Define a CASB Rule

Use the rule editor to define a rule’s settings.

Overview

Whenever you define or edit a rule, you will use the Rule Editor to make the necessary configurations. The rule editor opens any time you: Add a new rule (template or custom), Edit an existing rule, or Duplicate an existing rule.

The rule editor is divided into four different sections of configurations:

  • Name and Description (Required)

  • Applications, Activity Type, and Alert Threshold (Required)

  • Criteria (Required)

  • Response (Optional)

When all four sections of the rule editor are configured properly, click SAVE to deploy the policy.

Only items relevant to your license type will be available in rule configurations.

If you are creating a custom rule, you must configure each section in order to advance through the rule editor. If you are using a rule template or editing an existing rule, you can navigate to any section to make edits because each section is already configured.

This help page provides detailed instructions on how to configure all sections in the rule editor.

1. Name and Description

Rule Name

  1. Enter the rule's Name in the respective text field.

  2. The Name should be unique and allow CASB users to quickly identify and differentiate the rule from other existing rules.

Rule Description

  1. Enter a Description of the rule in the respective text field.

  2. Use the description to provide additional clarification on the rule’s permissions and/or use case.

Click Save to move to the next section.

2. Applications, Activity Type and Alert Threshold

In this section, define which Applications the rule will monitor and the specific Activity type(s) it will detect. You can optionally set an Alert Threshold to only receive alerts when an aggregated number of rule matches occur.

Applications

A single rule can trigger alerts on activities coming from multiple cloud applications. This eliminates the need to add separate rules per individual app.

  1. Define which Applications the rule will monitor by selecting each app's checkbox.

  2. The rule will only monitor the selected connected apps.

Only your connected cloud applications are available for selection. If a cloud application you want to monitor is not shown, you can connect it by navigating to CASB’s Setup > Connected Apps page using the “Add more applications” link.

Define the Activity Type

A rule can either monitor specified user activities or search an event for known threats. A Known Threat is a pre-defined activity, sequence, or set of indicators that often indicates suspicious behavior. The more activities you select in a rule, the broader its scope and the more complex it becomes to administer the rule, apply remediations, modify users, and so on.

Consider creating narrow rules for specific use cases that map only to a small number of activities. This will help you maintain the rules as they fire in your environment.

  1. Select either the Activity or Known Threats radio button.

  2. A dropdown menu of related options will display.

  3. Select item(s) from the dropdown menu.

  4. The rule will monitor your selected items.

Only activities and threats relevant to the rule category and selected apps will display.

You cannot select Activities when Known Threats are defined (and vice versa).

Define the Alert Threshold (Optional)

By default, a rule will trigger an alert each time a matching event occurs.

You can create a rule that triggers only when a high volume of matching activities in the rule’s specified apps is performed by a single user within a defined time period.

Example use case: Create a rule that detects when a user is performing massive file downloads or deletions in a short time period.

The intention for a volume rule is to detect instances of atypical user behavior. If you want to remediate on single user activities, you will need to define an additional rule with remediation actions.

If the total number of matching activities exceeds the number defined in the rule, only one alert fires during the chosen timeframe.

  1. Define the alert threshold for the rule.

  • Choose the number of instances/events (Minimum 5, Maximum 500)

  • Choose the time period (Minimum 5 minutes, Maximum of 24 hours)

When a rule with a defined alert threshold is created or updated, the system starts counting alerts after the rule is saved.

To view all associated activity matches (instances) and/or resources that caused the rule to trigger, we recommend the following: In Analytics, open the Alert’s Side Panel > Summary Tab > Origin Card > and click the Open Timeline link. This will show a list of all events for that user in the time period.

Click Save to move to the next section.

3. Criteria

This section provides information on using the rule editor in Simple mode. If you need to create conditions using advanced AND/OR logic, you can switch the Criteria section into Advanced Mode.

Define the criteria the rule uses to determine whether it matches an event.

Context conditions are required, and you must specify all three: User, Device, and Source and IP Address.

Attributes are optional; they are additional conditions you can use to further limit a rule’s scope.

How to Define Criteria - General Steps

Hover your cursor over any criteria item to access its edit controls, then define match criteria using the intuitive Add, Edit, Save, and Delete controls provided.

For each criteria item, you must specify "IS" or "IS NOT."

Click the checkmark to save a defined criteria item.

A rule will only fire when there is a match in each required context condition and each defined attribute. Only ONE matching condition within a specified Context field and Attribute is needed for the system to determine the rule is a match.

Context

The Context subsection lists the three mandatory fields that must be defined in order for a rule to be valid: Users, Device, and Source and IP Address.

When adding a new rule from scratch, each Context field is configured to “match all” by default.

You can edit the Context fields or add additional conditions within a Context field to define a rule that is more limited in scope. Use the Add, Edit, and Delete Context controls for each listed Context field condition to make and save modifications.

For example, you can define an Access rule with the condition it will only match with individuals in the “Finance” user group who are also classified as a Very Attacked Person (VAP). To do this, define the following in the User section:

  • Group > IS > “Finance”

  • Click the + button to add a second User condition

  • User Type > IS > VAP

The rule will now only match with users who are both in the “Finance” group and who are VAPs.

NOTE: When 2 or more conditions are added to a Context field, the system needs to only find a match within ONE.

Because they are required settings, you cannot delete or remove a Context field or set its value to zero. If no value is specified, the system reverts to the “match all” condition.

A rule only triggers when at least one condition within each listed Context field matches.

Define Context - User

You can match all users (default setting) or include/exclude based on Users, Groups, and/or User Types.

  1. Select one - User, Group, or User Type

  2. Select operator - Is or Is Not

  3. Select desired items from the drop down menu

  4. Click the Checkmark icon to save your edits

Define Context - Device

You can match all devices or include/exclude specified User Agents.

  1. Select one – Device Type

  2. Select operator - Is or Is Not

  3. Enter value to specify the User Agent string

  4. Click the Checkmark icon to save your edits

Filter by complete or partial User Agent strings (case sensitive).

To filter by more than one User Agent, you can switch to Advanced Mode to specify OR conditions for User Agent.

Define Context - Source and IP Address

You can match all or include/exclude based on Locations, Networks, and/or IP Reputations.

Location: Lists of countries meaningful to your organization will display. (See Setup > Locations.)

Network: Lists of networks meaningful to your organization will display. (See Setup > Networks.)

IP Reputation: Proxy, VPN, Data Center Hosting, Tor.

  1. Select one – Locations, Network, or IP Reputation

  2. Select operator - Is or Is Not

  3. Select desired items from the drop down menu

  4. Click the Checkmark icon to save your edits

Attributes

The Attributes subsection (optional) allows you to add attribute conditions that further specialize a rule.

  • Add attribute conditions using the + Attribute condition button.

  • Hover over a saved condition to access controls for edit and delete.

  • Each attribute condition that you define further refines the rule.

  • Only attributes relevant to the rule you are defining are provided for selection.

  • A rule only triggers when there is at least one match within each specified attribute condition.

For example, if you are defining a Data rule that governs file sharing activity, you can make the rule match only when the event’s Share Level is one of these available attribute conditions: Externally Owned, Public, External, All Domain, Internal, Private, Unknown.

Example: Using Rule Attributes

Here is an example of how you can tailor a rule to match with an even more limited use case:

If you are creating an Access rule that monitors logins, you can modify it so it only fires for logins made by users who are also Global/Super Admins.

To do this, define the following in the Criteria > Attributes section:

  • Click + Add attribute condition

  • User Type > IS > Global/Super Admin

The rule will now only match when the User is also a Global/Super Admin.

How Do Attributes Affect When a Rule Triggers?

A rule only triggers when all rule attributes that pertain to the specified connected cloud application are a match.

This is because a rule can reference one or more connected cloud applications, however, the attributes defined in a rule do not need to apply to all cloud applications covered by the rule.

To understand how the system determines if a rule will trigger, keep in mind:

  • The system will only evaluate rule attributes that pertain to a connected cloud application

  • If a rule attribute does not pertain to a connected cloud application, the system will ignore the attribute

For example: Consider an access rule that is configured for several applications, including Box. This access rule includes a "device: user agent" context condition. Since Box's public API security events do not include user agent information, the system will ignore the "device: user agent" attribute when evaluating Box events. Instead, Box login events will trigger the rule if they match with all context conditions/attributes that pertain to Box in the rule.
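The matching logic this section describes (a single matching condition suffices within a Context field, all three Context fields and every attribute condition must match, and conditions on fields an app's events never carry are ignored) can be simulated in a few dozen lines. The following Python is an added example written for this page, not the product's code: the field lists in APP_FIELDS, the event layout, the Rule and Condition classes and the sample login events are all constructed assumptions, grounded only in the text's statement that Box public API security events carry no user agent information.

```python
from dataclasses import dataclass, field as dc_field

# Event fields each connected app supplies. Constructed for this example; the text
# only states that Box public-API security events lack user-agent information.
APP_FIELDS = {
    "Office 365": {"user", "group", "user_type", "user_agent",
                   "location", "network", "ip_reputation"},
    "Box": {"user", "group", "user_type", "location", "network", "ip_reputation"},
}

# The three mandatory Context fields; an empty condition list means "match all".
CONTEXT_FIELDS = ("User", "Device", "Source and IP Address")


@dataclass(frozen=True)
class Condition:
    key: str               # event field, e.g. "group", "user_type", "user_agent"
    operator: str          # "IS" or "IS NOT"
    values: frozenset      # dropdown selections (any one matches), or user-agent strings
    partial: bool = False  # user agent: complete or partial string, case sensitive

    def evaluate(self, event):
        actual = event.get(self.key)
        if actual is None:
            hit = False
        elif self.partial:
            hit = any(v in actual for v in self.values)   # substring, case sensitive
        else:
            actual = set(actual) if isinstance(actual, (list, tuple, set, frozenset)) else {actual}
            hit = bool(actual & self.values)
        return hit if self.operator == "IS" else not hit


@dataclass
class Rule:
    apps: frozenset                                     # connected apps the rule monitors
    context: dict                                       # Context field -> list[Condition]
    attributes: list = dc_field(default_factory=list)   # one Condition per attribute


def pertains(cond, app):
    """A condition on a field the app's events never carry is ignored for that app."""
    return cond.key in APP_FIELDS[app]


def context_field_matches(conditions, event):
    """OR within one Context field: a single matching condition is enough."""
    relevant = [c for c in conditions if pertains(c, event["app"])]
    return True if not relevant else any(c.evaluate(event) for c in relevant)


def rule_matches(rule, event):
    app = event["app"]
    if app not in rule.apps:
        return False
    # AND across the three mandatory Context fields ...
    if not all(context_field_matches(rule.context.get(f, []), event) for f in CONTEXT_FIELDS):
        return False
    # ... and AND across every attribute condition that pertains to this app.
    return all(c.evaluate(event) for c in rule.attributes if pertains(c, app))


def example_rule():
    """Access rule: Finance or Legal users, Chrome browsers, not via Tor, Global/Super Admins only."""
    return Rule(
        apps=frozenset({"Office 365", "Box"}),
        context={
            "User": [Condition("group", "IS", frozenset({"Finance", "Legal"}))],
            "Device": [Condition("user_agent", "IS", frozenset({"Chrome/"}), partial=True)],
            "Source and IP Address": [Condition("ip_reputation", "IS NOT", frozenset({"Tor"}))],
        },
        attributes=[Condition("user_type", "IS", frozenset({"Global/Super Admin"}))],
    )


# Constructed login events, not real telemetry.
EVENTS = {
    "o365_admin_chrome": {"app": "Office 365", "group": ["Finance"], "user_type": ["VAP", "Global/Super Admin"],
                          "user_agent": "Mozilla/5.0 Chrome/120.0", "ip_reputation": []},
    "o365_admin_safari": {"app": "Office 365", "group": ["Finance"], "user_type": ["Global/Super Admin"],
                          "user_agent": "Mozilla/5.0 Safari/605.1", "ip_reputation": []},
    "o365_vap_only": {"app": "Office 365", "group": ["Legal"], "user_type": ["VAP"],
                      "user_agent": "Mozilla/5.0 Chrome/120.0", "ip_reputation": []},
    "o365_admin_tor": {"app": "Office 365", "group": ["Finance"], "user_type": ["Global/Super Admin"],
                       "user_agent": "Mozilla/5.0 Chrome/120.0", "ip_reputation": ["Tor"]},
    # Box event has no user agent, so the Device condition is ignored for it.
    "box_admin_no_ua": {"app": "Box", "group": ["Finance"], "user_type": ["Global/Super Admin"],
                        "ip_reputation": []},
    "unmonitored_app": {"app": "Salesforce", "group": ["Finance"], "user_type": ["Global/Super Admin"]},
}


def evaluate_all(rule=None):
    """Evaluate every sample event against the rule; returns name -> matched."""
    rule = rule or example_rule()
    return {name: rule_matches(rule, ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, matched in evaluate_all().items():
        print(f"{name:20s} {'MATCH' if matched else 'no match'}")
```

The Box event matches even though the rule carries a user agent condition, which is the behaviour the paragraph above describes; the Safari event fails only on the Device field, and the VAP-only event passes all three Context fields but fails the attribute condition.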

Add Attribute Conditions (Optional)

  1. Click Add attribute condition

  2. Select an item

  3. Select operator - Is or Is Not

  4. Select desired items from the drop down menu

  5. Click the Checkmark icon to save your edits

Click Save to move to the next section.

4. Response

Define what happens if a rule triggers.

  • Alert Settings are required.

  • Optionally, you can set the rule to perform automatic Remediation Actions and deliver email Notifications whenever the rule triggers.

Alert Settings

The Alert Settings subsection is where you define the types of alerts the system generates in the Analytics app when the rule fires. The Analytics app provides comprehensive information for each event detected in your connected app environments.

Customize rule alerts to aid your security analysts in conducting security investigations and incident triage.

Define Alert Severity

  1. Select the Alert Severity: Critical, High, Medium, or Low.

Alerts for this rule will display as the selected severity in the Analytics app.

Define Advanced Alert Settings (Optional)

The advanced settings option allows you to enable/disable Alert Focus Mode.

When enabled, alerts are ONLY generated for events that introduce new violations. This allows your teams to focus on alerts that may pose a threat or indicate a security violation. Enabled is the recommended setting and all added rules have Alert Focus Mode enabled by default.

When disabled, the system generates alerts for all events, even if the event does not introduce a new violation.

How Alert Focus Mode operates differently for access alerts vs. data alerts

  • For access rules - the system alerts only once within 15 minutes for exact rule matches

  • For data rules - the system alerts only once within 6 hours for exact rule matches
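Two settings on this page throttle how many alerts a rule produces: the Alert Threshold in section 2 (one alert per user per time period once the count of matches exceeds the configured number, counting from when the rule is saved) and Alert Focus Mode here (one alert per exact rule match within 15 minutes for access rules or 6 hours for data rules). The Python below is an added example covering both passages; it is not the product's code. It assumes "exceeds" means strictly more than the configured count, that the Focus Mode window starts at the first alert for a match, and that an "exact rule match" can be represented by a constructed key of rule, user and matched values; the timestamps and user names are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Limits stated in the text for the Alert Threshold.
THRESHOLD_COUNT_RANGE = (5, 500)
THRESHOLD_PERIOD_RANGE = (timedelta(minutes=5), timedelta(hours=24))
# Alert Focus Mode windows stated in the text.
FOCUS_WINDOW = {"access": timedelta(minutes=15), "data": timedelta(hours=6)}


class ThresholdAlerter:
    """Volume rule: one alert per user when more than `count` matches occur within `period`."""

    def __init__(self, count, period, rule_saved_at):
        lo, hi = THRESHOLD_COUNT_RANGE
        if not lo <= count <= hi:
            raise ValueError(f"instances must be between {lo} and {hi}")
        lo, hi = THRESHOLD_PERIOD_RANGE
        if not lo <= period <= hi:
            raise ValueError("time period must be between 5 minutes and 24 hours")
        self.count, self.period, self.saved_at = count, period, rule_saved_at
        self.window = defaultdict(deque)   # user -> timestamps of matches inside the period
        self.last_alert = {}               # user -> time the last threshold alert fired

    def observe(self, user, ts):
        """Record one rule match; return True if a threshold alert should fire now."""
        if ts < self.saved_at:
            return False                   # counting starts only after the rule is saved
        matches = self.window[user]
        matches.append(ts)
        while matches and ts - matches[0] > self.period:
            matches.popleft()              # drop matches that fell out of the period
        if len(matches) <= self.count:
            return False                   # assumption: "exceeds" means strictly greater
        last = self.last_alert.get(user)
        if last is not None and ts - last < self.period:
            return False                   # only one alert per timeframe
        self.last_alert[user] = ts
        return True


class FocusModeFilter:
    """Alert Focus Mode: suppress repeat alerts for an exact rule match inside the window."""

    def __init__(self, rule_kind, enabled=True):
        self.window = FOCUS_WINDOW[rule_kind]
        self.enabled = enabled
        self.first_alert = {}              # match key -> time the current window opened

    def should_alert(self, match_key, ts):
        if not self.enabled:
            return True                    # disabled: every matching event alerts
        opened = self.first_alert.get(match_key)
        if opened is not None and ts - opened < self.window:
            return False                   # same exact match, still inside the window
        self.first_alert[match_key] = ts
        return True


def simulate_bulk_download(count=5, period=timedelta(minutes=5)):
    """Constructed scenario: alice downloads 8 files in under 3 minutes, bob downloads 3."""
    t0 = datetime(2024, 1, 1, 9, 0)        # constructed: rule saved at 09:00
    alerter = ThresholdAlerter(count, period, rule_saved_at=t0)
    fired = []
    if alerter.observe("alice", t0 - timedelta(minutes=1)):
        fired.append(("alice", "before-save"))      # ignored: precedes rule save
    for i in range(8):
        if alerter.observe("alice", t0 + timedelta(seconds=20 * i)):
            fired.append(("alice", i))
    for i in range(3):
        if alerter.observe("bob", t0 + timedelta(seconds=30 * i)):
            fired.append(("bob", i))
    return fired


def simulate_focus_mode(enabled=True):
    """Same exact access-rule match seen at 0, 5, 14, 16 and 40 minutes (constructed)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    filt = FocusModeFilter("access", enabled)
    key = ("rule-example", "alice", "login via Tor")   # constructed match key
    return [filt.should_alert(key, t0 + timedelta(minutes=m)) for m in (0, 5, 14, 16, 40)]


if __name__ == "__main__":
    print("threshold alerts:", simulate_bulk_download())
    print("focus mode on:   ", simulate_focus_mode(True))
    print("focus mode off:  ", simulate_focus_mode(False))
```

With the defaults, alice trips the threshold on her sixth download and produces exactly one alert in the period, bob never reaches it, and the Focus Mode filter lets the first match through, suppresses the two inside the 15-minute window, and alerts again once the window has elapsed.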

Remediation Actions

For some rules, the Remediations subsection allows you to specify if a rule should perform automatic remediations to help prevent, mitigate, or reverse a security or data violation if the rule triggers.

Automatic remediations can help reduce attacker dwell time because the protections you need are enforced at the time of the event.

Only remediation actions relevant to both the rule and the connected app you are defining will display for selection. “No Options” means the rule does not support automatic remediations for the cloud app.

For example, an Access Rule that monitors for suspicious logins in your Office 365 environment can be configured to automatically perform some or all of the following remediations when the rule triggers:

  • Suspend User

  • Revoke Session

  • Force Password Change

Define Remediation Actions (Optional)

  1. For each cloud application specified in the rule, click on the drop down menu.

  2. Select all desired remediation actions.

Define MIP Labeling (for Office 365)

Some Data rules designed to monitor your Office 365 app will allow you to specify the MIP Label.

MIP labels are also referred to as sensitivity labels. Like Data Loss Prevention (DLP), sensitivity labels allow organizations to classify, track, and protect sensitive information. Organizations create and configure MIP labels in their Microsoft tenants.

For complete details on this feature, visit the MIP Labeling page.

Only MIP Labels configured in your Office 365 service will display for selection.

  1. Click on the MIP Label drop down menu.

  2. Select the desired MIP Label actions.

  3. Enable or disable the “Overwrite existing MIP labels” feature.

Notifications

The notifications subsection allows you to send notifications when a rule triggers.

Once you select Platform Notifications, the CASB Notifications option is removed.

Platform Notifications (Recommended)

Platform Notifications let you send email or webhook notifications when an alert is triggered.

Platform notifications are set up in the Administration app (Integrations > Notification Policies). For details about how to set up a notification, see Using Customized Email Notifications for Rules.

For suggested CASB email templates, see Applying Notification Policies for CASB.

From the Notification Policy dropdown, select the notification you want to use.

With the platform notification policies you can:

  • Customize your notification with any alert field

  • Customize the text, its format and also include images

  • Set static or dynamic recipients

  • Send email or webhook notifications

CASB Notifications (legacy)

CASB Notifications are to be deprecated. It is highly recommended that you use the platform notifications.

A standard notification email template is used. You can select Admin Notifications or End User Notifications.

Admin Notifications

To define which administrators get notifications, edit the Alert Email Recipients list on the Setup > Admin Notifications Recipients page.

  1. In the Admin Notifications section, click Enable.

  2. Select the desired notification policies.

End User Notifications

The email of the end user associated with the activity that triggered the rule will receive the notification.

  1. In the End User Notifications section, click Enable.

  2. Select the desired notification policies.