentials for a Custom Apps for AWS instance.
Additional Information: Updating the Credentials for a Custom Apps for AWS Instance

Preparing Custom Apps for AWS

Create a dedicated AWS account and set up logging.

1. Depending on whether you want Oracle CASB Cloud Service to use IAM users or IAM roles to monitor your AWS instances, set up a dedicated AWS account for use with your AWS CustomApp by performing the steps in:

• Using an IAM User: Creating and Registering a Dedicated Service User — if you want Oracle CASB Cloud Service to use IAM users.


• Using an IAM Role: Creating a Dedicated Service Role — if you want Oracle CASB Cloud Service to use IAM roles.

2. In the AWS console, select Services, Cloudwatch, Logs.

3. Create a log group named CASB_customapp_group.

Formatting Logs for Cloudwatch

Ensure that Cloudwatch logs are formatted properly for Oracle CASB Cloud Service to process.

The logs from Cloudwatch cannot be processed if they are not properly formatted. The sample log listing below illustrates the expected format; bolded items indicate the information that Oracle CASB Cloud Service extracts. For information on formatting logs, see the AWS documentation.

{
  "urlIn": "/api/v2/users/user/b00d8543-3fbf-414a-9dfe-58dcadfe9ce3",
  "timeIn": 1467547359746,
  "timeOut": 1467547359750,
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36",
  "ipAddress": "198.179.137.241",
  "filterTracers": [
    {
      "filterName": "frontendPreFilter",
      "timeIn": 1467547359746,
      "timeOut": 0,
      "status": -1
    },
    {
      "filterName": "userProfilev2Service",
      "timeIn": 1467547359746,
      "timeOut": 1467547359749,
      "status": -1
    },
    {
      "filterName": "sendErrorFilter",
      "timeIn": 1467547359746,
      "timeOut": 1467547359749,
      "status": 401,
      "url": "/api/v2/users/user/b00d8543-3fbf-414a-9dfe-58dcadfe9ce3"
    }
  ]
}
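The listing above is one event. Since a malformed line is silently unprocessable, it is worth checking a log batch against that shape before it is shipped. The following is an added example, not Oracle CASB Cloud Service or AWS code: it parses CloudWatch lines, rejects malformed ones with a reason, and tallies the final filter status per client IP so that repeated 401 responses from a single address stand out. The page does not say which fields the service extracts (the bold in the original did not survive extraction), so the required-field set is an assumption; the event from the listing is reused verbatim and the other sample lines are constructed.

```python
"""Check Custom Apps for AWS log events against the format shown above and
summarise request outcomes per source IP.

Added example; not Oracle CASB Cloud Service or AWS code. REQUIRED below is
an assumption (request URL, timestamps, user agent, client IP, filter tracers).
"""
import json
from collections import Counter

# Field -> expected JSON type, assumed from the sample listing above.
REQUIRED = {"urlIn": str, "timeIn": int, "timeOut": int, "userAgent": str,
            "ipAddress": str, "filterTracers": list}


def validate_event(raw):
    """Parse one CloudWatch log line. Returns (event, errors); event is None
    and errors is non-empty when the line would be unprocessable."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, [f"not JSON: {exc.msg}"]
    if not isinstance(event, dict):
        return None, ["top level is not a JSON object"]
    errors = []
    for key, typ in REQUIRED.items():
        value = event.get(key)
        if key not in event:
            errors.append(f"missing {key}")
        elif not isinstance(value, typ) or isinstance(value, bool):
            errors.append(f"{key} has wrong type")
    if not errors:
        for i, tracer in enumerate(event["filterTracers"]):
            if not isinstance(tracer, dict) or not {"filterName", "status"}.issubset(tracer):
                errors.append(f"filterTracers[{i}] lacks filterName/status")
        if event["timeOut"] < event["timeIn"]:
            errors.append("timeOut precedes timeIn")
    return (None, errors) if errors else (event, [])


def final_status(event):
    """HTTP status recorded by the last filter that set one; -1 if none did."""
    set_statuses = [t["status"] for t in event["filterTracers"] if t["status"] != -1]
    return set_statuses[-1] if set_statuses else -1


def summarize(lines):
    """Tally final status per client IP; keep (line number, errors) for rejects."""
    by_ip, rejected = {}, []
    for n, line in enumerate(lines, start=1):
        event, errors = validate_event(line)
        if errors:
            rejected.append((n, errors))
            continue
        by_ip.setdefault(event["ipAddress"], Counter())[final_status(event)] += 1
    return by_ip, rejected


def failed_auth_ips(by_ip, threshold=1):
    """IPs with at least `threshold` requests that ended in 401."""
    return sorted(ip for ip, counts in by_ip.items() if counts[401] >= threshold)


# The event from the listing above, then constructed lines: a well-formed
# success, one missing ipAddress, and one that is not JSON at all.
PAGE_EVENT = {
    "urlIn": "/api/v2/users/user/b00d8543-3fbf-414a-9dfe-58dcadfe9ce3",
    "timeIn": 1467547359746, "timeOut": 1467547359750,
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36",
    "ipAddress": "198.179.137.241",
    "filterTracers": [
        {"filterName": "frontendPreFilter", "timeIn": 1467547359746, "timeOut": 0, "status": -1},
        {"filterName": "userProfilev2Service", "timeIn": 1467547359746, "timeOut": 1467547359749, "status": -1},
        {"filterName": "sendErrorFilter", "timeIn": 1467547359746, "timeOut": 1467547359749, "status": 401,
         "url": "/api/v2/users/user/b00d8543-3fbf-414a-9dfe-58dcadfe9ce3"},
    ],
}
SAMPLE_LINES = [
    json.dumps(PAGE_EVENT),
    json.dumps({"urlIn": "/api/v2/users/me", "timeIn": 1467547400000, "timeOut": 1467547400012,
                "userAgent": "curl/7.64.1", "ipAddress": "198.179.137.241",
                "filterTracers": [{"filterName": "frontendPreFilter", "timeIn": 1467547400000,
                                   "timeOut": 1467547400012, "status": 200}]}),
    '{"urlIn": "/api/v2/login", "timeIn": 1467547500000, "timeOut": 1467547500003, '
    '"userAgent": "curl/7.64.1", "filterTracers": []}',
    "Jul 03 12:02:39 app[1234]: plain-text line that will be rejected",
]

if __name__ == "__main__":
    totals, bad = summarize(SAMPLE_LINES)
    for ip, counts in totals.items():
        print(ip, dict(counts))
    for n, errs in bad:
        print(f"line {n} rejected: {'; '.join(errs)}")
    print("IPs with failed auth:", failed_auth_ips(totals))
```

Rejected lines are reported with their line number and reason rather than dropped, which is the behaviour you want from a pre-ingestion check: a format regression in the application shows up as a count of rejects instead of as a silent gap in what the service monitors.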

Adding a Custom Apps for AWS Instance

After completing the necessary configurations in AWS, add or register the Custom Apps for AWS instance in Oracle CASB Cloud Service.

Prerequisites: Ensure that you have completed all the required tasks in Preparing Custom Apps for AWS.

To register Custom Apps for AWS with Oracle CASB Cloud Service, you need the user ID and password that belongs to the member with admin or owner privileges that you specified when you prepared Custom Apps for AWS.


Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the CustomApp icon, then click Next.

4. In the Select an instance page, type a unique name for your application instance.

Any existing names appear below the name field.

5. Click Next.

6. In the Enter credentials page, in the Access key and Secret key fields, enter the access key and secret key for the Oracle CASB Cloud Service user in the AWS account being registered.

This user must have access to the “CASB_customapp_group” log group you created in Preparing a Custom Apps for AWS account.

7. Click Test Credentials.

8. When testing is done you see a success message. Click Submit.

9. When you are done, click Save and complete registration.

10. Go to the Applications page and locate your CustomApp to verify that it is properly registered.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

a. If you see “Working” in your CustomApp’s icon, then your CustomApp is properly registered and you have successfully completed this task.

b. If you see “Failed” in your CustomApp’s icon, then click the icon to display the application’s Health Summary card:

• Click the More > link to see additional information.

• Review the “Possible causes” listed.

• Carefully repeat the steps in Preparing Custom Apps for AWS to correct the problem.

Updating the Credentials for a Custom Apps for AWS Instance

Change the login credentials for a Custom Apps for AWS instance.

When the login credentials that you used to register a Custom Apps for AWS instance expire or are updated, you must update these credentials both in Custom Apps for AWS and in the Oracle CASB Cloud Service console. The Custom Apps for AWS user should never be demoted to a role lower than admin.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update credentials page, enter the new Access key and Secret key, and then click Test Credentials.

3. If the test is successful, click Next to view the confirmation page.

Next Steps for Custom Apps for AWS

Now that you have finished setting up your Custom Apps for AWS instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Custom Apps for AWS instance:

• Enhancing Security — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance. The Creating Policies and Managing Policy Alerts chapter has application-specific sections on creating custom alerts for particular situations that you define.

• Monitoring Cloud Applications — to start running predefined reports and custom reports, analyze potential threats and risky user behavior, and create and track incident tickets. The Managing Behavioral Anomalies and Threats chapter has application-specific sections on detecting threats, and the Creating and Running Reports chapter has application-specific sections on viewing predefined reports.


11 Setting Up GitHub

Set up GitHub for security monitoring.

Topics:

• Typical Workflow for GitHub Security Monitoring

• Preparing GitHub

• Adding a GitHub Instance

• Updating the Credentials for a GitHub Instance

Typical Workflow for GitHub Security Monitoring

With Oracle CASB Cloud Service, you can monitor GitHub to detect potential risks.

Task: Prepare GitHub.
Description: You can create a dedicated GitHub service account that is reserved for communication with Oracle CASB Cloud Service.
Additional Information: Preparing GitHub

Task: Add a GitHub instance.
Description: You can register a GitHub application instance with Oracle CASB Cloud Service.
Additional Information: Adding a GitHub Instance

Task: Update the credentials for a GitHub instance.
Description: You can update the credentials for a GitHub instance when the login credentials that you used to register the instance are no longer valid.
Additional Information: Updating the Credentials for a GitHub Instance

Preparing GitHub

Oracle CASB Cloud Service can monitor GitHub using either basic authentication or OAuth 2.0.

To use basic authentication, you must create a dedicated GitHub account. OAuth 2.0 allows you to use any GitHub user account that has sufficient permissions.

Preparing GitHub Using Basic Authentication

Create a dedicated GitHub service account that’s reserved for communication with Oracle CASB Cloud Service.

The account you create must:

• Access a cloud instance of GitHub.

• Use basic authentication.


• Have owner/admin privileges to all organizations to be monitored.

• Access private repositories for Oracle CASB Cloud Service to monitor. (Oracle CASB Cloud Service can’t monitor public repositories.)

Be sure that you don’t use these credentials to log in.

Note:

It can be helpful to create an email alias for the Oracle CASB Cloud Service user, and forward email from this alias to your own email so that you can receive notifications that are sent to the Oracle CASB Cloud Service user.

1. Access GitHub and sign up for a new user account.

Give the user a name (example: OCCSAdmin), and provide an email address that you have access to.

2. Respond to the email from GitHub to complete the user account registration.

The new user's account password should be complex and follow your organization's password policy guidelines.

3. Log in to GitHub, this time as an account owner or a member of the account owner's team.

4. Add the new Oracle CASB Cloud Service account, with the Owner role, to each organization to be monitored.

Oracle CASB Cloud Service will monitor the activity in all private repositories for these organizations that the new Oracle CASB Cloud Service account belongs to.

5. Have a recovery procedure in place in case there are issues with the account.

6. Have the Oracle CASB Cloud Service user's login credentials and email address on hand when you register the account in the Oracle CASB Cloud Service console.

Preparing GitHub Using OAuth 2.0

Select a user account with owner/administrator privileges and use that account when you register GitHub with Oracle CASB Cloud Service.

Because GitHub uses OAuth 2.0, you do not need to set up a special user account to support monitoring by Oracle CASB Cloud Service. You can use the credentials of any user registered in the GitHub organization who has owner/administrator privileges.

Adding a GitHub Instance

Add or register your GitHub instance to Oracle CASB Cloud Service.

To register a GitHub instance with Oracle CASB Cloud Service, you need the user name and password for a dedicated GitHub administrator account.


Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the GitHub icon, and then click Next.

4. In the Select an instance page, enter a unique name for your application instance. Any existing names appear below the Name field.

5. Click Next.

6. In the Enter credentials page, enter the user name and password that you set up in GitHub for the Oracle CASB Cloud Service. Don’t share these credentials with any other service or user.

7. After entering your credentials, click Test Credential. It can take a minute or two for the application to receive and accept your credentials.

8. When testing is done, you see a success message. Click Next.

9. Click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Updating the Credentials for a GitHub Instance

Update the user name and password for the dedicated Oracle CASB Cloud Service user.

When the login credentials that you used to register a GitHub instance are no longer valid (for example, the password expired), you must also update the credentials in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.


2. Enter the Oracle CASB Cloud Service user's user name and password in the text fields, and then click Test Credentials.

3. After the credentials are verified, click Next to view a verification page.

Next Steps for GitHub

Now that you have finished setting up your GitHub instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new GitHub instance:

• Creating Policy Alerts for GitHub — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for GitHub — to view predefined reports for GitHub.

See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


12 Setting Up Google for Work

Prepare Google for Work and register your application instance with Oracle CASB Cloud Service for security monitoring.

Oracle CASB Cloud Service detects potential risks in your Google for Work account such as activity within a Google for Work application that violates your policies (for example, sharing information with people outside of your organization), and user behavior patterns that appear to be suspicious.

Topics:

• Typical Workflow for Google for Work Security Monitoring

• Preparing Google for Work

• Adding a Google for Work Instance

• Updating the Credentials for a Google for Work Instance

Typical Workflow for Google for Work Security Monitoring

With Oracle CASB Cloud Service, you can monitor Google for Work to detect potential risks.

Task: Prepare Google Apps.
Description: You can create a Google Apps user that is dedicated for use with Oracle CASB Cloud Service, and download Oracle CASB Cloud Service for Google Apps.
Additional Information: Preparing Google for Work

Task: Add a Google for Work instance.
Description: You can register a Google Apps account as an instance so that Oracle CASB Cloud Service can monitor it.
Additional Information: Adding a Google for Work Instance

Preparing Google for Work

Create a dedicated Google for Work account that is reserved for communication with Oracle CASB Cloud Service.

Prerequisite: Not all Google editions are supported for all users. The table below shows Google editions supported for different user types.

Google Edition               General Support   Administrator Drive Events   Drive Events for Other Users
G Suite Business Edition     Yes               Yes                          Yes
G Suite Enterprise Edition   Yes               Yes                          No
G Suite Basic Edition        Yes               No                           No
G Suite Education Edition    Yes               Yes                          Yes

To prepare for monitoring Google Apps, you must create a user that is dedicated to the Oracle CASB Cloud Service in your Google Apps account. The Oracle CASB Cloud Service user can't use multifactor or federated authentication (for example, through a single sign-on service) at this time. The Oracle CASB Cloud Service user needs the super administrator role to be able to monitor the activity of all users in the account.

Oracle CASB Cloud Service uses the super administrator's privileges to pull the Google Apps logs (authorized applications logs, calendar logs, mobile added logs, login and failed login logs, and admin change logs) and read user activity data. Oracle CASB Cloud Service also uses the service user account to get individual administrative user logs and to access Google Drive using the Change, Activity, and Permissions APIs. (Currently, Oracle CASB Cloud Service monitors Google Drive, including Google Docs, Sheets, Slides, and content that you upload to Drive.)

Oracle CASB Cloud Service monitoring is currently supported for unlimited/Work edition accounts with WebOAuth 2.0 service account authentication.

To get started, you create an Oracle CASB Cloud Service user, install an Oracle CASB Cloud Service app from the Google Apps Marketplace, and then register your Google Apps account with Oracle CASB Cloud Service.

Creating a Dedicated User in Google Apps

Create a Google Apps user that is dedicated for use with Oracle CASB Cloud Service.

1. Log in to https://admin.google.com/AdminHome with a super administrator role.

2. In the landing page for the admin console, select Users, and then add a user.

3. In the details page for this user select Show more, select Manage this user's roles and privileges, and then click MANAGE ROLES.

4. Assign a Super Admin role to this user.

5. Save this user's credentials.

You will need them when you register Google Apps with Oracle CASB Cloud Service.

Downloading Oracle CASB Cloud Service for Google Apps

Download Oracle CASB Cloud Service for Google Apps from the Google Apps Marketplace.

You must download Oracle CASB Cloud Service for Google Apps before you can register a Google application instance with Oracle CASB Cloud Service.


1. Copy and paste the following into your browser: https://chrome.google.com/webstore/detail/palerra-loric-for-google/belcgkapolfclmgnghpcbigoaehjebed

2. In the Google Apps Marketplace page, click Install App.

3. Authenticate to Google, if needed.

4. At the ready to install prompt, click Continue.

5. At the prompt to grant privileges to Palerra, select the I agree check box, and then click Accept.

6. At the installation confirmation prompt, click Next.

7. At the step 2 of 3 prompt, click Next again.

8. At the final prompt, click Launch App.

9. Log in to Oracle CASB Cloud Service.

10. When you are done, you can register your Google Apps account with Oracle CASB Cloud Service. See Adding a Google for Work Instance.

Adding a Google for Work Instance

Add or register your Google for Work instance to Oracle CASB Cloud Service.

Prerequisites: Ensure that you have completed the tasks in Preparing Google for Work.

Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn't provide any additional information.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. Select the icon for Google Apps and click Next.

4. Enter a unique name for your application instance. Existing names appear below the Name field.

5. Click Next.

6. In the Enter credentials page, select the I confirm Oracle CASB Cloud Service for Google Apps is installed from Marketplace check box, enter the domain name, and then click Submit.

7. The Google user management service takes over and prompts you for an email address or phone number.

8. Enter the email address for the Google Apps user with Super Admin privileges, and then click Next.


9. Enter the password for the user, and then click Next.

If you previously registered Google Apps using this service user, you are prompted to give it offline access. Accept this prompt.

10. After Google Apps validates the user, you return to the Oracle CASB Cloud Service application registration wizard and click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Updating the Credentials for a Google for Work Instance

Change the login credentials for a Google for Work instance.

When the login credentials that you used to register a Google for Work instance are no longer valid (for example, the password expired), you must also update the credentials in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update credentials page, select the I confirm Oracle CASB Cloud Service for Google Apps is installed from Marketplace check box, enter the domain name, and then click Submit.

3. After a brief wait, you are directed to the Google Apps site and prompted to verify your credentials. After completing Google Apps authentication, you are automatically sent back to the Oracle CASB Cloud Service console.

4. Click Done.

Next Steps for Google for Work

Now that you have finished setting up your Google for Work instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Google for Work instance:

• Creating Policy Alerts for Google for Work — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Google for Work — to view predefined reports for Google for Work.

See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


13 Setting Up Microsoft Office 365

Prepare Microsoft Office 365 and register your application instance with Oracle CASB Cloud Service for security monitoring.

Oracle CASB Cloud Service’s monitoring of Office 365 focuses on these applications:

• Exchange

• SharePoint and OneDrive

• Azure Active Directory (AD)

Note:

Oracle CASB Cloud Service monitors all Exchange users, including any who are using Exchange under a limited functionality Exchange online plan. If your organization has people who are using Office 365 under an Exchange online plan, there is no way to exclude those users from monitoring.

Topics:

• Typical Workflow for Microsoft Office 365 Security Monitoring

• Preparing Microsoft Office 365

• Adding an Office 365 Instance

• Updating an Office 365 Instance

Typical Workflow for Microsoft Office 365 Security Monitoring

With Oracle CASB Cloud Service, you can monitor Microsoft Office 365 to detect potential risks.

Task | Description | Additional Information
Prepare Microsoft Office 365. | You can set up a dedicated Oracle CASB Cloud Service user in the Microsoft Office 365 account. | Preparing Microsoft Office 365
Add an Office 365 instance. | You can register an Office 365 instance with Oracle CASB Cloud Service. | Adding an Office 365 Instance
Update an Office 365 instance. | You can update the credentials and IDP instance for an Office 365 instance. | Updating an Office 365 Instance


Preparing Microsoft Office 365

Create a dedicated Office 365 account that is reserved for communication with Oracle CASB Cloud Service.

Prerequisites:

• In order to be monitored by Oracle CASB Cloud Service, your Office 365 instance must be running under at least an E3 license.

• If your users authenticate to Office 365 using the Okta identity provider, then you must also configure Okta.

Creating the Dedicated Oracle CASB Cloud Service User

Create and configure a dedicated Office 365 user that is reserved for communication with Oracle CASB Cloud Service.

This login is reserved for Oracle CASB Cloud Service. To maintain accurate activity records, the Oracle CASB Cloud Service user's login must never be shared.

Note:

It can be helpful to create an email alias for the Oracle CASB Cloud Service user, and forward email from this alias to your own email so that you can receive notifications that are sent to Oracle CASB Cloud Service.

1. Log in to Office 365, click the Apps icon, then click Admin to access the Admin center.

Note:

If you log in to Office 365 as a global administrator, the Office 365 application that Oracle CASB Cloud Service creates in Office 365 during integration is validated automatically. If you log in with less than global administrator privileges, a global administrator will have to validate the application manually to enable the connection to Oracle CASB Cloud Service.

2. In the left navigation panel, expand Users and select Active users.

3. On the Active users page, click + Add a user.

4. In the Set up the basics page:

• Enter a Display name.

• For User name, enter the first part of the email address for this user (omit the "@" and domain).

• Do not change the email domain default value.

This domain will be combined with the User name entry to create the full email address.


5. Under Password settings:

• Select Let me create the password.

• Enter and confirm a strong password for this user, and then copy this password for later use.

The account password should be complex (for example, at least 12 characters, with a combination of letters and numbers). As a result, you should log in one time on behalf of this account to set an appropriate password before registering it with Oracle CASB Cloud Service. Oracle CASB Cloud Service will monitor the activity of all users in the account that this administrator belongs to. Have this user's login credentials on hand when you register the account in the Oracle CASB Cloud Service console.

• Disable the check box (ensure that it is not selected): Require this user to change their password when they first sign in.

6. Click Next.

7. On the Assign product licenses page:

• Drop down the Select location list and select the country of your license.

• Ensure that Assign user a product license is selected, and then select the appropriate licensing option.

• Click Next.

8. On the Assign product licenses page:

• Select User (no administrator access).

Note:

If you prefer, a user with additional privileges that Oracle CASB Cloud Service doesn't require can be used instead. Security best practice is to provide only the minimal privileges that are required.

• Click Next.

9. On the You’re almost done… page:

• Review the settings you’ve assigned to this user.

• Click Edit below any item to change the setting.

10. Click Finish adding.

11. Click Close.

Next Steps

If you didn't log in to Office 365 as a global administrator before you performed the steps above, the Office 365 application that Oracle CASB Cloud Service creates in Office 365 during integration must be validated manually by an Office 365 global administrator.

Verifying That Credentials Propagate to Office 365 Logs and Reports

Ensure that the new user's credentials are propagated throughout Office 365.


1. Go to this URL: https://reports.office365.com

2. When you are prompted, enter the credentials for the Oracle CASB Cloud Service user.

3. If you receive an HTTP 401 error, wait for an hour and retry the login.

If you see a screen with plain text data (which can include actual report data, depending on the amount of time elapsed between creating the Oracle CASB Cloud Service user and logging in), the Oracle CASB Cloud Service user is now able to collect log data.

What To Do Next

What you do next depends on how users log in to Office 365.

• If users log in through Okta, then see Using Okta Single Sign-On with Office 365 to set up Oracle CASB Cloud Service's method for logging in to Office 365.

• If users log in directly to Office 365, then go to Adding an Office 365 Instance.

Using Okta Single Sign-On with Office 365

If users log in to Box through Okta single sign-on, then add the Oracle CASB Cloud Service user to Okta.

Creating an Oracle CASB Cloud Service User in Okta

Create a dedicated user in Okta for communication with Oracle CASB Cloud Service.

1. Log in to Okta as an admin user with Super Administrator privilege.

2. In the Okta Dashboard, select Directory, People.

3. On the People page, click Add Person.

4. In the Add Person dialog box, fill in the information for the new user that will serve as the dedicated Oracle CASB Cloud Service user, and then click Add Person.

5. On the People page, select Security, Administrators, and then click Add Administrator.

6. In the Add administrator dialog box, enter the name of the Oracle CASB Cloud Service user, select Super Administrator, and then click Add Administrator.

7. Log out of Okta and log back in as the Oracle CASB Cloud Service user you just created.

8. From the Okta Dashboard, select Security, API, and then click Create Token.

9. In the Create Token dialog box, enter a name for the token and click Create Token.

Remember the token name. You will need it when you register your Office 365 instance in the Oracle CASB Cloud Service console.


Creating an Okta Identity Provider Instance

Create and configure an Okta identity provider (IDP) instance in Oracle CASB Cloud Service.

To complete the connection between Okta and Oracle CASB Cloud Service, you must configure an Okta identity provider (IDP) instance in Oracle CASB Cloud Service. The Okta IDP instance completes the connection between Okta and Oracle CASB Cloud Service.

1. Select Configuration, Identity Provider Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add IDP.

3. In the Add an IDP instance dialog box:

a. Set Provider to Okta.

b. Enter an Instance Name and Description.

Note:

Important: The instance name should clearly identify the IDP and the application type, so these are obvious later when you are connecting an application instance to the IDP instance.

c. For API Key, enter the token name for the token you created for the Oracle CASB Cloud Service user in Okta.

d. For URL to the provider, enter the URL that you accessed to create the Oracle CASB Cloud Service user in Okta.

e. Click Save.

What To Do Next

With Okta single sign-on configured, you are ready to register an Office 365 instance.

Go to Adding an Office 365 Instance.

Adding an Office 365 Instance

After completing the necessary configurations in Office 365, add or register the Office 365 instance in Oracle CASB Cloud Service.

Prerequisite: You have completed the steps in Creating the Dedicated Oracle CASB Cloud Service User. You have now:

• Created an Office 365 user with minimum privileges for dedicated use with Oracle CASB Cloud Service

• Obtained the credentials for an Office 365 user with global administrator privileges that you can use to register the Office 365 instance.


Additionally, if your users authenticate to Office 365 using the Okta identity provider service, then you need to do additional setup. See Using Okta Single Sign-On with Office 365.

Currently, Oracle CASB Cloud Service notifies you when various security configuration settings in Office 365 fall below Oracle CASB Cloud Service's preferred defaults.

Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn't provide any additional information.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Office 365 icon and then click Next.

4. In the Select an app instance page:

a. Enter a name for the instance in the Type a unique name... box.

Any existing names appear below the name field.

b. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

5. In the Enter credentials page, enter the user name and password for the Oracle CASB Cloud Service administrator that you set up in Office 365, and then click Test Credentials.

6. When testing is done, you see a success message. Click Submit.

After a brief wait, you are directed to the Office 365 site and prompted to verify your credentials. After completing the Office 365 authentication, you are automatically sent back to the Oracle CASB Cloud Service console.

Note:

If you don't complete this step, registration will complete with only limited functionality. Oracle CASB Cloud Service will only be able to monitor Office 365 Exchange messaging.

7. When you see the Please Wait... message, click Continue.


8. In the Pick an account dialog box, select the global administrator account for which you have login credentials.

9. When the list of permissions is displayed, click Accept.

10. When you return to the Oracle CASB Cloud Service console, click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Next Steps

If you are implementing smart configuration for this Office 365 instance, then perform the steps in Updating Smart Configuration for Office 365.

Updating an Office 365 Instance

Modify application settings for an existing Office 365 instance.

Updating the Credentials for an Office 365 Instance

Change the login credentials for an Office 365 instance.

When the login credentials that you used to register an Office 365 instance are no longer valid (for example, the password expired), you must also update the credentials in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update credentials page, enter the user name and password in the text fields, and then click Test Credentials.

3. When testing is done you see a success message. Click Submit. After a brief wait, you are directed to the Office 365 site and prompted to verify your credentials. After completing Office 365 authentication, you are automatically sent back to the Oracle CASB Cloud Service console.

4. Click Next to view the confirmation page.


Updating the IDP Instance for an Office 365 Instance

Change the way an Office 365 instance communicates with an identity provider (IDP).

You can update the way that an Office 365 instance communicates with an identity provider (IDP):

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update IDP Instance.

• In grid view, drop down the Action list for the instance you want to modify and select Update IDP Instance.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update IDP Instance, and then select the application instance you want to modify and click Next.

2. In the Update IDP instance page, change the identity provider (IDP) instance, the active application defined in the identity provider, or both, and then click Next.

3. In the Success page, click Done.

Updating Smart Configuration for Office 365

Disable or enable categories of security control baseline settings for which Oracle CASB Cloud Service generates security control alerts in Risk Events.

Prerequisite: Register the Office 365 instance. See Adding an Office 365 Instance.

By default, all configuration monitoring settings are on after you enable configuration monitoring. Follow the steps below to disable, or later reenable, particular settings.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update config monitoring.

• In grid view, drop down the Action list for the instance you want to modify and select Update config monitoring.


Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update config monitoring, and then select the application instance you want to modify and click Next.

2. On the Update config monitoring page, disable or enable any of the categories by changing the New setting threshold setting.

If you disable a category, risk events for that category will no longer be generated in Risk Events.

3. When you have finished making changes, select Use the new threshold values in the lower left corner, and then click Next.

Next Steps for Office 365

Now that you have finished setting up your Office 365 instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Office 365 instance:

• Creating Policy Alerts for Office 365, Creating Policy Alerts for Office 365 Exchange Online, Creating Policy Alerts for Office 365 SharePoint and OneDrive, and Creating Policy Alerts for Office 365 Azure Active Directory — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Microsoft Office 365 — to view predefined reports for Office 365.

See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


14 Setting Up Oracle Cloud Infrastructure (OCI)

Prepare Oracle Cloud Infrastructure (OCI) and register your application instance with Oracle CASB Cloud Service for security monitoring.

Oracle CASB Cloud Service detects potential risks in your Oracle Cloud Infrastructure account, including activity within Oracle Cloud Infrastructure that violates your policies and user behavior patterns that appear to be suspicious.

Note:

If you already have an OCI account that you have created through Signing Up for Oracle Cloud Infrastructure using either the "Pay as You Go" or the "Bring Your Own License" option, you can access the Oracle CASB Cloud Service console from the Oracle Cloud My Services dashboard by following steps 5-7 in Accessing Oracle CASB Cloud Service Using Universal Credits.

Topics:

• Typical Workflow for OCI Monitoring

• Preparing OCI

• Adding an OCI Instance

• Updating an OCI Instance

• Working with OCI Security Control Baseline Settings and Templates

Typical Workflow for OCI Monitoring

With Oracle CASB Cloud Service, you can monitor Oracle Cloud Infrastructure to detect potential risks.

Task | Description | Additional Information
Prepare a public/private key pair. | You need to have a public/private key pair available to work with OCI. | Preparing a Public/Private Key Pair
Prepare an OCI account. | You can ensure that your Oracle Cloud Infrastructure account is ready to monitor in Oracle CASB Cloud. | Preparing OCI
Add an OCI instance. | You can register an Oracle Cloud Infrastructure application instance in monitoring-only mode. | Adding an OCI Instance
Update credentials for an Oracle Cloud Infrastructure instance. | You can update the credentials for an Oracle Cloud Infrastructure instance. | Updating the Credentials for an OCI Instance
Update security control baseline settings for groups of OCI instances and for templates. | You can update security control baseline settings for groups of OCI instances directly, and templates that control these settings for multiple OCI instances. | Working with OCI Security Control Baseline Settings and Templates

Preparing OCI

Before registering your Oracle Cloud Infrastructure (OCI) application instance with Oracle CASB Cloud Service, create and configure a dedicated OCI user account.

Prerequisite: Ensure that you have a public/private key pair available to use with OCI.

The steps below guide you through performing four tasks in OCI:

1. Creating an identity account, or user.

2. Getting the public key for the user from Oracle CASB Cloud Service.

3. Creating an identity group.

4. Assigning the identity account, or user to the identity group.

5. Creating an identity policy to grant access privileges to the group that includes the user.

a. This is the simplest policy, very convenient for non-production environments:

Allow group YourGroupNameGoesHere to read all-resources in tenancy

b. These are the entries for the tightest policy, with the minimal set of privileges required for production (each where-clause limits the grant to the operations that Oracle CASB Cloud Service actually calls):

Allow group YourGroupNameGoesHere to inspect all-resources in tenancy

Allow group YourGroupNameGoesHere to read audit-events in tenancy

Allow group YourGroupNameGoesHere to read object-family in tenancy where request.operation='GetBucket'

Allow group YourGroupNameGoesHere to read instance-family in tenancy where any {request.operation='ListInstances', request.operation='GetInstance'}

Allow group YourGroupNameGoesHere to read users in tenancy where any {request.operation='ListApiKeys', request.operation='ListSwiftPasswords'}
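The following is an added example, not part of the Oracle documentation or of Oracle CASB Cloud Service: it generates the two policy variants above for a given group name and checks an existing set of statements against the minimal production policy, flagging over-broad verbs (such as `read all-resources`), grants to an unexpected group, and malformed where-clauses (a `-` typed for `=` or a missing closing quote) before they are submitted. The function names and the over-permission check are this example's own; the statement text is taken from the section above.

```python
"""Least-privilege check for the Oracle CASB Cloud Service OCI IAM policy.

Added example (not Oracle's own code). Statement text is the minimal
production policy documented in the "Preparing OCI" section; the helper
names and the excess-privilege check are this example's own.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# OCI policy verbs in increasing order of power; each includes the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


def minimal_casb_policy(group: str) -> List[str]:
    """The production (least-privilege) statements from the section above."""
    return [
        f"Allow group {group} to inspect all-resources in tenancy",
        f"Allow group {group} to read audit-events in tenancy",
        f"Allow group {group} to read object-family in tenancy "
        f"where request.operation='GetBucket'",
        f"Allow group {group} to read instance-family in tenancy "
        f"where any {{request.operation='ListInstances', request.operation='GetInstance'}}",
        f"Allow group {group} to read users in tenancy "
        f"where any {{request.operation='ListApiKeys', request.operation='ListSwiftPasswords'}}",
    ]


def simple_casb_policy(group: str) -> List[str]:
    """The convenient non-production statement from the section above."""
    return [f"Allow group {group} to read all-resources in tenancy"]


# Shape of a tenancy-scoped statement with an optional where-clause.
_STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in tenancy(?: where (?P<cond>.+))?$"
)
# Accepted where-clauses: one request.operation test, or any {...} of them.
_OP = r"request\.operation='[A-Za-z]+'"
_COND_RE = re.compile(rf"^(?:{_OP}|any \{{\s*{_OP}(?:\s*,\s*{_OP})*\s*\}})$")


def parse_statement(stmt: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the statement's parts, or None if it is not well-formed."""
    m = _STATEMENT_RE.match(stmt.strip())
    if not m:
        return None
    parts = m.groupdict()
    if parts["cond"] is not None and not _COND_RE.match(parts["cond"].strip()):
        return None  # e.g. '-' typed for '=', or a missing closing quote
    return parts


def find_excess(statements: List[str], group: str) -> List[str]:
    """Compare statements with the minimal policy; one finding per problem.

    An empty list means every statement is within the documented minimum.
    """
    baseline: Dict[str, Tuple[str, Optional[str]]] = {}
    for s in minimal_casb_policy(group):
        p = parse_statement(s)
        assert p is not None
        baseline[p["resource"]] = (p["verb"], p["cond"])

    findings: List[str] = []
    for s in statements:
        p = parse_statement(s)
        if p is None:
            findings.append(f"malformed statement: {s!r}")
            continue
        if p["group"] != group:
            findings.append(f"statement grants to group {p['group']}, expected {group}")
            continue
        if p["resource"] not in baseline:
            findings.append(f"{p['resource']}: not needed by Oracle CASB Cloud Service")
            continue
        want_verb, want_cond = baseline[p["resource"]]
        if VERB_RANK[p["verb"]] > VERB_RANK[want_verb]:
            findings.append(f"{p['resource']}: verb {p['verb']} exceeds required {want_verb}")
        if want_cond is not None and p["cond"] is None:
            findings.append(f"{p['resource']}: missing the where-clause that limits operations")
    return findings


def statements_json(statements: List[str]) -> str:
    """Serialise statements as a JSON array (the form the OCI CLI's
    policy-create command takes for its statements; assumption, see lead-in)."""
    return json.dumps(statements, indent=2)


if __name__ == "__main__":
    grp = "MY_CASB_GROUP"  # the group name used in the steps below
    print("Minimal policy findings:", find_excess(minimal_casb_policy(grp), grp))
    print("Simple policy findings:", find_excess(simple_casb_policy(grp), grp))
    print(statements_json(minimal_casb_policy(grp)))
```

The JSON output is the statement array format accepted by `oci iam policy create --statements` (an assumption about the CLI, not something the section above states).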


Note:

Oracle CASB Cloud Service uses OCI SDK 1.2.28 to monitor the us-ashburn-1, us-phoenix-1, and eu-frankfurt-1 regions.

1. Log in to your OCI account as an administrator, with privileges to create a user and assign privileges.

2. From the Navigation Drawer, select Identity, Users.

3. On the Users page, click the Create User button.

4. In the Create User dialog box:

a. Enter MY_CASB_ACCOUNT for the Name.

If you wish to use a different name, ensure that you select that user name in the next step below.

b. Enter something like Oracle CASB Service Account for the Description.

You may enter whatever you like here.

c. Click Create.

5. On the Users page, locate the user you just created and click the user name link.

6. On the user details page, in the Resources panel on the left, click API Keys.

7. Click Add Public Key, below the API Keys header.

Now, you need to get the public key from Oracle CASB Cloud Service.

8. Open the Oracle CASB Cloud Service admin console in a separate browser window.

9. Click the Navigation Menu icon, then select Configuration, and then CASB Key-Pair Management.

10. Click the Copy to Clipboard icon to copy the key.

11. Switch back to the browser window with the OCI admin console.

12. Paste the public key in the Public Key field, and then click Add.

13. From the Navigation Drawer, select Identity, Groups.

14. Click the Create Group button.

15. In the Create Group dialog box:

a. Enter MY_CASB_GROUP for the Name.

If you wish to use a different name, you must match what you enter here for Name in the Create Policy dialog box step below.

b. Enter something like Oracle CASB Service Account Group for the Description.

You may enter whatever you like here.

c. Click Submit.

16. From the Navigation Drawer, select Identity, Users.


17. Click the name link for the user you just created (MY_CASB_ACCOUNT, or the user name you used in place of this).

18. From the Navigation Drawer, select Identity, Groups.

19. Click the Add User to Group button.

20. Select MY_CASB_GROUP from the drop-down list to add the user to this group.

If you gave your group a different name when you created the group in the step above, ensure that you select that name here.

21. From the Navigation Drawer, select Identity, Policies.

22. Click the Create Policy button.

23. In the Create Policy dialog box:

a. Enter MY_CASB_POLICY for the Name.

b. Enter something like Oracle CASB Service Account Group Policy for the Description.

You may enter whatever you like here.

c. Switch back to the browser window with the Oracle CASB Cloud Service console.

d. In the informational message at the bottom of the CASB Key-Pair Management page, click the "here" link.

The Creating a functional OCI Service Account dialog box opens.

e. In line 3, enter the name of the identity group you just created in OCI.

24. If this is a production environment:

a. Click the Copy to Clipboard icon to the right of the first/next statement in section 5-b.

b. Switch back to the browser window with the OCI console where the Create Policy dialog box is still open.

c. In the Policy Statements section, paste the copied statement into the STATEMENT box.

d. If you didn't name your group MY_CASB_GROUP, replace MY_CASB_GROUP in the pasted statement with the group name you created.

e. If this wasn't the last of the 5 statements under 5-b in the Oracle CASB Cloud Service Creating a functional OCI Service Account dialog box:

i. Click the plus sign below the statement you just pasted to open another text box.

ii. Switch back to the browser window with the Oracle CASB Cloud Service console.

iii. Repeat the production environment sub-steps above.

25. If this is not a production environment:

a. Click the Copy to Clipboard icon to the right of the statement in section 5-a.

b. In the Policy Statements section, paste the copied statement into the STATEMENT box.


c. If you didn't name your group MY_CASB_GROUP, replace MY_CASB_GROUP in the pasted statement with the group name you created.

26. Click Create.
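The five statements in section 5-b are the least-privilege grant for the monitoring group, and step 24-d has you substitute your own group name into each one by hand. The script below is an added example, not part of the Oracle documentation or an Oracle tool: it fills the group name into the production statements (or the single non-production statement from 5-a), lints each statement for the slips that make a policy unusable (a `-` where `=` belongs, an unclosed quote, a placeholder that was never replaced), and emits the list as a JSON array. The group-name check, the helper names, and the JSON form (which matches what the OCI CLI's `--statements` option accepts for `oci iam policy create`) are assumptions; the page itself only describes the console.

```python
"""Generate and lint OCI IAM policy statements for the CASB monitoring group.

Added example, not part of the Oracle documentation. The statement text follows
the production (5-b) and non-production (5-a) policies from "Preparing OCI";
replacing the group name mirrors step 24-d. The name check and the JSON output
format are assumptions (the JSON list is the form the OCI CLI's --statements
option takes, which this page does not discuss).
"""
import json
import re

GROUP_PLACEHOLDER = "YourGroupNameGoesHere"  # the placeholder used on the page

# Section 5-b: the minimal set of privileges for production monitoring.
PRODUCTION_TEMPLATES = [
    "Allow group YourGroupNameGoesHere to inspect all-resources in tenancy",
    "Allow group YourGroupNameGoesHere to read audit-events in tenancy",
    "Allow group YourGroupNameGoesHere to read object-family in tenancy "
    "where request.operation='GetBucket'",
    "Allow group YourGroupNameGoesHere to read instance-family in tenancy "
    "where any { request.operation='ListInstances', request.operation='GetInstance' }",
    "Allow group YourGroupNameGoesHere to read users in tenancy "
    "where any { request.operation='ListApiKeys', request.operation='ListSwiftPasswords' }",
]

# Section 5-a: the broad convenience policy for non-production environments.
NON_PRODUCTION_TEMPLATE = "Allow group YourGroupNameGoesHere to read all-resources in tenancy"

# Assumption: a conservative name check (letters, digits, '.', '_', '-', '+').
# It rejects whitespace, which would silently split the statement.
GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9._+-]+$")

STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[a-z-]+) in tenancy(?P<cond> where .+)?$"
)
# Every condition on this page has the form request.operation='<OperationName>'.
CONDITION_RE = re.compile(r"request\.operation='[A-Za-z]+'")


def production_statements(group):
    """Return the five least-privilege statements with the group name filled in."""
    if not GROUP_NAME_RE.match(group):
        raise ValueError(f"invalid OCI group name: {group!r}")
    return [t.replace(GROUP_PLACEHOLDER, group) for t in PRODUCTION_TEMPLATES]


def non_production_statements(group):
    """Return the single read-everything statement (not for production)."""
    if not GROUP_NAME_RE.match(group):
        raise ValueError(f"invalid OCI group name: {group!r}")
    return [NON_PRODUCTION_TEMPLATE.replace(GROUP_PLACEHOLDER, group)]


def validate_statement(stmt):
    """Return the problems found in one statement; an empty list means well formed."""
    m = STATEMENT_RE.match(stmt)
    if not m:
        return ["not of the form: Allow group <name> to <verb> <resource> in tenancy [where ...]"]
    problems = []
    if m.group("group") == GROUP_PLACEHOLDER:
        problems.append("group placeholder was not replaced (step 24-d)")
    cond = m.group("cond") or ""
    if cond.count("'") % 2:
        problems.append("unbalanced quote in where clause")
    if cond.count("request.operation") != len(CONDITION_RE.findall(cond)):
        problems.append("each condition must be written request.operation='<Name>'")
    return problems


def statements_json(statements):
    """Serialize a validated statement list as a JSON array (assumed usage:
    save to policy.json and pass --statements file://policy.json to the CLI)."""
    bad = {s: validate_statement(s) for s in statements}
    bad = {s: p for s, p in bad.items() if p}
    if bad:
        raise ValueError(f"malformed statements: {bad}")
    return json.dumps(statements, indent=2)


if __name__ == "__main__":
    print(statements_json(production_statements("MY_CASB_GROUP")))
```

Running the script prints the production statements for MY_CASB_GROUP; feeding the lint function the garbled forms that appear in some extractions of this page (for example `request.operation-'ListInstances'` with a missing closing quote) reports both the stray hyphen and the unbalanced quote before anything is pasted into the Create Policy dialog box.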

Preparing a Public/Private Key Pair

Ensure that you have a public/private key pair available for use by Oracle Cloud Infrastructure (OCI) before you prepare and register an OCI instance to be monitored by Oracle CASB Cloud Service.

1. Select Configuration from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. From the Configuration submenu, select CASB Key-Pair Management.

3. If the Key generation date is not new enough, according to your organization's security policies, click Create new keys.

4. Click Generate new keys.

The User public key field is updated with a new key value.

5. Click the Copy to Clipboard icon to copy the User public key value to the clipboard.

You can also use the Download icon to download the public key to a file.

6. Log in to the OCI console using the credentials for the dedicated Oracle CASB Cloud Service account user.

7. Drop down the menu from the user icon in the top right corner and select the user ID.

8. On the User Details page, under API Keys, click Add Public Key.

Note:

OCI allows a maximum of three public keys to be added. If the OCI console displays an error message indicating that the maximum number has already been reached, delete one of the keys listed under API Keys, and then add the new key.

9. In the Add Public Key dialog box, paste the public key you just copied from the CASB Key-Pair Management page into the PUBLIC KEY box.

If you downloaded the key to a file, open the oci_api_key_public.pem file, copy the entire contents, and then paste into the PUBLIC KEY box.

10. When you have completed the steps above in the OCI console, return to the CASB Key-Pair Management page and click Install new keys.


Caution:

If another person, such as an admin, performs the steps above in the OCI console, ensure that those steps have been completed before you click Install new keys. Clicking Install new keys before the new public key has been added in the OCI console will disable all currently registered OCI application instances.
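The caution above describes a real outage path: if Install new keys is clicked before the new public key exists on the OCI user, every registered OCI instance stops working, and the note before it limits a user to three API keys. The following preflight check is an added example, not Oracle's code: it computes the fingerprint of the public key that CASB generated (the contents of oci_api_key_public.pem) and compares it with the keys listed on the dedicated OCI user, reporting whether the key is already in place and whether a free slot remains. Two assumptions are made that the page does not state: that the OCI API-key fingerprint is the colon-separated MD5 of the DER-encoded public key (the value shown in the console under API Keys), and that the key listing has the shape returned by `oci iam user api-key list --user-id <ocid>`, a "data" list whose entries carry "fingerprint" and "lifecycle-state". The sample PEM and listing are constructed placeholders.

```python
"""Preflight check before clicking "Install new keys" on the CASB Key-Pair Management page.

Added example, not Oracle's code. Compares the fingerprint of the CASB-generated
public key with the API keys on the dedicated OCI user. Assumptions (not stated on
this page): OCI API-key fingerprints are the colon-separated MD5 of the DER-encoded
public key, and the listing follows the JSON shape of
`oci iam user api-key list --user-id <ocid>` ("data" list with "fingerprint" and
"lifecycle-state" fields).
"""
import base64
import hashlib
import re

MAX_API_KEYS = 3  # limit stated in the documentation's note

PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def pem_to_der(pem):
    """Extract and base64-decode the body of a PEM 'PUBLIC KEY' block
    (the format of oci_api_key_public.pem)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("expected a -----BEGIN PUBLIC KEY----- block")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint_from_der(der):
    """Colon-separated MD5 hex digest, the format OCI uses for API-key fingerprints."""
    digest = hashlib.md5(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint(pem):
    return fingerprint_from_der(pem_to_der(pem))


def active_fingerprints(listing):
    """Fingerprints of keys still ACTIVE on the user; deleted keys do not occupy a slot."""
    return [k["fingerprint"] for k in listing.get("data", [])
            if k.get("lifecycle-state") == "ACTIVE"]


def preflight(pem, listing):
    """Decide whether it is safe to click Install new keys.

    Returns the expected fingerprint, whether it is already on the OCI user, how
    many key slots remain, and a verdict:
      ok                 - key is registered; Install new keys will not break instances
      add-key-first      - key missing but a slot is free: add it in OCI first
      delete-a-key-first - key missing and all slots used: delete an old key, then add
    """
    fp = fingerprint(pem)
    active = active_fingerprints(listing)
    installed = fp in active
    free_slots = MAX_API_KEYS - len(active)
    if installed:
        verdict = "ok"
    elif free_slots > 0:
        verdict = "add-key-first"
    else:
        verdict = "delete-a-key-first"
    return {"fingerprint": fp, "installed": installed,
            "free_slots": free_slots, "verdict": verdict}


# Constructed sample input: the PEM body is a placeholder (base64 of "abc"), not a
# real key, so its fingerprint is simply MD5("abc") written OCI-style.
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nYWJj\n-----END PUBLIC KEY-----\n"
SAMPLE_FINGERPRINT = "90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72"

# Constructed listing: the new key, one older active key, and one deleted key.
SAMPLE_LISTING = {
    "data": [
        {"fingerprint": "aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa",
         "lifecycle-state": "ACTIVE"},
        {"fingerprint": SAMPLE_FINGERPRINT, "lifecycle-state": "ACTIVE"},
        {"fingerprint": "bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb",
         "lifecycle-state": "DELETED"},
    ]
}

if __name__ == "__main__":
    print(preflight(SAMPLE_PEM, SAMPLE_LISTING))
```

In practice the PEM would be the file downloaded from the CASB Key-Pair Management page and the listing the output of the CLI call named in the lead-in; a verdict other than "ok" means the OCI-side steps are not finished and Install new keys should wait.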

Adding an OCI Instance

After completing the necessary configurations in Oracle Cloud Infrastructure, add or register the OCI instance in Oracle CASB Cloud Service.

Prerequisites: Complete the steps in Preparing a Public/Private Key Pair and Preparing OCI.

Note:

• Only OCI administrator users should register an OCI instance with Oracle CASB Cloud Service.

• You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.

• You can only register Oracle Cloud Infrastructure in monitor-only mode.

You have several options when you add an OCI instance in Oracle CASB Cloud Service, based on the type of OCI compartment that is monitored. In each instance, a single compartment is monitored:

• OCI Tenancy - the root compartment that contains all of your organization's compartments and other Oracle Cloud Infrastructure cloud resources.

See Adding an OCI Tenancy.

• Compartment under a registered Tenancy - a specified compartment under a registered OCI tenancy. Only the collection of related resources within the specified compartment, which are accessible only by certain groups that have been given permission by an administrator in your organization, are monitored.


Note:

If bulk registration of OCI compartments is enabled on your Oracle CASB Cloud Service tenant, this option of registering one compartment at a time is no longer available. Instead, after you register the OCI tenancy (Adding an OCI Tenancy), you register multiple compartments that you want Oracle CASB Cloud Service to monitor in that tenancy (Updating Registered Compartments for an OCI Instance).

To enable bulk registration of OCI compartments, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

When you register a compartment inside a tenancy that is already registered in Oracle CASB Cloud Service, the compartment inherits access credentials from the parent tenancy, so you only have to specify the compartment name.

See Adding an OCI Compartment under a Registered Tenancy.

Note:

If the OCI instance for the parent tenancy is ever deleted from Oracle CASB Cloud Service, the Compartment under a registered Tenancy automatically becomes a Standalone Compartment that retains the credentials from the parent tenancy.

• A Standalone Compartment – an OCI compartment that is accessed directly, without first registering the OCI tenancy in Oracle CASB Cloud Service. As with a compartment under a registered tenancy, only the collection of related resources within the specified compartment, which are accessible only by certain groups that have been given permission by an administrator in your organization, are monitored.

When you register a standalone compartment, you have to specify all the credentials required to access the parent tenancy.

See Adding an OCI Standalone Compartment.

Adding an OCI Tenancy

Add an OCI instance with tenancy as the type of OCI compartment that Oracle CASB Cloud Service monitors.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Oracle Cloud Infrastructure icon, and then click Next.

4. On the Select an instance page:


a. Enter a name for the instance in the Type a unique name... box.

Any existing names appear below the name field.

b. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

5. In the Enter credentials page, under Select the type of OCI Compartment that Oracle CASB Cloud will monitor, select Tenancy.

If bulk registration of compartments is enabled, the label for this option is Tenancy (modify OCI Tenancy Instance to register Compartments).

6. To see the list of regions that will be monitored for this OCI instance, click the number to the right of Regions monitored.

7. In a separate browser window, log in to your OCI account.

8. In the OCI console, drop down the menu from the User icon in the top right corner and select Tenancy: <tenancy_name>.

9. On the tenancy details page, on the Tenancy Information tab, click the Copy link for the OCID value.

10. Switch back to the Oracle CASB Cloud Service console, Enter credentials page.

11. Paste the tenancy OCID value from the OCI console into the Tenancy OCID box.

12. Switch back to the OCI console.

13. Drop down the menu from the User icon in the top right corner and select the userlogin name.

14. On the User Details page, on the User Information tab, click the Copy link forthe user OCID value.

15. Switch back to the Oracle CASB Cloud Service console, Enter credentials page.

16. Paste the user OCID value from the OCI console into the User OCID box.

17. Click Test Credentials.

18. When you see the “Successfully initiated direct connection” message, click Submit.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Next Steps

If you want to customize the security control baseline settings for this OCI instance, perform the steps in Updating the Security Control Baseline for an OCI Instance.


If bulk registration of compartments is enabled, you can specify the exact combination of compartments you want Oracle CASB Cloud Service to monitor for this OCI instance. Perform the steps in Updating Registered Compartments for an OCI Instance.

Adding an OCI Compartment under a Registered Tenancy

Add an OCI instance with compartment as the type of OCI compartment that Oracle CASB Cloud Service monitors.

Note:

If bulk registration of OCI compartments is enabled on your Oracle CASB Cloud Service tenant, this option of registering one compartment at a time is no longer available. Instead, after you register the OCI tenancy (Adding an OCI Tenancy), you register multiple compartments that you want Oracle CASB Cloud Service to monitor in that tenancy (Updating Registered Compartments for an OCI Instance).

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Oracle Cloud Infrastructure icon, and then click Next.

4. On the Select an instance page:

a. Enter a name for the instance in the Type a unique name... box.

Any existing names appear below the name field.

b. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

5. In the Enter credentials page, under Select the type of OCI Compartment that Oracle CASB Cloud will monitor, select Compartment under a registered Tenancy.

6. Drop down the OCI Application instance list and select the parent tenancy.

The Tenancy and Tenancy OCID values from the parent tenancy are automatically populated.

7. Click Test Credentials.


When the “Successfully initiated direct connection” message appears, two new fields, Compartment and Compartment OCID, are displayed.

8. Drop down the Compartment list and select the compartment that you want Oracle CASB Cloud Service to monitor.

The Compartment OCID is automatically populated.

Note:

• You can register a compartment under a tenancy only once.

• However, you can register multiple tenancy instances with the same Tenancy OCID.

9. Click Test Credentials.

10. When you see the “Successfully initiated direct connection” message, click Submit.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Next Steps

If you want to customize the security control baseline settings for this OCI instance, perform the steps in Updating the Security Control Baseline for an OCI Instance.

Adding an OCI Standalone Compartment

Add an OCI instance with standalone compartment as the type of OCI compartment that Oracle CASB Cloud Service monitors.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Oracle Cloud Infrastructure icon, and then click Next.

4. On the Select an instance page:

a. Enter a name for the instance in the Type a unique name... box.

Any existing names appear below the name field.

b. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.


c. Click Next.

5. In the Enter credentials page, under Select the type of OCI Compartment that Oracle CASB Cloud will monitor, select Standalone Compartment (Advanced).

6. To see the list of regions that will be monitored for this OCI instance, click the number to the right of Regions monitored.

7. In a separate browser window, log in to your OCI account with credentials for the dedicated Oracle CASB Cloud Service user account.

8. In the OCI console, drop down the menu from the User icon in the top left corner and select Tenancy: <tenancy_name>.

9. On the tenancy details page, on the Tenancy Information tab, click the Copy link for the OCID value.

10. Switch back to the Oracle CASB Cloud Service console, Enter credentials page.

11. Paste the Tenancy OCID value from the OCI console into the Tenancy OCID box.

12. Switch back to the OCI console.

13. Select the Compartment OCID value and click the Copy link.

14. Switch back to the Oracle CASB Cloud Service console, Enter credentials page.

15. Paste the Compartment OCID value from the OCI console into the Compartment OCID box.

16. Switch back to the OCI console.

17. On the User Information tab, click the Copy link for the user OCID value.

18. Switch back to the Oracle CASB Cloud Service console, Enter credentials page.

19. Paste the user OCID value from the OCI console into the User OCID box.

20. Click Test Credentials.

21. When you see the “Successfully initiated direct connection” message, click Submit.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Next Steps

If you want to customize the security control baseline settings for this OCI instance, perform the steps in Updating the Security Control Baseline for an OCI Instance.

If bulk registration of compartments is enabled, you can specify the exact combination of compartments you want Oracle CASB Cloud Service to monitor for this OCI instance. Perform the steps in Updating Registered Compartments for an OCI Instance.

Updating an OCI Instance

Modify settings for an existing OCI instance.


Updating the Credentials for an OCI Instance

Change the login credentials for an Oracle Cloud Infrastructure instance.

When the login credentials that you used to register an Oracle Cloud Infrastructure instance expire or are updated, you must update these credentials both in Oracle Cloud Infrastructure and in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update Credentials page, enter the current values for all the fields.

The combination of fields required depends on the selection made under Select the type of OCI Compartment that Oracle CASB Cloud Service will monitor.

For instructions on where to get the current values for the required fields, see the topic linked below for adding an OCI instance that corresponds to the Select the type of OCI Compartment that Oracle CASB Cloud Service will monitor setting.

Note:

You can't change the Select the type of OCI Compartment that Oracle CASB Cloud Service will monitor selection when you update credentials. To change the type of OCI compartment with which this OCI instance is registered, remove the OCI instance.

• Adding an OCI Tenancy

• Adding an OCI Compartment under a Registered Tenancy (option not available if your Oracle CASB Cloud Service tenant has bulk registration of OCI compartments enabled)


Note:

An OCI compartment under a registered tenancy inherits credentials from the parent tenancy. So you can test the credentials here, but you can't update them on this page. If the credentials test fails, or if you want to update the credentials, repeat the instructions on this page for the parent OCI tenancy.

• Adding an OCI Standalone Compartment

3. To see the list of regions that will be monitored for this OCI instance, click the number to the right of Regions monitored.

4. When you have finished filling in current values for all required fields, click Test Credentials.

5. When you see the “Successfully initiated direct connection” message, click Submit.

Updating the Security Control Baseline for an OCI Instance

Change security control baseline settings for an OCI instance.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Make changes as needed in the security control settings.

Note:

The OCI security control templates feature must be enabled by request. To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.


• If one or more OCI security control templates have been defined in your Oracle CASB Cloud Service tenant, you can drop down the Template list and select a template to attach to this OCI instance.

When you attach a template, all the security control settings (except for Exception) are loaded into the Update security control baseline page.

If you need to create a template, see Creating a Template.

• To understand how each security control behaves, and how to enter exceptions or configurations where those are supported, click the Help icon to the right of the security control name.

• To enable editing of a security control, click the Edit icon in the ACTION column for the security control.

Note:

If there is an Exception section for the security control, that is always editable. All other settings for a security control require you to click the Edit icon before you can make changes.

• To enable or disable a security control, click the selector tool in the Monitoring status column.

• To change the risk level for a security control, click the icon in the Risk Level column and make a different selection.

• To update templates or OCI instances with the current settings for a security control, click the Bulk Update icon to the right of the selector tool, and follow the prompts.

For more information on updating multiple templates or OCI instances with the current settings for a security control, see Updating a Security Control's Settings in Multiple Templates or Application Instances.

• To update OCI instances that you select with the current Exception setting for a security control, click the Bulk Update icon to the right of the Do not alert for box for the Exception, and follow the prompts.

For more information on updating multiple OCI instances with the current Exception setting for a security control, see Updating an Exception Setting in Multiple Application Instances.

3. When you are ready to save your changes:

a. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

• If the prompt says only "Use the new threshold values," your changes will update only the current OCI instance.

• If the prompt says "Use the new threshold values and update template <template_name>," your changes will also update the settings in the attached template.


Updating the settings in the attached template will update the settings in all the OCI instances that have that template attached.

b. When you are sure that your changes will update exactly what you want to update (just the OCI instance, or the OCI instance plus the attached template), select Use the new threshold values....

This enables the Submit button.

c. Click Submit.

Updating Registered Compartments for an OCI Instance

If bulk registration of compartments is enabled, you can specify the exact combination of compartments you want Oracle CASB Cloud Service to monitor.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Register compartments.

• In grid view, drop down the Action list for the instance you want to modify and select Register compartments.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Register compartments, and then select the application instance you want to modify and click Next.

2. To see the list of regions that will be monitored for this OCI instance, click the number to the right of Regions monitored.

3. Click Test Credentials.

After the credentials are confirmed, a Compartment list appears.

4. Drop down the Compartment list and select the combination of compartments you want Oracle CASB Cloud Service to monitor.

Selecting a compartment at a higher level in the hierarchy selects all the compartments below it.

5. After compartments are selected, click Next.

6. (Optional) On the Map Instances page, change the display name of any compartment for which you want a different, more meaningful name to be displayed.

You can give any compartment a different name, to be used in place of the actual name when Oracle CASB Cloud Service displays information about the compartment:

a. Click the Edit icon in the Action column for the compartment name.

b. Edit the name in the Instance name column.

Your Instance name entry can be up to 30 characters long.


7. Click Submit when you are ready to go on from the Map Instances page.

8. On the Complete page, click Done.

You will not be able to register additional compartments on the same OCI instance until processing has been completed for all the compartments specified in the previous request. To check the status of your request, see Checking Status of Compartments Being Registered.

Checking Status of Compartments Being Registered

If you are registering a large number of compartments at one time, you can check on the progress of the registration process to determine when it has completed.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Register compartments.

• In grid view, drop down the Action list for the instance you want to modify and select Register compartments.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Register compartments, and then select the application instance you want to modify and click Next.

2. On the Register compartments page, click the View icon to the right of Existing bulk registration request.

3. In the Bulk Registration request... dialog box, check the STATUS column.

• Check mark: registration has completed.

• "X": registration failed.

• Ellipsis ("…"): registration is still in process.

4. Click OK to close the Bulk Registration request... dialog box.

Working with OCI Security Control Baseline Settings and Templates

Learn about the different ways you can use OCI security templates to manage security control settings across OCI instances.


Note:

The OCI security control templates feature must be enabled by request. To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

Topics:

• About Security Control Templates and Application Instances

Review this topic first to get oriented to the available features.

• Creating a Template

If you want to use templates, the first thing to do is to create one.

• Attaching a Template to an OCI Application Instance

To use a template, you attach it to OCI instances.

• Using a Template as the Base for Custom Settings

You can use the security control settings from a template as the starting point for an OCI instance's security control settings, without permanently attaching the template.

• Editing a Template

Make changes in a template's security control settings whenever you need to.

• Updating a Security Control's Settings in Multiple Templates or Application Instances

Use the settings for a security control in one OCI instance to update, in one process, the same security control in multiple templates or multiple OCI instances.

• Updating an Exception Setting in Multiple Application Instances

Use the Exceptions settings for a security control in one OCI instance to update, in one process, the same security control's Exceptions settings in multiple OCI instances.

• Viewing an Inventory of Template Usage

See which security control templates are attached to which OCI instances.

• Duplicating a Template

Create a new security control template from an existing template. This is useful ifyou want to create a new template that will have similar settings.

• Deleting a Template

If you no longer need a template, you can delete it.

About Security Control Templates and Application Instances

Understand the security control template features that are available to make it easier to manage security control baseline settings across multiple OCI application instances.

When you are monitoring a lot of OCI instances in Oracle CASB Cloud Service, security control templates make it easy to manage the security control baseline settings for groups of instances that should have the same settings, in order to comply with your security policies. Even if you do not create security control templates, you can use the related bulk update feature to copy a security control setting from one OCI instance to multiple instances at once.

Security Control Templates

A security control template contains settings for all the security controls for an OCI application instance that is registered in Oracle CASB Cloud Service.

• No predefined security control templates are provided in Oracle CASB Cloud Service - you have to create them. See Creating a Template.

• Attaching a template to an OCI instance causes all the security control settings from the template to be copied into the OCI instance, where they become read-only. The template settings are in control, as long as the OCI instance has the template attached. See Attaching a Template to an OCI Application Instance.

• Exceptions settings are an exception. Some security controls have an Exceptions section. Any settings in these Exceptions sections are only stored for the individual OCI instances. Exceptions settings are not affected when you attach a template to an OCI instance - they remain editable.

Whether or not you use security control templates, you can copy the Exceptions settings from a single security control in an OCI instance to multiple OCI instances.

Bulk Updates of Security Control Settings

You can use the current settings for a security control from one OCI instance to update the same security control in multiple templates or multiple OCI instances. See Updating a Security Control's Settings in Multiple Templates or Application Instances.

• Open the source OCI instance, from which you wish to update multiple templates or OCI instances, on the Update security control baseline page.

• Select the individual templates or OCI instances to be updated. You can update the same security control setting in multiple templates or OCI instances at the same time.

• Exceptions settings are an exception. Bulk updates of security control Exceptions settings must be done separately - see the next section below.

Bulk Updates of Exceptions Settings

You can use the current Exceptions settings for a security control from one OCI instance to update the Exceptions settings for the same security control in multiple OCI instances. See Updating an Exception Setting in Multiple Application Instances.

• Open the source OCI instance, from which you wish to update multiple OCI instances, on the Update security control baseline page.

• Select the individual OCI instances to be updated. You can update the same security control Exceptions settings in multiple OCI instances at the same time.

• The Exceptions settings only are updated. Bulk updates of other security control settings must be done separately - see the section above.

Creating a Template

Create a template from the security control baseline settings for an OCI instance.

Prerequisite: You must have an OCI instance registered in Oracle CASB Cloud Service. See Adding an OCI Instance.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. To the right of the Template box at the top of the page, click the Plus Sign icon.

3. Enter a name for the new template in the box that appears.

Note:

After you press Enter on the new template's name, no changes are apparent at the top of the page. If you scroll to the bottom of the page, you'll see the new template's name in the Confirmation prompt.

4. Make any changes needed in the security control settings in the OCI instance, so that they are exactly what you want the template to have.

Click the Edit icon to make the settings editable for the security control.

The new template will pick up all the settings from the OCI instance except those in Exception sections.

5. When you are ready to create the new template, using the current security control settings for the OCI instance:

a. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

The prompt should say, "Use the new threshold values and update template <template_name>," where <template_name> is the name you entered at the top of the page.

b. When you have verified the confirmation prompt, select Use the new threshold values and update template <template_name>.

This enables the Submit button.

c. Click Submit.

The name of the template you just created now appears in the Template box at the top of the page. This indicates that the new template is now attached to this OCI instance.

6. If you do not want the new template to be attached to the OCI instance:

a. Reopen the OCI instance in the Update security control baseline page.

b. Drop down the Template list at the top of the page.

c. Select:

• Custom to detach the OCI instance from all templates, or

• Another template name, to attach that template to the OCI instance.

d. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

e. When you are sure that the prompt indicates that you will be making the change that you want to for this OCI instance, select Use the new threshold values....

This enables the Submit button.

f. Click Submit.

The Template box at the top of the page now shows either "Custom" or the name of the newly attached template.

Attaching a Template to an OCI Application Instance

Attach an existing template to an OCI instance.

Prerequisites:

• You must have an OCI instance registered in Oracle CASB Cloud Service. See Adding an OCI Instance.

• You must have created an OCI security control template in Oracle CASB Cloud Service. See Creating a Template.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Drop down the Template list at the top of the page.

3. Select the template you wish to attach.

The security control settings from the selected template now appear in all the security controls for the OCI instance. All settings are read-only, except for settings in Exception sections.

4. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

The prompt should say, "Use the new threshold values."

5. When you have verified the confirmation prompt, select Use the new threshold values and click Submit.

The OCI instance now will always use the current security control settings from the template. Any changes made in the template's security control settings are automatically reflected in the settings for all OCI instances to which the template is attached.

Using a Template as the Base for Custom Settings

You can attach a template to an OCI instance, then modify the settings from the template as a quick way to create custom settings that are similar to the template settings.

Prerequisites:

• You must have an OCI instance registered in Oracle CASB Cloud Service. See Adding an OCI Instance.

• You must have created an OCI security control template in Oracle CASB Cloud Service. See Creating a Template.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Drop down the Template list at the top of the page.

3. Select the template you wish to use as the basis for custom settings.

The security control settings from the selected template now appear in all the security controls for the OCI instance, except for those in the Exception sections.

4. Drop down the Template list at the top of the page and select Custom.

5. Make any changes you wish to in the security control settings from the template, to get exactly what you want in the custom settings for the OCI instance.

See Updating the Security Control Baseline for an OCI Instance.

6. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

The prompt should say, "Use the new threshold values."

7. When you have verified the confirmation prompt, select Use the new threshold values and click Submit.

The OCI instance now will always use the custom security control settings that you created from the template, with whatever modifications you made.

Editing a Template

You can edit a security control template by clicking the edit icon for a security control in an OCI instance that has the template attached.

Prerequisites:

• You must have an OCI instance registered in Oracle CASB Cloud Service. See Adding an OCI Instance.

• You must have created an OCI security control template in Oracle CASB Cloud Service. See Creating a Template.

• The security control template that you want to edit must be attached to the OCI instance that you open on the Update security control baseline page. See Attaching a Template to an OCI Application Instance.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Locate a security control that you want to change in the template, and:

a. Click the Edit icon to make the security control editable.

b. Make changes in the settings for the security control.

Remember that settings in Exception sections are not stored in templates.

See Updating the Security Control Baseline for an OCI Instance.

3. Repeat the previous step until you have made all the changes you wish to in the attached template's settings.

4. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

The prompt should say, "Use the new threshold values and update template <template_name>."

5. When you have verified the confirmation prompt, select Use the new threshold values and update template <template_name> and click Submit.

You have edited the settings in the attached template, and those changes will automatically be picked up by all other OCI instances that have the template attached.

Updating a Security Control's Settings in Multiple Templates or Application Instances

You can update multiple templates or OCI instances at once, with the settings from a security control in one OCI instance.

Note:

All the settings for the security control, except for those in an Exception section, update the same security control in the templates or application instances that you select. To update multiple OCI instances with the Exception settings for a security control, see Updating an Exception Setting in Multiple Application Instances.

Prerequisites:

• To update multiple OCI instances, you must have multiple OCI instances registered in Oracle CASB Cloud Service. See Adding an OCI Instance.

• To update multiple security control templates, you must have created multiple OCI security control templates in Oracle CASB Cloud Service. See Creating a Template.

• The security control setting that you want to use to update multiple templates or OCI instances must be set in the OCI instance that you open on the Update security control baseline page (before or after you open it).

Note:

When you update multiple templates or OCI instances with the settings from a specific security control from the Update security control baseline page, all the settings for the security control - except those in Exception sections - are copied into the same security control in the target templates or OCI instances.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Locate the security control whose settings you wish to use to update multiple templates or OCI instances.

Remember that any Exception settings will not be updated by this process.

3. Click the Bulk Update icon at the right end of the line with the security control label, to open the Push Security Control Settings dialog box.

4. To update multiple templates with this security control's settings:

a. On the Templates tab, select one or more templates to update.

b. Verify and select the Confirmation prompt at the bottom of the dialog box.

c. Click Submit.

The selected templates are updated with the settings from the security control in the OCI instance on the Update security control baseline page.

5. To update multiple OCI instances with this security control's settings:

a. On the Instances tab, select one or more OCI instances to update.

b. Verify and select the Confirmation prompt at the bottom of the dialog box.

c. Click Submit.

The selected OCI instances are updated with the settings from the security control in the OCI instance on the Update security control baseline page.

6. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

If you made any changes in security control settings before you updated multiple templates or OCI instances, you can now select the Confirmation prompt and click Submit to save those changes.

Updating an Exception Setting in Multiple Application Instances

You can use the Exception portion of a specific security control for one OCI instance to update the same setting in multiple OCI instances at once.

Prerequisites:

• To update multiple OCI instances, you must have multiple OCI instances registered in Oracle CASB Cloud Service. See Adding an OCI Instance.

• The security control setting that you want to use to update multiple templates or OCI instances must have an Exception section.

• The security control setting that you want to use to update multiple OCI instances must be set in the OCI instance that you open on the Update security control baseline page (before or after you open it).

When you update multiple OCI instances with the exceptions settings from a specific security control from the Update security control baseline page, settings in the Exception section are copied into the same security control in the target OCI instances. Other settings for the security control are not copied.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Locate the security control whose Exception settings you wish to use to update multiple OCI instances.

3. Click the Bulk Update icon on the right side of the Exception section.

4. In the Push Security Control Settings dialog box, select one or more OCI instances to update.

5. Verify and select the Confirmation prompt at the bottom of the dialog box.

6. Click Submit.

The selected OCI instances are updated with the settings from the Exception section of the security control in the OCI instance on the Update security control baseline page.

7. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

If you made any changes in security control settings before you updated multiple templates or OCI instances, you can now select the Confirmation prompt and click Submit to save those changes.

Viewing an Inventory of Template Usage

The Security Control Templates page lists all security control templates that have been created, and shows the OCI instances that are currently using them.

As you define more security control templates, and attach them to OCI application instances, you will want to see how your security templates are being used. The Security Control Templates page lists all the templates that have been defined, along with any OCI instances to which they are currently attached.

1. Select Configuration, Security Control Templates from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Locate a template in the TEMPLATE NAME column.

3. Look in the INSTANCE(S) column to see the OCI application instances to which this template is currently attached.

Duplicating a Template

You can duplicate a template that's attached to an OCI instance by "detaching" the template, then saving the settings with a new template name.

Tip:

Duplicating an existing template is a quick way to create a new template with similar settings. You only have to change settings that will be different in the new template.

Prerequisites:

• You must have an OCI instance registered in Oracle CASB Cloud Service. See Adding an OCI Instance.

• You must have created an OCI security control template in Oracle CASB Cloud Service. See Creating a Template.

• The template that you want to duplicate must be attached to an OCI instance that you open in the Update security control baseline page (before or after you open it).

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Verify that the Template box at the top of the page displays the name of the template that you want to duplicate.

3. Drop down the Template list and select Custom.

4. To the right of the Template box at the top of the page, click the Plus Sign icon.

5. Enter a name for the new template.

6. Make any changes needed in the security control settings in the OCI instance, so that those settings are exactly what you want the new template to have.

See Editing a Template. The new template will pick up all the settings from the OCI instance except Exceptions.

7. When you are ready to create the new template with the current security control settings:

a. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

The prompt should say, "Use the new threshold values and update template <template_name>," where <template_name> is the name you entered at the top of the page.

b. When you have verified the confirmation prompt, select Use the new threshold values and update template <template_name>.

This enables the Submit button.

c. Click Submit.

The name of the template you just created now appears in the Template box at the top of the page. This indicates that the new template is now attached to this OCI instance.

8. If you do not want the new template to be attached to the OCI instance:

a. Reopen the OCI instance in the Update security control baseline page.

b. Drop down the Template list at the top of the page.

c. Select:

• Custom to detach the OCI instance from all templates, or

• Another template name, to attach that template to the OCI instance.

d. Scroll to the bottom of the page and look at the prompt under the Confirmation heading.

e. When you are sure that the prompt indicates that you will be making the change that you want to for this OCI instance, select Use the new threshold values....

This enables the Submit button.

f. Click Submit.

The Template box at the top of the page now shows either "Custom" or the name of the newly attached template.

Deleting a Template

If you no longer need a security control template, you can delete it from the Security Control Templates page.

Note:

If a security control template is currently attached to one or more OCI instances, you can still delete it. When you delete the template, for each OCI instance where the template was attached:

• The OCI instance retains all the security control settings from the template.

• The Template setting for each OCI instance changes to Custom.

1. Select Configuration, Security Control Templates from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Locate the template you want to delete in the TEMPLATE NAME column.

3. In the ACTION column for the template, drop down the Action list and select Delete.

4. Confirm the deletion when prompted.

The security control template is deleted. Any application instances that had it attached retain the security control settings from the template, but now have the Template value on the Update security control baseline page set to Custom.

Next Steps for OCI

Now that you have finished setting up your Oracle Cloud Infrastructure instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new OCI instance:

• Creating Policy Alerts for Oracle Cloud Infrastructure (OCI) — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Oracle Cloud Infrastructure (OCI) — to view predefined reports for OCI.

See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.

15 Setting Up Oracle Enterprise Resource Planning (ERP) Cloud

Prepare Oracle ERP Cloud and register your application instance with Oracle CASB Cloud Service for security monitoring.

Oracle CASB Cloud Service detects potential risks in your Oracle ERP Cloud account, including activity within Oracle ERP Cloud that violates your policies and user behavior patterns that appear to be suspicious.

Note:

In order to be monitored by Oracle CASB Cloud Service, Oracle ERP Cloud must be version R12 BP7.

Topics:

• Typical Workflow for Oracle ERP Cloud Monitoring

• Preparing Oracle ERP Cloud

• Adding an Oracle ERP Cloud Instance

• Updating an Oracle ERP Cloud Instance

Typical Workflow for Oracle ERP Cloud Monitoring

With Oracle CASB Cloud Service, you can monitor Oracle ERP Cloud to detect potential risks.

Task: Prepare an Oracle ERP Cloud account.
Description: You can set up an Oracle CASB Cloud Service account in Oracle ERP Cloud.
Additional Information: Preparing Oracle ERP Cloud

Task: Add an Oracle ERP Cloud instance.
Description: You can register an Oracle ERP Cloud application instance in monitoring-only mode.
Additional Information: Adding an Oracle ERP Cloud Instance

Task: Update credentials for an Oracle ERP Cloud instance.
Description: You can update the credentials for an Oracle ERP Cloud instance.
Additional Information: Updating the Credentials for an Oracle ERP Cloud Instance

Preparing Oracle ERP Cloud

Before registering your Oracle ERP Cloud application instance with Oracle CASB Cloud Service, you need to create a dedicated administrative user within Oracle ERP Cloud and ensure that Oracle ERP Cloud auditing is enabled.

Creating a Dedicated Oracle CASB Cloud Service User in Oracle ERP Cloud

Create a dedicated user account for Oracle CASB Cloud Service in the Oracle ERP Cloud account that you want to monitor.

The user cannot use multifactor or federated authentication (for example, through a single sign-on service). You will use the login credentials for this user to allow Oracle CASB Cloud Service to connect to Oracle ERP Cloud and retrieve system events.

Note:

If you have already created a dedicated Oracle CASB Cloud Service administrative user account for another application within Oracle Applications Cloud, it is not necessary to create another user now.

• You can use that existing user for all Oracle Applications Cloud services to communicate with Oracle CASB Cloud Service.

• Or you can create a new user for individual Oracle Applications Cloud services, if you prefer.

1. Log into the Oracle Fusion Applications console as an administrator with permission to create other administrators.

2. In the Oracle Fusion Applications console home page:

a. Open the Navigator.

b. Scroll to the bottom.

c. Click More.

d. In the left panel, click Security Console.

3. In the left navigation panel, click Users.

4. On the User Accounts page, click Add User Account in the upper-right corner.

5. On the Add User Account page:

a. Set the Person Type field to None.

b. Enter a First Name for the user (for example, CASB).

c. Enter a Last Name to describe the account (for example, Oracle CASB Service Account).

d. Enter a User Name to identify the account (for example, CASB).


You will use this name when you register the application instance in Oracle CASB Cloud Service.

e. Enter a Password, and then re-enter it in Confirm Password.

f. Click Add Role.

6. In the Add Role Membership dialog box:

a. Paste this role code into the Search box.

ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY

b. Click the Search icon.

c. Select the ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY code returned in the search results.

d. Click Add Role Membership.

This assigns the Audit Access for Cloud Access Security Broker role.

e. Click OK on the confirmation message.

f. Click Done in the Add Role Membership dialog box.

7. On the Add User Account page, click Save and Close.

8. In the left navigation panel, click Roles.

9. On the Roles page, click Create Role in the upper-right corner.

10. On the Create Role : Basic Information page:

a. Enter a Role Name (for example, CASB_MANAGE_AUDIT_ROLE).

b. Copy that entry into the Role Code box.

c. Set Role Category to Setup - Job Roles.

d. Click Next.

11. On the Function Security page, Privileges tab, click Add Function Security Policy.

12. In the Add Function Security Policy dialog box:

a. Paste FND_MANAGE_AUDIT_POLICIES_PRIV into the Search box.

b. Click the Search icon.

c. Select the Manage Audit Policies privilege returned in the search results.

d. Click Add Privilege to Role.

e. Click OK on the confirmation message.

f. Click Done in the Add Function Security Policy dialog box.

13. Click Next until you reach the Summary page, then click Save and Close, and OK the confirmation message.

14. In the left navigation panel, click Users.

15. On the User Accounts page:

a. Enter the name of the CASB service user you created in the Search box.

b. Click the Search icon.


c. In the search results, locate the user you created and click the link next to User Name.

16. On the User Account Details page, click Edit.

17. On the Edit User Account page, click Add Role.

18. In the Add Role Membership dialog box:

a. Enter the name of the role you created (CASB_MANAGE_AUDIT_ROLE) in the Search box.

b. Click the Search icon.

c. Select the role in the search results.

d. Click Add Role Membership.

e. Click OK on the confirmation message.

f. Click Done in the Add Role Membership dialog box.

19. On the Edit User Account page, click Save and Close in the upper-right corner.

Note:

It takes up to 10 minutes for the changes to take effect. Please wait for a minimum of 10 minutes before you try to register an application instance, or update credentials for an existing application instance, in the CASB Cloud Service console.

Enabling Business Object Auditing for Oracle ERP Cloud

Configure auditing on business objects.

This task is necessary to enable business object auditing, so that you can customize the list of business objects that you want Oracle CASB Cloud Service to monitor for each Fusion Application instance that you register.

Note:

You must perform this task for each Fusion Application instance that you register. If you do not perform this task for a Fusion Application instance, Oracle CASB Cloud Service can't monitor business objects for that instance.

1. In the Oracle Fusion Applications console home page:

a. Open the Navigator.

b. Scroll down.

c. Click Setup and Maintenance in the lower-right corner.

2. On the Setup: Compensation Management page:

a. Enter manage audit policies in the Search Tasks box.


b. Click the Search icon.

c. In the search results, click Manage Audit Policies.

3. On the Manage Audit Policies page:

a. At the right end of the Oracle Fusion Applications row, set Audit Level to Auditing.

b. Click Save and Close at the top right.

Note:

The required business objects will be enabled for monitoring, based on the options you select when you register a new application instance, or update the credentials for an existing application instance. There is no need to enable individual business objects for auditing, within Oracle Fusion Applications.

Enabling Role Auditing for Oracle ERP Cloud

Set the security level for Oracle Platform Security Services (OPSS) auditing to capture all of the security events for the role changes that you want Oracle CASB Cloud Service to audit.

The default OPSS audit level for Oracle Fusion Applications is “none” — you must change this setting to Low - Critical Events Only, in order to fully enable role auditing.

Note:

You only need to set the OPSS audit level once, to support role auditing for all the application instances from the same Fusion Applications POD that are registered in the same Oracle CASB Cloud Service tenant.

1. Log in to the Oracle Fusion Applications console.

2. In the Oracle Fusion Applications console home page:

a. Open the Navigator.

b. Scroll down.

c. Click Setup and Maintenance in the lower-right corner.

3. On the Setup: Compensation Management page:

a. In the Search Tasks box, enter manage audit policies.

b. Click the Search icon.

c. In the search results, select Manage Audit Policies.

4. On the Manage Audit Policies page:

a. At the right end of the Oracle Platform Security Services row, set Audit Level to Low - Critical Events Only.


b. Click Save and Close.

Enabling Association of Oracle CASB Cloud Service with Oracle Access Manager (OAM) for ERP Cloud

If you want to enable OAM association with Oracle CASB Cloud Service, submit an Oracle Service Request.

This task is necessary to ensure that auditing is enabled for login and logout events for Fusion Application instances that Oracle CASB Cloud Service monitors.

Note:

You only need to enable OAM association once for the same Fusion Applications POD in the same Oracle CASB Cloud Service tenant. The OAM association option is then available to all instances of Oracle Fusion Applications (such as Oracle ERP Cloud, Oracle HCM Cloud, or Oracle Sales Cloud) in that Fusion Applications POD on that Oracle CASB Cloud Service tenant.

Enabling OAM association with Oracle CASB Cloud Service is a two-step process:

1. First, you must submit an Oracle Service Request, as described in the next section below.

2. After that request is fulfilled, you must enable OAM once for a Fusion Application in Oracle CASB Cloud Service.

You can do this when you register your Oracle ERP Cloud instance (see Adding an Oracle ERP Cloud Instance), or after registration (see Updating the Credentials for an Oracle ERP Cloud Instance).

Submitting an Oracle Support Service Request to enable OAM

Note:

In order to associate with OAM, you must be using Oracle Access Manager version R13 18.02 and you must request that your Oracle CASB Cloud Service tenant be enabled. To enable association with Oracle Access Manager, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

1. Log in to the Oracle Support Portal.

2. On the Dashboard, under the Technical Service Requests section, click Create Technical SR.

3. Enter a Problem Summary and a Problem Description.


4. Enter the Service Type, for example: Oracle Fusion Global Human Resource Cloud Service.

5. For Problem Type, select Cloud Hosting Service (Outage,P2T/T2T,EnableSSO,Resize,CloudPortal,MyServices,User/Password,Network,ScheduleMaintenance).

6. Specify your Support Identifier.

7. Select the appropriate Severity.

8. Click Next.

9. For Question 1, select Service Entitlements (Includes Federated SSO, Language Pack Installs, Data Masking, Break Glass etc.) as the area of concern.

10. From Question 2, select Configure Oracle Cloud Access Security Broker (CASB).

11. For Question Set 3, provide the following information:

• The POD name and the Fusion home page URL for which you want to enable Oracle CASB Cloud Service

For example, https://<POD_Name>.fs.ap1.oraclecloud.com/homePage/faces/AtkHomePageWelcome

• The Service User ID that you created in Creating a Dedicated Oracle CASB Cloud Service User in Oracle ERP Cloud.

• If you are using a Fusion Applications version earlier than R-13.18.05, provide the start time and the time zone for a 90 minute window during which your Fusion Application will not be available. Configuring this change requires a downtime of up to 90 minutes in versions earlier than R-13.18.05.

12. Click Continue.

13. Review your Support Request for completeness, and then click Submit.

Whitelisting Oracle CASB Cloud Service if Oracle ERP Cloud Fusion POD is Whitelisted

If Oracle ERP Cloud Fusion POD is whitelisted, you must whitelist some IP addresses for Oracle CASB Cloud Service.

Note:

You must perform this task for each Fusion Application instance that you register, if the Fusion Application POD is whitelisted. If you do not perform this task for a Fusion Application instance, Oracle CASB Cloud Service can't monitor that instance.

1. Browse to the Oracle Knowledge Base article, How To Integrate Oracle Fusion Cloud With Oracle CASB.

2. Scroll down to the section titled, Deployment Considerations If Fusion POD is whitelisted.


3. Whitelist the IP address listed there for the URL where your Oracle CASB Cloud Service tenant is hosted.

Adding an Oracle ERP Cloud Instance

After completing the necessary configurations in Oracle ERP Cloud, add or register the Oracle ERP Cloud instance in Oracle CASB Cloud Service.

Prerequisites: Complete the steps in Preparing Oracle ERP Cloud. You need the user ID and password that belongs to the dedicated user account that you created.

Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.

You can only register Oracle ERP Cloud in monitor-only mode.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Oracle Enterprise Resource Planning Cloud icon, and then click Next.

4. On the Select an instance page:

a. Enter a name for the instance in the Type a unique name... box.

Any existing names appear below the name field.

b. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

5. In the Select monitoring type page:

a. Select the Monitor ERP cloud role, role memberships and privileges check box.

b. Select the objects to be monitored.

c. Select the I understand and explicitly approve enabling auditing... check box, and then click Next.

6. In the Enter credentials page, enter the information you specified when you created the dedicated Oracle ERP Cloud user:


a. In the Host name field, enter the host name of the Oracle ERP Cloud service host.

For example, myerphost.com.

b. In the Username field, enter the name you entered in the User Name field when you created the dedicated user (Service User).

c. In the Password field, enter the password you entered when you created the dedicated user.

Do not share these credentials with another user or service.

d. If Oracle Access Manager (OAM) integration is enabled, there is an Associate with Oracle Access Manager Integration option:

• Select this option if you want this application instance to associate with OAM integration.

Note:

Ensure that you do not select this option for more than one instance of an Oracle Fusion Application (such as Oracle ERP Cloud, Oracle HCM Cloud, or Oracle Sales Cloud) in the same Oracle CASB Cloud Service tenant. Selecting this option once covers all instances of Oracle Fusion Applications on the tenant. If you select this option more than once, you will receive multiple OAM notifications for the same event.

• Otherwise, deselect this option.

Note:

You must be using Oracle Access Manager version R13 18.02 and you must request that your Oracle CASB Cloud Service tenant be enabled to associate with OAM. To enable association with Oracle Access Manager, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

e. Click Test Credentials.

• If you see a message indicating that OAM integration has not been enabled, deselect the Associate with Oracle Access Manager Integration option. You can add OAM integration later, after it has been enabled.

• If you selected Associate with Oracle Access Manager Integration, and Oracle CASB Cloud Service can’t resolve the OAM host name from the Host name you entered, an OAM Host name box appears with an explanatory message. Enter the OAM Host name from the Service Request message response that you received in reply to the Service Request you submitted to enable OAM integration.


• Click Test Credentials again when you are ready to proceed.

f. After credentials are successfully validated you see a success message. Click Next.

g. Click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Next Steps

By default, all business objects available for monitoring by Oracle CASB Cloud Service are selected to be monitored. If you want to modify the list of business objects to be monitored for this Oracle ERP Cloud instance, perform the steps in Updating Monitoring Properties for an Oracle ERP Cloud Instance.

Updating an Oracle ERP Cloud Instance

Modify application settings for an existing Oracle ERP Cloud instance.

Updating the Credentials for an Oracle ERP Cloud Instance

Change the login credentials for an Oracle ERP Cloud instance.

When the login credentials that you used to register an Oracle ERP Cloud instance expire or are updated, you must update these credentials both in Oracle ERP Cloud and in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update Credentials page, ensure that the values for all the fields are current:

• Host name for the ERP Cloud service host.

• Username and new Password for the Oracle CASB Cloud Service administrative user in Oracle ERP Cloud.

3. Click Test Credentials.

4. After the credentials are verified, click Submit to view a verification page.


Updating Monitoring Properties for an Oracle ERP Cloud Instance

Change the combination of business objects that are monitored for Oracle ERP Cloud.

By default, when you add an Oracle ERP Cloud instance, all available business objects are monitored.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update monitoring properties.

• In grid view, drop down the Action list for the instance you want to modify and select Update monitoring properties.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update monitoring properties, and then select the application instance you want to modify and click Next.

2. In the Update monitoring properties page:

a. Expand the hierarchy as needed so you can see all the options.

b. Select or deselect options until you have selected the combination of monitoring options that you want.

Selecting or deselecting a parent option in the hierarchy selects or deselects all the subordinate options.

3. When you have finished selecting the desired combination of options, select the Approval check box and click Next.

Next Steps for Oracle ERP Cloud

Now that you have finished setting up your Oracle ERP Cloud instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Oracle ERP Cloud instance:

• Creating Policy Alerts for Oracle ERP Cloud — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Oracle ERP Cloud — to view predefined reports for Oracle ERP Cloud.


See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


16 Setting Up Oracle Human Capital Management (HCM) Cloud

Prepare Oracle HCM Cloud and register your application instance with Oracle CASB Cloud Service for monitoring.

Oracle CASB Cloud Service detects potential risks in your Oracle HCM Cloud account, including activity within it that violates your policies and user behavior patterns that appear to be suspicious.

Note:

In order to be monitored by Oracle CASB Cloud Service, Oracle HCM Cloud must be version R12 BP7.

Topics:

• Typical Workflow for Oracle HCM Cloud Monitoring

• Preparing Oracle HCM Cloud

• Adding an Oracle HCM Cloud Instance

• Updating an Oracle HCM Cloud Instance

Typical Workflow for Oracle HCM Cloud Monitoring

With Oracle CASB Cloud Service, you can monitor Oracle HCM Cloud to detect potential risks.

Task | Description | Additional Information
--- | --- | ---
Prepare an Oracle HCM Cloud account. | You can set up an Oracle CASB Cloud Service account in Oracle HCM Cloud. | Preparing Oracle HCM Cloud
Add an Oracle HCM Cloud instance. | You can register an Oracle HCM Cloud application instance in monitoring-only mode. | Adding an Oracle HCM Cloud Instance
Update credentials for an Oracle HCM Cloud instance. | You can update the credentials for an Oracle HCM Cloud instance. | Updating the Credentials for an Oracle HCM Cloud Instance


Preparing Oracle HCM Cloud

Before registering your Oracle HCM Cloud application instance with Oracle CASB Cloud Service, you need to create a dedicated administrative user within Oracle HCM Cloud and ensure that Oracle HCM Cloud auditing is enabled.

Creating a Dedicated Oracle CASB Cloud Service User in Oracle HCM Cloud

Create a dedicated user account for Oracle CASB Cloud Service in the Oracle HCM Cloud account that you want to monitor.

The user cannot use multifactor or federated authentication (for example, through a single sign-on service). You will use the login credentials for this user to allow Oracle CASB Cloud Service to connect to Oracle HCM Cloud and retrieve system events.

Note:

If you have already created a dedicated Oracle CASB Cloud Service administrative user account for another application within Oracle Applications Cloud, it is not necessary to create another user now.

• You can use that existing user for all Oracle Applications Cloud services to communicate with Oracle CASB Cloud Service.

• Or you can create a new user for individual Oracle Applications Cloud services, if you prefer.

1. Log into the Oracle Fusion Applications console as an administrator with permission to create other administrators.

2. In the Oracle Fusion Applications console home page:

a. Open the Navigator.

b. Scroll to the bottom.

c. Click More.

d. In the left panel, click Security Console.

3. In the left navigation panel, click Users.

4. On the User Accounts page, click Add User Account in the upper-right corner.

5. On the Add User Account page:

a. Set the Person Type field to None.

b. Enter a First Name for the user (for example, CASB).

c. Enter a Last Name to describe the account (for example, Oracle CASB Service Account).

d. Enter a User Name to identify the account (for example, CASB).


You will use this name when you register the application instance in Oracle CASB Cloud Service.

e. Enter a Password, and then re-enter it in Confirm Password.

f. Click Add Role.

6. In the Add Role Membership dialog box:

a. Paste this role code into the Search box.

ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY

b. Click the Search icon.

c. Select the ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY code returned in the search results.

d. Click Add Role Membership.

This assigns the Audit Access for Cloud Access Security Broker role.

e. Click OK on the confirmation message.

f. Click Done in the Add Role Membership dialog box.

7. On the Add User Account page, click Save and Close.

8. In the left navigation panel, click Roles.

9. On the Roles page, click Create Role in the upper-right corner.

10. On the Create Role : Basic Information page:

a. Enter a Role Name (for example, CASB_MANAGE_AUDIT_ROLE).

b. Copy that entry into the Role Code box.

c. Set Role Category to Setup - Job Roles.

d. Click Next.

11. On the Function Security page, Privileges tab, click Add Function Security Policy.

12. In the Add Function Security Policy dialog box:

a. Paste FND_MANAGE_AUDIT_POLICIES_PRIV into the Search box.

b. Click the Search icon.

c. Select the Manage Audit Policies privilege returned in the search results.

d. Click Add Privilege to Role.

e. Click OK on the confirmation message.

f. Click Done in the Add Function Security Policy dialog box.

13. Click Next until you reach the Summary page, then click Save and Close, and OK the confirmation message.

14. In the left navigation panel, click Users.

15. On the User Accounts page:

a. Enter the name of the CASB service user you created in the Search box.

b. Click the Search icon.


c. In the search results, locate the user you created and click the link next to User Name.

16. On the User Account Details page, click Edit.

17. On the Edit User Account page, click Add Role.

18. In the Add Role Membership dialog box:

a. Enter the name of the role you created (CASB_MANAGE_AUDIT_ROLE) in the Search box.

b. Click the Search icon.

c. Select the role in the search results.

d. Click Add Role Membership.

e. Click OK on the confirmation message.

f. Click Done in the Add Role Membership dialog box.

19. On the Edit User Account page, click Save and Close in the upper-right corner.

Note:

It takes up to 10 minutes for the changes to take effect. Please wait for a minimum of 10 minutes before you try to register an application instance, or update credentials for an existing application instance, in the CASB Cloud Service console.
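The procedure above, like the identical one for Oracle ERP Cloud in Chapter 15, leaves the dedicated service account holding exactly two roles: ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY and the custom CASB_MANAGE_AUDIT_ROLE. Because that account authenticates with a static password and cannot use multifactor or federated authentication, it is worth confirming periodically that nobody has granted it more than the procedure calls for, and that the two required roles are still present (otherwise collection fails). The following Python script is an added example, not code from the Oracle documentation or from the product. It assumes a hypothetical CSV export of user-to-role assignments with the columns user_name and role_code, which you would produce yourself from the Security Console; the sample export inside the block is constructed, and EXAMPLE_EXTRA_JOB_ROLE is a placeholder, not a real role code.

```python
"""Role-membership drift check for the dedicated CASB service user.

Added example; not part of the Oracle documentation. The input is a
hypothetical export (user_name,role_code) that you generate yourself.
"""
import csv
import io

# Role codes named in the user-creation procedure (page-stated values).
REQUIRED_ROLES = frozenset({
    "ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY",  # Audit Access for Cloud Access Security Broker
    "CASB_MANAGE_AUDIT_ROLE",                   # custom role carrying FND_MANAGE_AUDIT_POLICIES_PRIV
})

# Constructed sample export. EXAMPLE_EXTRA_JOB_ROLE is a placeholder role code.
SAMPLE_EXPORT = """user_name,role_code
CASB,ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY
CASB,CASB_MANAGE_AUDIT_ROLE
CASB,EXAMPLE_EXTRA_JOB_ROLE
jsmith,EXAMPLE_EXTRA_JOB_ROLE
"""


def load_role_memberships(text):
    """Parse the export into {user_name: set(role_code)}."""
    memberships = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user_name"].strip()
        memberships.setdefault(user, set()).add(row["role_code"].strip())
    return memberships


def check_service_user(memberships, service_user, required=REQUIRED_ROLES):
    """Return (missing, extra) role sets for the service user.

    missing: required roles the account lacks (CASB collection will fail)
    extra:   roles beyond those the procedure assigns (over-privileged)
    """
    assigned = memberships.get(service_user, set())
    return set(required - assigned), set(assigned - required)


def report(memberships, service_user):
    """Human-readable findings; empty list means the account matches the procedure."""
    missing, extra = check_service_user(memberships, service_user)
    findings = [f"MISSING required role: {r}" for r in sorted(missing)]
    findings += [f"EXTRA role beyond procedure: {r}" for r in sorted(extra)]
    return findings


if __name__ == "__main__":
    for line in report(load_role_memberships(SAMPLE_EXPORT), "CASB"):
        print(line)
```

Run it against a fresh export after the 10-minute propagation window and again on a schedule; an unexpected extra role on the service user is worth an investigation, since that account's credentials are shared with an external service.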

Enabling Business Object Auditing for Oracle HCM Cloud

Configure auditing on business objects.

This task is necessary to enable business object auditing, so that you can customize the list of business objects that you want Oracle CASB Cloud Service to monitor for each Fusion Application instance that you register.

Note:

You must perform this task for each Fusion Application instance that you register. If you do not perform this task for a Fusion Application instance, Oracle CASB Cloud Service can't monitor business objects for that instance.

1. In the Oracle Fusion Applications console home page:

a. Open the Navigator.

b. Scroll down.

c. Click Setup and Maintenance in the lower-right corner.

2. On the Setup: Compensation Management page:

a. Enter manage audit policies in the Search Tasks box.


b. Click the Search icon.

c. In the search results, click Manage Audit Policies.

3. On the Manage Audit Policies page:

a. At the right end of the Oracle Fusion Applications row, set Audit Level to Auditing.

b. Click Save and Close at the top right.

Note:

The required business objects will be enabled for monitoring, based on the options you select when you register a new application instance, or update the credentials for an existing application instance. There is no need to enable individual business objects for auditing, within Oracle Fusion Applications.

Enabling Role Auditing for Oracle HCM Cloud

Set the security level for Oracle Platform Security Services (OPSS) auditing to capture all of the security events for the role changes that you want Oracle CASB Cloud Service to audit.

The default OPSS audit level for Oracle Fusion Applications is “none” — you must change this setting to Low - Critical Events Only, in order to fully enable role auditing.

Note:

You only need to set the OPSS audit level once, to support role auditing for all the application instances from the same Fusion Applications POD that are registered in the same Oracle CASB Cloud Service tenant.

1. Log in to the Oracle Fusion Applications console.

2. In the Oracle Fusion Applications console home page:

a. Open the Navigator.

b. Scroll down.

c. Click Setup and Maintenance in the lower-right corner.

3. On the Setup: Compensation Management page:

a. In the Search Tasks box, enter manage audit policies.

b. Click the Search icon.

c. In the search results, select Manage Audit Policies.

4. On the Manage Audit Policies page:

a. At the right end of the Oracle Platform Security Services row, set Audit Level to Low - Critical Events Only.


b. Click Save and Close.

Enabling Association of Oracle CASB Cloud Service with Oracle Access Manager (OAM) for HCM Cloud

If you want to enable OAM association with Oracle CASB Cloud Service, submit an Oracle Service Request.

This task is necessary to ensure that auditing is enabled for login and logout events for Fusion Application instances that Oracle CASB Cloud Service monitors.

Note:

You only need to enable OAM association once for the same Fusion Applications POD in the same Oracle CASB Cloud Service tenant. The OAM association option is then available to all instances of Oracle Fusion Applications (such as Oracle ERP Cloud, Oracle HCM Cloud, or Oracle Sales Cloud) in that Fusion Applications POD on that Oracle CASB Cloud Service tenant.

Enabling OAM association with Oracle CASB Cloud Service is a two-step process:

1. First, you must submit an Oracle Service Request, as described in the next section below.

2. After that request is fulfilled, you must enable OAM once for a Fusion Application in Oracle CASB Cloud Service.

You can do this when you register your Oracle HCM Cloud instance (see Adding an Oracle HCM Cloud Instance), or after registration (see Updating the Credentials for an Oracle HCM Cloud Instance).

Submitting an Oracle Support Service Request to enable OAM

Note:

In order to associate with OAM, you must be using Oracle Access Manager version R13 18.02 and you must request that your Oracle CASB Cloud Service tenant be enabled. To enable association with Oracle Access Manager, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

1. Log in to the Oracle Support Portal.

2. On the Dashboard, under the Technical Service Requests section, click Create Technical SR.

3. Enter a Problem Summary and a Problem Description.


4. Enter the Service Type (for example, Oracle Fusion Global Human Resource Cloud Service).

5. For Problem Type, select Cloud Hosting Service (Outage, P2T/T2T, Enable SSO, Resize, Cloud Portal, My Services, User/Password, Network, Schedule Maintenance).

6. Specify your Support Identifier.

7. Select the appropriate Severity.

8. Click Next.

9. For Question 1, select Service Entitlements (Includes Federated SSO, Language Pack Installs, Data Masking, Break Glass etc.) as the area of concern.

10. From Question 2, select Configure Oracle Cloud Access Security Broker (CASB).

11. For Question Set 3, provide the following information:

• The POD name and the Fusion home page URL for which you want to enable Oracle CASB Cloud Service

For example, https://<POD_Name>.fs.ap1.oraclecloud.com/homePage/faces/AtkHomePageWelcome

• The Service User ID that you created in Creating a Dedicated Oracle CASB Cloud Service User in Oracle ERP Cloud.

• If you are using a Fusion Applications version earlier than R-13.18.05, provide the start time and the time zone for a 90 minute window during which your Fusion Application will not be available. Configuring this change requires a downtime of up to 90 minutes in versions earlier than R-13.18.05.

12. Click Continue.

13. Review your Support Request for completeness, and then click Submit.

Whitelisting Oracle CASB Cloud Service if Oracle HCM Cloud Fusion POD is Whitelisted

If Oracle HCM Cloud Fusion POD is whitelisted, you must whitelist some IP addresses for Oracle CASB Cloud Service.

1. Browse to the Oracle Knowledge Base article, How To Integrate Oracle Fusion Cloud With Oracle CASB.

2. Scroll down to the section titled, Deployment Considerations If Fusion POD is whitelisted.

3. Whitelist the IP address listed there for the URL where your Oracle CASB Cloud Service tenant is hosted.


Adding an Oracle HCM Cloud Instance

After completing the necessary configurations in Oracle HCM Cloud, add or register the Oracle HCM Cloud instance in Oracle CASB Cloud Service.

Prerequisites: Complete the steps in Preparing Oracle HCM Cloud. You need the user ID and password that belongs to the dedicated user account that you created.

Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.

You can only register Oracle HCM Cloud in monitor-only mode.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Oracle HCM Cloud icon, and then click Next.

4. On the Select an instance page:

a. Enter a name for the instance in the Type a unique name... box.

Any existing names appear below the name field.

b. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

5. In the Select monitoring type page:

a. Select the Monitor ERP cloud role, role memberships and privileges check box.

b. Select the objects to be monitored.

c. Select the I understand and explicitly approve enabling auditing... check box, and then click Next.

6. In the Enter credentials page, enter the information you specified when you created the dedicated Oracle HCM Cloud user:

a. In the Host name field, enter the host name of the Oracle HCM Cloud service host.


For example, myhcmhost.com.

b. In the Username field, enter the name you entered in the User Name field when you created the dedicated user (Service User).

c. In the Password field, enter the password you entered when you created the dedicated user.

Do not share these credentials with another user or service.

d. If Oracle Access Manager (OAM) integration is enabled, there is an Associate with Oracle Access Manager Integration option:

• Select this option if you want this application instance to associate with OAM integration.

Note:

Ensure that you do not select this option for more than one instance of an Oracle Fusion Application (such as Oracle ERP Cloud, Oracle HCM Cloud, or Oracle Sales Cloud) in the same Oracle CASB Cloud Service tenant. Selecting this option once covers all instances of Oracle Fusion Applications on the tenant. If you select this option more than once, you will receive multiple OAM notifications for the same event.

• Otherwise, deselect this option.

Note:

You must be using Oracle Access Manager version R13 18.02 and you must request that your Oracle CASB Cloud Service tenant be enabled to associate with OAM. To enable association with Oracle Access Manager, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

e. Click Test Credentials.

• If you see a message indicating that OAM integration has not been enabled, deselect the Associate with Oracle Access Manager Integration option. You can add OAM integration later, after it has been enabled.

• If you selected Associate with Oracle Access Manager Integration, and Oracle CASB Cloud Service can’t resolve the OAM host name from the Host name you entered, an OAM Host name box appears with an explanatory message. Enter the OAM Host name from the Service Request message response that you received in reply to the Service Request you submitted to enable OAM integration.

• Click Test Credentials again when you are ready to proceed.

f. When testing is done you see a success message. Click Next.


g. Click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Next Steps

By default, all business objects available for monitoring by Oracle CASB Cloud Service are selected to be monitored. If you want to modify the list of business objects to be monitored for this Oracle ERP Cloud instance, perform the steps in Updating Monitoring Properties for an Oracle HCM Cloud Instance.

Updating an Oracle HCM Cloud Instance

Modify application settings for an existing Oracle HCM Cloud instance.

Updating the Credentials for an Oracle HCM Cloud Instance

Change the login credentials for an Oracle HCM Cloud instance.

When the login credentials that you used to register an Oracle HCM Cloud instance expire or are updated, you must update these credentials both in Oracle HCM Cloud and in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update Credentials page, ensure that the values for all the fields are current:

• Host name for the Oracle HCM Cloud service host.

• Username and new Password for the Oracle CASB Cloud Service administrative user in Oracle HCM Cloud.

3. Click Test Credentials.

4. After the credentials are verified, click Submit to view a verification page.


Updating Monitoring Properties for an Oracle HCM Cloud Instance

Change the combination of business objects that are monitored for Oracle HCM Cloud.

By default, when you add an Oracle ERP Cloud instance, all available business objects are monitored.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update monitoring properties.

• In grid view, drop down the Action list for the instance you want to modify and select Update monitoring properties.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update monitoring properties, and then select the application instance you want to modify and click Next.

2. In the Update monitoring properties page:

a. Expand the hierarchy as needed so you can see all the options.

b. Select or deselect options until you have selected the combination of monitoring options that you want.

Selecting or deselecting a parent option in the hierarchy selects or deselects all the subordinate options.

3. When you have finished selecting the desired combination of options, select the Approval check box and click Next.

Next Steps for Oracle HCM Cloud

Now that you have finished setting up your Oracle HCM Cloud instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Oracle HCM Cloud instance:

• Creating Policy Alerts for Oracle HCM Cloud — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Oracle HCM Cloud — to view predefined reports for Oracle HCM Cloud.


See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


17 Setting Up Oracle Identity Cloud Service (IDCS)

Prepare Oracle Identity Cloud Service and register your application instance with Oracle CASB Cloud Service for monitoring.

To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

Note:

If IDCS does not appear as an option when you start to add an application instance, this indicates that your Oracle CASB Cloud Service tenant is configured with the "Standalone IDP" option for setting up identity providers (IDPs). To set up IDCS as your IDP with this configuration, see Setting Up an Identity Provider Instance.

If users log in through IDCS to application instances that are monitored by Oracle CASB Cloud Service, you should register IDCS as an application in Oracle CASB Cloud Service. After registering an Oracle IDCS instance, IDCS appears in the list of identity providers that are available when you are registering other application instances for monitoring. Oracle CASB Cloud Service can then connect login activity in IDCS with the application instances that your users are attempting to access.

Topics:

• Typical Workflow for IDCS Monitoring

• Preparing IDCS

• Adding an IDCS Instance

• Updating an IDCS Instance

Typical Workflow for IDCS Monitoring

With Oracle CASB Cloud Service, you can monitor Oracle Cloud Infrastructure to detect potential risks.

| Task | Description | Additional Information |
| --- | --- | --- |
| Prepare an IDCS account. | You can ensure that your Oracle IDCS account is ready to monitor in Oracle CASB Cloud Service. | Preparing IDCS |
| Add an IDCS instance. | You can register an Oracle IDCS application instance in monitoring-only mode. | Adding an IDCS Instance |
| Update credentials and security control baseline for an IDCS instance. | You can update the credentials and the security control baseline values for an Oracle IDCS instance. | Updating an IDCS Instance |

Preparing IDCS

Before registering your Oracle Cloud Infrastructure (IDCS) application instance with Oracle CASB Cloud Service, ensure that you have a private and public key pair configured in IDCS.

Prerequisites:

• Enable IDCS in your Oracle CASB Cloud Service tenant.

To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

• Administrative access to an IDCS account.

• An existing application in that account that provides single sign-on access to users logging in to other applications.

For information on setting up applications in IDCS, see Oracle Identity Cloud Service - Application Catalog. Go to the chapter for the application for which you want to create an SSO IDCS application.

• Full administrator privileges assigned to that account (Identity Domain Administrator, Security Administrator, Application Administrator, User Administrator, Audit Administrator). If any of these administrator roles are omitted, the information provided to Oracle CASB Cloud Service will be incomplete.

Prepare IDCS for Monitoring

1. Log in to your Oracle Cloud account as an administrator.

2. Navigate to the IDCS console:

a. From the menu, select Users.

b. From the User Management page, click Identity Console in the upper right corner.

3. Drop down the menu from your initials in the upper right corner and select Admin Console.


Note:

If you do not see Admin Console in the drop-down menu, you are not logged in as an administrator. Log out and log back in as a different user with administrator privileges.

4. In the Admin Console, open Applications.

5. On the Applications page, click the application that you want to use with Oracle CASB Cloud Service.

The details page for the application opens.

This must be an application that provides single sign-on (SSO) access to users logging in to one or more other applications that Oracle CASB Cloud Service is monitoring. Later you will connect this IDCS SSO application to those other applications in Oracle CASB Cloud Service, so that logins through IDCS are correctly counted as logins to the other applications.

6. On the Details tab, record the Name of the application.

You will need to provide this later, to connect the IDCS SSO application to other applications that Oracle CASB Cloud Service is monitoring.

7. Click the Configuration tab.

8. Record information that you will need to register this IDCS instance in Oracle CASB Cloud Service.

You will need to provide this information later, to connect the IDCS SSO application to other applications that Oracle CASB Cloud Service is monitoring.

a. Record the first part of the IDCS console URL.

From the browser’s address bar, select everything from the start of the URL through the .com:

https://idcs-...identy.oraclecloud.com

This is the value for the Customer Login URL when you register this IDCS instance.

b. Expand the General Information section and record the Client ID.

c. Click the Show Secret button and record the Client Secret.

d. Close the Client Secret message box.

9. Log out of your IDCS account.

Adding an IDCS Instance

After completing the necessary configurations in Oracle Cloud Infrastructure, add or register the IDCS instance in Oracle CASB Cloud Service.

Prerequisites: Complete the steps in Preparing IDCS.


Note:

• Only IDCS administrator users should register an IDCS instance with Oracle CASB Cloud Service.

• If you use more than one IDCS application to provide users with single sign-on (SSO) login to other applications, you must register an IDCS instance in Oracle CASB Cloud Service for each IDCS application that is used.

• You can only register Oracle Cloud Infrastructure in monitor-only mode.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Oracle Identity Cloud Service icon, and then click Next.

4. In the Select an instance page, enter a unique name for your application instance.

Any existing names appear below the name field.

Note:

Although this name does not have to match the Name defined for the IDCS SSO application, it is recommended that you use that name here, or a similar name that you can easily identify as referring to that application.

5. Click Next.

6. On the Enter credentials page, enter three of the four values that you recorded in Preparing IDCS:

• Customer Login URL — the first part of the IDCS console URL that you were logged into when you recorded the IDCS SSO application information in Preparing IDCS.

• Client ID — the Client ID value that you recorded from the IDCS SSO application information in Preparing IDCS.

• Client Secret — the Client Secret value that you recorded from the IDCS SSO application information in Preparing IDCS.

7. Click Test Credentials.

8. When you see the “Credentials are valid” message, click Next.

9. On the Success page, click Done.

When the registration process is complete, your application instance appears on the Applications page, and the IDCS SSO application is available to be connected to the applications that Oracle CASB Cloud Service monitors, for which that IDCS application is used to log in.


Next Steps

If you want to customize the security control baseline settings for this IDCS instance, perform the steps in Updating the Security Control Baseline for an IDCS Instance.

Updating an IDCS Instance

Modify settings for an existing IDCS instance.

Updating the Credentials for an IDCS Instance

Change the login credentials for an Oracle Identity Cloud Service (IDCS) instance.

When the login credentials that you used to register an IDCS instance expire or are updated, you must update these credentials both in Oracle Cloud Infrastructure and in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update Credentials page, enter the current values for all the fields:

• Customer Login URL

• Client ID

• Client Secret

For information on where to get current values for these credentials, see Adding an IDCS Instance.

3. Click Test Credentials.

4. After the credentials are verified, click Submit to view a verification page.

Updating the Security Control Baseline for an IDCS Instance

Change security control baseline settings for an Oracle Identity Cloud Service (IDCS) instance.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. Make changes as needed in the security control settings.

You can change the risk level for any security control by clicking the icon in the Risk Level column and making a different selection.

Refer to the tables below to understand how each security control behaves and how to customize the settings.

Password Policy

| Security Control Name | Description |
| --- | --- |
| Minimum Password Length | Alert when required password length is less than this value. |
| Maximum Password Length | Alert when required password length is greater than this value. |
| Minimum Numerals Required | Alert when the minimum number of numeric characters required in a password is less than this value. |
| Number of previous passwords disallowed to be used when setting new Password | Alert when the number of previous passwords that are disallowed when a user is setting a new password is less than this value. |
| Number of days after which Password gets expired | Alert when the number of days after which a password automatically expires is less than this value. |
| Maximum incorrect Attempts Allowed before User Account Locked | Alert when the maximum number of incorrect attempts that are allowed before the user account is locked is greater than this value. |
| Minimum Uppercase Characters Required | Alert when the minimum number of uppercase characters required in a password is less than this value. |
| Minimum Lowercase Characters Required | Alert when the minimum number of lowercase characters required in a password is less than this value. |
| Minimum Alphabetic Characters Required | Alert when the minimum number of alphabetic characters required in a password is less than this value. |
| Disallow these characters to use in Password | Alert when any of the characters listed are allowed in a password. |
| Disallow users to use Last Name in Password | Alert when a user’s last name is allowed in a password. |
| Disallow users to use First Name in Password | Alert when a user’s first name is allowed in a password. |
| Disallow users to use Username in Password | Alert when a user’s user name is allowed in a password. |

Access Control

| Security Control Name | Description |
| --- | --- |
| Require all users to have Multi Factor Authentication (MFA) Enabled | Alert when multi-factor authentication is not enabled for a user. Multi-factor authentication sends a code to the user in email or text, after the user has entered a valid ID and password pair, and then requires the user to enter that code before granting access. |
| IAM Password older than 90 days | Alert when a password is found that was created more than 90 days ago. |

3. When you are ready to save your changes, select Use the new threshold values and then click Submit.
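Each control in the two tables above is a comparison of an observed identity provider setting against a baseline threshold, tagged with a risk level. The following Python script, added here as an illustration and not part of Oracle CASB Cloud Service or its documentation, applies those same comparisons to a constructed password policy and a few constructed user records. The policy field names (min_length, history_size, mfa_enabled, and so on), the baseline thresholds and risk levels, and the sample data are all assumptions; the direction of each comparison follows the wording of the tables.

```python
"""Evaluate an identity provider's password policy and user records against a
security control baseline. Added example; not Oracle CASB Cloud Service code.
All field names, thresholds and sample data below are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed baseline for the Password Policy controls. Each rule is
# (control name, policy field, comparison that raises the alert, threshold, risk level).
# "lt" alerts when the observed value is less than the threshold, "gt" when greater,
# following the wording of the Password Policy table.
PASSWORD_RULES = [
    ("Minimum Password Length", "min_length", "lt", 12, "High"),
    ("Maximum Password Length", "max_length", "gt", 128, "Low"),
    ("Minimum Numerals Required", "min_numerals", "lt", 1, "Medium"),
    ("Number of previous passwords disallowed", "history_size", "lt", 5, "Medium"),
    ("Number of days after which Password gets expired", "expiry_days", "lt", 90, "Low"),
    ("Maximum incorrect Attempts Allowed before User Account Locked",
     "max_incorrect_attempts", "gt", 10, "High"),
    ("Minimum Uppercase Characters Required", "min_uppercase", "lt", 1, "Medium"),
    ("Minimum Lowercase Characters Required", "min_lowercase", "lt", 1, "Medium"),
    ("Minimum Alphabetic Characters Required", "min_alphabetic", "lt", 1, "Medium"),
]
# Controls that alert when a protection is simply switched off in the policy.
FLAG_RULES = [
    ("Disallow users to use Last Name in Password", "disallow_last_name", "Medium"),
    ("Disallow users to use First Name in Password", "disallow_first_name", "Medium"),
    ("Disallow users to use Username in Password", "disallow_username", "High"),
]
# Characters the baseline requires the policy to forbid (constructed choice).
REQUIRED_DISALLOWED_CHARS = {"<", ">"}
MAX_PASSWORD_AGE_DAYS = 90  # "IAM Password older than 90 days"


def evaluate_password_policy(policy):
    """Return one alert dict per Password Policy control that the policy violates."""
    alerts = []
    for control, field, op, threshold, risk in PASSWORD_RULES:
        observed = policy[field]
        violated = observed < threshold if op == "lt" else observed > threshold
        if violated:
            alerts.append({"control": control, "observed": observed,
                           "threshold": threshold, "risk": risk})
    for control, field, risk in FLAG_RULES:
        if not policy[field]:  # the name/username check is not enforced
            alerts.append({"control": control, "observed": False,
                           "threshold": True, "risk": risk})
    # Alert when any baseline-listed character is still allowed in passwords.
    missing = REQUIRED_DISALLOWED_CHARS - set(policy["disallowed_chars"])
    if missing:
        alerts.append({"control": "Disallow these characters to use in Password",
                       "observed": sorted(missing),
                       "threshold": sorted(REQUIRED_DISALLOWED_CHARS), "risk": "Low"})
    return alerts


def evaluate_users(users, now):
    """Return Access Control alerts: MFA not enabled, or password older than 90 days."""
    alerts = []
    for user in users:
        if not user["mfa_enabled"]:
            alerts.append({"control": "Require all users to have MFA Enabled",
                           "user": user["name"], "risk": "High"})
        age_days = (now - user["password_created"]).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            alerts.append({"control": "IAM Password older than 90 days",
                           "user": user["name"], "observed": age_days, "risk": "Medium"})
    return alerts


# Constructed sample input: a weak tenant policy and three user records.
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
SAMPLE_POLICY = {
    "min_length": 8, "max_length": 100, "min_numerals": 1, "history_size": 3,
    "expiry_days": 120, "max_incorrect_attempts": 5, "min_uppercase": 1,
    "min_lowercase": 1, "min_alphabetic": 1, "disallowed_chars": "",
    "disallow_last_name": True, "disallow_first_name": False, "disallow_username": True,
}
SAMPLE_USERS = [
    {"name": "alice", "mfa_enabled": True, "password_created": NOW - timedelta(days=30)},
    {"name": "bob", "mfa_enabled": False, "password_created": NOW - timedelta(days=120)},
    {"name": "carol", "mfa_enabled": True, "password_created": NOW - timedelta(days=100)},
]

if __name__ == "__main__":
    for alert in evaluate_password_policy(SAMPLE_POLICY) + evaluate_users(SAMPLE_USERS, NOW):
        print(alert)
```

Run against the sample policy, the script raises four Password Policy alerts (minimum length, password history, the unenforced first-name check, and the characters that are still allowed) and three Access Control alerts (bob without MFA, and bob's and carol's passwords older than 90 days). Keeping the rules in data rather than in branching code is what lets an administrator change a threshold or a risk level, as the procedure above describes, without touching the evaluation logic.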

Updating the IDP Instance for an IDCS Instance

Add or change the identity provider (IDP) for an IDCS instance.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update IDP Instance.

• In grid view, drop down the Action list for the instance you want to modify and select Update IDP Instance.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update IDP Instance, and then select the application instance you want to modify and click Next.


2. In the Update IDP instance page, drop down the list of identity providers and select the IDCS SSO application that you want to use with this IDCS instance.

Look for the Name you recorded from the IDCS SSO application information in Preparing IDCS.

3. Click Next.

4. In the Success page, click Done.

Next Steps for IDCS

Now that you have finished setting up your Oracle IDCS instance, you can connect its IDCS application to monitored application instances which use it for SSO login.

To connect a monitored application instance to the IDCS SSO application:

1. Go to Setting Up Cloud Applications for Monitoring.

2. Locate the chapter for the application type which you want to connect to the IDCS application defined in the IDCS instance that you just registered.

3. Under that chapter, locate the appropriate topic for what you want to do:

• “Updating the IDP Instance for a(n) <application_type> Instance” — to connect the IDCS application to an application instance that has already been registered.

• “Adding a(n) <application_type> Instance” — to connect the IDCS application to a new application instance when you register it.

Note:

For Amazon Web Services (AWS), see the Preparing and Registering AWS topic.


18 Setting Up Oracle Sales Cloud

Prepare Oracle Sales Cloud and register your application instance with Oracle CASB Cloud Service for monitoring.

Oracle CASB Cloud Service detects potential risks in your Oracle Sales Cloud account, including activity within it that violates your policies and user behavior patterns that appear to be suspicious.

Note:

In order to be monitored by Oracle CASB Cloud Service, Oracle Sales Cloud must be version R12 BP7.

Topics

• Typical Workflow for Oracle Sales Cloud Monitoring

• Preparing Oracle Sales Cloud

• Adding an Oracle Sales Cloud Instance

• Updating an Oracle Sales Cloud Instance

Typical Workflow for Oracle Sales Cloud Monitoring

With Oracle CASB Cloud Service, you can monitor Oracle Sales Cloud to detect potential risks.

| Task | Description | Additional Information |
| --- | --- | --- |
| Prepare an Oracle Sales Cloud account. | You can set up an Oracle CASB Cloud Service account in Oracle Sales Cloud. | Preparing Oracle Sales Cloud |
| Add an Oracle Sales Cloud instance. | You can register an Oracle Sales Cloud application instance in monitoring-only mode. | Adding an Oracle Sales Cloud Instance |
| Update credentials for an Oracle Sales Cloud instance. | You can update the credentials for an Oracle Sales Cloud instance. | Updating the Credentials for an Oracle Sales Cloud Instance |

Preparing Oracle Sales Cloud

Before registering your Oracle Sales Cloud application instance with Oracle CASB Cloud Service, you need to create a dedicated administrative user within Oracle Sales Cloud and ensure that Oracle Sales Cloud auditing is enabled.


Creating a Dedicated Oracle CASB Cloud Service User in Oracle Sales Cloud

Create a dedicated user account for Oracle CASB Cloud Service in the Oracle Sales Cloud account that you want to monitor.

The user cannot use multifactor or federated authentication (for example, through a single sign-on service). You will use the login credentials for this user to allow Oracle CASB Cloud Service to connect to Oracle ERP Cloud and retrieve system events.

Note:

If you have already created a dedicated Oracle CASB Cloud Service administrative user account for another application within Oracle Applications Cloud, it is not necessary to create another user now.

• You can use that existing user for all Oracle Applications Cloud services to communicate with Oracle CASB Cloud Service.

• Or you can create a new user for individual Oracle Applications Cloud services, if you prefer.

1. Log into the Oracle Fusion Applications console as an administrator with permission to create other administrators.

2. In the Oracle Fusion Applications console home page:

a. Open the Navigator.

b. Scroll to the bottom.

c. Click More.

d. In the left panel, click Security Console.

3. In the left navigation panel, click Users.

4. On the User Accounts page, click Add User Account in the upper-right corner.

5. On the Add User Account page:

a. Set the Person Type field to None.

b. Enter a First Name for the user (for example, CASB).

c. Enter a Last Name to describe the account (for example, Oracle CASB Service Account).

d. Enter a User Name to identify the account (for example, CASB).

You will use this name when you register the application instance in Oracle CASB Cloud Service.

e. Enter a Password, and then re-enter it in Confirm Password.

f. Click Add Role.

6. In the Add Role Membership dialog box:

a. Paste this role code into the Search box.


ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY

b. Click the Search icon.

c. Select the ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY code returned in the search results.

d. Click Add Role Membership.

This assigns the Audit Access for Cloud Access Security Broker role.

e. Click OK on the confirmation message.

f. Click Done in the Add Role Membership dialog box.

7. On the Add User Account page, click Save and Close.

8. In the left navigation panel, click Roles.

9. On the Roles page, click Create Role in the upper-right corner.

10. On the Create Role : Basic Information page:

a. Enter a Role Name (for example, CASB_MANAGE_AUDIT_ROLE).

b. Copy that entry into the Role Code box.

c. Set Role Category to Setup - Job Roles.

d. Click Next.

11. On the Function Security page, Privileges tab, click Add Function Security Policy.

12. In the Add Function Security Policy dialog box:

a. Paste FND_MANAGE_AUDIT_POLICIES_PRIV into the Search box.

b. Click the Search icon.

c. Select the Manage Audit Policies privilege returned in the search results.

d. Click Add Privilege to Role.

e. Click OK on the confirmation message.

f. Click Done in the Add Function Security Policy dialog box.

13. Click Next until you reach the Summary page, then click Save and Close, and click OK on the confirmation message.

14. In the left navigation panel, click Users.

15. On the User Accounts page:

a. Enter the name of the CASB service user you created in the Search box.

b. Click the Search icon.

c. In the search results, locate the user you created and click the link next to User Name.

16. On the User Account Details page, click Edit.

17. On the Edit User Account page, click Add Role.

18. In the Add Role Membership dialog box:

a. Enter the name of the role you created (CASB_MANAGE_AUDIT_ROLE) in the Search box.


b. Click the Search icon.

c. Select the role in the search results.

d. Click Add Role Membership.

e. Click OK on the confirmation message.

f. Click Done in the Add Role Membership dialog box.

19. On the Edit User Account page, click Save and Close in the upper-right corner.

Note:

It takes up to 10 minutes for the changes to take effect. Please wait for a minimum of 10 minutes before you try to register an application instance, or update credentials for an existing application instance, in the CASB Cloud Service console.

Enabling Role Auditing for Oracle Sales Cloud

Set the security level for Oracle Platform Security Services (OPSS) auditing to capture all of the security events for the role changes that you want Oracle CASB Cloud Service to audit.

The default OPSS audit level for Oracle Fusion Applications is “none” — you must change this setting to Low - Critical Events Only, in order to fully enable role auditing.

Note:

You only need to set the OPSS audit level once, to support role auditing for all the application instances from the same Fusion Applications POD that are registered in the same Oracle CASB Cloud Service tenant.

1. Log in to the Oracle Fusion Applications console.

2. In the Oracle Fusion Applications console home page:

a. Open the Navigator.

b. Scroll down.

c. Click Setup and Maintenance in the lower-right corner.

3. On the Setup: Compensation Management page:

a. In the Search Tasks box, enter manage audit policies.

b. Click the Search icon.

c. In the search results, select Manage Audit Policies.

4. On the Manage Audit Policies page:

a. At the right end of the Oracle Platform Security Services row, set Audit Level to Low - Critical Events Only.


b. Click Save and Close.

Enabling Association of Oracle CASB Cloud Service with Oracle Access Manager (OAM) for Sales Cloud

If you want to enable OAM association with Oracle CASB Cloud Service, submit an Oracle Service Request.

This task is necessary to ensure that auditing is enabled for login and logout for Fusion Application instances that Oracle Sales Cloud monitors.

Note:

You only need to enable OAM association once for the same Fusion Applications pod in the same Oracle CASB Cloud Service tenant. The OAM association option is then available to all instances of Oracle Fusion Applications (such as Oracle ERP Cloud, Oracle HCM Cloud, or Oracle Sales Cloud) in that Fusion Applications pod on that Oracle CASB Cloud Service tenant.

Enabling OAM association is a two-step process:

1. First, you must submit an Oracle Service Request.

2. After that request is fulfilled, you must enable OAM once for a Fusion Application in Oracle CASB Cloud Service.

You can do this when you register your Oracle Sales Cloud instance (see Adding an Oracle ERP Cloud Instance), or after registration (see Updating the Credentials for an Oracle ERP Cloud Instance).

Submitting an Oracle Support Service Request to enable OAM

Note:

In order to associate with OAM, you must be using Oracle Access Manager version R13 18.02 and you must request that your Oracle CASB Cloud Service tenant be enabled. To enable association with Oracle Access Manager, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

1. Log in to the Oracle Support Portal.

2. On the Dashboard, under the Technical Service Requests section, click Create Technical SR.

3. Enter a Problem Summary and a Problem Description.

4. Enter the Service Type (for example, Oracle Fusion Global Human Resource Cloud Service).


5. For Problem Type, select Cloud Hosting Service (Outage, P2T/T2T, Enable SSO, Resize, Cloud Portal, My Services, User/Password, Network, Schedule Maintenance).

6. Specify your Support Identifier.

7. Select the appropriate Severity.

8. Click Next.

9. For Question 1, select Service Entitlements (Includes Federated SSO, Language Pack Installs, Data Masking, Break Glass etc.) as the area of concern.

10. From Question 2, select Configure Oracle Cloud Access Security Broker (CASB).

11. For Question Set 3, provide the following information:

• The POD name and the Fusion home page URL for which you want to enable Oracle CASB Cloud Service

For example, https://<POD_Name>.fs.ap1.oraclecloud.com/homePage/faces/AtkHomePageWelcome

• The Service User ID that you created in Creating a Dedicated Oracle CASB Cloud Service User in Oracle ERP Cloud.

• If you are using a Fusion Applications version earlier than R-13.18.05, provide the start time and the time zone for a 90 minute window during which your Fusion Application will not be available. Configuring this change requires a downtime of up to 90 minutes in versions earlier than R-13.18.05.

12. Click Continue.

13. Review your Support Request for completeness, and then click Submit.

Whitelisting Oracle CASB Cloud Service if Oracle Sales Cloud Fusion POD is Whitelisted

If Oracle Sales Cloud Fusion POD is whitelisted, you must whitelist some IP addresses for Oracle CASB Cloud Service.

1. Browse to the Oracle Knowledge Base article, How To Integrate Oracle Fusion Cloud With Oracle CASB.

2. Scroll down to the section titled, Deployment Considerations If Fusion POD is whitelisted.

3. Whitelist the IP address listed there for the URL where your Oracle CASB Cloud Service tenant is hosted.

Adding an Oracle Sales Cloud Instance

After completing the necessary configurations in Oracle Sales Cloud, add or register the Oracle Sales Cloud instance in Oracle CASB Cloud Service.

Prerequisites: Complete the steps in Preparing Oracle Sales Cloud. You need the user ID and password that belongs to the dedicated user account that you created.


Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.

You can only register Oracle Sales Cloud in monitor-only mode.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Oracle Sales Cloud icon, and then click Next.

4. On the Select an instance page:

a. Enter a name for the instance in the Type a unique name... box.

Any existing names appear below the name field.

b. If users of this instance use an identity provider to log in, select The users of this app instance log in using single sign-on... and select the IDP instance from the Select an Identity Provider (IDP) instance list.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

c. Click Next.

5. In the Select monitoring type page:

a. Select the Monitor ERP cloud role, role memberships and privileges check box.

b. Select the objects to be monitored.

c. Select the I understand and explicitly approve enabling auditing... check box, and then click Next.

6. In the Enter credentials page, enter the information you specified when you created the dedicated Oracle Sales Cloud user:

a. In the Host name field, enter the host name of the Sales Cloud service host.

For example, mysaleshost.com.

b. In the Username field, enter the name you entered in the User Name field when you created the dedicated user (Service User).

c. In the Password field, enter the password you entered when you created the dedicated user.

Do not share these credentials with another user or service.

d. If Oracle Access Manager (OAM) integration is enabled, there is an Associate with Oracle Access Manager Integration option:


• Select this option if you want this application instance to associate with OAM integration.

Note:

Ensure that you do not select this option for more than one instance of an Oracle Fusion Application (such as Oracle ERP Cloud, Oracle HCM Cloud, or Oracle Sales Cloud) in the same Oracle CASB Cloud Service tenant. Selecting this option once covers all instances of Oracle Fusion Applications on the tenant. If you select this option more than once, you will receive multiple OAM notifications for the same event.

• Otherwise, deselect this option.

Note:

You must be using Oracle Access Manager version R13 18.02 and you must request that your Oracle CASB Cloud Service tenant be enabled to associate with OAM. To enable association with Oracle Access Manager, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

e. Click Test Credentials.

• If you see a message indicating that OAM integration has not been enabled, deselect the Associate with Oracle Access Manager Integration option. You can add OAM integration later, after it has been enabled.

• If you selected Associate with Oracle Access Manager Integration, and Oracle CASB Cloud Service can’t resolve the OAM host name from the Host name you entered, an OAM Host name box appears with an explanatory message. Enter the OAM Host name from the response you received to the Service Request you submitted to enable OAM integration.

• Click Test Credentials again when you are ready to proceed.

f. When testing is done you see a success message. Click Next.

g. Click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Next Steps

By default, all business objects available for monitoring by Oracle CASB Cloud Service are selected to be monitored. If you want to modify the list of business objects to be monitored for this Oracle ERP Cloud instance, perform the steps in Updating Monitoring Properties for an Oracle Sales Cloud Instance.

Updating an Oracle Sales Cloud Instance

Modify application settings for an existing Oracle Sales Cloud instance.

Updating the Credentials for an Oracle Sales Cloud Instance

Change the login credentials for an Oracle Sales Cloud instance.

When the login credentials that you used to register an Oracle Sales Cloud instance expire or are updated, you must update these credentials both in Oracle Sales Cloud and in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update Credentials page, ensure that the values for all the fields are current:

• Host name for the Sales Cloud service host.

• Username and new Password for the Oracle CASB Cloud Service administrative user in Oracle Sales Cloud.

3. Click Test Credentials.

4. After the credentials are verified, click Submit to view a verification page.

Updating Monitoring Properties for an Oracle Sales Cloud Instance

Change the combination of business objects that are monitored for Oracle Sales Cloud.

By default, when you add an Oracle ERP Cloud instance, all available business objects are monitored.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update monitoring properties.


• In grid view, drop down the Action list for the instance you want to modify and select Update monitoring properties.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update monitoring properties, and then select the application instance you want to modify and click Next.

2. In the Update monitoring properties page:

a. Expand the hierarchy as needed so you can see all the options.

b. Select or deselect options until you have selected the combination of monitoring options that you want.

Selecting or deselecting a parent option in the hierarchy selects or deselects all the subordinate options.

3. When you have finished selecting the desired combination of options, select the Approval check box and click Next.

Next Steps for Oracle Sales Cloud

Now that you have finished setting up your Oracle Sales Cloud instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Oracle Sales Cloud instance:

• Creating Policy Alerts for Oracle Sales Cloud — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Oracle Sales Cloud — to view predefined reports for Oracle Sales Cloud.

See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


19 Setting Up Salesforce Sales Cloud

Prepare Salesforce Sales Cloud and register your application instance with Oracle CASB Cloud Service for security monitoring.

Oracle CASB Cloud Service detects potential risks in your Salesforce account, including noncompliant security control values within the administration console, activity within Salesforce that violates your policies (for example, changes to critical object definitions by people in a workgroup that aren’t authorized), and user behavior patterns that appear to be suspicious.

Topics:

• Typical Workflow for Salesforce Monitoring

• About Salesforce Security Monitoring

• Preparing Salesforce

• Monitoring Events in Salesforce

• Monitoring Field-Level History in Salesforce

• Adding a Salesforce Instance

• Updating a Salesforce Instance

• Troubleshooting for Salesforce

Typical Workflow for Salesforce Monitoring

With Oracle CASB Cloud Service, you can monitor Salesforce Sales Cloud to detect potential risks.

Task: Understand Salesforce Sales Cloud security.
Description: You can learn about how Oracle CASB Cloud Service monitors a wide variety of risks in the Salesforce Sales Cloud.
Additional Information: About Salesforce Security Monitoring

Task: Prepare Salesforce.
Description: You can set up a dedicated user for Oracle CASB Cloud Service in Salesforce.
Additional Information: Preparing Salesforce

Task: Understand Salesforce event monitoring.
Description: You can learn about how Salesforce monitors events.
Additional Information: Monitoring Events in Salesforce

Task: Monitor field-level history in Salesforce.
Description: You can use Oracle CASB Cloud Service to monitor the field-level history in Salesforce, disable field-level history tracking for Oracle CASB Cloud Service during app registration, and re-enable it after registration.
Additional Information: Monitoring Field-Level History in Salesforce

Task: Add a Salesforce instance.
Description: You can register a Salesforce application instance in monitoring-only mode, or push security controls to Salesforce during registration.
Additional Information: Adding a Salesforce Instance

Task: Update a Salesforce instance.
Description: You can update the credentials, monitoring of field-level history, IDP instance, and the security control baseline for a Salesforce instance.
Additional Information: Updating a Salesforce Instance

Task: Troubleshoot Salesforce.
Description: You can troubleshoot problems that you may encounter with Salesforce in Oracle CASB Cloud Service.
Additional Information: Troubleshooting for Salesforce

About Salesforce Security Monitoring

Learn about the different types of security monitoring Oracle CASB Cloud Service performs for Salesforce.

Oracle CASB Cloud Service monitors a wide variety of risks in the Salesforce Sales Cloud. The risks monitored include the following:

• Security controls monitoring: For example, weak password and session policies.

• Benchmark monitoring: This includes benchmark monitoring, for example, looking at administrator activity in the Setup section of Salesforce or a high-level view of Setup and the most frequently created and updated objects. Oracle CASB Cloud Service shows trend data in Risk Events and detailed information about these benchmarks in various reports.

• Policy alerts: You can define a wide variety of alerts related to Salesforce, including unusual assignment of privileges (profiles and roles), actions related to standard and custom objects (down to field-level details in these objects), running and exporting reports, or configuration changes in Setup. You can track these activities across specific users, groups, and IP addresses.

• Threat monitoring: Oracle CASB Cloud Service flags observed unusual behaviors, including unusual logins and failed logins, IP address hopping, geolocation hopping, Salesforce access from blacklisted IPs, and cross-cloud activity (for example, tracking a user across their Salesforce and Microsoft Office 365 accounts).

Oracle CASB Cloud Service has a built-in incident management system to manage remediation tickets for risks that appear in the console. This ticketing system integrates with ServiceNow.

When Oracle CASB Cloud Service detects an event in the cloud that matches the policy, Oracle CASB Cloud Service updates the Policy Alerts count in the Dashboard (both the global and instance-specific Health Summary widgets). Oracle CASB Cloud Service also generates an entry in the Risk Events page. The alert describes the affected resource, the person or agent that performed the action, and additional data from the application's own event logs.


Preparing Salesforce

Create a dedicated Salesforce user account, and configure Okta single sign-on if users log in to Salesforce through that service.

Prerequisites — In order to be monitored by Oracle CASB Cloud Service:

• Your Azure instance must be running under a Lightning Professional or Enterprise license.

• The event monitoring API must be enabled in Salesforce.

This allows Oracle CASB Cloud Service to collect information about Salesforce reports; most Salesforce events can be monitored using default account settings.

Creating a Dedicated Profile in Salesforce

Create a dedicated profile for Oracle CASB Cloud Service in the Salesforce account that you want to monitor.

The Oracle CASB Cloud Service user can’t use multifactor authentication to access Salesforce, as noted in the following procedure.

Note:

Don’t share the user name and password of this Salesforce account or reuse the account because other users or services using this Salesforce account can skew the data that Oracle CASB Cloud Service collects.

1. In Salesforce, go to Setup and expand Manage Users, and then select Profiles.

2. In the Profiles page, click New Profile.

3. In the Clone Profile page, find the System Administrator profile, and then give it a name to identify it as the Oracle CASB Cloud Service user profile.

4. Click Save.

5. In the Profiles page, select the new profile.

6. Scroll to the Administrative Permissions section, and ensure API Enabled is selected.

This prevents the user who is assigned this profile from accessing the Salesforce web-based console, which isn’t needed for collecting log and API data.

7. If you purchased the event log API option, scroll to the General User Permissions section and ensure that the View event log files option is selected.

This permission allows Oracle CASB Cloud Service to display security trends and reports related to users who run and export public reports in Salesforce. You must have previously purchased this permission from Salesforce to be able to enable it for the Oracle CASB Cloud Service user. If you haven’t purchased this option, skip this step.

8. Scroll to the bottom of the page and then click Save.


Creating a Dedicated Oracle CASB Cloud Service User in Salesforce

Create a dedicated user for Oracle CASB Cloud Service in the Salesforce account that you want to monitor.

This user must have a direct login to Oracle CASB Cloud Service or federated authentication through Okta. The Oracle CASB Cloud Service user can’t use multifactor authentication to access Salesforce, as noted in the following procedure.

Note:

Don’t share the user name and password of this Salesforce account or reuse the account because other users or services using this Salesforce account can skew the data that Oracle CASB Cloud Service collects.

1. In Salesforce, go to Setup and expand Manage Users.

2. In Manage Users, select Users, and then click New User.

• For Username, give the user a unique login ID. This provides a dedicated account for the Oracle CASB Cloud Service user.

• For Email, provide the email address that you want to use to manage the Oracle CASB Cloud Service user (for example, [email protected]). This account will generate the OAuth token for Oracle CASB Cloud Service.

• In the User License list, select a license type that permits you to use the System Administrator profile (example: the Salesforce user license).

• In the Profile list, select the profile that is based on the System Administrator profile.

Note:

As mentioned, this profile shouldn’t be enabled for multifactor authentication. If you want to check, view the profile, select the General User Permissions section, and ensure that Two-Factor Authentication for API Logins and Two-Factor Authentication for User Interface Logins are not selected.

3. Click Save. Salesforce will send a confirmation email to the address that you supplied.

4. Respond to the email from Salesforce to finish the setup for the new Oracle CASB Cloud Service user. You must create a login password and a password retrieval question.

5. Before registering this Salesforce instance with Oracle CASB Cloud Service, ensure that you log out from this and other Salesforce accounts, and clear the browser cache.


6. If you are using password management tools (for example, LastPass or RoboForm) with your Salesforce logins, disable them for Salesforce until after you register your Salesforce instance with Oracle CASB Cloud Service.

Selecting the Salesforce Object Fields for Oracle CASB Cloud Service to Monitor

Learn about the object fields that you can select for monitoring.

After you register your cloud application, our security service automatically tracks the Setup audit trail (edits to the setup configuration) and login history (which includes IP addresses, browser types used for logging in, and whether the login is by a user or an API).

You can also select object fields to be monitored. Salesforce maintains documentation about tracking (or logging) object fields. To track field history for standard objects, see Tracking Field History for Standard Objects. Any modification to a field adds a new entry to the history list for an object.

You can track standard and custom Salesforce objects and up to 20 fields per object. We recommend you at least enable these for history tracking:

• Account: Account Name, Annual Revenue, Billing Address, Data.com Key, Phone

• Case: Account Name, Contact Name

• Contact: Birthdate, Data.com Key, Email, Home Phone, Mailing Address, Mobile, Name, Phone

• Lead: Address, Annual Revenue, Data.com Key, Email, Mobile, Name, Phone

• Opportunity: Account Name, Amount, Opportunity Name, Opportunity Owner, Probability (%), Stage

Oracle CASB Cloud Service can track these standard objects (up to 20 fields per object):

• Accounts

• Cases

• Contacts

• Entitlements

• Service contracts

• Contract line items

• Contracts

• Leads

• Opportunities

• Articles


• Solutions

Viewing the Authentication Token in Salesforce

View the OAuth authentication token that Salesforce creates when it and Oracle CASB Cloud Service establish communication.

If you want to disconnect from Oracle CASB Cloud Service, you can revoke this token.

1. In the Salesforce navigation pane, select Manage Apps, Connected Apps OAuth Usage.

2. In the Connected App column, find your Oracle CASB Cloud Service name, and then click the link in the User Count field.

3. In the Connected App User's Usage page, you should be able to see the user that you created to communicate with Oracle CASB Cloud Service.

Allowing Requests from Oracle CASB Cloud Service’s IP Addresses

Learn what you must do if your organization limits Salesforce access to specific IP addresses.

In Salesforce, you have the option to limit access to a select set of IP addresses. If you use this feature, you must add Oracle CASB Cloud Service IP addresses to a Salesforce profile. For more information, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

Using Okta Single Sign-On with Salesforce

If users log in to Salesforce through Okta single sign-on, add the Oracle CASB Cloud Service user to Okta.

If your organization uses Okta single sign-on, you also must add the Oracle CASB Cloud Service user to Okta. When you register the Salesforce instance with Oracle CASB Cloud Service, you provide the single sign-on credentials from Okta to permit Oracle CASB Cloud Service to monitor the Salesforce account.

Both Salesforce and Okta provide documentation about single sign-on. Here are the general steps to create the Oracle CASB Cloud Service user in Okta. See the Salesforce and Okta documentation for details.

Note:

Use this configuration only if your organization requires sign-on to be initiated by Okta (the identity provider). If you’re permitted to use the Oracle CASB Cloud Service user's Salesforce credentials, we recommend that you follow the instructions in .

1. Log in to the Okta administration console.

2. Select Directory, People, and add a user with the username and password of the Oracle CASB Cloud Service user.


3. Select Applications, Applications, Salesforce.com, General, and under theApp Embed Link field, copy the Salesforce application ID portion of thelink (for example, in the link https://dev-2222222.okta.com/home/salesforce/0oa4a1a2a3a4a5a6a7/24, the number 0oa4a1a2a3a4a5a6a7 is the application ID).

4. Copy the identity URL under Admin, Applications, Applications,Salesforce.com, Sign On, settings link, Identity Provider Login URL (example:https://dev-2222222.okta.com/app/salesforce/ex12ex34ex56ex7/sso/saml).

5. Create an API key in Security, API.

6. Ensure you have the user name, password, application ID, identity URL, and APIkey when you .

What To Do Next

What you do next depends on how users log in to Salesforce.

• If users log in through Okta, see Using Okta Single Sign-On with Salesforce.

• If users log in directly to Salesforce, go to Adding a Salesforce Instance.

Monitoring Events in Salesforce

Understand the Salesforce event monitoring option.

By default, Salesforce only reports on user activity that changes data. It doesn't report the copying of data, and doesn't record the pages in the consoles that a user views. Event Monitoring provides much richer information on user activities and other events within Salesforce. This includes information on reports being run, by whom, from where, which pages are being accessed, and many other details.

Oracle CASB Cloud Service uses the data from Salesforce Event Monitoring, together with data from the default logs, to build more accurate profiles of the user's activities within Salesforce. More accurate profiles make it easier to spot changes that may indicate risk. With Event Monitoring enabled, it is possible to identify people stealing data from Salesforce, as might happen as they are preparing to leave for a new job. Without Event Monitoring, data theft can't be spotted because the stolen data is only copied, not changed.

You must enable event monitoring in Salesforce in order to enable it in Oracle CASB Cloud Service. For information on enabling and disabling event monitoring in Salesforce, see the Salesforce documentation.

Monitoring Field-Level History in Salesforce

Understand the Salesforce option to monitor field-level history.

Salesforce lets you maintain a history of changes that users make to fields in standard and custom objects (for example, Leads, Contacts, and Contracts). Salesforce supports history tracking for up to 20 fields in an object.

If you enable monitoring of field-level history, you can choose whether the old and new values of changed fields are displayed in reports. You would choose to display data changes only if the data is not sensitive enough that it should only be viewed by authorized persons. See the instructions for your configuration in Adding a Salesforce Instance.

By default, Oracle CASB Cloud Service monitors the field-level history in Salesforce. You can disable field-level history tracking for Oracle CASB Cloud Service during the application registration. You can also re-enable it after registration.

You must enable field-level history in Salesforce in order to enable it in Oracle CASB Cloud Service. For information on enabling and disabling field-level history for standard and custom objects in Salesforce, see the Salesforce documentation.

Adding a Salesforce Instance

After completing the necessary configurations in Salesforce, add or register the Salesforce instance in Oracle CASB Cloud Service.

Any Salesforce instance you add will be monitored. Optionally, you can also have Oracle CASB Cloud Service push security control values to the instance.

There are two options for registering a Salesforce instance for monitoring by Oracle CASB Cloud Service:

• In monitor-only mode, Oracle CASB Cloud Service notifies you when various security configuration settings in the Salesforce Sales Cloud deviate from Oracle CASB Cloud Service's stringent values.

• In push security controls mode, Oracle CASB Cloud Service sets security control values (for example, values for password complexity, password history, user sessions, and multifactor authentication) at registration time, and then later provides alerts when these settings deviate from your preferred values.

Adding a Salesforce Instance (Monitor Only/Read Only)

To register Salesforce with the Oracle CASB Cloud Service, you need the credentials for the Oracle CASB Cloud Service user.

The credentials for the Oracle CASB Cloud Service user are either the user's Salesforce login or the user's single sign-on credentials if Salesforce authentication is done through Okta.

Adding a Salesforce Instance (Monitor Only/Read Only, Direct Logins)

Add or register your Salesforce instance to Oracle CASB Cloud Service to be monitored, without the capability to push security configuration settings.

Prerequisites: Make sure you have completed the tasks in Preparing Salesforce.

In monitor-only mode, Oracle CASB Cloud Service notifies you when various security configuration settings in Salesforce fall below the Oracle CASB Cloud Service preferred defaults. These security configuration values are set in the Salesforce Setup console, under Administration, Security Controls. In particular, Oracle CASB Cloud Service monitors the settings in Password Policies and Session Settings.

For more information about these settings, see Security Control Values for Salesforce (Monitor Only/Read Only).


Note:

You can register the same application instance more than once. However, it will result in duplicate data collection. Before registering the Salesforce instance, log out of Salesforce in the browser that you used for registration and clear the browser cache.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the icon for Salesforce and enter a unique name for this instance.

4. In the Select an instance page:

a. Enter a unique name for this instance. Existing instance names appear at the bottom of the page.

b. If you are registering a Salesforce sandbox, then select the This is a sandbox check box below the instance name field. This enables the registration wizard to recognize your sandbox credentials in a later step because this check box sets the login URL to test.salesforce.com instead of the usual salesforce.com.

c. If you don't want Oracle CASB Cloud Service to track changes down to the level of object fields, then deselect the option for history tracking (Monitor field-level history for Salesforce objects). For more information, see Monitoring Field-Level History in Salesforce.

If you want old and new values of changed fields displayed in field-level history reports, then select Report and store values changed from/to. Do this if the data is sensitive enough that it should only be viewed by authorized persons.

d. Leave the check box for The users of this app instance log in using single sign-on through an identity provider unchecked.

e. Click Next.

5. In the Select monitoring type page, select Monitoring only to have Oracle CASB Cloud Service monitor this application using its stringent settings for security configuration values, and then click Next.

Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch between its internal stringent settings and the actual settings in the Salesforce instance.

6. In the Enter credentials page:

a. Select Sign in with Salesforce username and password.

b. Click Submit. You are temporarily sent to the Salesforce login screen.

c. Enter the user name and password that the Oracle CASB Cloud Service user will use and click Login. After your credentials are accepted, you're returned to the Oracle CASB Cloud Service Success page.

d. Click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Currently, to be able to parse the Salesforce logs, Oracle CASB Cloud Service resets the default language for the account to English and the default locale to English (United States) regardless of the original language and locale.

Adding a Salesforce Instance (Monitor Only/Read Only, IDCS Logins)

Add or register your Salesforce instance to Oracle CASB Cloud Service to be monitored, with users logging in to Salesforce through IDCS, without the capability to push security configuration settings.

Prerequisites: Make sure you have completed the tasks in Preparing Salesforce.

Note:

If your Oracle CASB Cloud Service tenant does not automatically enable Oracle Identity Cloud Service as an IDP, follow the instructions in Setting Up an Oracle Identity Cloud Service (IDCS) IDP Instance.

In monitor-only mode, Oracle CASB Cloud Service notifies you when various security configuration settings in Salesforce fall below the Oracle CASB Cloud Service preferred defaults. These security configuration values are set in the Salesforce Setup console, under Administration, Security Controls. In particular, Oracle CASB Cloud Service monitors the settings in Password Policies and Session Settings.

For more information about these settings, see Security Control Values for Salesforce (Monitor Only/Read Only).

Note:

You can register the same application instance more than once. However, it will result in duplicate data collection. Before registering the Salesforce instance, log out of Salesforce in the browser that you used for registration and clear the browser cache.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the icon for Salesforce and enter a unique name for this instance.

4. In the Select an instance page:

a. Enter a unique name for this instance. Existing instance names appear at the bottom of the page.

b. If you are registering a Salesforce sandbox, then select the This is a sandbox check box below the instance name field. This enables the registration wizard to recognize your sandbox credentials in a later step because this check box sets the login URL to test.salesforce.com instead of the usual salesforce.com.

c. If you don't want Oracle CASB Cloud Service to track changes down to the level of object fields, then deselect the option for history tracking (Monitor field-level history for Salesforce objects). For more information, see Monitoring Field-Level History in Salesforce.

If you want old and new values of changed fields displayed in field-level history reports, then select Report and store values changed from/to. Do this if the data is sensitive enough that it should only be viewed by authorized persons.

d. Select the check box for The users of this app instance log in using single sign-on through an identity provider, open the Select an Identity Provider (IDP) instance list, and select the IDCS option.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

e. Click Next.

5. In the Select monitoring type page, select Monitoring only to have Oracle CASB Cloud Service monitor this application using its stringent settings for security configuration values, and then click Next.

Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch between its internal stringent settings and the actual settings in the Salesforce instance.

6. In the Enter credentials page:

a. Select Sign in with Salesforce username and password.

b. Click Submit. You are temporarily sent to the Salesforce login screen.

c. Enter the user name and password that the Oracle CASB Cloud Service user will use and click Login. After your credentials are accepted, you're returned to the Oracle CASB Cloud Service Success page.

d. Click Done.

Adding a Salesforce Instance (Monitor Only/Read Only, Okta Logins)

Add or register a monitor-only Salesforce instance, with users logging in to Salesforce through Okta.

Note:

If your Oracle CASB Cloud Service tenant is configured with the Standalone IDP option, the option to use Okta as the IDP for a new Salesforce instance is not available.

Prerequisites: Ensure you complete the tasks in Preparing Salesforce and Using Okta Single Sign-On with Salesforce.

1. Select Configuration, Identity Management Providers from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add IDP.

3. In the Add IDP instance dialog box, in the Provider field, select Okta.

4. In the Instance Name field, enter a name for this provider instance.

Note:

The instance name should clearly identify the IDP and the application type, so these are obvious later when you are connecting an application instance to the IDP instance.

5. In the Description field, enter a short description for the provider.

6. In the API key field, enter the API key for the Okta account that supplies authentication to the Salesforce instance that Oracle CASB Cloud Service is going to monitor.

7. In the URL to the provider field, enter the URL you used to access Okta to create the Oracle CASB Cloud Service user.

8. Click Save.

9. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

10. Click Add/Modify App, then Register an app instance.

11. In the Select an app type page, click the Salesforce icon, and then click Next.

12. On the Select an instance page:

a. In the Type a unique name field, enter a unique name for your application instance. Existing names appear below the name field.

b. If you are registering a Salesforce sandbox, select the This is a sandbox check box below the instance name field. This enables the registration wizard to recognize your sandbox credentials in a later step because this check box sets the login URL to test.salesforce.com instead of the usual salesforce.com.

c. If you do not want Oracle CASB Cloud Service to track changes down to the level of object fields, deselect the option for history tracking (Monitor field-level history for Salesforce objects).

If you want old and new values of changed fields displayed in field-level history reports, select Report and store values changed from/to. Do this if data may be sensitive enough that it should only be viewed by authorized persons.

d. Select the check box labeled The users of this app instance log in using single sign-on through an identity provider.

e. In the Select an Identity Provider (IDP) instance drop-down menu, select the Okta identity provider that you created in the first steps at the start of this task.

f. In the Select an active application defined in the identity provider drop-down menu, select the name of the application that provides the authentication credentials for users of the Salesforce instance being registered.

g. When you are done, click Next.

13. In the Enter credentials page, enter the user name and password for the Global Administrator that you set up in Salesforce. Don't share these credentials with any other user or service.

14. When you are done entering your credentials, click Test Credentials.

15. When testing is done, you see a success message. Click Submit.

After a brief wait, you are directed to the Salesforce site and prompted to verify your credentials. After completing Salesforce authentication, you are automatically sent back to the Oracle CASB Cloud Service console.

Note:

If you don't complete this step, you can still complete the application registration successfully. However, Oracle CASB Cloud Service will only be able to monitor Salesforce Exchange. It will not be able to access SharePoint/OneDrive or Azure AD. (Authentication within the Salesforce website provides the Oracle CASB Cloud Service user with an authentication token that's required for these additional applications.)

16. When you return to the Oracle CASB Cloud Service console, click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Security Control Values for Salesforce (Monitor Only/Read Only)

Review the Salesforce security controls that Oracle CASB Cloud Service monitors in monitor-only mode, together with the values for their stringent settings.

After registering the Salesforce instance in monitor-only mode, Oracle CASB Cloud Service scans the following security control values in Salesforce and displays security control alerts if your values are different from Oracle CASB Cloud Service's preferred values. These correspond to the Stringent setting when you register this application instance in push control values mode.

Security Control Type | Security Control Name | Console Notification When This Value Is Set to Anything Other Than | Description

Password policy | User password expires in | 30 days | Password expiration limits the time available to a hacker to break hashed or encrypted credentials, and makes it more difficult for a malicious actor to keep a foothold in your systems and networks.

Password policy | Enforce password history | 5 passwords remembered | When you limit users' ability to reuse previous passwords and passphrases, it helps increase variation and uniqueness of the passwords, and makes it harder for a malicious actor to use password dumps found online and in rainbow tables (a table often used to crack encrypted passwords).

Password policy | Minimum password length | 10 characters | The longer the password, the harder it is to crack, particularly if you also require special characters, numbers, and other recommended best practices.

Password policy | Password complexity requirement | Must mix alphabetic, numeric, and special characters | A combination of alphabetic and numeric characters in users' passwords or passphrases makes them harder to crack.

Password policy | Password question requirement | Cannot contain the password | Using an existing password in the password retrieval question gives away the password to malicious actors.

Password policy | Maximum invalid login attempts | 3 | Limiting the permitted number of successive failed login attempts is a deterrent for malicious actors who try to randomly guess user passwords (brute force attack).

Password policy | Lockout effective period | 60 minutes | The lockout effective period prevents malicious actors from flooding the system by bombarding it with login attempts.

Password policy | Obscure secret answer for password resets | On | Obscuring the secret answer for password resets makes it more difficult for malicious actors to use screen capture to collect information that can enable account hijacking.

Session setting | Timeout value | 30 minutes | Session timeout values make it more difficult for malicious actors to attempt session hijacking.

Session setting | Disable session timeout warning popup | On | The session timeout warning notifies users when their sessions are idle for at least half of the available session time.

Session setting | Lock sessions to the IP address from which they originated | On | This setting allows you to lock sessions to the IP address from which they originated.

Session setting | Force relogin after Login-As-User | On | This setting allows you to force administrators to log in with their account credentials after performing a Login-As-User, which allows them to assume another person's identity.

Session setting | Enable caching and autocomplete on login page | Off | This setting lets you prevent the user's browser from caching account credentials and enabling autocomplete on the login page.

Session setting | Enable clickjack protection for customer Visualforce pages with standard headers (limits or prevents use of hidden iframes) | On | This setting limits or prevents the use of hidden iframes.

Session setting | Enable clickjack protection for customer Visualforce pages with headers disabled (limits or prevents use of hidden iframes) | On | This setting limits or prevents the use of hidden iframes.
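The alerting behaviour described for both monitor-only mode and push-controls mode is a drift check: every control whose current value is anything other than the baseline raises a security control alert. The following Python is an added example of that check and is not code from the Oracle documentation or from the Oracle CASB Cloud Service product. The baseline values are taken from the table above; the snapshot format (a flat dict of control name to current value, as an administrator might export from the Salesforce Setup console) and the sample snapshot are assumptions constructed for this example.

```python
"""Drift check of Salesforce security controls against the stringent baseline.

Added example, not Oracle CASB Cloud Service code. Baseline values come from
the table above; the snapshot format is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Baseline from the table: control name -> (control type, stringent value).
# The two clickjack controls are keyed by their names without the parenthetical.
STRINGENT_BASELINE: Dict[str, Tuple[str, str]] = {
    "User password expires in": ("Password policy", "30 days"),
    "Enforce password history": ("Password policy", "5 passwords remembered"),
    "Minimum password length": ("Password policy", "10 characters"),
    "Password complexity requirement": ("Password policy", "Must mix alphabetic, numeric, and special characters"),
    "Password question requirement": ("Password policy", "Cannot contain the password"),
    "Maximum invalid login attempts": ("Password policy", "3"),
    "Lockout effective period": ("Password policy", "60 minutes"),
    "Obscure secret answer for password resets": ("Password policy", "On"),
    "Timeout value": ("Session setting", "30 minutes"),
    "Disable session timeout warning popup": ("Session setting", "On"),
    "Lock sessions to the IP address from which they originated": ("Session setting", "On"),
    "Force relogin after Login-As-User": ("Session setting", "On"),
    "Enable caching and autocomplete on login page": ("Session setting", "Off"),
    "Enable clickjack protection for customer Visualforce pages with standard headers": ("Session setting", "On"),
    "Enable clickjack protection for customer Visualforce pages with headers disabled": ("Session setting", "On"),
}


@dataclass(frozen=True)
class ControlAlert:
    """One security control alert, in the spirit of a Risk Events entry."""
    control_type: str
    control_name: str
    expected: str
    actual: Optional[str]  # None when the control is absent from the snapshot


def normalize(value: str) -> str:
    """Compare values case-insensitively and ignore whitespace differences."""
    return " ".join(value.split()).lower()


def check_security_controls(snapshot: Dict[str, str]) -> List[ControlAlert]:
    """Return one alert for every control set to anything other than the baseline.

    A control missing from the snapshot is reported too: an absent setting
    cannot be assumed to be at the stringent value.
    """
    alerts: List[ControlAlert] = []
    for name, (control_type, expected) in STRINGENT_BASELINE.items():
        actual = snapshot.get(name)
        if actual is None or normalize(actual) != normalize(expected):
            alerts.append(ControlAlert(control_type, name, expected, actual))
    return alerts


def drifted_control_names(snapshot: Dict[str, str]) -> List[str]:
    """Just the names of the non-compliant controls, in table order."""
    return [alert.control_name for alert in check_security_controls(snapshot)]


# Constructed snapshot (assumption, not real data): three controls weakened,
# one control never reported, one compliant value that differs only in case.
CONSTRUCTED_SNAPSHOT: Dict[str, str] = {
    "User password expires in": "90 days",                 # weaker than 30 days
    "Enforce password history": "5 passwords remembered",
    "Minimum password length": "8 characters",             # weaker than 10 characters
    "Password complexity requirement": "Must mix alphabetic, numeric, and special characters",
    "Password question requirement": "Cannot contain the password",
    "Maximum invalid login attempts": "3",
    "Lockout effective period": "60 minutes",
    "Obscure secret answer for password resets": "on",     # compliant despite the case
    "Timeout value": "30 minutes",
    "Disable session timeout warning popup": "On",
    "Lock sessions to the IP address from which they originated": "On",
    # "Force relogin after Login-As-User" is missing from this snapshot
    "Enable caching and autocomplete on login page": "On",  # baseline is Off
    "Enable clickjack protection for customer Visualforce pages with standard headers": "On",
    "Enable clickjack protection for customer Visualforce pages with headers disabled": "On",
}


if __name__ == "__main__":
    for alert in check_security_controls(CONSTRUCTED_SNAPSHOT):
        found = alert.actual if alert.actual is not None else "<not reported>"
        print(f"[{alert.control_type}] {alert.control_name}: "
              f"expected {alert.expected!r}, found {found!r}")
```

Run against the constructed snapshot, the check raises four alerts: two weakened password policies, the login-page caching setting left on, and the Login-As-User control that the snapshot never reported. Treating an absent control as a finding is deliberate; a drift check that silently skips unknown settings would miss exactly the configuration an administrator forgot to review.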

Adding a Salesforce Instance (Push Controls/Read-Write)

Add or register your Salesforce instance to Oracle CASB Cloud Service to be monitored, and with the capability to push security configuration settings.

To register Salesforce with Oracle CASB Cloud Service, you need the credentials for the Oracle CASB Cloud Service user. The credentials for the Oracle CASB Cloud Service user are either the user's Salesforce login or the user's single sign-on credentials if Salesforce authentication is done through Okta.

In push security controls mode, Oracle CASB Cloud Service checks various security control values in the Salesforce instance, and sets them to the values that you set at registration time. Later, you receive notifications when these security configuration settings change.

These security configuration values are set in the Salesforce Setup console, under Administration, Security Controls. In particular, Oracle CASB Cloud Service monitors the settings in Password Policies and Session Settings.

For more information about the security controls that can be pushed to Salesforce, see Security Control Values for Salesforce (Monitor Only/Read Only).

Note:

You can register the same application instance more than once. However, you should do this with caution because it will result in duplicate data collection. Before registering the Salesforce instance, ensure that you are logged out of Salesforce in the browser that you use for registration and clear the browser cache after logging out.

Adding a Salesforce Instance (Push Controls/Read-Write, Direct Logins)

Add or register a push-controls Salesforce instance, with users logging in directly to Salesforce.

Prerequisites: Make sure you have completed the tasks in Preparing Salesforce.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the icon for Salesforce and click Next.

4. In the Select an instance page:

a. Enter a unique name for this instance. Existing instance names appear at the bottom of the page.

b. If you are registering a Salesforce sandbox, then select the This is a sandbox check box below the instance name field. This enables the registration wizard to recognize your sandbox credentials in a later step because this check box sets the login URL to test.salesforce.com instead of the usual salesforce.com.

c. If you don't want Oracle CASB Cloud Service to track changes down to the level of object fields, deselect the option for history tracking (Monitor field-level history for Salesforce objects).

If you want old and new values of changed fields displayed in field-level history reports, select Report and store values changed from/to. Do this if data may be sensitive enough that it should only be viewed by authorized persons.

d. Leave the check box for The users of this app instance log in using single sign-on through an identity provider unchecked.

e. Click Next.

5. In the Select monitoring type page, select Push controls and monitor.

Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch between the selections that you make on this page and the actual settings in the Salesforce instance.

6. Click Next.

7. In the Select Security Controls page, select one of the following:

• Standard. Ensure that these values are set to the application's own defaults.

• Stringent. Ensure that these values are set to stronger-than-default values.

• Custom. Lets you set the values. For additional details, see Security Control Values for Salesforce (Push Controls/Read-Write).

8. In the Enter credentials page, if the Oracle CASB Cloud Service user logs in directly to Salesforce:

a. Select Sign in with Salesforce username and password.

b. Click Submit. You are temporarily sent to the Salesforce login screen.

c. Enter the user name and password that the Oracle CASB Cloud Service user will use and click Login. After your credentials are accepted, you are returned to the Oracle CASB Cloud Service Success page.

d. Click Done.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Currently, to be able to parse the Salesforce logs, Oracle CASB Cloud Service resets the default language for the account to English and the default locale to English (United States) regardless of the original language and locale.

Adding a Salesforce Instance (Push Controls/Read-Write, IDCS Logins)

Add or register a push-controls Salesforce instance, with users logging in through Oracle Identity Cloud Service (IDCS).

Prerequisites: Make sure you have completed the tasks in Preparing Salesforce.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the icon for Salesforce and click Next.

4. In the Select an instance page:

a. Enter a unique name for this instance. Existing instance names appear at the bottom of the page.

b. If you are registering a Salesforce sandbox, then select the This is a sandbox check box below the instance name field. This enables the registration wizard to recognize your sandbox credentials in a later step because this check box sets the login URL to test.salesforce.com instead of the usual salesforce.com.

c. If you don't want Oracle CASB Cloud Service to track changes down to the level of object fields, deselect the option for history tracking (Monitor field-level history for Salesforce objects).

If you want old and new values of changed fields displayed in field-level history reports, select Report and store values changed from/to. Do this if data may be sensitive enough that it should only be viewed by authorized persons.

d. Select the check box for The users of this app instance log in using single sign-on through an identity provider, open the Select an Identity Provider (IDP) instance list, and select the IDCS option.

Note:

The identity provider instance must already be defined. See Setting Up an Identity Provider Instance.

e. Click Next.

5. In the Select monitoring type page, select Push controls and monitor.

Oracle CASB Cloud Service generates a security control alert in Risk Events whenever it detects a mismatch between the selections that you make on this page and the actual settings in the Salesforce instance.

6. Click Next.

7. In the Select Security Controls page, select one of the following:

• Standard. Ensure that these values are set to the application's own defaults.

• Stringent. Ensure that these values are set to stronger-than-default values.

• Custom. Lets you set the values. For additional details, see Security Control Values for Salesforce (Push Controls/Read-Write).

8. In the Enter credentials page, if the Oracle CASB Cloud Service user logs in directly to Salesforce:

a. Select Sign in with Salesforce username and password.

b. Click Submit. You are temporarily sent to the Salesforce login screen.

c. Enter the user name and password that the Oracle CASB Cloud Service user will use and click Login. After your credentials are accepted, you are returned to the Oracle CASB Cloud Service Success page.

d. Click Done.

Adding a Salesforce Instance (Push Controls/Read-Write, Okta Logins)Add or register a push-controls Salesforce instance, with users logging in toSalesforce through Okta.

Note:

If your Oracle CASB Cloud Service tenant has is configured with theStandalone IDP option, the option to use Okta as the IDP for a newSalesforce is not available.

Prerequisites: Ensure that you complete the tasks in Preparing Salesforce and UsingOkta Single Sign-On with Salesforce.

1. Select Applications from the Navigation menu. If the Navigation Menu is notdisplayed, click the Navigation Menu icon to display it.

Chapter 19Adding a Salesforce Instance

19-18

Page 305: Using Oracle CASB Cloud Service · When CASB Cloud Service Is Integrated with Oracle Identity Cloud Service1-6. Migrating from Non-Metered to Metered Tenant1-8. About Cloud Security

2. Click Add/Modify App.

3. In the Select an app type page, click the Salesforce icon and then click Next.

4. In the Select an instance page,

• In the Type a unique name field, enter a unique name for your applicationinstance. Existing names appear below the name field.

• If you are registering a Salesforce sandbox, select the This is a sandboxcheck box below the instance name field. This enables the registration wizardto recognize your sandbox credentials in a later step because this check boxsets the login URL to test.salesforce.com instead of the usual salesforce.com.

• If you do not want Oracle CASB Cloud Service to track changes down tothe level of object fields, deselect the option for history tracking (Monitorfield-level history for Salesforce objects).

If you want old and new values of changed fields displayed in field-level historyreports, select Report and store values changed from/to. Do this if datamay be sensitive enough that it should only be viewed by authorized persons.

5. If users will log in through an identity provider (IDP):

Note:

The identity provider instance must already be defined. See Setting Upan Identity Provider Instance.

• Select The users of this app instance log in using single sign-on throughan identity provider.

• Select the Okta option from the list.

6. Click Next.

7. In the Enter credentials page, enter the user name and password for the GlobalAdministrator that you set up in Salesforce.

Don't share these credentials with any other user or service.

8. When you are done entering your credentials, click Test Credentials.

9. When testing is done you see a success message. Click Submit. After a brief wait, you are directed to the Salesforce site and prompted to verify your credentials. After completing Salesforce authentication, you are automatically sent back to the Oracle CASB Cloud Service console.

Note:

If you don't complete this step, you can still complete the application registration successfully. However, Oracle CASB Cloud Service will only be able to monitor Salesforce Exchange. It will not be able to access SharePoint/OneDrive or Azure AD. (Authentication within the Salesforce website provides the Oracle CASB Cloud Service user with an authentication token that's required for these additional applications.)

10. When you return to the Oracle CASB Cloud Service console, click Done.


When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Security Control Values for Salesforce (Push Controls/Read-Write)

Review the Salesforce security controls that Oracle CASB Cloud Service monitors, together with the values for their stringent settings.

After registering the Salesforce instance in push controls mode, Oracle CASB Cloud Service sets your preferred values in the application instance. Oracle CASB Cloud Service then scans the security control values in Salesforce and displays security control alerts if those values differ from the values you set at registration time.

The following are Oracle CASB Cloud Service's baseline settings. In general, these settings are more stringent than the default settings in Salesforce. You also can define your own custom settings.

Security Control Type | Security Control Name | Stringent Values | Description
--- | --- | --- | ---
Password policy | User password expires in | 30 days | Password expiration limits the time available to a hacker to break hashed or encrypted credentials and makes it more difficult for a malicious actor to keep a foothold in your systems and networks.
Password policy | Enforce password history | 5 passwords remembered | When you limit the users' ability to reuse previous passwords and passphrases, it helps increase variation and uniqueness of the passwords, and makes it harder for a malicious actor to use password dumps found online and in rainbow tables (a table often used to crack encrypted passwords).
Password policy | Minimum password length | 10 characters | The longer the password, the harder it is to crack, particularly if you also require special characters, numbers, and other recommended best practices.
Password policy | Password complexity requirement | Must mix alphabetic, numeric, and special characters | A combination of alphabetic and numeric characters in users' passwords or passphrases makes them harder to crack.
Password policy | Password question requirement | Cannot contain the password | Using an existing password in the password retrieval question gives away the password to malicious actors.
Password policy | Maximum invalid login attempts | 3 | Limiting the permitted number of successive, failed login attempts is a deterrent for malicious actors who try to randomly guess user passwords (brute-force attack).
Password policy | Lockout effective period | 60 minutes | The lockout effective period prevents malicious actors from flooding the system by bombarding it with login attempts.
Password policy | Obscure secret answer for password resets | On | Obscuring the secret answer for password resets makes it more difficult for malicious actors to use screen capture to collect information that can enable account hijacking.
Session setting | Timeout value | 30 minutes | Session timeout values make it more difficult for malicious actors to attempt session hijacking.
Session setting | Disable session timeout warning popup | On | The session timeout warning notifies users when their sessions are idle for at least half of the available session time.
Session setting | Lock sessions to the IP address from which they originated | On | This setting allows you to lock sessions to the IP address from which they originated.
Session setting | Force relogin after Login-As-User | On | This setting allows you to force administrators to log in with their normal account credentials after performing a Login-As-User, which allows them to assume another person's identity.
Session setting | Enable caching and autocomplete on login page | Off | This setting lets you prevent the user's browser from caching account credentials and enabling autocomplete on the login page.
Session setting | Enable clickjack protection for customer Visualforce pages with standard headers | On | This setting limits or prevents the use of hidden iframes.
Session setting | Enable clickjack protection for customer Visualforce pages with headers disabled | On | This setting limits or prevents the use of hidden iframes.

Updating a Salesforce Instance

Modify settings for an existing Salesforce instance.


Updating the Credentials for a Salesforce Instance

Change the user name and password for a Salesforce instance.

When the login credentials that you used to register a Salesforce instance expire, you must update these credentials both in Salesforce and in the Oracle CASB Cloud Service console. If you replace the credentials in Salesforce (regardless of whether they have expired), then you also must replace them in the Oracle CASB Cloud Service console.

In some rare cases, a Salesforce administrator might revoke an item known as an OAuth token for the Oracle CASB Cloud Service account. In this case, Oracle CASB Cloud Service may stop monitoring this Salesforce instance, but you can re-establish the connection using the following procedure, which reestablishes your login credentials.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In the Update credentials page, enter the user name and password in the text fields, and then click Test Credentials.

3. When testing is done, you see a success message. Click Submit. After a brief wait, you are directed to the Office 365 site and prompted to verify your credentials. After completing the Office 365 authentication, you are automatically sent back to the Oracle CASB Cloud Service console.

4. Click Next to view the confirmation page.

Updating the Monitoring of Field-Level History in Salesforce

Change the field-level history monitoring setting in Salesforce.

Salesforce lets you maintain a history of changes that users make to fields in standard and custom objects (for example, Leads, Contacts, and Contracts). Salesforce supports history tracking for up to 20 fields in an object.

By default, Oracle CASB Cloud Service monitors the field-level history in Salesforce. You can disable field-level history tracking for Oracle CASB Cloud Service, or re-enable it after registration.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update monitoring properties.

• In grid view, drop down the Action list for the instance you want to modify and select Update monitoring properties.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update monitoring properties, and then select the application instance you want to modify and click Next.

2. In the Update monitoring properties page:

• Select or deselect the check box for Monitor field-level history for Salesforce objects, as required.

• If you selected Monitor field-level history for Salesforce objects, and you want old and new values of changed fields displayed in reports, select Report and store values changed from/to. Do this only if data is not sensitive enough that it should only be viewed by authorized persons.

• When done making changes, click Next.

3. On the Success page, click Done.

Updating the IDP Instance for a Salesforce Instance

Change the way a Salesforce instance communicates with an identity provider (IDP).

You can update the way that a Salesforce instance communicates with an identity provider (IDP) in several ways:

• You can change an existing Salesforce instance that is authenticating to an IDP instance so that it authenticates to a different IDP instance.

• You can also switch a Salesforce instance from authenticating directly with the IDP to authenticating with the IDP through an IDP instance.

• You can't switch a Salesforce instance that is authenticating with the IDP through an IDP instance to directly authenticating to the IDP.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update IDP Instance.

• In grid view, drop down the Action list for the instance you want to modify and select Update IDP Instance.


Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update IDP Instance, and then select the application instance you want to modify and click Next.

2. In the Update IDP instance page, change the identity provider (IDP) instance, the active application defined in the identity provider, or both, and then click Next.

3. In the Success page, click Done.

Updating the Security Control Baseline for a Salesforce Instance

Change security control baseline settings for a Salesforce instance that was added in either monitor-only mode or push controls mode.

When you register a Salesforce account in default monitor-only mode, Oracle CASB Cloud Service automatically monitors for security-related configurations, and generates an alert when a security control value doesn't match the Oracle CASB Cloud Service stringent setting. For example, if an AWS administrator permits users to have 5-character passwords, then Oracle CASB Cloud Service generates an alert.

You also can register a Salesforce account in push controls mode, in which case Oracle CASB Cloud Service sets the desired values in your account, and then generates alerts when these values are changed.

After application registration, you can modify the alerting baseline that Oracle CASB Cloud Service uses. For example, you can change the baseline for minimum password length from 10 to 12 characters.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance that you want to modify, and then in the Health Summary, select Modify, Update security control baseline.

• In grid view, drop down the Action list for the instance you want to modify and select Update security control baseline.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update security control baseline, and then select the application instance you want to modify and click Next.

2. In the Update Security Control Baseline page, select the baseline type that you want. For more information about these options, see Security Control Values for Salesforce (Push Controls/Read-Write).

• Stringent. Oracle CASB Cloud Service uses its own stringent values.

• Default. Oracle CASB Cloud Service uses the Salesforce defaults.


• Custom. You set the values that you want Oracle CASB Cloud Service to monitor for.

3. Save your changes.

Oracle CASB Cloud Service now generates a security control alert in Risk Events whenever it detects a mismatch of any kind between the saved baseline and the actual settings in the Salesforce instance.
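The following is an added example, not Oracle's code, that shows in JavaScript the kind of comparison the security control scan performs: it takes the stringent values from the Security Control Values for Salesforce table, lets you derive a custom baseline by overriding selected values (for example, minimum password length 12 instead of 10), and reports every control whose actual value differs from the baseline, including ones that are stricter than the baseline, since the service alerts on a mismatch of any kind. The setting keys and the sample settings snapshot are constructed for this example and are not the identifiers Salesforce or Oracle CASB Cloud Service use internally; the weaker/stricter classification is an addition to help triage alerts and is not part of the page's description.

```javascript
// Added example, not Oracle's code: a baseline comparison in the style of the
// security-control scan described above. The setting keys and the sample
// snapshot are constructed for this example; they are not the identifiers
// Salesforce or Oracle CASB Cloud Service use internally.

// Stringent values from the table above. For numeric controls, "stricter"
// records which direction is tighter than the baseline, so a mismatch can be
// triaged as weaker or stricter than what the baseline asks for.
const STRINGENT_BASELINE = {
  passwordExpiresDays:                { value: 30, stricter: "lower" },
  passwordHistoryRemembered:          { value: 5, stricter: "higher" },
  minimumPasswordLength:              { value: 10, stricter: "higher" },
  passwordComplexity:                 { value: "alpha-numeric-special" },
  passwordQuestionRequirement:        { value: "cannot-contain-password" },
  maximumInvalidLoginAttempts:        { value: 3, stricter: "lower" },
  lockoutEffectiveMinutes:            { value: 60, stricter: "higher" },
  obscureSecretAnswerForResets:       { value: true },
  sessionTimeoutMinutes:              { value: 30, stricter: "lower" },
  disableSessionTimeoutWarning:       { value: true },
  lockSessionsToOriginIp:             { value: true },
  forceReloginAfterLoginAsUser:       { value: true },
  loginPageCachingAndAutocomplete:    { value: false },
  clickjackProtectionStandardHeaders: { value: true },
  clickjackProtectionHeadersDisabled: { value: true },
};

// A custom baseline is the stringent one with selected values overridden,
// for example raising the minimum password length from 10 to 12.
function customBaseline(overrides) {
  const baseline = {};
  for (const [name, control] of Object.entries(STRINGENT_BASELINE)) {
    baseline[name] = name in overrides ? { ...control, value: overrides[name] } : control;
  }
  return baseline;
}

// Report every control whose actual value differs from the baseline, as the
// scan does: a control missing from the snapshot is reported as "missing",
// a numeric control as "weaker" or "stricter", anything else as "differs".
function compareToBaseline(settings, baseline) {
  const alerts = [];
  for (const [name, control] of Object.entries(baseline)) {
    if (!(name in settings)) {
      alerts.push({ control: name, expected: control.value, actual: undefined, direction: "missing" });
      continue;
    }
    const actual = settings[name];
    if (actual === control.value) continue;
    let direction = "differs";
    if (typeof actual === "number" && control.stricter) {
      const tighter = control.stricter === "lower" ? actual < control.value : actual > control.value;
      direction = tighter ? "stricter" : "weaker";
    }
    alerts.push({ control: name, expected: control.value, actual, direction });
  }
  return alerts;
}

// Names of the controls that are set more loosely than the baseline; these
// are the alerts to act on first.
function weakerControls(alerts) {
  return alerts.filter((a) => a.direction === "weaker").map((a) => a.control);
}

// Constructed snapshot of one org's settings (sample data, not a real org).
const SAMPLE_SETTINGS = {
  passwordExpiresDays: 90,            // weaker than 30 days
  passwordHistoryRemembered: 5,
  minimumPasswordLength: 8,           // weaker than 10 characters
  passwordComplexity: "alpha-numeric-special",
  passwordQuestionRequirement: "cannot-contain-password",
  maximumInvalidLoginAttempts: 3,
  lockoutEffectiveMinutes: 120,       // stricter than 60, still reported
  obscureSecretAnswerForResets: true,
  sessionTimeoutMinutes: 30,
  disableSessionTimeoutWarning: true,
  lockSessionsToOriginIp: false,      // differs from the baseline
  forceReloginAfterLoginAsUser: true,
  loginPageCachingAndAutocomplete: false,
  clickjackProtectionStandardHeaders: true,
  // clickjackProtectionHeadersDisabled is absent from the snapshot
};

for (const a of compareToBaseline(SAMPLE_SETTINGS, STRINGENT_BASELINE)) {
  console.log(`${a.direction.padEnd(8)} ${a.control}: expected ${a.expected}, actual ${a.actual}`);
}
```

Run with Node.js; the sample snapshot produces five alerts, two of them weaker than the baseline. A control that is absent from the snapshot is reported rather than silently passed, which is the behaviour you want from a compliance check: an unknown value is not a compliant value.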

Troubleshooting for Salesforce

Review error messages and actions for problems you may encounter with Salesforce in Oracle CASB Cloud Service.

Blocked OAuth Token Error

An administrator has set the Oracle CASB Cloud Service account's OAuth token status to Blocked.

Error: The Salesforce administrator has blocked the OAuth token. Cannot access the application.

Action:

1. In Salesforce, go to Setup, Administrator, Manage Apps, Connected Apps OAuth Usage.

2. In the OAuth usage page, in the Action column for Oracle CASB Cloud Service Platform, click Unblock.

Next Steps for Salesforce

Now that you have finished setting up your Salesforce instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Salesforce instance:

• Creating Policy Alerts for Salesforce — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Salesforce — to view predefined reports for Salesforce.

See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


20 Setting Up ServiceNow

Prepare ServiceNow and register your application instance with Oracle CASB Cloud Service for security monitoring.

Oracle CASB Cloud Service detects potential risks in your ServiceNow account, including activity within ServiceNow that violates your policies (for example, changes to user roles) and user behavior patterns that are suspicious.

Topics:

• Typical Workflow for ServiceNow Monitoring

• About ServiceNow Security Monitoring

• Preparing ServiceNow

• Adding a ServiceNow Instance

• Updating the Credentials for a ServiceNow Instance

Typical Workflow for ServiceNow Monitoring

With Oracle CASB Cloud Service, you can monitor ServiceNow to detect potential risks.

Task | Description | Additional Information
--- | --- | ---
Understand ServiceNow cloud security. | You can learn how Oracle CASB Cloud Service automatically detects threats to your ServiceNow environment such as possible hijacking of accounts and devices, insider threats from escalated privileges, and unattended (inactive) accounts. | About ServiceNow Security Monitoring
Prepare ServiceNow. | You can set up an Oracle CASB Cloud Service account in your ServiceNow application instance. | Preparing ServiceNow
Add a ServiceNow instance. | You can register a ServiceNow application instance. | Adding a ServiceNow Instance
Update the credentials for a ServiceNow instance. | You can update a ServiceNow instance when the login credentials that you used to register the instance expire or are updated. | Updating the Credentials for a ServiceNow Instance


About ServiceNow Security Monitoring

Learn about the different types of security monitoring Oracle CASB Cloud Service performs for ServiceNow.

ServiceNow provides cloud services for IT operations. Oracle CASB Cloud Service automatically detects threats to your ServiceNow environment such as possible hijacking of accounts and devices, insider threats from escalated privileges, and unattended (inactive) accounts.

You can define alerts for issues that are unique to your environment, including actions taken on ServiceNow roles, users, and incident tickets.

How Oracle CASB Cloud Service Helps Protect ServiceNow Resources

Risk | How You Can Use Oracle CASB Cloud Service to Manage the Risk
--- | ---
Privileged insider abuse through overly privileged roles, impersonation, and role escalation | Oracle CASB Cloud Service monitors the most highly privileged users and provides alerts when it detects overly-privileged accounts.
Data breach through oversharing and compromised customer data (social security numbers, credit card-related information) | Oracle CASB Cloud Service automatically detects when user activity appears to be unusual. You can also define alerts that are triggered when users are granted excessive permissions.
Unauthorized external access through credential sharing, credential hijacking, brute-force attacks, and suspicious IP addresses | Oracle CASB Cloud Service automatically detects access from blacklisted IP addresses. It also classifies various behavioral patterns as threats, including requests from suspicious geographical locations, failed logins followed by a successful login and a series of suspicious actions, and the same IP address attempting to log in from multiple locations in a short time span.
Tampering with critical systems such as task tables and scripts | You can use ServiceNow tags in alerts that you define in Oracle CASB Cloud Service to identify sensitive actions taken on critical systems.
Weak security configurations | Oracle CASB Cloud Service identifies a preferred security baseline for ServiceNow and lets you know when the actual configuration deviates from the baseline.

Preparing ServiceNow

Create a dedicated ServiceNow account that is reserved for communication with Oracle CASB Cloud Service.

Before registering your ServiceNow application instance with Oracle CASB Cloud Service, you must create a dedicated administrative user within ServiceNow and ensure that the system tables record the types of data that Oracle CASB Cloud Service requires.

The user can't use multi-factor or federated authentication (for example, through a single sign-on service). You will use the login credentials for this user to allow Oracle CASB Cloud Service to connect to ServiceNow and retrieve system events.


You also must configure ServiceNow so that it writes events to a log file (for Oracle CASB Cloud Service's consumption).

Preparing the Oracle CASB Cloud Service User (Eureka)

Create a dedicated user with administrative privileges in ServiceNow for the Eureka release.

1. Log in to the ServiceNow account as an administrator with permission to create other administrators.

2. Select User Administration, select Users, click New, and in the new user page, give the user a user ID (for example, OCCSuser), and provide an email address where you want email for this user to be sent. Ensure that you can access this email account.

3. Supply a user name and then click Submit.

4. In the Users listing page, select the Oracle CASB Cloud Service user that you just created (for example, OCCSuser).

5. In the Roles section for the user, click Edit.

6. In the role Collection list, search for the admin role, and then click the Add arrow to assign the role to this user.

Note:

With the Eureka release of ServiceNow, administrator privileges are required for this user, in order for Oracle CASB Cloud Service to read the sysevents table, which provides the auditing information for most of the objects that need to be monitored. Eureka does not provide a read-only role that can access this table.

7. Click Save.

8. Perform the remaining steps in Preparing the ServiceNow Environment (Eureka, Fuji, Geneva, Jakarta and Kingston).

Preparing the Oracle CASB Cloud Service User (Fuji, Geneva, Jakarta and Kingston)

Create a dedicated user with sufficient privileges in ServiceNow for the Fuji, Geneva, Jakarta and Kingston releases.

1. Log in to the ServiceNow account as an administrator with permission to create other administrators.

2. Select User Administration, select Users, click New, and in the new user page, give the user a user ID (for example, OCCSuser), and provide an email address where you want email for this user to be sent. Ensure that you can access this email account.

3. Supply a user name and then click Submit.

4. In the Users listing page, select the Oracle CASB Cloud Service user that you just created (for example, OCCSuser).


5. In the Roles section for the user, click Edit.

6. In the role Collection list, search for the snc_read_only role, and then click the Add arrow to assign the role to this user.

7. Click Save.

8. Perform the remaining steps in Preparing the ServiceNow Environment (Eureka, Fuji, Geneva, Jakarta and Kingston).

Preparing the ServiceNow Environment (Eureka, Fuji, Geneva, Jakarta and Kingston)

Perform additional tasks required by Eureka, Fuji, Geneva, Jakarta and Kingston versions of ServiceNow.

Updating the System Tables in ServiceNow

Update the ServiceNow (Eureka, Fuji, and Jakarta) system tables to work with Oracle CASB Cloud Service.

1. In ServiceNow, go to System Properties, select UI Properties, and then scroll down the page to the List of system tables.

2. In the text field, add the following tables: sys_attachment, sys_script_client.

3. In the text field, verify that these tables are present:

• sys_user

• sys_user_group

• sys_user_role

• sys_user_has_role

• sys_user_grmember

• sys_group_has_role

If the sys_user_role table is not present, add it. This table is required in order to audit delete events for roles.

4. For Jakarta and later versions of ServiceNow, if you want to use the snc_read_only role for Oracle CASB Cloud Service to monitor ServiceNow, you need to enable that role for each of the following tables:

• sysevent

• sys_audit_role

• sys_audit_delete

• syslog_transaction

In the ServiceNow console, search for “table” and select System Definition, Tables in the search results, then perform the following steps for each of the tables listed above:

a. Open table details.

i. Type the table name in the box at the top and press Enter.


ii. In the Name column, locate the table name you entered and click the Event link in that row.

b. On the TableAudit Roles page, scroll down to the Controls section.

c. Select the check box for Create access controls.

d. In the User role field, set snc_read_only role.

i. Click the Lookup using list icon to the right of the User role box,

ii. In the Roles dialog box, type snc_read_only and press Enter.

iii. Select snc_read_only from the list.

e. Click Update in the top right corner to update the record.

(Optional) Configuring ServiceNow to Write Data Collector Script Events to Its Log

Configure ServiceNow (Eureka, Fuji, and Jakarta) to write data collector script events to its log, for Oracle CASB Cloud Service to pick up.

This task is necessary for Oracle CASB Cloud Service to monitor the ServiceNow data collector. If you do not use the ServiceNow data collector, do not want it audited, or don’t have data collector policies in place, you can skip this task.

1. In ServiceNow, go to System Definition, and then select Business Rules.

2. In the business rules page, click New.

3. In the create rule page, enter a name (for example, DataCollectorEventLogs).

4. In the Table drop-down menu, select Script [pa_scripts].

5. Select the Advanced check box. The focus of the page shifts to the Advanced section.

6. Scroll up the page to the When to run section. Click the When drop-down menu and select the option After, and then select the check boxes for Insert, Update, and Delete. Note that you had to select the Advanced check box in the previous step for these options to appear.

7. Scroll down to the Advanced section and paste the following in the code box between the braces:

    function onAfter(current, previous) {
        // Queue one audit event per operation, naming the record, the acting
        // user's sys_id, and the user name; Oracle CASB Cloud Service reads
        // these events from the ServiceNow log.
        if (current.operation() == 'insert') {
            gs.eventQueue("script.insert", current, gs.getUserID(), gs.getUserName());
        } else if (current.operation() == 'update') {
            gs.eventQueue("script.update", current, gs.getUserID(), gs.getUserName());
        } else if (current.operation() == 'delete') {
            gs.eventQueue("script.delete", current, gs.getUserID(), gs.getUserName());
        }
    }


8. Click Submit.

(Optional) Configuring ServiceNow to Write Client Script Events to Its Log

Configure ServiceNow (Eureka, Fuji, and Jakarta) to write client script events to its log, for Oracle CASB Cloud Service to pick up.

This task is necessary for Oracle CASB Cloud Service to monitor ServiceNow client script events. If you do not use the ServiceNow client script, do not want it audited, or don’t have client script policies in place, you can skip this task.

1. In ServiceNow, go to System Definition, and then select Business Rules.

2. In the business rules page, click New.

3. In the create rule page, enter a name for the rule (for example, ClientEventLogs).

4. In the Table drop-down menu, select Client Script [sys_script_client].

5. Select the Advanced check box. The focus of the page shifts to the Advanced section.

6. Scroll up the page to the When to run section. Click the When drop-down menu and select the option After, and then select the check boxes for Insert, Update, and Delete. Note that you had to select the Advanced check box in the previous step for these options to appear.

7. Scroll down to the Advanced section and paste the following in the code box between the braces:

    function onAfter(current, previous) {
        // Queue one audit event per operation, naming the record, the acting
        // user's sys_id, and the user name; Oracle CASB Cloud Service reads
        // these events from the ServiceNow log.
        if (current.operation() == 'insert') {
            gs.eventQueue("script.insert", current, gs.getUserID(), gs.getUserName());
        } else if (current.operation() == 'update') {
            gs.eventQueue("script.update", current, gs.getUserID(), gs.getUserName());
        } else if (current.operation() == 'delete') {
            gs.eventQueue("script.delete", current, gs.getUserID(), gs.getUserName());
        }
    }

8. Click Submit.
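Both business rules above (the one on Script [pa_scripts] and the one on Client Script [sys_script_client]) paste the same onAfter body, which queues a script.insert, script.update or script.delete event with the acting user's ID and name. The following is an added example, not Oracle's or ServiceNow's code, that runs that body outside the platform against stub GlideSystem and GlideRecord objects, so you can see exactly which events reach the queue for a given sequence of record operations and confirm that operations the rule does not handle (such as a query) produce nothing. Inside ServiceNow, gs is a global and you would not pass it as a parameter; the stubs, the user name OCCSuser, and the sys_id values are constructed for this example.

```javascript
// Added example, not Oracle's or ServiceNow's code: runs the onAfter rule from
// the steps above against stub objects so you can see which audit events it
// queues. ServiceNow supplies GlideSystem (gs) and the current GlideRecord at
// run time; the stubs and the sample operations here are constructed.

// Stand-in for GlideSystem that only records what eventQueue was called with.
function makeGlideSystemStub(userId, userName) {
  const queued = [];
  return {
    queued,
    getUserID: () => userId,
    getUserName: () => userName,
    eventQueue: (name, record, parm1, parm2) =>
      queued.push({ name, table: record.getTableName(), sysId: record.getValue("sys_id"), parm1, parm2 }),
  };
}

// Stand-in for the "current" GlideRecord: its table, sys_id, and the
// operation that has just completed.
function makeRecordStub(table, sysId, operation) {
  return {
    getTableName: () => table,
    getValue: (field) => (field === "sys_id" ? sysId : null),
    operation: () => operation,
  };
}

// The rule body from the steps above. Inside ServiceNow, gs is a global; here
// it is passed in so the function can run outside the platform.
function onAfter(current, previous, gs) {
  if (current.operation() == 'insert') {
    gs.eventQueue("script.insert", current, gs.getUserID(), gs.getUserName());
  } else if (current.operation() == 'update') {
    gs.eventQueue("script.update", current, gs.getUserID(), gs.getUserName());
  } else if (current.operation() == 'delete') {
    gs.eventQueue("script.delete", current, gs.getUserID(), gs.getUserName());
  }
}

// Push a sequence of record operations through the rule and return the
// events that ended up in the queue (constructed user sys_id and name).
function replay(operations) {
  const gs = makeGlideSystemStub("example-user-sys-id", "OCCSuser");
  for (const op of operations) {
    onAfter(makeRecordStub(op.table, op.sysId, op.operation), null, gs);
  }
  return gs.queued;
}

// Constructed operations against the two tables the rules above are attached to.
const SAMPLE_OPERATIONS = [
  { table: "pa_scripts",        sysId: "example-a1", operation: "insert" },
  { table: "pa_scripts",        sysId: "example-a1", operation: "update" },
  { table: "sys_script_client", sysId: "example-b2", operation: "delete" },
  { table: "pa_scripts",        sysId: "example-c3", operation: "query" }, // not handled by the rule
];

for (const ev of replay(SAMPLE_OPERATIONS)) {
  console.log(`${ev.name} on ${ev.table}/${ev.sysId} by ${ev.parm2} (${ev.parm1})`);
}
```

Run with Node.js. Because the rule carries the user ID and name as event parameters, each queued event is attributable to a specific ServiceNow user, which is what makes the events useful as an audit trail for script changes.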

You can now add or register this ServiceNow account with Oracle CASB Cloud Service. See Adding a ServiceNow Instance.

Adding a ServiceNow Instance

Add or register your ServiceNow instance to Oracle CASB Cloud Service.

Prerequisites: Ensure that you have completed all the required tasks in Preparing ServiceNow.


To register ServiceNow with the Oracle CASB Cloud Service, you need the user ID and password. The user ID and password belong to the Oracle CASB Cloud Service administrator account that you created in ServiceNow.

Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn’t provide any additional information.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the ServiceNow icon, and then click Next.

4. In the Select an instance page, enter a unique name for your application instance. Any existing names appear below the name field.

5. Click Next.

6. In the Enter credentials page, provide the user ID and password for the Oracle CASB Cloud Service administrator account that you created in ServiceNow. Don't share these credentials with another user or service.

7. Click Test Credentials.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Updating the Credentials for a ServiceNow Instance

Update the user ID and password for the dedicated Oracle CASB Cloud Service user.

When the login credentials that you used to register a ServiceNow instance expire or are updated, you must update these credentials both in ServiceNow and in the Oracle CASB Cloud Service console.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.


2. In the Update Credentials page, enter the current values for all the fields:

• Instance name at service-now.com (<instancename>.service-now.com)

• Username and new Password for the Oracle CASB Cloud Service administrative user in ServiceNow.

3. Click Test Credentials.

4. After the credentials are verified, click Submit to view a verification page.

Next Steps for ServiceNowNow that you have finished setting up your ServiceNow instance for monitoring,you can take additional steps to enhance its security, or you can start viewing andanalyzing the monitored data right away.

Follow one of the links below to start working with your new ServiceNow instance:

• Creating Policy Alerts for ServiceNow — to create custom customized alertsfor situations that you specify, make your configuration settings more secure,and enable monitoring of shadow applications that are operating in the sameenvironment as your application instance.

See the opening sections of the Creating Policies and Managing PolicyAlertschapter for general information about creating and managing policy alerts.

• Viewing Reports for ServiceNow — to view predefined reports for ServiceNow.

See the opening sections of the Creating and Running Reports chapter for generalinformation about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies andThreats, and Tracking Incident Tickets chapters — for general information aboutanalyzing and managing the information on security threats that Oracle CASBCloud Service provides.


21 Setting Up Slack

Prepare Slack and register your application instance with Oracle CASB Cloud Service for security monitoring.

Topics:

• Typical Workflow for Slack Monitoring

• About Slack Cloud Security Monitoring

• Preparing Slack

• Adding a Slack Instance

• Updating the Credentials for a Slack Instance

Typical Workflow for Slack Monitoring

With Oracle CASB Cloud Service, you can monitor Slack to detect potential risks.

Task | Description | Additional Information
Understand Slack cloud security. | You can learn about how Oracle CASB Cloud Service monitors a wide variety of risks in the Slack cloud. | About Slack Cloud Security Monitoring
Prepare Slack. | You can set up an Oracle CASB Cloud Service account in Slack. | Preparing Slack
Add a Slack instance. | You can register a Slack application instance in Oracle CASB Cloud Service. | Adding a Slack Instance
Update the credentials for a Slack instance. | You can update a Slack instance when the login credentials that you used to register the instance expire or are updated. | Updating the Credentials for a Slack Instance

About Slack Cloud Security Monitoring

Learn about the different types of security monitoring Oracle CASB Cloud Service performs for Slack.

Slack provides cloud messaging services for teams. Oracle CASB Cloud Service automatically detects threats to your Slack environment such as making changes to user roles or a public channel.


Note:

Oracle CASB Cloud Service supports only Standard and Plus editions of Slack. Free and Enterprise Grid editions are not supported.

Preparing Slack

Select a Slack user account to be used for communication with Oracle CASB Cloud Service.

Prerequisite: In order to be monitored by Oracle CASB Cloud Service, the edition of Slack that you are using must be Standard or Plus. Free and Enterprise Grid editions are not supported.

Because Slack uses OAuth 2.0, you don't need to set up a special user account to support monitoring by Oracle CASB Cloud Service. You can use the credentials of any user registered in the Slack team who has owner privileges.

Adding a Slack Instance

Add or register your Slack instance to Oracle CASB Cloud Service.

To register Slack with Oracle CASB Cloud Service, you need the user ID and password that belongs to the member with admin or owner privileges that you specified when you prepared Slack.

Note:

You should not add, or register, the same application instance more than once. An additional registration seriously impacts performance and doesn't provide any additional information.

You can only register Slack in Monitor-Only mode.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Add/Modify App.

3. In the Select an app type page, click the Slack icon, then click Next.

4. In the Select an instance page, enter a unique name for your application instance. Any existing names appear below the name field.

5. Click Next.

You are sent to slack.com to log in as the user you chose in Preparing Slack.

6. On slack.com, ensure that you are signed in to the team you want to use with Oracle CASB Cloud Service, using the user ID and password for the user you chose in Preparing Slack.

This user can continue to use the Slack team messaging, but don't share these credentials with any other user or service.


7. On the next page, click Authorize to return to Oracle CASB Cloud Service.

• If Slack accepts your credentials, you see a Success message, and your Slack instance is now added.

• If Slack rejects your credentials, you see an error message saying that the user must be an admin or owner. Slack may reject you if you are a guest user or a member without admin privileges.

When the registration process is complete, your application instance appears on the Applications page. You start to see data for this instance after 30 minutes or so, although a complete synchronization will take longer.

Updating the Credentials for a Slack Instance

Update the user ID and password for the Oracle CASB Cloud Service user.

When the login credentials that you used to register a Slack instance expire or are updated, you must update these credentials both in Slack and in the Oracle CASB Cloud Service console.

The Slack user should never be demoted to a role lower than admin.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify and select Update credentials.

Tip:

Alternatively, from the Dashboard or the Applications page, you can select Add/Modify App, Modify an app instance, Update credentials, and then select the application instance you want to modify and click Next.

2. In slack.com, make sure you are signed in to the team you want to use with Oracle CASB Cloud Service, using the user ID and password for the user you chose in Preparing Slack.

3. On the next page, click Authorize to return to Oracle CASB Cloud Service.

• If Slack accepts your credentials, you see a Success message, and your Slack instance is now added.

• If Slack rejects your credentials, then you see an error message saying the user must be an admin or owner. Slack may reject you if you are a guest user or a member without admin privileges.


Next Steps for Slack

Now that you have finished setting up your Slack instance for monitoring, you can take additional steps to enhance its security, or you can start viewing and analyzing the monitored data right away.

Follow one of the links below to start working with your new Slack instance:

• Creating Policy Alerts for Slack — to create customized alerts for situations that you specify, make your configuration settings more secure, and enable monitoring of shadow applications that are operating in the same environment as your application instance.

See the opening sections of the Creating Policies and Managing Policy Alerts chapter for general information about creating and managing policy alerts.

• Viewing Reports for Slack — to view predefined reports for Slack.

See the opening sections of the Creating and Running Reports chapter for general information about creating and running reports.

• Analyzing User Activity Risks and Trends, Managing Behavioral Anomalies and Threats, and Tracking Incident Tickets chapters — for general information about analyzing and managing the information on security threats that Oracle CASB Cloud Service provides.


Part IV Enhancing Security

Implement additional security screening for an application after you set up the application for monitoring in Oracle CASB Cloud Service.

Chapters:

• Creating Policies and Managing Policy Alerts

• Maintaining Secure Configuration Settings

• Discovering Shadow Applications


22 Creating Policies and Managing Policy Alerts

Create custom policies for alerts to supplement the predefined policies provided with each application that you add.

A policy is a rule or a guideline, such as "only people in Finance can view files in the Finance folder" or "any change to network access rules must be reviewed." In Oracle CASB Cloud Service, you define policies based on:

• Particular cloud services, such as Box, GitHub, or ServiceNow

• Particular resources in the service, such as a file or folder, or any resource in the service

• Particular actions on the resource or resources, such as share, download, or collaborate

• Optionally, items such as actors, recipients, whole groups of users, domains, and IP addresses

Oracle CASB Cloud Service generates an alert whenever an event that matches the policy occurs. The console displays a description of the policy violation and can provide recommendations for responding to it. You can also configure the alert to be sent to you over email or SMS.

Topics:

• Typical Workflow for Creating Policies and Managing Policy Alerts

• About Policy Alerts

• Getting Started with Policies

• Oracle CASB Cloud Service Administrator Roles and Policies

• Working with Managed Policies

• Managing Policy Alerts in Risk Events

• Creating a Policy

• Modifying a Custom Policy

• Example Alert: Changes to a Sensitive File

Application-Specific Topics:

• Creating Policy Alerts for AWS

• Creating Policy Alerts for Azure

• Creating Policy Alerts for Box


• Creating Policy Alerts for Discovered Applications

• Creating Policy Alerts for GitHub

• Creating Policy Alerts for Google for Work

• Creating Policy Alerts for Office 365

• Creating Policy Alerts for Office 365 Exchange Online

• Creating Policy Alerts for Office 365 SharePoint and OneDrive

• Creating Policy Alerts for Office 365 Azure Active Directory

• Creating Policy Alerts for Oracle Cloud Infrastructure (OCI)

• Creating Policy Alerts for Oracle ERP Cloud

• Creating Policy Alerts for Oracle HCM Cloud

• Creating Policy Alerts for Oracle Identity Cloud Service (IDCS)

• Creating Policy Alerts for Oracle Sales Cloud

• Creating Policy Alerts for Salesforce

• Creating Policy Alerts for ServiceNow

• Creating Policy Alerts for Slack

Typical Workflow for Creating Policies and Managing Policy Alerts

With Oracle CASB Cloud Service, you can create policies and manage policy alerts.

Task | Description | Additional Information
Understand policy alerts. | You can learn about how Oracle CASB Cloud Service can compare activity in the cloud with policies that you define, and generate an alert any time it detects a policy violation. | About Policy Alerts
Understand managed policies and custom policies. | You can learn about managed policies that are available and any custom policies already created. | Getting Started with Policies
Understand administrator roles and policies. | You can learn about different administrator roles in Oracle CASB Cloud Service and the administrative rights they have with policies. | Oracle CASB Cloud Service Administrator Roles and Policies
Understand managed policies. | You can learn how managed policy alerts are updated, and how to change subscription status and create modifiable copies. | Working with Managed Policies
Manage policy alerts. | You can view the log data for events to determine how serious they are, view the incident for the event, create a new incident, or, if you feel that an incident does not need further attention, dismiss it. | Managing Policy Alerts in Risk Events
Create a policy. | You can create a policy for any application instances, or all instances of the same application type. | Creating a Policy
Modify a policy. | You can change the rules of a policy so that it is more inclusive or restrictive in terms of the alerts that it generates. | Modifying a Custom Policy
See how to create a sample policy alert. | You can review steps for creating a specific policy to generate an alert when a particular file is shared. | Example Alert: Changes to a Sensitive File
Create custom policy alerts for specific application types. | See how you can create custom policy alerts for a variety of situations that are specific to different application types. | Creating Policy Alerts for AWS; Creating Policy Alerts for Box; Creating Policy Alerts for GitHub; Creating Policy Alerts for Google for Work; Creating Policy Alerts for Office 365 Exchange Online; Creating Policy Alerts for Office 365 SharePoint and OneDrive; Creating Policy Alerts for Office 365 Azure Active Directory; Creating Policy Alerts for Salesforce; Creating Policy Alerts for ServiceNow; Creating Policy Alerts for Slack

About Policy Alerts

Learn about the different types of policies you can use to generate alerts for suspicious activity.

Managed Policies

Oracle CASB Cloud Service provides a predefined set of policies, called "managed policies," for most application types.

Managed policies are a new generation of policies that are refined to provide:


• Better, higher value alerts — configured for real vulnerabilities

• Actionable outcomes — clear guidance on actions to take

• Reduced “noise” — fewer alerts that are “false positives”

• “Expertise out-of-the-box” — you don’t have to be a security expert in order to set up useful alerts

Some managed policies require you to provide environment-specific information in order for them to operate properly.

For more information on managing managed policies, see Working with Managed Policies.

Custom Policies

To supplement the alerts provided by managed policies, you can create custom policies that will generate alerts whenever the exact conditions that you specify are met. These include specific actions on specific resources, and optionally you may specify users or groups taking the actions, or other specific conditions under which the actions are taken. Policies are defined for a single application type, but they can be set to apply to one instance, all instances, or a specific list of instances of the application that are registered in your Oracle CASB Cloud Service tenant.

For more information on creating custom policies, see Creating a Policy.

Policy Alerts in Risk Score Computations

To have policy alert violations included in the computation of the risk score for individual users, select the Include in user risk score check box on the policy wizard's Name page when you create or modify a custom policy.

Policy Names on the Risk Events Page

By default, when a policy alert generates a risk event, an internally generated name is displayed in the SUMMARY column on the Risk Events page. You can set a preference to display the policy name instead of the internally generated name. This lets you control what you see in the SUMMARY column for risk events that are triggered by a policy alert. See Setting Your Preferences.

Components of Policies

As described in Policy Alerts (Rule-Based Alerting), Oracle CASB Cloud Service can compare activity in the cloud with policies, or sets of rules, that you define, and generate an alert any time it detects a policy violation. Examples:

• Detect when users share a Box file that is tagged "Confidential" with someone outside of the organization.

• Detect when someone adds users to an AWS security group that should be locked.

When Oracle CASB Cloud Service detects behaviors that correspond to these rules, it produces alerts that describe the policy violation and can provide recommendations for responding to them.

Each policy has these components:

Resources


Every cloud application has resources that people use in some way. As a security precaution, you might want to monitor particular types of resources. Here are some examples:

• Amazon Web Services: S3 (storage) containers, EC2 (web server) instances, IAM (identity and access) users, access controls

• Box: Files and folders (especially those that are tagged as sensitive or confidential, or are known to have personal information)

• Salesforce: Standard and custom object definitions, actions taken on sensitive objects (for example, leads or contracts), system setup

Actions on the Resources

Every cloud application allows its users and administrators to do things with the resources. Here are some examples:

• Sharing, sending, or permitting collaboration with other people (inside or outside the organization)

• Creating, modifying, and deleting resources (servers, user accounts, access control lists)

• Starting or stopping services

Options for Narrowing the Policy Definition

You might be interested in particular events no matter where or when they take place. However, if needed, you can qualify a policy according to these criteria:

• People or groups who perform the action (for example, someone who shares a sensitive file)

• Domains that shouldn't receive a shared resource

• IP addresses that aren't sanctioned by your organization

• Unusual times of day (after-hours events)

Notifications When a Policy Violation Is Detected

Oracle CASB Cloud Service notifies you of policy violations in the following ways:

• By default, Oracle CASB Cloud Service displays a total count of policy alerts in the Health Summary widget on the Dashboard, and a count of policy alerts for each application on the Applications page (when you click an application icon):

– In card view on the Applications page, click an application tile to see the Health Summary card for that application.

– In grid view on the Applications page, a count of policy alerts for each application appears in the POLICY ALERTS column for the application.

Details for policy alerts display on the Risk Events page. Sort on the CATEGORIES column and locate the “Policy alert” entries.

• Optionally, Oracle CASB Cloud Service also can send policy violation alerts through email.
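The policy components described above (a resource, the actions on it, and the optional narrowing criteria: actors or groups, recipient domains, unsanctioned IP addresses, and after-hours timing) can be illustrated with a small rule evaluator. The following Python is an added example written for this page, not Oracle CASB Cloud Service code; the Policy and Event structures, their field names, and the sample policies and events are all constructed for illustration, and the real service's matching semantics are not reproduced here. The sample policies mirror the two examples given in the text (a "Confidential" Box file shared to an outside domain, and a change to a locked AWS security group) plus one that combines the actor, IP address and time-of-day qualifiers.

```python
"""Toy rule-based policy evaluator for the components described above.
Added example for this page, not Oracle CASB Cloud Service code; every name,
field, sample policy and sample event here is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    name: str
    application: str            # application type, e.g. "Box" or "AWS"
    resource_type: str          # e.g. "file", "security_group", "console"
    resource_pattern: str = "*"  # glob matched against the resource name
    resource_tags: Optional[set] = None          # all must be present on the resource
    actions: set = field(default_factory=set)    # actions that trigger the policy
    # Optional narrowing criteria; None means "no restriction"
    actors: Optional[set] = None                 # user IDs or group names
    blocked_recipient_domains: Optional[set] = None
    sanctioned_networks: Optional[list] = None   # alert only from outside these CIDRs
    after_hours: Optional[tuple] = None          # (start, end) local times; may wrap midnight


@dataclass
class Event:
    application: str
    resource_type: str
    resource_name: str
    action: str
    actor: str
    groups: set
    source_ip: str
    when: datetime
    recipient: Optional[str] = None   # present for share/collaborate actions
    tags: set = field(default_factory=set)


def _in_window(t: time, start: time, end: time) -> bool:
    """True if t is in [start, end); a window such as 19:00 to 07:00 wraps midnight."""
    return start <= t < end if start <= end else (t >= start or t < end)


def matches(policy: Policy, event: Event) -> bool:
    """Core components first (application, resource, action), then each qualifier that is set."""
    if (event.application != policy.application
            or event.resource_type != policy.resource_type
            or not fnmatch(event.resource_name, policy.resource_pattern)
            or event.action not in policy.actions):
        return False
    if policy.resource_tags is not None and not policy.resource_tags <= event.tags:
        return False
    if policy.actors is not None and policy.actors.isdisjoint({event.actor, *event.groups}):
        return False
    if policy.blocked_recipient_domains is not None:
        domain = (event.recipient or "").rsplit("@", 1)[-1].lower()
        if domain not in policy.blocked_recipient_domains:
            return False
    if policy.sanctioned_networks is not None:
        if any(ip_address(event.source_ip) in ip_network(n) for n in policy.sanctioned_networks):
            return False
    if policy.after_hours is not None and not _in_window(event.when.time(), *policy.after_hours):
        return False
    return True


def evaluate(policies: list, events: list) -> list:
    """One (policy name, event) pair per violation, i.e. one alert each."""
    return [(p.name, e) for e in events for p in policies if matches(p, e)]


# Constructed sample policies (names and values are placeholders)
POLICIES = [
    Policy("Confidential Box file shared externally", "Box", "file",
           actions={"share", "collaborate"}, resource_tags={"Confidential"},
           blocked_recipient_domains={"example.net"}),
    Policy("Locked AWS security group modified", "AWS", "security_group",
           resource_pattern="prod-*", actions={"add_user", "modify"}),
    Policy("After-hours admin login from unsanctioned IP", "AWS", "console",
           actions={"login"}, actors={"admins"},
           sanctioned_networks=["10.0.0.0/8"], after_hours=(time(19, 0), time(7, 0))),
]

# Constructed sample events (identities and addresses are placeholders)
EVENTS = [
    Event("Box", "file", "Q3-forecast.xlsx", "share", "alice@example.com", {"finance"},
          "10.1.2.3", datetime(2020, 7, 1, 10, 0), recipient="bob@example.net",
          tags={"Confidential"}),                                      # alert: confidential
    Event("Box", "file", "lunch-menu.pdf", "share", "alice@example.com", {"finance"},
          "10.1.2.3", datetime(2020, 7, 1, 10, 5), recipient="bob@example.net"),  # no tag
    Event("AWS", "security_group", "prod-db-sg", "add_user", "carol@example.com",
          {"admins"}, "10.0.0.9", datetime(2020, 7, 1, 11, 0)),         # alert: locked group
    Event("AWS", "console", "console", "login", "carol@example.com", {"admins"},
          "203.0.113.7", datetime(2020, 7, 1, 23, 30)),                 # alert: after hours
    Event("AWS", "console", "console", "login", "carol@example.com", {"admins"},
          "10.0.0.9", datetime(2020, 7, 1, 23, 30)),                    # sanctioned IP
    Event("AWS", "console", "console", "login", "carol@example.com", {"admins"},
          "203.0.113.7", datetime(2020, 7, 1, 14, 0)),                  # business hours
]

if __name__ == "__main__":
    for name, ev in evaluate(POLICIES, EVENTS):
        print(f"ALERT [{name}] {ev.actor} {ev.action} {ev.resource_name} from {ev.source_ip}")
```

Each qualifier is applied only when the policy sets it, which is what lets one policy be as broad as "any share of a Confidential file to a blocked domain" and another as narrow as "admin console logins after hours from outside the sanctioned address space". Running the block prints one alert line per (policy, event) match; three of the six constructed events trigger an alert.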


Oracle CASB Cloud Service Administrator Roles and Policies

Understand permissions granted to different administrator roles in viewing, creating, and modifying policies to generate alerts.

Your ability to view and work with policy alerts depends on your assigned role. The different administrator roles are allowed to perform different combinations of tasks in Oracle CASB Cloud Service:

• Tenant Administrators. If you have this role, you can create, view, modify, and delete all policies. You also can optionally receive email notifications of new policy violation alerts.

• Security Administrators. If you have this role, you can create, view, modify, and delete all policies for application instances that you have access to. You also have read-only access to policies that are assigned to "any" application instance if you have permission to view at least one instance of that type (for example, AWS).

• Compliance Administrators. If you have this role, you can't view policies.

• SOC Operator. If you have this role, you can't view policies.

To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

Getting Started with Policies

Review both the managed policies that are available and any custom policies already created before creating custom policies.

Oracle CASB Cloud Service provides a predefined set of managed policies for each application type. It is also possible that others have already added custom policies to the predefined set. You should examine the existing policies for your application type, and ensure that relevant managed policies are enabled, before creating your own custom policy alerts.

Reviewing Your Predefined Managed Policies (Smart Policies)

To review the current configuration of managed policies for a particular application type in your Oracle CASB Cloud Service tenant:

1. From the Oracle CASB Cloud Service console, select Configuration, Policy Management.

2. Click the Managed tab.

3. Click the Filter icon next to the APPLICATION column header and select the application type, then click Filter.

If no managed policies are listed, it means that managed policies are not yet available for this application type. Continue with the next section below, "Reviewing Existing Custom Policies."

4. To see how a particular managed policy is defined, drop down the ACTION menu in the row for that policy and select View.

The Policy Details page displays the details about the selected managed policy.


Before you start to create custom policies:

• Ensure that managed policies have been configured for your Oracle CASB Cloud Service tenant.

In a new Oracle CASB Cloud Service tenant, all managed policies are enabled by default, except for those that need additional, tenant-specific information in order to operate properly.

• Review the details of the managed policies that are available to see if any of those are already generating the type of alert you need, or can be easily modified to meet your needs.

Although you can’t modify managed policies directly, you can copy a managed policy into a custom policy and then make changes in the copy.

For instructions on configuring managed policies, see Working with Managed Policies.

Reviewing Existing Custom Policies

To supplement the alerts provided by managed policies, you can create custom policies that will generate alerts whenever the exact conditions that you specify are met. These include specific actions on specific resources, and optionally you may specify users or groups taking the actions, or other specific conditions under which the actions are taken. And the alert can apply to one instance, all instances, or a specific list of instances of the same application type.

To review the current list of custom policies for a particular application type in your Oracle CASB Cloud Service tenant:

1. From the Oracle CASB Cloud Service console, select Configuration, Policy Management.

2. Click the Custom tab.

If no custom policies are listed, it means that no custom policies have been created for any application type.

3. Click the Filter icon next to the APPLICATION column header and select the application type, then click Filter.

If no custom policies are listed, it means that no custom policies have been created for this application type.

4. To see how a particular custom policy is defined, drop down the ACTION menu in the row for that policy and select View.

The Policy Details page displays the details about the selected custom policy.

Creating New Custom Policies

If none of the available managed policies or existing custom policies meet your needs, create a new custom policy that precisely targets the combination of resources, actions, and other conditions for which you want to be alerted. For detailed instructions, see the "Creating Policy Alerts for..." topic for the application type involved, linked from the first page of the Creating Policies and Managing Policy Alerts chapter.


Note:

You can create custom policies by supplying all the details yourself, or you can copy an existing custom or managed policy that is similar, and then just make a few changes. See:

• Working with Managed Policies — to start with a managed policy.

• Duplicating a Policy — to start with another custom or predefined policy.

Working with Managed Policies

Understand how managed policies are updated, and how to change subscription status and create modifiable copies.

Managed policies come in two types:

• Tier 1 policies

– Focus on information security-related events or changes

– Are unsubscribed (disabled) by default for every instance of an application type

– Provide administrator instructions on actions that should be taken

• Tier 2 policies

– Include information technology (IT)-related events, and information security events that may require context in order to be valuable. For example, a domain name that is unique to your organization may be needed. To supply that context:

1. Click the Name of the policy.

2. Check the Description for instructions for what context needs to be added in order for the managed policy to generate alerts.

3. Then copy the managed policy to a custom policy where you can make the changes.

– Are subscribed (enabled) by default

– Generally need to be customized to provide context before enabling

To view details, configure, and copy managed policies:

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the Managed tab.

3. To enable a managed policy:

• Ensure that the SUBSCRIBED column setting is ON.

By default, tier 1 smart policies are ON, and tier 2 smart policies are OFF.


Note:

If you turn the SUBSCRIBED setting ON for a tier 2 smart policy, you may still have to supply some context information in order to generate alerts:

i. Click the row for the policy.

ii. Check the text in the Description.

iii. If additional information is required in order for the policy to generate alerts, make a copy of the policy and modify the copy in the Custom tab. See next step below, “To make a copy of a managed policy...”

4. To make a copy of a managed policy that you can modify as a custom policy alert:

a. Ensure that the SUBSCRIBED status for the managed policy you are copying is set to OFF.

Caution:

If the managed policy is left with SUBSCRIBED status ON, it continues to generate alerts. This is usually undesirable. Ensure that you really do want both versions of the policy to generate alerts if you leave managed policy SUBSCRIBED status ON.

b. In the row for the managed policy that you want to copy, drop down the Action menu and select Copy to Custom.

c. Click the Custom tab and locate the copied policy.

The copied policy:

• Has the same NAME as the managed policy, with a time stamp appended.

• Is not enabled, even if the managed policy SUBSCRIBED setting is ON.

d. In the row for the copied policy, drop down the Action menu and select Edit to make changes.

e. In the New Policy wizard, navigate to the settings that you want to change for this version, and make the changes.

• Click Next to work your way through the pages in sequence.

• Click a page name, such as Condition or Action, in the column on the left, to go directly to that page.

• Click Review and Submit whenever you have made all the changes you want to, then click Submit on that page to save your changes.

For information on the different global settings in the New Policy wizard, see Creating a Policy. For information on Resource and Action settings that are specific to an application type, see the Creating Policy Alerts for... topic for that application type, in the Creating Policies and Managing Policy Alerts chapter.


Managing Policy Alerts in Risk Events

Understand how to view and resolve the alerts that both managed and custom policies generate.

As you monitor the alerts generated by both managed policies and by custom policies you set up, you can view the log data for events to determine how serious they are. Then, you can view the incident (ticket) for the event, if one exists, or create a new incident. If you feel that an incident doesn't need further attention, then you can dismiss it.

Managed policies automatically generate alerts, if they are enabled by being subscribed. See Working with Managed Policies.

After you configure a custom policy, as described in Creating a Policy, Oracle CASB Cloud Service generates alerts when conditions in the application match the policy conditions. For example, you can create policies to detect when users share restricted information or when administrators modify a cloud service's access controls, and Oracle CASB Cloud Service will generate an alert when it detects these activities.

Both types of policy alerts produce risk events that appear on the Risk Events page.

1. From the Dashboard, click the policy alerts number in the Health Summary card to view policy alerts for all applications on the Risk Events page.

2. From the Applications page, to view all policy alerts for a single application on the Risk Events page:

a. In grid view, click the count of policy alerts for an application that appears in the POLICY ALERTS column for the application.

b. In card view, click an application tile to see the Health Summary card for that application, then click the “Policy alerts” number.

3. Click an entry in the Risk Events list to view details about the alert:

• The actor is usually the user whose actions triggered the alert. Click the email address for the Actor to view an Activity report for that user.

• Click the link for the related policy name to view the rules that triggered the alert.

• Click View log data to see the event information that triggered the alert.

Note:

Policy alerts for some application types have additional information on details that appear in Risk Events. Look for a topic titled "Risk Event Details Specific to <application_type>" in the "Creating Policy Alerts for <application_type>" section for that application type.

4. To manage the alert, click the Actions drop-down menu and do one of the following:

• If a ticket already exists for this risk, click View incident.

• To create a ticket, click Create incident. Oracle CASB Cloud Service populates the incident ticket with information from the risk event, and you can add details about the incident. When you are done, click New incident. Oracle CASB Cloud Service creates a new incident ticket that you can manage from the Incidents section of the console. See Finding, Managing, and Resolving Incidents.

• If you feel the risk doesn't merit attention at this time, click Dismiss. If the rules that triggered the alert are too inclusive, modify the related policy so that it only picks up events that you are interested in (for example, change the resource definition in the policy to include only one or two actions of interest, or make the resource name more specific).

• You can also dismiss all risk events for a policy alert at the same time:

– On the Risk Events page, click the drop-down menu in the ACTION column for the event, select Dismiss, and then select Dismiss all ... open risk events created by the policy ....

– On the Policy Management page (select Policy Management from the Navigation menu; if the Navigation Menu is not displayed, click the Navigation Menu icon to display it), for any policy that has a non-zero entry in the RISK EVENTS column, drop down the Action menu for the policy, select Dismiss, and then select Dismiss all risk events.

Note:

If the number of risk events dismissed at one time is 100 or more, a job is created on the Jobs page. See Jobs.

Creating a Policy

Understand the general procedure for creating a custom policy to generate an alert.

Note:

The steps in this topic create a completely new custom policy. You can also create a new custom policy by copying an existing custom, predefined, or managed policy that is similar, and then just making a few changes. See:

• Working with Managed Policies — to start with a managed policy.

• Duplicating a Policy — to start with another custom or predefined policy.

For any application (for example, Box or AWS) or an application instance, you can create a policy that causes Oracle CASB Cloud Service to issue alerts. A policy consists of these components:

• Actions that users or administrators perform (for example, creating or deleting).

• Resources that these users act upon (for example, files, folders, or EC2 instances).

• Optionally, additional filters such as the people or groups who perform the action, the IP address of the actor, and the recipient of the action (for actions such as sharing and collaboration).


• You can also add instructions for the person who reads the alert. For example, if you create an alert related to deleting access control lists, then you can add instructions to inform the group that is responsible for managing the access control lists.

• You can set up email notifications when the alert is triggered. This supplements the ability of users to request notifications for all high-risk events through Setting Your Preferences.

Alerts appear in Risk Events. Oracle CASB Cloud Service can also send email notifications for an alert.

Note:

Unlike other automatically detected risk types, a policy alert doesn't automatically generate a ticket in the Incidents section of the console. However, you can create a ticket manually.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the Custom tab.

Note:

You can't create managed policies.

3. Click New Policy.

4. In the Name page:

a. Enter a name for the policy.

Policy names can only contain the characters a-z, A-Z, 0-9, underscore (_), space ( ), and dash (-). Oracle CASB Cloud Service automatically removes any characters that can't be used in a policy name.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.


Note:

As you complete each page in the policy wizard, the highlight moves through the numbered tasks at the top. Before you complete a task, the icon displays a number. After a task is completed, a check mark icon replaces the task number.

Use the Next and Previous buttons at the bottom to move through the tasks in sequence. You can also click a check mark icon to go directly to that task.

5. In the Resource page, provide the following information, and then click Next.

Field / Description

Application type: The application type to be monitored.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Select the resource for the application type and instance. Different application types have different resources that you can monitor, for example, an EC2 instance in AWS or a file in Box.

Resource name or tag: A filter to identify particular instances of the resource type. For example, for a resource type of File, you can enter a full or partial file name, or a tag name.

The Tag option is only available for the application types that support tags: AWS, Box, and ServiceNow.

Select Text or Regular expression, and then enter all or part of the name. If you're entering only part of the name, select Contains, Begins with, or Ends with to specify which part of the name you entered.


If you choose Resource name: In the Resource name section, you can filter the resource in one of two ways:

• The Text option lets you enter the exact name (Equal to) or part of the name (Contains, Begins with, or Ends with). For example, to match all Box folders that begin with "Finance," you select Begins with and then enter Finance in the text entry field.

• A Regular expression can be an efficient way to match multiple names. Enter .* to match everything. However, this can generate too many alerts.

Note:

For AWS resources that use IDs instead of names (for example, VPCs, VPNs, routes, and subnets), use the resource ID as the name.

If you choose Tag: Enter a tag name as follows:

• For Box or ServiceNow, enter the tag name. Example: For a ServiceNow database incident with the tag "Escalate," enter escalate in the text field.

• For AWS, enter an AWS EC2 instance tag key. (Although you specify the tag as a key/value pair in AWS, you only specify the key on the Resource page.)

Note:

Don't use the Tag option with a Delete action. This is because the tag is deleted along with the resource, and there are no log entries.


Action on this resource: An action that someone takes on the resource (for example, if the application instance is Salesforce, and the resource type is Profile, then you can select the action Assign).

For a policy to be useful, it shouldn't generate too many alerts. If you select a frequently performed action (for example, viewing a resource), then this can generate many alerts, so specify additional filters in the next pages of the policy wizard as described in the following steps.

If you select Any, this may produce more alerts than is practical. You can reduce the number of alerts by setting filters in later pages of this wizard.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

Exception: If the resource action is Login, you identify the user who is logging in on the previous step (the Resource page) and skip this step.

7. (Optional) On the Conditions page, specify conditions to limit when the alert is triggered. Use either one or both of these options, and then click Next.

You can specify a condition using either of these types of conditions multiple times, and you can specify either type of condition in any order, freely mixing the two types.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

• Click Add condition and select parameters from a list. Use the following table as a guide.

Note:

If a particular parameter doesn't appear on the Conditions page, it is because the parameter doesn't apply to the resource and actions that you selected previously.


Parameter / Operator / Description

IP address v4
Operator: Trigger the alert if the IP address appears (In or Equal to) or if the IP address doesn't match the value (Not in or Not equal to).
Description: A comma-separated list of IPv4 addresses.

Device
Operator: Include or exclude the selected device type.
Description: This applies to Salesforce application instances only. Values: Mobile or Desktop.

SSH Key Used
Operator: The drop-down list determines whether you are setting a minimum, maximum, or exact value.
Description: Applies to Amazon Web Services application instances only. The number of days SSH keys may be kept before rotating them.

Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame).
Description: Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT). A value as a time in 24-hour HH:MM:SS format.

CASB threat intelligence IP reputation
Operator: Equal to is the only option.
Description: To flag events from IP addresses with bad or good reputations, select:
– Suspicious for bad reputations.
– Regular for good reputations.

City, State, or Country
Operator:
– Equal to requires matching the name you enter in Value.
– Not Equal to requires not matching the name you enter in Value.
– In requires matching any one of several names you enter in Value.
– Not in requires matching none of several names you enter in Value.
Description: The name of the city, or the state or province, in the physical address that's associated with the IP address.


Tag
Operator: Trigger the alert based on the appearance or non-appearance of this tag (Equal to or Not equal to). Select In or Not in if you want to enter a list of tags. You don't need to repeat a selection of Tag if you already entered tags in an earlier step.
Description: This applies to Box and Amazon Web Services (AWS).
Box: A single tag name, or a comma-separated list of tag names. The list is treated as a logical OR.
AWS: A complete key/value pair for the AWS tag, a single key name, or a comma-separated list of key names or key/value pairs. The list is treated as a logical OR.

Recipients
Operator: Trigger the alert if this user or users are the recipient (Contains) or are not the recipient (Does not contain).
Description: Available for collaborative actions (for example, sending email or sharing a file). Takes a string that matches one or more users.
For example, to flag any Box file being shared outside of mycompany.com, you can select Does not contain as the operator and type a value of mycompany.com.
The following resource type and action combinations apply to the Recipient parameter:
– AWS: Applies to sharing EC2 resources (the EC2 resource type). Requires a key/value pair.
– Box: Applies to sharing or unsharing files (the File resource type), and to collaboration, sharing, or unsharing folders (the Folder resource type).
– Office 365: Applies to ExchangeMailFlow resources.

Permission
Operator: Trigger the alert if the named permission is affected (Equal to).
Description: Only applies to policy alerts for Salesforce profiles.

• Click Add Free-form condition, and then:

– Using View Log Data information from an item in Risk Events that reflects the details you want to filter, enter the name of a Parameter. To ensure the exact, case-sensitive match that's required, copy and paste the parameter from a Risk Event item to the View Log Data display, where this information appears.

– Select an Operator from the list.

– Enter a Value to compare against from the same View Log Data information. To ensure the exact, case-sensitive match that's required, copy and paste the value from a Risk Event item to the View Log Data display, where this information appears.

Note:

Comparisons are made on string data, regardless of the original data type. Comparison of string conversions of date and numeric values may not produce the same results as the original data types.

Note:

The easiest way to add a free-form condition is to first create the alert with no conditions, or with only conditions that you add using the Add condition option, and then:

a. Wait until you get an alert that you don't want from the policy.

b. In Reports, locate the unwanted policy alert, and click View Log Data for the alert.

c. Carefully copy the parameter and the value from that view to paste into the Parameter and Value fields. Note: If the text you copy for the parameter or value contains a comma, enclose it within quotation marks after pasting. This isn't necessary for text that contains spaces.

8. On the Actions page, set your notifications and click Next:

• Show a risk event in Risk Events. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in Risk Events.

• Display a recommendation in the risk event. Select this option to add instructions for the person who reads an alert related to this policy. The recommendation can help speed up issue resolution.

• Send email to this address. Send email to the designated address.

9. When you are done, click Next, review your settings, and then click Submit.


Duplicating a Policy

If you want to create a policy that is very similar to an existing policy, you can save time by duplicating the existing policy, then making a few changes.

Note:

The instructions below are for duplicating a custom policy as the template for creating a new custom policy. If you want to use a managed policy as the template for your new custom policy, see Working with Managed Policies.

Sometimes you may need to create several versions of the same policy that differ from each other in only a few details. Whenever this happens, you can simply duplicate the first policy and use it as a template for the next one. Duplicating a policy makes an exact copy, and then you only have to make the few changes that are needed for the new version.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Locate the policy that you want to use as a template for another policy.

3. In the row for that policy, drop down the Action list and select Duplicate.

The New Policy wizard opens to the Name page, with all the settings copied from the selected policy. Only the policy Name is changed, adding the word "copy" to the end.

Tip:

Name related policies so that they list together in a sequence when you sort your policies on the Name column.

4. In the New Policy wizard, navigate to the settings that you want to change for this version, and make the changes.

• Click Next to work your way through the pages in sequence.

• Click a page name, such as Condition or Action, in the column on the left, to go directly to that page.

• Click Review and Submit whenever you have made all the changes you want to, then click Submit on that page to save your changes.

For information on the different global settings in the New Policy wizard, see Creating a Policy. For information on Resource and Action settings that are specific to an application type, see the Creating Policy Alerts for... topic for that application type, in the Creating Policies and Managing Policy Alerts chapter.


Examples of Parameters in Free-Form Conditions

Learn how to use more complex free-form conditions, based on information in View Log Data for an event.

Here are more examples, increasing in complexity, for determining the free-form condition parameters to enter, based on information in View Log Data for an event.

Any parameter displayed in the View Log Data parameters for an incident can be used to filter policy alerts so that unwanted false alarms aren't triggered. If you determine that an incident that was triggered by a policy alert didn't, in reality, need to be brought to your attention and you do not want to see future alerts for this same situation, then locate the alert in Risk Events and examine the View Log Data information for the incident to locate parameters that you can use to filter out future alerts.

Simple Example

Some parameters and values are easy to see in the View Log Data information. In simple cases like this, it's easy to locate the parameter and value information, and copy it directly from the View Log Data tabular view into your free-form condition:

• Parameter - Application

• Operator - Equal to, to include this application as an alert trigger; Not Equal to, to exclude this application from triggering the alert

• Value - Workbench

Do you want to combine several applications in this condition, to either include or exclude all of them as alert triggers? Just separate the additional applications with commas in the Value field. For example, to specify that Workbench, XXX, or YYY should trigger (or not trigger) the alert:

• Parameter - Application

• Operator - In, to include these applications as alert triggers; Not in, to exclude these applications from triggering the alert

• Value - Workbench, XXX, YYY

The space after the comma is optional. If multiple entries are listed in the Value field, the OR operator is applied to the values: a match on any one or more of the values tells the Operator to either trigger the alert (In operator) or not trigger the alert (Not in operator).

Note:

Remember that all comparisons are made on string data, regardless of the original data type. A comparison of the string conversions of date and numeric values may not produce the same results as the original data types.

More Complex Example

You might think of Slack as an application, but you will not find a parameter named Application in the View Log Data information for a policy alert triggered by Slack. Instead, you must use the information provided for the additional_details parameter:


In this case, it's easier to see how the parameter and value information must be entered as a free-form condition if you turn off tabular view and examine the raw data.

From the raw data, you can more easily determine these correct entries for your free-form condition:

• Parameter - additional_details.service_name (including the period, but not the quotation mark (") or the left brace ({))

• Value - Slack

Even More Complex Example — Response Contains Array

A response from Google Apps contains array data, so the policy alert definition must provide the array index as part of the identifying information. In this case, you must use both the Tabular and raw data views of the View Log Data information. The Tabular view displays the array index values: 0 for events and 7 for doc_id.

In the raw data, you might be able to determine the correct parameter and value entries for your free-form condition.

Combining the information from the raw data with the index values displayed in tabular view, you can determine these correct entries for your free-form condition:

• Parameter - events.0.parameters.7.value

• Value - 1xgwbui_zMqaNMN7BdiDMEu9G5zZC_5xmxUvnd3Qnvkw
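The matching rules described in the Creating a Policy steps and in the free-form examples above (Text or Regular expression resource filters, ANDed conditions, comma-separated In and Not in lists, string-only comparison, and dotted parameters with array indexes such as events.0.parameters.7.value) can be modelled in a few lines. The following Python is an added example written for this page; it is not Oracle CASB Cloud Service code and does not reproduce the product's own evaluation engine. The event field names (id, application, action, resource_name, recipient), the policy dictionary layout, and the sample events are constructed assumptions for the example.

```python
import csv
import io
import re

# Constructed sample events in the shape View Log Data's raw view suggests; the
# field names are assumptions for this example, not the product's schema.
DOC_ID = "1xgwbui_zMqaNMN7BdiDMEu9G5zZC_5xmxUvnd3Qnvkw"
EVENTS = [
    {"id": 1, "application": "Box", "action": "Share",
     "resource_name": "Finance/quarterly-results-final.xls", "recipient": "bob@partner.example"},
    {"id": 2, "application": "Box", "action": "Share",
     "resource_name": "Finance/quarterly-results-final.xls", "recipient": "carol@mycompany.com"},
    {"id": 3, "application": "Slack", "action": "Login", "resource_name": "",
     "additional_details": {"service_name": "Slack"}},
    {"id": 4, "application": "Google Apps", "action": "Edit", "resource_name": "",
     "events": [{"parameters": [{"value": f"v{i}"} for i in range(7)] + [{"value": DOC_ID}]}]},
]

def resource_name_matches(name, mode, pattern, part="Equal to"):
    """Resource page filter: Text (Equal to / Contains / Begins with / Ends with)
    or a Regular expression searched anywhere in the name (so .* matches all)."""
    if mode == "Regular expression":
        return re.search(pattern, name) is not None
    return {"Equal to": name == pattern, "Contains": pattern in name,
            "Begins with": name.startswith(pattern), "Ends with": name.endswith(pattern)}[part]

def resolve_parameter(event, path):
    """Walk a dotted Parameter such as events.0.parameters.7.value; digit segments
    index into arrays. Returns None when any segment is missing."""
    current = event
    for segment in path.split("."):
        if isinstance(current, list) and segment.isdigit() and int(segment) < len(current):
            current = current[int(segment)]
        elif isinstance(current, dict) and segment in current:
            current = current[segment]
        else:
            return None
    return current

def split_values(value):
    """Split a comma-separated Value; an entry containing a comma must be quoted,
    and the space after a comma is optional."""
    if not value.strip():
        return []
    return [v.strip() for v in next(csv.reader(io.StringIO(value), skipinitialspace=True))]

def condition_holds(event, parameter, operator, value):
    """One free-form condition. The comparison is made on the string form of the
    logged value, whatever its original type, as the page's note warns."""
    logged = resolve_parameter(event, parameter)
    if logged is None:  # assumption: an absent parameter never satisfies a condition
        return False
    actual, wanted = str(logged), split_values(value)
    if operator == "Equal to":
        return actual == value.strip()
    if operator == "Not Equal to":
        return actual != value.strip()
    if operator == "In":  # a list of values is a logical OR
        return actual in wanted
    if operator == "Not in":
        return actual not in wanted
    if operator == "Contains":
        return any(item in actual for item in wanted)
    if operator == "Does not contain":
        return not any(item in actual for item in wanted)
    raise ValueError(f"unknown operator: {operator}")

def policy_matches(event, policy):
    """Application, action, resource filter and every condition must hold (ANDed)."""
    if policy["application"] != event["application"]:
        return False
    if policy["action"] not in ("Any", event["action"]):
        return False
    res = policy.get("resource")
    if res and not resource_name_matches(event.get("resource_name", ""), *res):
        return False
    return all(condition_holds(event, p, op, v) for p, op, v in policy["conditions"])

def alerts_for(policy, events=EVENTS):
    """Ids of the sample events that would produce a risk event for this policy."""
    return [e["id"] for e in events if policy_matches(e, policy)]

# The page's "Changes to a Sensitive File" example: Box, a File whose name contains
# the spreadsheet name, the Share action, and Recipients Does not contain mycompany.com.
SENSITIVE_FILE_POLICY = {
    "application": "Box", "action": "Share",
    "resource": ("Text", "quarterly-results-final.xls", "Contains"),
    "conditions": [("recipient", "Does not contain", "mycompany.com")],
}
# The Slack and Google Apps free-form examples.
SLACK_POLICY = {"application": "Slack", "action": "Any", "resource": None,
                "conditions": [("additional_details.service_name", "Equal to", "Slack")]}
GOOGLE_DOC_POLICY = {"application": "Google Apps", "action": "Any", "resource": None,
                     "conditions": [("events.0.parameters.7.value", "Equal to", DOC_ID)]}
```

Running alerts_for against the constructed events yields event 1 for the sensitive-file policy (the share to bob@partner.example), event 3 for the Slack policy, and event 4 for the Google Apps policy. Because every comparison is on strings, a logged numeric 7 does not equal a Value of 7.0, which is the caveat the Note above describes; treating an absent parameter as failing every condition, including Not Equal to, is this example's own choice and not something the page specifies.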

Modifying a Custom Policy

Modify an existing custom policy.

You can change the rules of a policy so that it's more inclusive or more restrictive in terms of the alerts that it generates.

Note:

If you wish to modify a managed policy, you must make a copy of it as a custom policy. See Working with Managed Policies.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the Custom tab.

3. Locate the policy you want to modify, and then click the Edit icon (right end of row, under ACTION).

4. Follow the policy wizard as described in Creating a Policy.


Note:

When modifying a policy, the navigation labels on the left (for example, 2. Resource) are also buttons. You can click these buttons to navigate the wizard if you want to skip pages. The Next and Previous buttons are also available for page-at-a-time navigation.

Example Alert: Changes to a Sensitive File

Review the steps for creating a specific policy, to generate an alert when a particular file is shared.

In this hypothetical scenario, the files being monitored contain data that should be modified only by authorized people. The example illustrates some of the ways in which you can use all four components of a policy.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, type a name for the policy (for example, Modify sensitive files alert), a description, and then click Next.

4. In the Resource page, set the following:

Field / Description

Application type: Select Box.

Application instance: Select an instance from the drop-down list. If you select Any, then ensure that you set additional filters on the policy to prevent generating too many alerts.

Resource: Select File.

Identify resource by name or tag: Select Name.

Resource name: Select Text or Regular expression and then enter a value that matches the names of the files that you don't want people to edit.

Examples:

• Select Text, select Contains, and then enter a full or partial file name, for example, quarterly-results-final.xls.

• Select Regular expression and enter a regular expression, for example, Chronic\sDisease\s. A regular expression of .* matches all files, but if you specify this, you should filter the policy further in later pages of this wizard.

Action: Select Share.

When you are done, click Next.

5. (Optional) Filter the policy according to a particular Username who edits this file.

When you are done, click Next.

6. (Optional) Specify conditions to narrow the range of the policy.


For example, if you selected a sharing or collaboration action for the file, as in Creating Alerts for Folder Sharing or Allowing Collaboration, then you can select the Recipients option in the Parameter field on this page, an operator of Not, and then specify the email addresses of people who are permitted to receive an invitation to share the file. When you are done, click Next.

7. (Optional) In the Action page, select Display a recommendation in the risk event and enter a recommendation.

For example, Contact finance immediately or Block sharing with anyone outside of the Epidemiology Department.

8. When you are ready to complete the policy, click Next. After reviewing your settings, click Done.

Creating Policy Alerts for AWS

Create custom policies to generate alerts for actions on resources that are specific to your AWS environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Types of AWS Alerts

Understand the most common types of alerts you can generate.

This table summarizes the types of policy alerts available for actions that users and services can take on sensitive AWS resources.

Note:

This table omits Describe actions. These are requests to view a resource. These actions can trigger too many alerts to be practical, unless they're restricted to particular addresses or users. Similarly, Any action is omitted. Any means that Oracle CASB Cloud Service is to monitor all of the actions that can be taken on a resource, which can be too broad to be practical.


Resource Type / Actions That Can Be Taken / Description

Resource type: EC2 addresses

Actions that can be taken:

• AllocateAddress. Acquire an elastic IP address.

• AssignPrivateIPAddresses. Allow AWS to automatically assign an EC2 VPC address.

• AssociateAddress. Assign one or more secondary private IP addresses to a network interface.

• DescribeAddresses. Display the configuration information for the address.

• DissociateAddress. Disconnect the address from the instance or network interface.

• ReleaseAddress. Dissociate the address and release it to a public pool, potentially making it unavailable to you.

• UnassignPrivateIPAddress. Unassign the IP address.

Description: EC2 addresses are used in the EC2 Classic platform or in a virtual private cloud (VPC). They are secondary private IP addresses in a network interface.

Use these policies when you need to ensure that only authorized users perform these actions.

Resource type: EC2 image

Actions that can be taken:

• CopyImage. Initiate the copy of an Amazon Machine Image (AMI) from a source region to the current region.

• DeregisterImage. After deregistration, you can no longer use the AMI to start new instances. This doesn't affect existing instances. If you no longer need them, then you should terminate them.

• DescribeImageAttribute. Show the attribute value, for example, its description, start permissions (who is permitted to start it), or kernel ID.

• ModifyImageAttribute. Update the attribute value, for example, its description, start permissions (who is permitted to start it), or kernel ID.

• RegisterImage. Register a new AMI.

• ResetImageAttribute. Restore the default value of the attribute.

Description: These are Amazon Machine Images (AMIs). These provide the information needed to start an EC2 instance.

You can monitor when users assign or remove the permission to start the image, add or remove products from the image, and make the image private or public.

You can use policies of this type to ensure that only authorized people are managing your images.


Resource type: EC2 instance

Actions that can be taken:

• BundleInstance. Prepare a customized instance for uploading to an S3 bucket in preparation for starting a new AMI.

• DescribeInstanceAttribute. View attributes of an instance, for example, the security groups attached to it.

• DescribeInstances. View basic properties of an instance, for example, the public DNS name, the security group assigned to it, and its profile.

• ImportInstance. Import a virtual machine (VM) into an EC2 instance.

• ModifyInstanceAttribute. Modify attributes of an instance, for example, the security groups attached to it.

• MonitorInstances. Initiate instance monitoring.

• RebootInstances. Shut down and restart the instance.

• ReportInstanceStatus. Return the status of a running instance (for example, whether it's stuck or unresponsive).

• ResetInstanceAttribute. Return attributes of an instance to their default states.

• RunInstances. Start instances using an AMI.

• StartInstance. Restart a stopped instance.

• StopInstances. Shut down an instance, but don't shut down its root device and other attached devices.

• TerminateInstances. Shut down an instance, its root device, and other attached devices.

• UnmonitorInstances. Stop instance monitoring.

Description: These are Amazon virtual servers in EC2. These servers let you run applications in the Amazon cloud.

You can monitor when users create or modify these virtual servers.

You can use policies of this type to ensure that only authorized people are managing your images.

Resource type: EC2 key pair

Actions that can be taken:

• CreateKeyPair. Generate a key pair that allows a user to log in to an EC2 instance.

• DeleteKeyPair. Delete the key pair.

• ImportKeyPair. Import keys that you generate using a third-party tool.

Description: These policies let you monitor activity related to keys for authenticating to EC2 instances.


Resource type: EC2 network

Actions that can be taken:

• AttachNetworkInterface. Attach a network interface in an EC2 instance subnet with a primary private IP address and secondary private IP addresses.

• CreateNetworkACL. Create an access control list (ACL) for an EC2 network.

• CreateNetworkACLEntry. Create an entry in an ACL for an EC2 network.

• CreateNetworkInterface. Create a network interface to an EC2 instance.

• DeleteNetworkACL. Delete a network interface to an EC2 instance.

• DeleteNetworkACLEntry. Delete an inbound or outbound rule from a network ACL.

• DeleteNetworkInterface. Delete a network interface to an EC2 instance.

• DetachNetworkInterface. Detach a network interface from an EC2 instance.

• ModifyNetworkInterfaceAttribute. Modify an attribute of a network interface, for example, whether source or destination checking is turned on for the associated security groups.

• ReplaceNetworkACLAssociation. Change the network ACL associated with a subnet.

• ReplaceNetworkACLEntry. Replace a network ACL rule.

• ResetNetworkInterfaceAttribute. Replace an attribute such as the connection timeout value or the access keys.

Description: These policies let you monitor activity related to creating the network on which EC2 instances run and the policies (interfaces and access control lists) that control the traffic into and out of the network.


Resource type: EC2 reserved instance

Actions that can be taken:
• CancelReservedInstancesListing. Cancel a listing in the Reserved Instance Marketplace.
• CreateReservedInstancesListing. Create a listing in the Reserved Instance Marketplace.
• DescribeReservedInstances. Show the attributes of a purchased reserved instance.
• DescribeReservedInstancesListings. Describe your account's listings in the Reserved Instance Marketplace.
• DescribeReservedInstancesOfferings. Describe listings available in the Reserved Instance Marketplace.
• ModifyReservedInstances. Change the zone, EC2 type (VPC or Classic), or instance type of a reserved instance.
• PurchaseReservedInstancesOfferings. Purchase a listing in the Reserved Instance Marketplace.

Description: The Reserved Instance Marketplace matches buyers who want additional capacity with people who have excess capacity. All reserved instances must be identical with the exception of Availability Zone, network platform, and instance type. Use these policies to monitor reserved instances, including the Availability Zone, instance count, instance type, or network platform (EC2-Classic or EC2-VPC) of your reserved instances.

Resource type: EC2 route

Actions that can be taken:
• AssociateRouteTable. Associate a subnet with a route table in the same VPC.
• CreateRoute. Create a route in a route table. The route directs traffic to a destination (for example, an internet gateway or a virtual private gateway).
• CreateRouteTable. Create a route table for a VPC. The table contains routes and is associated with a subnet.
• DeleteRoute. Delete a route in a route table. The route directs traffic to a destination (for example, an internet gateway or a virtual private gateway).
• DeleteRouteTable. Delete a route table for a VPC. The table contains routes and is associated with a subnet.
• DisableVgwRoutePropagation. Prevent a virtual private gateway from sending routes to a VPC's route table.
• DisassociateRouteTable. Disassociate a route table from a subnet in a VPC.
• EnableVgwRoutePropagation. Allow a virtual private gateway to send routes to a VPC's route table.
• ReplaceRoute. Change a route in a route table.
• ReplaceRouteTableAssociation. Change the route table for a subnet in a VPC, or the main route table for the VPC.

Description: Use these policies to monitor routing in a VPC. EC2 routes control the flow of traffic on your network. You may want to ensure that only authorized people manage EC2 routes, and that these routes are only open to authorized subnets.


Resource type: EC2 security group

Actions that can be taken:
• AuthorizeSecurityGroupEgress. Permit EC2 instances to send traffic to one or more destination CIDR IP address ranges. Not applicable to EC2-Classic.
• AuthorizeSecurityGroupIngress. Permit one or more CIDR IP address ranges to access a security group in an EC2-Classic account. For EC2-VPC, this grants one or more CIDR IP address ranges or other security groups (also called source groups) permission to access a security group for your VPC.
• CreateSecurityGroup. Create a security group.
• DeleteSecurityGroup. Delete a security group.
• RevokeSecurityGroupEgress. Remove an egress (outbound) rule from a security group.

Description: A security group is a virtual firewall. These resources control egress (outbound) and ingress (inbound) traffic to EC2 VPCs. You may want to monitor any tightening or loosening of restrictions on traffic to and from an EC2 instance and make sure that changes are necessary. Also, if a security group isn't actively being used, then it's best to remove it.

Resource type: EC2 snapshot

Actions that can be taken:
• CopySnapshot. Duplicate a snapshot.
• CreateSnapshot. Create a snapshot.
• DeleteSnapshot. Delete a snapshot.
• ModifySnapshotAttribute. Add or remove permissions for a snapshot.
• ResetSnapshotAttribute. Restore default permissions for a snapshot.

Description: You use snapshots for backups, to make copies of EBS volumes, and to save data before shutting down an instance. Use policies of this type to be sure that these actions are authorized. Also, your EBS volumes should have snapshots taken at least every few weeks to ensure that systems can be restored easily.

Resource type: EC2 subnet

Actions that can be taken:
• CreateSubnet. Create a subnet for a VPC.
• DeleteSubnet. Delete a subnet. Administrators must terminate all running instances in a subnet before deleting the subnet.

Description: An Amazon VPC is an isolated area where you can start AWS resources in a virtual network. A subnet directs traffic in the VPC. Use this type of policy to ensure that this action is authorized and doesn't create issues with access.

Resource type: EC2 tags

Actions that can be taken:
• CreateTags. Create a tag for an EC2 resource.
• DeleteTags. Delete a tag for an EC2 resource.

Description: Tags identify EC2 resources such as Amazon Machine Images (AMIs) and EC2 instances. If your organization uses tags for particularly important resources, then you may want policies that specifically monitor changes to these tags.


Resource type: EC2 tasks

Actions that can be taken:
• CancelBundleTask. Cancel bundling for a Windows-based instance.
• CancelConversionTask. Cancel importing an EC2 instance or volume.
• CancelExportTask. Cancel an export task, along with partially created S3 objects.
• CancelInstanceExportTask. Cancel export of an EC2 instance to an S3 bucket.
• CreateInstanceExportTask. Export an EC2 instance to an S3 bucket.

Description: Tasks allow you to run Docker containers in Amazon EC2 Container Service (ECS). Some tasks are particularly sensitive. For example, you may want to keep track of people who are exporting your Amazon resources, including S3 objects and buckets. (These are included in an EC2 export.)

Resource type: EC2 VPC

Actions that can be taken:
• CreateVPC. Create a VPC.
• DeleteVPC. Delete a VPC.
• ModifyVPCAttribute. Modify a VPC attribute, for example, the connection timeout, your access keys, or the URL for the web service entry point.

Description: An Amazon VPC is an isolated area where you can start AWS resources in a virtual network. These actions are highly sensitive. For example, to delete a VPC a user must also have detached or deleted all gateways, terminated all instances running in the VPC, deleted all security groups associated with the VPC (except the default one), and deleted all routing tables associated with the VPC (except the default one). Ensure that these actions are authorized, particularly if this alert appears for different VPCs.

Resource type: EC2 VPN

Actions that can be taken:
• AttachVPNGateway
• CreateVPNConnection
• CreateVPNConnectionRoute
• CreateVPNGateway
• DeleteVPNConnection
• DeleteVPNConnectionRoute
• DetachVPNGateway

Description: A VPN controls access to your resources. A virtual private gateway is the endpoint on the AWS side of your VPN connection. These gateways control access to your resources. These policies help you ensure that these actions are necessary and authorized.

Resource type: EC2 volume

Actions that can be taken:
• AttachVolume. Attach an Elastic Block Store (EBS) volume to an EC2 instance.
• CreateVolume. Create a volume.
• DeleteVolume. Delete a volume.
• DetachVolume. Detach a volume.
• ImportVolume. Import a volume.
• ModifyVolumeAttributes. Modify a volume's attributes, for example, its region, access URL, or the connection timeout.

Description: You can use these policies to ensure that an EBS volume was set to use data-at-rest encryption at creation time. EBS volumes that are created without encryption can't be encrypted later. Ensure that snapshots are taken of this volume at least every few weeks.


Resource type: IAM account

Actions that can be taken:
• CreateAccountAlias. Create a customized URL to your sign-in page for your AWS account.
• DeleteAccountAlias. Remove the alias.
• GetAccountSummary. Get information about IAM entity use and IAM quotas in the account.
• ListAccountAliases. List the account aliases.

Description: Use this type of policy to be notified whenever this action occurs. Ensure that only authorized people have permission to perform these functions.

Resource type: IAM certificate

Actions that can be taken:
• DeleteServerCertificate. Delete the server certificate. Deleting the certificate can cause Elastic Load Balancing to stop accepting traffic.
• GetServerCertificate. List server certificates (Windows).
• ListServerCertificates. List server certificates.
• ListSigningCertificates. List signing certificates.
• UpdateServerCertificate. Replace server certificates.
• UpdateSigningCertificate. Replace signing certificates.
• UploadServerCertificate. Upload server certificates.
• UploadSigningCertificate. Upload a signing certificate and associate it with a user.

Description: X.509 signing certificates permit the user to use the EC2 command line and AMI tools. Server certificates permit the EC2 server to authenticate and use encrypted transmission. Use this type of policy to be notified whenever this action occurs. Ensure that only authorized people have permission to perform these functions.

Resource type: IAM group

Actions that can be taken:
• AddUserToGroup. Add a user to a group. The group's policies (permissions) apply to all users in the group.
• CreateGroup. Add a group.
• DeleteGroup. Delete a group.
• DeleteGroupPolicy. Delete a policy (a set of permissions) from the group.
• GetGroup. Describe a group.
• GetGroupPolicy. Describe a policy (a set of permissions) associated with a group.
• PutGroupPolicy. Add a policy (a set of permissions) to a group.
• RemoveUserFromGroup. Delete a user from a group.
• UpdateGroup. Modify the group name or path.

Description: IAM groups are collections of privileges that you can assign to users. Use this type of policy to ensure that this action is authorized, and that the group has only the privileges that its members need.


Resource type: IAM ID provider

Actions that can be taken:
• CreateSAMLProvider. Create an identity provider that you can use in a role's trust policy to establish trust between AWS and the provider.
• DeleteSAMLProvider. Delete the provider's definition.
• GetSAMLProvider. Get information about a provider.
• ListSAMLProviders. List providers.
• UpdateSAMLProvider. Modify a provider.

Description: An identity provider set up using the Security Assertion Markup Language (SAML) permits users from external domains (federated users) to access your resources. You use these policies to be notified about creating SAML providers. Deleting them can also be problematic. For example, when a provider is deleted, the AWS administrator must also remove the identity provider manually from any IAM roles that reference it (the provider remains in policies that are attached to a role), and users can't assume any role that references this provider.

Resource type: IAM MFA device

Actions that can be taken:
• CreateVirtualMFADevice. Create a virtual multi-factor authentication (MFA) device.
• DeactivateMFADevice. Deactivate an MFA device.
• EnableMFADevice. Enable an MFA device.

Description: Multi-factor authentication (MFA) provides an extra layer of security, protecting against a single lost or stolen authentication credential. Use this policy when you want to monitor MFA, for example, to be aware of deactivation of an MFA device for sensitive users and roles.

Resource type: IAM password policy

Actions that can be taken:
• DeletePasswordPolicy. Delete the password rules (policy) for the account.
• GetPasswordPolicy. Show the password rules (policy) for the account.
• UpdatePasswordPolicy. Modify the password rules (policy) for the account.

Description: Use this type of policy to monitor the password policy for the AWS account. Your password policies help users keep their accounts secure. Ensure that these changes conform to your security requirements.

Resource type: IAM role

Actions that can be taken:
• AttachRolePolicy. Add access privileges (a policy) for a role.
• CreateRole. Create an IAM role that can be assigned to a user or group (along with the role's policies).
• DeleteRole. Delete an IAM role.
• DeleteRolePolicy. Delete an inline policy from a role.
• DetachRolePolicy. Remove a policy from a role.
• PutRolePolicy. Add an inline policy to a role.
• UpdateAssumeRolePolicy. Modify the policy that allows an entity to assume a particular role.

Description: Identity and access management (IAM) roles provide users with access to sensitive resources in your AWS account. Assumed roles give users permission to temporarily acquire privileges that they don't ordinarily have. Ensure that new roles and assumed roles are necessary. Also ensure that the user is authorized to perform this action.


Resource type: IAM user

Actions that can be taken:
• ChangePassword. Update a user's password.
• ConsoleLoginFailure. A failed login to the AWS administration console.
• ConsoleLoginSuccess. A login to the AWS administration console.
• CreateAccessKey. Generate authentication keys for a user.
• CreateUser. Add an IAM user.
• CreateUserPolicy. Create a set of permissions that can be assigned to a user.
• DeleteAccessKey. Remove the user's access keys.
• DeleteUser. Remove the user.
• GetUserPolicy. Show the user's permissions.
• PutUserPolicy. Assign a policy to a user.
• UpdateAccessKey. Replace a user's keys.
• UpdateUser. Update the user's name or path.

Description: Identity and access management (IAM) users are the people who are authorized to access your AWS account. User policies control what users are allowed to do in AWS. Use this type of policy to monitor user creation. Typically, only a limited number of people should have access to AWS resources.

Resource type: S3 bucket

Actions that can be taken:
• Get, put bucket, bucket ACL, or bucket CORS
• Get, put bucket location, logging, notification, policy, or website
• Get, put bucket request payment

Description: AWS Simple Storage Service (S3) saves information in containers known as buckets. Use these policies to monitor activity related to creating and deleting these buckets. For example, cross-origin resource sharing (CORS) for an S3 bucket opens the bucket to requests from identified locations; this type of sharing can open a bucket at my.example.bucket.com to requests from www.example.com. A policy that monitors for this action can help you identify the recipient of a shared resource and verify both the recipients and the user who is permitting sharing.

Resource type: S3 object

Actions that can be taken:
• Delete, get, put object or object ACL

Description: This type of policy lets you monitor sensitive objects that you store in S3 buckets (for example, a document with personally identifiable information in it). Note that for delete actions, the AWS administrator can restore the object if versioning was enabled for it.
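The table above calls out several changes that deserve a closer look when they appear in the audit trail: security group rules that loosen ingress, EBS volumes created without encryption (which can't be encrypted later), MFA devices being deactivated, and the account password policy being deleted. The following is an added example, not code from Oracle CASB Cloud Service or from this guide, of a small review pass over CloudTrail-style event records that flags those four cases. The records are constructed for the example and follow the CloudTrail requestParameters layout for EC2 calls (ipPermissions with nested items lists); the function names and the sample values (user names, group ID, addresses) are the example's own.

```python
"""Review CloudTrail-style events for the sensitive EC2/IAM changes described above.

Added example (not Oracle CASB code). Events are constructed inline and mimic the
CloudTrail record layout; only the fields this example inspects are included.
"""
import ipaddress


def _items(node):
    """EC2 CloudTrail records wrap lists as {"items": [...]}; return the list or []."""
    if isinstance(node, dict):
        return node.get("items", [])
    return node or []


def is_world_open(cidr):
    """True for a CIDR that covers every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def open_ingress_rules(event):
    """For AuthorizeSecurityGroupIngress, return (protocol, from, to, cidr) for every
    rule whose source range is the whole internet."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    findings = []
    for perm in _items(event.get("requestParameters", {}).get("ipPermissions")):
        ranges = [r.get("cidrIp") for r in _items(perm.get("ipRanges"))]
        ranges += [r.get("cidrIpv6") for r in _items(perm.get("ipv6Ranges"))]
        for cidr in ranges:
            if cidr and is_world_open(cidr):
                findings.append((perm.get("ipProtocol"), perm.get("fromPort"),
                                 perm.get("toPort"), cidr))
    return findings


def unencrypted_volume(event):
    """True when CreateVolume was issued without at-rest encryption."""
    if event.get("eventName") != "CreateVolume":
        return False
    return not event.get("requestParameters", {}).get("encrypted", False)


def review_event(event):
    """Return human-readable findings for one event (empty list means nothing to flag)."""
    who = event.get("userIdentity", {}).get("userName", "<unknown>")
    params = event.get("requestParameters", {})
    findings = []
    for proto, lo, hi, cidr in open_ingress_rules(event):
        findings.append(f"{who} opened {proto} {lo}-{hi} to {cidr} on {params.get('groupId')}")
    if unencrypted_volume(event):
        findings.append(f"{who} created an EBS volume without encryption (cannot be encrypted later)")
    if event.get("eventName") == "DeactivateMFADevice":
        findings.append(f"{who} deactivated the MFA device of {params.get('userName')}")
    if event.get("eventName") == "DeletePasswordPolicy":
        findings.append(f"{who} deleted the account password policy")
    return findings


# Constructed sample events (not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {"items": []}},
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventName": "CreateVolume", "userIdentity": {"userName": "bob"},
     "requestParameters": {"size": "8", "availabilityZone": "us-east-1a", "encrypted": False}},
    {"eventName": "CreateVolume", "userIdentity": {"userName": "bob"},
     "requestParameters": {"size": "8", "availabilityZone": "us-east-1a", "encrypted": True}},
    {"eventName": "DeactivateMFADevice", "userIdentity": {"userName": "carol"},
     "requestParameters": {"userName": "admin-dave"}},
    {"eventName": "DescribeInstances", "userIdentity": {"userName": "alice"},
     "requestParameters": {}},
]


def review_all(events=SAMPLE_EVENTS):
    """Run the review over a list of events and return every finding."""
    return [f for e in events for f in review_event(e)]


if __name__ == "__main__":
    for finding in review_all():
        print(finding)
```

The world-open test uses the prefix length rather than a string comparison so that both IPv4 and IPv6 catch-all ranges are caught; a rule that merely widens a private range is left for the policy's user and tag filters to judge, which is the trade-off the description text above describes.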


Creating an AWS Policy

Follow these general steps for any policy you create to generate an alert for actions in AWS.

Oracle CASB Cloud Service displays an alert in Risk Events whenever an event occurs that matches the policy conditions.

The following are general steps for creating an AWS policy that generates an alert whenever an event occurs that matches the policy conditions. Oracle CASB Cloud Service displays all alerts in Risk Events. Optionally, you can also choose to receive an email notification.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page:

a. Enter a name for the policy.

Policy names can only contain the characters a-z, A-Z, 0-9, underscore (_), space ( ) and dash (-). Oracle CASB Cloud Service automatically removes any characters that can't be used in a policy name.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations included in user risk score computations, select Include in user risk score.

e. Click Next.

4. In the Resource page, make these selections:

Application type: Select AWS.

Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: The type of resource you want to monitor.


Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
• Text, then select a comparison from the drop-down list, and enter text in the box below.
• Regular expression, then enter the regular expression in the box below.
To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

Note:

Some resources do not have a tag option.

Go to a topic that follows in this section, which has instructions for the specific actions available on your selected resource, and select the Action on this resource there.

Continue with the next step below after you have selected the action and clicked Next to proceed to the Username page.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. (Optional) On the Conditions page, filter your policy so it is triggered only under the conditions that you specify.

The table below lists the parameters you can configure in the Conditions page of an AWS policy alert.

Note:

Some parameters may not be available, depending on your Resource and Action on this resource selections.

Parameter: IP address v4
Operator: Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).
Value: A comma-separated list of IPv4 addresses.

Parameter: SSH Key Used
Operator: The drop-down list determines whether you are setting a minimum, maximum, or exact value.
Value: The number of days SSH keys may be kept before rotating them.

Parameter: Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame).
Value: A time in 24-hour HH:MM:SS format.


Parameter: CASB threat intelligence IP reputation
Operator: Equal to is the only option.
Value: To flag events from IP addresses with bad or good reputations, select:
• Suspicious for bad reputations.
• Regular for good reputations.

Parameter: City, State, or Country
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
Value: The name of the city, or the state or province, in the physical address that's associated with the IP address.

Parameter: Tag
Operator: Include or exclude this tag (Equal to or Not equal to). Select In or Not in if you want to enter a list of tags. You do not need to repeat a selection of Tag if you already entered tags in an earlier step.
Value: There are a few ways to specify an AWS tag:
• As a complete key:value pair for the AWS tag.
• As a single key name.
• As a comma-separated list of key names or key:value pairs. The list is treated as a logical OR.

Parameter: Recipient (or Audience)
Operator: Include or exclude this user (Contains or Does not contain).
Value: Available for AWS if on the Resources page of the policy wizard you selected S3 resources and the Share action. Takes a string that matches one or more users. For example, to flag any Box file being shared outside of mycompany.com, you can select Does not contain as the operator and type a value of mycompany.com.

When you are done, click Next.

7. Set your notifications:

• Show a risk event in the Monitor. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in the Risk Events page.

• Display a recommendation in the risk event. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

When you are done, click Next.

8. After reviewing your settings, click Next to submit the policy.


9. Click Done.
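Steps 4 through 6 above amount to a filter: a resource and action, an optional user name, and the optional condition parameters (IPv4 address In or Not in a list, Timestamp later or earlier than an HH:MM:SS value, Tag given as a key, a key:value pair, or a comma-separated list treated as OR). The following is an added example, not Oracle CASB Cloud Service code, of a small matcher that applies a policy expressed in those terms to constructed event records, so that you can see how the conditions combine (every configured filter must hold) before creating the real policy. The flat record shape, the tags dictionary, the sample addresses and the function names are the example's own assumptions, not the product's schema.

```python
"""Evaluate an AWS policy alert, expressed in the wizard's terms, against events.

Added example, not Oracle CASB Cloud Service code. Event records are constructed
for the example; their field names are assumptions, not the product's schema.
"""
from datetime import datetime


def parse_tag_value(text):
    """Turn the wizard's Tag value into a list of (key, value-or-None) alternatives.
    'env:prod', 'env', and 'env:prod, owner' (a comma list is a logical OR) are all valid."""
    alternatives = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition(":")
        alternatives.append((key.strip(), value.strip() if sep else None))
    return alternatives


def tag_matches(event_tags, tag_value):
    """True if any alternative matches; a bare key matches any value for that key."""
    for key, value in parse_tag_value(tag_value):
        if key in event_tags and (value is None or event_tags[key] == value):
            return True
    return False


def time_condition(event_time, operator, hhmmss):
    """Compare the event's time of day (24-hour) with an HH:MM:SS value."""
    wanted = datetime.strptime(hhmmss, "%H:%M:%S").time()
    actual = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").time()
    if operator == "later than":
        return actual > wanted
    if operator == "earlier than":
        return actual < wanted
    return actual == wanted  # "exact"


def policy_matches(policy, event):
    """Apply each configured filter; all configured filters must hold (logical AND)."""
    if event["resource"] != policy["resource"]:
        return False
    if policy["action"] != "Any" and event["action"] != policy["action"]:
        return False
    if policy.get("username") and event["user"] != policy["username"]:
        return False
    cond = policy.get("conditions", {})
    if "ip_v4" in cond:
        op, addrs = cond["ip_v4"]
        listed = event["source_ip"] in [a.strip() for a in addrs.split(",")]
        if (op == "In") != listed:  # "Not in" inverts the membership test
            return False
    if "timestamp" in cond:
        op, value = cond["timestamp"]
        if not time_condition(event["time"], op, value):
            return False
    if "tag" in cond:
        op, value = cond["tag"]
        if (op == "Equal to") != tag_matches(event.get("tags", {}), value):
            return False
    return True


# A policy like the one the wizard steps produce: after-hours security group changes
# made from outside the office address list, on production-tagged resources.
POLICY = {
    "resource": "EC2 security group",
    "action": "AuthorizeSecurityGroupIngress",
    "username": None,
    "conditions": {
        "ip_v4": ("Not in", "203.0.113.10, 203.0.113.11"),  # constructed office addresses
        "timestamp": ("later than", "18:00:00"),
        "tag": ("Equal to", "env:prod, tier:critical"),
    },
}

# Constructed sample events.
EVENTS = [
    {"resource": "EC2 security group", "action": "AuthorizeSecurityGroupIngress",
     "user": "alice", "source_ip": "198.51.100.7", "time": "2020-07-01T22:15:03Z",
     "tags": {"env": "prod"}},                        # every filter holds: alert
    {"resource": "EC2 security group", "action": "AuthorizeSecurityGroupIngress",
     "user": "alice", "source_ip": "203.0.113.10", "time": "2020-07-01T22:15:03Z",
     "tags": {"env": "prod"}},                        # from the office: no alert
    {"resource": "EC2 security group", "action": "AuthorizeSecurityGroupIngress",
     "user": "bob", "source_ip": "198.51.100.7", "time": "2020-07-01T09:30:00Z",
     "tags": {"tier": "critical"}},                   # during the day: no alert
    {"resource": "EC2 security group", "action": "CreateSecurityGroup",
     "user": "bob", "source_ip": "198.51.100.7", "time": "2020-07-01T22:15:03Z",
     "tags": {"env": "prod"}},                        # different action: no alert
]


def alerts_for(policy=POLICY, events=EVENTS):
    """Return the users whose events matched the policy."""
    return [e["user"] for e in events if policy_matches(policy, e)]


if __name__ == "__main__":
    print(alerts_for())
```

Note how narrow the result is: only the first event fires, because the IP, time-of-day and tag conditions are ANDed while the alternatives inside the Tag value are ORed, which is the behaviour the condition table above describes for comma-separated tag lists.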

Creating Alerts for IAM Users

Create alerts for operations performed on or by IAM users, and actions for IAM user policies.

AWS administrators add and manage users and other administrators in the Identity and Access Management (IAM) Users section of the administration console.

You can create policy alerts for actions taken on IAM users (for example, adding or deleting users), and actions performed by users (for example, logins or failed logins).

Note:

In the following procedures, if you select the action of Any, or a common action such as GetUser or GetUserPolicy, then you can trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

Creating Alerts for Changes to IAM Instance Profiles

Create policy alerts that flag changes to IAM instance profiles.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

Application Type: AWS

Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: IAM InstanceProfile

Resource name: Select Name, then select one of these options:
• Text, then select a comparison from the drop-down list, and enter text in the box below.
• Regular expression, then enter the regular expression in the box below.

5. Drop down the Action on this resource list and select an action:


• Any. Any of the available actions taken on the specified IAM instance profile.
• AddRoleToInstanceProfile. A role has been added to the IAM instance profile.

For additional information about IAM instance profile actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for Operations Performed on IAM Users

Create alerts for operations performed on IAM users, such as deleting a user or administrator.

You may want to create alerts if people perform sensitive operations on users, for example, deleting users or user policies. You can also restrict these alerts to particular users (for example, to be alerted if someone deletes an AWS administrator).

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, select AWS as the application type, select an instance, and then specify a resource. For operations on particular users, specify the resource:

Resource: IAM User (a user created in the Identity and Access Management (IAM) section of AWS).

Resource name or tag: IAM users can only be identified by their names. Select Text, select Contains from the drop-down list, and enter a partial string to match a set of users. If you select Regular expression, then enter a regular expression to match one or more users.

Action: Select an action. For example, if you are concerned about modifications to your administrative users, then you could select UpdateUser. For a description of available actions, see Actions for IAM User Policies. An action of Any, or a common action such as GetUser or GetUserPolicy, may trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.


6. When you are done, click Next. For a description of the additional policy filters (parameters), see Condition Parameters for AWS Alerts.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to the Risk Events page.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, and after reviewing your settings, click Next to submit the policy.

9. Click Done.

Actions for IAM User Policies

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is IAM user.

For additional documentation about IAM user actions, see Amazon's online documentation.

The list below describes the actions that are available when the Resource is IAM user.

• ChangePassword. Triggers an alert when the password is updated for an IAM user. You supply a full user name, a partial name to match one or more users, or enter the .* regular expression to match all users.

• ConsoleLoginFailure | ConsoleLoginSuccess. Triggers an alert when an IAM user logs in successfully or the login fails. You supply a full user name, a partial name to match one or more users, or enter the .* regular expression to match all users.

• CreateAccessKey | DeleteAccessKey | UpdateAccessKey. Triggers an alert when someone generates, deletes, or updates access keys for an IAM user. You supply a full user name, a partial name to match one or more users, or enter the .* regular expression to match all users. The default status for new keys is Active. Depending on this user's role, these keys provide access to important resources, including EC2 instances and S3 servers.

• CreateUser | DeleteUser | UpdateUser. Triggers an alert when someone creates, deletes, or updates an IAM user. You supply a full user name, a partial name to match one or more users, or type the .* regular expression to match all users.


Action Description

CreateUserPolicy |DeleteUserPolicy |UpdateUserPolicy |PutUserPolicy

Triggers an alert when someone creates, deletes, orupdates an inline policy document for an IAM user. Yousupply a full policy name, a partial name to match one ormore users, or enter the .* regular expression to match allusers.

An inline policy document for a user sets the user'spermissions to access important resources, including EC2instances and S3 servers.

Note: You can configure Oracle CASB Cloud Service toautomatically reset modified IAM user policies to yourpreferred definition.

ListUsers |ListUserPolicies

Triggers an alert when someone views users and userpolicies. This action can be too commonplace to be usedon its own in a policy. If you select this action, thenfurther limit the alert by adding more actions and filters,or restricting the action to particular users.

Creating Alerts for Operations Performed by AWS UsersCreate alerts for operations performed on IAM users on any resource.

Use the Username page of the policy wizard to filter any policy according to AWSusers or group members who perform an action on any resource.

1. Select Configuration, Policy Management from the Navigation menu. If theNavigation Menu is not displayed, click the Navigation Menu icon to displayit.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, selecta Priority, select Include in user risk score if you want policy violations includedin user risk score computations, and then click Next.

4. In the Resource page, select AWS as the application type, select an instance,select a resource, action, and the resource name.

For EC2 resources, you can also identify the resource by its tag.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if thenamed user performs the action that you set in the previous step.

6. When you are done, click Next.

The Conditions page is optional. For a description of available parameters, seeCondition Parameters for AWS Alerts.

7. Click Next, and in the Actions page, set one or more notifications.

8. When you are done, click Next, and after reviewing your settings, click Next to submit the policy.

9. Click Done.

Chapter 22 Creating Policy Alerts for AWS

22-39


Creating Alerts for IAM Groups

You can create policy alerts for the Resource type Identity and Access Management (IAM) group. For example, you can create an after-hours alert related to the addition and deletion of IAM groups.

Also, you can filter any policy alert according to group members who perform an action.

Note:

In the following procedure, if you select the action of Any, or a common action such as GetGroup or GetGroupPolicy, then you can trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

Creating Alerts for Operations on IAM Groups

Create alerts for operations performed on IAM groups, such as deleting a group.

AWS administrators add AWS groups in the IAM groups section of the AWS administration console. You can create policy alerts for actions taken on IAM groups.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, select AWS as the application type, select an instance, and then specify a resource.

For operations on IAM groups, specify the resource:

Field Value

Resource IAM Group

Action Select an action. For a description of available actions, see Actions for IAM User Policies.

Match... Name If you select Text, then select Contains from the drop-down list and enter a partial string to match a set of users. If you select Regular expression, then enter a regular expression to match one or more IAM groups.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

When you are done, click Next.


6. (Optional) On the Conditions page, filter your policy so it is triggered only under the conditions that you specify.

For a description of the additional policy conditions (parameters), see Condition Parameters for AWS Alerts.

When you are done, click Next.

7. Set your notifications:

• Show a risk event in the Monitor. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in the Risk Events page.

• Display a recommendation in the risk event. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

When you are done, click Next.

8. After reviewing your settings, click Next to submit the policy.

9. Click Done.

Actions for IAM Group Policies

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is IAM group.

For additional documentation about IAM group actions, see Amazon's online documentation.

The table below lists the actions that are available in the Resources page of the policy creation wizard when the Resource is IAM group.

Action Description

AddUserToGroup | RemoveUserFromGroup

Triggers an alert when an IAM user is added to or deleted from a group. You supply a full group name, a partial name to match one or more groups, or enter the .* regular expression to match all groups.

CreateGroup | DeleteGroup

Triggers an alert when someone creates or deletes a group. You supply a full group name, a partial name to match one or more groups, or enter the .* regular expression to match all groups.

AttachGroupPolicy | CreateGroupPolicy | DeleteGroupPolicy | UpdateGroupPolicy | PutGroupPolicy

Triggers an alert when someone attaches, creates, deletes, or updates an inline policy document for an IAM group. You supply a full group name, a partial name to match one or more groups, or enter the .* regular expression to match all groups.

You can configure Oracle CASB Cloud Service to automatically reset modified IAM user policies, but it can't currently reset group policies. You must do that manually.

GetGroup | ListGroup | GetGroupPolicy | ListGroupPolicy

These actions display the group and its policies. They are performed too frequently to be useful on their own. Use these actions for only particular groups or policies, or in conjunction with additional actions on this resource type.


Creating Alerts for Operations Performed by Users

Use the Username page of the wizard to filter a policy according to users who perform an action on the resource.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. On the Resource page, select AWS as the application type, select an instance, specify a resource, enter a text string to match the name or names of a selected resource (for example, an EC2 instance name), select an action on this resource, and then click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Next.

The Conditions page is optional. For a description of available parameters, see Condition Parameters for AWS Alerts.

7. Click Next, and in the actions page, select and set one or more notifications.

8. When you are done, click Next, and after reviewing your settings, click Next to submit the policy.

9. Click Done.

Creating Alerts for the AWS Root User

If your organization uses an alias for your AWS account, create policies that specifically identify this user by the alias instead of root.

Having the root user not show up as root can create confusion in the policy alerts that you see in Risk Events, because alerts against the root user will show the account alias in the Actor field.

To make it easier to identify actions taken by the root user, you can create one or more policies that specifically identify this user. This policy is identical to any other AWS policy; however, in the Username page of the policy wizard, you can select the option Select by username, the Contains operator, and the account alias (case-sensitive).

Creating Alerts for Access and Federated Access

Create policy alerts for resources related to access privileges in AWS, including authentication keys and identity service providers.

For example, you can create a policy for adding and deleting federated access groups, known as Security Assertion Markup Language (SAML) providers.

You can filter these policies according to who performs an action and who is affected by it.


Creating Alerts for IAM User Access Key Changes

Create a policy alert for changes in IAM user access keys.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resources page, set the following:

• Application type: AWS.

• Application instance: Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

• Resource: IAM User

• Resource name: Select Text, select Contains, and then enter the full or partial user name (example: OCCSAdministrator). To match all users, select Regular expression and then enter .* in the input field.

• Action on the resource: DeleteAccessKey. For an explanation of this and other actions for IAM users, see Types of AWS Alerts.

• When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. Click Next. Conditions are optional. For a description of available parameters, see Condition Parameters for AWS Alerts.

7. Click Next, and set your Action notifications:

• Show an alert in the Risk Events page. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address (one address only). Select this option to send an email to the designated address, with the message that you enter.

8. Click Next, review your settings, and then click Next to submit your policy.

9. Click Done.

Creating Alerts for Changes to Federated Access

Create policy alerts for various changes to federated access.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.


3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resources page, set the following:

Select the plus sign to create additional resource entries. For example, you can add an entry for the same resource paired with an UpdateSAMLProvider or DeleteSAMLProvider action.

• Application type: AWS

• Application instance: Select the name of your AWS application instance or Any.

• Resource: IAM IdProvider

• Resource name: Select Text, select Contains, and enter the full or partial provider name. To match all providers, use a regular expression with the value .*.

• Action on this resource: CreateSAMLProvider. For a description of actions for SAML providers, see Condition Parameters for AWS Alerts.

• When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. Click Next and optionally select condition parameters such as IP addresses. For a description of the additional policy conditions (parameters), see Creating Alerts for Access and Federated Access.

7. Click Next, and set your Action notifications:

• Show an alert in the Risk Events page. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address (one address only). Select this option to send an email to the designated address, with the message that you enter.

8. When you are done, click Next, review your settings, and then click Next to submit the policy.

9. Click Done.

Actions for IdProvider Policies

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is IAM IdProvider.

The table below lists the actions that are available in the Resource page of the policy creation wizard when the Resource type is IAM IdProvider.

Action Description

CreateSAMLProvider | DeleteSAMLProvider | UpdateSAMLProvider

Triggers an alert when someone creates, deletes, or modifies an identity provider. You supply a full provider name, a partial name to match one or more providers, or enter the .* regular expression to match all providers.


GetSAMLProvider | ListSAMLProvider

These actions display the provider. They are performed too frequently to be useful on their own. Use these actions for only particular providers, or in conjunction with additional actions on this resource type.

Creating Alerts for EC2 Instances and Networks

Create policy alerts for EC2 (Elastic Compute Cloud) starts and terminations, EC2 ACL network changes, and changes to EC2 instances and networks.

You can configure alerts for such activities as startup of EC2 instances. This can indicate unwanted extra expense or unwanted exposure of AWS network resources. Similarly, terminations of EC2 instances should be done seldom, and network updates can be sensitive.

An action of Any, or a common action such as DescribeInstance, can trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

Note:

When creating an alert for an AWS EC2 route, subnet, VPC, or VPN, you need to specify an ID instead of a resource name.

Creating Alerts for EC2 Starts and Terminations

Create policy alerts that flag both EC2 starts and EC2 terminations.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the resource page, specify the resource as follows:

Field Value

Application Type AWS

Instance The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource EC2 Instance

Identify resource by name or tag

Select Name if you want to match (filter the policy by) an EC2 instance name.

Select Tag if you want to match the EC2 instance tag. In this case, the tag refers only to the key (in AWS, a tag can be a key: value pair).


Resource name If you chose to identify the EC2 instance by its name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 instance name.

If you select Regular expression, type a regular expression to match one or more EC2 instances.

Action on this resource

Select StartInstances. An action of Any, or a common action such as DescribeInstance, can trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

For a complete list of actions, see Actions for EC2 Instances and Networks.

Click the plus sign and create another resource entry, this time selecting TerminateInstances as the action.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. Click Next. The condition settings are optional.

For a description of the additional policy conditions (parameters), see Condition Parameters for AWS Alerts.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is always selected.

When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and click Next to submit your policy.

9. Click Done.
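To make the matching rules of the procedures above concrete, here is an added example (not Oracle's code and not part of this guide) that models a policy as a list of Resource page entries plus the optional Username filter, and evaluates it over constructed events that have already been normalized from CloudTrail. The event field names (resource, action, resource_name, tag_keys, actor), the account alias acme-prod, and all instance and user names are assumptions made for the example; it covers the two-entry start/termination policy, name matching by Contains or Regular expression, tag matching on the key only, and the root-user alias case from the earlier section.

```python
"""Added example, not Oracle's code: a small model of how a policy built in
the wizard (Resource page entries plus the Username filter) is evaluated
over events already normalized from CloudTrail. All field names and sample
values below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ResourceEntry:
    """One row of the Resource page; the plus sign adds further entries."""
    resource: str          # e.g. "EC2 Instance", "IAM User"
    action: str            # a single action name, or "Any"
    match_mode: str        # "text" (Contains) or "regex" (Regular expression)
    pattern: str           # substring or regular expression (".*" matches all)
    by_tag: bool = False   # True: match the tag key instead of the name


@dataclass
class Policy:
    name: str
    entries: List[ResourceEntry]
    # Username page: "Select by username", Contains operator, case-sensitive.
    # For the root user this must be the account alias, not "root".
    actor_contains: Optional[str] = None


def entry_matches(entry: ResourceEntry, event: dict) -> bool:
    """True when the event's resource, action and name/tag match one entry."""
    if event["resource"] != entry.resource:
        return False
    if entry.action != "Any" and event["action"] != entry.action:
        return False
    if entry.by_tag:
        # Tag matching is on the key only, not the key:value pair.
        return entry.pattern in event.get("tag_keys", [])
    name = event["resource_name"]
    if entry.match_mode == "regex":
        return re.search(entry.pattern, name) is not None
    return entry.pattern in name  # "Contains", case-sensitive


def evaluate(policy: Policy, events: List[dict]) -> List[int]:
    """Return the ids of events that would raise a risk event for the policy."""
    hits = []
    for ev in events:
        if policy.actor_contains and policy.actor_contains not in ev["actor"]:
            continue
        if any(entry_matches(e, ev) for e in policy.entries):
            hits.append(ev["id"])
    return hits


# Constructed, normalized events. The Actor of the root-user event is the
# (assumed) account alias "acme-prod", as the root-user section describes.
EVENTS = [
    {"id": 1, "actor": "alice", "resource": "EC2 Instance",
     "action": "StartInstances", "resource_name": "prod-web-01",
     "tag_keys": ["env", "owner"]},
    {"id": 2, "actor": "bob", "resource": "EC2 Instance",
     "action": "DescribeInstances", "resource_name": "prod-web-01",
     "tag_keys": ["env"]},
    {"id": 3, "actor": "bob", "resource": "EC2 Instance",
     "action": "TerminateInstances", "resource_name": "dev-batch-07",
     "tag_keys": ["env"]},
    {"id": 4, "actor": "acme-prod", "resource": "IAM User",
     "action": "DeleteAccessKey", "resource_name": "svc-backup",
     "tag_keys": []},
]

# The policy from the procedure: StartInstances on instances whose name
# contains "prod", plus a second entry for TerminateInstances on any
# instance (Regular expression ".*"). DescribeInstances is not listed,
# so the noisy event 2 never matches.
EC2_LIFECYCLE = Policy("EC2 starts and terminations", [
    ResourceEntry("EC2 Instance", "StartInstances", "text", "prod"),
    ResourceEntry("EC2 Instance", "TerminateInstances", "regex", ".*"),
])

# Same entries, narrowed on the Username page to actors containing "bob".
EC2_LIFECYCLE_BOB = Policy("EC2 lifecycle by bob",
                           EC2_LIFECYCLE.entries, actor_contains="bob")

# Tag-based match: any instance action where the tag key "owner" is present.
OWNER_TAGGED = Policy("Owner-tagged instances", [
    ResourceEntry("EC2 Instance", "Any", "text", "owner", by_tag=True),
])

# Access-key policy, filtered to the root user through the account alias.
ROOT_KEY_DELETE = Policy("Root deletes access key", [
    ResourceEntry("IAM User", "DeleteAccessKey", "regex", ".*"),
], actor_contains="acme-prod")


def demo() -> dict:
    """Evaluate each sample policy against the constructed events."""
    return {p.name: evaluate(p, EVENTS) for p in
            (EC2_LIFECYCLE, EC2_LIFECYCLE_BOB, OWNER_TAGGED, ROOT_KEY_DELETE)}
```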

Creating Alerts for EC2 Network ACL Modifications

Configure policy alerts for any type of modifications to the EC2 ACL network.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the resource page, specify the resource as follows:


Field Value

Application Type AWS

Instance Select an instance name, or select Any to match all instances.

Resource EC2 Network

Identify resource by name or tag

Select Name if you want to match (filter the policy by) an EC2 network name. Select Tag if you want to match the EC2 network tag (key only).

Resource name If you chose to match the EC2 network's name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 network name.

If you select Regular expression, type a regular expression to match one or more EC2 instances.

Action on this resource Select CreateNetworkAcl.

Note: The following actions may generate too many alerts to be useful: DescribeNetworkAcls, DescribeNetworkInterfaceAttribute.

For a complete list of actions, see Actions for EC2 Instances and Networks.

Click the plus sign and create additional resource entries for these actions: DeleteNetworkAcl, CreateNetworkInterface, ResetNetworkInterfaceAttribute, DeleteNetworkInterface, DetachNetworkInterface, ReplaceNetworkInterface.

5. When you are done, click Next. The Username settings are optional.

6. Click Condition and optionally set conditional filters (for example, a time of day) or skip them. When you are done, click Next.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Review & Submit, and after reviewing your settings, click Submit.

Creating Alerts for Creating or Deleting EC2 Network ACL Entries

Create policy alerts that will flag both creating and deleting of EC2 network ACL entries.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.


4. In the resource page, specify the resource as follows:

Field Value

Application Type AWS

Instance Select an instance name, or select Any to match all instances.

Resource EC2 Network

Identify resource by name or tag

Select Name if you want to match (filter the policy by) an EC2 network name. Select Tag if you want to match the EC2 network tag (key only).

Resource name If you chose to match the resource name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 network name.

If you select Regular expression, type a regular expression to match one or more EC2 networks.

To match a tag, type the exact tag key (not the whole key:value pair).

Action on this resource

Select CreateNetworkAclEntry.

Note: the following actions can generate too many alerts: DescribeNetworkAcls, DescribeNetworkInterfaceAttribute.

For a complete list of actions, see Actions for EC2 Instances and Networks.

5. Click the plus sign and add the DeleteNetworkAclEntry action for this resource.

6. Complete the policy as shown in the previous procedures.

Creating Alerts for EC2 Network ACL Changes

Create policy alerts that will flag any changes to the EC2 network ACL entries.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the resource page, select AWS as the application type, select an instance (or All), and then select the resource type EC2 Network.

5. In the resources page, Action field, select CreateNetworkAcl.

For a complete list of actions, see Actions for EC2 Instances and Networks.

6. Enter a full or partial network ACL name as described in the procedure above.

7. Click the plus sign to configure these actions for the resource: DeleteNetworkAcl, CreateNetworkInterface, DeleteNetworkInterface, DetachNetworkInterface, ResetNetworkInterfaceAttribute.

8. Complete the alert as shown in the previous procedures.


Creating Alerts for EC2 Network ACL Rule Changes

Create policy alerts that will flag both creating and replacing EC2 network ACL entries.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the resource page, follow the steps for other EC2 network changes above, but select the resource type EC2 Network and the action CreateNetworkAclEntry.

For a complete list of actions, see Actions for EC2 Instances and Networks.

5. Click the plus sign to create an entry for the same resource with the action ReplaceNetworkAclEntry.

6. Complete the alert as shown in the previous procedures.

Creating Alerts for EC2 Network Routing Changes

Create policy alerts that will flag any change in EC2 network routing.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, enter the following:

Field Value

Application Type AWS

Instance Select an instance name, or select Any to match all instances.

Resource EC2 Route

Identify resource by name or tag

Select Name if you want to match (filter the policy by) an EC2 route ID. For AWS resources that use IDs instead of names (for example, routes, VPNs, VPCs, and subnets), you use the resource's ID in this field.

Select Tag if you want to match the EC2 route tag (key only).

Resource name If you chose to match the EC2 route ID, select Text, select Contains from the drop-down, and enter a full or partial string to match a route ID.

If you select Regular expression, type a regular expression to match one or more EC2 route IDs.


Action on this resource

Select AssociateRouteTable.

For a complete list of actions, see Actions for EC2 Instances and Networks.

5. To add actions for this resource, click the plus sign and set one or more additional actions for the EC2 route: CreateRoute, DisableVgwRoutePropagation, CreateRouteTable, DeleteRoute, DeleteRouteTable, DisassociateRouteTable, ReplaceRoute, ReplaceRouteTableAssociation.

Actions for EC2 Instances and Networks

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is EC2 instance.

For additional information about EC2 actions, see Amazon's online documentation.

The table below lists the actions that are available in the Resources page of the policy creation wizard when the Resource type is EC2 instance.

Action Description

BundleInstance This action is related to bundling (compressing, encrypting, and otherwise preparing a storage-enabled) a Windows Amazon Machine Image (AMI). It is important to be sure that only authorized people perform these actions.

You supply a full instance name, a partial name to match one or more instances, or type the .* regular expression to match all instances.

ImportInstance This action refers to creating an import instance task using metadata from the disk image. It is important to be sure that only authorized people perform these actions.

You supply a full instance name, a partial name to match one or more instances, or type the .* regular expression to match all instances.

ModifyInstanceAttribute | ResetInstanceAttribute

This action refers to modifying or reversing an instance characteristic (attribute). Some modify actions require stopping the image.

Image definitions should be relatively stable; multiple changes to an image can indicate a security risk.

RebootInstances | RunInstances | StartInstances | StopInstances | TerminateInstances

These actions refer to starting up and stopping EC2 instances. These are critical actions on critical resources. Multiple instance starts or stops may indicate a security risk, an unstable environment, or an unwise use of resources.

UnmonitorInstances This refers to turning off monitoring for an instance. All running instances should be monitored.

DescribeInstanceAttribute | DescribeInstances | MonitorInstances | ReportInstanceStatus

These actions display the instance. They are performed too frequently to be useful on their own. Use these actions for only particular instances, or in conjunction with additional actions on this resource type.

These actions are available in the resources page of the policy creation wizard when the resource type is EC2 network.


AttachNetworkInterface | CreateNetworkInterface | DeleteNetworkInterface | DetachNetworkInterface | ModifyNetworkInterfaceAttribute | ResetNetworkInterfaceAttribute

Network interfaces are a set of private IP addresses. You should make sure that anyone who performs these actions is authorized to do so and the action does not create issues with access.

You supply a full interface name, a partial name to match one or more interfaces, or type the .* regular expression to match all interfaces.

CreateNetworkACL | CreateNetworkACLEntry | DeleteNetworkACL | DeleteNetworkACLEntry | ReplaceNetworkACLAssociation | ReplaceNetworkACLEntry

Network ACLs provide an optional layer of security (in addition to security groups) for the instances in your Virtual Private Cloud (VPC). You should make sure that anyone who performs these actions is authorized and the action does not create issues with access to your VPCs. ACLs generally are stable and seldom modified.

DescribeNetworkACLs | DescribeNetworkInterfaceAttribute

These actions display the ACL or interface or its attributes. They are performed too frequently to be useful on their own. Use these actions for only particular interfaces, or in conjunction with additional actions on this resource type.

Creating Alerts for EC2 Security Groups

Create policy alerts for specified actions on EC2 security groups.

AWS EC2 security groups control access to networks and resources in your Virtual Private Clouds (VPCs). Security groups should be closed to all but required traffic.

A security group definition describes IP addresses, address ranges, ports, and protocols that are permitted to send traffic to and from a VPC.

You should know when people create ingress (inbound) and egress (outbound) rules for a security group, particularly as they relate to clouds with mission-critical or sensitive data.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

Field Value

Application Type AWS

Instance The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource EC2 SecurityGroup

Identify resource by name or tag

To match by security group name, select Name, and then select Contains.


Resource name To match the security group name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 Security Group name.

If you select Regular expression, type a regular expression to match one or more EC2 Security Group names.

5. Drop down the Action on this resource list and select an action:

Action on this Resource Description

Any Any of the available actions taken on the specified EC2 security group.

Associate IAM instance profile An IAM instance profile has been associated with the specified EC2 security group.

Authorize security group egress An egress rule has been added to the specified EC2 security group for use with a VPC.

Authorize security group ingress An ingress rule has been added to the specified EC2 security group for use with a VPC.

Create security group An EC2 security group has been created.

Delete security group An EC2 security group has been deleted.

Describe security groups An EC2 security group has been described.

Disassociate IAM instanceprofile

An IAM instance profile has been disassociated from thespecified EC2 security group.

Replace IAM instance profileassociation

An IAM instance profile associated from the specifiedEC2 security group has been replaced.

Revoke security group egress An egress rule has been revoked from the specified EC2security group for use with a VPC.

Revoke security group ingress An ingress rule has been revoked from the specified EC2security group for use with a VPC.

For additional information about EC2 actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for EC2 VPCs and VPNs
Create policy alerts for changes to EC2 VPCs and EC2 VPNs.

You can configure alerts for such activities as changes to EC2 Virtual Private Clouds (VPCs) and EC2 Virtual Private Networks (VPNs).

EC2 VPNs are similar to network access control lists (ACLs). They control traffic into and out of AWS subnets (equivalent to access rules with a firewall). These updates can produce service interruptions and enable data breaches.


Note:

When creating an alert for an AWS EC2 route, subnet, VPC, or VPN, you need to specify an ID instead of a resource name.

Creating Alerts for EC2 VPN Changes
Configure policy alerts for specified changes to EC2 VPNs.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, set the resource as follows:

Application Type: AWS

Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: EC2 VPN

Identify resource by name or tag: To match by VPN ID, select Name, select Contains, and then type the VPN ID. (VPNs have IDs instead of names.)

Resource name: If you chose Name, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 VPN ID. (When creating an alert for an AWS EC2 route, subnet, VPC, or VPN, you need to specify an ID instead of a resource name.)

If you select Regular expression, type a regular expression to match one or more EC2 VPN IDs.

Action on this resource: Select AttachVpnGateway.

For additional information about EC2 actions, see Amazon's online documentation.

5. Click the plus sign to configure additional actions for the resource: CreateVpnConnection, DetachVpnGateway, CreateVpnConnectionRoute, CreateVpnGateway, DeleteVpnConnection, DeleteVpnConnectionRoute, DeleteVpnGateway.

6. Complete the policy as shown in other AWS policy topics.

Creating Alerts for EC2 VPC Changes
Configure policy alerts for specified changes to EC2 VPCs.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, set the following:

Application Type: AWS

Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: EC2 VPC

Identify resource by name or tag: To match by VPC ID, select Name, select Contains, and then type the VPC ID. (When creating an alert for an AWS EC2 route, subnet, VPC, or VPN, you need to specify an ID instead of a resource name.)

Resource name: To match the ID, select Text, select Contains from the drop-down, and enter a full or partial string to match an EC2 VPC ID. To match the tag, enter the exact tag key (key only, not the value).

If you select Regular expression, type a regular expression to match one or more EC2 VPC IDs.

5. Drop down the Action on this resource list and select an action:

Any: Any of the available actions taken on the specified EC2 VPC.

Create VPC: An EC2 VPC was created.

Create VPC peering connection: A VPC peering connection has been created between the specified EC2 VPC and another VPC.

Delete VPC: An EC2 VPC was deleted.

Describe VPC attribute: An attribute of the specified EC2 VPC was described.

Describe VPCs: The specified EC2 VPC was described.

Modify VPC attribute: An attribute of the specified EC2 VPC was modified.

For additional information about EC2 actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the policy as shown in the help for configuring other AWS policies.

Creating Alerts for EC2 Internet Gateways
Configure policy alerts for specified changes to EC2 Internet gateways.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, set the following:

Application Type: AWS

Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: EC2 InternetGateway

Resource name: To specify the resource name, select Text, select Contains from the drop-down, and enter a full or partial string to match a resource name.

If you select Regular expression, type a regular expression to match one or more resource names.

5. Drop down the Action on this resource list and select an action:

Any: Any of the available actions taken on the resource.

CreateInternetGateway: The Internet gateway was created.

AttachInternetGateway: The Internet gateway was attached to an AWS virtual private cloud.

DetachInternetGateway: The Internet gateway was detached from an AWS virtual private cloud.

For additional information about EC2 actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the policy as shown in the help for configuring other AWS policies.

Creating Alerts Based on EC2 Tags
Use EC2 tags to identify resources when you configure policy alerts.

AWS provides tagging to help you with managing instances, images, and other Amazon EC2 resources.

A general description of tagging is available on the AWS blog site. An AWS tag is a key:value pair. If you use AWS tags, you can create alerts based on either the full key:value pair or just the key in these tags. For example, you can create an alert to generate a risk event whenever someone modifies an EC2 instance with the key "production" or the key-value pair "production:server1".

You can apply a tag to specific resources in a policy (in the Resources page of the wizard) or to all of the items that you configure on the Resources page. In the latter case, you define the tag in the Condition page of the wizard.


Note:

In the following procedure, if you select an action of Any, or a common action such as DescribeInstance, you can trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, do the following:

• Application type: AWS

• Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

• Resource: Select an EC2 resource type, for example, EC2 Instance.

• Identify by Name or Tag: Select Name or Tag.

If you select Name, you still can specify a tag on a later page of this wizard. This permits filtering a resource of a particular name according to whether or not it also has a particular tag.

If you select Tag, type the exact tag key, for example, Production. If you input a tag key on this page, the policy matches any instance with this tag key. (Although you specify the tag as a key:value pair in AWS, you only specify the key here.)

Note: Do not use the Tag option with "delete" actions because AWS does not record the deleted tag in its logs.

• Action: Select an action of interest, for example, StartInstances.

Note:

An action of Any, or a common action such as DescribeInstance, can trigger more alerts than you intended, unless you filter the alert by user or group, or add other conditions in later pages of this wizard. For additional information about EC2 actions, see Amazon's online documentation.

5. Repeat step 4, but this time select the action TerminateInstances.

When you are done, click Next.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

Click Next and in the condition step:

• If you selected Tag in step 4, you would probably not specify a tag in this step.


• If you selected Name in step 4, click + Add condition. In the Parameter drop-down select Tag, in the Operator drop-down, select Equal to, and in the Value drop-down type a complete key:value pair for the AWS tag, or a single key name.

If you want Oracle CASB Cloud Service to create an alert based on any of several tags, select an Operator of In and then type a comma-separated list of values. (This is a logical OR.)

To generate the alert only when the resource contains more than one type of tag (for example, an instance with both Production and Deployment tags), click the plus sign and then add a second parameter-operator-value triplet. (This is a logical AND.)

Note:

If you set a tag on the resource page, do not also set a tag on this page. The Tag condition on this page allows you to select a resource type by name (for example, EC2 instances named LatAm) and further filter them by tag (for example, Production).

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, and after reviewing your settings, click Next to submit your policy.

9. Click Done.
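The tag-matching rules this procedure describes (key-only matching on the Resource page, key or key:value with Equal to, a comma-separated In list as logical OR, and several triplets as logical AND) can be checked offline before a policy is saved. The following is an added example and not Oracle CASB Cloud Service code; the function names, the (parameter, operator, value) tuple format and the instance tag sets are this example's own constructions.

```python
"""Model the Oracle CASB tag-condition rules against EC2 instance tags.

Added example, not Oracle CASB Cloud Service code. It encodes the rules from
the procedure above so a policy design can be dry-run against known tag sets:
  * Resource page "Tag": matches on the tag key alone.
  * Condition "Equal to": value is a full "key:value" pair or a bare key.
  * Condition "In": comma-separated list of such values, logical OR.
  * Several parameter-operator-value triplets: logical AND.
"""

def tag_value_matches(tags, value):
    """True if one condition value matches the tag set.

    "Production" matches any tag with key Production;
    "Production:server1" matches only key Production with value server1.
    """
    if ":" in value:
        key, expected = value.split(":", 1)
        return tags.get(key) == expected
    return value in tags

def resource_page_tag_matches(tags, tag_key):
    """The Resource page Tag option takes the key only, never the value."""
    return tag_key in tags

def condition_matches(tags, operator, value):
    """Evaluate one Tag condition from the Condition page."""
    if operator == "Equal to":
        return tag_value_matches(tags, value)
    if operator == "In":
        # Comma-separated list; any entry may match (logical OR).
        return any(tag_value_matches(tags, v.strip()) for v in value.split(","))
    raise ValueError(f"unsupported operator: {operator}")

def policy_matches(tags, conditions):
    """Every triplet must hold (logical AND).

    Each triplet is (parameter, operator, value); only the Tag parameter is
    modeled here. An empty condition list matches everything, which is what
    skipping the Condition page means.
    """
    return all(condition_matches(tags, op, val)
               for param, op, val in conditions if param == "Tag")

# Constructed tag sets for three EC2 instances (not real resources).
INSTANCE_TAGS = {
    "i-prod-web": {"Production": "server1", "Deployment": "blue"},
    "i-prod-db": {"Production": "db1"},
    "i-dev": {"Development": "server1"},
}

def matching_instances(conditions, inventory=INSTANCE_TAGS):
    """Return the instance IDs whose tags satisfy every condition, in inventory order."""
    return [iid for iid, tags in inventory.items() if policy_matches(tags, conditions)]

if __name__ == "__main__":
    both = [("Tag", "Equal to", "Production"), ("Tag", "Equal to", "Deployment")]
    print("Production AND Deployment:", matching_instances(both))
    print("Production:db1 OR Development:",
          matching_instances([("Tag", "In", "Production:db1, Development")]))
```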

Creating Alerts for CloudTrail Changes
Review the actions and conditions that are available in the Resources page of the policy creation wizard when the Resource selected is CloudTrail.

Prerequisites:

• You have started creating an AWS policy alert in Creating an AWS Policy.

• On the Resource page in the policy creation wizard, you have set the Resource type to CloudTrail.

• You are ready to select the Action on this resource.

1. In the policy creation Resource page, after you have selected CloudTrail as the Resource type, select one of the options below from the Action on this resource drop-down list:

Any: Any of the available actions taken on the specified CloudTrail.


Add Tags: A tag has been added to the specified CloudTrail.

Create Trail: A trail has been created in the specified CloudTrail.

Delete Trail: A trail has been deleted from the specified CloudTrail.

Put Event Selectors: An event selector has been put to the specified CloudTrail.

Remove Tags: A tag has been removed from the specified CloudTrail.

Start Logging: Logging has been started for the specified CloudTrail.

Stop Logging: Logging has been stopped for the specified CloudTrail.

Update Trail: A trail has been updated in the specified CloudTrail.

2. Click Next to proceed to the Username page.

3. Return to Creating an AWS Policy and continue with step 4 there.

Creating Alerts for S3 Resources
Configure policy alerts for activities that affect AWS Simple Storage Service (S3) resources.

All Amazon S3 resources, such as buckets, are by default only available to the AWS account owners who created them. Because S3 resources can contain mission-critical information, it is important to monitor operations such as creating and deleting S3 resources, and changes regarding who has permission to access these resources through changes to access control lists (ACLs).

Creating General S3 Bucket Policies
Create policies to alert for actions taken on S3 bucket objects and on the buckets themselves.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, do the following:

• Application type: AWS

• Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

• Resource: Select S3 Bucket or S3 Object.

• Identify by Name or Tag: Lets you specify a full or partial name, or an entire tag name, expressed as the key part of an S3 key:value pair. Note that if you type a name on this page, you can refine the filter by a tag in a later page of this wizard.


• Action: Select a Get (read) or Put (write) action of interest. For additional information about actions, see Amazon's reference documentation for bucket operations and S3 operations.

Note:

An action of Any can trigger more alerts than you intended, unless you filter the alert by user or group, or add other conditions in later pages of this wizard. These are the specific actions.

Any Get Bucket or Get Object action: Get (view) actions can be performed very often, so to make this policy meaningful you should restrict it to only buckets with highly sensitive resources, to watch users of interest, or use the equivalent Put action in the policy.

Put Bucket | Put Object: This action can alert you when someone creates a new S3 cloud storage bucket. This type of policy can help you be sure that this operation is authorized and is worth incurring additional storage costs. Also, it can help you verify that encryption and multi-factor authentication are enabled for this bucket.

This action can also alert you when someone creates a new type of S3 object. This type of policy can be useful for a particularly sensitive object (for example, a document with personally identifiable information) because you may want to investigate the user named in alerts that this type of policy generates.

Put Bucket ACL | Put Object ACL: This action can alert you when someone adds access control list (ACL) permissions for an S3 bucket or object. This type of policy can help you be sure that the ACL conforms to your organization's policies. In general, ACLs should be stable and rarely modified.

Put Bucket CORS: This action can alert you when someone enables cross-origin resource sharing (CORS) for an S3 bucket. This opens the bucket to requests from identified locations. For example, this type of sharing can open a bucket at my.example.bucket.com to requests from www.example.com. If a CORS configuration exists, this operation replaces it.

An alert based on this policy can make sure that you verify the recipient of the shared resource. If an alert based on this policy appears multiple times for different S3 buckets, you should verify both the recipients and the user who is permitting sharing.

Put Bucket Policy | Put Object Policy: This action can alert you when someone adds to or replaces a policy (a set of rules that control who can access resources) for an S3 bucket or object. If the bucket or object already has a policy, the one in this request completely replaces it. In general, S3 policies should be stable and rarely modified.

Put Bucket Request Payment: This action can alert you when an owner of an S3 storage bucket modifies the payment process and is sending charges for downloads to the person who requests the download. By default, the owner of an S3 bucket pays for downloads from the bucket.


Delete Object: This action can alert you when someone deletes an object (for example, a document) or a type of object from an S3 cloud storage bucket. The AWS administrator can restore the object if versioning was enabled for it.

When you enable this policy for particularly sensitive objects (for example, a document with personally identifiable information in it), you can then investigate users named in any alerts that this type of policy generates.

Create Bucket: This action can alert you when someone creates a bucket.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. Click Next and in the conditions page, Parameter drop-down, select any additional filter that you want to apply, an operator, and a value for the filter.

For example, to filter the policy according to an S3 tag, select Tag, in the Operator drop-down, select an operator (for example, Equal to), and in the Value drop-down type a complete key:value pair for the AWS tag, or a single key name.

If you want Oracle CASB Cloud Service to create an alert based on any of several tags, select an Operator of In and then type a comma-separated list of values. (This is a logical OR.)

To generate the alert only when the resource contains more than one type of tag (for example, an instance with both Production and Deployment tags), click the plus sign and then add a second parameter-operator-value triplet. (This is a logical AND.)

Note:

If you set a tag on the resource page, do not also set a tag on this page. The Tag condition on this page allows you to select a resource type by name (for example, EC2 instances named LatAm) and further filter them by tag (for example, Production). For additional information about filters, see Creating a Policy.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, and after reviewing your settings, click Next to submit your policy.

9. Click Done.


Detecting when an S3 Bucket Grants Access to Users in Nonsanctioned Accounts

Understand how to configure policy alerts for S3 bucket policy changes that grant access to users in non-sanctioned AWS accounts.

In AWS, S3 bucket access is controlled by policies.

In Oracle CASB Cloud Service, you can create a policy that generates an alert when an S3 bucket policy grants access to users in non-sanctioned AWS accounts. You configure these alerts in the Oracle CASB Cloud Service console, policy Conditions page. In this page, to generate an alert when an S3 bucket policy grants access to a non-sanctioned account, you configure the condition as follows:

• Parameter: AWS account ID

• Operator: Not Equals

• Value: account ID1, account ID2

Where account ID1 and account ID2 are sanctioned (permissible) accounts (for example, 113122223861,133122223862). This is a logical OR, so that Oracle CASB Cloud Service generates an alert when it detects S3 bucket policies that contain any account ID other than the ones mentioned in the Oracle CASB Cloud Service policy.

Currently, you can select the AWS account ID parameter for resources other than S3 buckets. However, this parameter applies only to S3 buckets.
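The check behind this condition, extracting every account ID that an Allow statement in a bucket policy grants access to and flagging any that is not in the sanctioned list, can be reproduced directly against a bucket policy document. The following is an added example and not Oracle CASB Cloud Service code; the two sanctioned account IDs are the ones quoted above, while the bucket policy, the third account ID and the function names are constructed for illustration.

```python
"""Flag S3 bucket policy statements that grant access to non-sanctioned accounts.

Added example, not Oracle CASB Cloud Service code. It mirrors the Conditions
page rule "AWS account ID Not Equals <sanctioned IDs>": any Allow statement
whose principal names an account outside the sanctioned set is reported.
"""
import json
import re

# The two sanctioned IDs quoted in the text above.
SANCTIONED_ACCOUNTS = {"113122223861", "133122223862"}

# Account IDs appear bare ("123456789012") or inside IAM ARNs
# ("arn:aws:iam::123456789012:root", "arn:aws:iam::123456789012:user/name").
_ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

def principal_account_ids(principal):
    """Return the account IDs referenced by a statement's Principal element.

    Principal may be "*", a bare ARN/ID string, or a dict such as
    {"AWS": "arn..."} or {"AWS": ["arn...", "arn..."]}. A wildcard is reported
    as "*" so callers can treat "anyone" as unsanctioned. Service principals
    ({"Service": ...}) are not account grants and are ignored.
    """
    if principal == "*":
        return {"*"}
    values = []
    if isinstance(principal, str):
        values = [principal]
    elif isinstance(principal, dict):
        aws = principal.get("AWS", [])
        values = [aws] if isinstance(aws, str) else list(aws)
    ids = set()
    for value in values:
        if value == "*":
            ids.add("*")
            continue
        match = _ACCOUNT_RE.match(value)
        if match:
            ids.add(match.group(1))
    return ids

def unsanctioned_grants(bucket_policy, sanctioned=SANCTIONED_ACCOUNTS):
    """Return (Sid, account_id) pairs for Allow statements that reach outside
    the sanctioned set. Deny statements cannot grant access and are skipped."""
    findings = []
    for stmt in bucket_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for account in sorted(principal_account_ids(stmt.get("Principal", {}))):
            if account not in sanctioned:
                findings.append((stmt.get("Sid", ""), account))
    return findings

# Constructed sample bucket policy: one grant to a sanctioned account, one
# statement that mixes a sanctioned account with an unknown one, and a Deny.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::133122223862:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "MixedGrant", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::999988887777:user/contractor",
                           "arn:aws:iam::113122223861:root"]},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    for sid, account in unsanctioned_grants(SAMPLE_POLICY):
        print(f"ALERT: statement {sid!r} grants access to non-sanctioned account {account}")
```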

Creating Alerts for Setting AWS Roles
Create a policy alert to maintain control over role definitions, which in turn control user permissions.

For this type of policy to take effect, you must register the AWS application instance in "push controls" mode. See Using an IAM User: Creating a Dedicated Service User, or Using an IAM Role: Creating a Dedicated Service Role.

Every user defined in the Identity and Access Management (IAM) component of AWS has a role with a set of permissions.

Within the policy definition, you can set Oracle CASB Cloud Service to automatically reset the IAM role to a set of permissions that you define. Unlike other types of policy alerts, Oracle CASB Cloud Service automatically creates incident tickets for policy alerts of this type.

1. Get a text file with the policy definition that you want to enforce:

In the AWS command line, type:

aws iam get-account-authorization-details --filter Role

Note:

This is based on command line version 1.7.31. Earlier versions might not support this command.


Here is an example of an AWS role and corresponding policy document. Note that the details for the role must be specific to your environment; reusing this example will not match anything in your account.

{
  "RoleDetailList": [
    {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Principal": { "Service": "ec2.amazonaws.com" },
            "Effect": "Allow",
            "Sid": ""
          }
        ]
      },
      "RoleId": "AROAIQ7QZ3VGHPLAGAEE6A",
      "CreateDate": "2015-06-30T21:11:12Z",
      "InstanceProfileList": [
        {
          "InstanceProfileId": "AIPAISYI4XOL4IQAGJIRW",
          "Roles": [
            {
              "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Action": "sts:AssumeRole",
                    "Principal": { "Service": "ec2.amazonaws.com" },
                    "Effect": "Allow",
                    "Sid": ""
                  }
                ]
              },
              "RoleId": "AROAIQ7QZ4VGHPLGAEE6A",
              "CreateDate": "2015-06-30T21:11:12Z",
              "RoleName": "auditorRole",
              "Path": "/",
              "Arn": "arn:aws:iam::012345678901:role/auditorRole"
            }
          ],
          "CreateDate": "2015-06-30T21:11:12Z",
          "InstanceProfileName": "auditorRole",
          "Path": "/",
          "Arn": "arn:aws:iam::012345678901:instance-profile/auditorRole"
        }
      ],
      "RoleName": "auditorRole",
      "Path": "/",
      "AttachedManagedPolicies": [
        {
          "PolicyName": "SecurityAudit",
          "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"
        }
      ],
      "RolePolicyList": [],
      "Arn": "arn:aws:iam::012345678901:role/auditorRole"
    }
  ],
  "GroupDetailList": [],
  "UserDetailList": [],
  "Policies": [],
  "IsTruncated": false
}

2. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

3. Click New Policy.

4. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

5. In the Resources page, do the following:

• Application type: AWS

• Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

• Resource: Select IAM role.

• Identify the name of the role (for example, auditorRole).

• Action: Select UpdateAssumeRolePolicy, DeleteRole, DeleteRolePolicy, DetachRolePolicy, AttachRolePolicy, or PutRolePolicy.

These actions trigger the alert when someone updates an IAM role's definition (its associated policy). This is the complete result returned from this AWS command:

aws iam get-account-authorization-details --filter Role

Note:

To be able to reset the role definition in addition to generating the alert, do not configure any other actions in this policy.

• When you are done, click Next.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

7. Click Next and in the conditions page, Parameter drop-down, select any additional filter that you want to apply, an operator, and a value for the filter.


You probably want to skip this step so that this policy applies to all IAM users with this role. For additional information about filters, see Creating a Policy.

8. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

9. To reset the role, in the actions page, select the Reset the role checkbox and then paste the AWS IAM role policy that you want to enforce.

10. When you are done, click Next, and after reviewing your settings, click Next.

11. Click Done. Oracle CASB Cloud Service now monitors for changes to the role.

When it detects a change, Oracle CASB Cloud Service attempts to reset the role definition. It also creates a risk event in Risk Events and an incident ticket to show whether it successfully reset the role.

12. To find alerts that this policy has triggered:

a. In the Oracle CASB Cloud Service console, select Risk Events.

b. Drop down the Status list and select:

• Resolved - to view role updates that Oracle CASB Cloud Service resolved automatically.

• Open - to view role updates that Oracle CASB Cloud Service was unable to resolve.

c. If you need additional filtering for the list of events, type the policy name or action in the search field.
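The stored output of aws iam get-account-authorization-details --filter Role is the baseline this policy enforces. The comparison half of that idea, deciding whether a freshly fetched role still matches the stored baseline in the fields that carry permissions (trust policy, attached managed policies, inline policies) while ignoring metadata such as CreateDate and RoleId, is shown below as an added example; it is not Oracle CASB Cloud Service code. The baseline is abbreviated from the auditorRole document above, and the "observed" document, the AdministratorAccess attachment, the inline policy and the function names are constructed for illustration.

```python
"""Report how an IAM role has drifted from its approved baseline definition.

Added example, not Oracle CASB Cloud Service code. Both inputs have the shape
of `aws iam get-account-authorization-details --filter Role` output. Only the
permission-bearing fields are compared, so metadata differences do not raise
false drift.
"""
import json

def permission_view(role):
    """Reduce a RoleDetailList entry to the fields that decide what the role can do.

    Managed policies compare by ARN; inline policies by name plus a canonical
    JSON rendering of their document, so key order does not matter.
    """
    return {
        "AssumeRolePolicyDocument": json.dumps(
            role.get("AssumeRolePolicyDocument", {}), sort_keys=True),
        "AttachedManagedPolicies": sorted(
            p["PolicyArn"] for p in role.get("AttachedManagedPolicies", [])),
        "RolePolicyList": sorted(
            (p["PolicyName"], json.dumps(p["PolicyDocument"], sort_keys=True))
            for p in role.get("RolePolicyList", [])),
    }

def find_role(authorization_details, role_name):
    """Locate a role by RoleName in get-account-authorization-details output."""
    for role in authorization_details.get("RoleDetailList", []):
        if role.get("RoleName") == role_name:
            return role
    return None

def role_drift(baseline_doc, observed_doc, role_name):
    """Return {field: (baseline_value, observed_value)} for fields that differ.

    An empty dict means no drift. None means the role is missing from the
    observed document (the DeleteRole case). A role missing from the baseline
    is a configuration error and raises.
    """
    base = find_role(baseline_doc, role_name)
    if base is None:
        raise KeyError(f"{role_name} is not in the baseline")
    obs = find_role(observed_doc, role_name)
    if obs is None:
        return None
    base_view, obs_view = permission_view(base), permission_view(obs)
    return {k: (base_view[k], obs_view[k])
            for k in base_view if base_view[k] != obs_view[k]}

ASSUME_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"},
     "Effect": "Allow", "Sid": ""}]}

# Baseline: the page's auditorRole with only SecurityAudit attached (abbreviated).
BASELINE = {"RoleDetailList": [{
    "RoleName": "auditorRole", "Path": "/",
    "Arn": "arn:aws:iam::012345678901:role/auditorRole",
    "CreateDate": "2015-06-30T21:11:12Z",
    "AssumeRolePolicyDocument": ASSUME_EC2,
    "AttachedManagedPolicies": [
        {"PolicyName": "SecurityAudit",
         "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"}],
    "RolePolicyList": []}]}

# Constructed observation: AdministratorAccess was attached and an inline
# policy added. CreateDate differs too, but metadata is not compared.
OBSERVED = {"RoleDetailList": [{
    "RoleName": "auditorRole", "Path": "/",
    "Arn": "arn:aws:iam::012345678901:role/auditorRole",
    "CreateDate": "2020-07-01T00:00:00Z",
    "AssumeRolePolicyDocument": ASSUME_EC2,
    "AttachedManagedPolicies": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
        {"PolicyName": "SecurityAudit",
         "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"}],
    "RolePolicyList": [{"PolicyName": "ExtraS3",
                        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}]}

if __name__ == "__main__":
    for field, (before, after) in role_drift(BASELINE, OBSERVED, "auditorRole").items():
        print(f"{field}: baseline={before} observed={after}")
```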

Creating Alerts for Cloud HSM
Create policy alerts for specified actions on Cloud Hardware Security Module (HSM).

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

Application Type: AWS

Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.


Resource Cloud HSM

Identify resource byname or tag

To identify the resource by its name, select Name, then select one ofthese options:• Text — then select a comparison from the drop-down list, and

enter text in the box below.• Regular expression — then enter the regular expression in the

box below.

To identify the resource by a tag, select Tag, then enter the full tagname in the box below.

Note:

Some resources do not have a tag option.

5. Drop down the Action on this resource list and select an action:

Action on this Resource Description

Any Any of the available actions taken on the specified CloudHSM.

Create HSM An HSM has been created.

Create cluster An HSM cluster has been created.

Delete HSM An HSM has been deleted.

Delete cluster An HSM cluster has been deleted.

Describe backups HSM backups have been described.

Describe clusters HSM clusters have been described.

Initialize cluster An HSM cluster has been created.

List tags HSM tags have been listed.

Tag resource An HSM resource has been tagged.

Untag resource An HSM resource has been untagged.

For additional information about HSM actions, see Amazon's onlinedocumentation.

6. (Optional) Click the plus sign and repeat the step above to configure additionalactions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for RDS

Create policy alerts for specified actions on Relational Database Service (RDS).

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

   Application Type: AWS

   Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

   Resource: Relational Database Service

   Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
   • Text — then select a comparison from the drop-down list, and enter text in the box below.
   • Regular expression — then enter the regular expression in the box below.
   To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

5. Drop down the Action on this resource list and select an action:

   Action on this Resource    Description

   Any: Any of the available actions taken on the specified RDS.
   Delete DB cluster: An RDS cluster has been deleted.
   Delete DB snapshot: An RDS snapshot has been deleted.
   Modify DB cluster: An RDS cluster has been modified.
   Modify DB instance: An RDS instance has been modified.

   For additional information about RDS actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for ACM

Create policy alerts for specified actions on AWS Certificate Manager (ACM).

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

   Application Type: AWS

   Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

   Resource: AWS Certificate Manager

   Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
   • Text — then select a comparison from the drop-down list, and enter text in the box below.
   • Regular expression — then enter the regular expression in the box below.
   To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

5. Drop down the Action on this resource list and select an action:

   Action on this Resource    Description

   Any: Any of the available actions taken on the specified ACM.
   Delete certificate: A certificate has been deleted.

   For additional information about ACM actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for Auto Scaling

Create policy alerts for specified actions on AWS Auto Scaling.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

   Application Type: AWS

   Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

   Resource: Auto Scaling

   Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
   • Text — then select a comparison from the drop-down list, and enter text in the box below.
   • Regular expression — then enter the regular expression in the box below.
   To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

5. Drop down the Action on this resource list and select an action:

   Action on this Resource    Description

   Any: Any of the available actions taken on the specified Auto Scaling.
   Delete auto scaling group: An auto scaling group has been deleted.

   For additional information about AWS Auto Scaling actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for ELB

Create policy alerts for specified actions on AWS Elastic Load Balancing (ELB).

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

   Application Type: AWS

   Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

   Resource: Elastic Load Balancing

   Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
   • Text — then select a comparison from the drop-down list, and enter text in the box below.
   • Regular expression — then enter the regular expression in the box below.
   To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

5. Drop down the Action on this resource list and select an action:

   Action on this Resource    Description

   Any: Any of the available actions taken on the specified ELB.
   Apply security groups to load balancer: One or more security groups have been applied to the ELB.
   Create listener: A listener has been created on the ELB.
   Delete listener: A listener has been deleted from the ELB.
   Modify listener: A listener has been modified on the ELB.
   Register instances with load balancer: One or more instances have been registered with the ELB.

   For additional information about ELB actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for KMS

Create policy alerts for specified actions on AWS Key Management Service (KMS).

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

   Application Type: AWS

   Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

   Resource: Key Management Service

   Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
   • Text — then select a comparison from the drop-down list, and enter text in the box below.
   • Regular expression — then enter the regular expression in the box below.
   To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

5. Drop down the Action on this resource list and select an action:

   Action on this Resource    Description

   Any: Any of the available actions taken on the specified KMS.
   Create key: A key has been created.
   Import key material: Key material has been imported.
   Put key policy: A key policy has been attached.

   For additional information about KMS actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for Redshift

Create policy alerts for specified actions on Redshift.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

   Application Type: AWS

   Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

   Resource: Redshift

   Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
   • Text — then select a comparison from the drop-down list, and enter text in the box below.
   • Regular expression — then enter the regular expression in the box below.
   To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

5. Drop down the Action on this resource list and select an action:

   Action on this Resource    Description

   Any: Any of the available actions taken on the specified Redshift.
   Delete cluster: A Redshift cluster has been deleted.

   For additional information about Redshift actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for Route 53

Create policy alerts for specified actions on Route 53.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

   Application Type: AWS

   Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

   Resource: Route 53

   Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
   • Text — then select a comparison from the drop-down list, and enter text in the box below.
   • Regular expression — then enter the regular expression in the box below.
   To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

5. Drop down the Action on this resource list and select an action:

   Action on this Resource    Description

   Any: Any of the available actions taken on the specified Route 53 resource.
   Delete health check: A health check has been deleted.
   Delete hosted zone: A hosted zone has been deleted.
   Delete traffic policy: A traffic policy has been deleted.
   Delete traffic policy instance: A traffic policy instance has been deleted.
   Disassociate VPC from hosted zone: A VPC has been disassociated from a hosted zone.

   For additional information about Route 53 actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for Direct Connect

Create policy alerts for specified actions on Direct Connect.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

   Application Type: AWS

   Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

   Resource: Direct Connect

   Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
   • Text — then select a comparison from the drop-down list, and enter text in the box below.
   • Regular expression — then enter the regular expression in the box below.
   To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

5. Drop down the Action on this resource list and select an action:

   Action on this Resource    Description

   Any: Any of the available actions taken on the specified Direct Connect.
   Confirm connection: A connection has been confirmed.
   Create BGP peer: A BGP peer has been created.
   Create connection: A connection has been created.
   Create direct connect gateway: A Direct Connect gateway has been created.
   Delete BGP peer: A BGP peer has been deleted.
   Create interconnect: An interconnect has been created.
   Delete connection: A connection has been deleted.
   Delete direct connect gateway: A Direct Connect gateway has been deleted.
   Delete interconnect: An interconnect has been deleted.
   Describe connections: One or more connections have been described.
   Describe direct connect gateways: One or more Direct Connect gateways have been described.
   Describe interconnects: One or more interconnects have been described.

   For additional information about Direct Connect actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Creating Alerts for Elastic Search

Create policy alerts for specified actions on Elastic Search.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, specify the resource as follows:

   Application Type: AWS

   Instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

   Resource: Elastic Search

   Identify resource by name or tag: To identify the resource by its name, select Name, then select one of these options:
   • Text — then select a comparison from the drop-down list, and enter text in the box below.
   • Regular expression — then enter the regular expression in the box below.
   To identify the resource by a tag, select Tag, then enter the full tag name in the box below.

5. Drop down the Action on this resource list and select an action:

   Action on this Resource    Description

   Any: Any of the available actions taken on the specified Elastic Search domain.
   Update elastic search domain config: An Elastic Search domain configuration has been updated.

   For additional information about Elastic Search actions, see Amazon's online documentation.

6. (Optional) Click the plus sign and repeat the step above to configure additional actions for this resource.

7. Complete the alert as shown in the previous procedures.

Condition Parameters for AWS Alerts

The table below lists the parameters you can configure in the Conditions page of an AWS policy alert.

Parameter: IP address v4
Operator: Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).
Value: A comma-separated list of IPv4 addresses.

Parameter: SSH Key Used
Operator: The drop-down list determines whether you are setting a minimum, maximum, or exact value.
Value: The number of days SSH keys may be kept before rotating them.

Parameter: Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame).
Value: A value as a time in 24-hour HH:MM:SS format.

Parameter: City, State, or Country
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
Value: The name of the city, or the state or province, in the physical address that's associated with the IP address.

Parameter: Tag
Operator: Include or exclude this tag (Equal to or Not equal to). Select In or Not in if you want to enter a list of tags. You do not need to repeat a selection of Tag if you already entered tags in an earlier step.
Value: There are a few ways to specify an AWS tag:
• As a complete key:value pair for the AWS tag.
• As a single key name.
• As a comma-separated list of key names or key:value pairs. The list is treated as a logical OR.

Parameter: Recipient (or Audience)
Operator: Include or exclude this user (Contains or Does not contain).
Value: Available for AWS if on the Resources page of the policy wizard you selected S3 resources and the Share action. Takes a string that matches one or more users. For example, to flag any Box file being shared outside of mycompany.com, you can select Does not contain as the operator and type a value of mycompany.com.

Sample AWS Alerts

View sample alert data as templates for your own alerts.

Note: Unlike automatically detected risks, a policy alert does not generate a corresponding ticket in the Incidents section of the console.

Each sample below gives the Name, Description, Resource, User or Group, Condition, and Action (risk events are mandatory; email is optional) settings of the sample table.

Name: AWS: Track EC2 after hours instance termination
Description: Track any after hours (after 8:00 p.m.) termination of an EC2 instance
Resource: Type: EC2 Instance; Action: TerminateInstances; Select: Name; Regular expression: i-.*
User or Group: (leave blank)
Condition: Parameter: Timestamp; Operator: Greater than; Value: 20:00
Action: Create a risk event; Send email

Name: AWS: Track SSH key rotations
Description: Monitor rotation of AWS SSH keys
Resource: Type: EC2 Instance; Action: Any; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: Parameter: SSH Key Used; Operator: Greater than; Value: 14
Action: Create a risk event

Name: AWS: Track after hours access S3
Description: Track after hours (after 8:00 p.m.) access to S3 resources
Resource: Type: S3 Object; Action: Any; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: Parameter: Timestamp; Operator: Greater than; Value: 20:00
Action: Create a risk event

Name: AWS: Firewall - change to inbound configuration
Description: Track any change to a security group (an EC2 firewall) ingress (allowed incoming ports/protocols)
Resource: Type: EC2 SecurityGroup; Resource action: AuthorizeSecurityGroupIngress; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event

Name: AWS: Firewall - Change to outbound configuration
Description: Track any change to a security group (an EC2 firewall) egress (allowed outgoing ports/protocols)
Resource: Type: EC2 SecurityGroup; Resource action: AuthorizeSecurityGroupEgress; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event

Name: AWS: New firewall
Description: Track creation of any new security group (an EC2 firewall)
Resource: Type: EC2 SecurityGroup; Action: CreateSecurityGroup; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event

Name: AWS: New network ACL
Description: Track creation of a network ACL (VPC firewall)
Resource: Type: EC2 Network; Action: CreateNetworkAcl; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event

Name: AWS: New network ACL rule
Description: Track addition of a rule to network ACL (VPC firewall)
Resource: Type: EC2 Network; Action: CreateNetworkAclEntry; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event; Send email

Name: AWS: Delete network ACL
Description: Track deletion of a network ACL (VPC firewall)
Resource: Type: EC2 Network; Action: DeleteNetworkAcl; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event; Send email

Name: AWS: Create SAML IdP
Description: Track creation of any SAML Identity Provider (reminder to confirm that IdP has authorized access)
Resource: Type: IAM IdProvider; Action: CreateSAMLProvider; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event; Send email

Name: AWS: Delete SSH key
Description: Track deletion of any SSH key pair (possible loss of access to system resources)
Resource: Type: EC2 KeyPair; Action: DeleteKeyPair; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event; Send email

Name: AWS: Delete VPC
Description: Track deletion of virtual private cloud (VPC) because VPCs are isolated and typically low-change configurations.
Resource: Type: EC2 VPC; Action: DeleteVpc; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event; Send email

Name: AWS: Create VPC
Description: Track creation of virtual private cloud (VPC) because VPCs are isolated and typically low-change configurations.
Resource: Type: EC2 VPC; Action: CreateVpc; Select: Name; Regular expression: .*
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event; Send email
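The samples above are wizard settings; as an added example that is not part of Oracle's documentation or of the CASB product, the following Python script evaluates policies of the same shape (resource type and action, name regular expression, and ANDed Condition rows using the Timestamp, SSH Key Used, IP address v4 and Tag parameters from the condition table) over constructed CloudTrail-style events. The event field names, the Policy structure and the ssh_key_age_days field are assumptions of this example, not the CASB schema.

```python
# Added example (not Oracle's code): evaluate policy alerts of the form shown
# in the sample table above over constructed CloudTrail-style events.
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample events. Field names (including ssh_key_age_days) are this
# example's assumptions, not the CASB schema; times are 24-hour UTC.
EVENTS = [
    {"id": 1, "resource_type": "EC2 Instance", "action": "TerminateInstances",
     "resource_name": "i-0123abcd", "source_ip": "203.0.113.10",
     "time": "2020-07-01T21:15:00", "tags": {"env": "prod"}, "ssh_key_age_days": 3},
    {"id": 2, "resource_type": "EC2 Instance", "action": "TerminateInstances",
     "resource_name": "i-0fedcba9", "source_ip": "198.51.100.7",
     "time": "2020-07-01T09:30:00", "tags": {"env": "dev"}, "ssh_key_age_days": 40},
    {"id": 3, "resource_type": "EC2 Instance", "action": "RunInstances",
     "resource_name": "i-0aaaa111", "source_ip": "203.0.113.10",
     "time": "2020-07-01T22:00:00", "tags": {"env": "prod"}, "ssh_key_age_days": 21},
    {"id": 4, "resource_type": "EC2 SecurityGroup", "action": "AuthorizeSecurityGroupIngress",
     "resource_name": "sg-web", "source_ip": "192.0.2.5",
     "time": "2020-07-01T11:00:00", "tags": {}, "ssh_key_age_days": 0},
]


@dataclass
class Policy:
    """Resource-page choices plus the Conditions rows (hypothetical structure)."""
    name: str
    resource_type: str
    action: str              # "Any" or one specific action
    name_regex: str          # Identify resource by name: Regular expression
    conditions: tuple = ()   # (parameter, operator, value) triples, ANDed


def parse_hhmmss(value: str) -> time:
    """Accept the HH:MM:SS Timestamp value, or HH:MM as in the sample table."""
    parts = [int(p) for p in value.split(":")] + [0, 0]
    return time(parts[0], parts[1], parts[2])


def tag_matches(spec: str, tags: dict) -> bool:
    """Tag value: a key name, a key:value pair, or a comma-separated list of
    either; the list is treated as a logical OR, as the condition table states."""
    for entry in (e.strip() for e in spec.split(",") if e.strip()):
        if ":" in entry:
            key, value = entry.split(":", 1)
            if tags.get(key) == value:
                return True
        elif entry in tags:
            return True
    return False


def condition_holds(param: str, op: str, value: str, event: dict) -> bool:
    """Evaluate one Conditions-page row (parameter, operator, value)."""
    include = op in ("In", "Equal to")       # vs. "Not in" / "Not equal to"
    compare = {"Greater than": lambda a, b: a > b, "Less than": lambda a, b: a < b,
               "Equal to": lambda a, b: a == b}
    if param == "Timestamp":                 # time of day only, 24-hour clock
        event_tod = datetime.fromisoformat(event["time"]).time()
        return compare[op](event_tod, parse_hhmmss(value))
    if param == "SSH Key Used":              # days since the key was last rotated
        return compare[op](event["ssh_key_age_days"], int(value))
    if param == "IP address v4":
        listed = {ipaddress.ip_address(a.strip()) for a in value.split(",")}
        return (ipaddress.ip_address(event["source_ip"]) in listed) == include
    if param == "Tag":
        return tag_matches(value, event["tags"]) == include
    raise ValueError(f"unsupported parameter: {param}")


def policy_matches(policy: Policy, event: dict) -> bool:
    """Resource type, action and name regex must all match, then every
    condition must hold: conditions are ANDed (an OR needs a separate policy)."""
    if event["resource_type"] != policy.resource_type:
        return False
    if policy.action != "Any" and event["action"] != policy.action:
        return False
    if not re.fullmatch(policy.name_regex, event["resource_name"]):
        return False
    return all(condition_holds(p, o, v, event) for p, o, v in policy.conditions)


# The first three policies follow rows of the sample table; the fourth is
# constructed to show several conditions ANDed together.
SAMPLE_POLICIES = [
    Policy("AWS: Track EC2 after hours instance termination", "EC2 Instance",
           "TerminateInstances", r"i-.*", (("Timestamp", "Greater than", "20:00"),)),
    Policy("AWS: Track SSH key rotations", "EC2 Instance", "Any", r".*",
           (("SSH Key Used", "Greater than", "14"),)),
    Policy("AWS: Firewall - change to inbound configuration", "EC2 SecurityGroup",
           "AuthorizeSecurityGroupIngress", r".*"),
    Policy("Constructed: prod change after hours from an unlisted IP", "EC2 Instance",
           "Any", r".*", (("Tag", "Equal to", "env:prod"),
                          ("Timestamp", "Greater than", "20:00"),
                          ("IP address v4", "Not in", "192.0.2.5,198.51.100.7"))),
]


def run_policies(policies, events) -> dict:
    """Return {policy name: [ids of events that would raise a risk event]}."""
    return {p.name: [e["id"] for e in events if policy_matches(p, e)] for p in policies}
```

Each returned list is the set of events for which the wizard's "Create a risk event" action would fire; the constructed fourth policy only fires when all three of its conditions hold on the same event.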

Creating Policy Alerts for Azure

Create custom policies to generate alerts for actions on resources that are specific to your Azure environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Creating an Azure Policy

Follow these general steps for any policy you create to generate an alert for actions in Azure.

The following are general steps for creating an Azure policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page:

   a. Enter a name for the policy.

   b. (Optional) Enter a description.

   c. Select a Priority.

   d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

   e. Click Next.

4. On the Resource page, make these selections.

   Application type: Select Azure.

   Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

   • Creating Alerts for Virtual Networks
   • Creating Alerts for Virtual Machines
   • Creating Alerts for Storage Account Disks
   • Creating Alerts for Storage Accounts
   • Creating Alerts for Storage
   • Creating Alerts for Key Vault
   • Creating Alerts for Disks
   • Creating Alerts for Classic Virtual Networks
   • Creating Alerts for Classic Virtual Machines
   • Creating Alerts for Classic Storage Accounts
   • Creating Alerts for Azure Users

   When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

   a. In the drop-down list, select Username contains or Username does not contain.

   b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

   Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

   c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

   For information on condition parameters available for use in policy alerts for Azure, see Condition Parameters for Azure Alerts. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

   a. Click Add condition or Add Free-Form Condition.

   b. Select a Parameter, an Operator, and a Value from the drop-down lists.

   In free-form conditions, you enter values for Parameter and Value.

   c. To add another condition or free-form condition, repeat the 3 steps above.

   Note: When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

   d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

   • Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

   • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for Azure Alerts

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Azure.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for Azure.

Note: The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter: IP address v4
Operator: Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).
Value: A comma-separated list of IPv4 addresses.

Parameter: Device
Operator: Include or exclude the selected device type.
Value: Select Desktop, Mobile, API Call, or Other.

Parameter: Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).
Value: A value as a time in 24-hour HH:MM:SS format.

Parameter: CASB threat intelligence IP reputation
Operator: Equal to is the only option.
Value: To flag events from IP addresses with bad or good reputations, select:
• Suspicious for bad reputations.
• Regular for good reputations.

Parameter: City, State, or Country
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
Value: The name of the city, or the state or province, in the physical address that's associated with the IP address.

Creating Alerts for Virtual NetworksReview the actions that are available in the Resources page of the policy creationwizard when the Resource is Virtual Networks.

Prerequisite: You must start creating your new policy in Creating an Azure Policy inorder to be ready to be ready to follow the steps below to specify the resource andaction that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Virtual Networks

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Delete: The virtual network has been deleted.

Delete virtual network subnet: A subnet for the virtual network has been deleted.

Delete virtual network peering: Peering for the virtual network has been deleted.

Join: The virtual network has been joined.

Join subnet via service tunnel: A subnet for the virtual network has been joined through a service tunnel.

Peer: The virtual network has been peered.

Write: The virtual network has been written to.

Write virtual network peering: Peering for the virtual network has been written to.

Write virtual network subnet: A subnet for the virtual network has been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Virtual Machines

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Virtual Machines.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Virtual Machines

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Capture: The virtual machine has been captured.

Convert to managed disks: The virtual machine has been converted to managed disks.

Deallocate: The virtual machine has been deallocated.

Delete: The virtual machine has been deleted.

Delete extensions: One or more extensions for the virtual machine have been deleted.

Power off: The virtual machine was powered off.

Redeploy: The virtual machine has been redeployed.

Restart: The virtual machine has been restarted.

Start: The virtual machine has been started.

Write: The virtual machine has been written to.

Write extensions: One or more extensions for the virtual machine have been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Storage Account Disks

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Storage Account Disks.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Storage Account Disks

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Delete: The storage account disk has been deleted.

Write: The storage account disk has been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Storage Accounts

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Storage Account.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Storage Account

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Delete storage: The storage account has been deleted.

List keys: Keys have been listed for the storage account.

List SAS accounts: SAS accounts for the storage account have been listed.

List Service SAS: The service SAS for the storage account has been listed.

Regenerate key: A key has been regenerated for the storage account.

Register: The storage account has been registered.

Write diagnostic settings: Diagnostic settings have been written for the storage account.

Write storage: Storage has been written for the storage account.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Storage

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Storage.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Storage

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Delete virtual network or subnets: One or more virtual networks or subnets for storage have been deleted.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Key Vault

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Key Vault.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Key Vault

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Delete: The key vault has been deleted.

Read secrets: One or more secrets from the key vault have been read.

Regenerate key: A key from the key vault has been regenerated.

Write: The key vault has been written to.

Write access policy: An access policy from the key vault has been written to.

Write secrets: One or more secrets from the key vault have been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Disks

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Disks.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Disks

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Delete: The disk has been deleted.

Get SAS URI: An SAS URI for the disk has been obtained.

Revoke SAS URI: An SAS URI for the disk has been revoked.

Write: The disk has been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Classic Virtual Networks

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Classic Virtual Networks.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Classic Virtual Networks

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Delete: The classic virtual network has been deleted.

Join: The classic virtual network has been joined.

Peer: The classic virtual network has been peered.

Write: The classic virtual network has been written.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Classic Virtual Machines

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Classic Virtual Machines.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Classic Virtual Machines

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Attach disk: A disk has been attached to the classic virtual machine.

Associate NSG to a network interface: A network security group for the classic virtual machine has been associated to a network interface.

Delete: The classic virtual machine has been deleted.

Delete network security group: A network security group for the classic virtual machine has been deleted.

Delete NSG from network interface: A network security group for the classic virtual machine has been deleted from a network interface.

Detach disk: A disk has been detached from the classic virtual machine.

DownloadRemoteDesktopConnectionFile: A remote desktop connection file for the classic virtual machine has been downloaded.

Redeploy: The classic virtual machine has been redeployed.

Restart: The classic virtual machine has been restarted.

Start: The classic virtual machine has been started.

Write extensions: One or more extensions for the classic virtual machine have been written.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Classic Storage Accounts

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Classic Storage Accounts.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Classic Storage Accounts

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Delete: The classic storage account has been deleted.

List keys: Keys have been listed for the classic storage account.

Regenerate key: Keys have been regenerated for the classic storage account.

Register: The classic storage account has been registered.

Write storage: Storage has been written for the classic storage account.

Write diagnostic settings: Diagnostic settings have been written for the classic storage account.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Azure Users

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Azure AD User.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Azure AD User

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this resource, as identified in the Criteria field of the Resource page.

Failed login: The Azure AD User has attempted to log in and failed.

Login: The Azure AD User has successfully logged in.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Policy Alerts for Box

Create custom policies to generate alerts for actions on resources that are specific to your Box environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Creating a Box Policy

Follow these general steps for any policy you create to generate an alert for actions in Box.

The following are general steps for creating a Box policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Application type: Select Box.

Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Alerts for Editing Box Files

• Creating Alerts for Sharing Box Files and Folders

• Creating Alerts for Folder Sharing or Allowing Collaboration

• Creating Alerts for Unwanted Sharing and Collaboration

• Creating Alerts for Renaming or Deleting Folders in Box

• Creating Alerts for Users Whose Box Credentials Should Be Revoked

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for Box, see Condition Parameters for Box Alerts. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for Box Alerts

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Box.

When you create a policy alert for Box, you can specify these parameters in the Conditions page.

Parameter: IP address v4
Operator: Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).
Value: A comma-separated list of IPv4 addresses.

Parameter: Device
Operator: Include or exclude the selected device type.
Value: Select Desktop, Mobile, API Call, or Other.

Parameter: Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).
Value: A value as a time in 24-hour HH:MM:SS format.

Parameter: CASB threat intelligence IP reputation
Operator: Equal to is the only option.
Value: To flag events from IP addresses with bad or good reputations, select:
• Suspicious for bad reputations.
• Regular for good reputations.

Parameter: Tag
Operator: Include or exclude this tag (Equal to or Not equal to). Select In or Not in if you want to enter a list of tags.
Value: This is a single tag name or a comma-separated list of tag names. The list is treated as a logical OR. You don't need to repeat a selection of Tag if you already entered tags in an earlier step.

Parameter: File Size
Operator: Specify Equal to or Not Equal to.
Value: Enter a number, and select the units from the drop-down list.

Parameter: City, State, or Country
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
Value: The name of the city, or the state or province, in the physical address that's associated with the IP address.

Parameter: Recipient (or Audience)
Operator: Include or exclude this user (Contains or Does not contain).
Value: Available for collaborative actions (for example, sending email or sharing a file). Takes a string that matches one or more users. For example, to flag any Box file being shared outside of mycompany.com, you can select Does not contain as the operator and enter a value of mycompany.com. This parameter applies to a resource type of File and a share or unshare action, or a resource type of Folder and any collaborate, share, or unshare action.
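The evaluation rules spelled out in the wizard steps and in the Recipient row above, modelled in Python as an added example (not Oracle's code): resource name-action pairs are ORed, Username entries are tested one at a time, conditions are ANDed, and a Recipient Does not contain mycompany.com condition flags external sharing. The policy and event field names, and the sample events, are assumptions constructed for this example.

```python
# Added model of the Box policy evaluation rules described above; not Oracle's code.
# The event and policy field names are assumptions made for this example.
from dataclasses import dataclass, field
import re

# Resource name operators offered on the Resource page.
NAME_OPERATORS = {
    "Equal to": lambda pat, name: name == pat,
    "Contains": lambda pat, name: pat in name,
    "Begins with": lambda pat, name: name.startswith(pat),
    "Ends with": lambda pat, name: name.endswith(pat),
    "Regular expression": lambda pat, name: re.fullmatch(pat, name) is not None,
}

@dataclass
class ResourceAction:          # one Resource name-Action pair
    resource_type: str         # File, Folder or User
    name_operator: str         # a key of NAME_OPERATORS
    name_value: str
    action: str                # Share, Edit, Collaborate, Login, ...

@dataclass
class Condition:               # one row on the Conditions page
    parameter: str             # e.g. Recipient, Tag, Device
    operator: str              # Equal to, Not Equal to, In, Not in, Contains, Does not contain
    value: str                 # In and Not in take a comma-separated list

@dataclass
class BoxPolicy:
    resource_actions: list
    username_operator: str = ""      # "Username contains", "Username does not contain" or ""
    username_entries: list = field(default_factory=list)
    conditions: list = field(default_factory=list)

def condition_matches(cond: Condition, event: dict) -> bool:
    """Conditions page semantics; a list on either side is a logical OR, as for Tag."""
    actual = event.get(cond.parameter, "")
    wanted = {v.strip() for v in cond.value.split(",")}
    candidates = actual if isinstance(actual, list) else [actual]
    if cond.operator in ("Equal to", "In"):
        return any(c in wanted for c in candidates)
    if cond.operator in ("Not Equal to", "Not in"):
        return not any(c in wanted for c in candidates)
    if cond.operator == "Contains":
        return any(cond.value in c for c in candidates)
    if cond.operator == "Does not contain":
        return not any(cond.value in c for c in candidates)
    raise ValueError(f"unknown condition operator: {cond.operator}")

def username_filter_passes(policy: BoxPolicy, user: str) -> bool:
    """Username page: with several entries, any one entry that is contained
    (or, for 'does not contain', not contained) in the user name is enough."""
    if not policy.username_operator:
        return True
    contained = [entry in user for entry in policy.username_entries]
    if policy.username_operator == "Username contains":
        return any(contained)
    return any(not c for c in contained)

def policy_triggers(policy: BoxPolicy, event: dict) -> bool:
    """Resource name-action pairs are ORed; conditions are ANDed."""
    pair_hit = any(
        ra.resource_type == event["resource_type"]
        and ra.action == event["action"]
        and NAME_OPERATORS[ra.name_operator](ra.name_value, event["resource_name"])
        for ra in policy.resource_actions
    )
    return (pair_hit
            and username_filter_passes(policy, event["user"])
            and all(condition_matches(c, event) for c in policy.conditions))

# The Recipient example from the table: flag tax material that reaches anyone
# outside mycompany.com, whether by a file share or a folder collaboration.
EXTERNAL_TAX_SHARING = BoxPolicy(
    resource_actions=[ResourceAction("File", "Begins with", "tax_", "Share"),
                      ResourceAction("Folder", "Regular expression", ".*", "Collaborate")],
    username_operator="Username does not contain",
    username_entries=["svc-"],                  # skip the sync service account
    conditions=[Condition("Recipient", "Does not contain", "mycompany.com"),
                Condition("Tag", "In", "finance, tax")],
)

# Constructed sample events, not real Box audit records.
EVENTS = [
    {"resource_type": "File", "resource_name": "tax_2019.xlsx", "action": "Share",
     "user": "alice@mycompany.com", "Recipient": "bob@partner.example", "Tag": ["tax"]},
    {"resource_type": "File", "resource_name": "tax_2019.xlsx", "action": "Share",
     "user": "alice@mycompany.com", "Recipient": "carol@mycompany.com", "Tag": ["tax"]},
    {"resource_type": "File", "resource_name": "tax_2019.xlsx", "action": "Edit",
     "user": "alice@mycompany.com", "Recipient": "", "Tag": ["tax"]},
    {"resource_type": "Folder", "resource_name": "Year End", "action": "Collaborate",
     "user": "dave@mycompany.com", "Recipient": "eve@partner.example", "Tag": ["finance", "public"]},
    {"resource_type": "Folder", "resource_name": "Year End", "action": "Collaborate",
     "user": "svc-sync", "Recipient": "eve@partner.example", "Tag": ["finance"]},
]

def triggered_events(policy: BoxPolicy = EXTERNAL_TAX_SHARING, events=EVENTS) -> list:
    """Indexes of the events that would raise a Risk Event under the policy."""
    return [i for i, e in enumerate(events) if policy_triggers(policy, e)]
```

Only the external file share (event 0) and the external folder collaboration by a human user (event 3) raise a Risk Event; the internal share, the Edit with no matching pair, and the service-account event are filtered out.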

Creating Alerts for Editing Box Files

Create alerts for operations that edit Box files.

Prerequisite: You must start creating your new policy in Creating a Box Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

People can upload any type of file to Box, including documents with sensitive data (for example, tax reports, sales data, employee records with personally identifiable information). You can configure Oracle CASB Cloud Service to issue an alert when anyone edits a sensitive document as identified by its name, a partial name, or a Box tag.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Resource
Value: File

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
• Regular expression, enter .* to match all resource names.
As an alternative, you can identify the resource by a tag:
a. Drop down the Identify resource by name or tag list and select Tag.
b. Enter the complete tag name.
For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. For Action on this resource, select Edit.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Box Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Sharing Box Files and Folders

Create a policy to generate an alert when Box files and folders are shared.

Prerequisite: You must start creating your new policy in Creating a Box Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

You can upload any type of file to Box, including documents with sensitive data (for example, tax reports, sales data, employee records with personally identifiable information). You can configure Oracle CASB Cloud Service to issue an alert when anyone shares a sensitive document as identified by its name, a partial name, or a Box tag.

You can identify the person or group doing the sharing and who the document is being shared with (the recipient) as being a particular user, a particular domain, or outside a particular domain.

In addition, at the folder level, Box users can share folders with others and invite other people to collaborate on a folder, which gives access to files in the folder.


Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Resource
Value: File

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
• Regular expression, enter .* to match all resource names.
As an alternative, you can identify the resource by a tag:
a. Drop down the Identify resource by name or tag list and select Tag.
b. Enter the complete tag name.
For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. For Action on this resource, select Share.

You can also create an alert for an Unshare action, which can be useful if you want to ensure that particular people have access to the material.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Box Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Folder Sharing or Allowing Collaboration

Create a policy to generate an alert when a folder is shared or collaboration is allowed.

Prerequisite: You must start creating your new policy in Creating a Box Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:


Field: Resource
Value: File

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
• Regular expression, enter .* to match all resource names.
As an alternative, you can identify the resource by a tag:
a. Drop down the Identify resource by name or tag list and select Tag.
b. Enter the complete tag name.
For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. For Action on this resource, select Share or Collaborate.

You can also create an alert for an Unshare action, which can be useful if you want to ensure that particular people have access to the material.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Box Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Unwanted Sharing and Collaboration

Create a policy to trigger an alert when sharing occurs with nonsanctioned people.

Prerequisite: You must start creating your new policy in Creating a Box Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

A primary area of concern for many organizations is sharing and collaboration that occurs with nonsanctioned people. For example, your Tax group may want to only share year-end data files among themselves.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:


Field: Resource
Value: File

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
• Regular expression, enter .* to match all resource names.
As an alternative, you can identify the resource by a tag:
a. Drop down the Identify resource by name or tag list and select Tag.
b. Enter the complete tag name.
For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. For Action on this resource, select Share.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Box Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Renaming or Deleting Folders in Box

Create a policy to trigger an alert when a folder is renamed or deleted.

Prerequisite: You must start creating your new policy in Creating a Box Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

There are numerous folder activities that you can monitor. Some of the folder activities are similar to the file activities described in Creating Alerts for Editing Box Files.

If you want to maintain a consistent folder structure in Box, then you can configure a policy alert to be notified when someone changes a folder name or deletes a folder.


Note:

If you select Any as the resource type or a common action such as Preview, then you may trigger more alerts than you intended. However, this can be manageable if you filter the alert by user or group, or add other conditions in later pages of this wizard.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Resource
Value: Folder

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
• Regular expression, enter .* to match all resource names.
As an alternative, you can identify the resource by a tag:
a. Drop down the Identify resource by name or tag list and select Tag.
b. Enter the complete tag name.
For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. For Action on this resource, select Rename or Delete.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Box Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Users Whose Box Credentials Should Be Revoked

Create a policy to generate an alert for activity by a user whose Box credentials should be revoked.


Prerequisite: You must start creating your new policy in Creating a Box Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

You can monitor for Box activity on the part of a particular user. For example, employees who have left the organization should no longer have access to their Box account. However, sometimes accounts are left open, in which case you need to know if someone hijacks the dormant account.

Note:

You currently must revoke these users manually. Unlike automatically detected risks, a policy alert doesn't generate a corresponding ticket in the Incidents section of the console.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Resource
Value: User

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
• Regular expression, enter .* to match all resource names.
As an alternative, you can identify the resource by a tag:
a. Drop down the Identify resource by name or tag list and select Tag.
b. Enter the complete tag name.
For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. For Action on this resource, select Login or Failed Login.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.


5. Return to Creating a Box Policy and finish the steps to complete your policy alert, resuming at step 6.

Parameters for Sample Box Alerts

View sample alert data that you can use as templates for your own alerts.

Note:

Unlike automatically detected risks, a policy alert doesn't generate a corresponding ticket in the Incidents section of the console.

Each sample alert below lists its Name, Description, Resource, User or Group, Condition, and Action (risk events are mandatory; email is optional).

Name: Box: Download protected files
Description: Track any downloads of files that match protected names (medical_research, pharma_research).
Resource: Type: File; Action: Download
User or Group: Optional filter for user or group performing the action.
Condition: (leave blank)
Action: Create a risk event; send email

Name: Box: Accept invitation to collaborate (external sharing) for protected folder
Description: Track when someone accepts an invitation to collaborate for a sensitive folder (example: My Sensitive Folder).
Resource: Type: Folder; Action: Collaboration accept
User or Group: (leave blank)
Condition: Optionally, you can set something like the following: Parameter: Audience; Condition: Does not contain; Value: Some example values would be an acceptable email domain or a particular alias to exclude everyone except these recipients.
Action: Create a risk event

Name: Box: Send invitation to collaborate (external sharing) for protected folder
Description: Track when someone sends an invitation to collaborate for a sensitive folder (example: My Sensitive Folder).
Resource: Type: Folder; Action: Collaboration invite
User or Group: Optional filter for user or group performing the action.
Condition: Optionally, you can set something like the following: Parameter: Audience; Condition: Does not contain; Value: Some example values would be an acceptable email domain or a particular alias to exclude everyone except these recipients.
Action: Create a risk event

Name: Box: Change of an external collaborator's permissions
Description: Track all changes to an external collaborator's role (permissions).
Resource: Type: Folder; Action: Collaboration role change
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event

Name: Box: Change of an external collaborator's permissions for a sensitive folder
Description: Track all changes to an external collaborator's role (permissions) for a sensitive folder (example: My Sensitive Folder).
Resource: Type: Folder; Action: Collaboration role change
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event

Name: Box: Copy a sensitive folder and its contents
Description: Track whenever someone copies a sensitive folder and its contents.
Resource: Type: Folder; Action: Copy
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event; send email

Name: Box: Copy one of several folders matching one of several names
Description: Track copying one of several folders matching one of a series of names (My Legal Folder, My Medical Folder, or My Finance Folder) where the names of the folders use a similar structure.
Resource: Type: Folder; Action: Copy
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event; send email

Name: Box: Locked folder
Description: Track when a sensitive folder (example: my-sensitive-folder) is locked (preventing changes to its files and the folder).
Resource: Type: Folder; Action: Lock
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event

Name: Box: Renamed folder
Description: Track when a sensitive folder (example: my-sensitive-folder) is renamed (violation of standards).
Resource: Type: Folder; Action: Rename
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event

Name: Box: Renamed folder group
Description: Track when any of several sensitive folders (example: My Legal Folder, My Finance Folder, My HR Folder) is renamed (violation of standards).
Resource: Type: Folder; Action: Rename
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event

Name: Box: Sharing a sensitive folder within the organization
Description: Track internal sharing of my-sensitive-folder.
Resource: Type: Folder; Action: Share
User or Group: (leave blank)
Condition: (leave blank)
Action: Create a risk event; send email

Name: Box: Alert when a particular user logs in
Description: Track access by a user who should no longer have access.
Resource: Type: User; Action: Login
User or Group: (leave blank)
Condition: Set the IP address of concern.
Action: Create a risk event; send email

Creating Policy Alerts for Discovered Applications

Create custom policies to generate alerts for actions on resources that are specific to discovered applications.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Creating a Policy for Discovered Applications

Follow these general steps for any policy you create to generate an alert for actions in discovered applications.

Oracle CASB Cloud Service displays an alert in Risk Events whenever an event occurs that matches the policy conditions.

The following are the general steps for creating a policy for discovered applications that generates an alert whenever an event occurs that matches the policy conditions. Oracle CASB Cloud Service displays all alerts in Risk Events. Optionally, you can also choose to receive an email notification.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Field: Application type
Value(s): Select Discovery.

Field: Application instance
Value(s): Leave the selection as Any. There can only be one instance of App Discovery in an Oracle CASB Cloud Service tenant.

5. Specify resource details and actions.

a. Specify Resource details, using the information in the table below:

Field: Resource
Value(s): The tag for the type of discovered application you want to monitor:
• Sanctioned — applications like this are officially sanctioned and should be available to all users.
• Permitted — applications like this are not officially sanctioned, but are permitted when a user or group has asked to use the application and the request has been approved.
• Restricted — applications like this are restricted to use by only specific individuals.
• Prohibited — applications like this should never be used by anyone in the organization.
• Irrelevant — applications like common websites or an advertisement that can be excluded from a security analysis.

Field: Resource name
Value(s): You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
• Regular expression, enter .* to match all resource names.

b. Specify an Action on the resource using the table below:

Action on this resource: Any
Description: Matches any action.

Action on this resource: Tag
Description: The only option available. Selecting this has the same effect as selecting Any.

c. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

d. Click Next when you have finished specifying resource name-action pairs.


You are now on the Username page.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for discovered applications, see Condition Parameters for Discovered Applications. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for Discovered Applications

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for applications discovered in Oracle CASB Cloud Service – Discovery.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for discovered applications.


Field: Resource
Value(s): The type of object you want to monitor.

Field: Resource name
Value(s): In this field, you restrict Oracle CASB Cloud Service's alerts to resources with a particular name or partial name.

Field: Action on this resource
Value(s): Leave the selection as Any. The alert will be triggered if the resource is discovered.

Creating Policy Alerts for GitHub

Create custom policies to generate alerts for actions on resources that are specific to your GitHub environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Policies let you identify user behaviors that you want to be alerted about. In addition to automatically detecting suspicious behaviors within GitHub, you can configure Oracle CASB Cloud Service to generate alerts for particular resources and actions in GitHub.

• Creating a GitHub Policy provides general instructions for creating a policy alert for any GitHub component. Start creating your GitHub policy here.

• Condition Parameters for GitHub describes the condition parameters that are shared by alerts for all of the GitHub components.

Creating a GitHub Policy

Follow these general steps for any policy you create to generate an alert for actions in GitHub.

The following are general steps for creating a GitHub policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.


Field | Value(s)

Application type | Select GitHub.

Application instance | The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Alerts for GitHub Organization Activity

• Creating Alerts for GitHub Team Activity

• Creating Alerts for GitHub Repository Activity

• Creating Alerts for GitHub Account Activity

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for GitHub, see Condition Parameters for GitHub. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:


• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for GitHub

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for GitHub.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for GitHub.

Parameter | Operator | Value

Device | Include or exclude the selected device type. | Select Desktop, Mobile, API Call, or Other.

Timestamp | The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT). | A value as a time in 24-hour HH:MM:SS format.

City, State, or Country | Equal to requires matching the name you enter in Value. Not Equal to requires not matching the name you enter in Value. In requires matching any one of several names you enter in Value. Not in requires matching none of several names you enter in Value. | The name of the city, or the state or province, in the physical address that's associated with the IP address.

Creating Alerts for GitHub Organization Activity

Create alerts related to GitHub organizations, including creating them, inviting members, and canceling invitations.

Prerequisite: You must start creating your new policy in Creating a GitHub Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field | Value

Resource | Organization

Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name. If you select Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource | Description

Any | Select the action to trigger an alert. If you select Any, then this may produce more alerts than is practical. You can reduce the number of alerts by setting filters in later pages of this wizard.

Blocked user from an organization | A user was blocked from an organization.

Invitation to organization canceled | An invitation to an organization was canceled.

Member added to organization | A member was added to an organization.

Member invited to join organization | A member was invited to join an organization.

Member removed from an organization | A member was removed from an organization.

Member updated in an organization | A member's details were updated in an organization.

Organization created | A new organization was created.

Unblocked user from an organization | A user was unblocked from an organization.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a GitHub Policy and finish the steps to complete your policy alert, resuming at step 6.
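How the selections from Creating a GitHub Policy and the resource name-action pairs in steps 1 to 3 above combine when an event is evaluated, as an added example (illustrative code, not Oracle CASB Cloud Service code): name-action pairs are ORed, the Username filter and every Condition are ANDed, and Timestamp is compared in GMT. The event field names, the operator labels Include/Exclude for Device and Equal to/Later than/Earlier than for Timestamp, case-sensitive name matching, and the sample policy and events are all assumptions made for the example.

```python
"""
Illustrative model of how the GitHub policy wizard's selections combine when an event
is evaluated. Added example, not Oracle CASB Cloud Service code: the event field names,
the operator labels for Device and Timestamp, case-sensitive name matching, and the
sample policy and events are assumptions made for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


def name_matches(operator: str, pattern: str, name: str) -> bool:
    """Resource name operators offered on the Resource page (evaluated lazily)."""
    return {"Equal to": lambda: name == pattern,
            "Contains": lambda: pattern in name,
            "Begins with": lambda: name.startswith(pattern),
            "Ends with": lambda: name.endswith(pattern),
            "Regular expression": lambda: re.fullmatch(pattern, name) is not None}[operator]()

def username_matches(mode: str, entries: str, user: str) -> bool:
    """Username page: comma-separated entries; any one deciding entry triggers."""
    needles = [e.strip() for e in entries.split(",") if e.strip()]
    if mode == "Username contains":
        return any(n in user for n in needles)
    if mode == "Username does not contain":
        return any(n not in user for n in needles)
    raise ValueError(f"unknown username filter: {mode}")

def condition_holds(param: str, operator: str, value: str, event: dict) -> bool:
    """One row of the Conditions page checked against one event."""
    if param == "Device":  # Desktop, Mobile, API Call or Other; Include/Exclude labels assumed
        same = event["device"] == value
        return same if operator == "Include" else not same
    if param == "Timestamp":  # HH:MM:SS, evaluated in GMT as documented
        utc = datetime.fromisoformat(event["timestamp"]).astimezone(timezone.utc)
        clock = utc.strftime("%H:%M:%S")  # fixed width, so string order is time order
        return {"Equal to": clock == value, "Later than": clock > value,
                "Earlier than": clock < value}[operator]
    if param in ("City", "State", "Country"):
        actual, names = event[param.lower()], [v.strip() for v in value.split(",")]
        return {"Equal to": actual == value, "Not Equal to": actual != value,
                "In": actual in names, "Not in": actual not in names}[operator]
    raise ValueError(f"unknown condition parameter: {param}")

@dataclass
class Policy:
    application_type: str  # Resource page: Application type
    resource: str  # Organization, Team, Repository or Account
    pairs: list[tuple[str, str, str]]  # (name operator, name value, action); ORed
    username_filter: tuple[str, str] | None = None  # (mode, comma-separated entries)
    conditions: list[tuple[str, str, str]] = field(default_factory=list)  # ANDed

def policy_matches(policy: Policy, event: dict) -> bool:
    """True when the event would add an alert to Risk Events under this policy."""
    if (event["application_type"], event["resource"]) != (policy.application_type, policy.resource):
        return False
    if not any(name_matches(op, val, event["resource_name"]) and act in ("Any", event["action"])
               for op, val, act in policy.pairs):
        return False
    if policy.username_filter and not username_matches(*policy.username_filter, event["user"]):
        return False
    return all(condition_holds(p, o, v, event) for p, o, v in policy.conditions)

def alerting_events(policies: list[Policy], events: list[dict]) -> list[tuple[str, str, str]]:
    """(resource name, action, user) of each event matched by at least one policy.
    Conditions that must be ORed go into separate policies, as the Note in step 7 says."""
    return [(e["resource_name"], e["action"], e["user"])
            for e in events if any(policy_matches(p, e) for p in policies)]

def ev(name: str, action: str, user: str, device: str, timestamp: str, country: str) -> dict:
    """Constructed GitHub repository event in the shape the model expects (not real data)."""
    return {"application_type": "GitHub", "resource": "Repository", "resource_name": name,
            "action": action, "user": user, "device": device, "timestamp": timestamp,
            "country": country}

# Constructed policy: access-type changes on any payments- repository, or destruction of any
# repository, by contractor/vendor accounts via the API, outside North America, before 06:00 GMT.
EXAMPLE_POLICY = Policy(
    application_type="GitHub", resource="Repository",
    pairs=[("Begins with", "payments-", "Repository access type changed"),
           ("Regular expression", ".*", "Repository destroyed")],
    username_filter=("Username contains", "contractor, vendor"),
    conditions=[("Device", "Include", "API Call"), ("Country", "Not in", "United States, Canada"),
                ("Timestamp", "Earlier than", "06:00:00")],
)

SAMPLE_EVENTS = [  # the comment on each event gives its outcome under EXAMPLE_POLICY
    ev("payments-service", "Repository access type changed", "contractor.jane", "API Call",
       "2020-07-13T23:15:00-03:00", "Brazil"),  # 02:15 GMT: alert
    ev("docs-site", "Repository destroyed", "admin.bob", "API Call",
       "2020-07-14T01:00:00+00:00", "Brazil"),  # Username filter fails
    ev("payments-api", "Repository forked", "vendor.sam", "API Call",
       "2020-07-14T01:00:00+00:00", "Brazil"),  # no name-action pair matches
    ev("payments-api", "Repository access type changed", "vendor.sam", "API Call",
       "2020-07-14T10:00:00+02:00", "Brazil"),  # 08:00 GMT: Timestamp condition fails
]
```

alerting_events takes a list of policies, so two conditions that must be ORed are expressed as two Policy objects, which is the separate-policy-per-condition approach the Note in step 7 describes. The sample events produce one alert and three near misses, each failing on a different part of the policy, which is a useful way to check a new policy against the kinds of events you expect before enabling it.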

Creating Alerts for GitHub Team Activity

Create alerts related to GitHub teams, including creating and deleting them, and adding and removing members.

Prerequisite: You must start creating your new policy in Creating a GitHub Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field | Value

Resource | Team

Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name. If you select Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource | Description

Any | Matches any action.

Member added to a team | A member was added to a team.

Member removed from a team | A member was removed from a team.

Team created | A new team was created.

Team destroyed | A team was destroyed.

Team edited | Details of a team were edited.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a GitHub Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for GitHub Repository Activity

Create alerts for GitHub repositories, including creating and deleting branches, tags, and repositories, accessing repositories, and other actions.

Prerequisite: You must start creating your new policy in Creating a GitHub Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

You can refine the alerts by users and groups who perform these activities.

Oracle CASB Cloud Service also provides a default template for a repository alert. It's disabled until you enable it. This is a broad policy, so you can use it as a template but you probably will want to make it more restrictive.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field | Value

Resource | Repository

Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name. If you select Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource | Description

Any | Matches any action.

Branch created in a repository | A branch is created in the repository.

Branch destroyed from a repository | A branch is removed from the repository.

Comment on pull request is created, edited, or deleted in a repository | A comment has been created, edited, or deleted on a pull request in the repository.

Commit comment created in a repository | A comment has been created on a commit in the repository.

Issue assigned in a repository | An issue is assigned in the repository.

Issue closed in a repository | An issue is closed in the repository.

Issue created in a repository | An issue is created in the repository.

Issue demilestoned in a repository | Milestones of an issue are removed in the repository.

Issue edited in a repository | An issue is edited in the repository.

Issue labeled in a repository | A label is applied to an issue in the repository.

Issue milestoned in a repository | Milestones are added to an issue in the repository.

Issue opened in a repository | An issue is opened in the repository.

Issue reopened in a repository | An issue is reopened in the repository.

Issue unassigned in a repository | The assignee for an issue is removed.

Issue unlabeled in a repository | The label for an issue is removed.

Member added to repository | A new member is added to the repository.

Member permission updated in a repository | A member's permission in the repository is updated.

Member removed from repository | A member is removed from the repository.

Milestone created, closed, opened, edited, or deleted in a repository | A milestone is created, closed, opened, edited, or deleted.

Project card created, updated, moved, converted to an issue, or deleted in a repository | A project card is created, updated, moved, converted to an issue, or deleted in a repository.

Project column created, updated, moved, or deleted in a repository | The project column is created, updated, moved, or deleted.

Project created, updated, closed, reopened, or deleted in a repository | A project is created, updated, closed, reopened, or deleted.

Pull from a repository | A pull action occurred.

Pull request review is submitted, edited, or dismissed in a repository | A pull request review is submitted, edited, or dismissed.

Push to repository | A push action occurred.

Repository access type changed | Access Type for the repository is changed.

Repository created | A new repository is created.

Repository destroyed | A repository is destroyed.

Repository forked | A repository is forked.

Repository issue comment is created, edited, or deleted | A comment on an issue in the repository is created, edited, or deleted.

Repository label created, edited, or deleted | A label on the repository is created, edited, or deleted.

Repository renamed | A repository is renamed.

Tag created under repository | A tag under the repository is created.

Tag destroyed from a repository | A tag from the repository is destroyed.

Team added to repository | A team is added to a repository.

Team removed from repository | A team is removed from a repository.

Wiki page updated | A wiki page is updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.


You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a GitHub Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for GitHub Account Activity

Create alerts related to any change in GitHub account activity.

Prerequisite: You must start creating your new policy in Creating a GitHub Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field | Value

Resource | Account

Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name. If you select Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource | Description

Any | Select the action to trigger an alert. If you select Any, then this may produce more alerts than is practical. You can reduce the number of alerts by setting filters in later pages of this wizard.

Billing information change | Billing information in the account has changed.

Marketplace plan canceled | A marketplace plan is canceled.

Marketplace plan changed | A marketplace plan is changed.

Marketplace plan purchased | A marketplace plan is purchased.

Payment method update | A payment method is updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.


You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a GitHub Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Policy Alerts for Google for Work

Create custom policies to generate alerts for actions on resources that are specific to your Google for Work environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Policies let you identify user behaviors that you want to be alerted for. In addition to automatically detecting suspicious behaviors within GoogleApps, you can configure Oracle CASB Cloud Service to generate alerts for particular resources and actions in Google for Work.

• Creating a Google for Work Policy provides general instructions for creating a policy alert to monitor any GoogleApps resource. Start creating your Google for Work policy here.

• Condition Parameters for Google for Work describes the condition parameters that are shared by alerts for all of the Google for Work resources.

Depending on the resource you select to monitor for actions that should trigger an alert, locate the specific topic for the Google for Work resource you want to monitor in one of the sections that follow.

Creating a Google for Work Policy

Follow these general steps for any policy you create to generate an alert for actions in Google for Work.

The following are general steps for creating a Google for Work policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.


b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Field | Value(s)

Application type | Select GoogleApps.

Application instance | The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Alerts for Granting Access to New Mobile Devices

• Creating Alerts for Sharing Content and Calendars

• Creating Alerts for Administrator Actions

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for Google for Work, see Condition Parameters for Google for Work. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.


Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for Google for Work

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Google for Work.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for Google for Work.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter | Operator | Value

IP address v4 | Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to). | A comma-separated list of IPv4 addresses.

Timestamp | The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT). | A value as a time in 24-hour HH:MM:SS format.

Recipients | Include or exclude this user (Contains or Not Contains). | This option applies to the person or group that a resource is shared with. For example, to prevent sharing outside of example.com, you would select Not Contains and then enter example.com.

City, State, or Country | Equal to requires matching the name you enter in Value. Not Equal to requires not matching the name you enter in Value. In requires matching any one of several names you enter in Value. Not in requires matching none of several names you enter in Value. | The name of the city, or the state or province, in the physical address that's associated with the IP address.

Creating Alerts for Granting Access to New Mobile Devices

Create a policy that generates an alert when someone installs a Google Apps Device policy on a new mobile device.

If your organization requires users to install Google's Device Policy app on their devices, then this enables your administrators to enforce security controls and policies on these devices (for example, device password strength, device password length, and the ability to do a device wipe).

You can create a policy that generates an alert when someone installs a Google Apps Device policy on a new mobile device.

When Oracle CASB Cloud Service detects an event in the cloud that matches the policy, Oracle CASB Cloud Service updates the Policy Alerts count in the Dashboard (both the global and instance-specific Health Summary widgets). Oracle CASB Cloud Service also generates an entry in the Risk Events page. The alert describes the affected resource, the person or agent that performed the action, and additional data gleaned from the application's own event logs.

Prerequisite: You must start creating your new policy in Creating a Google for Work Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field | Value

Resource | Mobile

Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name. If you select Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource | Description

Any | Matches any action. The only action available is User added device.


3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Google for Work Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Sharing Content and Calendars

Create alerts for Google Apps content and calendars that are shared.

You can create alerts related to sharing Google Apps content and calendar information, for example:

• Sharing an organization's calendar publicly. For example, you can be alerted if someone shares your organization's or department's calendar publicly.

• Sharing sensitive files and folders from Google Drive with people outside of an authorized work group or organization.

When Oracle CASB Cloud Service detects an event in the cloud that matches the policy, Oracle CASB Cloud Service updates the Policy Alerts count in the Dashboard (both the global and instance-specific Health Summary widgets). Oracle CASB Cloud Service also generates an entry in the Risk Events page. The alert describes the affected resource, the person or agent that performed the action, and additional data taken from the application's own event logs.

Prerequisite: You must start creating your new policy in Creating a Google for Work Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:


Field | Value

Resource | Select one of the following:
• Drive. Select this option if you want to monitor for sharing particular files and folders on Drive. Note: Google Drive information on files and folders is only monitored for administrator users.
• Calendar. Select this option if you want to monitor for sharing a calendar.

Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name. If you select Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

If you selected Drive as the Resource type, use this table to specify the Action:

Action on this resource | Description

Any | Matches any action.

Publicly Shared | The drive was shared publicly.

Shared content with external user | Content from the drive was shared with an external user.

If you selected Calendar as the Resource type, use this table to specify the Action:

Action on this resource | Description

Any | Matches any action. The only option available is Publicly Shared.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Google for Work Policy and finish the steps to complete your policy alert, resuming at step 6.
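The Recipients condition from Condition Parameters for Google for Work applied to the Drive and Calendar actions above, as an added example (illustrative code, not Oracle CASB Cloud Service code). It models Contains and Not Contains as a substring test on the recipient address and treats a publicly shared resource as having an empty recipient; the event layout, that treatment, and the sample share events are assumptions made for the example.

```python
"""
Illustrative model of the Recipients condition on a Google for Work sharing policy.
Added example, not Oracle CASB Cloud Service code: the event fields, the substring
semantics of Contains/Not Contains, and the empty recipient for a public share are
assumptions made for the example.
"""
from __future__ import annotations


def recipients_condition(operator: str, value: str, recipient: str) -> bool:
    """Contains / Not Contains, modelled as a plain substring test on the address."""
    if operator == "Contains":
        return value in recipient
    if operator == "Not Contains":
        return value not in recipient
    raise ValueError(f"unknown Recipients operator: {operator}")


def sharing_alerts(policy: dict, events: list[dict]) -> list[tuple[str, str, str]]:
    """(resource name, action, recipient) for each share event the policy alerts on.

    policy = {"resource": "Drive" or "Calendar",
              "action": an action from the tables above, or "Any",
              "recipients": (operator, value)}
    The Resource and Action selections are ANDed with the Recipients condition.
    """
    operator, value = policy["recipients"]
    hits = []
    for event in events:
        if event["resource"] != policy["resource"]:
            continue  # a Calendar share is matched by a separate Calendar policy
        if policy["action"] not in ("Any", event["action"]):
            continue
        recipient = event.get("recipient", "")  # public share: no address (assumed)
        if recipients_condition(operator, value, recipient):
            hits.append((event["resource_name"], event["action"], recipient))
    return hits


# The documented example: alert on Drive content shared with anyone outside example.com.
EXTERNAL_SHARE_POLICY = {
    "resource": "Drive",
    "action": "Any",
    "recipients": ("Not Contains", "example.com"),
}

# Constructed sample share events (not real audit data); the comments give the outcome.
SAMPLE_SHARES = [
    {"resource": "Drive", "resource_name": "Q3 payroll.xlsx",
     "action": "Shared content with external user", "recipient": "alice@example.com"},  # internal
    {"resource": "Drive", "resource_name": "Q3 payroll.xlsx",
     "action": "Shared content with external user", "recipient": "bob@mail.test"},  # alert
    {"resource": "Drive", "resource_name": "Board deck.pptx",
     "action": "Publicly Shared"},  # alert: an empty recipient does not contain the domain
    {"resource": "Drive", "resource_name": "Vendor list.csv",
     "action": "Shared content with external user", "recipient": "carol@notexample.com"},  # no alert
    {"resource": "Calendar", "resource_name": "Engineering",
     "action": "Publicly Shared"},  # other Resource type: needs its own policy
]
```

The notexample.com event shows the precision limit of a substring operator: its address contains the text example.com, so the Not Contains policy stays silent on it. Keep the value as specific as the operator allows and treat the resulting alerts as a signal to review rather than a complete inventory of external shares. A Calendar share needs a second policy with Resource set to Calendar, because the Resource selection is part of the match.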


Creating Alerts for Administrator Actions

Create a policy that generates an alert when administrative actions are taken on a resource.

When Oracle CASB Cloud Service detects an event in the cloud that matches the policy, Oracle CASB Cloud Service updates the Policy Alerts count in the Dashboard (both the global and instance-specific Health Summary widgets). Oracle CASB Cloud Service also generates an entry in the Risk Events page. The alert describes the affected resource, the person or agent that performed the action, and additional data gleaned from the application's own event logs.

Prerequisite: You must start creating your new policy in Creating a Google for Work Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Value

Resource: Select a resource that ends with Setting or Settings.

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial rule name.

• Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

Action on this resource: Description

Any: Matches any action. The only action available is User added device.

Add...: Specified setting was added.

Add nickname: A nickname was added for a user. (For User settings only.)

Alert receivers changed: Alert receivers were changed. (For Domain settings only.)

Alert status changed: Alert status was changed. (For Domain settings only.)

Allow ASP without 2sv: An ASP was allowed without two-step verification. (For Security settings only.)

Allow service for oauth2 access: Service was allowed for OAUTH2 access. (For Security settings only.)

Assign role: A role was assigned. (For Delegated admin settings only.)

Authorize api access: API access was authorized. (For Domain settings only.)

Bulk upload: A bulk upload of users was made. (For User settings only.)

Bulk upload notification sent: Notification of a bulk upload of users was sent. (For User settings only.)

Change...: Specified setting was changed.

Create...: Specified setting was created.

Create role: A role was created. (For Delegated admin settings only.)

Delete...: Specified setting was deleted.

Disallow service for oauth2 access: Service was disallowed for OAUTH2 access. (For Security settings only.)

Download userlist csv: A user list was downloaded to a CSV file. (For User settings only.)

Edit...: Specified setting was edited.

Enable...: Specified setting was enabled.

Generate...: Specified setting was generated.

Gmail reset user: A Gmail user reset occurred. (For User settings only.)

Mail routing destination added: A mail routing destination was added. (For User settings only.)

Mail routing destination removed: A mail routing destination was removed. (For User settings only.)

Mobile device approved: A mobile device was approved. (For Mobile settings only.)

Mobile device block: A mobile device was blocked. (For Mobile settings only.)

Mobile device cancel wipe then approve: A mobile device wipe was canceled, then the device was approved. (For Mobile settings only.)

Mobile device cancel wipe then block: A mobile device wipe was canceled, then the device was blocked. (For Mobile settings only.)

Mobile device delete: A mobile device wipe was deleted. (For Mobile settings only.)

Mobile device wipe: A mobile device was wiped. (For Mobile settings only.)

Move...: Specified setting was moved.

Move user to org unit: A user was moved into an organization unit. (For User settings only.)

Mx record verification claim: A record verification claim was made. (For Domain settings only.)

Org all license auto assign: An organization was set to autoassign licenses to its members. (For License settings only.)

Org all users license assignment: All users in an organization were assigned a license. (For License settings only.)

Org license revoke: A license was revoked for all users in an organization. (For License settings only.)

Regenerate...: Specified setting was regenerated.

Remove...: Specified setting was removed.

Rename...: Specified setting was renamed.

Resend user invite: A user invite was resent. (For User settings only.)

Revoke...: Specified setting was revoked.

Toggle...: Specified setting was toggled.

Transfer document ownership: Ownership of a document was transferred. (For Docs settings only.)

Unassign role: A role was unassigned. (For Delegated admin settings only.)

Update...: Specified setting was updated.

Upload...: Specified setting was uploaded.

User license assignment: User license was assigned. (For License settings only.)

User license reassignment: User license was reassigned. (For License settings only.)

User license revoke: User license was revoked. (For License settings only.)

Verify...: Specified setting was verified.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Google for Work Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Policy Alerts for Office 365

Create custom policies to generate alerts for actions on resources that are specific to your Office 365 environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Policies let you identify user behaviors that you want to be alerted for. In addition to automatically detecting suspicious behaviors within Office 365, you can configure Oracle CASB Cloud Service to generate alerts for particular resources and actions in Office 365.

• Creating an Office 365 Policy provides general instructions for creating a policy alert for any Office 365 component. Start creating your Office 365 policy here.

• Condition Parameters for Office 365 describes the condition parameters that are shared by alerts for all of the Office 365 components.

Exchange, SharePoint and OneDrive, and Active Directory each have their own specific configurations, based on the resource you select to monitor for actions that should trigger an alert.

Creating an Office 365 Policy

Follow these general steps for any policy you create to generate an alert for actions in Office 365.

The following are general steps for creating an Office 365 Exchange Online policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Field: Value(s)

Application type: Select Office365.

Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Policy Alerts for Office 365 Exchange Online

• Creating Policy Alerts for Office 365 SharePoint and OneDrive

• Creating Policy Alerts for Office 365 Azure Active Directory

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for Office 365, see Condition Parameters for Office 365. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.
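The matching rules this chapter describes for both the Google for Work and Office 365 wizards can be summarized in a small model: several resource name-action pairs are ORed, the comma-separated entries on the Username page are ORed, and the rows on the Conditions page are ANDed. The following Python is an added, hypothetical illustration of those rules, not Oracle CASB Cloud Service code; the Timestamp operator labels ("Later than", "Earlier than") and the sample events are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical model of the policy-wizard matching rules described in this
# chapter, written for this example; it is not Oracle CASB Cloud Service code.

NameMatcher = Callable[[str], bool]


def text_matcher(operator: str, value: str) -> NameMatcher:
    """Resource name entered as Text: Equal to, Contains, Begins with, Ends with."""
    ops = {
        "Equal to": lambda name: name == value,
        "Contains": lambda name: value in name,
        "Begins with": lambda name: name.startswith(value),
        "Ends with": lambda name: name.endswith(value),
    }
    return ops[operator]


def regex_matcher(pattern: str) -> NameMatcher:
    """Resource name entered as a Regular expression; '.*' matches every name."""
    compiled = re.compile(pattern)
    return lambda name: compiled.fullmatch(name) is not None


@dataclass
class Policy:
    # Resource page: (name matcher, action) pairs; the alert fires when ANY
    # pair matches, and the action "Any" matches every action.
    pairs: List[Tuple[NameMatcher, str]]
    # Username page: ("contains" | "does not contain", "entry1, entry2").
    username_filter: Optional[Tuple[str, str]] = None
    # Conditions page: (parameter, operator, value) triples; ALL must hold.
    conditions: List[Tuple[str, str, str]] = field(default_factory=list)


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def username_ok(flt: Optional[Tuple[str, str]], user: str) -> bool:
    """Any one entry contained (or, for 'does not contain', not contained) triggers."""
    if flt is None:
        return True
    mode, value = flt
    if mode == "contains":
        return any(entry in user for entry in _csv(value))
    return any(entry not in user for entry in _csv(value))


def condition_holds(cond: Tuple[str, str, str], event: Dict[str, str]) -> bool:
    """Evaluate one Conditions-page row against an event."""
    parameter, operator, value = cond
    actual = event[parameter]
    if parameter == "IP address v4":
        listed = {ipaddress.IPv4Address(a) for a in _csv(value)}
        inside = ipaddress.IPv4Address(actual) in listed
        return inside if operator in ("In", "Equal to") else not inside
    if parameter == "Timestamp":
        # HH:MM:SS in GMT; zero-padded strings compare correctly as text.
        # "Later than" / "Earlier than" are assumed operator labels.
        if operator == "Later than":
            return actual > value
        if operator == "Earlier than":
            return actual < value
        return actual == value
    # Device, CASB threat intelligence IP reputation, City/State/Country.
    inside = actual in set(_csv(value))
    return inside if operator in ("Equal to", "In") else not inside


def policy_matches(policy: Policy, event: Dict[str, str]) -> bool:
    """Pairs are ORed; the username filter and every condition are ANDed."""
    pair_hit = any(
        match(event["resource_name"]) and action in ("Any", event["action"])
        for match, action in policy.pairs
    )
    return (pair_hit
            and username_ok(policy.username_filter, event["user"])
            and all(condition_holds(c, event) for c in policy.conditions))


# Constructed sample events (illustrative values, not real log data).
EVENTS = {
    "role_add": {"resource_name": "Organization Management", "action": "Add",
                 "user": "alice@example.com", "IP address v4": "203.0.113.7",
                 "Device": "Desktop", "Timestamp": "02:15:00",
                 "CASB threat intelligence IP reputation": "Suspicious"},
    "role_remove": {"resource_name": "Help Desk", "action": "Remove",
                    "user": "svc-admin@example.com", "IP address v4": "198.51.100.4",
                    "Device": "API Call", "Timestamp": "14:00:00",
                    "CASB threat intelligence IP reputation": "Regular"},
}


def demo() -> Dict[str, bool]:
    """Two ORed pairs, a username filter, and two ANDed conditions."""
    policy = Policy(
        pairs=[(regex_matcher(".*"), "Add"), (text_matcher("Contains", "Help"), "Remove")],
        username_filter=("contains", "alice, bob"),
        conditions=[("Device", "Equal to", "Desktop"),
                    ("CASB threat intelligence IP reputation", "Equal to", "Suspicious")],
    )
    return {name: policy_matches(policy, event) for name, event in EVENTS.items()}
```

In the demo the second event matches a resource-action pair but fails the username filter, which is why a single policy cannot express an OR across its conditions and a separate policy per condition is needed.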

Condition Parameters for Office 365

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Office 365.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for Office 365.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter, Operator, Value

IP address v4
Operator: Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).
Value: A comma-separated list of IPv4 addresses.

Device
Operator: Include or exclude the selected device type.
Value: Select Desktop, Mobile, API Call, or Other.

Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).
Value: A value as a time in 24-hour HH:MM:SS format.

CASB threat intelligence IP reputation
Operator: Equal to is the only option.
Value: To flag events from IP addresses with bad or good reputations, select Suspicious for bad reputations or Regular for good reputations.

City, State, or Country
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
Value: The name of the city, or the state or province, in the physical address that's associated with the IP address.

Creating Policy Alerts for Office 365 Exchange Online

Learn how to create policies to identify Exchange Online events that you want to be notified of, for example, sending email to competitor email domains or adding users to Exchange Online administrative groups.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

For background about the different Office 365 resource types and actions that you can detect with policy alerts, see Exchange Online knowledge base.

Creating Alerts for Sending and Receiving Email Using Exchange Online

Create policy alerts for email that is sent through the Exchange Online server.

You can create policy alerts for email that is sent through the Exchange Online server, either through the Outlook application or through an external application such as Thunderbird. For example, you can be notified when:

• Email recipients belong to external or competitor organizations.

• Users send email from or to IP addresses that are identified as suspicious.

• An administrator removes a protection rule related to sending email.

Note:

Alerts can't be triggered based on content that appears in the email subject line.

To create an alert for sending or receiving email:

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Field: Values

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Select Exchange Mail.

Resource name: Oracle CASB Cloud Service currently defaults the Exchange Mail resource type to "all sent or received email."

You can define email senders in the next step of the wizard. You also can define recipients and other filters (for example, destination domains) in the Conditions page of the wizard.

Action on this resource: Send. Identifies email sent from this Exchange Online account.

Received. Identifies email sent to this Exchange Online account.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Next. The Conditions page is optional. For a description of condition parameters, see Condition Parameters for Office 365.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Outlook Protection Rule Resources

Understand how to use the Resource type Exchange Admin: Outlook Protection Rule.

In addition to policies for sending and receiving email, you can configure the resource type Exchange Admin: Outlook Protection Rule to detect when an administrator modifies any rule that's applied before a user sends a message (Action: Set), disables the rule (Action: Disable), enables one (Action: Enable), creates a rule (Action: New), or deletes one (Action: Remove).

Creating Alerts for Exchange Users, Admins, Roles, Contacts, and Groups

Create policies to identify actions taken on roles, and memberships in role groups.

Office 365 Exchange lets administrators define the tasks that groups of users and administrators can perform using role groups.

Creating Alerts for Actions Taken on Administrators

Create alerts to track changes to administrative roles and the users given these roles.

This information can be useful to people who are responsible for Office 365 administration and want to ensure that they know everyone who has access to sensitive resources in Exchange Online.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Field: Value

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Select Exchange Admin: Admin Role Member.

Resource name: If you select:

Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial role group name.

Regular expression. Enter .* to match all roles or a regular expression to identify a subset of all role groups.

Action on this resource: Trigger an alert when a member of an administrative role group is added (Action: Add), deleted (Action: Remove), or modified (Action: Update).

5. Click Add and then add the resource type Exchange Admin: Admin Role Member, and identify one or more members and actions.

When you are done, click Next.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

7. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

8. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

9. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Changes to Administrative Groups

Create a policy that generates an alert when an administrative group is added, deleted, or modified.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Field: Value

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Exchange Admin: Admin Role

Resource name: If you select:

Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial role group name.

Regular expression. Enter .* to match all roles or a regular expression to identify a subset of all roles.

Action on this resource: Trigger an alert when an administrative role group is added (Action: Add), deleted (Action: Remove), or modified (Action: Update).

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Changes to User Role Assignments

Create a policy that generates an alert when a user role is added, deleted, or modified.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Field: Value

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Exchange Admin: User Role

Resource name: If you select:

Text. Select an operator from the drop-down menu (for example, Contains), and enter a full or partial role group name.

Regular expression. Enter .* to match all roles or a regular expression to identify a subset of all roles.

Action on this resource: Any. Matches any action on the role or roles.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Other User, Group, Admin, Role, and Contact Resources

Create a policy that generates an alert for other actions on Exchange Online users, administrators, contacts, and groups.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Field: Value

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Select a resource:

• Exchange Admin: Address List Paging: Detects when address list paging is enabled (Action: Enable-AddressListPaging).

• Exchange Admin: Contact List: Detects importing a list of contacts using a .csv file (Action: Import).

• Exchange Admin: Distribution Group: Detects distribution group modifications (Action: Set), new groups (Action: New), and deletions (Action: Remove).

• Exchange Admin: Distribution Group Member: Detects distribution group member modifications (Action: Set), new group members (Action: New), and deletions (Action: Remove).

• Exchange Admin: Dynamic Distribution Group: Detects dynamic distribution group modifications (Action: Set), new contacts (Action: New), and deletions (Action: Remove). The membership for these groups is based on filters and conditions, and is recalculated each time a user sends a message to the group.

• Exchange Admin: Mail Contact: Detects contact list user modifications (Action: Set), new contacts (Action: New), and deletions (Action: Remove).

• Exchange Admin: Mail User: Detects email user modifications (Action: Set), new groups (Action: New), and deletions (Action: Remove).

• Exchange Admin: Management Role: Detects changes to role-based permission sets (Action: Set), new roles (Action: New), and deletions (Action: Remove).

• Exchange Admin: Management Role Assignment: Detects when someone assigns a management role to a group, policy, user or security group (Action: New), deletes the role (Action: Remove), or modifies it (Action: Set).

• Exchange Admin: Management Role Entry: Detects changes to the permissions assigned to a management role (Action: Set), permissions added to the role (Action: New), and permissions deleted (Action: Remove).

• Exchange Admin: Management Scope: Detects changes to the scope of a management role (Action: Set), new scope definitions (Action: New), and deletions (Action: Remove). These are servers, mailboxes, and other objects that a management role applies to.

• Exchange Admin: Unified Group: Detects creation of a unified group (Action: Set-UnifiedGroup).

• User Photo (UserPhoto): Detects addition (Action: Set-UserPhoto) and removal (Action: Remove-UserPhoto) of a user photo.

• Exchange Admin: User Role: Detects changes to role assignment policies. These alerts detect new, deleted, and updated policies, which are collections of user roles.

Resource name: If you select:

Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial role group name.

Regular expression. Enter .* to match all roles or a regular expression to identify a subset of all roles.

Action on this resource: Any. Matches any action on the role or roles.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for DLP, Malware, and Filtering

Create a policy that generates an alert for actions on policies for data loss prevention (DLP), or malware and content.

Office 365 Exchange lets administrators configure data loss prevention (DLP) policies to filter email messages and attachments (for example, to prevent transmission of personally identifiable information). Malware and content (spam) filtering policies prevent distribution of unwanted information and potentially destructive programs.

You can create policies to identify actions taken on DLP, malware, and content filtering policies.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Field: Value

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Exchange Admin: Data Loss Prevention Policy

Resource name If you select:

Text. Select an operator from the drop-down menu (for example,Contains), and enter type a full or partial DLP or malware filterpolicy name.

Regular expression. Enter .* to match all DLP or malware filterpolicies or a regular expression to identify a subset of all ofthese policies.

Action on this resource These alerts detect when one of these resource types has beenadded (Action: New), deleted (Action: Remove), or modified(Action: Set), or when a malware filter rule has been enabledor disabled.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if thenamed user performs the action that you set in the previous step.

6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Additional DLP, Malware, and Filtering Resources

Learn about additional resources you can use in alerts for DLP, malware, and content filtering.

Malware and content (spam) filtering policies prevent distribution of unwanted information and potentially destructive programs. These fields or field types are available for use in creating alerts:

Exchange Admin: Hosted Connection Filter Policy
    Detects modifications to connection filter policies (Action: Set). These policies create safe sender and blocked sender lists.

Exchange Admin: Hosted Content Filter Policy
    Detects modifications to spam filter policies (Action: Set) and deleted policies (Action: Remove).

Exchange Admin: Hosted Content Filter Rule
    Detects modifications to spam filter rules, which define when and how to apply spam filter policies (Action: Set), deleted rules (Action: Remove), enabled rules (Action: Enable), and disabled ones (Action: Disable).

Creating Alerts for Exchange Information Rights Management

Create a policy that generates an alert when information rights management (IRM) rules are disabled, modified, or deleted.


Office 365 Exchange lets administrators create Information Rights Management (IRM) rules. These rules protect online and offline email messages and attachments. You can create policies to identify changes to your IRM rules, for example, to be notified when these rules are disabled, modified, or deleted.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Exchange Admin: IRM Configuration

Resource name: If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial rule name.

    Regular expression. If you select this option, enter .* to match all IRM rules or a regular expression to match one or more rules.

Action on this resource: One of the following:

    • Any. Matches any action on an IRM rule.

    • Set. Generates an alert when someone modifies a rule.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Exchange Online Access Rules

Create a policy that generates an alert when online access rules are created, deleted, or modified.


Office 365 Exchange lets administrators define access controls within and across forests. You can create policies to identify changes to your access rules, for example, to be notified when these rules are disabled, modified, or deleted.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Exchange Admin: Availability Config

Resource name: If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial rule name.

    Regular expression. If you select this option, enter .* to match all rules or a regular expression to match one or more rules.

Action on this resource: One of the following:

    • New. Matches creation of a new rule.

    • Remove. Generates an alert when someone deletes a rule.

    • Set. Generates an alert when someone modifies a rule.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Condition. In the Conditions page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Other Exchange Online Access Resources

Learn about additional resources you can use in alerts for online access rules.

These Resource types are available for use when creating alerts.


Exchange Admin: Availability Address Space
    This resource type identifies rules for creating availability address space objects for sharing free/busy data. Available actions in the policy: create a new availability address space (Action: Add), or delete one (Action: Remove).

Exchange Admin: Default Sharing Policy
    This resource type identifies installation of a default sharing policy (Action: Install-DefaultSharingPolicy).

Exchange Admin: Federated Organization Identifier
    This resource type identifies the federated organization identifier for the Exchange organization. Available actions in the policy: modify the identifier (Action: Set).

Exchange Admin: Organization Relationship
    Identifies when an administrator defines a new relationship with an external Exchange organization (Action: New), deletes one (Action: Remove), modifies one (Action: Set), or tests the configuration for an organization relationship (Action: Test).

Exchange Admin: Outlook Web App Policy
    Identifies creation of new policies to control access to web mailboxes and calendars (Action: New), deleted policies (Action: Remove), and modified policies (Action: Set).

Exchange Admin: Recipient Enforcement Provisioning Policy
    Identifies when a recipient enforcement policy is created (Action: Set-RecipientEnforcementProvisioningPolicy).

Creating Alerts for Exchange Mailboxes and Folders

Create a policy that generates an alert for changes to public and user mailboxes.

Office 365 Exchange lets administrators create, update, enable, disable, and delete public folder mailboxes and user mailboxes. You can create policies to identify changes to public and user mailboxes (for example, to track any changes to the mailbox audit or diagnostic logs or to global mailbox settings).

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Exchange Admin: Mailbox


Resource name: If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial mailbox name.

    Regular expression. Enter .* to match all mailboxes or a regular expression to identify a subset of all mailboxes.

    Note: If you match all mailboxes, consider narrowing the policy in later pages of this wizard. Otherwise, the policy can generate too many alerts to be practical.

Action on this resource: Identifies when a mailbox is created (Action: New), removed, searched, modified (Action: Set), disabled, or enabled.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Condition. In the Conditions page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Other Exchange Mailbox Actions

Create a policy that generates an alert for the full range of actions on public and user mailboxes.

1. Follow steps 1 and 2 in the previous procedure.

2. In step 3, configure a resource and action as follows:

Exchange Admin: Client Access Settings on a mailbox
    Detects when any change is made to client access policies for the named mailbox (for example, setting the mailbox email protocol and ActiveSync mailbox policy).

Exchange Admin: FolderBind
    Detects when a mailbox folder is accessed (Action: FolderBind).

Exchange Admin: InboxRule
    Detects enabled inbox rules, which define inbound message handling, for example, by moving particular messages to a specified folder (Action: Enable), changes to the rules (Action: Set), disabled rules (Action: Disable), new rules (Action: New), and deleted rules (Action: Remove).

Exchange Admin: Mail Public Folder
    Detects when someone email-enables a public folder (allows users to post to it) (Action: Enable) or disables posting (Action: Disable).


Exchange Admin: Mailbox Audit Log
    Detects when the audit log is searched.

Exchange Admin: Mailbox Calendar Folder
    Detects when someone configures access and sharing permissions for a folder.

Exchange Admin: Mailbox Diagnostic Logs
    Detects when someone exports the diagnostic logs.

Exchange Admin: Mailbox Folder
    Detects when someone exports a folder.

Exchange Admin: Mailbox Folder Permissions
    Detects when someone creates, deletes, or modifies folder permissions.

Exchange Admin: Mailbox Permission
    Detects when someone adds or removes access permission to a mailbox. This can be the mailbox owner or another user.

Exchange Admin: Mailbox Relocation Request
    Detects when someone submits a mailbox relocation request (Action: New-MailboxRelocationRequest).

Exchange Admin: Managed Folder Assistant
    Detects when someone starts message records management (MRM) processing for one or more mailboxes.

Exchange Admin: Public Folder
    Detects when a public folder is created (Action: New), its attributes are modified (Action: Set), or it is deleted (Action: Remove).

Exchange Admin: Public Folder Client Permission
    Detects when user access rights to a folder are created (Action: Add) or deleted (Action: Remove).

Exchange Admin: Public Folder Mailbox
    Detects when settings for a public folder mailbox are modified (Action: Update).

Exchange Admin: Public Folder Migration Request
    Detects when a migration from Exchange Server 2010 is created (Action: New), deleted (Action: Remove), resumed (Action: Resume), modified (Action: Set), or suspended (Action: Suspend).

Exchange Admin: Site Mailbox
    Detects when someone modifies or tests a site mailbox (which consolidates SharePoint and Exchange Online email).

Exchange Admin: Site Mailbox Provisioning Policy
    Detects when someone modifies the storage quotas for a site mailbox.

Exchange Admin: Soft Deleted Mailbox
    Detects when someone restores a soft-deleted mailbox to an Active Directory account.

Creating Alerts for Exchange Email Retention Rule Changes

Create a policy that generates an alert for changes to email retention rules.

Office 365 Exchange lets administrators create, update, and delete policies for how long different types of email must be kept. In general, these policies help an organization comply with internal, governmental, and legal requirements. Administrators also create, enable, disable, and delete journal rules. This controls storage of sent and received messages, again often to comply with various requirements.

Exchange Online administrators can extend retention periods by putting a mailbox on In-Place Hold or Litigation Hold.

You can create policies to identify changes to your email retention rules, for example, to be notified when these rules are disabled, modified, or deleted.


Prerequisite: You must start creating your new policy in Creating an Office 365 Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Exchange Admin: Retention Policy

Resource name: You must provide a name for the selected resource type. If you select:

    • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name.

    • Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

Any: Matches any action.

New-RetentionPolicy: A new retention policy is created.

Remove-RetentionPolicy: A retention policy is removed.

Set-RetentionPolicy: A retention policy is set.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Office 365 Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Journal Rule Changes

Create a policy that generates an alert for changes to journal rules.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Locate the policy you want to modify, and then click the Edit icon (right end of row, under ACTION).


3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Exchange Admin: Journal Rule

Resource name: If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial rule name.

    Regular expression. Enter .* to match all email retention rules.

Action on this resource: Any. Matches any action on a journal rule.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Condition.

In the Conditions page, you can filter the policy. For example, to exclude everyone in a particular domain, click Add new condition, in the Parameter drop-down list select Recipient, and in the Operator field, select Contains or Does not contain, then enter the user name or a partial name.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Mailbox Retention Rule Changes

Create a policy that generates an alert for changes to mailbox retention rules.

1. Follow steps 1 and 2 in the previous procedure.

2. In step 3, configure a resource and action as follows:

Exchange Admin: Retention Policy
    Detects when someone creates a mailbox or folder retention policy (Action: New), deletes one (Action: Remove), or modifies one (Action: Set).


Exchange Admin: Retention Policy Tag
    Detects when someone creates a mailbox or folder retention tag (Action: New), deletes one (Action: Remove), or modifies one (Action: Set). The tags contain particular retention settings. Retention policies contain one or more tags.

Creating Alerts for Exchange Mobile Devices and ActiveSync

Create a policy that generates an alert for actions taken on ActiveSync devices.

An administrator can configure and remove mobile devices that can synchronize with Office 365 Exchange mailboxes. The administrator can also create rules for an Exchange ActiveSync device that define conditions under which a mobile device can access Office 365 Exchange. These conditions, or access rules, define when devices are allowed, blocked, or quarantined (for example, if they are believed to be infected with malware).

You can create policies to identify actions taken on ActiveSync devices, including removing or wiping the devices clean, creating or modifying the access rules and mailbox policies for them, and setting organizations for the devices.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

Resource: Exchange Admin: ActiveSyncDevice. Returns mobile devices that have been configured for synchronization (ActiveSync) with your Exchange Online account.

Resource name: If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and enter a full or partial user name.

    Regular expression. Enter .* to match all devices.

Action on this resource: One of the following:

    Any. Matches any action on an ActiveSync device.

    Clear. Matches a clear (wipe) action on an ActiveSync device.

    Remove. Matches a remove (delete) action on an ActiveSync device.

When you are done, click Next.


5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Condition. In the Conditions page, you can filter the policy, for example, according to the client's IP address or time of day. For example, to limit the alert to only a particular set of users, or to everyone except a particular set of users, click Add new condition, in the Parameter drop-down list, select Recipient, and then do the following:

• To monitor for particular users, in the Operator field select Contains and then enter the user name or a partial name.

• To monitor for changes to anyone except a particular user or users, in the Operator field select Does not contain and then enter the name or partial name.

For more information on conditions in Office 365 alerts, see Condition Parameters for Office 365.

7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Other ActiveSync Device Actions

Create a policy that generates an alert for actions taken on other ActiveSync resources.

There are several more resource types for which you can configure Exchange alerts for ActiveSync device actions.

1. Follow steps 1 and 2 in the previous topic to configure the policy.

2. When you set the action, set one of the following resource types and actions:

Exchange Admin: ActiveSync Device Access Rule
    Triggers an alert when someone adds a device (Action: New), deletes one (Action: Remove), or modifies one (Action: Set).

Exchange Admin: ActiveSync Mailbox Policy
    Triggers an alert when someone adds a mailbox policy (Action: New), deletes one (Action: Remove), or modifies one (Action: Set). Mailbox policies include transport rules and security configuration settings (for example, S/MIME rules and password requirements).

Exchange Admin: ActiveSync Access Settings
    Triggers an alert when someone modifies a global setting for an organization, such as the email addresses of administrators who receive reports (Action: Set).


Other Alerts for Mobile Services and ActiveSync

Learn about additional resources you can use in alerts for mobile services and ActiveSync.

Oracle CASB Cloud Service policies support these Resource types:

Exchange Admin: Mobile Device
    Triggers an alert when someone deletes a mobile device with an ActiveSync partnership (Action: Remove) or wipes one clean (Action: Clear).

Exchange Admin: Mobile Device Mailbox Policy
    Triggers an alert when someone creates a policy (for example, password rules) for a mobile device (Action: New), deletes a mobile device policy (Action: Remove), or modifies one (Action: Set).

Creating Alerts for Unified Messaging

Create a policy that generates an alert for actions taken on the Unified Messaging (UM) system that controls voice mail and the auto-attendant.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, make these selections:

Application type: Select Office365.

Application instance: The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.


Resource: Select a resource:

    • Exchange Admin: UM Auto Attendant: Detects when an auto-attendant is enabled (Action: Enable), disabled (Action: Disable), created (Action: New), deleted (Action: Remove), or modified (Action: Set).

    • Exchange Admin: UM Call Answering Rule: Detects when a UM call answering rule is enabled (Action: Enable), disabled (Action: Disable), created (Action: New), deleted (Action: Remove), or modified (Action: Set).

    • Exchange Admin: UM Call Data Record: Detects when a UM call is exported (Action: Export).

    • Exchange Admin: UM Dial Plan: Detects when a dial plan that connects a user's telephone number and voice mail to their mailbox is created (Action: New), deleted (Action: Remove), or modified (Action: Set).

    • Exchange Admin: UM Hunt Group: Detects when a hunt group is added (Action: New) or deleted (Action: Remove). A hunt group is a logical representation of a private branch exchange (PBX) or IP PBX hunt group, and connects a UM IP gateway with a UM dial plan.

    • Exchange Admin: UM IP Gateway: Detects when someone creates a Unified Messaging (UM) gateway to connect a hunt group to other gateways, PBXes, or controllers (Action: New), disables the gateway (Action: Disable), enables one (Action: Enable), deletes one (Action: Remove), or modifies one (Action: Set).

    • Exchange Admin: UM Mailbox: Detects when someone enables a mailbox for UM (Action: Enable), disables UM for a mailbox (Action: Disable), or modifies a mailbox's UM settings (Action: Set).

    • Exchange Admin: UM Mailbox PIN: Detects when someone resets the PIN for a UM-enabled mailbox (Action: Set).

    • Exchange Admin: UM Mailbox Policy: Detects when someone creates a UM mailbox policy (Action: New), deletes one (Action: Remove), or modifies one (Action: Set). UM mailbox policies define the configuration of the mailbox (for example, whether speech recognition is enabled and whether the user is required to enter a PIN to access voice mail).

    • Exchange Admin: UM Prompt: Detects when someone exports the audio file for UM dial plans and auto-attendants.

Resource name: Oracle CASB Cloud Service sets the default for the Exchange Mail resource type to "all sent or received email." You can define email senders in the next step of the wizard. You also can define recipients and other filters (for example, destination domains) in the Conditions page of the wizard.

Action on this resource: One of the following:

    Send. Identifies email sent from this Exchange Online account.

    Received. Identifies email sent to this Exchange Online account.

When you are done, click Next.

5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

6. When you are done, click Next. The Conditions page is optional. For more information on conditions in Office 365 alerts, see Condition Parameters for Office 365.


7. Click Next and set your Action notifications:

• Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

• Send email to this address. Send email to the designated address.

8. When you are done, click Next, review your settings, and then click Submit.

Alerts for Other Exchange Online Resources

Learn about additional Resource types you can use in alerts for Exchange Online.

Almost every administrative action that affects Exchange Online triggers an underlying function known as a cmdlet. Oracle CASB Cloud Service generates alerts when a cmdlet matches a policy action, and the objects that the cmdlet acts on match the resources in the policy (and optionally other conditions). As a result, Oracle CASB Cloud Service detects actions performed in the UI, at the command line, and using any other method that triggers an Exchange Online action.

Consult the online help for Exchange Online cmdlets for details about each cmdlet.You can create policy alerts for all available actions on these cmdlets.
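The matching rule just described, as an added example that is not Oracle CASB code: a small evaluator derives the resource and action from the cmdlet name of constructed Exchange Online audit records, compares them with a policy, and applies the optional Username filter from the wizard (step 5 above, with the comma-separated "contains / does not contain" entries described later in this chapter). The cmdlet-noun-to-resource table, the event field names and case-insensitive name matching are assumptions of the example.

```python
"""Added example (not Oracle CASB code): evaluate CASB-style policies against
Exchange Online admin actions, each recorded as the cmdlet that performed it."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# ASSUMED mapping from the noun of an Exchange Online cmdlet to the Resource label
# used in this chapter. A real deployment would carry a much larger table.
RESOURCE_BY_NOUN: Dict[str, str] = {
    "MigrationBatch": "Exchange Admin: Migration Batch",
    "MoveRequest": "Exchange Admin: Move Request",
    "OrganizationConfig": "Exchange Admin: Organization Config",
    "AdminAuditLog": "Exchange Admin: Admin Audit Log Search",  # Search-AdminAuditLog
}


@dataclass(frozen=True)
class Policy:
    name: str
    resource: str                        # Resource label as shown in the wizard
    actions: FrozenSet[str]              # cmdlet verbs, e.g. {"New", "Start"}
    username_mode: Optional[str] = None  # None, "contains" or "does not contain"
    username_entries: str = ""           # comma-separated, as typed on the Username page


def split_cmdlet(cmdlet: str) -> Tuple[str, str]:
    """'Start-MigrationBatch' -> ('Start', 'MigrationBatch'): the verb is the
    action, the noun identifies the object the cmdlet acts on."""
    verb, sep, noun = cmdlet.partition("-")
    if not sep or not verb or not noun:
        raise ValueError(f"not a Verb-Noun cmdlet name: {cmdlet!r}")
    return verb, noun


def username_filter_matches(mode: Optional[str], entries: str, user: str) -> bool:
    """Username page semantics: with several comma-separated entries the alert fires
    if ANY one entry is contained (or, for 'does not contain', not contained) in the
    name. Case-insensitive comparison is an assumption of this example."""
    terms = [t.strip().lower() for t in entries.split(",") if t.strip()]
    if mode is None or not terms:
        return True                      # no filter configured
    hits = [t in user.lower() for t in terms]
    if mode == "contains":
        return any(hits)
    if mode == "does not contain":
        return not all(hits)             # at least one entry is absent from the name
    raise ValueError(f"unknown username filter mode: {mode!r}")


def policy_matches(policy: Policy, event: Dict[str, str]) -> bool:
    """An event matches when the cmdlet's object is the policy resource, its verb is
    one of the policy actions, and the optional Username filter agrees."""
    verb, noun = split_cmdlet(event["cmdlet"])
    if RESOURCE_BY_NOUN.get(noun) != policy.resource:
        return False
    if verb not in policy.actions:
        return False
    return username_filter_matches(policy.username_mode, policy.username_entries,
                                   event["user"])


def risk_events(policies: List[Policy],
                events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one Risk Events entry per (policy, event) pair that matches."""
    return [
        {"policy": p.name, "user": e["user"], "cmdlet": e["cmdlet"]}
        for e in events
        for p in policies
        if policy_matches(p, e)
    ]


# Constructed sample audit records (not real tenant data); a real feed would also
# carry timestamps, object identities and the cmdlet parameters.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "alice@example.com", "cmdlet": "New-MigrationBatch"},
    {"user": "svc-migration@example.com", "cmdlet": "Start-MigrationBatch"},
    {"user": "bob@example.com", "cmdlet": "Search-AdminAuditLog"},
    {"user": "carol.admin@example.com", "cmdlet": "Set-OrganizationConfig"},
    {"user": "dave@example.com", "cmdlet": "Get-MigrationBatch"},  # read-only verb
]

SAMPLE_POLICIES: List[Policy] = [
    Policy("Migration batch created or started outside the migration service account",
           "Exchange Admin: Migration Batch", frozenset({"New", "Start"}),
           username_mode="does not contain", username_entries="svc-migration"),
    Policy("Admin audit log searched",
           "Exchange Admin: Admin Audit Log Search", frozenset({"Search"})),
    Policy("Organization config changed by a named admin",
           "Exchange Admin: Organization Config", frozenset({"Set"}),
           username_mode="contains", username_entries="carol, erin"),
]

if __name__ == "__main__":
    for alert in risk_events(SAMPLE_POLICIES, SAMPLE_EVENTS):
        print(f"[{alert['policy']}] {alert['user']} ran {alert['cmdlet']}")
```

Run stand-alone, the sample produces three Risk Events entries (alice, bob and carol); the service-account start and the read-only Get-MigrationBatch produce none.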

Subscriptions

Learn about additional resources you can use in alerts for subscriptions in Exchange.

Exchange subscription fields and descriptions:

Exchange Admin: Connect Subscription
    Detects a new service integration (for example, with Facebook) (Action: New) or a modified one (Action: Set).

Exchange Admin: IMAP Subscription
    Detects when a user creates IMAP subscriptions in their cloud-based mailbox (Action: New) or deletes one (Action: Remove).

Exchange Admin: Hotmail Subscription
    Detects when a user creates Hotmail subscriptions in their cloud-based mailbox (Action: New) or modifies one (Action: Set).

Exchange Admin: POP Subscription
    Detects when a user creates POP subscriptions in their cloud-based mailbox (Action: New) or modifies one (Action: Set).

Exchange Admin: Subscription
    Detects when a user creates a new Hotmail, POP or IMAP subscription in their cloud-based mailbox (Action: New) or deletes one (Action: Remove).

Admin Audit Log

Learn about additional resources you can use in alerts for admin audit logs in Exchange.

This table lists the fields on the Resource page in the policy creation wizard, with the values you would use in an alert for Admin Audit Log.


Exchange Admin: Admin Audit Log
    Detects when someone writes a comment in the admin audit log (Action: Write).

Exchange Admin: Admin Audit Log Config (AdminAuditLog)
    Detects when someone writes a configuration entry in the audit log (Action: Write-AdminAuditLog).

Exchange Admin: Admin Audit Log Search
    Detects when someone searches the admin audit log (Action: Search).

System Configuration

Learn about additional resources you can use in alerts for system configuration in Exchange.

Exchange system configuration fields and descriptions:

Exchange Admin: Availability Address Space
    Detects when someone creates address space objects for creating free/busy information across organizations (Action: Add) or deletes them (Action: Remove).

Exchange Admin: Availability Config
    Detects when someone creates an access level for free/busy information (Action: Add), deletes one (Action: Remove), or modifies one (Action: Set).

Exchange Admin: Data Classification Config
    Detects when someone installs a data classification configuration (Action: Install-DataClassification).

Exchange Admin: Exchange Assistance Config
    Detects when someone creates (Action: New-ExchangeAssistanceConfig) or sets (Action: Set-ExchangeAssistanceConfig) an Exchange assistance configuration.

Exchange Admin: Resource Config
    Detects when someone installs a resource configuration (Action: Install-ResourceConfig).

Exchange Admin: Tenant Object Version
    Detects when someone sets a tenant object version (Action: Set-TenantObjectVersion).

Migration and Move Requests

Learn about additional resources you can use in alerts for migration and move requests in Exchange.

This table lists the fields on the Resource page in the policy creation wizard, with the values you would use in an alert for migration and move requests.

Exchange Admin: Migration Batch
    Detects when someone concludes the process to move mailboxes from on-premises to Exchange Online, or from Exchange Online to on-premises (Action: Complete), submits a migration request (Action: New), deletes the request (Action: Remove), updates the request (Action: Set), starts the process (Action: Start), or stops an in-flight migration (Action: Stop).

Exchange Admin: Migration Report
    Detects when someone exports a migration report (Action: Export).


Exchange Admin: Migration Server Availability
    Detects when someone tests migration server availability (Action: Test).

Exchange Admin: Migration User
    Detects when someone deletes a user from a migration task (Action: Remove).

Exchange Admin: Move Request
    Detects when someone creates a request to move an asynchronous mailbox or personal archive (Action: New), deletes the request (Action: Remove), restarts a move (Action: Resume), modifies a request (Action: Set), or suspends an in-flight move (Action: Suspend).

Organizations

Learn about additional resources you can use in alerts for organizations in Exchange.

This table lists the fields on the Resource page in the policy creation wizard, with the values you would use in an alert for organizations.

Exchange Admin: Organization Config
    Detects when an administrator has modified settings for an Exchange organization (Action: Set), for example, changing distribution group settings and the address book root.

Exchange Admin: Organization Customization
    Detects when an administrator enables organization customization (Action: Enable). This permits the administration center to perform actions such as creating role groups, role assignment policies, and sharing policies.

Creating Policy Alerts for Office 365 SharePoint and OneDrive

Create custom policies to generate alerts for actions on resources that are specific to your Office 365 SharePoint and OneDrive environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can create policies for actions and resources in SharePoint and OneDrive.

Note:

If you registered your Office 365 instance before April 2016, to enable the features for SharePoint and OneDrive and for Azure AD, you must re-enter the Oracle CASB Cloud Service user's credentials for your registered application instance in the credentials update page: select Applications, click the icon for the instance to display the Health Summary, and then Modify, Update Credentials.


Creating Alerts for SharePoint and OneDrive User and Group Management

Create a policy that generates an alert for actions taken on users and groups.

For instructions about how to create a policy alert for Office 365, see the topics for Creating Policy Alerts for Office 365 Exchange Online.

Here are the resources and actions for user and group management. Except where noted otherwise, these resource types and actions apply to both SharePoint and OneDrive. Each entry gives the resource, the action/event name, and the trigger for policies with that resource and action.

Resource: List of user agents exempted from indexing
  Modify (CustomizeExemptUsers)
      A global administrator customizes the list of exempt user agents in the SharePoint administrator center.
      When exempt user agents encounter an InfoPath form, the form is returned as an XML file instead of an entire web page. This speeds up indexing of InfoPath forms.
  Add to list (ExemptUserAgentSet)
      A global administrator adds a user agent to the list of exempt user agents in the SharePoint administrator center.

Resource: Group
  Add group (GroupAdded)
      A site administrator or owner creates a group for a site, or performs another task that results in a group being created. (For example, when a user creates a link with edit permissions to a shared file, a system group is added to the user's site.)
  Remove group (GroupRemoved)
      A user deletes a group from a site.
  Modify (GroupUpdated)
      A site administrator or owner changes the settings for a group (for example, the group name or who can edit the group membership).
  Grant permission to create groups (AllowGroupCreationSet)
      A site administrator or owner adds a permission level that allows users to create a group for the site.
  Add user (UserAddedToGroup)
      A site administrator or owner adds a person to a group on a site. This grants the group's permissions to the user.
  Remove user (UserRemovedFromGroup)
      A site administrator or owner removes a person from a group on a site. This removes the group's permissions from the user.
  Add group SSO credentials (SSOGroupCredentialsSet)
      An administrator sets group credentials in the Secure Store service.

Resource: User
  Add User SSO credentials (SSOUserCredentialsSet)
      An administrator sets user credentials in the Secure Store service.


Creating Alerts for SharePoint and OneDrive Files and Folders

Create a policy that generates an alert for actions taken on files and folders.

Note:

For instructions about how to create a policy alert, see the topics for Creating Policy Alerts for Office 365 Exchange Online.

This table lists the fields on the Resource page in the policy creation wizard, with the values you would use in an alert for SharePoint and OneDrive files and folders. Each entry gives the resource, the action/event name, and the trigger for policies with that resource and action.

Note:

The Folder... options may only be available if you have set up targeted release options (also commonly referred to as "preview mode") for the Office 365 service account. See the Microsoft documentation, Set up the Standard or Targeted release options in Office 365.

Resource: SharePoint/OneDrive Sharing Invitation
  SharingInvitationAccepted
      A recipient of an invitation to view or edit a shared file or folder clicks the link in the invitation.
  SharingInvitationCreated
      A user sends an invitation to view or edit a shared file or folder on a site. The invitation goes to a person inside or outside his or her organization.


  AccessInvitationExpired
      An invitation sent to an external user expires. By default, an invitation sent to a user outside of your organization expires after 7 days if the invitation isn't accepted.
  SharingInvitationRevoked
      The site administrator or owner of a site or document withdraws an invitation that was sent to a user outside your organization. An invitation can be withdrawn only before it's accepted.
  AccessInvitationUpdated
      The sender of an invitation to view or edit a shared file or folder on a site resends the invitation.

Resource: SharePoint/OneDrive Sharing
  SharingRevoke
      Someone removes a sharing permission.
  SharingSet
      Someone modifies a sharing permission.

Resource: SharePoint/OneDrive Shared Link
  AnonymousLinkCreated
      Someone creates a link that allows external users to view documents anonymously.
  AnonymousLinkUsed
      Someone views documents anonymously.
  CompanyLinkCreated
      Someone creates a link that can be used company-wide.


  CompanyLinkRemoved
      Someone deletes a link that can be used company-wide.

Resource: SharePoint/OneDrive File
  AnonymousLinkCreated
      Someone creates a link that allows external users to view documents anonymously.
  AnonymousLinkRemoved
      Someone deletes a link that allows external users to view documents anonymously.
  AnonymousLinkUpdated
      Someone updates a link that allows external users to view documents anonymously.
  AnonymousLinkUsed
      Someone views documents anonymously.
  CompanyLinkCreated
      Someone creates a link that can be used company-wide.
  CompanyLinkRemoved
      Someone deletes a link that can be used company-wide.
  FileAccessed
      Someone views a file on a site.
  FileCheckOutDiscarded
      A user discards (or undoes) a checked out file. This discards any changes made when it was checked out.
  FileCheckedIn
      A user checks in a document to a document library.


  FileCheckedOut
      A user checks out a document in a library. Users can check out and edit documents that were shared with them.
  FileCopied
      A user copies a document from a site. The user can save the copy to another folder on the site.
  FileDeleted
      A user deletes a document from a site.
  FileDownloaded
      A user downloads a document from a site.
  FileModified
      A user or system account modifies the content or the properties of a document on a site.
  FileMoved
      A user moves a document on a site to a new location.
  FileRenamed
      A user renames a document on a site.
  FileRestored
      A user restores a document from the recycle bin of a site.
  FileUpdated
      A user modifies a file on a site.
  FileUploaded
      A user uploads a document to a folder on a site.

Resource: SharePoint/OneDrive Folder
  FolderCreated
      A user creates a folder on a site.
  FolderDeleted
      A user permanently deletes a folder on a site.


  FolderDeletedFirstStageRecycleBin
      A user deletes a folder to the first stage recycle bin on a site.
  FolderDeletedSecondStageRecycleBin
      A user deletes a folder to the second stage recycle bin on a site.
  FolderModified
      A user modifies a folder on a site.
  FolderMoved
      A user moves a folder on a site.
  FolderRenamed
      A user renames a folder on a site.

Resource: SharePoint/OneDrive Activation (browser-enabled basic form templates)
  ActivationEnabled
      Users can browser-enable form templates that don't contain form code, require full trust, enable rendering on a mobile device, or use a data connection managed by a server administrator.

Resource: SharePoint/OneDrive CollaborationType
  CollaborationTypeModified
      The type of collaboration allowed on sites (for example, intranet, extranet, or public) was modified.

After you have finished specifying Resource and Action options, complete your policy by continuing where you left off in Creating Policy Alerts for Office 365 Exchange Online.

Creating Alerts for SharePoint Application Management

Create a policy that generates an alert for application management actions.

For instructions about how to create a policy alert for Office 365, see any of the topics for Creating Policy Alerts for Office 365 Exchange Online.

Here are the resources and actions for SharePoint-connected applications that you can make the target of a policy.


SharePoint/OneDrive: AppCatalog
    Detects a new app catalog for SharePoint (Action: AppCatalogCreated), or removing or updating the audit policy for the catalog (Action: AuditPolicyRemoved, AuditPolicyUpdate).

SharePoint/OneDrive: SSOApplication
    Detects when an administrator creates a single sign-on application (Action: CreateSSOApplication), deletes one (Action: DeleteSSOApplication), or updates one (Action: UpdateSSOApplication).

Creating Alerts for SharePoint and OneDrive Site Management

Create a policy that generates an alert for site management actions.

For information about creating a policy alert for Office 365, see the topics for Creating Policy Alerts for Office 365 Exchange Online.

Note:

The SharePoint/OneDrive Site options may only be available if you have set up targeted release options (also commonly referred to as "preview mode") for the Office 365 service account. See the Microsoft documentation, Set up the Standard or Targeted release options in Office 365.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click New Policy.

3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

4. In the Resource page, select Office365 as the application type, select an application instance, and then set the resource. Each entry below gives the resource, the action/event name, and the trigger for policies with that resource and action.

Resource: SharePoint/OneDrive LegacyWorkflowEnabled
  LegacyWorkflowEnabledSet
      A site administrator or owner adds the SharePoint Workflow Task content type to the site.

Resource: SharePoint/OneDrive OfficeOnDemand
  OfficeOnDemandSet
      A site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint administrator center and requires an Office 365 subscription that includes full, installed Office applications.

Resource: SharePoint/OneDrive MaxQuota
  MaxQuotaModified
      The maximum quota for a site is modified.


Resource: SharePoint/OneDrive MaxResourceUsage
  MaxResourceUsageModified
      The maximum allowable resource usage for a site is modified.

Resource: SharePoint/OneDrive NewsFeedEnabled
  NewsFeedEnabledSet
      A site administrator or owner enables RSS feeds for a SharePoint or OneDrive for Business site.

Resource: SharePoint/OneDrive ResourceWarningEnabled
  ResourceWarningEnabledModified
      An administrator modifies the resource quota warning.

Resource: SharePoint/OneDrive SearchCenterURL
  SearchCenterUrlSet
      An administrator sets a search center URL. A Search Center lets users submit search queries and view search results. A Search Center site is the top-level site of a site collection that a farm administrator creates.

Resource: SharePoint/OneDrive SecondaryMySiteOwner
  SecondaryMySiteOwnerSet
      A user modifies the secondary owners of their MySite site.

Resource: SharePoint/OneDrive SendToConnection
  SendToConnectionAdded
      A global administrator creates a new Send To connection on the Records management page in the SharePoint admin center.
  SendToConnectionRemoved
      A global administrator deletes a Send To connection from the Records management page in the SharePoint admin center.

Resource: SharePoint/OneDrive Site
  SiteCollectionAdminAdded
      A site administrator or owner adds a SharePoint or OneDrive for Business collection administrator.
  SiteCollectionAdminRemoved
      A site administrator or owner removes a SharePoint or OneDrive for Business collection administrator.
  SiteCollectionCreated
      A site administrator or owner creates a SharePoint or OneDrive for Business collection administrator.
  SiteRenamed
      A site administrator or owner renames a SharePoint or OneDrive for Business site.

Resource: SharePoint/OneDrive SiteAdminChange
  SiteAdminChangeRequest
      Someone submits a request to change the site administrator.

Resource: SharePoint/OneDrive SiteCollection
  SiteCollectionAdminAdded
      Someone adds a site collection administrator.
  SiteCollectionCreated
      Someone creates a site collection.

Resource: SharePoint/OneDrive SitePermissions
  SitePermissionsModified
      Someone modifies site permissions.

Creating Alerts for SharePoint Evidence Management

Create a policy that generates an alert for unwarranted actions related to evidence management.

You can create policies for unwarranted actions related to evidence management in SharePoint. For example, a policy can alert you when someone performs an eDiscovery hold. The hold maintains a copy of the content, while letting users continue to work with their content.

For instructions about how to create a policy alert for Office 365, see any of the topics for Creating Policy Alerts for Office 365 Exchange Online.

Here are the resources and actions for SharePoint eDiscovery that you can make the target of a policy.

SharePoint/OneDrive: eDiscovery
    Detects when a new In-Place Hold was placed on a content source (Action: eDiscoveryHoldApplied) or removed (Action: eDiscoveryHoldRemoved), or someone performed an eDiscovery search of an eDiscovery site collection (Action: eDiscoverySearchPerformed).

Creating Policy Alerts for Office 365 Azure Active Directory

Create custom policies to generate alerts for actions on resources that are specific to your Office 365 Azure AD (Active Directory) environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can create policies for actions and resources in Azure AD.

Note:

If you registered your Office 365 instance before April 2016, to enable the features for SharePoint and OneDrive and for Azure AD, you must re-enter the Oracle CASB Cloud Service user's credentials for your registered application instance in the credentials update page. Select Applications, click the icon for the instance to display the Health Summary, and then Modify, Update Credentials.

Creating Alerts for Azure AD User, Group, and Role Management

Create a policy that generates an alert for unwarranted actions related to sensitive files and folders.

You can create policies for unwarranted actions related to sensitive files and folders in Office 365 Azure Active Directory (AD). For example, a policy can be triggered and generate an alert when someone creates a self-service tenant from a domain that you want to exclude from membership.

For instructions about how to create a policy alert for Office 365, see any of the topics for Creating Policy Alerts for Office 365 Exchange Online.

Here are the resources and actions for Azure AD that you can make the target of a policy. Each entry gives the resource, the action/event name, and the trigger for policies with that resource and action.


Resource: AzureAD User
  Add
      An administrator adds a user to the directory. This can be a new user in your organization, a user with an existing Microsoft account, or a user in another Azure AD directory that this administrator manages.
  Delete
      An administrator deletes a user from the directory.
  Update
      An administrator updates a user in the directory. The Azure AD logs should show the attributes that were updated.
  Reset user password
      An administrator resets the password for a user in the directory.
  Change user password
      An administrator changes the password for a user in the directory.
  Set force change user password
      An administrator sets the property that forces a user to change his or her password on login.
  Set license properties
      An administrator sets the license properties for a user in the directory.
  Change user license
      An administrator changes the license assigned to a user in the directory. To see what licenses were updated, look in the Azure AD logs for an "Update user" event immediately before or after this event.

Resource: AzureAD Authentication
  Failed login
      User login failed.
  Login
      User logged in successfully.

Resource: AzureAD Group
  Add group
      An administrator creates a group in the directory. This event is of interest for groups with special privileges.
  Update group
      An administrator updates a group in the directory. This event is of interest for groups with special privileges.
  Delete group
      An administrator deletes a group from the directory. This event is of interest for groups with special privileges.
  Add member to group
      An administrator adds a member to a group in the directory. This event is of interest for groups with special privileges.
  Remove member from group
      An administrator removes a member from a group in the directory. This event is of interest for groups with special privileges.

Resource: AzureAD Role Events
  Add role member
      An administrator adds a user to a directory role (a set of permissions). This can be a sensitive operation if the role is highly privileged.
  Remove role member
      An administrator removes a user from a directory role (a set of permissions). This can be a sensitive operation if the role is highly privileged.
  Set company contact information
      An administrator sets company-level contact preferences, including email addresses for marketing and technical notifications about Microsoft Online Services.


Resource: Directory
  Set federation settings on domain
      Update the federation settings for a domain.
  Verify domain
      Verify a domain in the directory.
  Verify email domain
      Do email verification of a domain in the directory.
  Set DirSyncEnabled flag on company
      Set the property that enables a directory for Azure AD Sync.
  Set Password Policy
      Set length and character constraints for user passwords.
  Set Company Information
      Update company-level information. See the Get-MsolCompanyInformation PowerShell cmdlet for more information.

Creating Alerts for Azure AD Application and Directory Management

Create a policy that generates an alert for unwarranted actions related to sensitive files and folders.

You can create policies for actions related to application and directory management in Office 365 Azure AD (for example, when someone creates a self-service tenant from a domain that you want to exclude from membership).

For instructions about how to create a policy alert, see the topics for Creating Policy Alerts for Office 365 Exchange Online.

Here are the resources and actions for Azure AD that you can make the target of a policy. Each entry gives the resource, the action/event name, and the trigger for policies with that resource and action.

Resource: AzureAD Application Events
  Add service principal
      An administrator adds a service principal to the directory. A Service Principal can be tied to an application (often, the application is single sign on). A Service Principal grants the application access to resources in the directory.
  Remove service principal
      An administrator removes a service principal from the directory.
  Add service principal credentials
      An administrator adds authentication credentials to a service principal. After adding an application, an administrator can add a Service Principal that is tied to the application. Often, the purpose of the application is single sign-on. Adding a Service Principal grants the application access to resources in the directory.
  Remove service principal credentials
      An administrator removes authentication credentials for a service principal.


  Add delegation entry
      An administrator creates an OAuth2PermissionGrant in the directory to show the resources that each client may access and the permission level for each resource.
  Set delegation entry
      An administrator updates an OAuth2PermissionGrant in the directory.
  Remove delegation entry
      An administrator deletes an OAuth2PermissionGrant in the directory. The oauth2PermissionGrants show the resources that each client may access and the permission level for each resource.

Resource: AzureAD Directory Events
  Add application
      An application has been added to the directory.
  Add partner to company
      Add a partner to the directory.
  Remove partner from company
      Remove a partner from the directory.
  Remove domain from company
      Remove a domain from the directory.
  Update domain
      Update a domain in the directory.
  Set domain authentication
      Change the default domain setting for the company.
  Set federation settings on domain
      Update the federation settings for a domain.
  Verify domain
      Verify a domain in the directory.
  Verify email domain
      Do email verification of a domain in the directory.
  Set DirSyncEnabled flag on company
      Set the property that enables a directory for Azure AD Sync.
  Set Password Policy
      Set length and character constraints for user passwords.
  Set Company Information
      Update company-level information.

Creating Policy Alerts for Oracle Cloud Infrastructure (OCI)

Create custom policies to generate alerts for actions on resources that are specific to your OCI environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can configure policies for any changes in roles or objects.


Creating an OCI Policy

Follow these general steps for any policy you create to generate an alert for actions in OCI.

Oracle CASB Cloud Service displays an alert in Risk Events whenever an event occurs that matches the policy conditions.

The following are general steps for creating an OCI policy that generates an alert whenever an event occurs that matches the policy conditions. Oracle CASB Cloud Service displays all alerts in Risk Events. Optionally, you can also choose to receive an email notification.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Application type
    Select OCI.

Application instance
    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Alerts for Compute Images

• Creating Alerts for Compute Instances

• Creating Alerts for Database Systems

• Creating Alerts for Dynamic Routing Gateways

• Creating Alerts for Identity Groups

• Creating Alerts for Identity Policies

• Creating Alerts for Identity Users

• Creating Alerts for Identity Compartments

• Creating Alerts for Identity Federations

• Creating Alerts for Networking Internet Gateways

• Creating Alerts for Networking Load Balancers

• Creating Alerts for Networking Network Security Groups

• Creating Alerts for Networking Security Lists

• Creating Alerts for Networking Virtual Cloud Networks

• Creating Alerts for Object Storage

• Creating Alerts for Storage Block Volumes

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for OCI, see Condition Parameters for Oracle Cloud Infrastructure.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat steps a and b above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for Oracle Cloud Infrastructure

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for OCI.


These parameters and operators are available on the Conditions page of the New Policy wizard to fine-tune your alerts for OCI.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter Operator Value

IP address v4 Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to). A comma-separated list of IPv4 addresses.

Device Include or exclude the selected device type. Select Desktop, Mobile, API Call, or Other.

Timestamp The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT). A value as a time in 24-hour HH:MM:SS format.

Compartment Name (not available if resource is a user or a group) Specify Equal to, Not Equal to, In, or Not in. Comma-separated list of Compartment Names.

CASB threat intelligence IP reputation Equal to is the only option. To flag events from IP addresses with bad or good reputations, select:

• Suspicious for bad reputations.

• Regular for good reputations.

City, State, or Country

• Equal to requires matching the name you enter in Value.

• Not Equal to requires not matching the name you enter in Value.

• In requires matching any one of several names you enter in Value.

• Not in requires matching none of several names you enter in Value.

The name of the city, or the state or province, in the physical address that’s associated with the IP address.
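The matching rules this chapter describes (resource name-action pairs are ORed, the Username filter triggers when any one entry matches, Conditions are ANDed, Timestamp is compared in GMT), worked through in code. This is an added example, not Oracle's code or part of this guide; the event records, their field names, and the "Later than"/"Earlier than" labels for the Timestamp operator are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address

# Text operators of the Resource name field; Regular expression is handled in Pair.
TEXT_OPS = {
    "Equal to": lambda name, v: name == v,
    "Contains": lambda name, v: v in name,
    "Begins with": lambda name, v: name.startswith(v),
    "Ends with": lambda name, v: name.endswith(v),
}

@dataclass
class Pair:
    mode: str              # "Text" or "Regular expression"
    value: str             # text to compare, or the regex (".*" matches every name)
    action: str            # e.g. "CreateOrResetUIPassword", or "Any"
    op: str = "Equal to"   # Text operator; ignored for regular expressions
    def matches(self, event):
        if self.mode == "Regular expression":
            # Assumption: the whole resource name must match the expression.
            name_ok = re.fullmatch(self.value, event["resource_name"]) is not None
        else:
            name_ok = TEXT_OPS[self.op](event["resource_name"], self.value)
        return name_ok and self.action in ("Any", event["action"])

@dataclass
class Policy:
    resource: str                # Resource field, e.g. "Identity Users"
    pairs: list                  # Pair objects; the alert fires if ANY pair matches
    username_op: str = None      # "Username contains" / "Username does not contain"
    username_value: str = ""     # comma-separated entries
    conditions: list = field(default_factory=list)  # (parameter, operator, value); ANDed

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def username_filter_passes(policy, user):
    """As the chapter states it: with several entries, ANY one entry being contained
    (or, for "does not contain", ANY one entry being absent) is enough to trigger."""
    if policy.username_op is None:
        return True
    entries = _csv(policy.username_value)
    if policy.username_op == "Username contains":
        return any(e in user for e in entries)
    return any(e not in user for e in entries)

def condition_holds(cond, event):
    """Evaluate one row of the Conditions page against an event."""
    parameter, op, value = cond
    negate = op in ("Not in", "Not equal to", "Exclude")
    if parameter == "IP address v4":
        hit = ip_address(event["ip"]) in {ip_address(a) for a in _csv(value)}
    elif parameter in ("Compartment Name", "City", "State", "Country"):
        hit = event[parameter.lower().replace(" ", "_")] in set(_csv(value))
    elif parameter == "Device":
        hit = event["device"] == value
    elif parameter == "Timestamp":
        # Compared in GMT as 24-hour HH:MM:SS; the "Later than"/"Earlier than"
        # labels are assumptions, the chapter only says exact, later or earlier.
        entered, actual = time.fromisoformat(value), event["time_gmt"]
        hit = {"Equal to": actual == entered, "Later than": actual > entered,
               "Earlier than": actual < entered}[op]
    else:
        raise ValueError(f"unsupported parameter: {parameter}")
    return not hit if negate else hit

def alert_fires(policy, event):
    """True when the event would be added to Risk Events under this policy."""
    return (event["resource"] == policy.resource
            and any(p.matches(event) for p in policy.pairs)
            and username_filter_passes(policy, event["user"])
            and all(condition_holds(c, event) for c in policy.conditions))

def _ev(i, name, action, user, ip, comp, device, hh, mm):
    # Constructed sample event; the field names are assumptions, not OCI's schema.
    return {"id": i, "resource": "Identity Users", "resource_name": name, "action": action,
            "user": user, "ip": ip, "compartment_name": comp, "device": device,
            "time_gmt": time(hh, mm)}

# Constructed sample events, not real OCI audit records.
EVENTS = [
    _ev(1, "admin-01", "CreateOrResetUIPassword", "alice", "198.51.100.7", "prod", "API Call", 2, 15),
    _ev(2, "admin-01", "CreateOrResetUIPassword", "svc-automation", "198.51.100.7", "prod", "API Call", 2, 16),
    _ev(3, "dev-07", "UploadApiKey", "bob", "203.0.113.9", "dev", "Desktop", 14, 0),
    _ev(4, "admin-02", "UploadApiKey", "carol", "198.51.100.20", "prod", "Desktop", 14, 0),
]

# Credential changes on Identity Users in production compartments, skipping one
# service-account prefix and one known address: pairs are ORed, conditions ANDed.
POLICY = Policy(
    resource="Identity Users",
    pairs=[Pair("Regular expression", ".*", "CreateOrResetUIPassword"),
           Pair("Text", "admin", "UploadApiKey", op="Contains")],
    username_op="Username does not contain", username_value="svc-",
    conditions=[("Compartment Name", "In", "prod, shared"),
                ("IP address v4", "Not in", "203.0.113.9")],
)

def matching_event_ids(policy=POLICY, events=EVENTS):
    return [e["id"] for e in events if alert_fires(policy, e)]  # [1, 4] for POLICY
```

Note what the Username wording implies: with two entries in Username does not contain (say "svc-,bot-"), a user name containing only one of them still triggers, because the other entry is absent; use one entry per policy when you need every entry excluded.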

Creating Alerts for Compute Images

Create a policy that generates an alert for changes to Compute Images.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.


Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Compute Images

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

DeleteImage The compute image has been deleted.

ExportImage The compute image has been exported.

ImportImage The compute image has been imported.

UpdateImage The compute image has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Compute Instances

Create a policy that generates an alert for changes to Compute Instances.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:


Field Value

Resource Compute Instances

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Attach VNIC A VNIC has been attached to the compute instance.

Detach VNIC A VNIC has been detached from the compute instance.

Get VNIC Information about a VNIC attached to the compute instance was queried.

Launch Instance The compute instance has been launched.

Terminate Instance The compute instance has been terminated.

Update Instance The compute instance has been updated.

Update VNIC Information about a VNIC attached to the compute instance has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Database Systems

Create a policy that generates an alert for changes to Database Systems.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:


Field Value

Resource Database Systems

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

GetDbSystem The database system has been accessed.

LaunchDbSystem The database system has been launched.

TerminateDbSystem The database system has been terminated.

UpdateDbSystem The database system has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Dynamic Routing Gateways

Create a policy that generates an alert for changes to Dynamic Routing Gateways.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Dynamic Routing Gateways


Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Create routing gateway The networking routing gateway has been created.

Delete routing gateway The networking routing gateway has been deleted.

Update routing gateway The networking routing gateway has been updated.

Detach routing gateway The networking routing gateway has been detached.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Identity Groups

Create a policy that generates an alert for changes to Identity Groups.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Identity Groups


Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Add user to group A user has been added to the identity group.

Create Group The identity group has been created.

Delete Group The identity group has been deleted.

Get Group The identity group has been accessed.

GetUserGroupMembership The identity group membership has been accessed.

List groups The identity group has appeared in a listing of identity groups.

ListUserGroupMemberships The identity group membership has appeared in a listing of identity group memberships.

Remove user from group A user has been removed from the identity group.

Update group The identity group has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Identity Policies

Create a policy that generates an alert for changes to Identity Policies.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.


Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Identity Policies

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

CreatePolicy The identity policy has been created.

DeletePolicy The identity policy has been deleted.

GetPolicy The identity policy has been accessed.

ListPolicies The identity policy appeared in a listing of identity policies.

UpdatePolicy The identity policy has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Identity Users

Create a policy that generates an alert for changes to Identity Users.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:


Field Value

Resource Identity Users

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Create User The identity user has been created.

CreateCustomerSecretKey A customer secret key for the identity user has been created.

CreateOrResetUIPassword A UI password for the identity user has been created.

CreateSwiftPassword A customer swift password for the identity user has been created.

Delete user The identity user has been deleted.

DeleteApiKey An API key for the identity user has been deleted.

DeleteCustomerSecretKey A customer secret key for the identity user has been deleted.

DeleteSwiftPassword A swift password for the identity user has been deleted.

Get user The identity user has been accessed.

List users The identity user appeared in a listing of identity users.

ListApiKeys An API key for the identity user appeared in a listing of identity user API keys.

ListCustomerSecretKeys A customer secret key for the identity user appeared in a listing of identity user customer secret keys.

ListSwiftPasswords A swift password for the identity user appeared in a listing of identity user swift passwords.

Login_Fail A login failed for the identity user.

Login_Success A login succeeded for the identity user.

Update user The identity user has been updated.

UpdateCustomerSecretKey A customer secret key for the identity user has been updated.

UpdateSwiftPassword A customer swift password for the identity user has been updated.

UpdateUserState The user state for the identity user has been updated.

UploadApiKey An API key for the identity user has been uploaded.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Identity Compartments

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Identity Compartments.

Follow the steps in Creating an OCI Policy to complete the steps in the policy creation wizard leading up to selecting a Resource type on the Resource page.

After you select a Resource type of Identity Compartments, you choose one of these options from the Action on this resource drop-down list:

Action on this Resource Description

Any Any action taken on this resource, as identified in the Criteria field of the Resource page.

Create compartment An identity compartment has been created.

Delete compartment An identity compartment has been deleted.

Get compartment Details of an identity compartment have been accessed.

List compartments The list of identity compartments has been accessed.

Update compartment Details of an identity compartment have been updated.

For steps to complete the alert, after selecting an Action on this resource, see Creating an OCI Policy.

Creating Alerts for Identity Federations

Create a policy that generates an alert for changes to Identity Federations.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Identity Federations


Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Create identity provider An identity provider has been created.

Delete identity provider An identity provider has been deleted.

Get identity provider Details of an identity provider have been accessed.

List identity providers The list of identity providers has been accessed.

Update identity provider Details of an identity provider have been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Networking Internet Gateways

Create a policy that generates an alert for changes to Networking Internet Gateways.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Networking Internet Gateways


Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Create Internet gateway The networking Internet gateway has been created.

Delete Internet gateway The networking Internet gateway has been deleted (detached).

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Networking Load Balancers

Create a policy that generates an alert for changes to Networking Load Balancers.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Networking Load Balancers


Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Create listener A listener for the networking load balancer has been created.

CreateLoadBalancer The networking load balancer has been created.

Delete listener A listener for the networking load balancer has been deleted.

DeleteLoadBalancer The networking load balancer has been deleted.

GetLoadBalancer The networking load balancer has been accessed.

ListLoadBalancers The networking load balancer has appeared in a listing of networking load balancers.

UpdateListener A listener for the networking load balancer has been updated.

UpdateLoadBalancer The networking load balancer has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Networking Network Security Groups

Create a policy that generates an alert for changes to Networking Network Security Groups.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.


Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Networking Network Security Groups

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Create network securitygroup

The networking network security group has been created.

Delete network securitygroup

The networking network security group has been deleted(detached).

Update network securitygroup

The networking network security group has been updated(name changed).

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resourcetype (Resource field) selection. When you add more resource name-action pairs,the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policyalert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pairyou just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert,resuming at step 6.

Creating Alerts for Networking Security ListsCreate a policy that generates an alert for changes to Networking Security Lists.

Prerequisite: You must start creating your new policy in Creating an OCI Policy inorder to be ready to be ready to follow the steps below to specify the resource andaction that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:


Field Value

Resource Networking Security Lists

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Create security list A networking security list has been created.

Delete security list A networking security list has been deleted.

Get security list A networking security list has been read.

List security list A networking security list has been listed.

Update security list A networking security list has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Networking Virtual Cloud Networks

Create a policy that generates an alert for changes to Networking Virtual Cloud Networks.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Networking Virtual Cloud Networks


Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

CreateVcn The networking virtual cloud network has been created.

DeleteVcn The networking virtual cloud network has been deleted.

ListVcns The networking virtual cloud network has appeared in a listing of networking virtual cloud networks.

UpdateVcn The networking virtual cloud network has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Object Storage

Create a policy that generates an alert for changes to Object Storage.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Object Storage


Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Create bucket A bucket for the object storage has been created.

Create pre-authenticated request A preauthenticated request for the object storage has been created.

Delete bucket A bucket for the object storage has been deleted.

Delete pre-authenticated request A preauthenticated request for the object storage has been deleted.

Get bucket A bucket for the object storage has been accessed.

Update bucket A bucket for the object storage has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Storage Block Volumes

Create a policy that generates an alert for changes to Storage Block Volumes.

Prerequisite: You must start creating your new policy in Creating an OCI Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:


Field Value

Resource Storage Block Volumes

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

AttachBlockVolume The storage block volume has been attached.

ExportImage An image of the storage block volume has been exported.

ImportImage An image of the storage block volume has been imported.

UpdateImage An image of the storage block volume has been updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an OCI Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Policy Alerts for Oracle ERP Cloud

Create custom policies to generate alerts for actions on resources that are specific to your Oracle ERP Cloud environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can configure policies for any changes in roles or objects.


Creating an Oracle ERP Cloud Policy

Follow these general steps for any policy you create to generate an alert for actions in Oracle ERP Cloud.

The following are general steps for creating an Oracle ERP Cloud policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Field Value(s)

Application type Select ERPCloud.

Application instance The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Alerts for Oracle ERP Cloud Roles

• Creating Alerts for ERP Cloud Business Objects

• Creating Alerts for Oracle ERP Cloud Login Events

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.


c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for Oracle ERP Cloud, see Condition Parameters for Oracle ERP Cloud.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for Oracle ERP Cloud

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Oracle ERP Cloud.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for ERP.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter Operator Value

Device Include or exclude the selected device type. Select Desktop, Mobile, API Call, or Other.


Timestamp The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT). Value: a time in 24-hour HH:MM:SS format.

City, State, or Country

• Equal to requires matching the name you enter in Value.

• Not Equal to requires not matching the name you enter in Value.

• In requires matching any one of several names you enter in Value.

• Not in requires matching none of several names you enter in Value.

Value: The name of the city, or the state or province, in the physical address that’s associated with the IP address.


Target Type

• Equal to requires matching the name you enter in Value.

• Not Equal to requires not matching the name you enter in Value.

Value: User, Group, or Role.

Note: This condition parameter is only available for the Resource Type Job Role.


Target Value

• Equal to requires matching the name you enter in Value.

• Not Equal to requires not matching the name you enter in Value.

• In requires matching any one of several names you enter in Value.

• Not in requires matching none of several names you enter in Value.

• Contains requires having the text you enter in Value to be present.

• Not Contains requires not having the text you enter in Value to be present.

Value: Name of the user, group, or role.

Note: This condition parameter is only available for the Resource Type Job Role.

Creating Alerts for Oracle ERP Cloud Roles

Create alerts for activity related to Oracle ERP Cloud roles. For example, administrators who are creating too many privileged roles, or users who are performing impersonation.

Prerequisite: You must start creating your new policy in Creating an Oracle ERP Cloud Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Job Role

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.


Privileges added Privileges were added to this job role.

Privileges removed Privileges were removed from this job role.

Role created A job role was created.

Role membership added A user, group, or role was assigned this job role.

Role membership removed A user, group, or role was removed from this job role.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Oracle ERP Cloud Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for ERP Cloud Business Objects

Create alerts for activity related to Oracle ERP Cloud business objects. For example, administrators who are creating too many bank accounts or bank account users.

Note:

The Oracle ERP Cloud business objects described in this section must be enabled on your Oracle CASB Cloud Service tenant. To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

Prerequisite: You must start creating your new policy in Creating an Oracle ERP Cloud Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:


Field Value

Resource One of the following business objects:

• Bank Account
• Bank Account - Checkbook
• Bank Account - General Ledger Account
• Bank Account - Payment Document
• Bank Account - Use
• Disbursement Business Unit Wise Option
• Disbursement Enterprise Unit Wise Option
• External Bank Account
• External Bank Account Owner
• Financial Option
• Payment System Format
• Payment System Info Audit
• Payment System Transmission
• Supplier
• Supplier - Address Contacts
• Supplier - Address Tax Classifications
• Supplier - Address Tax Registrations
• Supplier - Address Tax Reporting Codes
• Supplier - Addresses
• Supplier - Bank Accounts
• Supplier - Business Classifications
• Supplier - Contacts
• Supplier - Payment Attributes
• Supplier - Payment Methods
• Supplier - Products and Services
• Supplier - Site Assignments
• Supplier - Sites
• Supplier - Tax Classifications
• Supplier - Tax Registrations
• Supplier - Tax Reporting Codes
• System Option
• System Security Options

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Add The selected business object was added.

Delete The selected business object was deleted.

Modify The selected business object was modified.

3. (Optional) Add more Resource name-Action pairs to refine your policy.


You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Oracle ERP Cloud Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Oracle ERP Cloud Login Events

Create alerts for activity related to Oracle ERP Cloud login events. For example, successful and unsuccessful logins.

In the policy creation wizard Resource page, after you select a Resource type of Login Event, you can choose one of the actions listed in step 2 below from the Action on this resource drop-down list.

Prerequisite: You must start creating your new policy in Creating an Oracle ERP Cloud Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field Value

Resource Login Event

Resource name You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names of the selected resource type.

2. Specify an Action on the resource using the table below:

Action on this resource Description

Any Matches any action.

Failed Login A failed login event occurred.

Login A successful login event occurred.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Oracle ERP Cloud Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Policy Alerts for Oracle HCM Cloud

Create custom policies to generate alerts for actions on resources that are specific to your HCM Cloud environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can configure policies for any changes in roles or objects.

Creating an Oracle HCM Cloud Policy

Follow these general steps for any policy you create to generate an alert for actions in Oracle HCM Cloud.

The following are general steps for creating an Oracle HCM Cloud policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Field Value(s)

Application type Select HCMCloud.

Application instance The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.


5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Alerts for Oracle HCM Cloud Roles

• Creating Alerts for Oracle HCM Cloud Objects

• Creating Alerts for Oracle HCM Cloud Login Events

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for HCM, see Condition Parameters for Oracle HCM Cloud.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.
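The matching rules in the procedure above (resource name-action pairs on the Resource page, the Username filter, and the ANDed Conditions page) are the same ones used by the Oracle ERP Cloud procedure and by every "Specifying Resources and Actions to Trigger the Alert" section for OCI earlier in this chapter. The following Python model is an added example, not Oracle CASB Cloud Service code; it shows how those rules combine when one policy is evaluated against an event. The flat event dictionary keyed by the wizard's field names, the sample events and the example policy are constructed assumptions; the operator and parameter names are the ones the wizard uses.

```python
"""Evaluate a CASB-style custom policy against audit events.

Added example, not Oracle CASB Cloud Service code. The event layout (flat dicts
keyed by the wizard's field names) and the sample events are constructed.
Matching rules follow this chapter: resource name-action pairs are ORed, the
Username filter is a comma-separated list in which any one entry decides, and
Conditions are ANDed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ResourceName:
    """The Resource name field: Text with an operator, or a Regular expression."""
    kind: str                    # "Text" or "Regular expression"
    value: str
    operator: str = "Equal to"   # Equal to, Contains, Begins with, Ends with (Text only)

    def matches(self, name: str) -> bool:
        if self.kind == "Regular expression":
            # fullmatch, so the wizard's ".*" hint matches every resource name
            return re.fullmatch(self.value, name) is not None
        checks = {
            "Equal to": name == self.value,
            "Contains": self.value in name,
            "Begins with": name.startswith(self.value),
            "Ends with": name.endswith(self.value),
        }
        return checks[self.operator]


@dataclass
class Condition:
    """One row on the Conditions page, for example Device Equal to Desktop."""
    parameter: str
    operator: str   # Equal to, Not Equal to, In, Not in, Contains, Not Contains
    value: str      # comma-separated for In / Not in

    def holds(self, event: Dict[str, str]) -> bool:
        actual = event.get(self.parameter, "")
        listed = [v.strip() for v in self.value.split(",")]
        checks = {
            "Equal to": actual == self.value,
            "Not Equal to": actual != self.value,
            "In": actual in listed,
            "Not in": actual not in listed,
            "Contains": self.value in actual,
            "Not Contains": self.value not in actual,
        }
        return checks[self.operator]


@dataclass
class Policy:
    name: str
    application_type: str
    resource: str
    pairs: List[Tuple[ResourceName, str]]               # (resource name, action); "Any" = all actions
    username_filter: Optional[Tuple[str, str]] = None   # ("contains"|"does not contain", "a,b")
    conditions: List[Condition] = field(default_factory=list)

    def username_ok(self, user: str) -> bool:
        if self.username_filter is None:
            return True
        mode, entries = self.username_filter
        present = [e.strip() in user for e in entries.split(",") if e.strip()]
        # Username page text: with several entries the alert fires when any ONE
        # entry is contained (or, for "does not contain", any one is absent).
        return any(present) if mode == "contains" else any(not p for p in present)

    def evaluate(self, event: Dict[str, str]) -> bool:
        if event.get("Application type") != self.application_type:
            return False
        if event.get("Resource") != self.resource:
            return False
        # Resource page: resource name-action pairs are ORed.
        pair_hit = any(
            rn.matches(event.get("Resource name", ""))
            and action in ("Any", event.get("Action on this resource"))
            for rn, action in self.pairs
        )
        if not pair_hit or not self.username_ok(event.get("Username", "")):
            return False
        # Conditions page: every condition must hold (ANDed).
        return all(c.holds(event) for c in self.conditions)


def alerts_for(policy: Policy, events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events that would produce a Risk Events alert."""
    return [e["id"] for e in events if policy.evaluate(e)]


# Constructed policy: privilege changes on administrator job roles, plus any
# membership change, from a desktop, by a non-service account, targeting a user or group.
EXAMPLE_POLICY = Policy(
    name="Privileged ERP job role changes", application_type="ERPCloud", resource="Job Role",
    pairs=[(ResourceName("Text", "Admin", "Contains"), "Privileges added"),
           (ResourceName("Regular expression", ".*"), "Role membership added")],
    username_filter=("does not contain", "svc-"),
    conditions=[Condition("Device", "Equal to", "Desktop"),
                Condition("Target Type", "In", "User,Group")],
)

# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"id": "e1", "Application type": "ERPCloud", "Resource": "Job Role", "Resource name": "Application Administrator",
     "Action on this resource": "Privileges added", "Username": "alice", "Device": "Desktop", "Target Type": "User"},
    {"id": "e2", "Application type": "ERPCloud", "Resource": "Job Role", "Resource name": "Accounts Payable Clerk",
     "Action on this resource": "Role membership added", "Username": "bob", "Device": "API Call", "Target Type": "User"},
    {"id": "e3", "Application type": "ERPCloud", "Resource": "Job Role", "Resource name": "Accounts Payable Clerk",
     "Action on this resource": "Privileges added", "Username": "carol", "Device": "Desktop", "Target Type": "User"},
    {"id": "e4", "Application type": "ERPCloud", "Resource": "Job Role", "Resource name": "Payables Administrator",
     "Action on this resource": "Role membership added", "Username": "svc-integration", "Device": "Desktop", "Target Type": "Group"},
]
```

Running `alerts_for(EXAMPLE_POLICY, SAMPLE_EVENTS)` returns only `e1`: `e2` fails the Device condition, `e3` matches neither pair (the name does not contain "Admin" and the action is not a membership change), and `e4` is excluded by the Username filter. Two points worth checking in your own policies follow directly from the page's wording: a "Username does not contain" filter with several comma-separated entries triggers as soon as any one entry is absent, so it excludes fewer users than an intuitive reading suggests, and conditions that you want ORed must go in separate policies.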


Condition Parameters for Oracle HCM Cloud

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Oracle HCM Cloud.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for HCM.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter Operator Value

IP address v4 Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to). Value: A comma-separated list of IPv4 addresses.

Device Include or exclude the selected device type. Select Desktop, Mobile, API Call, or Other.

Timestamp The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT). Value: a time in 24-hour HH:MM:SS format.

CASB threat intelligence IP reputation Equal to is the only option. To flag events from IP addresses with bad or good reputations, select:

• Suspicious for bad reputations.

• Regular for good reputations.

City, State, or Country

• Equal to requires matching the name you enter in Value.

• Not Equal to requires not matching the name you enter in Value.

• In requires matching any one of several names you enter in Value.

• Not in requires matching none of several names you enter in Value.

Value: The name of the city, or the state or province, in the physical address that’s associated with the IP address.


Parameter: Target Type
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
Value: User, Group, or Role.
Note: This condition parameter is only available for the Resource Type Job Role.

Parameter: Target Value
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
• Contains requires having the text you enter in Value to be present.
• Not Contains requires not having the text you enter in Value to be present.
Value: Name of the user, group, or role.
Note: This condition parameter is only available for the Resource Type Job Role.

Creating Alerts for Oracle HCM Cloud Roles

Create alerts for activity related to Oracle HCM Cloud roles. For example, administrators who are creating too many privileged roles, or users who are performing impersonation.

Prerequisite: You must start creating your new policy in Creating an Oracle HCM Cloud Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Resource
Value: Job Role

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.
• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Action on this resource: Description
Any: Matches any action.
Privileges added: Privileges were added to this job role.
Privileges removed: Privileges were removed from this job role.
Role created: A job role was created.
Role membership added: A user, group, or role was assigned this job role.
Role membership removed: A user, group, or role was removed from this job role.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Oracle HCM Cloud Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Oracle HCM Cloud Objects

Create alerts for activity related to Oracle HCM Cloud objects. For example, changes in salary or a salary component, or users who are adding users and then assigning particular roles to them.

Prerequisite: You must start creating your new policy in Creating an Oracle HCM Cloud Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Resource
Value: Any resource other than Job Role

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.
• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Action on this resource: Description
Any: Matches any action.
Add: The resource was added.
Modify: The resource was modified.
Delete: The resource was deleted.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Oracle HCM Cloud Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Oracle HCM Cloud Login Events

Create alerts for activity related to Oracle HCM Cloud login events. For example, successful and unsuccessful logins.

Prerequisite: You must start creating your new policy in Creating an Oracle HCM Cloud Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Resource
Value: Login Event

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.
• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Action on this resource: Description
Any: Matches any action.
Failed Login: A failed login event occurred.
Login: A successful login event occurred.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Oracle HCM Cloud Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Policy Alerts for Oracle Identity Cloud Service (IDCS)

Create custom policies to generate alerts for actions on resources that are specific to your IDCS environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can configure policies for any changes in roles or objects.

Creating an IDCS Policy

Follow these general steps for any policy you create to generate an alert for actions in IDCS.

The following are general steps for creating an IDCS policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.


Field: Application type
Value(s): Select IDCS.

Field: Application instance
Value(s): The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. Specify resource details and actions.

a. Specify Resource details, using the information in the table below:

Field: Resource
Value(s): The type of object you want to monitor. Currently, the only object you can monitor is Identity.

Field: Resource name
Value(s): You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.
• Regular expression, enter .* to match all resource names.

b. Specify an Action on the resource using the table below:

Action on this resource: Description
Failed login: A failed login occurred.
Login: A successful login occurred.

c. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

d. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.


Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for IDCS, see Condition Parameters for IDCS.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for IDCS

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for IDCS.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for IDCS.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.


Parameter: IP address v4
Operator: Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).
Value: A comma-separated list of IPv4 addresses.

Parameter: Device
Operator: Include or exclude the selected device type.
Value: Select Desktop, Mobile, API Call, or Other.

Parameter: Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).
Value: A value as a time in 24-hour HH:MM:SS format.

Parameter: CASB threat intelligence IP reputation
Operator: Equal to is the only option.
Value: To flag events from IP addresses with bad or good reputations, select:
• Suspicious for bad reputations.
• Regular for good reputations.

Parameter: Group
Operator: Include this list of groups (In) or exclude them (Not in).
Value: Comma-separated list of group names.

Parameter: City, State, or Country
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
Value: The name of the city, or the state or province, in the physical address that's associated with the IP address.

Creating Policy Alerts for Oracle Sales Cloud

Create custom policies to generate alerts for actions on resources that are specific to your Oracle Sales Cloud environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can configure policies for any changes in roles or objects.

Creating an Oracle Sales Cloud Policy

Follow these general steps for any policy you create to generate an alert for actions in Oracle Sales Cloud.

The following are general steps for creating an Oracle Sales Cloud policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Field: Application type
Value(s): Select SalesCloud.

Field: Application instance
Value(s): The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Alerts for Oracle Sales Cloud Roles

• Creating Alerts for Oracle Sales Cloud Login Events

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for Oracle Sales Cloud, see Condition Parameters for Oracle Sales Cloud. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.


Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for Oracle Sales Cloud

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Oracle Sales Cloud.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for SalesCloud.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter: Device
Operator: Include or exclude the selected device type.
Value: Select Desktop, Mobile, API Call, or Other.

Parameter: Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).
Value: A value as a time in 24-hour HH:MM:SS format.

Parameter: City, State, or Country
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
Value: The name of the city, or the state or province, in the physical address that's associated with the IP address.


Parameter: Target Type
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
Value: User, Group, or Role.
Note: This condition parameter is only available for the Resource Type Job Role.

Parameter: Target Value
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
• Contains requires having the text you enter in Value to be present.
• Not Contains requires not having the text you enter in Value to be present.
Value: Name of the user, group, or role.
Note: This condition parameter is only available for the Resource Type Job Role.
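The Condition Parameters tables for Oracle HCM Cloud, IDCS and Oracle Sales Cloud all describe the same operator semantics, and the Note on each Conditions page states that multiple conditions are ANDed. The following Python script is an added example that models those rules so they can be tried against sample events; it is not Oracle CASB Cloud Service code. The event field names, the sample events, the operator labels for Timestamp ("Later than" and "Earlier than", standing for the "later than" and "earlier" choices the table describes) and the way the IDCS Group parameter is matched against an actor's groups are assumptions made for this illustration.

```python
"""Evaluate policy conditions as the Condition Parameters tables describe them.

Added example, not Oracle CASB Cloud Service code. Event field names, sample
events, the Timestamp operator labels and the Group matching rule are assumed.
"""
from datetime import datetime, timezone
from ipaddress import ip_address

# Event field each single-valued parameter is compared against (assumed names).
PARAMETER_FIELDS = {
    "Device": "device",
    "City": "city",
    "State": "state",
    "Country": "country",
    "Target Type": "target_type",
    "Target Value": "target_value",
}


def _split(value):
    """Multi-valued inputs arrive as one comma-separated string from the wizard."""
    return [v.strip() for v in value.split(",") if v.strip()]


def _compare_text(actual, op, value):
    """Equal to / Not Equal to / In / Not in / Contains / Not Contains, as documented."""
    if op == "equal to":
        return actual == value
    if op == "not equal to":
        return actual != value
    if op == "in":
        return actual in _split(value)
    if op == "not in":
        return actual not in _split(value)
    if op == "contains":
        return value in actual
    if op == "not contains":
        return value not in actual
    raise ValueError(f"unsupported operator: {op}")


def condition_matches(event, parameter, operator, value):
    """True if one (Parameter, Operator, Value) condition holds for the event."""
    op = operator.lower()
    if parameter == "Timestamp":
        # Timestamps are evaluated in GMT: normalise the event's own UTC offset
        # and compare only the time of day against the HH:MM:SS value.
        event_time = datetime.fromisoformat(event["timestamp"]).astimezone(timezone.utc).time()
        wanted = datetime.strptime(value, "%H:%M:%S").time()
        if op == "equal to":
            return event_time == wanted
        if op == "later than":          # assumed label for "later than the time you entered"
            return event_time > wanted
        if op == "earlier than":        # assumed label for "earlier"
            return event_time < wanted
        raise ValueError(f"unsupported Timestamp operator: {op}")
    if parameter == "IP address v4":
        # In / Equal to include the listed addresses; Not in / Not equal to exclude them.
        actual = ip_address(event["ip"])
        listed = {ip_address(v) for v in _split(value)}
        if op in ("in", "equal to"):
            return actual in listed
        if op in ("not in", "not equal to"):
            return actual not in listed
        raise ValueError(f"unsupported IP address v4 operator: {op}")
    if parameter == "CASB threat intelligence IP reputation":
        if op != "equal to" or value not in ("Suspicious", "Regular"):
            raise ValueError("Equal to with Suspicious or Regular is the only option")
        return event["ip_reputation"] == value
    if parameter == "Group":
        # IDCS only. Assumed: In matches if the actor is in any listed group,
        # Not in if the actor is in none of them.
        shared = set(event["groups"]) & set(_split(value))
        if op == "in":
            return bool(shared)
        if op == "not in":
            return not shared
        raise ValueError(f"unsupported Group operator: {op}")
    return _compare_text(event[PARAMETER_FIELDS[parameter]], op, value)


def matching_event_ids(events, conditions):
    """Conditions are ANDed: an event matches only if every condition holds."""
    return [e["id"] for e in events
            if all(condition_matches(e, p, o, v) for p, o, v in conditions)]


# Constructed sample events, not real Oracle CASB Cloud Service output.
SAMPLE_EVENTS = [
    {"id": "evt-1", "ip": "203.0.113.10", "device": "Desktop",
     "timestamp": "2020-07-01T22:15:00-04:00",   # 02:15:00 GMT on 2020-07-02
     "ip_reputation": "Suspicious", "city": "Austin", "state": "Texas", "country": "US",
     "target_type": "Role", "target_value": "Payroll Administrator", "groups": ["HR Admins"]},
    {"id": "evt-2", "ip": "198.51.100.7", "device": "API Call",
     "timestamp": "2020-07-01T09:05:00+00:00",
     "ip_reputation": "Regular", "city": "Berlin", "state": "Berlin", "country": "DE",
     "target_type": "User", "target_value": "jdoe", "groups": ["Employees"]},
]

# A role change from a suspicious address outside working hours (GMT); all three must hold.
SUSPICIOUS_ROLE_CHANGE = [
    ("Target Type", "Equal to", "Role"),
    ("CASB threat intelligence IP reputation", "Equal to", "Suspicious"),
    ("Timestamp", "Earlier than", "06:00:00"),
]

# Conditions are ANDed, so "from Germany OR via the API" needs two separate policies.
FROM_GERMANY = [("Country", "In", "DE, AT")]
VIA_API = [("Device", "Equal to", "API Call")]

if __name__ == "__main__":
    print("suspicious role change:", matching_event_ids(SAMPLE_EVENTS, SUSPICIOUS_ROLE_CHANGE))
    print("two policies for OR:", matching_event_ids(SAMPLE_EVENTS, FROM_GERMANY),
          matching_event_ids(SAMPLE_EVENTS, VIA_API))
```

The Timestamp branch is where policies most often surprise their authors: evt-1 happened at 22:15 local time (UTC-4) but is evaluated as 02:15 GMT, so a "Later than 22:00:00" condition does not match it while "Earlier than 06:00:00" does. Putting FROM_GERMANY and VIA_API into one policy ANDs them and matches only evt-2 because it satisfies both; two policies would each alert on their own condition.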

Creating Alerts for Oracle Sales Cloud Roles

Create alerts for activity related to Oracle Sales Cloud roles. For example, administrators who are creating too many privileged roles, or users who are performing impersonation.

Prerequisite: You must start creating your new policy in Creating an Oracle Sales Cloud Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Resource
Value: Any resource other than Job Role

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.
• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Action on this resource: Description
Any: Matches any action.
Privileges added: Privileges were added to this job role.
Privileges removed: Privileges were removed from this job role.
Role created: A job role was created.
Role membership added: A user, group, or role was assigned this job role.
Role membership removed: A user, group, or role was removed from this job role.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Oracle Sales Cloud Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Oracle Sales Cloud Login Events

Create alerts for activity related to Oracle Sales Cloud login events. For example, successful and unsuccessful logins.

Prerequisite: You must start creating your new policy in Creating an Oracle Sales Cloud Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field: Resource
Value: Any resource other than Login Event

Field: Resource name
Value: You must provide a name for the selected resource type. If you select:
• Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial resource name.
• Regular expression, enter .* to match all resource names.

2. Specify an Action on the resource using the table below:

Action on this resource: Description
Any: Matches any action.
Failed Login: A failed login event occurred.
Login: A successful login event occurred.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating an Oracle Sales Cloud Policy and finish the steps to complete your policy alert, resuming at step 6.
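The Specifying Resources and Actions procedures above (for HCM roles, objects and login events, for IDCS, and for Oracle Sales Cloud roles and login events) all share the same matching rules: a Resource name is matched either as Text with one operator (Equal to, Contains, Begins with, Ends with) or as a Regular expression, each resource name-action pair is matched on its own and the alert fires when any one pair matches, and the Username page then filters on comma-separated substrings. The Python below is an added example that implements those rules, not Oracle CASB Cloud Service code. The event fields, the sample role events and the treatment of an empty Username filter as "no restriction" are assumptions made for the illustration.

```python
"""Resource name-action pair matching and the Username filter, as documented.

Added example, not Oracle CASB Cloud Service code. Event field names, sample
events and the empty-filter behaviour are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceActionPair:
    name_mode: str   # "Text" or "Regular expression", the Resource name choice
    operator: str    # Text operator; unused for Regular expression
    name: str        # the text or pattern entered in Resource name
    action: str      # an Action on this resource, or "Any"


def resource_name_matches(pair, resource_name):
    """Apply the Resource name selection to one event's resource name."""
    if pair.name_mode == "Regular expression":
        # fullmatch so that ".*" matches every name, as the procedure says,
        # while "Payroll.*" does not quietly match "HR Payroll Clerk".
        return re.fullmatch(pair.name, resource_name) is not None
    op = pair.operator.lower()
    if op == "equal to":
        return resource_name == pair.name
    if op == "contains":
        return pair.name in resource_name
    if op == "begins with":
        return resource_name.startswith(pair.name)
    if op == "ends with":
        return resource_name.endswith(pair.name)
    raise ValueError(f"unsupported Text operator: {pair.operator}")


def pair_matches(pair, event):
    """A pair matches when both its resource name and its action match."""
    action_ok = pair.action == "Any" or pair.action == event["action"]
    return action_ok and resource_name_matches(pair, event["resource_name"])


def resource_page_matches(pairs, event):
    """Pairs are ORed: the alert is triggered when any one pair matches."""
    return any(pair_matches(p, event) for p in pairs)


def username_filter_matches(mode, entries, username):
    """Username page: comma-separated entries; the alert is triggered if any one
    entry is contained (Username contains) or not contained (Username does not
    contain) in the acting user's name. An empty filter is assumed to pass all."""
    needles = [e.strip() for e in entries.split(",") if e.strip()]
    if not needles:
        return True
    if mode == "Username contains":
        return any(n in username for n in needles)
    if mode == "Username does not contain":
        return any(n not in username for n in needles)
    raise ValueError(f"unsupported Username mode: {mode}")


def matching_event_ids(events, pairs, username_mode="Username contains", username_entries=""):
    """Events that pass the Resource page pairs and the Username filter."""
    return [e["id"] for e in events
            if resource_page_matches(pairs, e)
            and username_filter_matches(username_mode, username_entries, e["user"])]


# Constructed sample job-role events, not real Oracle CASB Cloud Service output.
SAMPLE_EVENTS = [
    {"id": "evt-1", "resource_name": "Payroll Administrator", "action": "Privileges added",
     "user": "svc-hr-integration"},
    {"id": "evt-2", "resource_name": "Payroll Administrator", "action": "Role membership added",
     "user": "alice.admin"},
    {"id": "evt-3", "resource_name": "Benefits Analyst", "action": "Role created",
     "user": "bob.contractor"},
    {"id": "evt-4", "resource_name": "HR Payroll Clerk", "action": "Privileges removed",
     "user": "alice.admin"},
]

# Three pairs, as built with Add resource and action: the same name twice with
# different actions, plus a regular expression that covers every role created.
PRIVILEGED_ROLE_PAIRS = [
    ResourceActionPair("Text", "Begins with", "Payroll", "Privileges added"),
    ResourceActionPair("Text", "Begins with", "Payroll", "Role membership added"),
    ResourceActionPair("Regular expression", "", ".*", "Role created"),
]

if __name__ == "__main__":
    print("pairs only:", matching_event_ids(SAMPLE_EVENTS, PRIVILEGED_ROLE_PAIRS))
    print("excluding service accounts:",
          matching_event_ids(SAMPLE_EVENTS, PRIVILEGED_ROLE_PAIRS, "Username does not contain", "svc-"))
```

evt-4 is not matched: "HR Payroll Clerk" does not begin with "Payroll", and the ".*" pair is tied to the Role created action only. Adding the "Username does not contain svc-" filter drops evt-1, whose actor is a service account, which is the usual way to keep integration traffic out of an alert meant for human administrators.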

Creating Policy Alerts for Salesforce

Create custom policies to generate alerts for actions on resources that are specific to your Salesforce environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can create alerts for particular Salesforce standard or custom objects, for turning history tracking on and off, and for changes to roles and privileges.

You also can create alerts for almost any administrator activity by copying events that appear in the Salesforce Setup Audit Trail. For example, you can monitor changes to Salesforce security controls to augment the Oracle CASB Cloud Service default monitoring of the password and session security controls.

Tip:

To find audit trail resource names, in the Salesforce console go to Security Controls, View Setup Audit Trail, and then copy the value in the Action column that you want to monitor and paste it in a text file. You can then copy this string into the regular expression in the Resource instance name field.

Note:

Unlike automatically detected risks, a policy alert doesn't generate a corresponding ticket in the Incidents section of the console.


Creating a Salesforce PolicyFollow these general steps for any policy you create to generate an alert for actions inSalesforce.

The following are general steps for creating a Salesforce policy. Once created,when the policy conditions are met, Oracle CASB Cloud Service displays an alertin Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If theNavigation Menu is not displayed, click the Navigation Menu icon to displayit.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations,select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Field Value(s)

Application type Select Salesforce.

Application instance The application instance(s). Select Any if you want thealert to apply to every registered instance of the selectedapplication type. Otherwise, select one or more individualinstances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Alerts for Custom Salesforce Objects

• Creating Alerts for Configuration Changes: Setup Audit Trail

• Creating Alerts for Configuration Changes to Any Salesforce Object

• Creating Alerts for User Profiles

• Creating Alerts for Object History Tracking

• Creating Alerts for Mass Deletes and Transfers

• Creating Alerts for Running and Exporting Custom Reports

• Creating Alerts for Changes to Security Controls in Salesforce

• Creating Alerts for User Privilege Updates

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.


6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for Salesforce, see Condition Parameters for Salesforce Alerts.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.
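The selections above combine in a fixed way: resource name-action pairs are ORed, username entries fire on any one match, and conditions are ANDed. The following Python model is an added example, not Oracle CASB Cloud Service code; the event fields, the operator semantics, and searching the regular expression anywhere in the resource name are assumptions. It evaluates constructed events against constructed policies so you can see how these combinations behave, and why the Tip about pasting a Setup Audit Trail Action value into the regular expression needs that value escaped.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events in the shape of normalised Setup Audit Trail entries
# (not real Salesforce or CASB data; field names are assumptions).
EVENTS = [
    {"user": "admin@example.com", "resource": "Setup Audit Trail",
     "name": "Changed password policy", "action": "Update", "ip": "10.0.0.5"},
    {"user": "alice@example.com", "resource": "Setup Audit Trail",
     "name": "Mass delete (Lead)", "action": "Delete", "ip": "203.0.113.9"},
    {"user": "contractor@example.com", "resource": "Profile",
     "name": "System Administrator", "action": "UpdateProfile", "ip": "203.0.113.9"},
    {"user": "alice@example.com", "resource": "Lead",
     "name": "Acme Corp lead", "action": "Delete", "ip": "10.0.0.8"},
]

# The Text operators offered in the Resource name drop-down list.
TEXT_OPERATORS = {
    "Equal to": lambda value, pattern: value == pattern,
    "Contains": lambda value, pattern: pattern in value,
    "Begins with": lambda value, pattern: value.startswith(pattern),
    "Ends with": lambda value, pattern: value.endswith(pattern),
}


def name_matches(mode, operator, pattern, name):
    """Model the Resource name field: Text with an operator, or Regular expression.
    Assumption: the regular expression is searched anywhere in the name."""
    if mode == "Regular expression":
        return re.search(pattern, name) is not None
    return TEXT_OPERATORS[operator](name, pattern)


def action_to_regex(action_text):
    """Escape an Action column value copied from the Setup Audit Trail so the
    parentheses and dots it often contains are matched literally."""
    return re.escape(action_text)


def username_filter_matches(mode, entries, user):
    """Model the Username page: comma-separated entries; the alert fires if any one
    entry is contained (or, for 'does not contain', not contained) in the user name."""
    parts = [p.strip() for p in entries.split(",") if p.strip()]
    if not parts:
        return True  # no username filter set
    if mode == "Username contains":
        return any(p in user for p in parts)
    return any(p not in user for p in parts)


def conditions_met(conditions, event):
    """Conditions page: every (parameter, operator, value) triple must hold (ANDed)."""
    return all(TEXT_OPERATORS[op](str(event.get(param, "")), value)
               for param, op, value in conditions)


@dataclass
class Policy:
    name: str
    resource: str
    pairs: list                       # (mode, operator, pattern, action); ORed
    username_mode: str = "Username contains"
    username_entries: str = ""
    conditions: list = field(default_factory=list)


def policy_matches(policy, event):
    """True when the event matches the resource type, any one resource name-action
    pair, the username filter, and all conditions."""
    if event["resource"] != policy.resource:
        return False
    pair_hit = any(
        name_matches(mode, op, pattern, event["name"])
        and action in ("Any", event["action"])
        for mode, op, pattern, action in policy.pairs)
    return (pair_hit
            and username_filter_matches(policy.username_mode,
                                        policy.username_entries, event["user"])
            and conditions_met(policy.conditions, event))


def evaluate(policies, events):
    """Return (policy name, user, resource name) for each event that triggers a policy."""
    return [(p.name, e["user"], e["name"])
            for e in events for p in policies if policy_matches(p, e)]


# Constructed policies mirroring the console selections described on this page.
POLICIES = [
    Policy("Mass delete by anyone", "Setup Audit Trail",
           [("Regular expression", None, action_to_regex("Mass delete (Lead)"), "Any")]),
    Policy("Contractor edits admin profile", "Profile",
           [("Text", "Contains", "Administrator", "UpdateProfile")],
           username_entries="contractor",
           conditions=[("ip", "Begins with", "203.0.113.")]),
    Policy("Lead deleted from outside", "Lead",
           [("Regular expression", None, ".*", "Delete")],
           conditions=[("ip", "Begins with", "203.")]),   # ANDed with the pair
]

if __name__ == "__main__":
    for alert in evaluate(POLICIES, EVENTS):
        print(alert)
```

The third policy never fires on the sample because its condition fails, even though its resource name-action pair matches; that is the ANDing the Note above describes.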

Creating Alerts for Standard Salesforce Objects

Create a policy to generate an alert for actions on standard Salesforce objects, such as Lead, Contact, and Contract.

You can create a policy to track changes to standard objects by selecting the object type (for example, Lead, Contact, Contract) and a related action.


Note:

Unlike automatically detected risks, a policy alert does not generate a corresponding ticket in the Incidents section of the console.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Lead, Contact, or Contract
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Any                        Matches any action.
Create                     A new lead, contact, or contract is created.
Update                     A lead, contact, or contract is updated.
Delete                     A lead, contact, or contract is removed.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Custom Salesforce Objects

Create policies to generate alerts for actions on custom Salesforce objects.


You can track changes to custom objects (the actual object definition, for example, MyLead) and individual records that belong to that custom object type (for example, a record that contains the string high value lead).

Note:

When configuring custom object policies, you must supply the API name for the custom object rather than its display name.

Creating Alerts for Changes to a Custom Object Configuration

Create a policy to generate an alert for any action on a custom object.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Custom Object
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Any                        Matches any action.
Create field               A custom field is created.
Create object              A custom object is created.
Delete field               A custom field is deleted.
Delete object              A custom object is deleted.
Update field               A custom field is updated.
Update object              A custom object is updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Changes to a Custom Object Record

Create a policy to generate an alert for any action on a custom object record.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Custom Object Record
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Any                        Matches any action.
Create                     A custom object record is created.
Update                     A custom object record is updated.
Delete                     A custom object record is deleted.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.


Creating Alerts for Configuration Changes: Setup Audit Trail

Create a policy to generate an alert for any action in the Setup Audit Trail.

The Setup Audit Trail section of the Salesforce console displays a log of all the administrative changes to your Salesforce configuration. You can create policies to detect almost any administrative action taken in Salesforce by using content from the Setup Audit Trail in the definition of a policy alert. For example, you can create a policy alert that tracks modifications to a privileged user profile.

Before creating alerts for administrator activity in Salesforce, you must be familiar with the events that appear in the Setup Audit Trail.

To view the Setup Audit Trail in Salesforce, go to the Setup, Administer section, Security Controls, View Setup Audit Trail.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Setup Audit Trail
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Any                        Matches any action.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.


Creating Alerts for Configuration Changes to Any Salesforce Object

Create a policy to generate an alert for updates to either standard or custom Salesforce objects.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Salesforce lets you keep track of configuration changes to standard objects (for example, Leads, Accounts, Contracts) and custom objects. These are tracked through its Setup Audit Trail (see Creating Alerts for Configuration Changes: Setup Audit Trail). For example, you can generate an alert if someone modifies the fields in a Contract object, which in turn affects anyone who creates or updates a contract.

Note:

You can track most modifications to standard and custom objects and fields. However, the Setup Audit Trail doesn't currently register modifications to custom fields within standard objects.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Setup Audit Trail
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.
                 As an alternative, you can identify the resource by a tag:
                 a. Drop down the Identify resource by name or tag list and select Tag.
                 b. Enter the complete tag name.
                 For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Salesforce Alerts.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Update                     An object is updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for User Profiles

Create a policy to generate an alert for changes to user profiles.

Salesforce administrators change user profiles in the Setup section, under Administer, Manage Users, in the Profiles section. They change user roles in Setup, under Administer, Manage Users, Roles. User profiles should not be changed often, so you may want to monitor for this type of activity.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Profile
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.
                 As an alternative, you can identify the resource by a tag:
                 a. Drop down the Identify resource by name or tag list and select Tag.
                 b. Enter the complete tag name.
                 For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Salesforce Alerts.

2. Specify an Action on the resource using the table below:

Action on this resource          Description
Assign                           Assigning a profile to a user.
CreateAdministrativePermissions  This tracks new administrative permissions in Salesforce.
ChangeGeneralUserPermission      This tracks new user permissions in Salesforce.
ChangeObjectPermission           This tracks changes to a user's ability to create, view, modify, and delete objects.
CreateProfile                    This action applies to both creating and cloning a profile.
DeleteProfile                    This tracks profile deletion.
UpdateProfile                    This tracks modifications to profiles.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Roles

Create a policy to generate an alert for changes to roles.

Salesforce administrators change roles in the Setup section, under Administer, Manage Users, in the Roles section.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Role
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.
                 As an alternative, you can identify the resource by a tag:
                 a. Drop down the Identify resource by name or tag list and select Tag.
                 b. Enter the complete tag name.
                 For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Salesforce Alerts.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Any                        Matches any action.
Assign Role                A role is assigned to a user.
Create Role                A new role is created.
Delete Role                A role is deleted.
Revoke Role                A role is revoked from a user.
Update Role                A role is updated.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Object History Tracking

Create a policy to generate an alert for events logged in object history tracking.

Salesforce lets you keep track of changes to standard objects such as Leads, Accounts, Contracts, and custom objects. These are tracked through its Setup Audit Trail (see Creating Alerts for Configuration Changes: Setup Audit Trail). This audit trail is important for accountability, so you may want to be alerted if someone turns off auditing for these objects.


For example, you can generate an alert if someone turns off the history tracking for a Lead or an Account object (which should never happen).

Note: Unlike automatically detected risks, a policy alert doesn't generate a corresponding ticket in the Incidents section of the console.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Setup Audit Trail
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.
                 As an alternative, you can identify the resource by a tag:
                 a. Drop down the Identify resource by name or tag list and select Tag.
                 b. Enter the complete tag name.
                 For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Salesforce Alerts.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Any                        Any action taken on this resource, as identified in the Criteria field of the Resource page.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.


Creating Alerts for Mass Deletes and Transfers

Create a policy to generate an alert for mass deletes or transfers.

Mass operations are recorded in Salesforce. The Setup Audit Trail displays bulk operations as "mass" events, for example, mass deletes. You can create policy alerts against the corresponding keywords in the Setup Audit Trail.

The Setup Audit Trail doesn't provide information about the quantity of the mass operation. However, you can create policy alerts related to mass operations for particular users, groups, times of day, or particular objects to be able to narrow your focus.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Setup Audit Trail
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Any                        Matches any action.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.


Creating Alerts for Running and Exporting Custom Reports

Create a policy to generate an alert when a custom report is run or exported.

In general, it takes 24 hours after a report is run for Salesforce to report this event to Oracle CASB Cloud Service. Currently, Oracle CASB Cloud Service only detects reports that users store in public folders or give other users read access to. Salesforce doesn't currently provide information about reports that users store in a personal custom folder.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Report
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.
                 As an alternative, you can identify the resource by a tag:
                 a. Drop down the Identify resource by name or tag list and select Tag.
                 b. Enter the complete tag name.
                 For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Salesforce Alerts.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Any                        Matches any action.
Async report run           An async report is run.
Report export              A report is exported.
Report run                 A report is run.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert is triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Changes to Security Controls in Salesforce

Create a policy to generate an alert for control modifications that are recorded in the Setup Audit Trail.

Each type of security control (for example, download methods, sharing settings) has a unique record type in the Setup Audit Trail.

Note:

The Oracle CASB Cloud Service monitors password policies and session settings by default. Currently, you must define policies for the remaining security controls.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Field            Value
Resource         Setup Audit Trail
Resource name    You must provide a name for the selected resource type. If you select:
                 • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial name.
                 • Regular expression, enter .* to match all names.
                 For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Salesforce Alerts.

2. Specify an Action on the resource using the table below:

Action on this resource    Description
Any                        Matches any action.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

Chapter 22Creating Policy Alerts for Salesforce

22-226

Page 551: Using Oracle CASB Cloud Service · When CASB Cloud Service Is Integrated with Oracle Identity Cloud Service1-6. Migrating from Non-Metered to Metered Tenant1-8. About Cloud Security

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for User Privilege Updates

Create a policy to generate an alert for changes in user privileges.

Prerequisite: You must start creating your new policy in Creating a Salesforce Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information below:

Resource: Setup Audit Trail

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names.

2. Specify an Action on the resource using the information below:

Action on This Resource / Description:

• Any: Any action taken on this role, as identified in the Criteria field of the resource page.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.


You are now on the Username page.

5. Return to Creating a Salesforce Policy and finish the steps to complete your policy alert, resuming at step 6.

Condition Parameters for Salesforce Alerts

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Salesforce.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for Salesforce.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

For each Parameter, the Operator choices and the Value to enter:

IP address v4
Operator: Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).
Value: A comma-separated list of IPv4 addresses.

Device
Operator: Include or exclude the selected device type.
Value: Mobile or Desktop.

Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).
Value: A time in 24-hour HH:MM:SS format.

CASB threat intelligence IP reputation
Operator: Equal to is the only option.
Value: To flag events from IP addresses with bad or good reputations, select Suspicious for bad reputations or Regular for good reputations.

City, State, or Country
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
Value: The name of the city, or the state or province, in the physical address that's associated with the IP address.

Permission
Operator: Trigger the alert if the named permission is affected (Equal to).
Value: The exact permission name.


Creating Policy Alerts for ServiceNow

Create custom policies to generate alerts for actions on resources that are specific to your ServiceNow environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can configure policies for activities such as adding or removing roles or scripts, updating incidents that are tagged as sensitive, and filtering policies by access client type or accessing IP address.

• Creating a ServiceNow Policy provides general instructions for creating a policy alert for any Office 365 component. Start creating your ServiceNow policy here.

• Condition Parameters for ServiceNow Alerts describes the condition parameters that are shared by alerts for ServiceNow objects.

Creating a ServiceNow Policy

Follow these general steps for any policy you create to generate an alert for actions in ServiceNow.

The following are general steps for creating a ServiceNow policy. After it's created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Application type: Select ServiceNow.

Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.


• Creating Alerts for ServiceNow Roles

• Creating Alerts for ServiceNow Users

• Creating Alerts for ServiceNow Incident Types

• Creating Alerts for ServiceNow Assets

• Creating Alerts for ServiceNow Scripts

• Creating Alerts for Bulk Exports from ServiceNow

When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for ServiceNow, see Condition Parameters for ServiceNow Alerts. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.


9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for ServiceNow Alerts

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for ServiceNow.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for ServiceNow.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

For each Parameter, the Operator choices and a Description of the value:

Timestamp
Operator: The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).
Description: A time in 24-hour HH:MM:SS format.

Tag
Operator: Specify Equal to, Not Equal to, In, or Not in.
Description: Comma-separated list of Tag Names.
Note: This parameter only applies to the Incident, Role, Asset, Script, and User resource types.

City, State, or Country
Operator:
• Equal to requires matching the name you enter in Value.
• Not Equal to requires not matching the name you enter in Value.
• In requires matching any one of several names you enter in Value.
• Not in requires matching none of several names you enter in Value.
Description: The name of the city, or the state or province, in the physical address that's associated with the IP address.

Priority
Operator: Specify Equal to, Not Equal to, Greater than, or Less than.
Description: Select from Critical, High, Moderate, Low, or Planning.
Note: This parameter only applies to the Incident resource type.

Elevated Privileges
Operator: Select True or False. Equal to is the only option.
Note: This parameter only applies to the Role resource type.
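The way the selections from the Creating a ServiceNow Policy steps above combine at evaluation time (resource name-action pairs ORed, conditions ANDed, username entries matched individually, Timestamp compared in GMT) is easy to get wrong when tuning a policy, so here it is as a small model in Python. This is an added example, not Oracle's code or the service's actual implementation; the policies, sample events, Tag list semantics and the Timestamp operator labels are assumptions.

```python
"""Added example (not Oracle's code) modelling how the wizard's selections combine when
Oracle CASB Cloud Service evaluates an event, as this page describes: Resource name-Action
pairs are ORed, Conditions are ANDed, the Username filter fires when any comma-separated
entry is (or is not) contained in the user name, and Timestamp is compared in GMT.
Policies, events, Tag list semantics and the Timestamp operator labels are assumptions."""
import re
from datetime import datetime, timedelta, timezone


def name_matches(spec, resource_name):
    """Resource name selector: ("Text", operator, value) or ("Regular expression", pattern)."""
    if spec[0] == "Regular expression":
        return re.fullmatch(spec[1], resource_name) is not None
    _, op, value = spec
    return {"Equal to": resource_name == value,
            "Contains": value in resource_name,
            "Begins with": resource_name.startswith(value),
            "Ends with": resource_name.endswith(value)}[op]


def username_matches(filt, username):
    """Username page: ("Username contains" | "Username does not contain", "a,b")."""
    if filt is None:
        return True
    mode, entries = filt
    contained = [e.strip() in username for e in entries.split(",") if e.strip()]
    # Any one entry contained (or, for the negative form, not contained) triggers.
    return any(contained) if mode == "Username contains" else not all(contained)


def condition_holds(cond, event):
    """One row of the Conditions page: (parameter, operator, value)."""
    param, op, value = cond
    if param == "Timestamp":
        # Only the time of day is compared, as 24-hour HH:MM:SS in GMT.
        hhmmss = event["timestamp"].astimezone(timezone.utc).strftime("%H:%M:%S")
        return {"Equal to": hhmmss == value, "Later than": hhmmss > value,
                "Earlier than": hhmmss < value}[op]
    if param == "Elevated Privileges":  # Role resources only; Equal to is the only option
        return event["elevated"] == value
    if param == "Tag":  # assumed: Value is a comma-separated list of tag names
        wanted = {v.strip() for v in value.split(",")}
        tags = set(event["tags"])
        return {"Equal to": tags == wanted, "Not Equal to": tags != wanted,
                "In": bool(tags & wanted), "Not in": not (tags & wanted)}[op]
    raise ValueError(f"unsupported parameter {param!r}")


def policy_matches(policy, event):
    """True when the event would add an alert to Risk Events for this policy."""
    if event["resource_type"] != policy["resource"]:
        return False
    pair_hit = any(name_matches(spec, event["resource_name"])
                   and action in ("Any", event["action"])
                   for spec, action in policy["pairs"])  # pairs are ORed
    return (pair_hit
            and username_matches(policy.get("username"), event["user"])
            and all(condition_holds(c, event)
                    for c in policy.get("conditions", ())))  # conditions are ANDed


def alerts_for(policies, events):
    # (policy name, event id) for every policy/event combination that alerts
    return [(p["name"], e["id"]) for e in events for p in policies if policy_matches(p, e)]


def _event(id, rtype, rname, action, user, ts, tags=(), elevated=False):
    return {"id": id, "resource_type": rtype, "resource_name": rname, "action": action,
            "user": user, "timestamp": ts, "tags": list(tags), "elevated": elevated}


# Constructed policies, one selection per wizard page.
POLICIES = [
    {"name": "bulk-export-after-hours", "resource": "Table",
     "pairs": [(("Regular expression", ".*"), "List export")],
     "username": ("Username does not contain", "svc-"),
     "conditions": [("Timestamp", "Later than", "18:00:00")]},
    {"name": "admin-role-granted", "resource": "Role",
     "pairs": [(("Text", "Contains", "admin"), "Added"),
               (("Text", "Contains", "admin"), "Security elevated role enabled")],
     "conditions": [("Elevated Privileges", "Equal to", True),
                    ("Tag", "In", "prod,sensitive")]},
]

# Constructed ServiceNow-style events; each timestamp carries its own UTC offset.
UTC, MINUS4 = timezone.utc, timezone(timedelta(hours=-4))
EVENTS = [
    _event(1, "Table", "incident", "List export", "jdoe",
           datetime(2020, 7, 1, 17, 15, tzinfo=MINUS4)),  # 21:15 GMT: alert
    _event(2, "Table", "incident", "List export", "svc-reporting",
           datetime(2020, 7, 1, 21, 15, tzinfo=UTC)),     # Username filter: no alert
    _event(3, "Table", "incident", "List export", "jdoe",
           datetime(2020, 7, 1, 10, 0, tzinfo=UTC)),      # before 18:00 GMT: no alert
    _event(4, "Role", "security_admin", "Added", "asmith",
           datetime(2020, 7, 1, 12, 0, tzinfo=UTC), tags=["prod"], elevated=True),  # alert
    _event(5, "Role", "security_admin", "Update", "asmith",
           datetime(2020, 7, 1, 12, 0, tzinfo=UTC), tags=["prod"], elevated=True),  # no pair
]

if __name__ == "__main__":
    print(alerts_for(POLICIES, EVENTS))  # [('bulk-export-after-hours', 1), ('admin-role-granted', 4)]
```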

Creating Alerts for ServiceNow Roles

Create alerts for operations that affect ServiceNow roles.

You can create alerts for activity related to ServiceNow roles. For example, you can monitor for administrators who are creating too many privileged roles or users who are performing impersonation.

Prerequisite: You must start creating your new policy in Creating a ServiceNow Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information below:

Resource: Role

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names.

As an alternative, you can identify the resource by a tag:

a. Drop down the Identify resource by name or tag list and select Tag.

b. Enter the complete tag name.

For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. Specify an Action on the resource using the information below:

Action on This Resource / Description:

• Added: Granting a role to a user (added to the user's privileges)

• Any: Any action taken on this role, as identified in the Criteria field of the resource page.

• Delete: Removing a role

• Insert: Creating a role

• Removed: Revoking a role (taking the role away from a user)

• Security elevated role disabled: Ending the assignment of elevated privileges for a user

• Security elevated role enabled: Giving a user elevated privileges

• Update: Modifying a role definition

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a ServiceNow Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for ServiceNow Users

Create alerts for operations that affect ServiceNow users.

You can create alerts for activity related to ServiceNow users. For example, you can monitor for administrators who are adding users, or you can create a complex policy to find users who are adding users and then assigning particular roles to them.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information below:

Resource: User

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names.

As an alternative, you can identify the resource by a tag:

a. Drop down the Identify resource by name or tag list and select Tag.

b. Enter the complete tag name.

For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. Specify an Action on the resource using the information below:

Action on This Resource / Description:

• Any: Any action taken on this user, as identified in the Criteria field of the resource page

• Delete: Removing a user

• Impersonation end: Ending the use of an assumed role

• Impersonation start: Starting to use an assumed role

• Insert: Creating a user

• Update: Modifying a user's definition

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a ServiceNow Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for ServiceNow Incident Types

Create alerts for operations that are related to ServiceNow incidents.

You can create alerts for activity related to ServiceNow incidents. For example, you can monitor for tickets related to the ServiceNow database or network, and filter by priority level.

Prerequisite: You must start creating your new policy in Creating a ServiceNow Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information below:

Resource: One of the Incident... categories:

• Incident (Category: Database)
• Incident (Category: Hardware)
• Incident (Category: Inquiry/Help)
• Incident (Category: Network)
• Incident (Category: Request)
• Incident (Category: Software)

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names.

As an alternative, you can identify the resource by a tag:

a. Drop down the Identify resource by name or tag list and select Tag.

b. Enter the complete tag name.

For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. Specify an Action on the resource using the information below:

Action on This Resource / Description:

• Any: Any action taken on this incident, as identified in the Criteria field of the resource page

• Attachment deleted: Deleting a document uploaded to the incident

• Attachment uploaded: Attaching a document to the incident

• Delete: Deleting an incident report

• Incident assigned: The user assigned to resolve the incident

• Incident commented: Adding a comment to the incident

• Incident assigned to group: The group assigned to resolve the incident

• Incident inserted: Creating an incident report

• Incident updated: Modifying an incident report

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a ServiceNow Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for ServiceNow Assets

Create alerts for operations that affect ServiceNow assets.

You can create alerts for activity related to ServiceNow assets. For example, you can monitor for administrators who are updating information related to sensitive corporate assets.

Prerequisite: You must start creating your new policy in Creating a ServiceNow Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information below:

Resource: Asset

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names.

As an alternative, you can identify the resource by a tag:

a. Drop down the Identify resource by name or tag list and select Tag.

b. Enter the complete tag name.

For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. Specify an Action on the resource using the information below:

Action on This Resource / Description:

• Any: Any action taken on this asset, as identified in the Criteria field of the resource page

• Insert: Creating an asset

• Update: Modifying an asset definition

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a ServiceNow Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for ServiceNow Scripts

Create alerts for operations that affect ServiceNow scripts.

You can create alerts for activity related to ServiceNow scripts. For example, you can monitor for administrators who seem to be creating or updating an unusual number of scripts.

Prerequisite: You must start creating your new policy in Creating a ServiceNow Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information below:

Resource: Script

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names.

As an alternative, you can identify the resource by a tag:

a. Drop down the Identify resource by name or tag list and select Tag.

b. Enter the complete tag name.

For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. Specify an Action on the resource using the information below:

Action on This Resource / Description:

• Any: Any action taken on this incident, as identified in the Criteria field of the resource page

• Delete: Deleting a script

• Insert: Creating a script

• Update: Modifying a script

Creating Alerts for Bulk Exports from ServiceNow

Create alerts for users who perform bulk exports of ServiceNow data.

When creating a policy for ServiceNow, you can identify users who have done bulk exports by selecting the resource type of Table and the action List export.

Prerequisite: You must start creating your new policy in Creating a ServiceNow Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information below:

Resource: Table

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial name.

• Regular expression, enter .* to match all names.

As an alternative, you can identify the resource by a tag:

a. Drop down the Identify resource by name or tag list and select Tag.

b. Enter the complete tag name.

For more flexibility in using tag names to target resources, select Tag as a Parameter in the Conditions step in Condition Parameters for Box Alerts.

2. Specify an Action on the resource using the information below:

Action on This Resource / Description:

• Any: Any action taken on this role, as identified in the Criteria field of the resource page.

• List export: Performing a bulk export of the table data

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a ServiceNow Policy and finish the steps to complete your policy alert, resuming at step 6.


Creating Policy Alerts for Slack

Create custom policies to generate alerts for actions on resources that are specific to your Slack environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can configure policies that alert you for activities such as creating new files and modifying public channels.

Caution:

If your Slack account does not provide direct access to private channels and direct messages to the user registered with Oracle CASB Cloud Service, this information is not collected. Reports and policy alerts will show nothing, or only the public channel data that is available.

• Creating a Slack Policy provides general instructions for creating a policy alert for any Slack component. Start creating your Slack policy here.

Creating a Slack Policy

Follow these general steps for any policy you create to generate an alert for actions in Slack.

Oracle CASB Cloud Service displays an alert in Risk Events whenever an event occurs that matches the policy conditions.

The following are general steps for creating a Slack policy that generates an alert whenever an event occurs that matches the policy conditions. Oracle CASB Cloud Service displays all alerts in Risk Events. Optionally, you can also choose to receive an email notification.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Custom tab, click New Policy.

3. In the Name page:

a. Enter a name for the policy.

b. (Optional) Enter a description.

c. Select a Priority.

d. If you want policy violations to be included in user risk score computations, select Include in user risk score.

e. Click Next.

4. On the Resource page, make these selections.

Application type: Select Slack.

Application instance: The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

• Creating Alerts for Slack Direct Messages

• Creating Alerts for Slack Files

• Creating Alerts for Slack Private Channels

• Creating Alerts for Slack Public Channels

When you finish making the rest of the selections on the Resource page, followthe link at the end of that topic to return to this page and continue with the nextstep below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.

a. In the drop-down list, select Username contains or Username does not contain.

b. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

c. Click Next to go on to the next page.

7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

a. Click Add condition or Add Free-Form Condition.

b. Select a Parameter, an Operator, and a Value from the drop-down lists.

In free-form conditions, you enter values for Parameter and Value.

c. To add another condition or free-form condition, repeat the 3 steps above.

Note:

When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.

d. Click Next to go on to the next page.

8. On the Action page, set your notifications:

• Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.


• Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Creating Alerts for Slack Direct Messages

Review the actions and conditions that are available in the Resources page of the policy creation wizard when the Resource is Direct Message.

You can create alerts for activity related to Slack files.

Caution:

If your Slack account does not provide direct access to private channels and direct messages to the user registered with Oracle CASB Cloud Service, this information is not collected. Reports and policy alerts will show nothing, or only the public channel data that is available.

Prerequisite: You must start creating your new policy in Creating a Slack Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Direct Message

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial rule name.

• Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

Any: Matches any action.

Direct Message Close: The direct message has been closed.

Direct Message Created: The direct message has been created.

Direct Message Opened: The direct message has been opened.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.


• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Slack Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Slack Files

Create alerts for operations that affect Slack Files.

Prerequisite: You must start creating your new policy in Creating a Slack Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: File

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial rule name.

• Regular expression, enter .* to match all email retention rules.

As an alternative, you can identify the resource by a tag:

a. Drop down the Identify resource by name or tag list and select Tag.

b. Enter the complete tag name.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this role, as identified in the Criteria field of the resource page.

File changed: A file was changed.

File created: A file was created.

File deleted: A file was deleted.

File shared in channel: A file was shared in a channel.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.


• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Slack Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Slack Private Channels

Review the actions and conditions that are available in the Resources page of the policy creation wizard when the Resource is Private Channel.

You can create alerts for activity related to Slack private channels.

Caution:

If your Slack account does not provide direct access to private channels and direct messages to the user registered with Oracle CASB Cloud Service, this information is not collected. Reports and policy alerts will show nothing, or only the public channel data that is available.

Prerequisite: You must start creating your new policy in Creating a Slack Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Private Channel

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial rule name.

• Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

Any: Matches any action.

Private Channel Archived: The private channel has been archived.

Private Channel History Changed: The private channel's history has been changed.

Private Channel Purpose Edited: The private channel's purpose has been edited.

Private Channel Renamed: The private channel has been renamed.


3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Slack Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Slack Public Channels

Create alerts for operations that affect Slack public channels.

You can create alerts for activity related to Slack roles. For example, you can monitor for administrators who are creating too many privileged roles or users who are performing impersonation.

Prerequisite: You must start creating your new policy in Creating a Slack Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

Resource: Public Channel

Resource name: You must provide a name for the selected resource type. If you select:

• Text, select an operator from the drop-down list (Equal to, Contains, Begins with or Ends with) and enter a full or partial rule name.

• Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

Any: Any action taken on this role, as identified in the Criteria field of the resource page.

Public Channel History changed: The public channel's history was changed.

Public Channel archived: The public channel was archived.

Public Channel created: The public channel was created.

Public Channel deleted: The public channel's purpose was deleted.


3. (Optional) Add more Resource name-Action pairs to refine your policy.

You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

• Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

• Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

You are now on the Username page.

5. Return to Creating a Slack Policy and finish the steps to complete your policy alert, resuming at step 6.
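As an added example that is not Oracle's code, the following Python simulates how the selections made in Creating a Slack Policy and the four resource topics above combine when an event is evaluated: any one resource name-action pair may match, any one of the comma-separated Username entries may match, and every row on the Conditions page must hold (ANDed). The event field names, the condition operators (Equal to / Not equal to) and the sample events are constructed assumptions for illustration, not the product's schema.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Operators offered when the Resource name is entered as Text.
TEXT_OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equal to": lambda name, value: name == value,
    "Contains": lambda name, value: value in name,
    "Begins with": lambda name, value: name.startswith(value),
    "Ends with": lambda name, value: name.endswith(value),
}


@dataclass
class ResourceAction:
    """One resource name-action pair from the Resource page."""
    resource: str      # Resource field, e.g. "Private Channel" or "File"
    name_mode: str     # "Text" or "Regular expression"
    value: str         # text fragment or regular expression
    action: str        # an action from the table for that resource, or "Any"
    operator: str = "Contains"  # only used when name_mode is "Text"

    def matches(self, event: dict) -> bool:
        if event["resource"] != self.resource:
            return False
        if self.name_mode == "Regular expression":
            name_ok = re.fullmatch(self.value, event["name"]) is not None
        else:
            name_ok = TEXT_OPERATORS[self.operator](event["name"], self.value)
        return name_ok and self.action in ("Any", event["action"])


@dataclass
class Condition:
    """One row on the Conditions page. The page does not list the operators;
    'Equal to' and 'Not equal to' are assumed here for illustration."""
    parameter: str
    operator: str
    value: str

    def holds(self, event: dict) -> bool:
        actual = event.get("parameters", {}).get(self.parameter)
        if self.operator == "Equal to":
            return actual == self.value
        if self.operator == "Not equal to":
            return actual != self.value
        raise ValueError(f"unsupported operator: {self.operator}")


@dataclass
class SlackPolicy:
    name: str
    pairs: List[ResourceAction]                 # ORed: any one pair may match
    username_filter: Optional[str] = None       # "contains" or "does not contain"
    username_entries: str = ""                  # comma-separated, as typed in the box
    conditions: List[Condition] = field(default_factory=list)  # ANDed

    def username_ok(self, user: str) -> bool:
        if self.username_filter is None:
            return True
        entries = [e.strip() for e in self.username_entries.split(",") if e.strip()]
        if self.username_filter == "contains":
            return any(e in user for e in entries)
        return any(e not in user for e in entries)

    def evaluate(self, event: dict) -> bool:
        return (any(p.matches(event) for p in self.pairs)
                and self.username_ok(event["user"])
                and all(c.holds(event) for c in self.conditions))


def alerts_for(policy: SlackPolicy, events: List[dict]) -> List[str]:
    """Return the ids of the events that would appear as alerts in Risk Events."""
    return [e["id"] for e in events if policy.evaluate(e)]


# Constructed sample policy: any action on finance-* private channels and deletion
# of .xlsx files, only for the named users, only when the workspace is "corp".
SAMPLE_POLICY = SlackPolicy(
    name="Finance channel and spreadsheet watch",
    pairs=[
        ResourceAction("Private Channel", "Text", "finance", "Any", operator="Begins with"),
        ResourceAction("File", "Regular expression", r".*\.xlsx", "File deleted"),
    ],
    username_filter="contains",
    username_entries="alice, contractor",
    conditions=[Condition("workspace", "Equal to", "corp")],
)

# Constructed sample events (field names are illustrative, not the product's schema).
SAMPLE_EVENTS = [
    {"id": "evt-1", "resource": "Private Channel", "name": "finance-confidential",
     "action": "Private Channel Archived", "user": "alice@example.com",
     "parameters": {"workspace": "corp"}},
    {"id": "evt-2", "resource": "Public Channel", "name": "random-fun",
     "action": "Public Channel created", "user": "bob@example.com",
     "parameters": {"workspace": "corp"}},
    {"id": "evt-3", "resource": "File", "name": "q3-forecast.xlsx",
     "action": "File deleted", "user": "contractor-eve@example.com",
     "parameters": {"workspace": "corp"}},
    {"id": "evt-4", "resource": "Private Channel", "name": "finance-confidential",
     "action": "Private Channel Renamed", "user": "alice@example.com",
     "parameters": {"workspace": "dev"}},   # pair matches but the ANDed condition fails
]

if __name__ == "__main__":
    print(alerts_for(SAMPLE_POLICY, SAMPLE_EVENTS))  # ['evt-1', 'evt-3']
```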


23 Maintaining Secure Configuration Settings

Take steps as needed to ensure that your security configuration settings provide optimal protection.

Oracle CASB Cloud Service monitors most cloud services for weak or non-compliant security configurations.

Topics:

• Typical Workflow for Maintaining Secure Configuration Settings

• About Security Configuration Monitoring

• Managing Weak or Noncompliant Security Controls

• Putting IP Addresses on Blacklists or Whitelists

• Pushing Security Control Values to an Application Instance

Typical Workflow for Maintaining Secure Configuration Settings

With Oracle CASB Cloud Service, you can monitor most cloud services for weak or non-compliant security configurations.

Task: Understand security configuration monitoring.
Description: You can learn about how Oracle CASB Cloud Service can help maintain security configurations for a cloud app or service.
Additional Information: About Security Configuration Monitoring

Task: Manage security controls.
Description: You can manage alerts that Oracle CASB Cloud Service generates when it detects non-conforming security configuration values.
Additional Information: Managing Weak or Noncompliant Security Controls

Task: Manage suspicious IP addresses.
Description: You can use Oracle CASB Cloud Service to monitor for suspicious IP addresses and address ranges, and whitelist or blacklist them.
Additional Information: Putting IP Addresses on Blacklists or Whitelists

Task: Push security control values.
Description: You can have Oracle CASB Cloud Service set configuration values in an AWS, Box, or Salesforce application instance.
Additional Information: Pushing Security Control Values to an Application Instance


About Security Configuration Monitoring

Understand how Oracle CASB Cloud Service can help maintain security configurations for a cloud application or service.

All enterprise cloud applications have security-related settings, such as requirements for password complexity and automatic timeouts for sessions that are idle, that are your first line of defense for protecting your data and users. For example, when users are permitted to keep idle sessions for hours at a time, it greatly increases the risk of their accounts being compromised.

When an Oracle CASB Cloud Service administrator registers a cloud application or service, Oracle CASB Cloud Service establishes a baseline for various security controls in the instance, and generates risk events when the instance's settings deviate from the baseline.

Some of the security settings that Oracle CASB Cloud Service monitors are generic, for example, password complexity requirements. Many of the settings are specific to the cloud application or service, and without Oracle CASB Cloud Service these would require expertise in the service to configure correctly. For example, Oracle CASB Cloud Service automatically monitors Amazon Web Services (AWS) for insecure S3 bucket encryption settings, weak network ACLs, and security groups with sensitive ports that are exposed to the internet.

There are a few ways that Oracle CASB Cloud Service can help maintain security configurations for a cloud application or service:

• When you add or register a cloud application, as described in Registering Cloud Applications with Oracle CASB Cloud Service in Monitor-only mode, Oracle CASB Cloud Service automatically alerts you when it detects security configuration settings in the application that diverge from Oracle CASB Cloud Service's internal benchmarks.

• When you register a cloud application or service in Monitor and push controls mode, you select the settings that you want to configure in the application or service. When registration is complete, Oracle CASB Cloud Service automatically updates the security configuration settings in the application or service, and then subsequently alerts you when it detects any modifications to these settings.

• You can create incident tickets for non-compliant security controls, and export the tickets to a central system.

Note:

Monitoring for weak security settings isn't supported for Office 365.

Managing Weak or Noncompliant Security Controls

Locate and resolve security controls issues in Risk Events.

Some of the risks that Oracle CASB Cloud Service detects are related to non-conforming security configuration values. Oracle CASB Cloud Service alerts you when it detects non-conforming security configuration values, for example, the minimum password length or the length of time a user's session can be idle before an automatic timeout occurs.

To respond to a security control alert, you can either update the setting in the cloud application manually, or in some cases, you can have Oracle CASB Cloud Service perform the update on your behalf.

1. From the Dashboard, click the “Non-compliant security controls” number in the Health Summary card to view non-compliant security alerts for all applications on the Risk Events page (CATEGORY column lists only “Security control” entries).

2. From the Applications page, to view all non-compliant security alerts for a single application on the Risk Events page:

a. In grid view, click the count of non-compliant security control alerts for an application that appears in the SECURITY ALERTS column for the application.

b. In card view, click an application tile to see the Health Summary card for that application, then click the “Security controls” number.

3. On the Risk Events page, view the description of the non-compliant security control that triggered the alert in the SUMMARY column for the alert.

The SUMMARY column displays the label for the security control as it appears in the related application or service. For example, Box has these security controls:

• Minimum number of uppercase letters

• Require at least one number

• Require a mixture of letters and numbers

4. Click any row in the risk events list to view details about the security control risk, including its current value and Oracle CASB Cloud Service's recommended value.

For example, if a cloud application only requires 5 characters in a password, then the recommended value might be 10 characters. The recommended value is the Oracle CASB Cloud Service baseline:

• If you register a cloud application instance in monitor-only mode, then Oracle CASB Cloud Service uses its own stringent settings as the baseline.

• If you register an application in push controls mode, then Oracle CASB Cloud Service sets your preferred values in the cloud application, and then generates an alert if anyone modifies that value in the cloud application.

5. To manage the security control risk, click the Actions drop-down menu and do one of the following:

• If a ticket already exists for this risk, click View incident. This lets you create a ticket for tracking this problem to completion in Tracking Incident Tickets.

• To create a ticket, click Create incident. Oracle CASB Cloud Service populates the incident ticket with information from the risk event, and you can add details about the incident. When you are done, click New incident. Oracle CASB Cloud Service creates a new incident ticket that you can track to completion in Tracking Incident Tickets.

• If you feel the risk doesn't merit attention at this time, click Dismiss. To prevent Oracle CASB Cloud Service from generating additional alerts about this risk, you can update the security control baseline for this application instance. See Updating the Security Control Baseline for an Application Instance.

Putting IP Addresses on Blacklists or Whitelists

Add an IP address to a blacklist to automatically generate an alert when the IP address is detected, or add an IP address to a whitelist to suppress alerts when it is detected.

Oracle CASB Cloud Service ingests information about suspicious IP addresses from external threat feeds. These are listed in the Configuration section of the console, Manage IP Addresses page. In addition to discovering suspicious IP addresses from third parties, Oracle CASB Cloud Service can monitor for specific IP addresses and address ranges, and either whitelist or blacklist them.

• Blacklisting: Oracle CASB Cloud Service creates threat alerts when it detects access from these IP addresses or address ranges.

• Whitelisting: Oracle CASB Cloud Service never creates threat alerts when it detects one of these IP addresses or address ranges.

You can apply blacklisting and whitelisting universally or restrict it to particular application instances.

Exceptions to this functionality:

• Salesforce whitelists. For IP addresses that are already defined as Restricted IPs in Salesforce, Oracle CASB Cloud Service doesn't duplicate the alerting that Salesforce does. However, Oracle CASB Cloud Service continues to generate threat alerts for suspicious activity from these IP addresses (for example, evidence of brute-force attacks).

• Office 365. You currently can't whitelist IP addresses that access Office 365 Exchange.

You can also designate trusted IP addresses and users that are to be excluded from consideration by the threat engine and user behavior analytics. For this functionality, you provide the information about the trusted entities directly to Oracle CASB Cloud Service.


Note:

You can control automatic whitelisting of trusted network addresses by selecting or deselecting the Allow Oracle CASB to automatically whitelist trusted network addresses check box, above the Blacklist and Whitelist tabs.

If the Allow Oracle CASB to automatically whitelist trusted network addresses check box is selected, trusted network addresses are automatically whitelisted. A "trusted network address" meets the example criteria below:

• The IP address is not associated with any Tor network, botnet command and control server, or terrorist organization or state sponsor of terrorism as defined by the United States Department of State.

• The top level domain linked to an IP Address and/or CIDR block is owned or leased from a known cloud services or infrastructure provider (for example, Microsoft, AWS, or Google).

• The networking address is owned or leased by your organization.

• The entry and exit ASN (autonomous system number) in the traceroute are owned by a reputable company.

1. Select Configuration, Manage IP addresses from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Select the tab for the action you want to take:

• Blacklist: to blacklist IP addresses. If a user or web service accesses a monitored application from this address, then generate a threat and update the Access Map in the Dashboard with a red pin.

• Whitelist: to whitelist IP addresses. If a user or web service accesses a monitored application from this address, then classify this as a normal access.

3. Click Add IP Address.

4. From the Address format list, select any of the following:

• IPV4: provide an IP address in the IPv4 format in the corresponding field.

• IPV4 CIDR: provide an IP address in the IPv4 CIDR format in the corresponding field.

• IPV4 Range: provide a range of IPv4 addresses in the corresponding fields.

• IPV6: provide an IP address in the IPv6 format in the corresponding field.

Note:

Compact formats are not accepted for IPv6 addresses.

• IPV6 CIDR: provide an IP address in the IPv6 CIDR format in the corresponding field.


Note:

You can also specify IPv6 CIDR addresses in the compact format.

• IPV6 Range: provide a range of IPv6 addresses in the corresponding fields.

Note:

Compact formats are not accepted for IPv6 addresses.

Note:

For IPv6 CIDR addresses, IP address combinations starting with "fe" (for example, fexx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/<subnet>) with the subnet range 0 - 8, are not accepted.

5. Enter a description (for example, what's being blacklisted and why).

6. Select the cloud applications and instances that these IP addresses apply to.

In general, whitelists should be restricted to particular instances because Oracle CASB Cloud Service will flag access attempts from all IP addresses outside of the whitelist.

7. Click Save.
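As an added example that is not part of the Oracle documentation, this Python pre-checks a batch of entries against the Address format choices and notes described in step 4 before they are typed into the Add IP Address dialog, so that a bulk blacklist or whitelist import is not rejected entry by entry. Two points are assumptions: "compact" IPv6 is read as anything other than eight four-digit groups (the fexx:xxxx:... pattern in the note), and CIDR entries with host bits set are tolerated because the page does not say how the console treats them.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Fully expanded IPv6: eight groups of four hex digits, no "::" compression.
# Assumption: this is the non-compact shape the console accepts for IPV6 and IPV6 Range.
EXPANDED_IPV6 = re.compile(r"^[0-9A-Fa-f]{4}(:[0-9A-Fa-f]{4}){7}$")


def check_entry(address_format: str, value: str, end: Optional[str] = None) -> Optional[str]:
    """Return None if the entry looks acceptable for the chosen Address format,
    otherwise a short reason. `end` is the second field of a Range entry."""
    try:
        if address_format == "IPV4":
            ipaddress.IPv4Address(value)
        elif address_format == "IPV4 CIDR":
            # strict=False tolerates host bits (assumption, see lead-in)
            ipaddress.IPv4Network(value, strict=False)
        elif address_format == "IPV4 Range":
            if end is None:
                return "a range needs both a start and an end address"
            if ipaddress.IPv4Address(value) > ipaddress.IPv4Address(end):
                return "range start is after range end"
        elif address_format == "IPV6":
            ipaddress.IPv6Address(value)
            if not EXPANDED_IPV6.match(value):
                return "compact IPv6 form not accepted; write all eight four-digit groups"
        elif address_format == "IPV6 CIDR":
            network = ipaddress.IPv6Network(value, strict=False)   # compact form is allowed here
            # Note on the page: "fe..." combinations with subnet 0 - 8 are rejected
            if value.split("/")[0].lower().startswith("fe") and network.prefixlen <= 8:
                return "IPv6 CIDR starting with 'fe' with subnet 0-8 is not accepted"
        elif address_format == "IPV6 Range":
            if end is None:
                return "a range needs both a start and an end address"
            if not (EXPANDED_IPV6.match(value) and EXPANDED_IPV6.match(end)):
                return "compact IPv6 form not accepted; write all eight four-digit groups"
            if ipaddress.IPv6Address(value) > ipaddress.IPv6Address(end):
                return "range start is after range end"
        else:
            return f"unknown address format: {address_format}"
    except ValueError as exc:
        return f"not a valid address for this format: {exc}"
    return None


def check_entries(entries: List[Tuple]) -> List[Tuple[str, str, str]]:
    """Check (format, value[, end]) tuples and return those that would be rejected."""
    problems = []
    for entry in entries:
        fmt, value = entry[0], entry[1]
        end = entry[2] if len(entry) > 2 else None
        reason = check_entry(fmt, value, end)
        if reason is not None:
            problems.append((fmt, value, reason))
    return problems


# Constructed sample entries, as they might be typed into the Add IP Address dialog.
SAMPLE_ENTRIES = [
    ("IPV4", "203.0.113.7"),
    ("IPV4 CIDR", "198.51.100.0/24"),
    ("IPV4 Range", "192.0.2.10", "192.0.2.1"),          # start after end
    ("IPV6", "2001:db8::1"),                              # compact form: rejected
    ("IPV6", "2001:0db8:0000:0000:0000:0000:0000:0001"),  # expanded form: accepted
    ("IPV6 CIDR", "2001:db8::/32"),                       # compact form allowed for CIDR
    ("IPV6 CIDR", "fe80::/8"),                            # "fe" with subnet 0-8: rejected
    ("IPV6 CIDR", "fe80::/64"),
]

if __name__ == "__main__":
    for fmt, value, reason in check_entries(SAMPLE_ENTRIES):
        print(f"{fmt}: {value}: {reason}")
```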

You can search for IP addresses that you’ve added to your whitelist or blacklist:

1. Select Configuration, Manage IP addresses from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Select the tab in which you want to search for IP addresses.

3. Click the Search icon and enter text to search for.

Note:

Text can appear in any field in the IP address record.

Pushing Security Control Values to an Application Instance

Understand how Oracle CASB Cloud Service can push security control values to applications that support this feature.

You can have Oracle CASB Cloud Service set configuration values in an AWS, Box, or Salesforce application instance.

By default, Oracle CASB Cloud Service automatically notifies you if a registered cloud application or service has security control settings that should be strengthened to comply with best practices. For example, it automatically sets the password minimum length control in the application to ensure that this value meets a baseline value.


Related Topics:

• Security Control Values for AWS (Push Controls/Read-Write)

• Security Control Values for Box (Push Controls/Read-Write)

• Security Control Values for Salesforce (Push Controls/Read-Write)


24 Discovering Shadow Applications

Use Oracle CASB Cloud Service – Discovery to find applications that are not explicitly authorized, but are running in your environment and may present a security threat.

Oracle CASB Cloud Service Discovery allows you to uncover any applications or plug-ins that don't have explicit organizational approval.

Topics:

• Typical Workflow for Discovering Shadow Applications

• About Discovering Shadow Applications

• Subscribing to Oracle CASB Cloud Service — Discovery

• Manually Uploading a Log File

• Setting Up Automatic Upload of Log Files

• Viewing Discovered Applications and Understanding the Results

• App Discovery Reference

Typical Workflow for Discovering Shadow Applications

With Oracle CASB Cloud Service, you can uncover any apps or plug-ins that do not have explicit organizational approval.

Task: Understand shadow applications.
Description: You can learn about shadow applications and how Oracle CASB Cloud Service - Discovery discovers them.
Additional Information: About Discovering Shadow Applications

Task: Manually upload a single log file from your firewall.
Description: You can upload a sample log file from your firewall to test the settings before you set up automatic upload.
Additional Information: Manually Uploading a Log File

Task: Set up ongoing automatic upload of log files from your firewall.
Description: You can set up your syslog server to automatically upload log files from your firewall.
Additional Information: Setting Up Automatic Upload of Log Files

Task: View information discovered about shadow applications.
Description: You can learn how to view and interpret the information that Oracle CASB Cloud Service - Discovery discovers.
Additional Information: Viewing Discovered Applications and Understanding the Results

Task: Understand required fields of a log file.
Description: You can learn about the fields of a log file that are required to upload the file into Oracle CASB Cloud Service - Discovery.
Additional Information: Required Log Fields


About Discovering Shadow Applications

Learn about options for discovering and viewing shadow, or stealth, applications.

What Are Shadow Applications?

Applications or plug-ins that don't have explicit organizational approval are known as shadow or stealth applications.

Oracle CASB Cloud Service — Discovery monitors application usage in cloud applications it's monitoring and displays information about the risks for each application. You can also download a list of the application's users for further analysis.

How Do I Enable Oracle CASB Cloud Service — Discovery?

If there is no Discovery option on the Navigation menu when you log in to the Oracle CASB Cloud Service console, you will have to request that it be enabled for your tenant. Contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

What Firewalls Are Supported?

With the Discovery option on the Navigation menu in the Oracle CASB Cloud Service console:

1. Select Discovery from the Navigation menu.

2. Click the Import from Logs button.

The Upload log file for analysis dialog box lists the firewalls that are currently supported.

If your firewall is not enabled, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

You must provide a sample log file from your firewall to Oracle Support.

The sample log file should contain a representative sample of the traffic through your firewall that involves applications or plug-ins that do not have explicit organizational approval. For a list of the fields that are required for processing by Oracle CASB Cloud Service — Discovery, see Required Log Fields.

Why Upload a Single Log File?

Although it is not required, it is highly recommended that you manually upload a sample log file from your firewall before attempting to set up automatic upload of log files. The manual log file upload:

• Is easy to execute — all you need is a sample log file from your firewall.

• Provides an opportunity to quickly detect and correct problems that you would otherwise encounter in the automatic upload.

For more information on manually uploading a single firewall log file, see Manually Uploading a Log File.


What Is Involved in Setting Up Automatic Upload of Log Files?

For more information on setting up ongoing, automatic upload of firewall log files, seeSetting Up Automatic Upload of Log Files.

Subscribing to Oracle CASB Cloud Service — Discovery

Understand how to enable the Discovery option on the Navigation menu in an Oracle CASB Cloud Service tenant.

Prerequisites:

• If your Oracle CASB Cloud Service tenant is not a metered tenant, running under the universal credit model, you must purchase access to Oracle CASB Cloud Service — Discovery.

• You must be a tenant administrator in order to enable or disable Oracle CASB Cloud Service — Discovery, or change the number of users that are subscribed.

1. Log in to your Oracle CASB Cloud Service tenant as a tenant administrator.

2. Select Discovery from the Navigation menu.

3. Click the App Discovery tab.

4. Click Enable in the banner at the top of the tab.

5. In the Discovery User Count dialog box, enter the Expected User Count Per Month and click Confirm.

Enter an expected number of users on a monthly basis that may be discovered in your firewall logs uploaded for Oracle CASB Cloud Service — Discovery.

If this expected number of users is exceeded in a particular month, you will see a notice above the detailed information for discovered applications, with a link to update your subscription. See Updating an App Discovery Subscription.

6. To verify the number of subscribed users, click the App Discovery Settings icon at the top right.

In the App Discovery Settings dialog box, in the Subscription section at the bottom, you see “<count> of <subscribed> subscribers identified”:

• <count> is the actual count of users defined in your Oracle CASB Cloud Service tenant.

• <subscribed> is the number of users subscribed, set by the Expected User Count Per Month value you entered in the Discovery User Count dialog box.

What to Do Next

With your subscription to Oracle CASB Cloud Service — Discovery enabled, proceed with Manually Uploading a Log File to run a test on a sample firewall log.


Updating an App Discovery Subscription

Learn how to change the Expected User Count Per Month for an existing App Discovery subscription.

Prerequisite: The Oracle CASB Cloud Service tenant must already be subscribed. See Subscribing to Oracle CASB Cloud Service — Discovery.

1. Log in to your Oracle CASB Cloud Service tenant as a tenant administrator.

2. Click the App Discovery tab.

3. Click the Settings icon at the top right.

4. In the App Discovery Settings dialog box, in the Subscription section at the bottom, click Update Subscription.

5. In the Discovery User Count dialog box, enter a new value for Expected User Count Per Month and click Confirm.

Ending an App Discovery Subscription

Learn how to terminate an existing App Discovery subscription.

Prerequisite: The Oracle CASB Cloud Service tenant must already be subscribed. See Subscribing to Oracle CASB Cloud Service — Discovery.

1. Log in to your Oracle CASB Cloud Service tenant as a tenant administrator.

2. Click the App Discovery tab.

3. Click the Settings icon at the top right.

4. In the App Discovery Settings dialog box, in the Subscription section at the bottom, click End Subscription.

5. In the App Discovery End Subscription dialog box, click Confirm.

Manually Uploading a Log File

Learn how to manually upload a log file to Oracle CASB Cloud Service — Discovery as a test.

Objective: Manually uploading a firewall log file is a one-time task that you should perform as a test, so that you can catch and resolve any issues before you attempt to set up an ongoing, automated upload of log files from your firewall.

Prerequisites:

1. Oracle CASB Cloud Service — Discovery must be enabled on your Oracle CASB Cloud Service tenant.

If the Discovery option does not appear on the Navigation menu, Oracle CASB Cloud Service — Discovery is not enabled. To enable it, see Subscribing to Oracle CASB Cloud Service — Discovery.

2. Your firewall must be one of those listed in the Upload log file for analysis dialog box, opened from the Discovery page by clicking the Import from Logs button.


To enable your firewall in the list, see About Discovering Shadow Applications.

3. You must have a sample log file from your firewall available for you to upload.

The sample log file should contain a representative sample of the traffic through your firewall that involves applications or plug-ins that do not have explicit organizational approval. For a list of the fields that are required for processing by Oracle CASB Cloud Service — Discovery, see Required Log Fields.

Note:

The maximum size for a log file to be uploaded manually is 1 GB.

To manually upload a log file:

1. Select Discovery from the Navigation menu in the Oracle CASB Cloud Service console.

If the Discovery option does not appear on the Navigation menu, Oracle CASB Cloud Service — Discovery is not enabled on your Oracle CASB Cloud Service tenant. See Prerequisites above.

2. Click the Import from Logs button on the right side of the page.

If there is a summary of a previous manual log file upload, or ongoing automated uploads, scroll down below the summary information to locate the Import from Logs button.

3. Select the firewall brand from which you are uploading the sample log file and click Browse.

4. Navigate to the location of the sample log file, select it, and click Open.

5. In the Upload firewall log for analysis dialog box, click Import.

A progress bar appears.

• At first the progress bar shows that the file is being uploaded, then that the file is being processed, and finally that the analysis is being performed. After that, the information about stealth applications or plug-ins appears.

• If the log file is very large, it may take up to 30 minutes or more before the information appears.

• If there is a problem with the log file, an error message is displayed, indicating what the problem is, for example:

– Domain mapping not present for given log file: No valid domain or destination IP address is present in the log file, or the support added for the firewall had incorrect values for indexes.

– Unable to process your log file. Either the uploaded file does not contain valid data, or LORIC does not yet support this vendor's logs: Either the format of the log file being uploaded does not match the firewall selected, or there is a failure in the analytics phase.

– Unable to process your log file. Please contact CASB support: Uploading of the log file has failed, due to network or other issues.

If you encounter an error that you are unable to resolve, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

What to Do Next

• If the log file uploads correctly, you are ready to proceed with Setting Up Automatic Upload of Log Files.

If you would first like to examine the information discovered in the sample log file, see Viewing Discovered Applications and Understanding the Results.

• If the log file does not progress through the processing stages, or if you see error messages that you can’t resolve, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

Setting Up Automatic Upload of Log Files

Learn how to set up automatic, ongoing uploading of log files from your firewall to Oracle CASB Cloud Service — Discovery.

Objective: Setting up ongoing, automatic upload of log files from your firewall ensures that use of applications or plug-ins that do not have explicit organizational approval is monitored continuously.

Prerequisites:

1. Oracle CASB Cloud Service — Discovery must be enabled on your Oracle CASB Cloud Service tenant.

If the Discovery option does not appear on the Navigation menu, Oracle CASB Cloud Service — Discovery is not enabled. To enable it, see Subscribing to Oracle CASB Cloud Service — Discovery.

2. Your firewall must be one of those listed in the Upload log file for analysis dialog box, opened from the Discovery page by clicking the Import from Logs button.

To enable your firewall in the list, see About Discovering Shadow Applications.

3. It is strongly recommended that you perform a test on a sample firewall log file before attempting to set up automatic uploading of log files from that firewall. See Manually Uploading a Log File.

To set up automatic upload of log files:

Note:

The maximum volume of log file data that can be automatically uploaded in a single day is 10 GB. Once that limit is reached, automatic uploading stops for that day, then resumes the next day.

1. Request a syslog-ng.conf file that is customized to forward logs from your firewall to Oracle CASB Cloud Service — Discovery.


Contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

You must provide a sample log file from your firewall to Oracle Support.

The sample log file should contain a representative sample of the traffic through your firewall that involves applications or plug-ins that do not have explicit organizational approval. For a list of the fields that are required for processing by Oracle CASB Cloud Service — Discovery, see Required Log Fields.

2. Configure your firewall to push log files to your syslog server.

See the documentation for your firewall for instructions.

Note:

Ensure that when configuring the program that will push data to Oracle CASB Cloud Service — Discovery, you specify the IP address for the endpoint that is specific to your Oracle CASB Cloud Service tenant:

• OCI US uses 147.154.109.206

• OCI EU uses 138.1.40.53

3. When you receive the syslog-ng.conf file, copy it to the /etc/syslog-ng directory on your syslog server, replacing the syslog-ng.conf file at that location.

4. Download the log collector certificate.

a. Click the App Discovery Settings icon to the right of the Import from Logs button.

b. In the App Discovery Settings dialog box, click the Download button at the bottom, to the right of “Oracle CASB Cloud Service log collector certificate.”

c. In the Opening logs-dev.palerra.net.zip dialog box, select Save File.

The file is automatically saved to your Downloads directory.

d. Unzip the logs-dev.palerra.net.zip file and copy the .crt files to the /etc/syslog-ng/cs/ directory on your syslog-ng server:

• On Windows, copy the files from the top level of the .zip file.

• On Mac OS X, copy the files from the __MACOSX folder in the .zip file.

5. Restart the syslog-ng service.

6. In the Oracle CASB Cloud Service console, select Discovery from the Navigation menu.

Within 2-3 hours, you should start to see information about stealth applications or plug-ins.

• Before that happens, there are no visible changes on the Discovery page.

• You can check the System Audit Trail report to see how the auto-upload is progressing. Look for entries where the EVENT is PushAutoLogStatus and DESCRIPTION is Auto log status updated. See Log File Processing Stages.


Viewing Discovered Applications and Understanding the Results

View and process information on discovered applications.

Users utilize IaaS, PaaS, or SaaS applications. Oracle CASB Cloud Service - Discovery examines these applications to determine their risk profile and the customer's exposure.

The results of the analysis of IaaS, PaaS, and SaaS applications are displayed in a grid view in the Discovery page. The specific applications accessed vary among customers, so the details of the discovered applications will vary. The grid offers a consistent view. Oracle CASB Cloud Service console users can view the following:

1. Select Discovery from the Navigation menu.

2. If you see Key Security Indicators and App Discovery tabs below the Discovery: App Discovery heading, click the App Discovery tab.

These two tabs appear only when key security indicators (KSIs) are enabled for Oracle CASB Cloud Service - Discovery. This feature must be enabled in addition to enabling the basic Oracle CASB Cloud Service - Discovery functionality. To enable KSIs for App Discovery, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

3. Set the month slider to the month for which you want data to be displayed.

Data is available for the past 3 months. The date and time of the last log data ingestion is displayed to the right of the month slider.

4. To display a different set of data for the month:

• To search for applications, click the Search icon and start entering the application name.

As you type, the applications list is filtered to show only those application names that contain a text string that matches what you entered.

• To filter the application rows, click the Filter icon to the right of the headers for the application rows.

Then, in the panel of filtering options that's displayed:

– To filter applications by source, under Source select either Perimeter (source is log files), or a listed application. If you select a listed application, then you may also be able to select a specific instance of that application.

– To filter applications by category, select one or more options under Category. Applications matching any category are displayed.

– To filter applications by a user, start entering the user name under Users, and then select the best match that appears as you type.

– To filter applications by tags, select one or more tag values under Tags. Applications matching any one tag will be displayed.


– To save the current filter settings, click Set as Default on the right side. These filter settings will then be automatically set next time you open the App Discovery tab.

• To get back the entire list of discovered applications:

– In the filter options panel, click Clear Filter.

– Ensure there is no text in the Search box.

5. To control the order in which the items are listed, click the Sort icon next to the heading for a sortable column.

For individual items, in the ACTION column for the item:

• To see more detailed information about a discovered application, click anywhere in the row for that application.

• To open an incident ticket on an application, in the ACTION column, click the Create Incident icon.

See Tracking Incident Tickets.

• To assign a tag, or change the assigned tag, for the discovered application, click the Edit Tags icon.

In the Tag Selected App dialog box, select one of the other predefined tags:

– Sanctioned — applications like this are officially sanctioned and should be available to all users.

– Permitted — applications like this are not officially sanctioned, but are permitted when a user or group has asked to use the application and the request has been approved.

– Restricted — applications like this are restricted to use by only specific individuals.

– Prohibited — applications like this should never be used by anyone in the organization.

– Irrelevant — applications like common websites or an advertisement that can be excluded from a security analysis.

By default, newly discovered applications are assigned the “Discovered” tag. You should change this to a more meaningful tag, in terms of your organization’s security policies for applications that users install on their own.

Note:

When you assign a tag to a discovered application:

– That same tag then will be automatically assigned to applications discovered in the future that originate from the same domain, as listed in the APP/DOMAIN column.

– You can define custom policy alerts to generate risk events based on the tag. See Creating Policy Alerts for Discovered Applications.

6. For the entire month’s data:

• To export the list of discovered applications to a comma-separated values (CSV) file, click the Export to CSV icon.

• To delete the data for the entire list of discovered applications displayed for the current month, click the Delete icon.

Caution:

The Delete icon on the App Discovery tab always deletes all discovered application data for the selected month, not just the subset you may see listed.

7. If KSIs are enabled for Oracle CASB Cloud Service - Discovery:

a. Ensure that the month slider is set to the month for which you want to view the KSI summary data.

The month slider on the App Discovery tab also controls the data displayed on the Key Security Indicators tab.

b. Click the Key Security Indicators tab.

c. Continue with the next topic, Working with the Key Security Indicators Tab.
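The tagging behaviour described in step 5 (a default "Discovered" tag, a tag choice that is inherited by later discoveries from the same APP/DOMAIN value, and policy alerts driven by the tag) can be modelled in a few lines. The following is an added example written for this page, not Oracle CASB Cloud Service code; the class and function names and the sample domains are assumptions made for the illustration.

```python
"""Added example: domain-level tag inheritance for discovered applications.

Illustrative code written for this page, not Oracle CASB Cloud Service code.
It models the note above: a tag assigned to one discovered application is
inherited by later discoveries from the same domain, and risk events can be
raised from the tag. Class and function names and the sample domains are
assumptions made for the example.
"""
from dataclasses import dataclass, field

# Tag values offered in the Tag Selected App dialog box; "Discovered" is the default.
TAGS = ("Discovered", "Sanctioned", "Permitted", "Restricted", "Prohibited", "Irrelevant")


@dataclass
class DiscoveredApp:
    name: str
    domain: str            # value shown in the APP/DOMAIN column
    tag: str = "Discovered"


@dataclass
class TagRegistry:
    """Remembers the tag chosen for each domain so later discoveries inherit it."""
    domain_tags: dict = field(default_factory=dict)

    def assign(self, app: DiscoveredApp, tag: str) -> None:
        """Tag one application and record the choice for its domain."""
        if tag not in TAGS:
            raise ValueError(f"unknown tag {tag!r}")
        app.tag = tag
        self.domain_tags[app.domain.lower()] = tag

    def discover(self, name: str, domain: str) -> DiscoveredApp:
        """Register a newly seen application, inheriting any tag set for its domain."""
        app = DiscoveredApp(name, domain)
        inherited = self.domain_tags.get(domain.lower())
        if inherited is not None:
            app.tag = inherited
        return app


def untriaged(apps):
    """Names of applications still carrying the default tag and awaiting a decision."""
    return [a.name for a in apps if a.tag == "Discovered"]


def risk_events(apps, alert_tags=("Prohibited",)):
    """Simple policy alert: one event per application whose tag is in alert_tags."""
    return [f"{a.tag} application in use: {a.name} ({a.domain})"
            for a in apps if a.tag in alert_tags]


if __name__ == "__main__":
    reg = TagRegistry()
    first = reg.discover("PasteBox", "pastebox.example.net")   # constructed sample domain
    reg.assign(first, "Prohibited")
    later = reg.discover("PasteBox Mobile", "PasteBox.example.net")
    other = reg.discover("NoteTaker", "notes.example.org")
    print(later.tag)                                  # inherited from the domain
    print(untriaged([first, later, other]))
    print(risk_events([first, later, other]))
```

Domains are compared case-insensitively so that a differently cased APP/DOMAIN value does not escape an existing decision; untriaged() is the list a reviewer would work through each month to replace the default tag with one that reflects policy.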

Working with the Key Security Indicators Tab

Understand how to use the App Discovery Key Security Indicators tab to view summary information on discovered shadow applications, and to list the discovered applications behind each summary on the App Discovery tab.

The table below lists the key security indicators (KSIs) provided by Oracle CASB Cloud Service - Discovery, with a description of the information summarized in each.

Key Security Indicator: Description

Top 10 App Categories Traffic: Summarizes traffic in MB for different application categories, for the selected month's discovered applications.

Top 10 App Categories (User Count): Summarizes user counts for different application categories, for the selected month's discovered applications.

Traffic Distribution by Risk: Summarizes, in a pie chart, the distribution of traffic (in megabytes) by risk level (normal, low, medium, high), for the selected month's discovered applications.

User Distribution by Risk: Summarizes, in a pie chart, the distribution of user counts by risk level (normal, low, medium, high), for the selected month's discovered applications.

App Distribution by Risk: Summarizes, in a pie chart, the distribution of applications by risk level (normal, low, medium, high), for the selected month's discovered applications.

Users with most apps: Lists the top 10 users with the most applications, in the selected month's discovered applications.

Top 10 most used apps: Lists the top 10 applications that appear most frequently, in the selected month's discovered applications.
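The KSIs in the table are aggregations over the month's discovered applications. The following added example (written for this page, not Oracle CASB Cloud Service code) computes the per-category traffic and user counts, the three risk distributions, and the users with the most applications from a constructed set of records; the record layout, function names and sample values are assumptions made for the illustration.

```python
"""Added example: computing KSI summaries from discovered-application records.

Illustrative code written for this page, not Oracle CASB Cloud Service code.
It shows the aggregations the table above describes (traffic and user counts
per category, distribution by risk level, users with the most applications)
over a small constructed month of records. Record layout, function names and
sample values are assumptions made for the example.
"""
from collections import Counter, defaultdict

RISK_LEVELS = ("normal", "low", "medium", "high")

# Constructed sample: one record per discovered application for the selected month.
SAMPLE_APPS = [
    {"name": "pastebox", "category": "File Sharing", "risk": "high",
     "traffic_mb": 320.0, "users": {"alice", "bob"}},
    {"name": "chatly", "category": "Collaboration", "risk": "medium",
     "traffic_mb": 150.5, "users": {"alice"}},
    {"name": "newsfeed", "category": "News", "risk": "normal",
     "traffic_mb": 40.0, "users": {"bob", "carol", "dave"}},
    {"name": "dropzone", "category": "File Sharing", "risk": "high",
     "traffic_mb": 90.0, "users": {"carol"}},
]


def top_categories_by_traffic(apps, top=10):
    """Top 10 App Categories Traffic: MB per category, largest first."""
    totals = defaultdict(float)
    for app in apps:
        totals[app["category"]] += app["traffic_mb"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def top_categories_by_users(apps, top=10):
    """Top 10 App Categories (User Count): distinct users per category."""
    users = defaultdict(set)
    for app in apps:
        users[app["category"]] |= app["users"]
    return sorted(((c, len(u)) for c, u in users.items()),
                  key=lambda kv: (-kv[1], kv[0]))[:top]


def distribution_by_risk(apps):
    """Traffic, user and app distribution by risk level (the three pie-chart KSIs)."""
    traffic = {r: 0.0 for r in RISK_LEVELS}
    users = {r: set() for r in RISK_LEVELS}
    count = {r: 0 for r in RISK_LEVELS}
    for app in apps:
        risk = app["risk"]
        if risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {risk!r} for {app['name']}")
        traffic[risk] += app["traffic_mb"]
        users[risk] |= app["users"]
        count[risk] += 1
    return {
        "traffic_mb": traffic,
        "user_count": {r: len(u) for r, u in users.items()},
        "app_count": count,
    }


def users_with_most_apps(apps, top=10):
    """Users with most apps: (user, number of applications), most first."""
    per_user = Counter()
    for app in apps:
        per_user.update(app["users"])   # counts each user once per application
    return sorted(per_user.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    print(top_categories_by_traffic(SAMPLE_APPS))
    print(top_categories_by_users(SAMPLE_APPS))
    print(distribution_by_risk(SAMPLE_APPS))
    print(users_with_most_apps(SAMPLE_APPS))
```

User counts are computed over distinct user names, so a user who reaches two applications in the same category counts once for that category, which is the reading that matches a user-count KSI; traffic is simply summed.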

To manipulate the KSI information that's displayed and drill down into the details:

1. Move your mouse around the information displayed on the Key Security Indicators tab and notice:

• Some items always have a number displayed.

• Some items display a number only when you move the mouse pointer over them.

• The mouse pointer changes to indicate that it's over a link in both cases.

Note:

Whenever the mouse pointer changes to indicate a link:

• The number displayed is the number of discovered applications involved in the item you are pointing to in that KSI.

• You can click to display all those discovered applications on the App Discovery tab.

2. Control what’s displayed in the App Categories Traffic (in MB) and App Categories (User Count) KSIs.

Note:

A color code for tags (Discovered, Sanctioned, Permitted, Restricted, Prohibited) appears on the right side of each of these KSIs.

Horizontal bars to the right of each category listed for each of these KSIs indicate the proportion of the total number of discovered applications that each tag is contributing to that total.

a. Click a tag color code to remove it from the horizontal bars for each category.

b. Click the same tag color code again to restore it in the horizontal bars for each category.

3. Control what's displayed in pie charts.


Note:

Three KSIs (Traffic Distribution by Risk (in MB), User Distribution by Risk, and App Distribution by Risk) display their summary information in pie charts, with a color code at the bottom:

• Color codes are displayed below each pie chart.

• Color codes indicate risk level: Normal, Low, Medium, High.

a. Click a color code to remove that risk level from the pie chart.

b. Click the same color code again to restore that risk level to the pie chart.

4. View the list of discovered applications summarized in a KSI.

a. Locate an item, outside of the tag color codes, that changes the mouse pointer to indicate a link.

b. Click the item.

The App Discovery tab is brought forward, listing all the discovered applications that were summarized by the item you clicked. Notice that either Filter or Search options were automatically set to produce this list.

5. View and process the list.

You can process this list of discovered applications in the same way that you can process the entire list for the selected month. See Viewing Discovered Applications and Understanding the Results.

Caution:

The Delete icon on the App Discovery tab always deletes all discovered application data for the selected month, not just the subset you may see listed.

6. Click the Key Security Indicators tab to view more summary information there.

Ensure that the month slider is set to the correct month for which you wish to view summary data before you switch tabs.

App Discovery Reference

Learn about the fields that are required in uploaded log files and the processing that occurs in the different upload stages.

Required Log Fields

Review the general and firewall-specific requirements for log files you plan to upload to Oracle CASB Cloud Service – Discovery.

Any log file you want to upload into Oracle CASB Cloud Service - Discovery must contain the following fields in order to upload and process correctly. It may still be possible to process a log file with some of these fields missing, but that information will be missing in the resulting list of discovered applications and plug-ins.

Description of Basic Fields Required

Each entry below gives the generic field name, its description, and the result if the field is missing.

Time stamp
  Description: Date and time when the event was logged.
  If missing: "Unknown" appears in Dashboard, App Discovery tab.

Source IP
  Description: IP address from which the logged event originated.
  If missing: "Unknown" appears in Dashboard, App Discovery tab.

Source user name
  Description: User name that originated the logged event.
  If missing: "Anonymous" appears in Dashboard, App Discovery tab.

Action
  Description: Action taken on the logged event.
  If missing: Oracle CASB Cloud Service - Discovery assumes the record is an ALLOWED action. The entry is logged in the Oracle CASB Cloud Service Audit trail to record this.

Destination FQDN
  Description: Fully qualified domain name of the destination of the logged event.
  If missing: If both the Destination FQDN and Destination IP are missing, then INGESTION FAILS with the "Domain mapping not present for given log file" error. If only the Destination FQDN is missing, the Destination IP is used to do a reverse DNS lookup. If the reverse DNS lookup fails, then the IP address is displayed in the Oracle CASB Cloud Service console.

Destination IP
  Description: IP address of the destination of the logged event.
  If missing: If both the Destination FQDN and Destination IP are missing, then INGESTION FAILS with the "Domain mapping not present for given log file" error. If only the Destination FQDN is missing, the Destination IP is used to do a reverse DNS lookup. If the reverse DNS lookup fails, then the IP address is displayed in the Oracle CASB Cloud Service console. Destination IP is NOT used if the Destination FQDN is in the record.

Protocol
  Description: The internet protocol associated with the logged event.
  If missing: Oracle CASB Cloud Service - Discovery assumes all records are HTTP/HTTPS protocol. The entry is logged in the system audit trail to record this. Only HTTP/HTTPS records are used; others are discarded.

Data sent
  Description: Number of bytes of data sent from Source IP in the logged event.
  If missing: A zero value displays in Dashboard, App Discovery tab.

Data received
  Description: Number of bytes of data received by the Destination IP in the logged event.
  If missing: A zero value displays in Dashboard, App Discovery tab.
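The missing-field rules in the table above amount to a small normalization procedure, which is easiest to understand when written out. The following added example (written for this page, not Oracle CASB Cloud Service code) applies those rules to already-parsed firewall records; because the table is vendor-neutral, the records are plain dicts keyed by generic field names, and the reverse DNS step is an injectable hook so the sample runs offline. The field keys, the resolver hook and the sample values (documentation IP ranges) are assumptions made for the illustration.

```python
"""Added example: applying the missing-field rules of the Required Log Fields table.

Illustrative code written for this page, not Oracle CASB Cloud Service code.
normalize_record() takes one already-parsed firewall log record (a dict with
generic field names) and applies the documented fallbacks: "Unknown" and
"Anonymous" placeholders, ALLOWED and HTTP/HTTPS assumptions written to an
audit list, reverse DNS when only the destination IP is present, and an
ingestion failure when neither destination field exists. Field keys, the
resolver hook and the sample values are assumptions made for the example.
"""
import socket


class IngestionError(Exception):
    """Raised for the one condition the table says stops ingestion."""


def reverse_dns(ip):
    """Real reverse lookup, used only when no resolver is injected."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def normalize_record(rec, resolver=reverse_dns, audit=None):
    """Return the normalized record, or None if it is discarded; append notes to audit."""
    if audit is None:
        audit = []
    out = {
        "timestamp": rec.get("timestamp") or "Unknown",
        "source_ip": rec.get("source_ip") or "Unknown",
        "source_user": rec.get("source_user") or "Anonymous",
    }
    action = rec.get("action")
    if not action:
        action = "ALLOWED"
        audit.append("action missing: assumed ALLOWED")
    out["action"] = action.upper()

    fqdn, ip = rec.get("dest_fqdn"), rec.get("dest_ip")
    if not fqdn and not ip:
        raise IngestionError("Domain mapping not present for given log file")
    if fqdn:
        out["destination"] = fqdn                 # destination IP ignored when FQDN exists
    else:
        out["destination"] = resolver(ip) or ip   # bare IP if the PTR lookup fails

    protocol = rec.get("protocol")
    if not protocol:
        protocol = "HTTPS"
        audit.append("protocol missing: assumed HTTP/HTTPS")
    elif protocol.upper() not in ("HTTP", "HTTPS"):
        return None                               # only HTTP/HTTPS records are used
    out["protocol"] = protocol.upper()

    out["bytes_sent"] = int(rec.get("bytes_sent") or 0)
    out["bytes_received"] = int(rec.get("bytes_received") or 0)
    return out


def normalize_all(records, resolver=reverse_dns):
    """Normalize a batch; returns (kept records, audit notes)."""
    audit, kept = [], []
    for rec in records:
        norm = normalize_record(rec, resolver, audit)
        if norm is not None:
            kept.append(norm)
    return kept, audit


# Constructed sample records and a constructed offline resolver (documentation IP ranges).
SAMPLE_RECORDS = [
    {"timestamp": "2020-07-01T09:15:02Z", "source_ip": "192.0.2.10", "source_user": "alice",
     "action": "allow", "dest_fqdn": "files.example.net", "dest_ip": "203.0.113.7",
     "protocol": "https", "bytes_sent": "1200", "bytes_received": "48000"},
    {"timestamp": "2020-07-01T09:16:40Z", "source_ip": "192.0.2.11",
     "dest_ip": "203.0.113.7", "protocol": "https", "bytes_sent": "300"},
    {"timestamp": "2020-07-01T09:17:05Z", "source_ip": "192.0.2.12", "source_user": "bob",
     "action": "allow", "dest_ip": "198.51.100.9", "bytes_received": "900"},
    {"timestamp": "2020-07-01T09:18:11Z", "source_ip": "192.0.2.13", "source_user": "carol",
     "action": "allow", "dest_fqdn": "shell.example.org", "protocol": "ssh"},
]
FAKE_PTR = {"203.0.113.7": "files.example.net"}


def fake_resolver(ip):
    """Offline stand-in for reverse DNS; unknown addresses resolve to None."""
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    kept, audit = normalize_all(SAMPLE_RECORDS, fake_resolver)
    for rec in kept:
        print(rec)
    print(audit)
```

Running the sample keeps three of the four records (the SSH record is discarded), fills in "Anonymous" and ALLOWED for the second record, resolves the third record's destination to the bare IP because the lookup fails, and leaves two audit notes recording the assumptions made.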


Log File Processing Stages

Understand the processing that occurs in stages when a firewall log file is uploaded.

The table below shows the System Audit Trail report entries for an upload of a firewall log file.

Auto-Upload Stage: Keyword in DETAILS Column

File Upload Started: PROCESSING_STARTED

File Upload Completed, Analytics Started: PROCESSING_COMPLETED

Analytics Completed: ANALYTICS_COMPLETED
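The stage keywords in the table are what you look for in the System Audit Trail (EVENT PushAutoLogStatus, DESCRIPTION Auto log status updated) when checking that automatic upload is progressing. The following added example (written for this page, not Oracle CASB Cloud Service code) reads a constructed CSV export of audit trail rows, maps each status row's DETAILS keyword to its stage, and lists uploads that have not reached Analytics Completed; the CSV layout, the "file=" token used to tell uploads apart, and the sample rows are assumptions made for the illustration.

```python
"""Added example: tracking auto-upload progress from System Audit Trail entries.

Illustrative code written for this page, not Oracle CASB Cloud Service code.
It reads System Audit Trail rows, keeps those where EVENT is PushAutoLogStatus
and DESCRIPTION is Auto log status updated, and maps the keyword in DETAILS to
the stage names in the table above. The CSV layout, the "file=" token used to
tell uploads apart, and the sample rows are assumptions made for the example.
"""
import csv
import io

# Keyword in DETAILS column -> Auto-Upload Stage, in processing order (from the table).
STAGES = {
    "PROCESSING_STARTED": "File Upload Started",
    "PROCESSING_COMPLETED": "File Upload Completed, Analytics Started",
    "ANALYTICS_COMPLETED": "Analytics Completed",
}
FINAL_STAGE = "Analytics Completed"

# Constructed sample export; the DETAILS format beyond the keyword is assumed.
SAMPLE_AUDIT_TRAIL = """\
TIMESTAMP,EVENT,DESCRIPTION,DETAILS
2020-07-01T10:00:00Z,PushAutoLogStatus,Auto log status updated,PROCESSING_STARTED file=fw-2020-07-01.log
2020-07-01T10:07:00Z,PushAutoLogStatus,Auto log status updated,PROCESSING_COMPLETED file=fw-2020-07-01.log
2020-07-01T10:20:00Z,UserLogin,User logged in,user=admin
2020-07-01T10:31:00Z,PushAutoLogStatus,Auto log status updated,ANALYTICS_COMPLETED file=fw-2020-07-01.log
2020-07-02T10:00:00Z,PushAutoLogStatus,Auto log status updated,PROCESSING_STARTED file=fw-2020-07-02.log
2020-07-02T10:09:00Z,PushAutoLogStatus,Auto log status updated,SOMETHING_NEW file=fw-2020-07-02.log
"""


def status_entries(text):
    """Yield (timestamp, details) for rows that report auto-upload status."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["EVENT"] == "PushAutoLogStatus" and row["DESCRIPTION"] == "Auto log status updated":
            yield row["TIMESTAMP"], row["DETAILS"]


def parse_details(details):
    """Split DETAILS into (keyword, file name); file name is None without a file= token."""
    tokens = details.split()
    keyword = tokens[0] if tokens else ""
    name = next((t[len("file="):] for t in tokens if t.startswith("file=")), None)
    return keyword, name


def upload_progress(text):
    """Latest stage per uploaded file, e.g. {'fw-2020-07-01.log': 'Analytics Completed'}."""
    progress = {}
    for _ts, details in status_entries(text):       # rows are assumed to be in time order
        keyword, name = parse_details(details)
        # An unknown keyword is surfaced rather than silently ignored.
        stage = STAGES.get(keyword, f"Unknown keyword: {keyword}")
        progress[name or "(unnamed upload)"] = stage
    return progress


def incomplete_uploads(text):
    """Files whose latest audit entry is not the final stage."""
    return sorted(name for name, stage in upload_progress(text).items()
                  if stage != FINAL_STAGE)


if __name__ == "__main__":
    for name, stage in upload_progress(SAMPLE_AUDIT_TRAIL).items():
        print(f"{name}: {stage}")
    print("still in progress or unknown:", incomplete_uploads(SAMPLE_AUDIT_TRAIL))
```

On the sample, the first day's upload walks through all three stages, while the second day's upload stops at an unrecognised keyword and is therefore reported as incomplete; that is the case in which the page advises contacting Oracle Support if the stages do not progress.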


25 Managing Data Protection

Set up data loss prevention (DLP) for applications that support this feature.

To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

Note:

See Data Protection Limitations to help you plan your DLP implementation.

Topics:

• Typical Workflow for Managing Data Protection

• Getting Started with Data Protection

• Managing Named Conditions

• Managing Information Types

• Managing Information Groups

• Managing Classifications

• Managing Rules

• Viewing Scan Results in Risk Events

• Performing a Retroactive Scan

• Viewing Scan Results

• Data Protection Limitations

Typical Workflow for Managing Data Protection

With Oracle CASB Cloud Service, you can protect sensitive data by preventing specified actions on sensitive files, and quarantining problematic files as soon as they appear.

Task: Description. See: Additional Information.

Get started with data protection: Follow the sequence of tasks necessary to implement data protection. See: Getting Started with Data Protection.

Manage named conditions: Learn how to manage named conditions that restrict the scope of actions taken when a rule is applied. See: Managing Named Conditions.

Manage information types: Learn how to manage information types, the basic units on which data protection is built. See: Managing Information Types.

Manage information groups: Learn how to combine information types into information groups, for easier processing. See: Managing Information Groups.

Manage classifications: Learn how to create classification labels, to simplify creation of rules. See: Managing Classifications.

Manage rules: Learn how to create rules to control data protection scans. See: Managing Rules.

Perform a retroactive data protection scan: Learn how to perform a data protection scan retroactively, scanning file actions after they have taken place. See: Performing a Retroactive Scan.

View data protection scan results: Learn how to view the results of data protection scans that are performed in real time. See: Viewing Scan Results.

Getting Started with Data Protection

Understand the sequence of tasks to perform in order to implement data protection.

1. Ensure that data protection has been enabled on your Oracle CASB Cloud Service tenant.

In the Oracle CASB Cloud Service console, click Configuration in the left navigation panel. If DLP Management appears in the list of configuration options, data protection is enabled.

Contact your Oracle CASB Cloud Service Customer Success Manager if Data Protection is not available in your instance.

2. Prepare and register the Box instance to be protected.

See Preparing Box and Adding a Box Instance.

3. Enable data protection for that Box instance.

See Updating Data Protection for a Box Instance.

4. If you want to have real-time access control with this Box instance, configure and enable the reverse proxy.

See Updating the Reverse Proxy Configuration for a Box Instance.

5. (Optional) Try out some of the predefined configurations.

Oracle CASB Cloud Service data protection comes with predefined configurations of information types and information groups that you can use immediately to create rules without the need to configure these components. If you would like to try these out before configuring your own custom data protection components, see Managing Rules.

6. (Optional) Create custom information types.

Information types are the building blocks of data protection. They define specific types of information that you want to protect, such as credit card numbers. Data protection scans look for the types of information that you specify. To create custom information types, see Managing Information Types.

7. (Optional) Create custom information groups.

Information groups combine specified information types for convenience in defining rules. Data protection scans look for documents that contain any one of the information types in an information group. To create custom information groups, see Managing Information Groups.

8. Create optional custom rules and initiate an ongoing scan.

You can use one of the predefined rules or create your own custom rule. See Managing Rules.

9. View the results of the ongoing scan.

The results of an ongoing data protection scan appear in Risk Events, as individual events are returned. See Viewing Scan Results in Risk Events.

10. Run a retroactive scan.

A retroactive scan goes over all files — those that were scanned earlier, plus any that were in place before you started scanning — and classifies them in the same way they would have been classified in an ongoing scan, using the current rules. If you make major changes in your rules, a retroactive scan will update file classifications, as needed, to conform to your current rules. To run a retroactive scan, see Performing a Retroactive Scan.

Managing Named Conditions

Create new named conditions as needed to restrict the scope of actions taken when a rule is applied.

Named conditions are useful when you do not want a rule to apply, and take actions, in all matching cases — you want to limit its scope to certain conditions. For example, you may want to classify documents as highly confidential only if the documents are owned by a specific user or list of users, and they are located in specific high-security folders.

1. Select Configuration, DLP Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Named Conditions in the row of options at the top.

Always is the default named condition:

• It is the default and specifies no limitations on the scope.

• You can’t delete or modify this named condition.

3. To create a new named condition:

a. Click Add conditions to open the Add conditions dialog box.


b. Enter a Name for the named condition, and (optionally) a Description.

c. If you want to set a scope that includes or excludes one or more users:

i. Click Add user.

ii. Select User name contains or User name does not contain.

iii. Enter one or more user names — separate multiple user names with commas.

d. If you want to set a scope that includes or excludes one or more locations:

i. Click Add location.

ii. Select an application from the App list.

iii. Select an application instance from the Activity of list.

iv. Select one or more folders from the Scan from list.

v. To add another location, repeat these steps.

e. Click Save when done.

4. To see the details for any named condition listed, click the View icon in the ACTION column in the row for that named condition.

5. To modify any named condition listed (except Always), click the Edit icon in the ACTION column in the row for that named condition to open the Edit conditions dialog box.

You can use the basic instructions for adding a named condition, under step 3 above, to modify an existing named condition.

Note:

To delete a user or a location, click the “X” icon to its right.

6. To delete any named condition listed (except Always), click the Delete icon in the ACTION column in the row for that named condition.

Managing Information Types

Create new information types as needed to precisely target sensitive files.

Information types are the building blocks for data protection scans. Each information type identifies one specific type of information you want to be detected, such as a credit card number.

Note:

You cannot modify or delete the predefined information types.


1. Select Configuration, DLP Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Information Type in the row of options at the top.

3. To create a new information type:

a. Click Add Item to open the Add Item dialog box.

b. Enter a descriptive Name for this information type.

c. To use a keyword:

i. Select Keyword.

ii. Enter text to be matched in the text box. If this text is found in a file, the file is classified as specified in the rule.

iii. Set a Threshold value, for the number of times the Keyword text must occur in a file in order to be classified as specified in the rule. Setting this value to 3 means that the Keyword must appear in the file at least three times. Setting it to 1 means that the Keyword only needs to appear in the file once.

iv. Select Match Whole Word if the text you entered for Keyword is to be matched only if it occurs as a whole word, but not matched if it is part of a longer text string. For example, if you select Match Whole Word and your Keyword entry is secret, then secretly, secrets, and secrete are not counted as matches.

v. Select Scrambled if your Keyword entry contains two or more separate words, and you want it counted as a match, even if those words appear in a different order. For example, if you select Scrambled and your Keyword entry is high risk, risk high is also counted as a match.

d. To use a regular expression:

i. Select Regex.

ii. Enter text to be matched, including standard regular expression characters, in the text box.

iii. Set a Threshold value, for the number of times the Regex text must occur in a file in order to be classified as specified in the rule. Setting this value to 3 means that the Regex text must appear in the file at least three times. Setting it to 1 means that the Regex text only needs to appear in the file once.

e. Click Save.

You can include information types that you create in information groups. See Managing Information Groups.

4. To view the details for an existing information type:

a. Click anywhere in the row for the information type.

b. Click the View icon in the ACTION column.

5. To edit the details for an existing information type:

a. Click anywhere in the row for the information type.

b. Click the Edit icon in the ACTION column.


6. To delete an existing information type:

a. Click anywhere in the row for the information type.

b. Click the Delete icon in the ACTION column.

Combine information types in information groups for convenience. See Managing Information Groups.

Managing Information Groups

Combine information types into information groups for convenience in defining rules.

Information groups consist of multiple information types. Data protection scans look for files that match any one information type in the information group. Files are then classified according to the classification that you specify in a rule.

Note:

You cannot modify or delete the predefined information groups.

1. Select Configuration, DLP Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Information Group in the row of options at the top.

3. To create a new information group:

a. Click Add Group to open the Add Group dialog box, displaying a list of all the existing information types below a text box.

b. Enter a descriptive Name for this information group.

c. To add an information type to the group, select it in the list.

d. To remove an information type from the group, deselect it.

e. Click Save.

You can use information groups that you create in rules. See Managing Rules.

4. To view the details for an existing information group:

a. Click anywhere in the row for the information group.

b. Click the View icon in the ACTION column.

5. To edit the details for an existing information group:

a. Click anywhere in the row for the information group.

b. Click the Edit icon in the ACTION column.

6. To delete an existing information group:

a. Click anywhere in the row for the information group.

b. Click the Delete icon in the ACTION column.

Use information groups to define classifications. See Managing Classifications.


Managing Classifications

Set up custom classifications to use in your data protection rules.

Classifications are used to tag files according to the content matching that you specify in a rule. Oracle recommends that you begin by using a fairly small number of classifications (5 or 6), and add more only when it is clear that you need them.

Note:

You cannot modify or delete the predefined classifications.

1. Select Configuration, DLP Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Classification in the row of options at the top.

3. To create a new classification:

a. Click Add Classification to open the Add Classification dialog box.

b. Enter a descriptive Name for this classification.

c. Set a Sensitivity level. Enter a positive integer between 1 and 100. This number indicates the relative level of risk that would be presented by a data breach that accessed the information in the file.

d. Click Save.

You can use classifications that you create in rules. See Managing Rules.

4. To view the details for an existing classification:

a. Click anywhere in the row for the classification.

b. Click the View icon in the ACTION column.

5. To edit the details for an existing classification:

a. Click anywhere in the row for the classification.

b. Click the Edit icon in the ACTION column.

6. To delete an existing classification:

a. Click anywhere in the row for the classification.

b. Click the Delete icon in the ACTION column.

Use classifications to define rules. See Managing Rules.

Managing Rules

Define a rule to configure a data protection scan.

Prerequisite: One or more classifications must be defined in order to create a rule.


Note:

Once a file is classified according to one of your rules, either in ongoing scanning or in a retroactive scan, the classification of that version of the file is never changed in future ongoing scanning. If you make important changes to your rules, you must run a retroactive scan to update any file classifications that would be different under your new rules. See Performing a Retroactive Scan.

1. Select Configuration, DLP Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click Rule in the row of options at the top.

3. To enable an existing rule, such as one of the predefined rules:

a. Click anywhere in the row for the rule.

b. Click the Edit icon in the ACTION column to open the Edit Rule dialog box.

c. Click Next to go to the second, REMEDIATION section.

d. Click Next again to go to the third, SUBMIT section.

e. For Set Rule Status, select Enabled.

f. Click Save.

Ongoing scanning begins immediately, but you may not see any results for a while — files are detected only as activity occurs.

4. To create a new rule:

a. Click Add Rule to open the Add Rule dialog box to the first section, CONTENT.

b. Enter a descriptive Name for this rule.

c. Select Content Scan, and then select one or more of the classifications listed, by clicking the check box at the far right side of the screen.

These predefined classifications are available:

• HIPAA: Compliance problems with the Health Insurance Portability and Accountability Act.

• GLBA: Compliance problems with the Gramm-Leach-Bliley Act.

• PCI: Compliance problems with payment card industry standards.


Note:

For INFORMATION TYPES, you cannot select the entire classification by selecting the INFORMATION TYPES check box. You must expand the INFORMATION TYPES list and manually select the individual information types that you want to include. As you select individual information types:

• The check box for INFORMATION TYPES becomes partially selected — it changes to fill the upper left half when you select one or more information types.

• If you select all the individual information types, the INFORMATION TYPES check box becomes fully selected — it changes to a regular check mark.

• If you click the INFORMATION TYPES check box when it is either partially or fully selected, the INFORMATION TYPES check box is cleared, and the check boxes of all the individual information types that were selected are cleared as well.

d. Click Next to display the second section of the Add Rule dialog box, REMEDIATION.

e. If you want the scan to classify detected files, select Classify and then select a setting from the list. These predefined classifications are available:

• Highly Confidential — these files contain the very most sensitive information.

• Confidential — these files contain less sensitive information, which still should not be made public.

• Public — these files contain information that is already public, or can freely be made public.

• Unclassified — these files contain information that cannot be placed in another category by your rule. You should use this classification very rarely, when you want to prevent a rule from applying another classification.

For example, if one rule would normally classify a file as Highly Confidential, but you want an exception to be made if the owner is the CEO of your company, you might create a rule just to make that exception, classifying the file as Unclassified if the owner is the CEO. Then you would list that rule on the Rules tab above the rule that would normally classify the file as Highly Confidential.

Note:

The Unclassified classification is used internally to tag files that do not get classified by any of the rules on your Rules tab.

• If you want to limit the scope of the rule for the Classify action, select a named condition from the drop-down list. If you leave the default condition, Always, the Classify action is always performed.


f. Select Tag if you want the classification you selected to appear with the file name in Box.

The classification you selected will always appear in the DLP CLASSIFICATION column on the Data page. Selecting Tag causes it to appear with the file name in Box as well.

If you want to limit the scope of the rule for the Tag action, select a named condition from the drop-down list. If you leave the default condition, Always, the Tag action is always performed.

g. Select Alert if you want an alert to be generated and displayed in Risk Events for each file detected in the scan.

If you want to limit the scope of the rule for the Alert action, select a named condition from the drop-down list. If you leave the default condition, Always, the Alert action is always performed.

On the Risk Events page, risk events generated by this rule display:

• A RISK LEVEL icon that matches the level you select for Alert.

• “DLP Alert” in the CATEGORY column.

h. Select Quarantine if you want to move the file to a folder that is only accessible by the administrator. A “tombstone file” is created in the original location, indicating that the file has been quarantined.

If you want to limit the scope of the rule for the Quarantine action, select a named condition from the drop-down list. If you leave the default condition, Always, the Quarantine action is always performed.

i. Select Delete if you want to simply delete the file, without moving it to an administrator folder or creating a “tombstone file” in the original location indicating what has happened to the file.

If you want to limit the scope of the rule for the Delete action, select a named condition from the drop-down list. If you leave the default condition, Always, the Delete action is always performed.

j. Click Next to display the third section of the Add Rule dialog box, SUBMIT.

k. Enter a descriptive Name for the rule.

l. (Optional) Enter a longer Description for the rule.

m. For Set Rule Status, select:

• Enabled — to enable the rule. Ongoing scanning will begin as soon as you save the rule.

• Disabled — to disable the rule. The rule definition will be saved, but ongoing scanning will not begin.

n. Click Save.

If the rule is enabled, it will come into play, scanning files in real time as the events come in — you may not see any results for a while, because files are detected only as activity occurs.

After you complete a new rule, move it up or down in the list to control the order in which it is processed. Rules are processed in the order they are listed, and once a file matches a rule, no more rules are processed for that file.


Note:

Place your highest priority rules at the top of the list, so that files are flagged and protected according to the most sensitive information they contain. For example, if a file contained both a credit card number and a phone number, you want the file to be processed on the basis of the credit card number and not the less sensitive phone number, so a rule scanning for credit card numbers should precede a rule scanning for phone numbers.

Note:

To see the ongoing output of the data protection scan for your rule, see Viewing Scan Results in Risk Events.

To run a scan on files that came in before you started ongoing scanning, or to rescan all files with your current rules, see Performing a Retroactive Scan.

5. To view the details for an existing rule:

a. Click anywhere in the row for the rule.

b. Click the View icon in the ACTION column.

6. To edit the details for an existing rule:

a. Click anywhere in the row for the rule.

b. Click the Edit icon in the ACTION column.

c. Go through the three sections of the Edit Rule dialog box and change settings as described in step 4 above for creating a new rule.

7. To delete an existing rule:

a. Click anywhere in the row for the rule.

b. Click the Delete icon in the ACTION column.
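To make the matching behaviour described above concrete, here is an added Python model (not Oracle CASB Cloud Service code) of how information types with thresholds and the Match Whole Word and Scrambled options, information groups, named conditions and an ordered first-match rule list combine to classify a file. It assumes case-insensitive keyword matching, a Luhn post-filter on the card-number regex as the kind of heuristic the chapter's limitations section mentions, and that a rule whose named condition is not met is skipped so the next rule is tried; the class names, ScannedFile stand-in and sample files are constructed.

```python
"""Added example, not Oracle CASB Cloud Service code: a small offline model of the
matching this chapter describes (keyword/regex information types with a threshold,
information groups, named conditions, first-match rule order). Class names, sample
files, the ScannedFile stand-in for a Box file and the Luhn post-filter are all
constructed for this illustration."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from itertools import permutations
from typing import Callable, List, Optional

ScannedFile = namedtuple("ScannedFile", "name owner folder text")

def luhn_ok(number: str) -> bool:
    """Luhn checksum, the heuristic the chapter mentions for card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

@dataclass
class InfoType:
    name: str
    pattern: str
    kind: str = "keyword"                  # "keyword" or "regex" (Add Item dialog)
    threshold: int = 1                     # occurrences needed in one file
    whole_word: bool = False               # Match Whole Word (keyword only)
    scrambled: bool = False                # Scrambled (keyword only)
    validator: Optional[Callable[[str], bool]] = None   # assumed post-filter on regex hits

    def count(self, text: str) -> int:
        if self.kind == "regex":
            return sum(1 for h in re.findall(self.pattern, text)
                       if self.validator is None or self.validator(h))
        words = self.pattern.split()
        if self.scrambled and len(words) > 1:   # "high risk" also matches "risk high"
            alts = [r"\s+".join(map(re.escape, p)) for p in permutations(words)]
            pat = "(?:" + "|".join(alts) + ")"
        else:
            pat = re.escape(self.pattern)
        if self.whole_word:                     # "secret" no longer matches "secretly"
            pat = r"\b" + pat + r"\b"
        return len(re.findall(pat, text, re.IGNORECASE))  # case folding is an assumption

    def matches(self, text: str) -> bool:
        return self.count(text) >= self.threshold

@dataclass
class InfoGroup:
    name: str
    types: List[InfoType]

    def matches(self, text: str) -> bool:      # any one information type suffices
        return any(t.matches(text) for t in self.types)

@dataclass
class NamedCondition:
    name: str = "Always"                       # Always: no limitation on scope
    user_contains: Optional[str] = None
    folders: Optional[List[str]] = None

    def allows(self, f: ScannedFile) -> bool:
        return ((not self.user_contains or self.user_contains in f.owner)
                and (self.folders is None or f.folder in self.folders))

@dataclass
class Rule:
    name: str
    groups: List[InfoGroup]
    classification: str
    condition: NamedCondition = field(default_factory=NamedCondition)
    enabled: bool = True

def classify(f: ScannedFile, rules: List[Rule]):
    """First enabled rule whose content matches and whose condition holds wins; later
    rules are skipped (an unmet condition falls through, as in the CEO example above)."""
    for r in rules:
        if r.enabled and r.condition.allows(f) and any(g.matches(f.text) for g in r.groups):
            return r.name, r.classification
    return None, "Unclassified"

def run_demo() -> dict:
    cards = InfoGroup("Payment cards", [InfoType(
        "Credit card", r"\b\d{4} \d{4} \d{4} \d{4}\b", kind="regex", validator=luhn_ok)])
    phones = InfoGroup("Contact info", [InfoType("Phone", r"\b\d{3}-\d{3}-\d{4}\b", kind="regex")])
    code = InfoGroup("Project", [InfoType("Codename", "high risk", whole_word=True, scrambled=True)])
    rules = [   # highest priority first, as the ordering note recommends
        Rule("CEO exception", [cards], "Unclassified", NamedCondition("CEO files", user_contains="ceo@")),
        Rule("Payment cards", [cards], "Highly Confidential"),
        Rule("Phone numbers", [phones], "Confidential"),
        Rule("Project codename", [code], "Confidential"),
    ]
    files = [   # constructed sample content
        ScannedFile("q3-cards.txt", "alice@example.com", "/Finance",
                    "Cards 4111 1111 1111 1111 and 5500 0000 0000 0004; call 555-123-4567"),
        ScannedFile("ceo-note.txt", "ceo@example.com", "/Exec", "Reimburse 4111 1111 1111 1111"),
        ScannedFile("fake.txt", "bob@example.com", "/Shared", "Ref 1234 5678 1234 5678 (fails Luhn); 555-123-4567"),
        ScannedFile("plan.txt", "carol@example.com", "/Shared", "The RISK HIGH plan, secretly approved"),
    ]
    return {f.name: classify(f, rules) for f in files}
```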

Performing a Retroactive Scan

Run a data protection scan that shows alerts that would have been triggered if the rule had been enabled 90 days before today.

There are two use cases for retroactive scans:

• When you first implement data protection and want to classify files that are already in place.

• When you have made important changes in your rules and want to reclassify files that would be classified differently under your new rules.

1. Select Configuration, DLP Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the DLP Management page, click Retroactive Scan in the row of options near the top.


3. If you want to rerun a scan that you ran previously:

a. Locate the scan in the list.

b. In the ACTION column for that scan, click the Rerun Scan icon.

A job appears in the list below the Add Scan button.

c. Continue with step 9 below, "If you need to cancel..."

4. Click Add Scan.

5. In the Add Scan dialog box, set App to the application type that you want to scan retroactively, then set Activity of to the specific application instance you want to scan.

6. In the Scan from list, click any site listed and select any of the available folders that you want to be covered by the retroactive scan for this application instance.

You can select any combination of the folders that are available on the different sites listed.

7. Click Add to add this scan to the list.

8. Click Run Scan to initiate the scan.

A job appears in the list below the Add Scan button.

9. If you need to cancel the scan, click the Stop Scan icon in the ACTION column for the scan.

10. Check the STATUS column to determine if the job has completed:

The retroactive scan job STATUS will have one of these values:

• New: Processing has not yet started.

• In Progress: Job is being processed.

• Completed: Processing has completed.

Note:

Be aware of these restrictions on running retroactive scans:

• You can run only one retroactive scan job at a time on the same Oracle CASB Cloud Service tenant. Until that job’s STATUS is Completed, you cannot create another retroactive scan.

• If the volume of data scanned is greater than the single-tenant limit, the job is split up over several days, processing only the single-tenant limit volume of data each day.

11. When the job’s STATUS is Completed, you can view the updates to data risks on the Data page, and you can view any risk events that were generated on the Risk Events page.

See Viewing Scan Results in Risk Events.


Viewing Scan Results

View scan results on the Data Navigator or in Risk Events.

In the Data Navigator you are viewing only events from scan results, and you have more options for filtering the events.

If you are already in Risk Events, you can easily view events from scan results, and you see the same information when you view the event details on either page.

Viewing Scan Results in Risk Events

Risk events are generated in both ongoing and retroactive scans, and the scan results appear in Risk Events.

As soon as a rule is enabled, it will come into play, scanning files in real time as the events come in — you may not see any results for a while, because files are detected only as activity occurs.

Note:

Once a file is classified according to one of your rules, either in ongoing scanning or in a retroactive scan, the classification of that version of the file is never changed in future ongoing scanning. If you make important changes to your rules, you must run a retroactive scan to update any file classifications that would be different under your new rules. See Performing a Retroactive Scan.

1. Select Configuration, DLP Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the CATEGORY column header to sort the events by category.

3. Look for events where the CATEGORY entry is “DLP Alert” — these events are produced by data protection scans (DLP stands for “data loss prevention”).

If you don’t see any “DLP Alert” events, try clicking the CATEGORY column header to reverse the sort order, or if the list is long, you may have to use the list navigation tools at the bottom of the page to move through the list to locate the “DLP Alert” events.

If you determine that there are no “DLP Alert” events in the list, come back and check later. Files that match your rule can only be detected as activity occurs, and it may take a while for you to see results.

4. When you locate some “DLP Alert” events, look for your rule name in the INSTANCE column.

The name of the rule that triggers a “DLP Alert” event appears in the INSTANCE column.


Note:

You can also search for scan results in Box. In Box, search for files tagged with the classification that you specified in your data protection rule.

Viewing Scan Results in the Data Page

Viewing scan results in the Data page provides more options when you are focusing on scan results and want the maximum support for filtering and processing these events.

1. Select Data from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. View scan results on the page:

• The Data page opens with the information sorted on the RISK column.

• Click a column heading that has up and down arrows next to it to sort the table on that column.

• The RISK column contains icons that reflect the risk level:

– High risk level.

– Medium risk level.

– Low risk level.

– No risk.

• Other columns provide important summary information:

– TYPE:

– OBJECT NAME: The name of the file that was scanned.

– PARENT:

– RISK SCORE: Value is derived from the DLP CLASSIFICATION and SHARING entries.

– OWNER: The email address of the file owner.

– DLP CLASSIFICATION: A measure of the sensitivity of the information; a relative indication of how serious unauthorized access to this information would be.

– SHARING: How widely this file is shared, according to file sharing settings.

– APP: The application type.

– INSTANCE: The application instance.

– SIZE: The file size.

• Click anywhere in the row for an item to view more details.


Data Protection Limitations

Understand the limitations on the data protection feature in Oracle CASB Cloud Service.

As you consider Oracle CASB for Data Protection, Data Loss Prevention, it is important to be aware of the current limitations of this service.

1. Oracle CASB for Data Protection, Data Loss Prevention is not available at this time for tenants using https://loric-ca.palerra.net.

2. Real-time intervention via reverse proxy is not available at this time for tenants using https://loric-eu.palerra.net.

3. Cloud applications supported, and their limitations:

a. Only Box, and Office 365 SharePoint and OneDrive are supported at this time.

b. The quarantine remediation option is only supported for Box.

c. Cloud editing, using tools like Word Online or Google Docs, is not supported through reverse proxy.

4. Only files that are 10 MB or smaller are scanned.

5. Oracle CASB for Data Protection, Data Loss Prevention Retroactive Scan is limited to 200 GB of scanned data per day.

6. Only the following file formats are scanned:

a. Microsoft Office documents

b. PDF files

c. HTML files

d. Single file web archive files (.mht extension)

e. Plain text files

f. RTF files

g. Compressed archive files (.zip, .tar, and .rar extensions)

7. Archive nesting (archive files including other archive files) is supported, with no limit on the number of levels of nesting, as long as the primary archive is within the 10 MB file size limitation.

8. Although predefined data types use heuristics to improve detection, like Luhn validation for credit card numbers, data protection scans cannot be guaranteed to be 100% accurate.


Part V Monitoring Cloud Applications

View, analyze, track, and manage the potential security threats that Oracle CASB Cloud Service collects.

After you have set up a cloud application in Oracle CASB Cloud Service, you can start monitoring security for that application.

Chapters:

• Creating and Running Reports

• Analyzing User Activity Risks and Trends

• Managing Behavioral Anomalies and Threats

• Tracking Incident Tickets


26 Creating and Running Reports

Locate and run predefined reports, and create your own custom reports.

The Reports page displays the reports that you run from the Dashboard, and lets you run detailed activity reports on each user of your cloud applications. You can also create custom reports.

Topics:

• Typical Workflow for Creating and Running Reports

• What's in Reports

• Running Predefined Reports

• User Activity Reports

• System Audit Trail Report

• Analyzing a Report

• Creating a Custom New Report

• Running an Ad Hoc Report: Report Builder

• Viewing Predefined Application-Specific Reports

Application-Specific Topics

• Viewing Reports for AWS

• Viewing Reports for Azure

• Viewing Reports for Box

• Viewing Reports for Custom Apps for AWS

• Viewing Reports for GitHub

• Viewing Reports for Google for Work

• Viewing Reports for Microsoft Office 365

• Viewing Reports for Oracle Cloud Infrastructure (OCI)

• Viewing Reports for Oracle ERP Cloud

• Viewing Reports for Oracle HCM Cloud

• Viewing Reports for Oracle Sales Cloud

• Viewing Reports for Salesforce

• Viewing Reports for ServiceNow

• Viewing Reports for Slack


Typical Workflow for Creating and Running Reports

With Oracle CASB Cloud Service, you can run predefined reports, and create and run custom reports.

Each task below is followed by its description and the topic to see for additional information.

Understand reports. You can learn about how Oracle CASB Cloud Service's reports offer a detailed view of potential security risks. See What's in Reports.

Run predefined reports. You can generate predefined reports in Oracle CASB Cloud Service. See Running Predefined Reports.

Run user activity reports. You can generate reports to monitor activity for a single user or for all users combined in Oracle CASB Cloud Service. See User Activity Reports.

Run the system audit trail report. You can generate a report to monitor administrator actions and automated system events in Oracle CASB Cloud Service. See System Audit Trail Report.

Analyze reports. You can filter or export reports in Oracle CASB Cloud Service. See Analyzing a Report.

Create custom reports. You can create custom reports in Oracle CASB Cloud Service. See Creating a Custom New Report.

Run ad hoc reports. You can construct ad hoc query reports when you don't see the report you want to generate in Oracle CASB Cloud Service. See Running an Ad Hoc Report: Report Builder.

View predefined application-specific reports. You can view predefined reports and summary statistics for each application type. See Viewing Predefined Application-Specific Reports.

What's in Reports

Understand what information reports provide, and how to access them.

A variety of report types are available, for specific application types and for general coverage.

Oracle CASB Cloud Service's predefined reports offer a detailed view of potential security risks. Unless noted otherwise, reports by default display three days of data, with up to 90 days of data available. In addition to the reports on potential security risks, Oracle CASB Cloud Service provides a user activity report, an audit trail report, and custom reports.

Some reports are general, covering all application types. Each application type also has its own application-specific reports.

Chapter 26Typical Workflow for Creating and Running Reports

26-2


General Reports

File downloads
    This report shows the user ID, IP address, app instance, and date of each download.
    You can use the report to get detailed information about users with an unusual amount of downloads.

IP addresses analyzed
    This report is a breakdown of specific addresses flagged as suspicious by a threat feed or in the IP address page in the Oracle CASB Cloud Service console.

System audit trail
    This report is a record of all administrator activity in the Oracle CASB Cloud Service console.

Users with file deletes
    An abundance of deletes can indicate malicious activity.
    This report provides details of each deletion, including the user, the file, the user's IP address, application instance, and date.

Users with no activity
    Orphaned accounts are a security risk.
    If there are a large number of orphaned accounts, this report provides a complete list along with the last date that the account was accessed.

Users with failed logins
    This report provides the IP address and instance being accessed for each failed login.
    Users with an exceptional number of failed logins usually also appear in various threats.

Users with file downloads
    Users with an exceptional number of failed downloads can also appear in various threats.

User logins
    Users with an exceptional number of logins can also appear in various threats.

Application-Specific Reports:

• Viewing Reports for AWS

• Viewing Reports for Azure

• Viewing Reports for Box

• Viewing Reports for Custom Apps for AWS

• Viewing Reports for GitHub

• Viewing Reports for Google for Work

• Viewing Key Security Indicators and Reports for Microsoft Office 365

• Viewing Reports for Oracle Cloud Infrastructure (OCI)

• Viewing Reports for Oracle ERP Cloud

• Viewing Reports for Oracle HCM Cloud

• Viewing Reports for Oracle Sales Cloud

• Viewing Reports for Salesforce

• Viewing Reports for ServiceNow

• Viewing Reports for Slack


Custom Reports:

• Creating a Custom New Report

• Running an Ad Hoc Report: Report Builder

Running Predefined Reports

Run, filter, and sort predefined reports from the Reports page.

Report data always displays in the Reports page. You can filter the information displayed by setting filters on the Reports page. In addition to predefined general reports, you can also run predefined comprehensive user activity reports, an Oracle CASB Cloud Service audit trail report, and you can create and run new types of reports.

You can export the results of any of these reports to a comma-separated value (CSV) file and import this file to most standard spreadsheets.

Running a Predefined Report

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. In the Reports page, click the View Report icon for the report that you want to run.

3. To sort the report, click the column header that you want to use as the sort key.

4. To filter the report, click the Filters panel at the top of the report page to open it.

Select a date range or an instance name, or enter one or more user names separated with commas.

5. To save the report by exporting the data to a CSV file, continue with Exporting a Report.

User Activity Reports

View details of user activity for a single user or for all users combined.

If you want to see what a particular user has been doing, just locate that user on the Users page and view the details, complete with charts.

If you want to see what all users, or a specific list of users, have been doing, run the User activity report from the Reports page.

User Details: Activity for One User

View reports of all the activity for a single user.

When you select a particular user on the Users page, two user activity reports appear. The reports are filtered to show parameters that Oracle CASB Cloud Service uses when assessing the user's overall risk score.

1. Select Users from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


2. On the Users page, click a user name of interest, for example, a user with a high-risk score.

The user details page for that user opens, with the "speedometer" on the left indicating the user's average risk score, with the user's maximum risk score displayed below. The USER RISK SCORE TRENDING chart on the right displays the user's risk score as it has changed over the past 30 days.

Hover over any point on the graph to see the user's precise score on that date.

3. To switch to the interactive USER ACTIVITIES chart, click the User Activities icon in the upper-right corner.

Click a section of a chart bar to display information for that activity in the detail area at the bottom of the page.

Click the User Risk Score Trending icon in the upper-right corner again to switch back to the USER RISK SCORE TRENDING chart.

Note:

If the application involved is using an Oracle Identity Cloud Service IDP instance to authenticate, then you can suspend the user by clicking the ACTIONS link, above the RISK FACTORS label, and clicking the Suspend user link in the ACTIONS dialog box.

4. To focus on various activities of interest in the ISSUES BY ACTIVITIES chart:

• Click the colored box next to an item in the list of activities (Actions in Network Acl, Network Prefix, ...) to remove the activity from the chart. Click the same box again to restore the item.

• Click the Single Selection button to turn off all of the colored boxes except the top one, and then you can easily select just a few.

• Click the Multi Selection button to turn on all of the colored boxes, and then you can easily deselect just a few.

5. With either chart displayed, scroll down the page to see all activity data for the user.

Click the links to the right of the RISK FACTORS box on the left, just below the charts, to scroll quickly to those sections.

User Activity Report: Activity for All Users

View a report of all the activity for all users, or for a specific list of users.

The Reports page contains a User activity report that shows activity for all users in all of your registered cloud applications and services. The report shows three days of activity by default, which can be expanded up to 90 days. You can filter this report by date range, user name, access (source) IP address, and client device type. This report is useful when you want details about a particular user.

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


2. On the Reports page, click anywhere in the row for the User activity report.

The report opens showing all activity for all users over the last three days.

3. Filter the report to focus on parameters of interest:

Caution:

If you set filter values that return too much data, the retrieval process may time out before it can complete. Except for the date range, all other parameters are set to all by default. Avoid extending the date range without limiting some of the other parameters.

• From and To — set a different date range

• User — limit to one or more specific users

• Client type — limit to specific client types

• Instance — limit to a specific application instance

• Source IP address — limit to a specific IP address

Click Search to filter the list with your current settings.

4. To save the report by exporting the data to a CSV file, continue with Exporting a Report.

System Audit Trail Report

View the system audit trail report to see information on all actions taken by Oracle CASB Cloud Service administrators and the Oracle CASB Cloud Service scheduler.

The system audit trail report collects activity data from your registered cloud applications and services. Use this report to monitor administrator actions and automated system events.

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. In the Reports page, click the Run icon for the Oracle CASB Cloud Service audit trail report.

3. In the report details page, click Filters to restrict the amount of data being displayed. You can filter the audit report by date range and user.

4. To save the report, click Export to CSV.

You can open the saved file in a spreadsheet.

Analyzing a Report

Filter the report on the Reports page, or export the report to a spreadsheet.

There are several ways to analyze a report run in Oracle CASB Cloud Service:

• Use filters in the report details page. Most reports provide filtering by date range, user name, and instance.


• Export the report to a spreadsheet for additional analysis. For example, if you want to analyze the Oracle CASB Cloud Service audit trail to see all of the risk events that were dismissed, then you can click Export to CSV, open the resulting .csv file in Excel, and sort the report by the Description column to isolate all of the "dismiss" actions. Exporting the report can also be helpful if you are interested in the log data. You can view logs for individual events in the report details page, but you need to export the report to view multiple event logs simultaneously.
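As an added example (not code from the Oracle guide), the following Python script performs the same audit trail analysis on the exported CSV without a spreadsheet: it sorts on the Description column, isolates the "dismiss" actions, and counts them per administrator. The guide names only the Description column; the Date and User column names and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of an exported audit trail CSV. Only the Description
# column is named in the guide; Date and User are assumed column names and
# the rows are made up for illustration.
SAMPLE_EXPORT = """Date,User,Description
2020-07-01 09:12:03,admin1@example.com,Dismiss risk event 1001
2020-07-01 09:15:44,admin2@example.com,Login
2020-07-01 10:02:10,admin1@example.com,Dismiss risk event 1002
2020-07-02 08:30:00,scheduler,Scheduled scan started
2020-07-02 11:45:12,admin2@example.com,dismissed risk event 1003
2020-07-02 12:00:00,admin1@example.com,Update policy
"""


def load_audit_rows(csv_text):
    """Parse the exported CSV text into one dict per row, keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def sort_by_column(rows, column="Description"):
    """Sort rows on one column, the same step the guide does in a spreadsheet.

    Sorting groups every Description that starts with the same word together,
    which is why sorting on Description isolates the "dismiss" actions.
    """
    return sorted(rows, key=lambda row: row.get(column, "").lower())


def dismiss_actions(rows, column="Description"):
    """Return only the rows whose Description records a dismiss action.

    Matching is case-insensitive and substring-based so that variations such
    as "Dismiss ..." and "dismissed ..." are both caught.
    """
    return [row for row in rows if "dismiss" in row.get(column, "").lower()]


def dismissals_by_user(rows):
    """Count dismiss actions per administrator, most frequent first.

    One administrator dismissing an unusual share of risk events is the kind
    of pattern worth a second look when reviewing the audit trail.
    """
    return Counter(row["User"] for row in dismiss_actions(rows)).most_common()


if __name__ == "__main__":
    audit_rows = load_audit_rows(SAMPLE_EXPORT)
    for row in dismiss_actions(sort_by_column(audit_rows)):
        print(row["Date"], row["User"], row["Description"])
    print(dismissals_by_user(audit_rows))
```

To run it against a real export, replace SAMPLE_EXPORT with the contents of the .csv file and adjust the User column name to match the header in your export.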

Creating a Custom New Report

Create a customized report, with content controlled by the parameters that you specify, and store it in the Reports list to be run as needed.

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Examine the report names listed.

• Note how the reports are grouped. Typically, you view this list in alphabetic order.

• System-generated, application-specific reports have a common prefix that groups them together.

• The name for your custom report doesn't have to follow this scheme. You might choose an application-independent prefix to group related reports, but you should choose a name that will be easy to locate in this list.

• You can't change the custom report name after you create it.

3. Click New Report in the upper right.

4. In the New Report dialog box, on the Name and description page, enter a Report name and optional description, select an Application and an Instance of that application, and then click Next.

5. On the Parameters page, select parameters that define the basic data the report will cover:

• Time Interval: Except for Date range, all time interval settings are relative to the date the report is run.

• Event: Select the event to be reported. Different applications have different event lists.

• When you are done, click Next.

6. Optionally, on the Users and groups page, you can:

• Select either User or Group, to limit your report to covering only the users or groups you specify.

• Enter search text that will match the names of one or more users or groups. For example, if you selected Group and then enter "fin" for the search text, then the report will cover all users in all groups with "fin" in the group name. This would cover the entire Finance department, if all of its groups have "fin" in the group name.

• When you are done, click Next.

7. Optionally, on the Filters page, you can enter parameters that restrict your report to only the access types and IP addresses that you specify.


• For Parameter, select either Access Type or IP Address.

– If you selected Access Type, then select any combination of the device types listed.

– If you selected IP Address, specify the IP address or range of addresses to be included in, or excluded from, your report.

• Click New Filter if you want to specify additional parameters to restrict your report's coverage. You can specify the combination of access types to be covered in your report in a single filter; you may need to set additional filters on IP addresses in order to get the exact combination you want to include and exclude.

• Click the Trash icon to remove a parameter.

• When you are done, click Next.

8. On the Review & Submit page, review your report settings.

• To change settings, click the heading in the left panel to go directly to those settings, or click Previous to go back one page at a time.

• Click Create to save your report.

9. To delete your custom report, locate it in the Reports list, and click the Delete icon on the right.

Running an Ad Hoc Report: Report Builder

Use the Report Builder to create an ad hoc query report using many of the variables available in the predefined reports.

If you don't see the report you want in the Reports page, and the New Report wizard doesn't provide enough flexibility, then try the Report Builder.

As an example of using Report Builder, if the Users page shows a high risk score for a particular user, then you might want to create a unique report to focus on actions that this user has performed in a particular cloud service in a particular time frame.

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. In the Reports page, click the Report Builder button at the top of the page.

3. In the Report Builder page, a filter on Date is displayed by default. The date in the From field is set to two days before the current date and the date in the To field is set to the current date. You can change the dates in these fields to display data over a maximum period of 90 days.

4. In the Report Builder page, click the Add Filter icon, select the first variable of interest in the report (for example, User), and then enter selection criteria for the variable (for example, a username or partial username).

Tip: For many reports, it's practical to start with the most general variable (Application or User) before selecting a more specific one (for example, an action).


Filter names and descriptions:

Action: App Native
    The name of an action taken in the cloud application or service. Example: LOGIN_SUCCESS.
    This list includes all actions, sorted by cloud service type. The name of the related service is shown in a green bar at the top of the drop-down list of actions.
    If you select this action type and the report applies to more than one cloud application or service type, then it can be helpful to display both the Action: App Native and Action: Normalized as report columns (see Step 4).

Action: Normalized
    A common name for an action that can be taken in multiple cloud services. Example: Console login.
    If you select this action type and the report applies to more than one cloud application or service type, then it can be helpful to display both the Action: App Native and Action: Normalized as report columns (see Step 4).

Application
    The name of a cloud application or service.

Application Sub-type
    For services that have sub types, this is the name of a sub type.

Classification
    An IP address classification: Normal or Suspicious.

Country
    The country in which an action is detected.

Date
    The date range for the information in the report.

Device Type
    The access device (a physical device, such as a desktop computer, or a program).

IP Address
    Typically, this is the source IP address (the location of the user or agent performing an action).

Instance
    The name of the registered application instance.

Resource
    The name of the item being acted upon, for example, a file name, a folder name, or a repository name.

Resource Type
    A resource classification, for example, a token (for user authorization) or Drive (for Google Apps).

User
    A user identifier (for example, a full or partial user name).

5. To further restrict the amount of data being displayed, click the Add Filter icon and then select an additional filter.

For example, you can select Date and then set a date range filter.

6. Click Search to apply the filters selected.

7. In the Display/Hide Columns drop-down list, select the report columns that you want to view.

8. Click Reset to remove the filters and set the date fields to the default value.

Viewing Predefined Application-Specific Reports

View the predefined reports that are available for each application type.

The preceding sections cover general predefined reports that summarize information across all of your registered application instances. Each application type has its own set of predefined reports that are specific to that application type. The following topics describe the information that is available for each application type and provide instructions for viewing it.


Viewing Reports for AWS

Locate and view AWS reports on the Reports page.

AWS predefined reports have an AWS: prefix in the name.

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with AWS:, and click anywhere in the row for the report you want to run.

3. To see the raw log data for the issue, click View log data.

AWS Report Types

Understand what information is available in each of the AWS predefined reports.

You can run predefined AWS reports from the Reports page.

You can also create a report from scratch. See Creating a Custom New Report and Running an Ad Hoc Report: Report Builder.

The following table shows what information is available in each of the AWS predefined reports.

AWS: CIS benchmark for IAM and logging
    This report monitors requirements for section 1, Identity and Access Management, and section 2, Logging, from the AWS and Center for Internet Security Web Services Foundations document.
    The report provides recommendations for actions to take, for each item that fails the checks or requires your review.

AWS: IAM users who performed a Switch Role
    This report lists all user Switch Role actions with details about the session in which they used the roles.
    You may want to investigate the activity of users who request an unusual number of cross-account roles, or users who perform a Switch Role action and assume highly privileged roles.

AWS: User actions performed after a Switch Role
    This report shows the actions performed after a user assumed the new role.

AWS: EC2 key pair rotation
    This report lists each key name, its status, its fingerprint, creation region, the instance in which it was generated, and its creation date.
    Both unused and nonrotated keys offer opportunities for the system to be compromised.

AWS: Failed change password attempts
    An unusual number of failed change password attempts can indicate an attempt to hijack a user's credentials.

AWS: IAM access key rotation
    This report lists each key name, its status, its owner, creation date, and the instance in which it was generated.
    Both unused and nonrotated keys offer opportunities for the system to be compromised.

AWS: IAM user roles that Oracle CASB Cloud Service reset
    After you define a policy that allows Oracle CASB Cloud Service to revert changes to role definitions in AWS, this report shows the occasions when Oracle CASB Cloud Service performed a reset action.


AWS: S3 Buckets ACL
    This report lists assigned permissions on S3 bucket access control lists (ACLs) and access control policies (ACPs).

Viewing Reports for Azure

View Azure-specific information in predefined general reports.

Currently no Azure-specific KSIs or reports are provided.

To view Azure-specific information within a global report:

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Locate any report that does not have an application type prefix.

Examples of application prefixes: "AWS:", "Box:", "GitHub:".

Examples of global reports, without prefixes: "Device Type events", "IP addresses analyzed", "System audit trail".

3. Click anywhere in the row for that report.

4. On the report page, click the Filter icon in the top right corner.

5. Drop down the Instance list and select an Azure instance, then click Search at the far right.

Repeat this step for any additional Azure instances.

Viewing Reports for Box

Locate, view, and filter Box reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for Box. You can run these reports from the Reports page. You also can create a new custom report. See Creating a Custom New Report and Running an Ad Hoc Report: Report Builder.

If any report shows unusual activity for a user, you can check the Users page to see whether the user was also flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated.

To run a predefined report from the Reports page:

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with Box: and click anywhere in the row for the report you want to run.

3. To filter the report:

a. If the filter fields are not displayed, click the Filter icon to display them.

b. Make filter selections from the drop-down lists.

c. Click Search.


4. Click View log data to see the raw log data for the issue.

Viewing Reports for Custom Apps for AWS

Locate and view Custom Apps for AWS reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for Custom Apps for AWS. You can run these reports from the Reports page.

You also can create a report from scratch using the report builder.

If any report shows unusual activity for a user, you can check the Users section to see whether the user has also been flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated.

Reports for Custom Apps for AWS

CustomApp: Actions performed
    Lists actions performed by users, in order of frequency.

CustomApp: Browsers used by users
    Lists browsers used, in order of frequency.

CustomApp: Most operating systems used by users
    Lists operating systems used, in order of frequency.

To view reports for Custom Apps for AWS:

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with "CustomApp:" and click anywhere in the row for the report you want to run.

Viewing Reports for GitHub

Locate and view GitHub reports on the Reports page.

GitHub predefined reports have a GitHub: prefix in the name.

GitHub: Action performed on Repository
    Tracks all actions performed on repositories. Highlights the most active repositories.

GitHub: Events by type
    Tracks all actions performed on repositories. Summarizes event types across organizations and repositories.

GitHub: Members added
    Tracks members added to repositories and teams, and teams added to repositories.

GitHub: Most active users
    Tracks each user's actions within the account. A moderately active user suddenly becoming the most active may indicate a hijacked user account.

GitHub: Repository members by role
    Shows the number of users with admin, write and read permissions across all the repositories. In general, there should only be a few administrators for an account.


GitHub: Repository members with role & team
    Lists all repositories, with users and roles. Highlights the repositories that are most accessible to users.

GitHub: Team members
    Lists teams with users and their roles. Highlights teams with the most activity and teams with the most members.

GitHub: User activity
    Lists all user activities with action and object details. Highlights the most active users.

GitHub: User multi-factor authentication status
    Lists all users with their multifactor authentication (MFA) status.

To view GitHub reports:

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with GitHub: and click anywhere in the row for the report you want to run.

3. Click View log data to see the raw log data for the issue.

Viewing Reports for Google for Work

Locate and view Google for Work reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for Google for Work. You can run these reports from the Reports page. You can also create a custom report using the Report Builder. See Creating a Custom New Report and Running an Ad Hoc Report: Report Builder.

If any report shows unusual activity for a user, then you can check the Users page to see whether the user has also been flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated.

Google: Admin roles assigned most often
    Allows you to keep track of the number of users who have access to sensitive information.
    In general, the number of people with administrative roles should be limited.

Google: Activities performed by administrators
    Allows you to monitor for administrators who are performing an unusual number of sensitive operations.

Google: Active devices
    Helps you track devices, whether they are being shared (if different users have the same device ID), and actions performed on the devices.

Google: Activities performed by administrators
    Allows you to track whether an unusual number of sensitive operations are being performed, such as adding users to privileged roles.


Google: File downloads
    Allows you to keep track of unusual download activity, by file type.
    Note: Google Drive information on files and folders is only monitored for administrator users.

Applications authorized by users
    Monitors the number of apps that users have downloaded from the Google marketplace and permitted to access data from their other apps.

Users with publicly shared content
    Unusually high sharing indicates suspicious activity. An extreme number is indicative of account compromise or an insider threat.

To run a Google for Work report:

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with Google:, and click anywhere in the row for the report you want to run.

3. Click View log data to see the raw log data for the issue.

Viewing Reports for Microsoft Office 365

Locate and view Microsoft Office 365 reports on the Reports page.

Note:

If you registered your Office 365 instance before April 2016, to enable the features for SharePoint and OneDrive and for Azure AD, you must reenter the Oracle CASB Cloud Service user's credentials for your registered application instance in the credentials update page. From the Oracle CASB Cloud Service console, select Applications, and then:

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, select Modify, Update credentials.

• In grid view, drop down the Action list for the instance you want to modify, and then select Update credentials.


Exchange Reports

Office 365: Exchange administrator activity
    Helps to detect Exchange administrators who have an unusually high amount of activity.
    You can also check the Users page to see whether any administrators listed in this indicator are flagged as being high risk.

Office 365: Cmdlets run
    You can track almost any type of Exchange Online activity through its corresponding cmdlet.

Azure AD Reports

Office 365: Azure Active Directory audit report
    Helps to detect Azure AD administrators who have an unusually high amount of activity.
    You can also check the Users page to see whether users listed in this indicator are flagged as being high risk.

Office 365: Azure Active Directory audit report
    You can track almost any type of Azure AD activity through its corresponding audit report.

SharePoint/OneDrive Reports

Office 365: SharePoint/OneDrive files accessed
    Helps to identify suspicious trends regarding file access.

Office 365: SharePoint/OneDrive audit report
    Helps to detect users who have an unusually high amount of activity.
    You can also check the Users page to see whether users listed in this indicator are flagged as being high risk.

Office 365: SharePoint/OneDrive invitations created
    Helps to detect unwanted sharing of data, particularly files with sensitive information and sharing with users outside the organization's domain.
    You can also define a policy in Configuration, Policy Management to track sharing activity outside of your organization's domain.

Office 365: SharePoint/OneDrive files deleted
    Helps to detect users who have an unusually high amount of file deletions.
    You can also check the Users page to see whether users listed in this indicator are flagged as being high risk.

Office 365: SharePoint/OneDrive shared links created
    Helps to detect unwanted sharing of data, particularly files with sensitive information and sharing with users outside the organization's domain.
    You can also define a policy in Configuration, Policy Management to track sharing activity outside of your organization's domain.

Office 365: SharePoint/OneDrive files modified
    Helps to identify suspicious trends regarding file access and use.

Office 365: SharePoint/OneDrive files downloaded
    Helps to identify suspicious trends regarding data exfiltration.
    You can also define a policy in Configuration, Policy Management to track download activity for particular files or downloads by particular users.


To view Office 365 reports

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with Office 365: and click anywhere in the row for the report you want to run.

3. Click View log data to see the raw log data for the issue.

Viewing Reports for Oracle Cloud Infrastructure (OCI)

Locate and view OCI reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for Oracle Cloud Infrastructure. You can run these reports from the Reports page.

You also can create a custom report from scratch using the report builder.

If any report shows unusual activity for a user, you can check the Users page to see whether the user has also been flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated.

Report Name / Description

CASB Security Controls exceptions
Shows information on CASB Security Control exceptions that prevent certain OCI objects from being monitored.

CASB Security Control template attachment
Shows information on the template each OCI compartment uses.

IAM User API Keys age report
Shows key state and rollover status for API keys.

KMS key rotation
Shows a list of KMS keys and the key age for compartments under a registered tenancy.

Objects encrypted using KMS key
Shows the list of OCI objects and the KMS keys they are using.

Privileged IAM changes - Group membership
Shows information on users added to, or removed from, groups.

Privileged IAM changes - Users and Groups
Shows information on actions targeting users and groups.

Public buckets
Shows information on public buckets.

Swift passwords report
Shows information on Swift passwords.

User activity report
This automates the report that you could generate in Report Builder by filtering for Application = OCI.

To view reports for OCI

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.


2. Scroll to the section of report names that start with "Oracle Cloud Infrastructure:" and click anywhere in the row for the report you want to run.

3. Click View log data to see the raw log data for the issue.

Viewing Reports for Oracle ERP Cloud

Locate and view Oracle ERP Cloud reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for Oracle ERP Cloud. You can run these reports from the Reports page.

You also can create a report from scratch using the report builder.

If any report shows unusual activity for a user, you can check the Users page to see whether the user has also been flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated.

Report Name / Description

Oracle ERP Cloud: Payables Bank Account and External Bank Account Changes Report*
Users who have made the most changes to Bank Account and External Bank Account business objects

Oracle ERP Cloud: Payables Disbursement Payment System Security and Financial System Changes Report*
Users who have made the most changes to Payables options business objects

Oracle ERP Cloud: Procurement Supplier Changes Report*
Users who have made the most changes to Suppliers business objects

Oracle ERP Cloud: Role management changes
Users who have had the most role changes

Note:

Reports listed above with an asterisk ("*") do not appear unless you have enabled Oracle ERP Cloud business objects in your Oracle CASB Cloud Service tenant. To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

To view reports for Oracle ERP Cloud

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with "Oracle ERP Cloud:" and click anywhere in the row for the report you want to run.

3. Run a detailed report from Reports.

4. Click View log data to see the raw log data for the issue.


Viewing Reports for Oracle HCM Cloud

Locate and view Oracle HCM Cloud reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for Oracle HCM Cloud. You can run these reports from the Reports page.

You also can create a report from scratch using the report builder.

If any report shows unusual activity for a user, you can check the Users page to see whether the user has also been flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated.

Report Name / Description

Oracle HCM Cloud: Compensation changes
Users who have had the most compensation changes

Oracle HCM Cloud: Personally Identifiable Information (PII) changes
Personally identifiable information (PII) changes that have been most frequent

Oracle HCM Cloud: Role management changes
Roles most frequently affected by changes

To view reports for Oracle HCM Cloud

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with "Oracle HCM Cloud:" and click anywhere in the row for the report you want to run.

3. Click View log data to see the raw log data for the issue.

Viewing Reports for Oracle Sales Cloud

Locate and view Oracle Sales Cloud reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for Oracle Sales Cloud. You can run these reports from the Reports page.

You also can create a report from scratch using the report builder.

If any report shows unusual activity for a user, you can check the Users page to see whether the user has also been flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated.

Report Name / Description

Oracle Sales Cloud: Role management changes
Roles and users most frequently affected by changes

To view reports for Oracle Sales Cloud

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with "Oracle Sales Cloud:" and click anywhere in the row for the report you want to run.


3. Click View log data to see the raw log data for the issue.

Viewing Reports for Salesforce

Locate and view Salesforce reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for the Salesforce Sales Cloud. You can run these reports from the Reports page. You can also create a custom report. See Creating a Custom New Report and Running an Ad Hoc Report: Report Builder.

If any report shows unusual activity for a user, then you can check the Users page to see whether the user was flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated.

Report Name / Description

Salesforce: Admins who made changes to Setup
The Setup section of Salesforce controls the appearance of data and access privileges throughout the application.
This report can alert you to administrators who are making an unusual number of changes.
Click the report icon for details about all the actions in Setup. The Salesforce setup, once established, should be relatively stable.

Salesforce: Created and updated objects
This report can alert you to unusual changes to Salesforce objects. Many Salesforce objects should be relatively stable, such as administrative groups, contracts, and leads.
Click the report icon for details about all the object updates.
Some Salesforce objects are particularly sensitive because they contain personal information about customers, and financial and legal data for your organization.

Salesforce: Custom reports exported
Reports can contain sensitive information about your business. Unusual export activity or export by unauthorized users can be a sign of data leakage. Oracle CASB Cloud Service collects data about reports that users store in Public Reports (the default folder) or any folder other than the user's personal folder.
This report indicates popular reports and can indicate trends related to data leakage (whether sensitive reports were exported).
Note:
Salesforce (and as a result, Oracle CASB Cloud Service) only updates these metrics once every 24 hours.
To view this security indicator and report, you must have purchased the event log file API option. See Creating a Dedicated Profile in Salesforce.


Salesforce: Custom reports run
Reports can contain sensitive information about your business. Running reports on sensitive data or export by unauthorized users can be a sign of data leakage.
This report indicates which reports are the most popular. The report shows trends related to data leakage (whether sensitive reports were run).
Oracle CASB Cloud Service collects data about reports that users store in Public Reports (the default folder) or any folder other than the user's personal folder.
Note:
To view this report, you must have purchased the event log file API option. See Creating a Dedicated Profile in Salesforce.

Salesforce: Admins who made changes to Setup
The Setup section of Salesforce controls user privileges and what end users of Salesforce can see and do.
Changes to sensitive Salesforce data, such as administrative groups, contracts, and leads can indicate suspicious activity.
This report can indicate whether particularly sensitive Salesforce objects and permissions have been modified.
This report provides details about which section of Setup was used, the action taken in that section, the time, and the Salesforce application instance.

To view reports for Salesforce

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with Salesforce:, and click anywhere in the row for the report you want to run.

3. Click View log data to see the raw log data for the issue.

Viewing Reports for ServiceNow

Locate and view ServiceNow reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for ServiceNow. You can run these reports from the Reports page. You can also create a custom report. See Creating a Custom New Report and Running an Ad Hoc Report: Report Builder.

If any report shows unusual activity for a user, you can check the Users page to see whether the user was also flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated. This table lists the predefined reports for ServiceNow.


Report Name / Description

ServiceNow: Users who created critical and high incidents
This report can show whether there are particularly active users (which can indicate either extreme productivity or an insider threat, depending on the user).
The report provides details about these users.

ServiceNow: Users who resolved critical and high incidents
This report can show whether there are particularly active users (which can indicate either extreme productivity or an insider threat, depending on the user).
The report provides details about these users.

ServiceNow: Users granted highly privileged administrative roles
This report can show whether there are too many privileged ServiceNow users. The report provides details about these users.

To view reports for ServiceNow

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with "ServiceNow:" and click anywhere in the row for the report you want to run.

3. Click View log data to see the raw log data for the issue.

Viewing Reports for Slack

Locate and view Slack reports on the Reports page.

Oracle CASB Cloud Service offers predefined reports for Slack. You can run these reports from the Reports page. You can also create a custom report. See Creating a Custom New Report and Running an Ad Hoc Report: Report Builder.

If any report shows unusual activity for a user, then you can check the Users section to see whether the user was flagged as being high risk. You also can search the Risk Events page for additional events in which the user or administrator is implicated.

Caution:

If your Slack account does not provide direct access to private channels and direct messages to the user registered with Oracle CASB Cloud Service, this information is not collected. Reports and policy alerts will show nothing, or only the public channel data that is available.

Report / Description

Slack: Channel activities
Breaks down channel activity for both public and private channels

Slack: File created
Breaks down users by number of files created

Slack: File Edited
Breaks down users by number of files edited


Slack: Private Channel invites
Breaks down users by number of private channel invitations sent

Slack: Public Channel invites
Breaks down users by number of public channel invitations sent

Slack: Users
Breaks down users by use and non-use of two-factor authentication (2FA)

Slack: Users in direct messages
Breaks down users involved in direct messages

Slack: Users in group direct messages
Breaks down users involved in group direct messages

Slack: Users in private channel
Breaks down users by activity in private channels

Slack: Users in public channel
Breaks down users by role: owner, admin, or member

To view reports for Slack

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Scroll to the section of report names that start with Slack: and click anywhere in the row for the report you want to run.

3. Click View log data to see the raw log data for the issue.


27 Analyzing User Activity Risks and Trends

Find and analyze the different types of user activity risks that Oracle CASB Cloud Service detects.

After you add your first application instance and Oracle CASB Cloud Service completes initial data collection, Oracle CASB Cloud Service generates a risk event for every type of security issue that it detects.

Topics:

• Typical Workflow for Analyzing User Activity Risks and Trends

• Different Types of Risk That Oracle CASB Cloud Service Monitors

• Risk Summaries: The Dashboard Summary Tab

• Overall Health of All Registered Services: The Health Summary Card

• Incidents Summary

• Risks Specific to Each Application: The Applications Page

• Risks to Users

• Risks for Access IPs and Clients

• Managing Different Types of Risks

• Searching For and Viewing Risks

• Dismissing Risk Events

Typical Workflow for Analyzing User Activity Risks and Trends

With Oracle CASB Cloud Service, you can generate risk events for security issues that are detected based on user activity.

Task / Description / Additional Information

Understand risk types.
You can learn about the different types of risk that Oracle CASB Cloud Service monitors.
See: Different Types of Risk That Oracle CASB Cloud Service Monitors

Understand risk summaries.
You can learn about high-level information associated with the types of risk that Oracle CASB Cloud Service monitors.
See: Risk Summaries: The Dashboard Summary Tab

Understand the health of application instances.
You can learn about the open issues and incident tickets for all application instances monitored by Oracle CASB Cloud Service.
See: Overall Health of All Registered Services: The Health Summary Card


Understand incidents.
You can learn about how Oracle CASB Cloud Service generates incident tickets for anomalous behavior patterns.
See: Incidents Summary

Monitor risk for applications.
You can monitor for several different types of risk for applications.
See: Risks Specific to Each Application: The Applications Page

Monitor risk for users.
You can monitor for several different types of risk for users.
See: Risks to Users

Monitor risk for access identity providers and clients.
You can monitor for several different types of risk for access identity providers and clients.
See: Risks for Access IPs and Clients

Manage risk types.
You can manage different risk types in Oracle CASB Cloud Service.
See: Managing Different Types of Risks

View risk events.
You can search for and view risk events in Oracle CASB Cloud Service.
See: Searching For and Viewing Risks

Dismiss risk events.
You can dismiss risk events from Oracle CASB Cloud Service.
See: Dismissing Risk Events

Different Types of Risk That Oracle CASB Cloud Service Monitors

Oracle CASB Cloud Service monitors four different categories of risk. Data for different types of risk is displayed in different parts of the Oracle CASB Cloud Service console.

Risks / Where to find them

User behavior risks
The Oracle CASB Cloud Service Users page. Oracle CASB Cloud Service provides a risk score for each user based on the user's activity history. The risk score is based on hundreds of behavioral parameters (for example, logins, failed logins, and file downloads). When the user's amount of activity for a particular parameter spikes from their normal usage history, Oracle CASB Cloud Service increases the user's risk score and provides details of the user's actions as they relate to the parameter.


Suspicious activity, indicative of a threat
These are specific behavior patterns that appear to be suspicious. Examples: possible account compromise for an administrator based on an unusual amount of administrative changes, or a user who is hopping between IP addresses and geographical locations.
Oracle CASB Cloud Service displays the number of threats found in the Dashboard section of the console, and displays a description of each threat in the Risk Events page (with an option to drill down into details for the alert).
Oracle CASB Cloud Service also displays a risk score based on anomalous activity in the Users page.
For tracking and remediation purposes, Oracle CASB Cloud Service automatically creates a ticket for any threat in the Incidents section of the console.

Security control
This is a non-conforming security configuration value that can leave your users or data at a higher risk of compromise. Examples include settings that permit users to create a five-character password or leave sessions idle for 12 hours before a timeout.
Oracle CASB Cloud Service displays the number of security control alerts in the Dashboard. You can read the complete alert in the Risk Events page. For tracking and remediation purposes, you can optionally create tickets for security control issues in the Incidents section.
Note:
Monitoring for weak security settings isn't currently supported for GitHub and Office 365.

Policy alert
A policy is a rule (for example, "if anyone shares a file tagged Confidential, generate an alert"). When Oracle CASB Cloud Service detects an event that matches a policy, it generates an alert in the console, and it can also send the alert over email. Examples of actions that are often the subject of policies include changes to access control lists, creating or deleting privileged roles and users, and downloading or sharing sensitive files.
Oracle CASB Cloud Service displays the number of policy violations found in the Dashboard. You can find a complete description of each policy alert in the Risk Events page. For tracking and remediation purposes, you can optionally create tickets for policy alerts in the Incidents section.
Finally, you can configure policies and optionally direct policy alerts to an email recipient in Configuration, Policy Management.

Risk Summaries: The Dashboard Summary Tab

Understand how to view summary information on risks in the Dashboard.

What to Look at First

After your first login to a new account, each time you log in to Oracle CASB Cloud Service, the landing page shows the Summary tab in the Dashboard.


Unless there are particular issues that you want to concentrate on, you can view the Health Summary card to see if there are any current risks. If any of the following items has a value higher than zero, you can click the number to immediately view details of the risk in the Monitor:

• Non compliant security controls. One or more of your registered cloud services has security configuration settings that don't match your preferences.

• Policy alerts. An action was taken in one or more of your registered cloud services that doesn't comply with rules that you or another administrator defined in Oracle CASB Cloud Service.

• Threats. Oracle CASB Cloud Service identified potentially suspicious actions in one or more of your registered cloud services. The Oracle CASB Cloud Service threat engine tracks user behavior and flags both anomalies and behaviors that appear to exceed a normal threshold.

Cards in the Summary Tab

• Health Summary: A rollup of all risks for all monitored services. Click any number to view the details for the risk type (or open incident ticket).

• Access map: Locations of normal and suspicious IP addresses that have accessed the monitored services.

• IP addresses analyzed: A count of normal and suspicious IP addresses. IP addresses that are flagged as suspicious have been identified either by an Oracle CASB Cloud Service administrator or a third-party IP reputation feed.

• User risk levels: Shows users with risky behavioral profiles. A high risk score indicates a user account that might be subject to misuse (account sharing, account compromise, or another issue).

• Users with the most failed login attempts: Shows the top 5 users with failed logins. An exceptional number suggests a brute force attack. Click the report icon to drill down to a report of all failed logins.

• Users with the highest login activity: Shows trends related to user logins. Click the report icon to drill down to a report of all login activity.

• Incidents: Shows a tally of new and resolved incident tickets. Click the report icon to view the actual tickets.

• Client type and activity: The clients (including web services) and devices that are accessing your applications.

Overall Health of All Registered Services: The Health Summary Card

Understand how to view summary information on risks in the Health Summary Card.

The Health Summary card summarizes the open issues and incident tickets for all monitored application instances. A breakdown by application instance is available from the Applications page, as described in Risks Specific to Each Application: The Applications Page. By default, this card shows three days of data, with up to 90 days of data available.

Click a non-zero number in this card to view the related items. For example, click the Threats number to view all open threats.


Related Topics:

• Managing Weak or Noncompliant Security Controls

• Creating Policies and Managing Policy Alerts

• Managing Behavioral Anomalies and Threats

Incidents Summary

Understand how to view summary information on all incidents in the Incidents card.

The Incidents card in the Dashboard displays the number of new tickets in the Incidents section of the console and the number of incidents that were resolved.

Oracle CASB Cloud Service automatically generates incident tickets for anomalous behavior patterns, and Oracle CASB Cloud Service administrators can manually create incident tickets for any type of risk that Oracle CASB Cloud Service detects.

This card shows up to 90 days of data. To view the corresponding incident tickets, click the grid icon in the card.

Risks Specific to Each Application: The Applications Page

Understand how to view summary information on risks for a single application instance in the Applications page.

Information on the risks that are specific to each application instance is available from the Applications page, where an icon indicates the risk level or status for each application instance:

• — High risk level. A threat was detected.

• — Medium risk level. Some items require investigation, but no behavioral threats or malicious IP address accesses.

• — Low risk level. Few or no issues require attention.

• — Status: You or another administrator recently added this application instance. Oracle CASB Cloud Service is collecting initial data.

• — Status: Application instance is unreachable.

These icons also appear at the top of the Applications page, with a count indicating how many registered application instances are in each risk level or status. Click a non-zero number next to an icon to display only application instances in that risk level or status.

From the Applications page, to view all alerts for a single application on the Risk Events page:

• In grid view, in the row for an application instance, click the number under the column heading for the type of incident you want to view.

• In card view, click an application tile to see the Health Summary card for that application, then click the number next to the type of incident you want to view.


Below are the types of events for which you can get a filtered list of incidents in a link in Risk Events. The labels appear as shown below on the Health Summary card in card view. In grid view, as column headers, they are all completely capitalized:

• Security Controls. The number of weak security configuration settings in the application instance (for example, weak requirements for password length and complexity).

• Incidents. The number of incident tickets raised for this application instance.

• Threats. The number of suspicious behaviors or IP addresses currently detected.

• Policy Alerts. All open alerts triggered by a manually configured policy.

• Most recent data analyzed. A summary of new items reviewed during the last data collection run.

A value of 0 means that there are no related risk events.

Risks to Users

Understand how to identify and analyze user risks.

Users pose a variety of different security risks that Oracle CASB Cloud Service can detect.

Identifying High Risk Users: User Risk Levels Card

Understand how to use the User risk levels card to identify high risk users.

In the Dashboard, the User risk levels card provides an overview of whether any users of your cloud services have an elevated risk score.

Oracle CASB Cloud Service typically collects 10 days of data before creating a risk profile for a user. It then generates a risk score for the user. This score is based on the degree to which the user's actions over the past day (24 hours) have deviated from their typical usage pattern. Oracle CASB Cloud Service doesn't analyze every action when calculating this risk score. Instead, it looks at actions that are often implicated in malicious insider or external hacker activity.

Typically, the longer Oracle CASB Cloud Service monitors a user's behavior, the more accurate the risk score will be.

Examples of behaviors that can generate a high risk score:

• Downloading an unusual number of files, or deleting an unusual number of files, from IP addresses that the user hadn't used.

• Traversing an unusually long geographical distance in a relatively short amount of time, particularly when benchmarked against the user's typical behavior.

• Accessing a cloud service from new IP addresses and locations outside of typical work hours for that user.

• Unusual application-specific activities for the user that might involve sensitive data. For example, in Salesforce, Oracle CASB Cloud Service monitors actions such as changes to security controls (for example, session timeout settings), changes to federated identity providers (known as Security Assertion Markup Language, or SAML, providers), mass transfers and deletes, and changes to authentication certificates.


This Dashboard card provides a summary of users and highlights which users areshowing normal activity and which users have shown behaviors that put their accountat risk.

Click the report icon in this card (the grid) to view a detailed report of users who are atrisk (also accessible from the Users page).

Click any area of the chart to view details for the users at the corresponding risk level.

Related Topics:

• Users with the Most Failed Logins Card

• Users with the Most Logins Card

• Finding and Analyzing Users at Risk

Analyzing User Risks: The Users Page

Understand how to use the Users page to analyze high risk users.

The Users page provides a risk profile for all users who access the cloud applications or services that Oracle CASB Cloud Service monitors.

Each risk profile is based on activity that Oracle CASB Cloud Service considers atypical. These activities can be generic (for example, an unusually high number of login attempts or access IP addresses) or specific to an application type (for example, sensitive administrative operations that are specific to Amazon Web Services).

For the first 10 days that Oracle CASB Cloud Service monitors a user, it bases its risk score on internal benchmarks. After 10 days of monitoring a particular user, Oracle CASB Cloud Service bases the risk score on significant changes in the user's behavior, relative to that user's previous behavior. The longer Oracle CASB Cloud Service monitors a user, the more stable Oracle CASB Cloud Service's model of the user becomes. Oracle CASB Cloud Service recalculates its risk score daily based on new input, and raises or lowers the risk score relative to the new risk factors detected:

• Generic factors include the user's locations and IP addresses, file download activity, and number of operating systems used.

• Service-specific factors include sharing content with external users; creating, updating, and deleting content; and administrative activity, such as creating, modifying, and deleting users.

These are the risk ratings in the Users page:

• High. A risk score of 90 and above is categorized as high risk.

• Medium. 80-89.

• Low (some) risk. 60-79.

• Normal activity. Below 60.

To View Users at Risk

1. Select Users from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

This page displays all monitored users, sorted by default according to their risk scores.

Note:

Some AWS users can have the key HIDDEN_DUE_TO_SECURITY_REASONS instead of a user name. This is because AWS hides the names of users who have errors during login that could expose potentially sensitive information (for example, accidentally entering a password in the user name field).

2. To view details related to an individual risk factor for a user, click the risk factor name (for example, Failed login IP addresses).

3. To view all details related to a user's risk score, click the user name.

4. In the user details page, click a link in the Risk Factors section to view the details related to specific risk factors for a user.

Note:

For risk factors related to new items (for example, new IP addresses), you must manually compare the recently detected items with the items listed as previously seen.

5. If there are more than ten lines of data for a particular risk factor:

• Click the See More link at the bottom of the table, and in the risk factor details dialog box, page through all of the events related to the risk factor.

• To view the raw event data for a particular risk in this table, click the View log data button in each table row.

6. To close the risk factor details dialog box, click the close icon in the upper right corner.

7. To close the user risks details page, click the close icon in the upper right corner.

Note:

You can do additional investigation of this user by generating an activity report, and by searching for risk events related to this user in the Risk Events page.

8. To view a report of all activity related to a user:

a. Select Users from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

b. Locate a user and then click the user name.

c. In the user details page, click the link for All Activities Report.

d. To save the data in this report, click the Export to CSV button.

Users with the Most Failed Logins Card

Understand how to use the Users with the most failed logins card to identify high risk users.

The Dashboard card for most failed user logins can give you insight into users who may need help with password creation and retrieval, and it can also indicate possible account hijacking attempts when the failure numbers are extreme.

To get more information about potential security issues, click the View Report icon and explore the overall pattern. If Oracle Identity Cloud Service (IDCS) is enabled in your Oracle CASB Cloud Service tenant, the report shows two additional columns:

• ASSOCIATED CASB APP — the application instance registered in Oracle CASB Cloud Service that the user accessed.

• ASSOCIATED IDP APP — the name of the single sign-on application that was used to access the registered application instance.

To enable IDCS, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

You can also run a user activity report and filter the report for the user in question to see if the multiple login failures are associated with other unusual activity (for example, login success, followed by a high number of file downloads or sensitive administrative operations).

In addition, you can click the Users page to see if this user appears to have a high-risk level, or search for the user name in the Risk Events section of the console to see if this user is an actor in any risk events.

Related Topics

• Identifying High Risk Users: User Risk Levels Card

• Users with the Most Logins Card

• Finding and Analyzing Users at Risk

Users with the Most Logins Card

Understand how to use the Users with the most logins card to identify high risk users.

The Dashboard card for most user logins can give you insight into user activity. Excessive numbers of logins on the part of a particular user can be an indicator of a compromised account.

To get more information about potential security issues, click the View Report icon and explore the overall pattern. If Oracle Identity Cloud Service (IDCS) is enabled in your Oracle CASB Cloud Service tenant, the report shows two additional columns:

• ASSOCIATED CASB APP — the application instance registered in Oracle CASB Cloud Service that the user accessed.

• ASSOCIATED IDP APP — the name of the single sign-on application that was used to access the registered application instance.

To enable IDCS, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

You can also run a user activity report, and filter the report for the user in question to see if the multiple logins are associated with other unusual activity (for example, a high number of file downloads or sensitive administrative operations).

In addition, you can select the Users page in the Oracle CASB Cloud Service console to see if this user appears to have a high-risk level, or search for the user name in the Risk Events page of the console to see if this user is an actor in any risk events.

Related Topics:

• Identifying High Risk Users: User Risk Levels Card

• Analyzing User Risks: The Users Page

• Users with the Most Failed Logins Card

Risks for Access IPs and Clients

Understand how to identify and analyze risks related to IP addresses and clients.

Oracle CASB Cloud Service monitors for several different types of risk for access IPs and clients.

Suspicious and Normal Access IP Addresses: The Dashboard Access Map

Understand how to interpret the IP address information displayed in the Access Map in the Dashboard.

Threat feeds and Oracle CASB Cloud Service administrators can flag IP addresses as suspicious. The Access Map on the Dashboard shows geographical locations with user activity from both trusted IP addresses and IP addresses that were flagged as suspicious.

• Green pins or radial icons on the map indicate geographical locations with activity that appears to be normal.

• Red pins on this map indicate geographical locations with events that are a threat or that an Oracle CASB Cloud Service administrator has tagged as suspicious. Red radial icons indicate a cluster in which at least one pin is red.

Note:

When Oracle CASB Cloud Service detects a threat, it doesn't automatically change the pin color in the Access Map to red. You can investigate threats and determine whether to flag the IP addresses included in a threat by manually adding them to a blacklist. See Putting IP Addresses on Blacklists or Whitelists.

• Radial icons indicate a cluster of access locations. If the icon is red, then this indicates at least one suspicious location is included in the cluster. Click these points to view the individual access points.

To investigate pins on the Access Map

1. Select Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. In the Access Map, click a pin, or click a radial icon to expose its underlying pins.

3. Click the link for the number of events in the pin location.

4. A corresponding report appears in the Reports page.

5. To sort the report, click the column header that you want to use as the sort key.

6. To filter the report, ensure that the filters widget is exposed, set a filter (for example, select a date range), and then click Search.

7. To save the report by exporting the data to a CSV file, continue with Exporting a report.

Related Topics

• The IP Addresses Analyzed Card

• The Client and Device Access Card

The IP Addresses Analyzed Card

Understand how to interpret the IP information displayed in the IP Addresses Analyzed card.

Oracle CASB Cloud Service ingests information about suspicious IP addresses from several third-party providers and lists normal and suspicious IP addresses in this card. You can also add blacklisted or whitelisted IP addresses to be monitored. To add blacklisted or whitelisted IP addresses for monitoring, see Putting IP Addresses on Blacklists or Whitelists.

To view details of the IP addresses analyzed, click the report icon (the grid).

Any IP addresses that are flagged as suspicious should be investigated. Copy and paste the IP address in the risk event viewer in the Risk Events section of the Oracle CASB Cloud Service console to see if the suspicious IP address is implicated in any policy alerts and threats that Oracle CASB Cloud Service detected.
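The following is an added illustration of the logic this card and the Access Map describe; it is example code written for this page, not Oracle CASB Cloud Service code. It classifies each access IP against a threat feed and an administrator's blacklist and whitelist, lists the suspicious addresses that need investigation, and then colors pins and cluster (radial) icons so that a cluster is red when at least one of its pins is red. The feed and list contents, the precedence order (an explicit blacklist entry first, then the whitelist, then the feed), the event fields, and clustering by region are all assumptions made for the example; the addresses come from documentation ranges.

```python
"""Classifying access IPs and colouring Access Map pins and clusters.

Added example, not Oracle CASB Cloud Service code. From the page: threat
feeds and administrators flag IPs as suspicious, administrators keep
blacklists and whitelists, a red pin marks a suspicious location, and a
radial (cluster) icon is red when at least one pin in it is red. Assumed
here: the list contents, the precedence order, the event fields, and
clustering by region.
"""
import ipaddress

# Constructed lists using documentation address ranges. In a real tenant the
# feed comes from third-party providers and the lists from the console.
THREAT_FEED = {"203.0.113.0/24": "constructed feed entry: scanner range"}
ADMIN_BLACKLIST = {"198.51.100.77/32": "flagged by an administrator"}
ADMIN_WHITELIST = {"198.51.100.0/24": "corporate egress range"}


def _match(ip, table):
    """Return the reason attached to the first network in `table` containing `ip`."""
    addr = ipaddress.ip_address(ip)
    for net, reason in table.items():
        if addr in ipaddress.ip_network(net):
            return reason
    return None


def classify_ip(ip):
    """Return ('suspicious' | 'normal', reason). Precedence is an assumption:
    an explicit administrator blacklist entry wins, then the whitelist (so a
    feed hit inside a whitelisted range is treated as normal), then the feed."""
    reason = _match(ip, ADMIN_BLACKLIST)
    if reason:
        return "suspicious", "blacklist: " + reason
    reason = _match(ip, ADMIN_WHITELIST)
    if reason:
        return "normal", "whitelist: " + reason
    reason = _match(ip, THREAT_FEED)
    if reason:
        return "suspicious", "threat feed: " + reason
    return "normal", "no list match"


def suspicious_ips(events):
    """IPs that should be investigated, with the reason they were flagged."""
    flagged = {}
    for ev in events:
        verdict, reason = classify_ip(ev["ip"])
        if verdict == "suspicious":
            flagged[ev["ip"]] = reason
    return flagged


def access_map(events):
    """One pin per (region, city); one radial cluster icon per region.
    A pin is red if any event from that city used a suspicious IP, and a
    cluster is red if at least one of its pins is red."""
    pins = {}
    for ev in events:
        key = (ev["region"], ev["city"])
        if classify_ip(ev["ip"])[0] == "suspicious":
            pins[key] = "red"
        elif key not in pins:
            pins[key] = "green"
    clusters = {}
    for (region, city), color in pins.items():
        cluster = clusters.setdefault(region, {"color": "green", "pins": {}})
        cluster["pins"][city] = color
        if color == "red":
            cluster["color"] = "red"
    return clusters


def constructed_events():
    """Constructed access events (not real log data)."""
    return [
        {"ip": "198.51.100.20", "region": "US-CA", "city": "San Jose"},  # whitelisted
        {"ip": "198.51.100.77", "region": "US-CA", "city": "San Jose"},  # blacklisted /32 inside the whitelist
        {"ip": "192.0.2.5", "region": "US-CA", "city": "Los Angeles"},   # unlisted
        {"ip": "203.0.113.9", "region": "DE-BE", "city": "Berlin"},      # threat feed
        {"ip": "192.0.2.200", "region": "JP-13", "city": "Tokyo"},       # unlisted
    ]


if __name__ == "__main__":
    events = constructed_events()
    for ip, reason in suspicious_ips(events).items():
        print("investigate", ip, "-", reason)
    for region, cluster in access_map(events).items():
        print(region, cluster["color"], cluster["pins"])
```

With the constructed data, San Jose turns red because one of its events came from the blacklisted host even though the surrounding range is whitelisted, which in turn makes the whole US-CA cluster red while Los Angeles stays green; the precedence order is the part to check against your own tenant's settings before reusing the logic.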

Related Topics

• Suspicious and Normal Access IP Addresses: The Dashboard Access Map

• The Client and Device Access Card

The Client and Device Access Card

Understand how to interpret the information displayed in the Client and Device Access card.

The Client and Device Access card summarizes the device types and services that accessed your applications. The API Call label identifies access by a program or application. A device type of Other means the client type couldn't be identified.

Click the report icon (the grid) to see a detailed report about client and device access. Click a bar in the chart to see a detailed report about access from that client or device type.

Related Topics

• Suspicious and Normal Access IP Addresses: The Dashboard Access Map

• The IP Addresses Analyzed Card

Managing Different Types of Risks

Understand how to manage the different types of risks that Oracle CASB Cloud Service detects.

The way in which you manage a detected risk depends on the risk type.

Related Topics:

• Incidents Summary

• Managing Weak or Noncompliant Security Controls

• Managing Policy Alerts in Risk Events

• Managing Behavioral Anomalies and Threats

Searching For and Viewing Risks

Find and view risks from the Dashboard and from the Risk Events page.

The Risk Events page in the Oracle CASB Cloud Service console shows a risk event for each weak or non-compliant security control setting, policy violation, and behavioral anomaly or potential threat. By default, the page shows different types of risk for up to 90 days of data.

You can view risk events several different ways:

• To view risk events for all application instances, drill down from the Health Summary tile in the Dashboard.

• To view risk events for a single application instance, drill down from health summary information in Applications.

• To view risk events for all or selected application instances, go directly to Risk Events.

Viewing Risk Events from the Risk Events Page

On the Risk Events page, filter the list or search for risk events containing specified text, sort the list, and view detailed information for individual events.

1. Select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. To search for risk events:

a. Click the Search icon at the upper right.

b. Enter the text that you want to find.

c. Press Enter.

The search results display all risk events that contain the text you entered anywhere in the Summary, Category, and Status columns.

• Click any column heading that has a sort icon (arrows) to sort the table alphabetically by the information in the column.

• To filter by application instance, click Filter App Instances at the top of the page.

3. To filter risk events:

a. Click the Filter icon at the upper right.

b. Set any combination of filters to focus on specific groups of risk events.

• Risk Level — high-, medium-, or low-risk events.

• Category — a single risk event category.

• App Instance — one or more application instances.

Deselect All, then select individual application instances.

• Status — open or resolved risk events.

• Date Range — risk events logged in a specific date range.

Note:

Date ranges labeled “Last # days” all start at midnight on the first date, and end at the present moment. “Last 1 day” includes all of yesterday.

c. Click Search.

The search results now display all risk events matching your filter settings.

Note:

The filter icon is highlighted to indicate that you are viewing a subset of the risk events. If you return to the Risk Events page in the same session, or later in another session, the events remain filtered.

4. To sort risk events, click any column header that has the up and down arrows beside it.

5. To view details for a risk event, click the event.

The row for the risk event expands to show additional information.

• For a weak or non-compliant security setting in the application, the event is a security control alert, and the details will show which setting should be updated and the recommended value for the new setting.

• For a policy violation, the event is a policy alert, and the event details will show the user who triggered the alert and the affected resource.

• For a behavioral threat, the event can fall into several categories. The event details will show the variables that triggered the alert (for example, unusually high failed logins or administrative changes), the user who performed the actions, and other details.

6. To view the settings that are causing security control alerts and behavioral threats to appear in Risk Events, select Configuration, Threat Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

A risk events entry is triggered whenever THRESHOLD values on the Threat Management page are exceeded.

Viewing Risk Events from the Dashboard

From the Dashboard, go directly to the risk events behind the summary information for all registered application instances.

1. Select Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. In the Health Summary card, click the number beside a risk event type (policy alerts, security controls, or threats).

The Risk Events page displays, showing the risk event type you selected in the Dashboard, for all registered application instances.

3. Sort or filter the list, and view details for individual events.

See Viewing Risk Events from the Risk Events Page.

Viewing Risk Events from the Applications Page

From the Applications page, go directly to the risk events behind the summary information for a specific application instance.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Locate the application instance for which you want to see risk events, and:

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, click a non-zero number beside one of the four risk event categories.

• In grid view, click a non-zero number in one of the four risk event category columns.

3. Sort or filter the list, and view details for individual events.

See Viewing Risk Events from the Risk Events Page.

Dismissing Risk Events

After you fix the cause of a reported risk or decide that a reported risk doesn't require action, you dismiss the risk event from the Oracle CASB Cloud Service console.

Dismissing a risk also closes out any related incident tickets. You can later retrieve risk events that were dismissed.

Oracle CASB Cloud Service creates an entry in its audit trail for each dismiss action.

1. Select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Locate the events that you want to dismiss.

3. Dismiss one or more events:

• To dismiss an individual event, click the drop-down menu in the ACTION column for the event and then select Dismiss.

• To dismiss multiple events at a time, click the selection check box to the left of the events that you want to dismiss, and then click the Dismiss button at the top of the page.

• If an event was triggered by a policy alert, you can dismiss all events for the same policy alert at the same time. Click the drop-down menu in the ACTION column for the event, select Dismiss, and then select Dismiss all ... open risk events created by the policy ....

Note:

If the number of events dismissed is 100 or more, a job is created on the Jobs page. See Jobs.

The risk events are dismissed, along with any associated incident tickets.

4. To find dismissed events on the Risk Events page:

a. Select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

b. In the Status drop-down menu, select Resolved.

5. To run a report of dismissed events:

a. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

b. Select Oracle CASB Cloud Service audit trail.

c. In the audit trail report, do one of the following:

• Search the Description column in the report.

• Export the audit trail to a .csv file, open the .csv file in a spreadsheet, and then search for dismissed events.
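As an added example of the second option above (example code written for this page, not Oracle CASB Cloud Service code), the script below reads an exported audit trail .csv, keeps the rows whose Description records a dismiss action, restricts them to a "Last # days" window with the semantics documented for the Risk Events date filter (midnight on the first day up to now), and separates bulk "Dismiss all ..." actions, which close many events at once, from single dismissals. The page only names the Description column; the Timestamp and Actor column names, the wording of the descriptions, and the sample rows are assumptions made for the example.

```python
"""Searching an exported audit trail for dismiss actions.

Added example, not Oracle CASB Cloud Service code. From the page: every
dismiss action is written to the audit trail, the audit trail report can be
exported to a .csv file, the Description column is where to search, and
"Last # days" date ranges run from midnight on the first day to now ("Last
1 day" covers all of yesterday). Assumed here: the Timestamp and Actor
column names, the wording of the descriptions, and the sample rows.
"""
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed export; a real export's column names and wording may differ.
AUDIT_CSV = """Timestamp,Actor,Description
2020-07-01T08:15:00,admin1@example.com,Dismissed risk event RE-1001 (policy alert)
2020-07-01T08:16:00,admin1@example.com,Dismissed all open risk events created by policy Bulk-download (14 events)
2020-07-02T10:00:00,admin2@example.com,Updated threat management threshold for failed logins
2020-07-03T17:45:00,admin2@example.com,Dismissed risk event RE-1042 (threat)
2020-07-03T17:46:00,admin2@example.com,Dismissed risk event RE-1043 (threat)
"""

DISMISS_RE = re.compile(r"\bdismiss", re.IGNORECASE)
BULK_RE = re.compile(r"\bdismissed all\b", re.IGNORECASE)


def last_n_days(n, now):
    """'Last n days' as documented: from midnight n days before `now` up to `now`.
    For n = 1 the window starts at midnight yesterday."""
    start = (now - timedelta(days=n)).replace(hour=0, minute=0, second=0, microsecond=0)
    return start, now


def dismiss_actions(csv_text, window=None):
    """Rows whose Description records a dismiss action, optionally restricted
    to a (start, end) datetime window."""
    actions = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not DISMISS_RE.search(row["Description"]):
            continue
        ts = datetime.fromisoformat(row["Timestamp"])
        if window is not None and not (window[0] <= ts <= window[1]):
            continue
        actions.append({
            "ts": ts,
            "actor": row["Actor"],
            "bulk": bool(BULK_RE.search(row["Description"])),
            "description": row["Description"],
        })
    return actions


def dismissals_last_n_days(csv_text, n, now_iso):
    """Dismiss actions within the 'Last n days' window ending at `now_iso`."""
    return dismiss_actions(csv_text, last_n_days(n, datetime.fromisoformat(now_iso)))


def summarize(actions):
    """Dismissals per actor, plus the bulk 'Dismiss all ...' actions, which
    close many events at once and deserve a second look."""
    return {
        "per_actor": Counter(a["actor"] for a in actions),
        "bulk": [a["description"] for a in actions if a["bulk"]],
    }


if __name__ == "__main__":
    recent = dismissals_last_n_days(AUDIT_CSV, 3, "2020-07-04T12:00:00")
    report = summarize(recent)
    print(dict(report["per_actor"]))
    for line in report["bulk"]:
        print("bulk:", line)
```

Run against a real export, replace AUDIT_CSV with the file contents and adjust the column names to match the header row of your export.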

28 Managing Behavioral Anomalies and Threats

Understand how to manage behavioral anomalies and threats that Oracle CASB Cloud Service detects.

Oracle CASB Cloud Service monitors user and agent behavior and automatically generates risk scores and alerts based on their activity patterns. To take advantage of this data, you must find and analyze users at risk, suspicious activity patterns, and activity from suspicious IP addresses.

As described in Anomalous Behaviors and IP Addresses, Oracle CASB Cloud Service monitors user and agent behavior and automatically generates risk scores and alerts based on their activity patterns.

Topics:

• Typical Workflow for Managing Behavioral Anomalies and Threats

• Dashboard View of User Risks and Threats

• Finding and Analyzing Users at Risk

• User Risk Factors

• Viewing Suspicious Activity Threats

• Monitoring Suspicious IP Addresses

• Detecting Application-Specific Threats

Typical Workflow for Managing Behavioral Anomalies and Threats

With Oracle CASB Cloud Service, you can find and analyze users at risk, suspicious activity patterns, and activity from suspicious IP addresses.

Task: Understand the Dashboard.
Description: You can learn about how the Summary tab in the Oracle CASB Cloud Service Dashboard provides high-level summaries of users at risk.
Additional Information: Dashboard View of User Risks and Threats

Task: Analyze high-risk users.
Description: You can use Oracle CASB Cloud Service to find and analyze users at risk, and process users with high-risk scores.
Additional Information: Finding and Analyzing Users at Risk

Task: Understand risk types.
Description: You can learn about high-level information associated with risk factors for users in each application type.
Additional Information: User Risk Factors

Task: View suspicious activity threats.
Description: You can use Oracle CASB Cloud Service to view suspicious activity.
Additional Information: Viewing Suspicious Activity Threats

Task: Monitor suspicious IP addresses.
Description: You can monitor for suspicious IP addresses in Oracle CASB Cloud Service.
Additional Information: Monitoring Suspicious IP Addresses

Task: Monitor application-specific threats.
Description: In addition to global threats that apply to all application types, you can monitor threats that are specific to each application type.
Additional Information: Detecting Application-Specific Threats

Dashboard View of User Risks and Threats

Understand how to find and interpret information on user risks and threats that is available in the Dashboard.

The Dashboard provides quick access to summaries of risks and threats. From the Dashboard summary information you can click through to the full details from the log data:

• Suspicious activity threats

• User behavior anomalies

• Activity from suspicious IP addresses

Suspicious activity threats. Oracle CASB Cloud Service identifies activity patterns that appear to be suspicious and marks them as Threats in the Health Summary card. Click the number in the card to view the details for these threats in Risk Events. By default the Risk Events page shows events for all application instances. You can filter the list to show events for any one or more application instances that you select. See Viewing Suspicious Activity Threats.

You can also view a single type of risk event for a single application instance by drilling down from the Applications page. See Risks Specific to Each Application: The Applications Page.

User behavior anomalies. Oracle CASB Cloud Service assigns a risk score to the user based on significant deviations from the user's typical activities. These are shown in the User risk levels card. Click anywhere in the chart to view details for each user's risk score. See Finding Users at Risk.

Activity from suspicious IP addresses. Oracle CASB Cloud Service also identifies suspicious IP addresses using third-party IP reputation and network information feeds, as well as your own IP whitelist and blacklist data. These appear as red pins in the Access Map. If a red pin shares a geographical region with other pins (red or green), the map shows a red radial icon. Click a pin and then click the event link in the related pop-up to view suspicious IP address details. See Monitoring Suspicious IP Addresses.

Finding and Analyzing Users at Risk

View the data that Oracle CASB Cloud Service provides on users flagged as possible risks, and analyze that data to determine if you need to take action.

After you have uploaded your directory information, Oracle CASB Cloud Service generates a risk score for each user and agent that accesses one of your registered cloud apps or services. The risk score is based on how much a user's actions in a 24-hour period deviate from the norm for that user's activity history.

Initially, Oracle CASB Cloud Service compares each individual's activity against a set of internal benchmarks. After ten days, Oracle CASB Cloud Service compares each individual's activity in a 24-hour period with that individual's past behavior. The longer Oracle CASB Cloud Service monitors a particular individual, the more accurate its assessments become.

Oracle CASB Cloud Service monitors common risk factors such as failed logins and the total number of access IP addresses as well as factors that are specific to the cloud service being monitored.

Finding Users at Risk

Find users at risk, and information about their recent activities summarized on the Dashboard, with additional details available in the Risk Events and Users pages.

The Dashboard displays summary information regarding users at risk. For users with a high risk score, Oracle CASB Cloud Service also generates entries in the Risk Events page. Full details on each user’s recent activity are available on the Users page.

1. Select Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the Summary tab.

The User risk levels card shows tallies of users and risk levels (normal activity or low, medium, and high risk assessments).

3. To view risk levels for all users, from the Oracle CASB Cloud Service console, select the Users page from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

The users with the highest risk scores are shown at the top of the table by default. You can also click a segment of the User risk levels card to filter the Users page by risk level.

4. In the Users page, click a user name to view the details of risk factors for that user.

Processing Users with High Risk Scores

Take a few simple actions when you find a user with a high risk score.

In general, when you find a user with a high risk score, there are a few simple actions you can take in Oracle CASB Cloud Service to do additional investigation:

1. Run a full activity report on the user (a link to the full report is available on the risk details page).

2. Check whether the user shared their credentials. If not, consider the possibility of account compromise or an insider threat.

3. Check the Risk Events page for any other risk events related to this user.

4. Consider configuring a new Oracle CASB Cloud Service policy to generate alerts related to this user.

5. Consider implementing safeguards for user accounts, including multi-factor authentication and VPN access with endpoint verification and protection.

6. If you suspect the account has been compromised, force a password reset and consider blocking the account's access IP address.

Analyzing Users at Risk

Analyze the factors for a user with a high risk score and correlate that user with other risk events.

You can assess user risks from the user details view in the Oracle CASB Cloud Service console Users section and user activity reports. You can also find other risky events that involve a particular user in the Risk Events section of the console.

1. Select Users from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the user name for a user with a high risk score.

3. In the user details page, click the links under Risk Factors (below the speedometer icon).

4. Determine whether any factors are of immediate importance:

Risk Factor: What You Can Do

• IP address or proxy IP address. Use an IP reputation service to determine the trustworthiness of the user's access points.

• Failed logins. Check the login frequency, elapsed time for the failed login attempts, and login locations to see if there may be an attempt to hijack the user's account.

• Locations. Check whether the access locations match hubs on your corporate network.

• Access devices. If multiple devices are being used simultaneously, make sure they all belong to the user who owns the account (the account is not being shared).

• Operating systems. If multiple operating systems are being used simultaneously, make sure they all belong to the user who owns the account (the account is not being shared).

• File and folder activity (views, deletes). If there is excessive activity related to corporate data, and other risk factors appear suspicious, this can be an indicator of account compromise or misuse.

• Role, password, access key, and access control updates. If there is excessive activity related to access privileges, and other risk factors appear suspicious, this can be an indicator of account compromise or misuse.

5. Click View log data for any item in the activity tables to get additional detailsrelated to each event.

For example, HTTP request parameters, request URL, and user identity details.

6. To view all of this user's actions in for up to 30 days, click the link, Go to 30-dayactivity report.

7. Correlate a user with a high risk score with other risk events in Oracle CASBCloud Service:

a. From the Oracle CASB Cloud Service console, select the Users page, andcopy the user name.

b. Select Risk Events, and in the risk events page, Filter text field, paste theuser name.

If there are any additional risk events related to this user, the table will befiltered to only show the events related to them.

c. Repeat these steps for other risk factors, such as this user's access IPaddresses.

User Risk FactorsReview summaries of each risk factor for users in different application types.

Select Users in the Oracle CASB Cloud Service console, then select the username todisplay a user profile page for the user's risk score. Depending on the application type,you see different risk factors.

General Risk Factors

Learn about risk factors that apply to all application types.

Login count per day. In the past 24 hours the account for a user had a large number of logins relative to his or her typical behavior.

If this is a legitimate user, determine whether network outages caused the need to log in multiple times. If you can't find an obvious reason for the login count, check whether the user is sharing their login credentials (this should be discouraged).

IP addresses per day. In the past 24 hours the account for a user had logins from a large number of IP addresses relative to past behavior. This can indicate an account hijacking attempt, sharing of account credentials, or other issues related to account access.

Check whether the user is traveling, or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Geo locations per day. This user account had logins from a large number of locations in the past 24 hours, relative to past behavior. This can indicate an account hijacking attempt, sharing of account credentials, or other suspicious access.

Check whether the user is traveling, or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.


Failed logins per day. The account for a user had a large number of failed logins in the past 24 hours, relative to past behavior. This can indicate an account hijacking attempt.

Check whether the user is having login issues and needs help with selecting a strong passphrase that can also be remembered. If the user associated with this account does not recall having issues with login, determine whether this was an attempt to compromise the account.

Failed login IP addresses per day. The account for a user had failed logins from a large number of IP addresses in the past 24 hours, relative to past behavior. This can indicate an account hijacking attempt, sharing of account credentials, or other suspicious access.

Check whether the user is traveling, or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat. You also can run a report in Oracle CASB Cloud Service to see if the IP address has been flagged as suspicious. If you find suspicious activity, block the IP addresses performing the failed logins.

Geo locations for failed logins per day. The account for a user had failed logins from a large number of geographical locations in the past 24 hours, relative to past behavior. This can indicate an account hijacking attempt, sharing of account credentials, or other suspicious access.

Check whether the user is traveling, or has another legitimate need to log in from varying locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

Distance traveled per day. In the past 24 hours, the account for a user had logins that spanned unusually large geographical distances between IP addresses. This can indicate an account hijacking attempt, sharing of account credentials, or other suspicious access.

Check whether the user is traveling, or has another need to log in from different (and distant) locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

After-hours access. The account for a user had activity at an unusual time of day relative to his or her normal behavior.

Check whether the user is traveling, working against a deadline, or has other operational or business needs. If more investigation is needed, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Failed logins after hours. The account for a user had failed logins at an unusual time of day relative to his or her normal behavior.

Check whether the user is traveling or needs assistance with password retrieval. If more investigation is needed, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.


Platforms per day. In the past 24 hours the account for a user had logins from a large number of operating systems relative to his or her normal behavior.

Check whether this user has been issued a new device or has brought in a new device of their own, the operating systems were upgraded or changed, and if the devices and upgrades were authorized.

Browsers per day. In the past 24 hours the account for a user had logins from a large number of browsers relative to his or her normal behavior.

Check whether this user has been issued a new device or has brought in a new device of their own, or the operating systems were upgraded or changed, and if the devices and upgrades are authorized.

Suspicious IPs per day. In the past 24 hours the account for a user had logins from one or more IP addresses that a threat feed or an Oracle CASB Cloud Service administrator tagged as suspicious.

Because at least one source has flagged an IP address as suspicious, check the Oracle CASB Cloud Service console, Reports section, and search for additional information about the IP address. Also check the Configuration section, Manage IP addresses page to see if an Oracle CASB Cloud Service administrator is responsible for flagging this IP address. If you find suspicious activity, block the IP addresses performing the activity and initiate your incident response plan.

Proxy IP addresses per day. In the past 24 hours the account for a user had logins using a large number of proxy IP addresses relative to his or her normal behavior. A proxy substitutes (disguises) the real IP address being used to access a cloud service with a set of substitute (proxy) IP addresses.

Check whether the user is traveling or has another need to log in from different locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

Access IP addresses per day. In the past 24 hours the account for a user had activity from a large number of IP addresses relative to his or her normal behavior. This includes logins and additional activities.

Check whether the user is traveling, or has another need to log in from different locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

Network prefixes per day. In the past 24 hours, there has been a large change in the pattern of networks that this account has connected from.

Check whether the user is traveling, or has another need to log in from different locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

Activity and geo locations per day. In the past 24 hours the account for a user had activity from a large number of geographical locations relative to his or her normal behavior.

Check whether the user is traveling, or has another need to log in from different (and distant) locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

New access IP addresses per day. In the past 24 hours the account for a user had activity from an IP address that had not been used previously.

Check whether the user is traveling, or has another need to log in from different (and distant) locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

New subnet masks per day. In the past 24 hours the account for a user had activity from an IP address with a new subnet mask (the final three octets).

New network prefixes per day. In the past 24 hours the account for a user had activity from an IP address with a new network prefix (the final two octets).

New access countries per day. In the past 24 hours the account for a user had activity from a country that had not been used previously.

Check whether the user is traveling, or has another need to log in from different (and distant) locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, or the user shared his or her login credentials.

New browsers per day. In the past 24 hours the account for a user had activity using a browser that had not been used previously.

Check whether this user has been issued a new device or has brought in a new device of their own, the operating systems were upgraded or changed, additional web browsers installed, and if the devices and upgrades were authorized.

New operating systems per day. In the past 24 hours the account for a user had activity using an operating system that had not been used previously.

Check whether this user has been issued a new device or has brought in a new device of their own, the operating systems were upgraded or changed, and if the devices and upgrades were authorized.

New devices per day. In the past 24 hours, the account for a user had activity using a device that had not been used previously.

Check whether this user has been issued a new device or has brought in a new device of their own and if the devices and upgrades were authorized.
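The general factors above are all of one shape: today's value for a user compared with that user's past behavior, plus a set of novelty checks (an IP address or country never used before). The following added example, which is not Oracle CASB Cloud Service code, derives several of them (login count, IP addresses, geo locations, distance traveled, after-hours access, new access IP addresses, new access countries) from a constructed set of login events; the events, coordinates, business hours and the ratio threshold are all assumptions made for the demonstration.

```python
"""Added example (not Oracle CASB Cloud Service code): derive several of the
general risk factors described above from a user's login events.

Count factors are "today's value relative to past behavior": the user's prior
days form the baseline and a factor fires when today's value exceeds a multiple
of the baseline mean. Novelty factors (new access IP addresses, new access
countries) compare today's values with everything seen on prior days.
All events, coordinates, business hours and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login events: (user, UTC timestamp, source IP, country, lat, lon).
EVENTS = [
    # Baseline days: one office IP in London, business hours only.
    ("alice", "2020-07-01T09:05:00", "203.0.113.10", "GB", 51.51, -0.13),
    ("alice", "2020-07-01T13:40:00", "203.0.113.10", "GB", 51.51, -0.13),
    ("alice", "2020-07-02T08:55:00", "203.0.113.10", "GB", 51.51, -0.13),
    ("alice", "2020-07-02T16:10:00", "203.0.113.10", "GB", 51.51, -0.13),
    ("alice", "2020-07-03T09:30:00", "203.0.113.10", "GB", 51.51, -0.13),
    # Day under review: the office login, then two IPs never seen before,
    # one of them in another country and used again after hours.
    ("alice", "2020-07-04T09:00:00", "203.0.113.10", "GB", 51.51, -0.13),
    ("alice", "2020-07-04T09:20:00", "198.51.100.7", "GB", 51.51, -0.13),
    ("alice", "2020-07-04T10:15:00", "192.0.2.44", "US", 40.71, -74.01),
    ("alice", "2020-07-04T23:45:00", "192.0.2.44", "US", 40.71, -74.01),
]

BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 is in-hours
RATIO = 1.5                    # assumption: fire when today > 1.5 x baseline mean


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def day_features(day_events):
    """Per-day counts for one user: the 'per day' factors described above."""
    ordered = sorted(day_events, key=lambda e: e[1])
    # Distance traveled: sum of hops between consecutive logins, in time order.
    distance = sum(haversine_km(a[4], a[5], b[4], b[5])
                   for a, b in zip(ordered, ordered[1:]))
    after_hours = sum(1 for e in ordered
                      if datetime.fromisoformat(e[1]).hour not in BUSINESS_HOURS)
    return {
        "login_count": len(ordered),
        "ip_addresses": len({e[2] for e in ordered}),
        "geo_locations": len({(e[4], e[5]) for e in ordered}),
        "distance_km": round(distance, 1),
        "after_hours": after_hours,
    }


def risk_factors(events, user, day):
    """Return the factors that fire for `user` on `day` (YYYY-MM-DD).

    Count factors map to (today's value, baseline mean); novelty factors map
    to the sorted list of values not seen on any prior day.
    """
    by_day = defaultdict(list)
    for e in events:
        if e[0] == user:
            by_day[e[1][:10]].append(e)
    prior_days = [d for d in by_day if d < day]
    if day not in by_day or not prior_days:
        return {}  # no activity today or no baseline to compare against
    today = day_features(by_day[day])
    baseline = {k: sum(day_features(by_day[d])[k] for d in prior_days)
                / len(prior_days) for k in today}
    fired = {}
    for k, value in today.items():
        # A zero baseline means any activity of this kind is unusual.
        if value > 0 and value > RATIO * baseline[k]:
            fired[k] = (value, round(baseline[k], 2))
    prior_events = [e for d in prior_days for e in by_day[d]]
    new_ips = {e[2] for e in by_day[day]} - {e[2] for e in prior_events}
    new_countries = {e[3] for e in by_day[day]} - {e[3] for e in prior_events}
    if new_ips:
        fired["new_access_ip_addresses"] = sorted(new_ips)
    if new_countries:
        fired["new_access_countries"] = sorted(new_countries)
    return fired


if __name__ == "__main__":
    for factor, detail in risk_factors(EVENTS, "alice", "2020-07-04").items():
        print(f"{factor}: {detail}")
```

On the constructed day under review every count factor fires and both novelty factors list the unseen values, while a baseline day such as 2020-07-02 produces no factors at all.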

AWS Risk Factors

Learn about risk factors that are specific to Amazon Web Services (AWS).

EC2 instance starts per day. In the past 24 hours, this administrative account has issued a large number of start or run EC2 instance commands relative to past behavior. EC2 instances are virtual servers that use a defined amount of CPU, memory, and so on as defined in an Amazon Machine Image (AMI). Each time you transition an instance from stopped to started, Amazon EC2 charges a full instance hour, even if transitions happen multiple times within a single hour.

Check whether this administrator is authorized to start these EC2 instances and recalls performing these actions.


Stop EC2 instance monitoring, occurrences per day. In the past 24 hours this administrative account stopped monitoring a large number of EC2 instances relative to past behavior. EC2 instances are virtual servers that use CPU, memory, and so on as defined in an Amazon Machine Image (AMI). They are a part of your critical infrastructure.

Check whether this administrator is authorized to stop monitoring of your EC2 instances and recalls performing these actions.

EC2 instance ACLs, actions per day. In the past 24 hours, this user performed a large number of actions on EC2 network ACLs or ACL entries relative to past behavior. EC2 instances are virtual servers that use CPU, memory, and so on as defined in an Amazon Machine Image (AMI). They are a part of your critical infrastructure. EC2 Access Control Lists (ACLs) determine which users can access and manage EC2 instances.

Check whether this administrator has configured sufficiently restrictive EC2 network ACLs and recalls performing these actions.

EC2 security groups, actions per day. In the past 24 hours this administrative account performed a large number of actions related to EC2 security groups or inbound/outbound traffic rules for these groups relative to past behavior. EC2 instances are virtual servers that use CPU, memory, and so on as defined in an Amazon Machine Image (AMI). They are a part of your critical infrastructure. Security groups determine the privileges for users who access and manage EC2 instances.

Check whether this administrator has added a large number of users to the security groups because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

EC2 key pairs, actions per day. In the past 24 hours this administrative account performed a large number of actions related to EC2 key pairs relative to past behavior. These key pairs permit access to an Elastic Compute Cloud (EC2) instance, which is part of your critical infrastructure.

Check whether these are authorized actions, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

IAM policies, actions per day. In the past 24 hours, this user performed a large number of actions related to IAM policies relative to past behavior. Policies grant permissions to IAM users and groups, defining the resources that the user or group can access, and the actions they can perform.

Check whether the administrator updated administrative or highly privileged user policies, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM groups, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) groups or group policies relative to past behavior. IAM groups provide sets of permissions to IAM users. An IAM user is an account for a person or a service that can perform administrative actions in AWS. For a service or application running on an EC2 instance, the IAM user credentials permit the service to access S3 storage buckets and other important resources.


Check whether the administrator updated administrative or highly privileged user groups, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM roles, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) roles or role policies relative to past behavior. Roles provide sets of permissions to IAM users. An IAM user is an account for a person or a service that can perform administrative actions in AWS. For a service or application running on an EC2 instance, the IAM user credentials permit the service to access S3 storage buckets and other important resources.

Check whether the administrator updated administrative or highly privileged user roles, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM users, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) users or user policies relative to past behavior. An IAM user is an account for a person or a service that can perform administrative actions in AWS. For a service or application running on an EC2 instance, the IAM user credentials permit the service to access S3 storage buckets and other important resources.

Check whether the administrator updated administrative or highly privileged users, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM certificates, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) signing certificates or server certificates relative to past behavior. An IAM signing certificate permits the user or agent who has the certificate to use the EC2 command line and AMI tools. Server certificates enable SSL between servers and the clients that access them. AWS uses SSL certificates for various types of servers, including Elastic Load Balancing servers.

Check whether the administrator is authorized to manage IAM user certificates or server certificates, the certificates use valid ciphers (not deprecated) with appropriate key lengths and bit lengths, and that you are tracking expiration dates for timely replacement.

OpenID, actions per day. AWS supports federated authentication based on OpenID Connect (OIDC). This allows users to sign in to AWS using their credentials from another service (for example, Salesforce or Ping Federate).

Check whether this administrator is authorized to establish cross-domain trust, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM access keys, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) access keys relative to past behavior. AWS uses cryptographic keys to authenticate Identity and Access Management (IAM) users.

Check whether this administrator issued these IAM access keys to authorized users, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM login profiles, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) login profiles relative to past behavior. Login profiles allow users to access the AWS Management Console.

Check whether this administrator is authorized to update login profiles, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM instance profiles, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) instance profiles relative to past behavior. IAM instance profiles can pass a role (a set of permissions) to an EC2 instance.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

SAML providers, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management (IAM) SAML providers relative to past behavior. SAML refers to the Security Assertion Markup Language. It provides federated access to your systems, which means it permits single sign-on across security domains.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

IAM password changes per day. In the past 24 hours this administrative account performed a large number of Identity and Access Management (IAM) password changes relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

Password policy changes per day. In the past 24 hours this administrative account changed a large number of Identity and Access Management (IAM) password policies relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

RDS DB snapshots per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) DB snapshots in AWS relative to past behavior.

Check whether the administrator is authorized to take RDS database snapshots. Also check whether the administrator recalls performing these actions.

RDS cluster snapshots per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) cluster snapshots in AWS relative to past behavior.

Check whether the administrator is authorized to take RDS cluster snapshots, and recalls performing these actions.

RDS clusters, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) clusters in AWS relative to past behavior.


Check whether the administrator is authorized to update RDS cluster snapshots, and recalls performing these actions.

RDS security groups, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) security groups in AWS relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

RDS instances, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) instances in AWS relative to past behavior.

Check whether the administrator is authorized to update RDS instances, and recalls performing these actions.

EC2 IP addresses, actions per day. In the past 24 hours this administrative account performed a large number of actions related to EC2 IP addresses in AWS relative to past behavior. AWS administrators work with both private (internal network) and public (public Domain Name System, or DNS) IP addresses. The administrators also configure routing among EC2 instances using their private IP addresses.

Check whether the administrator is authorized to manage EC2 IP addresses, and recalls performing these actions.

IAM IP addresses, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Identity and Access Management IP addresses relative to past behavior. These entries identify the IP addresses that requests are allowed to come from.

Check whether the administrator is authorized to manage IAM IP addresses, and recalls performing these actions.

RDS IP addresses, actions per day. In the past 24 hours this administrative account performed a large number of actions related to Relational Database Service (RDS) IP addresses relative to past behavior.

Check whether the administrator is authorized to manage RDS IP addresses, and recalls performing these actions.

Box Risk Factors

Learn about risk factors that are specific to Box.

Downloads per day. In the past 24 hours this user account has done a large number of downloads from Box relative to past behavior.

Check whether these are sensitive files.

Download IP addresses per day. In the past 24 hours this user account has downloaded content from Box using a large number of IP addresses relative to past behavior.

Check whether the user is traveling, or has another legitimate reason for downloading from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.


Uploads per day. In the past 24 hours this user account has done a large number of uploads to Box relative to past behavior.

Check whether these are sensitive files.

Upload IP addresses per day. In the past 24 hours this user account has uploaded content to Box from a large number of IP addresses relative to past behavior.

Check whether the user is traveling, or has another legitimate reason for uploading from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Items shared per day. In the past 24 hours this user account has shared a large number of items relative to past behavior.

Check whether this user shared sensitive files.

Copy actions per day. In the past 24 hours this user account has copied a large number of items relative to past behavior.

Check whether these are sensitive files.

Users added to groups per day. In the past 24 hours this user account added a large number of users to groups relative to past behavior.

Check whether these are administrative or privileged groups, and whether the administrator recalls performing these actions.

Folders added to groups per day. In the past 24 hours this user account added a large number of folders to groups relative to past behavior.

Check whether these folders contain sensitive information.

Groups created per day. In the past 24 hours this user account created a large number of groups relative to past behavior.

Check whether this user created administrative or privileged groups, and whether the user recalls performing these actions.

Sharing expiration updates per day. In the past 24 hours the account for a user updated a large number of expiration settings relative to past behavior.

Check whether the updated settings in Box conform to organization policies and this administrator is authorized to change these settings.

Admin role changes per day. In the past 24 hours this administrative account made a large number of administrative role changes relative to past behavior.

Check whether these are administrative or privileged roles, and whether the administrator recalls performing these actions.

Admin logins per day. This administrative account had a large number of logins in the past 24 hours relative to his or her typical behavior.

If this is a legitimate administrator, determine whether network outages caused the need to log in multiple times. If you can't find an obvious reason for the login count, check whether the administrator is sharing their login credentials (this should be discouraged).

Device associations per day. In the past 24 hours this user account associated a large number of new devices relative to past behavior.


Check whether your organization issued or sanctioned the new devices.

Items synced per day. In the past 24 hours this user account synced a large number of items in Box relative to past behavior.

Check whether your organization has sanctioned the devices being used for synchronization.

Two-factor authentication disabled per day. In the past 24 hours, this user account disabled two-factor authentication. Two-factor authentication requires the user to enter something in addition to their password (for example, a unique code from a mobile device), which adds a level of security beyond only typing a password.

Check whether your organization permits disabling two-factor authentication, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

Email alias confirmations per day. In the past 24 hours this user account confirmed a large number of email aliases relative to past behavior. Box users are permitted to link multiple email addresses to their account.

Check whether this user is authorized to confirm this number of email aliases, and that these actions support a legitimate business need with an approved change control for your organization.

Set primary email aliases per day. In the past 24 hours this user account set a large number of email aliases as primary relative to past behavior. Box users are permitted to link multiple email addresses to their account and designate one of the addresses as primary.

Check whether this user is authorized to set primary email addresses, and that these actions support a legitimate business need with an approved change control for your organization.

Google Apps Risk Factors

Learn about risk factors that are specific to Google Apps.

Downloads per day. In the past 24 hours the account for a user performed a large number of downloads in Google Apps relative to past behavior.

Check whether the downloaded files contained sensitive information.

Download IP addresses per day. In the past 24 hours the account for a user had downloads from Google Apps using a large number of IP addresses relative to past behavior.

Check whether the user is traveling, or has another legitimate reason for downloading from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Created objects per day. In the past 24 hours the account for a user created a large number of objects in Google Apps relative to past behavior.

Confirm that these actions support a legitimate business need with an approved change control for your organization.

Viewed objects per day. In the past 24 hours the account for a user viewed a large number of objects in Google Apps relative to past behavior.


Check the sensitivity of the information that this user viewed, and that these actions support a legitimate business need.

Deleted objects per day. In the past 24 hours the account for a user deleted a large number of objects in Google Apps relative to past behavior.

Check the quantity of information that the user deleted, whether this information still has value to the organization, and that these actions support a legitimate business need with an approved change control for your organization.

Items sent to trash per day. In the past 24 hours the account for a user emptied the trash in Google Apps a large number of times relative to past behavior.

Check the quantity of information that the user permanently deleted, and that these actions support a legitimate business need with an approved change control for your organization.

Items shared publicly per day. In the past 24 hours the account for a user performed a large number of public shares in Google Apps relative to past behavior.

Check whether the user shared sensitive information, and that these actions support a legitimate business need with appropriate approvals to do so.

Items shared externally per day. In the past 24 hours the account for a user performed a large number of shares with external users in Google Apps relative to past behavior.

Check whether this user has shared sensitive files, whether the external users are from sanctioned domains and business partners, and that these actions support a legitimate business need with appropriate approvals to do so.

Security settings, actions per day. In the past 24 hours the account for an administrator performed an unusually large number of actions in Google Apps security settings relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

Application settings, actions per day. In the past 24 hours the account for an administrator performed an unusually large number of actions in Google Apps application settings relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

User roles, actions per day. In the past 24 hours the account for an administrator performed an unusually large number of actions in Google Apps user roles relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

Create, delete, and suspend actions per day. In the past 24 hours the account for an administrator performed an unusually large number of create, delete, and suspend actions in Google Apps relative to past behavior.


Check whether this user is authorized to do administration in Google Apps. Confirm that these actions support a legitimate business need with an approved change control for your organization.

Device settings, actions per day. In the past 24 hours the account for an administrator performed an unusually large number of actions related to device settings in Google Apps relative to past behavior.

Check whether this user is authorized to do administration in Google Apps. Confirm that these actions support a legitimate business need with an approved change control for your organization.

Group settings, actions per day. In the past 24 hours the account for an administrator performed an unusually large number of actions related to group settings in Google Apps relative to past behavior.

Check the privileges for these groups and the number of users in the group. In general, administrative and privileged groups should have relatively small, stable memberships. Confirm that these actions support a legitimate business need with an approved change control for your organization.

Administration role and privilege settings, actions per day. In the past 24 hours the account for an administrator performed an unusually large number of actions related to administrator role and privilege settings in Google Apps relative to past behavior.

Check the role definitions. In general, administrative roles should be relatively stable and assigned to relatively few users. Confirm that these actions support a legitimate business need with an approved change control for your organization.

Company settings, actions per day. In the past 24 hours the account for an administrator performed an unusually large number of actions related to company settings in Google Apps relative to past behavior.

Confirm that these actions support a legitimate business need with an approved change control for your organization.
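
Every "per day" factor in this chapter rests on the same mechanism: a per-user count for the past 24 hours is compared with that user's own history rather than with a fixed threshold. The Python below is an added illustration of that comparison, not Oracle CASB Cloud Service code, and it does not reproduce the product's actual scoring. It uses a constructed event log and three of the Google Apps factors (Downloads per day, Download IP addresses per day, Items shared externally per day); the sanctioned-domain list, the 3-sigma threshold, the minimum absolute increase and the minimum baseline length are assumptions chosen for the example. It also handles two cases the factor descriptions imply but do not spell out: a heavy but steady user is not flagged, and a user with no history gets no score rather than a false positive.

```python
"""Compare each user's last-24-hour activity with that user's own past behavior.

Added example, not Oracle CASB Cloud Service code. All event data is constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

SANCTIONED_DOMAINS = {"example.com", "partner.example"}  # assumed: your own and partner domains
MIN_HISTORY_DAYS = 7      # assumed: fewer prior days than this means "no baseline yet"
Z_THRESHOLD = 3.0         # assumed: flag when today is 3 standard deviations above the mean
MIN_ABS_INCREASE = 5      # assumed: a jump from 1 to 4 should not alert even if z is large
TODAY = date(2020, 7, 15)


def build_events():
    """Constructed (day, user, action, source_ip, target_domain) tuples: 14 quiet days, then a spike."""
    start = date(2020, 7, 1)
    events = []
    for d in range(14):
        day = start + timedelta(days=d)
        events += [(day, "alice", "download", "198.51.100.10", None)] * 3   # 3 downloads, 1 IP
        events += [(day, "alice", "share", None, "partner.example")]         # sanctioned share
        events += [(day, "bob", "download", "203.0.113.5", None)] * 20       # heavy but steady
    # Day 15, the "past 24 hours" under review.
    events += [(TODAY, "alice", "download", "192.0.2.%d" % (i % 8), None) for i in range(40)]
    events += [(TODAY, "alice", "share", None, "mail.example.org")] * 12     # external shares
    events += [(TODAY, "bob", "download", "203.0.113.5", None)] * 21
    events += [(TODAY, "carol", "download", "192.0.2.99", None)] * 8         # first day ever seen
    return events


def daily_metrics(events):
    """Aggregate events into {(user, day): {factor_name: value}}."""
    raw = defaultdict(lambda: {"downloads": 0, "ips": set(), "external": 0})
    for day, user, action, ip, target in events:
        m = raw[(user, day)]
        if action == "download":
            m["downloads"] += 1
            m["ips"].add(ip)
        elif action == "share" and target not in SANCTIONED_DOMAINS:
            m["external"] += 1
    return {
        key: {
            "Downloads per day": m["downloads"],
            "Download IP addresses per day": len(m["ips"]),
            "Items shared externally per day": m["external"],
        }
        for key, m in raw.items()
    }


def score_user(metrics, user, today=TODAY):
    """Return {factor: (status, today_value, z)} with status flagged | normal | no-baseline."""
    todays = metrics.get((user, today))
    if todays is None:
        return {}
    first_seen = min(day for (u, day) in metrics if u == user)
    # Every day since the user was first seen counts, including days with zero activity.
    history = [first_seen + timedelta(days=i) for i in range((today - first_seen).days)]
    findings = {}
    for factor, value in todays.items():
        past = [metrics.get((user, d), {}).get(factor, 0) for d in history]
        if len(past) < MIN_HISTORY_DAYS:
            findings[factor] = ("no-baseline", value, None)
            continue
        mu = mean(past)
        sd = max(pstdev(past), 1.0)   # a perfectly flat history must not make every change infinite
        z = (value - mu) / sd
        flagged = z >= Z_THRESHOLD and (value - mu) >= MIN_ABS_INCREASE
        findings[factor] = ("flagged" if flagged else "normal", value, round(z, 1))
    return findings


def run_detection(events=None, today=TODAY):
    """Score every user seen today; returns {user: {factor: (status, value, z)}}."""
    metrics = daily_metrics(events if events is not None else build_events())
    users = sorted({u for (u, day) in metrics if day == today})
    return {u: score_user(metrics, u, today) for u in users}


if __name__ == "__main__":
    for user, findings in run_detection().items():
        for factor, (status, value, z) in findings.items():
            print(f"{user:6} {factor:32} today={value:3} z={z} -> {status}")
```

The absolute-increase floor matters as much as the z-score: with a flat history the standard deviation collapses, and without the floor a user going from one IP address to three would look as alarming as alice going from one to eight. The no-baseline outcome is where the first check in each factor ("is the user traveling, is there an approved change") has to be done by hand, because the data cannot say what is normal for that account yet.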

Office 365 Risk Factors

Learn about risk factors that are specific to Office 365.

Administrative actions per day. In the past 24 hours the account for a user performed a large number of administrative changes in Office 365 relative to past behavior.

Check whether the administrator is authorized to perform these actions, because this can increase your exposure to threats. Also check whether the administrator recalls performing these actions.

Downloads per day. In the past 24 hours the account for a user downloaded a large amount of data from Office 365 relative to past behavior.

Check whether the downloaded files contained sensitive information.

Deletes per day. In the past 24 hours the account for a user deleted a large amount of data from Office 365 relative to past behavior.


Check the quantity of information that the user deleted, whether this information still has value to the organization, and that these actions support a legitimate business need with an approved change control for your organization.

Files modified per day. In the past 24 hours the account for a user modified an unusual number of files in Office 365 relative to past behavior.

Check whether these files contain sensitive content.

Files shared externally per day. In the past 24 hours the account for a user shared a large number of files with users in external domains relative to past behavior.

Check whether this user has shared sensitive files, whether the external users are from sanctioned domains and business partners, and that these actions support a legitimate business need with appropriate approvals to do so.

Email sent externally per day. In the past 24 hours the account for a user sent a large amount of email to users in external domains relative to past behavior.

Check whether this user has sent sensitive files, whether the external users are from sanctioned domains and business partners, and that these actions support a legitimate business need with appropriate approvals to do so.

Emails received from external domains per day. In the past 24 hours the account for a user received a large amount of email from external domains relative to past behavior.

Check whether this activity supported a legitimate business need.

IP addresses used to access SharePoint/OneDrive per day. In the past 24 hours the account for a user accessed SharePoint and OneDrive from a large number of IP addresses relative to past behavior.

Check whether the user is traveling or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

IP addresses used to access Azure AD per day. In the past 24 hours the account for a user accessed Azure AD using a large number of IP addresses relative to past behavior.

Check whether the user is traveling or has another legitimate reason for logging in from these locations. If the user associated with this account is not traveling, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Salesforce Risk Factors

Learn about risk factors that are specific to Salesforce.

Administrative actions on users per day. In the past 24 hours this administrative account performed a large number of user management actions relative to past behavior.

Check whether this administrator is authorized to do these user management operations, and check whether the updated users are administrators or highly privileged users. Confirm that these actions support a legitimate business need with an approved change control for your organization.


Password policy updates per day. In the past 24 hours this administrative account updated a large number of password policies relative to past behavior.

Check whether this administrator is authorized to change these password policies, and that these actions support a legitimate business need with an approved change control for your organization.

Session settings updates per day. In the past 24 hours this administrative account updated a large number of session settings relative to past behavior.

Check whether this administrator is authorized to change these session settings, and that these actions support a legitimate business need with an approved change control for your organization.

Certificate and key actions per day. In the past 24 hours this administrative account performed a large number of certificate and key management actions relative to past behavior.

Check whether this administrator is authorized to perform certificate and key management operations, and that these actions support a legitimate business need with an approved change control for your organization.

Data exports per day. In the past 24 hours the account for a user performed a large number of data export actions relative to past behavior.

Check whether this administrator is authorized to perform data export operations, and that this export supported a legitimate business need.

Mass deletes per day. In the past 24 hours the account for a user performed a large number of mass delete actions relative to past behavior.

Check whether this administrator is authorized to perform mass delete operations and the sensitivity of the information deleted, and that these actions support a legitimate business need with an approved change control for your organization.

Mass transfers per day. In the past 24 hours the account for a user performed a large number of mass transfer actions relative to past behavior.

Check whether this administrator is authorized to perform mass transfer operations and the sensitivity of the information transferred, and that these actions support a legitimate business need with an approved change control for your organization.

Whitelist actions per day. In the past 24 hours the account for a user performed a large number of IP whitelist actions relative to past behavior. Ordinarily, IP whitelisting is done to constrain the locations from which administrators are permitted to access Salesforce.

Check whether this administrator is authorized to do whitelisting and whether the IP addresses affected are legitimate, and that these actions support a legitimate business need with an approved change control for your organization.

Security settings for downloads, changes per day. In the past 24 hours the account for a user updated a large number of file download security settings relative to past behavior.

Check whether this administrator is authorized to update file download security settings, and that these actions support a legitimate business need with an approved change control for your organization.


Settings for sharing, updates per day. In the past 24 hours the account for a user updated a large number of shared settings relative to past behavior.

Check whether this user is authorized to update shared settings, and that these actions support a legitimate business need with an approved change control for your organization.

Reports exported per day. In the past 24 hours the account for a user exported a large number of reports relative to past behavior.

Check whether this user is authorized to export reports, the sensitivity of the information exported, and that these actions support a legitimate business need.

Reports run per day. In the past 24 hours the account for a user ran a large number of reports (including async reports) relative to past behavior.

Check whether this user is authorized to run these reports, the sensitivity of the information in the reports, and that these actions support a legitimate business need.

SAML configuration changes per day. In the past 24 hours, this administrative account updated a large number of SAML configuration settings relative to past behavior. SAML is the Security Assertion Markup Language. SAML provides federated access to your systems, which means it permits single sign-on across security domains. Because Salesforce accepts any assertion signed by the configured identity provider certificate, an attacker who can change that certificate or the issuer can mint assertions for arbitrary users.

Check whether the updated SAML settings are authorized, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Force password resets per day. In the past 24 hours, this administrative account forced the reset of a large number of passwords relative to past behavior.

Check whether this user is authorized to force resets for passwords, and that these actions support a legitimate business need with an approved change control for your organization.

Authentication provider actions per day. In the past 24 hours this administrative account performed a large number of actions related to authentication providers relative to past behavior. An authentication provider is an external provider of credentials (for example, Facebook) that can be used in a scheme that supports single sign-on across websites and domains (also known as federated access).

Check whether the new or updated authentication providers are authorized, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Identity provider actions per day. In the past 24 hours this administrative account performed a large number of actions related to identity providers in Salesforce relative to past behavior. An identity provider is a trusted service that enables single sign-on across websites in different domains (also known as federated access). You can enable Salesforce as an identity provider.

Check whether the new or updated identity providers are authorized. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.


Named credentials actions per day. In the past 24 hours this administrative account performed a large number of actions related to named credentials in Salesforce relative to past behavior. A named credential stores the URL of an external endpoint together with the authentication settings that Salesforce uses when it calls out to that endpoint, so changing one can redirect integration traffic or expose the stored credential.

Check whether these changes to named credentials are authorized, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Recycle bin emptied per day. In the past 24 hours the account for a user emptied the recycle bin a large number of times in Salesforce relative to past behavior.

Check the other risk factors for this user, including multiple logins or failed logins, use of multiple IP addresses, or traveling a large distance.

Sharing settings and groups, actions per day. In the past 24 hours this administrative account performed a large number of actions related to sharing and groups in Salesforce relative to past behavior.

Check whether the administrator added or updated sharing for administrative or privileged groups, whether the information being shared is sensitive, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Delegated groups, actions per day. In the past 24 hours this administrative account performed a large number of actions related to delegated groups relative to past behavior.

Check whether the administrator added or updated delegation for administrative or privileged groups, whether privileged operations are being delegated, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

User role actions per day. In the past 24 hours this administrative account performed a large number of actions related to user roles relative to past behavior.

Check whether the administrator added or updated administrative or privileged roles, whether this administrator is authorized to perform these operations, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

User profile actions per day. In the past 24 hours this administrative account performed a large number of actions related to user profiles in Salesforce relative to past behavior.

Check whether the administrator added or updated administrative or privileged profiles, whether this administrator is authorized to perform these operations, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.


User management actions per day. In the past 24 hours this administrative account performed a large number of manage user actions relative to past behavior.

Check whether this administrator is authorized to configure other administrative users or other highly privileged users, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Change email settings per day. In the past 24 hours this administrative account performed a large number of email change actions relative to past behavior.

Check whether this administrator is authorized to update email addresses for user accounts, and that these actions support a legitimate business need with an approved change control for your organization. Changing the email address on an account redirects password reset and verification messages to the new address, which is a common account takeover step. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Record type actions per day. In the past 24 hours this administrative account performed a large number of actions related to record types relative to past behavior.

Check whether this administrator is authorized to configure user record types, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

User permissions, actions per day. In the past 24 hours this administrative account performed a large number of actions related to user permissions relative to past behavior.

Check whether this administrator configured overly privileged user permissions, and that these actions support a legitimate business need with an approved change control for your organization. Determine whether the administrative account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

ServiceNow Risk Factors

Learn about risk factors that are specific to ServiceNow.

User management, actions per day. In the past 24 hours the account for a user performed a large number of user administration actions in ServiceNow relative to past behavior.

Check whether this administrator is authorized to do user administration in ServiceNow. Confirm that these actions support a legitimate business need with an approved change control for your organization. Make sure that new or modified users are not overly privileged. Determine whether the administrative account or the system was compromised, the admin shared login credentials, or poses an insider threat.

User roles, actions per day. In the past 24 hours the account for a user performed a large number of actions in user roles in ServiceNow relative to past behavior.

Check whether this administrator is authorized to do user role administration in ServiceNow. Confirm that these actions support a legitimate business need with an approved change control for your organization. Make sure the roles are not overly privileged. Determine whether the administrative account or the system was compromised, the admin shared login credentials, or poses an insider threat.

User groups, actions per day. In the past 24 hours the account for a user performed a large number of actions in groups in ServiceNow relative to past behavior.

Check whether this administrator is authorized to do group administration in ServiceNow. Confirm that these actions support a legitimate business need with an approved change control for your organization. Make sure that these groups are not overly privileged, and that more privileged groups only have a limited number of members. Determine whether the administrative account or the system was compromised, the admin shared login credentials, or poses an insider threat.

User departments, actions per day. In the past 24 hours the account for a user performed a large number of actions in user departments in ServiceNow relative to past behavior.

Check whether this administrator is authorized to do department administration in ServiceNow. Confirm that these actions support a legitimate business need with an approved change control for your organization. Typically, this is a human resources function. Determine whether the administrative account or the system was compromised, the admin shared login credentials, or poses an insider threat.

Companies, actions per day. In the past 24 hours the account for a user performed a large number of actions in user companies in ServiceNow relative to past behavior.

Check whether this administrator is authorized to do company administration in ServiceNow. Confirm that these actions support a legitimate business need with an approved change control for your organization. Typically, this function lets users add vendors and other business partners. Determine whether the administrative account or the system was compromised, the admin shared login credentials, or poses an insider threat.

Integrations, actions per day. In the past 24 hours the account for a user performed a large number of actions related to integration of third-party services in ServiceNow relative to past behavior.

Check whether this administrator is authorized to do third-party integrations in ServiceNow. ServiceNow supports a limited number of integrations by default. If the integration is not a ServiceNow default, make sure the new application is authorized. Confirm that these actions support a legitimate business need with an approved change control for your organization. If you find unauthorized activity and the administrator does not recall performing it, check whether the administrative account or the system was compromised, the admin shared login credentials, or poses an insider threat.

Incident operations per day. In the past 24 hours the account for a user performed a large number of operations in incidents in ServiceNow relative to past behavior.

Check whether these incidents contain sensitive content.

Report operations per day. In the past 24 hours the account for a user performed a large number of report operations in ServiceNow relative to past behavior.

Check whether these reports contain sensitive content. Confirm that these actions support a legitimate business need with an approved change control for your organization.


App operations per day. In the past 24 hours the account for a user performed a large number of app operations in ServiceNow relative to past behavior.

Check the details of the operations that the user performed and make sure that they are authorized, support a legitimate business need, and have approved change control for your organization. Give users with legitimate needs VPN access with endpoint verification and protection. Consider additional restrictions on user access to reduce the risks associated with privileged activity (for example, some cloud services let you define access control lists). If more investigation is needed, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Role, incident, script, and asset operations per day. In the past 24 hours the account for a user performed a large number of update operations related to roles, incidents, scripts, or assets in ServiceNow relative to past behavior.

Check the details of the operations that the user performed and make sure that they are authorized, support a legitimate business need, and have approved change control for your organization. Give users with legitimate needs VPN access with endpoint verification and protection. Consider additional restrictions on user access to reduce the risks associated with privileged activity (for example, some cloud services let you define access control lists). If more investigation is needed, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Cloning operations per day. In the past 24 hours the account for a user performed a large number of cloning operations in ServiceNow relative to past behavior. Cloning allows an administrator to duplicate (clone) data from one instance to another.

Check whether these cloning operations are authorized, support a legitimate business need, and have approved change control for your organization. Give users with legitimate needs VPN access with endpoint verification and protection. Consider additional restrictions on user access to reduce the risks associated with privileged activity (for example, some cloud services let you define access control lists). If more investigation is needed, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Data management operations per day. In the past 24 hours the account for a user performed a large number of data management operations in ServiceNow relative to past behavior. These are changes to tables, records, schema, and other aspects of the data that ServiceNow stores and manages.

Check whether these data management changes are authorized, support a legitimate business need, and have approved change control for your organization. Give users with legitimate needs VPN access with endpoint verification and protection. Consider additional restrictions on user access to reduce the risks associated with privileged activity (for example, some cloud services let you define access control lists). If more investigation is needed, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Business logic operations per day. In the past 24 hours the account for a user performed a large number of business logic operations in ServiceNow relative to past behavior. Business logic consists of rules that automate processes in ServiceNow.

Check whether these business rules are authorized, support a legitimate business need, and have approved change control for your organization. Give users with legitimate needs VPN access with endpoint verification and protection. Consider additional restrictions on user access to reduce the risks associated with privileged activity (for example, some cloud services let you define access control lists). If more investigation is needed, determine whether the user account or the system was compromised, the user shared his or her login credentials, or the user poses an insider threat.

Viewing Suspicious Activity Threats

View summaries of anomalous activity and cross-application activity in the Dashboard, and jump to details in Risk Events.

When you select a Threats link in the Dashboard, Summary tab, you jump to the Risk Events page, with the events filtered to display open threats (either across the system or for a particular cloud service, depending on which link you selected). Oracle CASB Cloud Service detects anomalous or suspicious activity within a particular cloud service instance.

To view details for suspicious activity

1. Select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the CATEGORY column header to sort the events by category.

3. Click in a row where CATEGORY is Anomalous activity or Cross-application activity and you want more information on the threat.

The row expands to show basic information for the threat.

4. In the ACTION column, drop down the Action menu and select View threat.

The threat details pop-up shows either an area chart with the threat triggers (for example, the number of logins, failed logins, and IP addresses for the user) or a map showing the user's access points.

If the pop-up contains the area chart, you can click items in the key to show or hide them. To view other actions the user has taken during the threat reporting period, click the details icon (the bar chart) in the upper right corner of the pop-up.

Click the chart switcher tool in the upper right corner to see another view. Here you can deselect the Show All checkbox and then check individual items to be displayed.

5. If the threat contains a map, you can hover over different parts of the map.

The events related to that point on the map appear below the map (between the map and the table).

6. If the threat contains activity data, the threat details table contains an Issue Count column. Click any row of this column to view details of each occurrence of the event type. For example, if the Category column shows Failed Logins, and the issue count is 4, clicking this row displays a pop-up with details for all four failed logins.

7. Click View log data to view any additional information that the cloud service's logs provided about this event.

8. Diagnosing this threat involves doing additional research (if needed) to determine whether any action is required, and if so, what the action should be, as described in the service-specific sections of User Risk Factors.


Related Topics:

• Dashboard View of User Risks and Threats

• Finding and Analyzing Users at Risk

• User Risk Factors

• Monitoring Suspicious IP Addresses

Remediating and Dismissing a Suspicious Activity Threat

To complete the processing of a suspicious activity threat, process the associated incident, resolve the threat, and then dismiss it.

Oracle CASB Cloud Service automatically generates an incident ticket for each detected anomaly marked as a threat. You can manually create incident tickets to track a user with a high risk score. See Finding and Analyzing Users at Risk.

1. After you find a threat in the Risk Events page (see Finding Users at Risk), drop down the Action menu and select View incident.

2. In the View incident page for this threat, you can manage and resolve the incident as described in Finding, Managing, and Resolving Incidents.

3. Once resolved, the threat and its related risk event and incident ticket are dismissed.

Monitoring Suspicious IP Addresses

View information about activity from suspicious IP addresses that Oracle CASB Cloud Service detects.

Oracle CASB Cloud Service uses data feeds that report on suspicious IP addresses, and matches these with the IP addresses of users who access registered application instances. If Oracle CASB Cloud Service finds a match, it updates the Access Map and the IP address card in the Dashboard, generates a risk event in Risk Events, and raises a ticket in the Incidents section of the Oracle CASB Cloud Service console.

1. Select Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the Summary tab.

The Access Map shows red pins in locations that have experienced activity from suspicious IP addresses.

3. To view the events from the IP address for a red-pin location, click the pin and then click the "number of events" link in the pop-up that appears over the pin.

If the first click simply zooms in on the map, click the pin again.
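The matching the preceding sections describe (a suspicious-IP feed checked against the addresses users log in from, plus the threat triggers shown in the threat details chart: failed-login bursts and a user hopping between locations), as an added Python example that is not part of the Oracle documentation or the product's own code. The feed, the thresholds (three failures within ten minutes, a country change within an hour) and the audit events are all constructed for illustration, and the event tuple format is an assumption rather than the service's log schema.

```python
"""Added example: flag suspicious logins from constructed audit events."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat feed: CIDR blocks and single addresses from documentation ranges.
SUSPICIOUS_FEED = ["198.51.100.0/24", "203.0.113.7"]

FAILED_LOGIN_THRESHOLD = 3                   # assumed: fire when a user reaches 3 failures...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ...within this window
HOP_WINDOW = timedelta(hours=1)              # assumed: two countries within an hour is a hop

# Constructed audit events: (ISO timestamp, user, source IP, country, outcome)
EVENTS = [
    ("2020-07-01T09:00:00", "alice", "192.0.2.10", "US", "success"),
    ("2020-07-01T09:05:00", "bob", "198.51.100.23", "US", "success"),
    ("2020-07-01T09:10:00", "carol", "192.0.2.44", "US", "failure"),
    ("2020-07-01T09:11:00", "carol", "192.0.2.44", "US", "failure"),
    ("2020-07-01T09:12:00", "carol", "192.0.2.44", "US", "failure"),
    ("2020-07-01T09:13:00", "carol", "192.0.2.44", "US", "failure"),
    ("2020-07-01T09:30:00", "alice", "192.0.2.99", "DE", "success"),
    ("2020-07-01T15:00:00", "bob", "192.0.2.10", "US", "success"),
]


def load_feed(entries):
    """Parse feed entries into ip_network objects so single IPs and CIDRs match alike."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def in_feed(ip, networks):
    """True if the address falls inside any network on the feed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def detect(events, feed_entries):
    """Return (trigger, user, detail, timestamp) tuples in event order."""
    networks = load_feed(feed_entries)
    threats = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    last_success = {}             # user -> (timestamp, country, ip) of last successful login
    for ts_text, user, ip, country, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        if in_feed(ip, networks):
            threats.append(("suspicious_ip", user, ip, ts_text))
        if outcome == "failure":
            recent = [t for t in failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire once, when the threshold is reached
                threats.append(("failed_login_burst", user, ip, ts_text))
            continue
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] <= HOP_WINDOW:
            threats.append(("location_hop", user, f"{prev[1]}->{country}", ts_text))
        last_success[user] = (ts, country, ip)
    return threats


if __name__ == "__main__":
    for trigger, user, detail, when in detect(EVENTS, SUSPICIOUS_FEED):
        print(f"{when} {trigger:20} user={user} {detail}")
```

With the constructed input, the run yields one threat of each kind: bob's login from an address inside the feed's 198.51.100.0/24 block, carol's third failed login, and alice's US-to-DE hop within 30 minutes. Failed logins deliberately do not update the "last successful login" record, so a burst of failures from a new location is reported as a burst rather than as a hop.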


Note:

You can control automatic whitelisting of trusted network addresses by setting a preference. See Setting Your Preferences.

You can also control this preference from the Manage IP Addresses page. See Putting IP Addresses on Blacklists or Whitelists.

Detecting Application-Specific Threats

Learn how to detect threats that are specific to each application type. These threats are in addition to the threats that are common to all application types.

Note:

Ensure that you become familiar with the global threats that are common to all application types, which are documented in the previous sections, in addition to the application-specific threats that are covered in the following sections.

Detecting Threats in AWS

Understand Oracle CASB Cloud Service threat detection features for AWS.

As described in Managing Behavioral Anomalies and Threats, Oracle CASB Cloud Service detects behaviors that indicate an insider or external threat. For example, access from a suspicious IP address, excessive mass transfers and deletes of sales data, or a user hopping between IP addresses and geographical locations are all detected.

Threat detection can alert you, for example, when an AWS user has a suspicious number of failed logins (suggesting a brute force attack) or appears to be accessing their AWS account from an anonymizing proxy.

Viewing Security Controls Monitored for AWS

Filter and sort the Reports page to see security controls monitored for AWS.

Oracle CASB Cloud Service monitors password, session, and access control settings for AWS, and generates alerts when the values for these controls don't match the baseline.

1. In the Risk Events page, filter the events so that only AWS events appear.

2. Sort the Category column so that Security Control risks appear.

3. Click a risk to view its details.

The following table describes the controls that Oracle CASB Cloud Service monitors. By default, Oracle CASB Cloud Service generates an alert if the value for the control deviates from the value shown in the table.


In general, Oracle CASB Cloud Service's default preferred values are more stringent than the default settings within AWS. If you want to change the baseline for Oracle CASB Cloud Service's security control alerts, then you can define custom settings for these controls.

Security Control Type | Security Control Name | Stringent (Default) Setting | Description

Password policy | Minimum password length | 10 characters | The longer a password is, the harder it is to crack.

Password policy | Require at least one uppercase letter | On | The more complex a password is, the harder it is to crack.

Password policy | Require at least one lowercase letter | On | The more complex a password is, the harder it is to crack.

Password policy | Require at least one number | On | The more complex a password is, the harder it is to crack.

Password policy | Require at least one non-alphanumeric character | On | The more complex a password is, the harder it is to crack.

Password policy | Allow users to change their own password | On | Users are more likely to update passwords when this activity is under their control.

Password policy | Password expiration period (in days) | 30 | The more frequently a password is updated, the harder it is to crack.

Password policy | Number of passwords to remember | 10 | Reused passwords open a window for an attacker to make use of an old password.

Password policy | Password expiration requires administrator reset | On | When passwords expire, this indicates an unused account. It's a best practice to not let accounts sit idle.

Setting | Number of days for an SSH key to be considered old | 30 | SSH keys authenticate AWS EC2 instances. The more frequently these keys are updated, the harder they are to crack.

Setting | Number of days for an IAM key to be considered old | 90 | IAM keys authenticate AWS administrative users. The more frequently these keys are updated, the harder they are to crack.

Access controls | Require the root user to use multifactor authentication | On | Multifactor authentication requires a user to present more than one credential when logging in (for example, a password and a one-time code).

Access controls | Make sure all S3 server buckets are encrypted | On | It's a best practice to keep data at rest in encrypted form.

Access controls | Require multifactor authentication when deleting an S3 bucket | On | Deleting an S3 bucket means removing a data store. This is a sensitive operation and should require the extra security that multifactor authentication provides.

Access controls | Require security group checking for unsecured ports | On | AWS manages critical organizational infrastructure. Security group checking provides an additional layer of security in the event that a port was left open to the internet.

Access controls | Require network ACLs to use secure open ports | On | AWS services listen for traffic on ports. These ports should require secure (encrypted) communication so that sensitive information isn't transmitted in the clear.

Access controls | Do not let network ACLs have Allow All set as the default | On | Allow All means that the access control list (ACL) provides access to anyone on the internet.

Access controls | Check use of Route 53 hosted zones | On | Amazon's Route 53 service maps domain name system (DNS) queries to numeric IP addresses. It routes end users to Internet applications by translating domain names (for example, www.example.com) into numeric IP addresses (for example, 192.0.2.1) that computers use to connect to each other. Route 53 works with external domain names. It also works with Amazon Virtual Private Clouds (VPCs), which allows custom domain names for your internal AWS resources without exposing them to the public internet. Consider using Route 53 service as a cost-effective solution for DNS routing that also can be extended to your VPCs.

Access controls | Check use of Route 53 health checks | On | Amazon Route 53 maps domain name system (DNS) queries to numeric IP addresses. Route 53 health checks ensure that your web resources that reside at these IP addresses are functional before directing traffic to them. Oracle CASB Cloud Service doesn't monitor for Route 53 health checks in private hosted zones.

Access controls | Check EBS volume encryption status | On | Amazon Elastic Block Storage (EBS) volumes provide incremental backup for Amazon elastic compute cloud (EC2) instances. Encryption of these volumes prevents unauthorized access to the data on them.

Access controls | Check RDS encryption status | On | Amazon Relational Database Service (Amazon RDS) is a relational database in the cloud. Ensure that RDS encryption is enabled to prevent unauthorized access to the information stored in the database. Amazon RDS handles authentication, access, and decryption of data transparently with minimal impact on performance. Amazon RDS encryption also helps to fulfill compliance requirements for data-at-rest encryption.

Note (applies to every Access controls row in this table): This setting and the other access controls in this table aren't available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn't enabled.
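To show how the stringent baseline in the table can be checked outside the console, here is an added Python example; it is not Oracle's code and not the service's own logic. It assumes a password-policy dictionary whose keys follow the field names of the IAM GetAccountPasswordPolicy response, and dictionaries of key creation dates; the sample values are constructed, and the mapping of table rows to fields (for example, "Password expiration requires administrator reset" to HardExpiry) is this example's own reading of the table.

```python
"""Added example: compare an AWS account against the stringent baseline from the table."""
from datetime import datetime, timedelta, timezone

# Stringent (default) values from the table, keyed by IAM GetAccountPasswordPolicy field
# names. The mode says how to compare: "eq" must match, "min" the account value must be
# at least the baseline, "max" it must be at most the baseline.
PASSWORD_BASELINE = {
    "MinimumPasswordLength": (10, "min"),
    "RequireUppercaseCharacters": (True, "eq"),
    "RequireLowercaseCharacters": (True, "eq"),
    "RequireNumbers": (True, "eq"),
    "RequireSymbols": (True, "eq"),          # at least one non-alphanumeric character
    "AllowUsersToChangePassword": (True, "eq"),
    "MaxPasswordAge": (30, "max"),           # password expiration period in days
    "PasswordReusePrevention": (10, "min"),  # number of passwords to remember
    "HardExpiry": (True, "eq"),              # expiration requires administrator reset
}
IAM_KEY_MAX_AGE_DAYS = 90
SSH_KEY_MAX_AGE_DAYS = 30


def check_password_policy(policy):
    """Return (control, actual, baseline) for every control weaker than the baseline."""
    findings = []
    for key, (baseline, mode) in PASSWORD_BASELINE.items():
        actual = policy.get(key)
        if actual is None:  # IAM omits MaxPasswordAge when passwords never expire
            findings.append((key, None, baseline))
        elif mode == "eq" and actual != baseline:
            findings.append((key, actual, baseline))
        elif mode == "min" and actual < baseline:
            findings.append((key, actual, baseline))
        elif mode == "max" and actual > baseline:
            findings.append((key, actual, baseline))
    return findings


def stale_keys(keys, max_age_days, now):
    """Return the ids of keys created more than max_age_days before `now`."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(key_id for key_id, created in keys.items() if created < cutoff)


# Constructed sample account state (not from a real account).
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": False,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 10,
    "HardExpiry": False,
}
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
SAMPLE_IAM_KEYS = {  # constructed ids and creation dates
    "access-key-1": datetime(2020, 1, 15, tzinfo=timezone.utc),  # about 168 days old
    "access-key-2": datetime(2020, 6, 1, tzinfo=timezone.utc),   # 30 days old
}
SAMPLE_SSH_KEYS = {
    "deploy-key": datetime(2020, 5, 1, tzinfo=timezone.utc),  # 61 days old
    "ops-key": datetime(2020, 6, 20, tzinfo=timezone.utc),    # 11 days old
}

if __name__ == "__main__":
    for control, actual, baseline in check_password_policy(SAMPLE_POLICY):
        print(f"ALERT password policy {control}: {actual!r} (baseline {baseline!r})")
    for key_id in stale_keys(SAMPLE_IAM_KEYS, IAM_KEY_MAX_AGE_DAYS, NOW):
        print(f"ALERT IAM key {key_id} is older than {IAM_KEY_MAX_AGE_DAYS} days")
    for key_id in stale_keys(SAMPLE_SSH_KEYS, SSH_KEY_MAX_AGE_DAYS, NOW):
        print(f"ALERT SSH key {key_id} is older than {SSH_KEY_MAX_AGE_DAYS} days")
```

The comparison mode matters: a longer minimum length or more remembered passwords than the baseline is not a deviation, while a longer expiration period is, which is why the checks are not a plain equality test. A missing MaxPasswordAge is reported as a finding because in IAM that means passwords never expire.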

Detecting Threats in Azure AD

View threats to an Azure AD instance.

Oracle CASB Cloud Service automatically detects anomalous user behavior in Azure AD as well as any behavior associated with suspicious or blacklisted IP addresses.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Applications page:

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, click the non-zero number for Threats to view those threats in Risk Events.

• In grid view, click the non-zero number in the THREATS column to view those threats in Risk Events.

3. To view additional information related to the threat, including recommended remediation actions, drop down the Actions list and select View Incident.


Detecting Threats in Box

Understand what you can do to find and remediate threats that Oracle CASB Cloud Service detects in Box.

Threats are a particular type of risk that Oracle CASB Cloud Service detects. Specifically, threats consist of user behaviors that deviate from usual patterns and indicate possible account or device hijacking. Access by suspicious IP addresses also constitutes a threat.

Oracle CASB Cloud Service has general methods for detecting threats within and across different types of applications. For more information, see these topics:

Related Topics:

• Finding and Analyzing Users at Risk

• Remediating and Dismissing a Suspicious Activity Threat

Behavioral Threats and Box

Understand how Oracle CASB Cloud Service detects threats for Box.

Oracle CASB Cloud Service detects behaviors that indicate an insider or external threat (for example, access from a suspicious IP address, excessive mass transfers and deletes of sales data, or a user hopping between IP addresses and geographical locations). For more information, see Managing Behavioral Anomalies and Threats.

Threat detection can alert you, for example, when a Box user has a suspicious number of failed logins (suggesting a brute-force attack) or appears to be accessing his or her Box account from an anonymizing proxy.

Viewing Security Controls Monitored for Box

Filter and sort the Reports page to see security controls monitored for Box.

After registering a Box instance, Oracle CASB Cloud Service scans the following security control values in Box, and displays security control alerts if your values are different from Oracle CASB Cloud Service's preferred values.

If you registered the instance in Monitor Only mode, Oracle CASB Cloud Service's baseline for these controls corresponds to its Stringent settings, as described in the following table.

After registration, you can change the baseline that Oracle CASB Cloud Service uses for monitoring the account. See Updating the Security Control Baseline for a Box Instance.

Note:

A few of the security controls that Oracle CASB Cloud Service monitors for might not be available in your account, depending on whether this is a developer account or an enterprise account, and whether the account has the Box Governance Package.


1. Select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Drop down the App Instances list, and select only Box instances.

3. Sort the Category column, and scroll to the Security control risk events.

4. Click a risk event to view its details.

The following table describes the security controls monitored for Box.

Security Control Type | Security Control Name | Oracle CASB Cloud Service Baseline (Stringent) Value | Description

Password policy | Minimum required characters | 10 | The larger the value for minimum password length, the harder the password is to crack, particularly if you also require special characters, numbers, and other recommended best practices.

Password policy | Require number(s) | 2 | Requiring numbers in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one number in users' passwords or passphrases. This is a best practice.

Password policy | Require special character(s) | 1 | Requiring symbols (special characters) in users' passwords or passphrases makes them harder to crack. AWS provides the ability to force at least one special character in users' passwords or passphrases. This is a best practice.

Password policy | Require at least one uppercase letter | On | Requiring uppercase letters in users' passwords or passphrases makes them harder to crack. Box provides the ability to force at least one uppercase letter in users' passwords or passphrases. This is a best practice.

Password policy | Prevent common words / email address as a password | On | Limiting the use of common words and email addresses in passwords makes them harder to crack. This is a best practice.

Password policy | Password resets: Require users to reset passwords every | 30 days | Password expiration limits your exposure to credential compromise by limiting the time available for a hacker to break hashed or encrypted credentials. Password expiration limits the time that a malicious actor can keep a foothold in your systems and networks.

Password policy | Prevent reusing passwords from | Last 10 times | Limiting users' ability to reuse previous passwords and passphrases helps increase their variation and uniqueness over time, and makes it harder for a malicious actor to use password dumps found online and in rainbow tables (a table often used to crack encrypted passwords).

Password policy | Notify admins when users request a forget password email | On | You can configure Box to notify administrators whenever users initiate a password reset flow.

Password policy | Notify admins when users change passwords in Settings | On | You can configure Box to notify administrators when users change their passwords.

Password policy | Require strong passwords for external collaborators | On | You can configure Box to require external collaborators to use strong (complex) passwords. Complexity in passwords or passphrases makes them harder to crack.

Authentication policies | The number of failed login attempts before admin is notified | 3 | You can configure Box to notify administrators after any Box user has had a particular number of failed logins. Multiple and frequent failed logins can indicate a brute force attack (an attempt to gain control of a password by guessing it).

Authentication policies | Prevent users from using the "Keep me signed in" feature | On | Limiting the duration of user sessions also limits the amount of time a hacker has to hijack the session.

Session policies | Duration a user can remain logged in without activity before being logged out | 30 minutes | You can set limits on the amount of time the session can be idle before locking out the user. This limits the amount of time a hacker has to hijack the session.

Settings | Allow users to sign up on their own | Off | You can configure Box to allow users to sign up instead of requiring them to ask an administrator to sign them up.

Settings | When new users are added, email admins | Immediately | You can configure Box to notify administrators whenever someone adds a new user to your Box account. The notification can be immediate or after a delay.

Settings | Prevent users from changing their primary email address | On | You can prevent users from changing their primary email address.

Settings | Enable external links to | Nothing, restrict sharing | You can prevent users from sharing links with people who are external to this Box account.

Settings | Enable external links with these access options | People in the folder only | Box lets you disable the ability of users to share link URLs to anyone they choose.

Settings | Default new links to | People in this folder | Box allows you to set the default for new links to people who already have access to the parent folder or to anyone who is given a link to the folder.

Settings | Let link viewers | Preview the shared items only | You can allow people who have links to items in Box to either preview the items only or both preview and download the shared item.

Settings | Allow custom shared link URLs for links with open access | Off | You can allow people who have links to items in Box to either preview the items only or both preview and download the shared item.

Settings | Show your custom domain in shared link URLs | Off | You can prevent users from displaying custom domain URLs when they share links to Box resources.

Settings | Restrict tag creation | admins and co-admins only | You can control the tags in use in your organization by restricting tag creation to administrators.

Settings | Enable tag filtering | On | Box gives users the ability to filter files and folders by tag and by name.

Settings | Automatically disable shared links | 30 days | Box lets you set an expiration period for shared links.

Settings | Enable Trash | On | Box lets you give users the ability to delete files through the Trash function.

Settings | People who can permanently delete content in Trash | Admin only | Box lets you control which users are allowed to permanently empty the Trash.

Settings | Trash is automatically deleted after | 90 days | Box lets you set a time interval for automatically emptying the Trash.

Settings | Allow users to see all managed users | Off | Box lets you restrict the ability of users to view other Box users.

Settings | Device limits - exempt users from Max # of device logins | 1 | Box lets you override device pinning, which means limiting the number of devices that users can log in from.

Settings | Restrict external collaboration | On | Box lets you restrict collaboration (sharing files and folders) with users outside of your Box account.

Settings | Require Apps to use SSL | On | Box lets you require SSL to encrypt communications between Box and integrated web apps.

Settings | Save files on device | Restrict | Box lets you prevent users from downloading files for offline use.

Settings | Require apps password lock | After 1 minute of inactivity | Box lets you force users to reauthenticate frequently on mobile devices to prevent data breaches if the device is lost or stolen.

Settings | Allow external users to collaborate on folders/files | Off | Box lets you restrict sharing files and folders with users outside of this Box account.

Settings | Restrict Invites | On | Box allows you to restrict this permission to only owners and co-owners of a folder.

Settings | Enable Invite links (Allow users to invite collaborators using links) | Off | Box allows you to control whether users can invite collaborators using links to Box resources.

Monitoring Drift from Your Security Settings for Box

Locate changes to your security settings in Risk Events.

After you push (or seed) security controls to your Box application instance, Oracle CASB Cloud Service detects when anyone lowers these settings in the Box instance. The service displays these changes as risk events in the Oracle CASB Cloud Service console, and generates an incident ticket so that you can manage the event.

For example, if you push a security setting to Box to set a time limit for user sessions, and later someone increases the time limit, you will see a related risk event and incident ticket in the Oracle CASB Cloud Service console.

1. Select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. In the App Instances drop-down list, select the name of your application instance and deselect all other application instances.

3. If any of your security settings were changed in the application instance, these changes appear in the filtered list of risk events.

4. Click the icon for an event of interest to expand it.

5. Determine whether the event appears to violate your security settings (for example, look for the Box user whose session is longer than 30 minutes).

If the event is of interest, click View Incident. The Incidents applet opens, and you see a ticket related to this event.

6. Click the gear icon for the ticket.

To have the Oracle CASB Cloud Service resolve the issue (for example, push your desired session duration setting out to Box), click Auto Remediation. Otherwise, select Manual Remediation, and fix the Box instance setting manually.

7. Click Resolved.
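The drift check this section describes, as an added Python example that is not Oracle's code and not the service's implementation: it compares a snapshot of the current Box settings against the values that were pushed, flags only changes that weaken a control (a lengthened idle timeout counts, a shortened one does not), and opens a ticket that records the pushed value for the auto-remediation step. The control names are hypothetical (not Box API fields), the pushed values are taken from the stringent baseline in the table above, and the current snapshot is constructed.

```python
"""Added example: detect drift from the security settings pushed to a Box instance."""

# Hypothetical control names (not Box API field names). The value says which direction of
# change WEAKENS the control: "higher" (a larger number is weaker, such as a longer idle
# session), "lower" (a smaller number is weaker, such as a shorter minimum password), or
# "off" (switching the control off is weaker).
CONTROL_RULES = {
    "session_idle_timeout_minutes": "higher",
    "shared_link_auto_disable_days": "higher",
    "failed_logins_before_admin_notified": "higher",
    "password_reset_every_days": "higher",
    "password_min_length": "lower",
    "keep_me_signed_in_blocked": "off",
    "restrict_external_collaboration": "off",
    "apps_require_ssl": "off",
}

# Values pushed to the instance, taken from the stringent baseline in the table above.
PUSHED_BASELINE = {
    "session_idle_timeout_minutes": 30,
    "shared_link_auto_disable_days": 30,
    "failed_logins_before_admin_notified": 3,
    "password_reset_every_days": 30,
    "password_min_length": 10,
    "keep_me_signed_in_blocked": True,
    "restrict_external_collaboration": True,
    "apps_require_ssl": True,
}

# Constructed snapshot of what the instance reports now (not from a real account).
CURRENT_SNAPSHOT = {
    "session_idle_timeout_minutes": 120,  # someone lengthened the idle timeout: drift
    "shared_link_auto_disable_days": 14,  # tightened, not drift
    "failed_logins_before_admin_notified": 3,
    "password_reset_every_days": 30,
    "password_min_length": 12,            # tightened, not drift
    "keep_me_signed_in_blocked": False,   # feature re-enabled for users: drift
    "restrict_external_collaboration": True,
    # apps_require_ssl absent: control not available in this account type
}


def classify_change(control, pushed, current):
    """Return "unchanged", "weakened" or "strengthened" for one control."""
    if pushed == current:
        return "unchanged"
    rule = CONTROL_RULES[control]
    if rule == "off":
        return "weakened" if pushed and not current else "strengthened"
    if rule == "higher":
        return "weakened" if current > pushed else "strengthened"
    return "weakened" if current < pushed else "strengthened"


def detect_drift(pushed, current, observed_at):
    """Open one ticket per control that is now weaker than the value that was pushed.

    Controls missing from the snapshot are skipped, since not every control is available
    in every account type. Each ticket carries the pushed value so an auto-remediation
    step can push it back.
    """
    tickets = []
    for control in CONTROL_RULES:
        if control not in current or control not in pushed:
            continue
        if classify_change(control, pushed[control], current[control]) == "weakened":
            tickets.append({
                "control": control,
                "pushed": pushed[control],
                "current": current[control],
                "observed_at": observed_at,
                "auto_remediation": pushed[control],
                "status": "open",
            })
    return tickets


if __name__ == "__main__":
    for ticket in detect_drift(PUSHED_BASELINE, CURRENT_SNAPSHOT, "2020-07-01T10:00:00Z"):
        print(f"drift: {ticket['control']} pushed={ticket['pushed']} "
              f"current={ticket['current']} -> remediate to {ticket['auto_remediation']}")
```

Encoding the weakening direction per control is the point: a plain "value differs from baseline" comparison would also raise a ticket for the shortened link expiry and the longer minimum password, which an administrator tightened on purpose.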

Detecting Threats in Custom Apps for AWS

Understand Oracle CASB Cloud Service threat detection features for Custom Apps for AWS.

As described in Managing Behavioral Anomalies and Threats, Oracle CASB Cloud Service detects behaviors that indicate an insider or external threat (for example, one user who is performing many more actions than any other user). To view threats detected for Custom Apps for AWS:

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Applications page:

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, click the non-zero number for Threats to view those threats in Risk Events.

• In grid view, click the non-zero number in the THREATS column to view those threats in Risk Events.

3. To view additional information related to a threat, including recommended remediation actions, drop down the Actions list and select View Incident.

Detecting Threats in GitHub

View threats to a GitHub instance.

Oracle CASB Cloud Service automatically detects anomalous user behavior in GitHub as well as any behavior associated with suspicious or blacklisted IP addresses.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Applications page:

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, click the non-zero number for Threats to view those threats in Risk Events.

• In grid view, click the non-zero number in the THREATS column to view those threats in Risk Events.

3. To view additional information related to the threat, including recommended remediation actions, drop down the Actions list and select View Incident.


Detecting Threats in Google for Work

Understand how Oracle CASB Cloud Service detects threats for Google for Work.

Oracle CASB Cloud Service detects behaviors that indicate a threat (for example, access from a suspicious IP address, excessive mass transfers and deletes of sales data, or a user hopping between IP addresses and geographical locations). For more information, see Managing Behavioral Anomalies and Threats.

Threat detection can alert you, for example, when a Google for Work user:

• Has a suspicious number of failed logins (suggesting a brute-force attack)

• Appears to be accessing Google Apps from an anonymizing proxy

• Logs in to Google Apps from an atypical location.

Detecting Threats in Office 365

Understand how Oracle CASB Cloud Service detects threats for Office 365.

Oracle CASB Cloud Service detects behaviors that indicate an insider or external threat (for example, access from a suspicious IP address, excessive mass transfers and deletes of sales data, or a user hopping between IP addresses and geographical locations). For more information, see Managing Behavioral Anomalies and Threats.

Threat detection can alert you, for example, when a user is sending an unusual amount of email, has a suspicious number of failed logins (suggesting a brute-force attack), or appears to be accessing their Office 365 account from an anonymizing proxy.

Oracle CASB Cloud Service currently generates behavioral threats for the following:

• Exchange Online

• SharePoint/OneDrive

• Azure AD

Detecting Threats in Oracle Cloud Infrastructure (OCI)

View threats to an Oracle Cloud Infrastructure (OCI) instance.

Oracle CASB Cloud Service automatically detects anomalous user behavior in Oracle Cloud Infrastructure as well as any behavior associated with suspicious or blacklisted IP addresses.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Applications page:

• In card view, click the icon for the instance you want to modify, and then in the Health Summary, click the non-zero number for Threats to view those threats in Risk Events.

• In grid view, click the non-zero number in the THREATS column to view those threats in Risk Events.

3. To view additional information related to the threat, including recommended remediation actions, drop down the Actions list and select View Incident.

Detecting Threats in Oracle ERP CloudView threats to an Oracle ERP Cloud instance.

Oracle CASB Cloud Service automatically detects anomalous user behavior in OracleERP Cloud as well as any behavior associated with suspicious or blacklisted IPaddresses.

1. Select Applications from the Navigation menu. If the Navigation Menu is notdisplayed, click the Navigation Menu icon to display it.

2. On the Applications page:

• In card view, click the icon for the instance you want to modify, and thenin the Health Summary, click the non-zero number for Threats to view thosethreats in Risk Events.

• In grid view, click the non-zero number in the THREATS column to view thosethreats in Risk Events.

3. To view additional information related to the threat, including recommendedremediation actions, drop down the Actions list and select View Incident.

Detecting Threats in Oracle HCM CloudView threats to an Oracle HCM Cloud instance.

Oracle CASB Cloud Service automatically detects anomalous user behavior in OracleHuman Capital Management as well as any behavior associated with suspicious orblacklisted IP addresses.

1. Select Applications from the Navigation menu. If the Navigation Menu is notdisplayed, click the Navigation Menu icon to display it.

2. On the Applications page:

• In card view, click the icon for the instance you want to modify, and thenin the Health Summary, click the non-zero number for Threats to view thosethreats in Risk Events.

• In grid view, click the non-zero number in the THREATS column to view thosethreats in Risk Events.

3. To view additional information related to the threat, including recommendedremediation actions, drop down the Actions list and select View Incident.

Detecting Threats in Oracle Sales CloudView threats to an Oracle Sales Cloud instance.

Oracle CASB Cloud Service automatically detects anomalous user behavior in OracleSales Cloud as well as any behavior associated with suspicious or blacklisted IPaddresses.

1. Select Applications from the Navigation menu. If the Navigation Menu is notdisplayed, click the Navigation Menu icon to display it.


2. On the Applications page:

• In card view, click the icon for the instance you want to view, and then in the Health Summary, click the non-zero number for Threats to view those threats in Risk Events.

• In grid view, click the non-zero number in the THREATS column to view those threats in Risk Events.

3. To view additional information related to a threat, including recommended remediation actions, drop down the Actions list and select View Incident.

Detecting Threats in Salesforce

Understand what you can do to find and remediate threats that Oracle CASB Cloud Service detects in Salesforce.

Threats are a particular type of risk that Oracle CASB Cloud Service detects. Specifically, threats consist of user behaviors that deviate from usual patterns and indicate possible account or device hijacking. Access from suspicious IP addresses also constitutes a threat.

Users at Risk in Salesforce

In addition to application-level threat detection, Oracle CASB Cloud Service monitors users for the risk of their accounts being compromised.

In addition to the common at-risk behaviors, Oracle CASB Cloud Service monitors Salesforce users for the following:

• Password-related actions: password policy changes and password resets.

• Session settings changes (for example, changing the session timeout value).

• Changes to delegated administration groups and the items delegated administrators can manage.

• Changes that delegated administrators make in the Setup section of Salesforce.

• The number of records that a user empties from their own Recycle Bin and from the organization's Recycle Bin.

• Changes to Security Assertion Markup Language (SAML) configuration settings.

• Changes to Salesforce certificates.

• Enabling or disabling identity providers.

• Changes to named credentials.

• Changes to service providers.

• Mass delete usage, including when a mass delete exceeds the user's Recycle Bin limit of 5000 deleted records. Salesforce permanently removes the excess records from the Recycle Bin, starting with the oldest ones, within 2 hours of the mass delete action, so a mass delete past that limit destroys data that cannot be restored from the Recycle Bin.

• Data export requests.

• Changes to public groups, sharing rules, and organization-wide sharing, including the Grant Access Using Hierarchies option.

Oracle CASB Cloud Service has general methods for detecting threats within and across different types of applications. For more information, see:


• Finding and Analyzing Users at Risk

• Remediating and Dismissing a Suspicious Activity Threat

Finding Weak Security Control Values in Salesforce

Find and resolve weak security control values for a Salesforce instance.

Security settings in an application protect the data that is stored in it or processed by it. For example, when users are permitted to keep idle sessions active for hours at a time, the risk of their accounts being compromised increases. For more information, see Weak Security Control Values in Your Cloud Applications.

When you add or register a Salesforce instance (see Adding a Salesforce Instance), you have two choices:

• Monitor only. By default, Oracle CASB Cloud Service notifies you when security settings in Salesforce fall below a baseline (for example, users are allowed to have passwords of fewer than 10 characters). This baseline is equivalent to the Stringent values that are applied if you push security controls to Salesforce.

• Monitor and push security controls. In this case, Oracle CASB Cloud Service configures security settings in the Salesforce instance, and later notifies you of any drift away from these settings.

After registration, Oracle CASB Cloud Service provides different levels of notification of weak security configuration values in the Dashboard and in Risk Events.

1. From the Dashboard, click the “Non-compliant security controls” number in the Health Summary card to view non-compliant security alerts for all applications on the Risk Events page (the CATEGORY column lists only “Security control” entries).

2. From the Applications page, to view all non-compliant security alerts for a single application on the Risk Events page:

a. In grid view, click the count of non-compliant security control alerts that appears in the SECURITY ALERTS column for the application.

b. In card view, click an application tile to see the Health Summary card for that application, then click the “Security controls” number.

3. Click an entry in the risk events list to view its details.

4. To delegate the task of updating the security control:

a. Select Action, View incident.

b. In the Incidents dialog box, click Edit Incident.

c. In the Edit Incident dialog box, in the Assigned to list, select the email address of the person to whom you want to delegate the incident.

You may need to send a manual notification to the person who is responsible for the Salesforce security configuration.

d. Click Save.

5. To resolve the incident:

a. Select Action, View incident.

b. In the Incidents dialog box, click Edit Incident.


c. In the Edit Incident dialog box, if Remediation options are available, then select:

• Auto remediation: to have Oracle CASB Cloud Service push corrective security settings to the Salesforce instance.

Auto remediation is only available for an application instance if Monitoring type is set to Push controls and monitor at the time the instance is added.

• Manual remediation: to remediate the issue manually, by changing security settings in the Salesforce instance to conform to Oracle CASB Cloud Service standards.

d. In the Reason box, describe the remediation action you took that should prevent similar incidents from appearing in Risk Events in the future.

Note:

If you don't take a remediation action (manual or auto), then you should dismiss the incident instead of resolving it. To dismiss instead of resolving this incident, click Cancel twice, and then proceed with the next numbered step.

e. Click Resolve.

6. To dismiss the incident, select Action, Dismiss.

Note:

When you dismiss an incident without making any changes in your security settings, similar incidents will continue to appear in Risk Events in the future.

Monitoring Drift from Your Salesforce Baseline

Locate changes to your security settings in Risk Events.

After you push (or seed) security controls to your Salesforce application instance, Oracle CASB Cloud Service detects when anyone lowers these settings in the Salesforce instance. The service displays these changes as risk events in the Oracle CASB Cloud Service console, and generates an incident ticket so that you can manage the event. For example, if you push a security setting to Salesforce to increase the minimum password length, and later on someone lowers this value, then you see a related risk event and incident ticket in the Oracle CASB Cloud Service console.

1. From the Oracle CASB Cloud Service console, select Risk Events.

2. From the App instances drop-down list, deselect All, and select the name of your application instance.

3. If any security settings must be strengthened in the application instance, then these changes appear in the filtered list of risk events.


4. Click an entry in the risk events list to view its details.

5. Determine whether the event appears to violate your security settings (for example, see if someone shortened the minimum password length).

6. If the event is of interest, select Action, View Incident.

7. Click the gear icon for the ticket. To have Oracle CASB Cloud Service resolve the issue (for example, push your desired session duration setting out to Salesforce), click Auto Remediation. Otherwise, select Manual Remediation and fix the Salesforce instance setting manually.

8. Click Resolved.
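What the two registration choices (Finding Weak Security Control Values in Salesforce) and the drift procedure above amount to, as an added example that is not Oracle CASB Cloud Service code: monitor only is a baseline check (check_compliance), push controls and monitor is that check plus writing the baseline back (remediate), and drift monitoring compares the settings you seeded with the settings now in the instance (detect_drift). The setting names, every baseline value other than the 10-character password minimum quoted earlier, and the two snapshots are assumptions for the example:

```python
"""Added example, not Oracle CASB Cloud Service code: baseline compliance,
drift detection and push-style remediation for Salesforce security settings."""

# Baseline in the text's "Stringent" sense. Each entry is (comparison, value):
# "min" means the setting must be >= value, "max" <= value, "eq" equal to it.
# Only the 10-character password minimum comes from the text; the setting
# names and the other values are assumed for the example.
BASELINE = {
    "MinimumPasswordLength": ("min", 10),
    "SessionTimeoutMinutes": ("max", 120),
    "PasswordExpirationDays": ("max", 90),
    "RequireHttpsOnly": ("eq", True),
}

# Constructed snapshots: what was pushed at registration, and the instance later.
SEEDED = {"MinimumPasswordLength": 12, "SessionTimeoutMinutes": 60,
          "PasswordExpirationDays": 90, "RequireHttpsOnly": True}
DRIFTED = {"MinimumPasswordLength": 8, "SessionTimeoutMinutes": 480,
           "PasswordExpirationDays": 90, "RequireHttpsOnly": True}


def meets(op, actual, required):
    """True if `actual` is at least as strong as `required` under `op`."""
    if op == "min":
        return actual >= required
    if op == "max":
        return actual <= required
    return actual == required


def check_compliance(settings, baseline=BASELINE):
    """Monitor-only view: (setting, actual, required) for every value weaker
    than the baseline. A setting that is absent counts as non-compliant."""
    violations = []
    for name, (op, required) in baseline.items():
        actual = settings.get(name)
        if actual is None or not meets(op, actual, required):
            violations.append((name, actual, required))
    return violations


def detect_drift(previous, current, baseline=BASELINE):
    """Drift view: (setting, old, new) for every watched setting that is weaker
    now than in the previous snapshot. Strengthening is not reported."""
    drift = []
    for name, (op, _) in baseline.items():
        if name in previous and name in current:
            old, new = previous[name], current[name]
            if not meets(op, new, old):
                drift.append((name, old, new))
    return drift


def remediate(current, seeded, baseline=BASELINE):
    """Push-mode auto remediation: revert drifted settings to the values that
    were pushed, then raise anything still below the baseline to the baseline."""
    fixed = dict(current)
    for name, old, _new in detect_drift(seeded, current, baseline):
        fixed[name] = old
    for name, _actual, required in check_compliance(fixed, baseline):
        fixed[name] = required
    return fixed


if __name__ == "__main__":
    for name, actual, required in check_compliance(DRIFTED):
        print(f"non-compliant: {name}={actual} (baseline {required})")
    for name, old, new in detect_drift(SEEDED, DRIFTED):
        print(f"drift: {name} {old} -> {new}")
    print("after remediation:", remediate(DRIFTED, SEEDED))
```

Note the two different reference points: compliance is judged against the baseline, drift against what you seeded. A setting that was pushed stronger than the baseline (12 characters here) and then lowered to a value still at or above the baseline is drift but not a compliance violation, which is why the drift check is the one that catches quiet weakening after a push.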

Viewing Security Controls Monitored for Salesforce

Find weak security control values and monitor drift from security control baseline settings.

For a complete description of these controls, see Security Control Values for Salesforce (Monitor Only/Read Only).

Detecting Threats in ServiceNow

Understand what you can do to find and remediate threats that Oracle CASB Cloud Service detects in ServiceNow.

Oracle CASB Cloud Service automatically detects anomalous user behavior in ServiceNow and any behavior associated with suspicious or blacklisted IP addresses.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Applications page:

• In card view, click the icon for the instance you want to view, and then in the Health Summary, click the non-zero number for Threats to view those threats in Risk Events.

• In grid view, click the non-zero number in the THREATS column to view those threats in Risk Events.

3. To view additional information related to a threat, including recommended remediation actions, drop down the Actions list and select View Incident.

Detecting Threats in Slack

View threats to a Slack instance.

Oracle CASB Cloud Service automatically detects anomalous user behavior in Slack as well as any behavior associated with suspicious or blacklisted IP addresses.

1. Select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. On the Applications page:

• In card view, click the icon for the instance you want to view, and then in the Health Summary, click the non-zero number for Threats to view those threats in Risk Events.


• In grid view, click the non-zero number in the THREATS column to view those threats in Risk Events.

3. To view additional information related to a threat, including recommended remediation actions, drop down the Actions list and select View Incident.


29 Tracking Incident Tickets

Find, manage, and resolve or delegate your incident tickets.

Oracle CASB Cloud Service generates a ticket in the Incidents section of the Oracle CASB Cloud Service console whenever it detects a behavioral anomaly. Administrators also can create incident tickets manually.

Topics:

• Typical Workflow for Tracking Incident Tickets

• About Incident Management

• Finding, Managing, and Resolving Incidents

Typical Workflow for Tracking Incident Tickets

With Oracle CASB Cloud Service, you can track tickets that are generated whenever a behavioral anomaly is detected.

Task: Understand incident management.
Description: You can learn about how Oracle CASB Cloud Service manages problems that it detects.
Additional Information: About Incident Management

Task: Manage incidents.
Description: You can search for, modify, and either resolve incident tickets or delegate remediation to another incident management system.
Additional Information: Finding, Managing, and Resolving Incidents

About Incident Management

Find, manage, and resolve or delegate your incident tickets.

The process of fixing a problem that Oracle CASB Cloud Service detects is known as remediation.

When Oracle CASB Cloud Service detects a behavioral anomaly (a potential threat), it automatically generates a ticket in the Incidents section of the Oracle CASB Cloud Service console. You also can create incident tickets manually (for example, to track the resolution of policy alerts that appear in Risk Events).

By default, the Incidents page shows up to 90 days of data.

Oracle CASB Cloud Service Supports Three Types of Remediation

• Manual remediation. When processing an incident ticket, if you select manual remediation, then it means that you perform the remediation steps yourself (for example, locking a user's account), and just use Oracle CASB Cloud Service for tracking the remediation task.

• Auto-remediation. When processing an incident ticket, if you select auto-remediation, it means that you are giving Oracle CASB Cloud Service or another remediation system permission to perform the remediation on your behalf (for example, strengthening a password policy in the application instance). Auto-remediation is only available for a subset of incidents.

• Delegation. You can offload management of a ticket to a centralized ticketing system. See Exporting Data from Oracle CASB Cloud Service.

Finding, Managing, and Resolving Incidents

Search for, modify, and resolve incident tickets in the Oracle CASB Cloud Service console.

Finding an Incident in the Dashboard

Find incidents in the Dashboard for all applications.

1. Select the Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. In the Health Summary card, click the “Open incident tickets” number to view open incidents for all application instances on the Incidents page.

Finding an Incident in the Risk Events Page

Use the INCIDENT column in Risk Events to find incidents.

1. Select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Locate a risk event of interest.

3. In the INCIDENT column:

• If an incident ticket has already been created, then the incident number appears in the INCIDENT column. Click the incident number to display the related ticket in the View Incident dialog box. Oracle CASB Cloud Service automatically generates incident tickets for all categories of events.

• If no incident ticket has been created, then click Create in the INCIDENT column to start a new ticket.

Finding an Incident in the Incidents Page

Use Filters in the Incidents page to search for incidents that match your criteria.

1. Select Incidents from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. If filters aren't displayed, click the Filter icon.

You can filter by incident ID, application instance name, dates, and additional criteria. The category filters are:


• Anomalous activity is related to a threat that has been categorized as atypical user behavior.

• Security control displays only tickets flagged as pertaining to a security configuration issue. An Oracle CASB Cloud Service administrator manually creates tickets of this type.

• Policy alert displays only tickets flagged as pertaining to a policy alert. An Oracle CASB Cloud Service administrator manually creates tickets of this type.

• Monitoring stopped displays only tickets flagged as pertaining to Oracle CASB Cloud Service being unable to connect to a monitored application instance. An Oracle CASB Cloud Service administrator manually creates tickets of this type.

• Other incident types are specialized versions of anomalous activities (threats).

3. When you are done setting the search filters, click Search.

Oracle CASB Cloud Service returns a list of incidents that match your criteria.

Note:

The filter icon is highlighted to indicate that you are viewing a subset of the incidents. If you return to the Incidents page in the same session, or later in another session, the events remain filtered.

4. Click the Edit icon to view the details for an incident of interest.

Managing an Incident in the Incidents Page

Change an incident’s assignee or priority.

1. Select Incidents from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the Edit icon to view incident details.

3. In the Edit Incident dialog box:

• Look below Related risk events or threats to see additional information about the cause of the ticket.

• Drop down the Assigned to list to change the assignee.

Note:

Changing the assignee doesn't export the ticket to ServiceNow. Read the following procedures in this help topic for details.

• Click the drop-down list for Priority to change its level of urgency.

4. When you are done, click Save to save your changes, Resolve to close the ticket and its related alerts, or Cancel to revert any changes.


Resolving an Incident

Click Resolve in the Edit Incident dialog box, and then document how you resolved it.

1. Select Incidents from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Click the Edit icon to view incident details in the Edit Incident dialog box:

• Click Resolve.

• In the Incident#... dialog box, if Oracle CASB Cloud Service or another system can resolve the incident automatically, then the Auto remediation option is available. To delegate remediation to Oracle CASB Cloud Service, select Auto remediation.

If the Auto remediation option isn't available, or you want to fix the application instance setting manually, select Manual remediation.

• Select the Approval box.

• In the Reason box, describe the remediation action you took that should prevent similar incidents from appearing in Risk Events in the future.

Note: If you don't take a remediation action (manual or auto), you should dismiss the incident instead of resolving it. To dismiss instead of resolving this incident, click Cancel twice, and then proceed with the next numbered step.

• Click Resolve Incident.

If you selected Manual remediation, remember to fix the application instance setting manually: resolving the ticket records the action but does not change the setting.


Part VI Exporting Data

Learn about the options available for exporting threat information from Oracle CASB Cloud Service.

At some point it is likely that you will want to export some threat information from Oracle CASB Cloud Service.

Chapters:

• Exporting Data from Oracle CASB Cloud Service


30 Exporting Data from Oracle CASB Cloud Service

Understand the options available for exporting data from Oracle CASB Cloud Service.

Several different options are available for exporting Oracle CASB Cloud Service data to a comma-separated values (CSV) file, or to an incident management system.

Topics:

• Typical Workflow for Data Export Options

• Exporting a Report

• Exporting Risk Events to a CSV File

• About Data Retention

Typical Workflow for Data Export Options

With Oracle CASB Cloud Service, you can export data associated with reports or risk events.

Task: Export reports.
Description: You can export reports from Oracle CASB Cloud Service into a CSV file.
Additional Information: Exporting a Report

Task: Export risk events to a CSV file.
Description: You can export risk events from Oracle CASB Cloud Service into a CSV file.
Additional Information: Exporting Risk Events to a CSV File

Exporting a Report

Export a report by saving it to a comma-separated values (CSV) file that you can open in a spreadsheet program.

1. Select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Do one of the following:

• Click the Run icon for the report that you want to run.

• Click Report Builder and follow the instructions in Running an Ad Hoc Report: Report Builder.

• Click New Report, follow the instructions in Creating a Custom New Report, and then on the Reports page, click the Run icon.

3. Set filters to display only the records you want to export.


4. Click Export to CSV.

5. If your export exceeds the 500k record limit:

a. Click OK on the message about the limited number of records you can export.

b. Set filters to reduce the number of records below the limit.

c. Click Export to CSV again.

6. If your export does not exceed 1000 records:

a. In the Opening... dialog, click Save File.

b. Click the Download icon at the top right, and select your CSV file from the list.

c. In the Text Import... dialog, change selections as needed to make the preview at the bottom look right.

d. Click OK to open the CSV file in the spreadsheet program that is associated with the .csv extension.

7. If your export exceeds 1000 records, but is under 500k:

a. Click OK on the message saying that the data export process has begun.

b. Select Jobs from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• Your export to CSV is now listed, with an icon in the STATUS column indicating the job's status.

• Use the icons at the top to filter the list to show only jobs of one status.

• Click your job's entry in the DESCRIPTION column to view job details.

c. When your job's status changes to completed in the STATUS column, click the icon in the RESULTS column for your job.

Note:

An email is also sent to alert you when your job completes.

Exporting Risk Events to a CSV File

Export risk events from Oracle CASB Cloud Service into a comma-separated values (CSV) file, for easy import into a spreadsheet or database.

1. Select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

2. Filter events as needed. An export of 1000 records or fewer downloads immediately; a larger export (up to the 500k limit) runs as a job, as described in steps 5 to 7.

See Searching For and Viewing Risks.

3. With your filtered report displayed, click Export to CSV.

4. In the Export to CSV dialog:

a. Select the level of detail you wish to export:


• Leave Include all details of the risk events deselected if you want to export only the summary information that is displayed. Information will be downloaded in a single CSV file.

• Select Include all details of the risk events if you want to export all available details. Information will be downloaded in multiple CSV files, one for each event type, inside a single ZIP file:

– One Threats file

– One Security Controls file

– One Policy Alerts file for each application type

Note:

If there are no events for an event type, no CSV file for that event type is downloaded.

If you are exporting risk events for Oracle Cloud Infrastructure (OCI) only, you also get a CSV file that contains both Security Controls and Policy Alerts, but has only column data from headers that are common to both policy alerts and security control alerts.

b. Click OK.

5. If your export exceeds the 500k limit:

a. Click OK on the message about the limited number of records you can export.

b. Set filters to reduce the number of records below the limit.

c. Click Export to CSV again.

6. If your export does not exceed 1000 records:

a. In the Opening... dialog, click Save File.

b. Click the Download icon at the top right, and select your CSV file from the list.

c. In the Text Import... dialog, change selections as needed to make the preview at the bottom look right.

d. Click OK to open the CSV file in the spreadsheet program that is associated with the .csv extension.

7. If your export exceeds 1000 records, but is under 500k:

a. Click OK on the message saying that the data export process has begun.

b. Select Jobs from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

• Your export to CSV is now listed, with an icon in the STATUS column indicating the job's status.

• Use the icons at the top to filter the list to show only jobs of one status.

• Click your job's entry in the DESCRIPTION column to view job details.


c. When your job's status changes to completed in the STATUS column, click the icon in the LINKS column for your job.

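The detailed export layout described above (one CSV per event type inside a ZIP, no file for an event type with no events), built from constructed risk events and then read back into a single list, as an added example that is not Oracle CASB Cloud Service code. The file names, the CSV columns and the sample events are assumptions for the example; only the CATEGORY values are the ones the Risk Events page shows. Reading the export back into your own store is how risk-event history outlives the UI's retention period:

```python
"""Added example, not Oracle CASB Cloud Service code: write and read the
"include all details" export layout (one CSV per event type inside a ZIP)."""
import csv
import io
import zipfile

# Column names are assumed for the example; "category" uses the values shown
# in the Risk Events CATEGORY column.
FIELDS = ["category", "app_type", "instance", "date", "severity", "summary"]

# Constructed sample risk events.
RISK_EVENTS = [
    {"category": "Threat", "app_type": "Salesforce", "instance": "sf-prod",
     "date": "2020-07-01", "severity": "High", "summary": "Impossible travel for alice"},
    {"category": "Security control", "app_type": "Salesforce", "instance": "sf-prod",
     "date": "2020-07-01", "severity": "Medium", "summary": "Minimum password length below baseline"},
    {"category": "Policy alert", "app_type": "Salesforce", "instance": "sf-prod",
     "date": "2020-07-02", "severity": "Low", "summary": "Report exported outside business hours"},
    {"category": "Policy alert", "app_type": "Box", "instance": "box-corp",
     "date": "2020-07-02", "severity": "Low", "summary": "Public link created"},
]


def export_file_name(event):
    """One Threats file, one Security Controls file, and one Policy Alerts
    file per application type. The exact file names are an assumption."""
    if event["category"] == "Policy alert":
        return f"PolicyAlerts-{event['app_type']}.csv"
    return {"Threat": "Threats.csv", "Security control": "SecurityControls.csv"}[event["category"]]


def build_detail_export(events):
    """Return the bytes of a ZIP holding one CSV per event type. Event types
    with no events get no file, matching the behaviour the text describes."""
    per_file = {}
    for e in events:
        per_file.setdefault(export_file_name(e), []).append(e)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, rows in sorted(per_file.items()):
            text = io.StringIO()
            writer = csv.DictWriter(text, fieldnames=FIELDS, lineterminator="\n")
            writer.writeheader()
            writer.writerows(rows)
            zf.writestr(name, text.getvalue())
    return buf.getvalue()


def export_file_names(zip_bytes):
    """Sorted member names of an export ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def load_export(zip_bytes):
    """Read every CSV in an export ZIP into one list of dict rows, each
    tagged with the file it came from, ready to load into your own store."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not name.lower().endswith(".csv"):
                continue
            with zf.open(name) as raw:
                # utf-8-sig tolerates a byte-order mark at the start of a file
                reader = csv.DictReader(io.TextIOWrapper(raw, encoding="utf-8-sig"))
                for row in reader:
                    row["source_file"] = name
                    rows.append(row)
    return rows


if __name__ == "__main__":
    blob = build_detail_export(RISK_EVENTS)
    print(export_file_names(blob))
    for row in load_export(blob):
        print(row["source_file"], row["category"], row["summary"])
```

The reader keeps the source file name on every row because the per-type files can carry different headers (the note above about the combined OCI file is one case); tagging rows rather than assuming one schema lets a later loader branch on the file rather than on a guessed column.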
About Data Retention

Data that Oracle CASB Cloud Service collects is available in the UI for 90 days. After that it is purged.

Raw Data and Derived Data

Oracle CASB Cloud Service ingests raw data on application instances that it monitors. This raw data includes security configurations, user groups and roles, and user activity metadata, such as logins, logouts, sharing of content, and creating and terminating compute instances.

From this raw data, Oracle CASB Cloud Service derives the security intelligence data that it displays in the UI, such as policy alerts, threat alerts, user risk scores, security configuration drifts, and activity reports.

Data Retention

For monitored services:

• Activity data, plus all data derived from the raw activity data, is retained in the UI for 90 days. After 90 days, that data is removed from the UI.

While data is available in the UI, you can export it for permanent storage in your systems. See Exporting Data.

• Configuration data is never stored in the UI.

• Discovery data is only available in the UI in summary form. Raw activity data that was not used in the derived data is deleted from Oracle CASB Cloud Service as soon as the raw data is analyzed and processed.


Part VII Appendixes

Supplemental information on Oracle CASB Cloud Service.

Topics:

• Troubleshooting Registration of Fusion Applications

• Objects Monitored by Application Type

• Third-Party and Open Source Software Attributions


A Troubleshooting Registration of Fusion Applications

Learn how to troubleshoot error messages you may receive when you are trying to register an instance of an Oracle Fusion Application.

Topics:

• An error occurred while connecting to the Oracle ERP Cloud instance

• Auditing is not enabled for OPSS

• Auditing is not enabled for these business objects...

• Authorization has failed

• Failed to get Audit API version

• Invalid hostname

• Invalid login credentials

• Invalid OAM hostname

• Oracle <Fusion Application type> instance you are trying to connect to is not available

• Unable to determine the OAM server hostname

• Unable to reach Oracle ERP Cloud instance, as CASB IPs are not whitelisted

• You have selected to associate CASB instance with OAM but OAM integration is not enabled

An error occurred while connecting to the Oracle ERP Cloud instance

Remediation: Check the connection and try again.

Auditing is not enabled for OPSS

OPSS auditing must be enabled in order to register an Oracle ERP Cloud instance.

Remediation: Enable auditing for OPSS in the Oracle ERP Cloud instance console.

Auditing is not enabled for these business objects...

Remediation: Enable auditing for the mentioned business objects from the Oracle ERP Cloud instance console. See Enabling Business Object Auditing for Oracle ERP Cloud.


Authorization has failed

Remediation: Assign the SOC Operator role to the Oracle CASB Cloud Service user account that accesses the Oracle ERP Cloud instance you are registering. See Adding Oracle CASB Cloud Service Administrators.

Failed to get Audit API version

Could not connect with the Oracle ERP Cloud instance.

Remediation: Try again after some time has passed. If the problem persists, contact Oracle Support.

Invalid hostname

The host name that you entered is not valid.

Remediation: Enter the host name of the Oracle ERP Cloud service host. For example, myoraclesaas.com.

Invalid login credentials

The credentials you entered for logging in to Oracle ERP Cloud were rejected.

Remediation: Verify your login credentials by logging in to the dedicated Oracle CASB Cloud Service user account created in Oracle ERP Cloud in a separate browser window. Then carefully enter the valid login credentials to register your Oracle ERP Cloud instance.

Invalid OAM hostname

The host name you entered is not valid.

Remediation: Enter the OAM host name carefully from the service request.

Oracle <Fusion Application type> instance you are trying to connect to is not available

Remediation: Try again after some time has passed.

Unable to determine the OAM server hostname

You have selected the Associate with Oracle Access Manager Integration option, but the OAM server host name can’t be determined.

Remediation: Enter the OAM host name manually from the service request.


Unable to reach Oracle ERP Cloud instance, as CASB IPs are not whitelisted

Remediation: Please whitelist the Oracle CASB Cloud Service IP addresses in your Oracle ERP Cloud instance. See XXX.

You have selected to associate CASB instance with OAM but OAM integration is not enabled

Remediation: Please contact Oracle Support or your Oracle CASB Cloud Service Customer Success Manager to request that OAM integration with Oracle CASB Cloud Service be enabled. Try again after OAM integration has been enabled. See the Enabling Association of Oracle CASB Cloud Service with Oracle Access Manager (OAM)... topic for the Fusion Application that you are trying to register.


B Objects Monitored by Application Type

Look up the list of objects that Oracle CASB Cloud Service monitors for each supported application type.

Topics:

• Amazon Web Services (AWS) Objects

• Azure Objects

• Box Objects

• Custom Apps for AWS Objects

• GitHub Objects

• Google for Work Objects

• Microsoft Office 365 Objects

• Oracle Cloud Infrastructure (OCI) Objects

• Oracle Enterprise Resource Planning (ERP) Cloud Objects

• Oracle Human Capital Management (HCM) Cloud Objects

• Oracle Sales Cloud Objects

• Salesforce Sales Cloud Objects

• ServiceNow Objects

• Slack Objects

Amazon Web Services (AWS) Objects

Objects that Oracle CASB Cloud Service monitors for AWS.

• AWS Certificate Manager

• Auto Scaling

• Cloud HSM

• Cloud Trail

• Direct Connect

• EC2 Address

• EC2 Image

• EC2 Instance

• EC2 InternetGateway

• EC2 KeyPair

• EC2 Network


• EC2 ReservedInstance

• EC2 Route

• EC2 SecurityGroup

• EC2 Snapshot

• EC2 Subnet

• EC2 Tags

• EC2 Tasks

• EC2 VPC

• EC2 VPN

• EC2 Volume

• Elastic Load Balancing

• Elastic Search

• IAM Account

• IAM Certificate

• IAM Group

• IAM IdProvider

• IAM InstanceProfile

• IAM MFADevice

• IAM PasswordPolicy

• IAM Role

• IAM User

• Key Management Service

• Redshift

• Relational Database Service

• Route 53

• S3 Bucket

• S3 Object

Azure Objects

Objects that Oracle CASB Cloud Service monitors for Azure.

• Azure AD User

• Classic Storage Account

• Classic Virtual Machines

• Classic Virtual Networks

• Disks

• Key Vault

• Storage


• Storage Account

• Storage Account Disks

• Virtual Machines

• Virtual Networks

Box Objects

Objects that Oracle CASB Cloud Service monitors for Box.

• File

• Folder

• Group

• User

Custom Apps for AWS Objects

Objects that Oracle CASB Cloud Service monitors for Custom Apps for AWS.

The list of objects that Oracle CASB Cloud Service monitors for Custom Apps for AWS is the same as that for Amazon Web Services (AWS) Objects.

GitHub Objects

Objects that Oracle CASB Cloud Service monitors for GitHub.

• Account

• Organization

• Repository

• Team

Google for Work Objects

Objects that Oracle CASB Cloud Service monitors for Google for Work.

• Application Settings

• Calendar

• Calendar settings

• Chat settings

• Chrome OS settings

• Contacts settings

• Delegated admin settings

• Docs settings

• Domain settings

• Drive


• Email settings

• Group settings

• Licenses settings

• Mobile

• Mobile settings

• Organization settings

• Security settings

• Sites settings

• System settings

• User settings

Microsoft Office 365 Objects

Objects that Oracle CASB Cloud Service monitors for Office 365.

• AzureAD Application Events

• AzureAD Authentication

• AzureAD Group

• AzureAD Role Events

• AzureAD User

• Exchange Admin: Accepted Domain (AcceptedDomain)

• Exchange Admin: ActiveSync Access Settings (ActiveSyncOrganizationSettings)

• Exchange Admin: ActiveSync Device (ActiveSyncDevice)

• Exchange Admin: ActiveSync Device Access Rule (ActiveSyncDeviceAccessRule)

• Exchange Admin: ActiveSync Mailbox Policy (ActiveSyncMailboxPolicy)

• Exchange Admin: Admin Audit Log (AdminAuditLog)

• Exchange Admin: Admin Audit Log Search (AdminAuditLogSearch)

• Exchange Admin: Admin Role (RoleGroup)

• Exchange Admin: Admin Role Member (RoleGroupMember)

• Exchange Admin: Apps (App)

• Exchange Admin: Availability Address Space (AvailabilityAddressSpace)

• Exchange Admin: Availability Config (AvailabilityConfig)

• Exchange Admin: Calendar Notification (CalendarNotification)

• Exchange Admin: Calendar Processing (CalendarProcessing)

• Exchange Admin: Classification Rule Collection (ClassificationRuleCollection)

• Exchange Admin: Client Access Settings on a Mailbox (CSAMailbox)

• Exchange Admin: Connect Subscription (ConnectSubscription)

• Exchange Admin: Connection Filter Policy (HostedConnectionFilterPolicy)

• Exchange Admin: Contact (Contact)


• Exchange Admin: Contact List (ContactList)

• Exchange Admin: Content Filter Policy (HostedContentFilterPolicy)

• Exchange Admin: Content Filter Rule (HostedContentFilterRule)

• Exchange Admin: Data Classification (DataClassification)

• Exchange Admin: Data Classification Config

• Exchange Admin: Data Loss Prevention Policy (DlpPolicy)

• Exchange Admin: Default Sharing Policy

• Exchange Admin: Distribution Group (DistributionGroup)

• Exchange Admin: Distribution Group Member (DistributionGroupMember)

• Exchange Admin: Dynamic Distribution Group (DynamicDistributionGroup)

• Exchange Admin: Exchange Assistance Config

• Exchange Admin: Federated Organization Identifier (FederatedOrganizationIdentifier)

• Exchange Admin: FolderBind

• Exchange Admin: Group (Group)

• Exchange Admin: Hotmail Subscription (HotmailSubscription)

• Exchange Admin: Hybrid Mailflow (HybridMailflow)

• Exchange Admin: IMAP Subscription (ImapSubscription)

• Exchange Admin: IRM Configuration (IRMConfiguration)

• Exchange Admin: In-Place eDiscovery and Hold (MailboxSearch)

• Exchange Admin: Inbound Connector (InboundConnector)

• Exchange Admin: Inbox Rule (InboxRule)

• Exchange Admin: Intra Organization Connector (IntraOrganizationConnector)

• Exchange Admin: Journal Rule (JournalRule)

• Exchange Admin: Linked User (LinkedUser)

• Exchange Admin: Mail Contact (MailContact)

• Exchange Admin: Mail Message (MailMessage)

• Exchange Admin: Mail Public Folder (MailPublicFolder)

• Exchange Admin: Mailbox (Mailbox)

• Exchange Admin: Mailbox Audit Log (MailboxAuditLog)

• Exchange Admin: Mailbox Audit Log Search (MailboxAuditLogSearch)

• Exchange Admin: Mailbox Calendar Folder (MailboxCalendarFolder)

• Exchange Admin: Mailbox Diagnostic Logs (MailboxDiagnosticLogs)

• Exchange Admin: Mailbox Folder (MailboxFolder)

• Exchange Admin: Mailbox Folder Permission (MailboxFolderPermission)

• Exchange Admin: Mailbox Permission (MailboxPermission)

• Exchange Admin: Mailbox Relocation Request


• Exchange Admin: Mailbox Spelling Configuration (MailboxSpellingConfiguration)

• Exchange Admin: Malware Filter Policy (MalwareFilterPolicy)

• Exchange Admin: MalwareFilterRule (MalwareFilterRule)

• Exchange Admin: Managed Folder Assistant (ManagedFolderAssistant)

• Exchange Admin: Management Role (ManagementRole)

• Exchange Admin: Management Role Entry (ManagementRoleEntry)

• Exchange Admin: Management Scope (ManagementScope)

• Exchange Admin: Message Classification (MessageClassification)

• Exchange Admin: Migration Batch (MigrationBatch)

• Exchange Admin: Migration Report (MigrationReport)

• Exchange Admin: Migration Server Availability (MigrationServerAvailability)

• Exchange Admin: Migration User (MigrationUser)

• Exchange Admin: Mobile Device (MobileDevice)

• Exchange Admin: Mobile Device Mailbox Policy (MobileDeviceMailboxPolicy)

• Exchange Admin: Move Request (MoveRequest)

• Exchange Admin: OAuth Connectivity (OAuthConnectivity)

• Exchange Admin: OME Configuration (OMEConfiguration)

• Exchange Admin: On Premises Organization (OnPremisesOrganization)

• Exchange Admin: Organization Config (OrganizationConfig)

• Exchange Admin: Organization Customization (OrganizationCustomization)

• Exchange Admin: Organization Relationship (OrganizationRelationship)

• Exchange Admin: Outbound Connector (OutboundConnector)

• Exchange Admin: Outbound Spam Filter Policy (HostedOutboundSpamFilterPolicy)

• Exchange Admin: Outlook Protection Rule (OutlookProtectionRule)

• Exchange Admin: Outlook Web App Policy (OwaMailboxPolicy)

• Exchange Admin: POP Subscription (PopSubscription)

• Exchange Admin: Partner Application (PartnerApplication)

• Exchange Admin: Policy Tip Config (PolicyTipConfig)

• Exchange Admin: Public Folder (PublicFolder)

• Exchange Admin: Public Folder Client Permission (PublicFolderClientPermission)

• Exchange Admin: Public Folder Mailbox (PublicFolderMailbox)

• Exchange Admin: Public Folder Migration Request (PublicFolderMigrationRequest)

• Exchange Admin: RMS Template (RMSTemplate)

• Exchange Admin: RMS Trusted Public Domain (RMSTrustedPublicDomain)

• Exchange Admin: Recipient Enforcement Provisioning Policy

• Exchange Admin: Remote Domain (RemoteDomain)


• Exchange Admin: Resource Config

• Exchange Admin: Retention Policy (RetentionPolicy)

• Exchange Admin: Retention Policy Tag (RetentionPolicyTag)

• Exchange Admin: Role Assignment (ManagementRoleAssignment)

• Exchange Admin: Sharing Policy (SharingPolicy)

• Exchange Admin: Site Mailbox (SiteMailbox)

• Exchange Admin: Site Mailbox Provisioning Policy (SiteMailboxProvisioningPolicy)

• Exchange Admin: Smime Config (SmimeConfig)

• Exchange Admin: Soft Deleted Mailbox (SoftDeletedMailbox)

• Exchange Admin: Subscription (Subscription)

• Exchange Admin: Tenant Object Version

• Exchange Admin: Text Messaging Account (TextMessagingAccount)

• Exchange Admin: Text Messaging Verification Code (TextMessagingVerificationCode)

• Exchange Admin: Transport Config (TransportConfig)

• Exchange Admin: Transport Rule (TransportRule)

• Exchange Admin: Transport Rule Collection (TransportRuleCollection)

• Exchange Admin: UM Auto Attendant (UMAutoAttendant)

• Exchange Admin: UM Call Data Record (UMCallDataRecord)

• Exchange Admin: UM Dial Plan (UMDialPlan)

• Exchange Admin: UM Hunt Group (UMHuntGroup)

• Exchange Admin: UM IP Gateway (UMIPGateway)

• Exchange Admin: UM Mailbox (UMMailbox)

• Exchange Admin: UM Mailbox PIN (UMMailboxPIN)

• Exchange Admin: UM Mailbox Policy (UMMailboxPolicy)

• Exchange Admin: UM Prompt (UMPrompt)

• Exchange Admin: UM Unified Group

• Exchange Admin: User (User)

• Exchange Admin: User Photo (UserPhoto)

• Exchange Admin: User Role (RoleAssignmentPolicy)

• Exchange Mail

• Sharepoint/OneDrive Access Delegation on My Site Cleanup

• Sharepoint/OneDrive Access Request

• Sharepoint/OneDrive Activation

• Sharepoint/OneDrive AllowGroupCreation

• Sharepoint/OneDrive AzureStreamingEnabled

• Sharepoint/OneDrive CollaborationType


• Sharepoint/OneDrive Comment

• Sharepoint/OneDrive DefaultLanguageInTermStore

• Sharepoint/OneDrive DocumentsResultsScope

• Sharepoint/OneDrive ExemptUserAgent

• Sharepoint/OneDrive ExemptUsers

• Sharepoint/OneDrive File

• Sharepoint/OneDrive Folder

• Sharepoint/OneDrive GlobalExpSetting

• Sharepoint/OneDrive Group

• Sharepoint/OneDrive HostSite

• Sharepoint/OneDrive IRMEnabled

• Sharepoint/OneDrive LanguageTermStore

• Sharepoint/OneDrive LegacyWorkflowEnabled

• Sharepoint/OneDrive MaxQuota

• Sharepoint/OneDrive MaxResourceUsage

• Sharepoint/OneDrive MigrateO14ActivitiesEnabled

• Sharepoint/OneDrive MySiteMicroBlogEmailsEnabled

• Sharepoint/OneDrive MySitePublicEnabled

• Sharepoint/OneDrive NewsFeedEnabled

• Sharepoint/OneDrive OfficeOnDemand

• Sharepoint/OneDrive PeopleResultsScope

• Sharepoint/OneDrive PreviewModeEnabled

• Sharepoint/OneDrive QuotaWarningEnabled

• Sharepoint/OneDrive Rendering

• Sharepoint/OneDrive ResourceWarningEnabled

• Sharepoint/OneDrive SSOApplication

• Sharepoint/OneDrive SSOGroupCredentials

• Sharepoint/OneDrive SSOUserCredentials

• Sharepoint/OneDrive SearchCenterUrl

• Sharepoint/OneDrive SecondaryMySiteOwner

• Sharepoint/OneDrive SendToConnection

• Sharepoint/OneDrive SharedLink

• Sharepoint/OneDrive Sharing

• Sharepoint/OneDrive SharingInvitation

• Sharepoint/OneDrive SignIn

• Sharepoint/OneDrive Site

• Sharepoint/OneDrive SiteAdminChange


• Sharepoint/OneDrive SitePermissions

• Sharepoint/OneDrive Sync

• Sharepoint/OneDrive SyncClient

• Sharepoint/OneDrive Term Store Administrator

• Sharepoint/OneDrive User

• Sharepoint/OneDrive eDiscovery

• Sharepoint/OneDrive Data Loss Prevention Policy (DlpPolicy)

Oracle Cloud Infrastructure (OCI) Objects

Objects that Oracle CASB Cloud Service monitors for OCI.

• Compute Images

• Compute Instance

• Database Systems

• Identity Groups

• Identity Policies

• Identity Users

• Networking Load Balancers

• Networking Security Lists

• Networking Virtual Cloud Networks

• Object Storage

• Storage Block Volumes

Oracle Enterprise Resource Planning (ERP) Cloud Objects

Objects that Oracle CASB Cloud Service monitors for Oracle ERP Cloud.

• Bank Account

• Bank Account - Checkbook

• Bank Account - General Ledger Account

• Bank Account - Payment Document

• Bank Account - Use

• Disbursement Business Unit Wise Option

• Disbursement Enterprise Wise Option

• External Bank Account External Bank Account Owner

• Job Role

• Payment System

• Payment System Formats

• Payment System Transmission Protocols


• Supplier

• Supplier - Address Contacts

• Supplier - Address Tax Classifications

• Supplier - Address Tax Reporting Codes

• Supplier - Bank Accounts

• Supplier - Business Classifications

• Supplier - Contacts

• Supplier - Payment Attributes

• Supplier - Payment Methods

• Supplier - Products and Services

• Supplier - Site Assignments

• Supplier - Sites

• Supplier - Tax Classifications

• Supplier - Tax Reporting Codes

• System Option

• System Security Options

• Supplier - Addresses

Oracle Human Capital Management (HCM) Cloud Objects

Objects that Oracle CASB Cloud Service monitors for Oracle HCM Cloud.

• Job Role

• PayCoreAuditAM - Personal Payment Method

• Person - Address

• Person - Citizenship

• Person - Disability

• Person - Driving License

• Person - Email

• Person - Ethnicity

• Person - Legislative Info

• Person - Name

• Person - National Identifier

• Person - Passport

• Person - Phone

• Person - Religion

• Person - Visa Permit

• Role Delegated by Delegator

• Role Delegated to Proxy


• Salary

• Salary Component

Oracle Sales Cloud Objects

Objects that Oracle CASB Cloud Service monitors for Oracle Sales Cloud.

• Job Role

Salesforce Sales Cloud Objects

Objects that Oracle CASB Cloud Service monitors for Salesforce Sales Cloud.

• Account

• Case

• Contact

• Contract

• Contract Line item

• Custom Object

• Custom Object Record

• Entitlement

• Lead

• Login History

• Opportunity

• Profile

• Report

• Role

• Service Contract

• Setup Audit Trail

• Solution

ServiceNow Objects

Objects that Oracle CASB Cloud Service monitors for ServiceNow.

• Asset

• Incident [Category:Database]

• Incident [Category:Hardware]

• Incident [Category:Inquiry/Help]

• Incident [Category:Network]

• Incident [Category:Request]

• Incident [Category:Software]


• Role

• Script

• Table

• User

Slack Objects

Objects that Oracle CASB Cloud Service monitors for Slack.

• Direct Message

• File

• Private Channel

• Public Channel


C Third-Party and Open Source Software Attributions

Review specific licenses for third-party and open source software components incorporated into Oracle CASB Cloud Service.

Oracle acknowledges that the following open source software are included in Oracle CASB Cloud Service Enterprise and Discovery products.

Topics:

• MIT License

• Apache 2.0 License

• BSD License

• Jquery Serialize Object License

MIT License

Review the license for software originating from the Massachusetts Institute of Technology (MIT).

Copyright © 2016

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

| Copyright Holder/s | Component | Site/License |
| --- | --- | --- |
| Three Dub Media | Jquery-Event-Drag | http://threedubmedia.com/code/license |
| Rico Sta. Cruz | NProgress JS | https://github.com/rstacruz/nprogress/blob/master/License.md |
| Jquery Foundation | Jquery JS | https://jquery.org/license/ |
| Twitter, inc. | Bootstrap JS | http://getbootstrap.com/javascript/ |
| M. Alsup | Jquery-BlockUI-Plugin JS | https://github.com/malsup/blockui/ |
| Jan Sorgalla, JQuery Foundation | Jquery-Carousel-Plugin JS | https://plugins.jquery.com/jcarousel/ |
| Klaus Hartl | Jquery-Cookie-Plugin JS | https://github.com/js-cookie/js-cookie/blob/master/MIT-LICENSE.txt |
| John Culviner | Jquery-FileDownload-Plugin JS | https://github.com/johnculviner/jquery.fileDownload/blob/master/LICENSE |
| Remy Sharp, http://jsbin.com | Jquery-Extra JS | https://github.com/jsbin/jsbin/blob/master/MIT-LICENSE.TXT |
| ducksboard | Jquery-Gridster-Plugin | https://github.com/ducksboard/gridster.js/blob/master/LICENSE |
| Paul Irish | Jquery-IdleTimer-Plugin | https://github.com/thorst/jquery-idletimer |
| Jeremy Ashkenas, DocumentCloud | Backbone JS | http://backbonejs.org/ |
| Jeremy Ashkenas, DocumentCloud | Underscore JS | http://underscorejs.org/ |
| Michael Leibman | SlickGrid JS | https://github.com/mleibman/SlickGrid |
| Dustin Diaz | Bowser JS | https://github.com/ded/bowser |
| Nando Vieira | I18N JS | https://github.com/fnando/i18n-js |
| Felipe Volpatto | IP Address Control JS | https://github.com/felipevolpatto/jquery-input-ip-address-control |

Apache 2.0 License

Review the license for software originating from the Apache Software Foundation.

Apache License Version 2.0, January 2004

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.


"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License.

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License.

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution.

You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

1. You must give any other recipients of the Work or Derivative Works a copy of this License; and

2. You must cause any modified files to carry prominent notices stating that You changed the files; and

3. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

4. If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions.

Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks.

This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.


7. Disclaimer of Warranty.

Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability.

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability.

While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

| Copyright Holder/s | Component | Site/License |
| --- | --- | --- |
| Anthony Trinh | Named-Regexp | https://github.com/tony19/named-regexp |
| Alexis Sellier and the Less Core Team | Less CSS JS | http://lesscss.org/#license-faqs |

BSD License

Review the license for software originating from the University of California, Berkeley.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the <organization>.


4. Neither the name of the <organization> nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY <COPYRIGHT HOLDER> ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright Holder/s   Component       Site/License
OWASP Foundation     OWASP ES API    https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Project_Details

Jquery Serialize Object License

Review the license for software originating from Paul Macek through GitHub.

Copyright (c) 2014, Paul Macek

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

• The names of its contributors will not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright Holder/s   Component                    Site/License
Paul Macek           Jquery-Serialize-Object JS   https://github.com/macek/jquery-serialize-object/blob/master/LICENSE


D Managing Oracle CASB Cloud Service's Data Center Migration

Learn about what you may need to do when Oracle CASB Cloud Service migrates to new data centers.

Overview

Oracle CASB Cloud Service (CASB) is migrating its operation from its current data centers to Oracle Cloud Infrastructure (OCI). The start dates for each region are listed below.

• US operations (https://loric.palerra.net) migration from Virginia to Phoenix; the operation will begin on Nov 16, 2019 at 03:00 GMT / Nov 15, 2019 at 23:00 EST / 20:00 PST

• EU operations (https://loric-eu.palerra.net) migration from Dublin, Ireland to Frankfurt, Germany on Nov 23, 2019 at 03:00 GMT / Nov 22, 2019 at 23:00 EST / 20:00 PST

The migration of services is expected to take approximately 72 hours to complete. During this time, the Oracle CASB Cloud Service will not be available.

Frequently Asked Questions

The FAQ below provides additional details on possible impacts of data center migration.

What do I need to do?

Probably nothing. Only customers using URL/IP-centric integrations (like whitelisting the CASB service) may need to update their references to the new environments.

The whitelist data contained within the CASB service will not be impacted by the migration to the new data center.

What if I whitelisted the current CASB service IPs for my SaaS services (such as Oracle HCM or Salesforce)?

Only if you have whitelisted CASB IP addresses in those services will you need to update the whitelist to the new CASB IP address ranges. Most customers will NOT be impacted by the change.

• Loric US (https://loric.palerra.net)

  Old IP Addresses    NEW IP Address
  52.2.237.43         147.154.100.76
  52.3.87.235
  52.3.108.162
  52.3.205.150
  54.173.172.197

• Loric EU (https://loric-eu.palerra.net)

  Old IP Addresses    NEW IP Address
  52.51.18.195        147.154.158.84
  52.214.65.92

What will be impacted?

CASB event ingestion and processing will be suspended during the migration. After the migration completes, the service will resume operation and process any backlog of data that accumulated during the downtime.

Will my login change?

No. The service URLs will change; however, login data will not change. Most customers are authenticating to CASB via the OCI console. These users should see no changes to login or how to access the service.

If you are currently using bookmarks or direct URLs (not via OCI), you will need to use the following URLs.

Region   Old URL                         New URL
US       https://loric.palerra.net       https://loric.casb.ocp.oraclecloud.com
EU       https://loric-eu.palerra.net    https://loric-eu.casb.ocp.oraclecloud.com

Will the CASB API endpoints change?

Yes, but the current URLs will continue to work with the new data centers as well.

Region   Old URL                             New URL
US       https://api-loric.palerra.net       https://loric.casb.ocp.oraclecloud.com
EU       https://api-loric-eu.palerra.net    https://loric-eu.casb.ocp.oraclecloud.com
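The two whitelisting questions above boil down to one check: does any existing allowlist entry still point at the old CASB addresses or hostnames, and what should it become? The following Python script is an added example, not Oracle's code and not part of this guide. The old-to-new mapping is copied from the tables in this appendix; the function names, the `Finding` record and the sample allowlist are constructed for illustration. It goes slightly beyond the tables in that it also flags a CIDR block that covers an old address but not the new one, since a broad rule such as 52.0.0.0/8 would still block the new 147.154.x.x address after the move, and it treats the old API hostnames as advisory findings because the appendix states those URLs continue to work.

```python
"""Check an allowlist for stale pre-migration CASB addresses and hostnames.

Added example (not Oracle's code): the old -> new mapping is copied from the
tables in this appendix; everything else (function names, the Finding record,
the sample allowlist) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Old and new CASB addresses per region, from the tables above.
OLD_IPS = {
    "US": ["52.2.237.43", "52.3.87.235", "52.3.108.162",
           "52.3.205.150", "54.173.172.197"],
    "EU": ["52.51.18.195", "52.214.65.92"],
}
NEW_IPS = {"US": "147.154.100.76", "EU": "147.154.158.84"}

# Old hostname -> (region, new hostname, update_required).
# UI bookmarks must move to the new URL; the old API URLs keep working,
# so those findings are advisory only (update_required=False).
OLD_HOSTS = {
    "loric.palerra.net": ("US", "loric.casb.ocp.oraclecloud.com", True),
    "loric-eu.palerra.net": ("EU", "loric-eu.casb.ocp.oraclecloud.com", True),
    "api-loric.palerra.net": ("US", "loric.casb.ocp.oraclecloud.com", False),
    "api-loric-eu.palerra.net": ("EU", "loric-eu.casb.ocp.oraclecloud.com", False),
}


@dataclass(frozen=True)
class Finding:
    entry: str        # the allowlist line as written
    region: str       # "US" or "EU"
    replacement: str  # new IP or hostname from the tables
    required: bool    # False when the old value keeps working (API URLs)


def _hostname(entry: str) -> str:
    """Extract a lower-cased hostname from a bare host, host:port, or URL."""
    parsed = urlparse(entry if "://" in entry else "//" + entry)
    return (parsed.hostname or "").lower()


def check_allowlist(entries):
    """Return a Finding for each entry that still points at the old CASB
    environment. A CIDR block is flagged when it covers an old address but
    not the new one, because such a rule would still block the new address."""
    findings = []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None  # not an IP or CIDR; treated as a hostname/URL below
        if net is not None:
            for region, olds in OLD_IPS.items():
                new_addr = ipaddress.ip_address(NEW_IPS[region])
                covers_old = any(ipaddress.ip_address(o) in net for o in olds)
                if covers_old and new_addr not in net:
                    findings.append(Finding(entry, region, NEW_IPS[region], True))
            continue
        host = _hostname(entry)
        if host in OLD_HOSTS:
            region, new_host, required = OLD_HOSTS[host]
            findings.append(Finding(entry, region, new_host, required))
    return findings


def format_report(findings):
    """One line per finding, suitable for pasting into a change ticket."""
    lines = []
    for f in findings:
        action = "replace with" if f.required else "optionally add"
        lines.append(f"{f.entry}: {action} {f.replacement} ({f.region})")
    return lines


# Constructed sample allowlist, not a real customer configuration.
SAMPLE_ALLOWLIST = [
    "# CASB egress allowlist (constructed sample)",
    "52.3.87.235",
    "52.0.0.0/8",
    "147.154.100.76",
    "10.20.0.0/16",
    "https://loric.palerra.net/",
    "api-loric-eu.palerra.net",
]

if __name__ == "__main__":
    for line in format_report(check_allowlist(SAMPLE_ALLOWLIST)):
        print(line)
```

Feed it the exported rules from the SaaS side (Oracle HCM, Salesforce, a firewall) one entry per line; entries that already cover the new address, and entries unrelated to CASB, produce no finding.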

Will there be any impact on the email alerts sent by CASB (such as change of sender or sender IP)?

No. Email alerts will not be affected.

What do I need to do if I do not want my data moved to the new data center?

Customers that do not wish to have their Oracle CASB Cloud Service data reside in the new data center regions may remove (unregister) their application services in Oracle CASB prior to the migration. See Removing an Application Instance.

No option for retaining CASB operations in the current data center regions will be available after migration.


What about my Discovery data?

Discovery data, which includes only summary event information, will not be migrated. After the migration and the service restarts, new data will be handled normally.


E Removal of Incident Management Console and Related Integrations

Learn about the specific functions that will be retired when Incident Management functionality is removed from Oracle CASB Cloud Service.

Overview

There is a pending retirement of the Incident Management console and related integrations. Retirement will occur 60 days after formal announcement. Retirement will include removal of the Incident Management console and related features from the Oracle CASB Cloud Service user interface, specifically listed below.

Customers are expected to shift usage to the Oracle CASB Cloud Service Risk Events API.

List of Features Being Removed

• Incidents console

• Incident Management Provider console

• All existing "Incidents assigned to user"

• ServiceNow ticket integration

• Splunk-native integration

• "Create incident" option in all areas (Risk Events, Discovery, etc.)

• "Auto-create incident for Anomalous Activity risk events"

• "Incident" references from all related consoles (including Overview, Risk Events,Application Details, Reports, etc.)

• All related references to Incidents in the documentation
