Understanding How Cloud Events are Mapped in Analytics
This topic describes some of the differences in terminology between the CASB application and the Information and Cloud Security Platform's dedicated Analytics app.
Because the Information and Cloud Security Platform hosts not only cloud activity but also ITM, endpoint DLP and email DLP, with more information protection channels to come, it needs terminology that applies equally to all of these channels.
CASB Alert Tagging in Analytics
When you view CASB alerts in Analytics, each alert carries predefined tags.
The mapping from CASB rule type to Analytics predefined tag is as follows:
- Access Rule -> Suspicious Login tag
- Data Rule -> Data Leakage tag
- App Governance -> Suspicious Activity tag
- Configuration & Security Posture Rule -> Suspicious Activity tag
Common/Frequently Used Cloud Event Attribute Names in Analytics
Legacy Attribute Name | Platform Page Attribute Name | Platform Section Name in Details Tab | Value Example | Comment |
---|---|---|---|---|
Access Control | Enforcement Action | Processing | Allow with MFA | |
Alert Name | Rule Name | Alert | Data | Content Download | Currently only shows cloud Data Leakage alerts |
Application name (previously - Sign-in App) | Authentication App Name | Session | Office 365 Exchange Online | Application a user was signing into via the IDP (Okta or Azure) |
Client App Type | Client/3PA Type | Client / 3PA | web | Type of 3PA which did the event (actor) |
Cloud Service | Name | Entity / Application | Office 365 | |
Event type (field) | Primary Category | Activity | File Modify Extend | A specific and granular event type, usually as received from the cloud service |
Event type (filter) | Action Family | Activity | Change | |
Failure Reason | Action Status Message | Activity | UserStrongAuthClientAuthNRequired | Non indexed attribute (not available for filtering / grouping) |
Location | Geo Address Country Name | Access Source | United States of America | |
Network | Host Network Name | Access Source | | |
Performed by App | Client Name | Client / 3PA | SharePoint notification service | |
Resource | Action Object Type | Activity | Storage File-or-Folder | |
Target App Type | API Resource Type | Activity | tenant wide | Type of 3PA on which the event took place, including Malicious type |
(none) | Tenant Alias | Feed | (customer CASB tenant name) | Allows customers with more than one CASB tenant to filter by tenant |
(none) | Classification Labels Name | File / Resources | Credit Card Information with Terms | Indicates what type of sensitive data the file contains based on matching DLP detector set(s) and also provides label / classification information |
(none) | Resource Insights | Activity | External Share | Indicates the nature of the activity |
(none) | Resource Type | Activity | Sharing link with expiration | Specifies the resource involved in the activity |
(none) | Resource Relation Object Identifiers | Activity | user@gmail.com | Indicates the entity identifiers associated with the resource involved in the activity |
(none) | Resource Relation Labels | Activity | gmail.com | Indicates the entity labels (e.g. domain, name, etc.) associated with the resource involved in the activity |
(none) | Resource Attributes | Activity | permission:reader | Raw attributes from the API associated with the activity |
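The following is an added example (not Proofpoint code) of how a detection engineer might use the two mappings above when migrating saved CASB filters and exported alerts to Analytics terms. The rule-type-to-tag mapping and the legacy-to-platform attribute names are taken from this page; the flat dict layout of a legacy record, the filter format (legacy field name -> required value), and the function names are assumptions made for illustration. It also enforces the caveat from the table that Action Status Message is not indexed and so cannot be used for filtering or grouping.

```python
"""Translate legacy CASB alert records and filters into Analytics terms.

Added example, not Proofpoint code. Field names come from the mapping table
on this page; the record layout (flat dict keyed by legacy column name) and
the filter format (legacy field -> required value) are assumptions.
"""
from __future__ import annotations

# Legacy CASB rule type -> predefined Analytics tag (from this page)
RULE_TYPE_TAGS = {
    "Access Rule": "Suspicious Login",
    "Data Rule": "Data Leakage",
    "App Governance": "Suspicious Activity",
    "Configuration & Security Posture Rule": "Suspicious Activity",
}

# Legacy attribute name -> (Analytics attribute name, Details-tab section)
ATTRIBUTE_MAP = {
    "Access Control": ("Enforcement Action", "Processing"),
    "Alert Name": ("Rule Name", "Alert"),
    "Application name": ("Authentication App Name", "Session"),
    "Sign-in App": ("Authentication App Name", "Session"),  # older legacy name
    "Client App Type": ("Client/3PA Type", "Client / 3PA"),
    "Cloud Service": ("Name", "Entity / Application"),
    "Event type (field)": ("Primary Category", "Activity"),
    "Event type (filter)": ("Action Family", "Activity"),
    "Failure Reason": ("Action Status Message", "Activity"),
    "Location": ("Geo Address Country Name", "Access Source"),
    "Network": ("Host Network Name", "Access Source"),
    "Performed by App": ("Client Name", "Client / 3PA"),
    "Resource": ("Action Object Type", "Activity"),
    "Target App Type": ("API Resource Type", "Activity"),
}

# Attributes the page marks as non-indexed (no filtering / grouping)
NON_INDEXED = {"Action Status Message"}

# Constructed sample of a legacy CASB alert export (values from the table)
SAMPLE_LEGACY_ALERT = {
    "Alert Name": "Content Download",
    "Cloud Service": "Office 365",
    "Event type (field)": "File Modify Extend",
    "Event type (filter)": "Change",
    "Access Control": "Allow with MFA",
    "Resource": "Storage File-or-Folder",
    "Failure Reason": "UserStrongAuthClientAuthNRequired",
}


def tag_for_rule(rule_type: str) -> str:
    """Return the predefined Analytics tag for a CASB rule type."""
    try:
        return RULE_TYPE_TAGS[rule_type]
    except KeyError:
        raise ValueError(f"unknown CASB rule type: {rule_type!r}") from None


def translate_record(legacy: dict[str, str]) -> dict[str, dict[str, str]]:
    """Rename legacy columns to Analytics names, grouped by Details-tab section.

    Legacy names not in the table are kept under an 'Unmapped' section so
    nothing is silently dropped during migration.
    """
    out: dict[str, dict[str, str]] = {}
    for legacy_name, value in legacy.items():
        new_name, section = ATTRIBUTE_MAP.get(legacy_name, (legacy_name, "Unmapped"))
        out.setdefault(section, {})[new_name] = value
    return out


def translate_filter(legacy_filter: dict[str, str]) -> dict[str, str]:
    """Rewrite a legacy filter to Analytics field names.

    Raises ValueError if the rewritten filter would rely on a non-indexed
    attribute, which Analytics cannot filter or group on.
    """
    translated: dict[str, str] = {}
    for legacy_name, value in legacy_filter.items():
        new_name = ATTRIBUTE_MAP.get(legacy_name, (legacy_name,))[0]
        if new_name in NON_INDEXED:
            raise ValueError(
                f"{legacy_name!r} maps to non-indexed {new_name!r}; it cannot be filtered on"
            )
        translated[new_name] = value
    return translated


if __name__ == "__main__":
    print(tag_for_rule("Data Rule"))
    for section, fields in translate_record(SAMPLE_LEGACY_ALERT).items():
        print(section, fields)
    print(translate_filter({"Cloud Service": "Office 365", "Event type (filter)": "Change"}))
```

The filter check is the part worth keeping when migrating detections: a legacy rule that keyed on Failure Reason (for example to catch repeated MFA challenges) has no direct equivalent in Analytics, because its counterpart Action Status Message is visible on the event but not indexed.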
Key Examples
Cloud Service -> Entity/Application Name
The legacy CASB Activities, Alerts, and Files pages use the term 'Cloud Service' to designate the cloud application being monitored, that is, a CASB-sanctioned application.
In the Analytics Explorations page, this is now called the Entity/Application Name, and it appears in the Activity Summary column and in the Summary panel.
Event Types -> Primary Category and Action Families
The legacy CASB Activity page featured both a column and a filter called 'Event Types' that showed groups, or families, of events. For example, the Change event type covered different kinds of changes such as File/Folder Rename, File Modify, or User Update; these specific types all come under the general 'Change' family.
In the Analytics Explorations page, these specific types are translated into primary categories, which are in turn grouped into families. There are several levels of families.
The first column in the grid displays the category information. The bolded text is the primary category, that is, the specific type of event that took place (for example 'File/Folder Add'). Below the primary category are the lowest-level family ('File/Folder Create') and the type of object ('Storage File/Folder'), which CASB called the resource.
The primary categories correspond to the specific events that appeared in the event type column of the legacy CASB Activities page: file rename, file update, and so on.
Resource Types -> Objects
The legacy CASB used the term 'resource type' to designate the object on which an event took place, such as a file, a third-party application, or a user. In the Analytics Explorations page, these are called 'object types'.