Rule Editor

Rules in the CASB app monitor and protect your cloud applications.

Policies

The Policy section of Proofpoint CASB enables you to define criteria for identifying problematic activity, effectively curating the vast quantity of cloud activity within your organization into a more manageable collection of potentially suspicious events. Each cloud service’s policy is made up of rules that evaluate events within your organization against a set of criteria and trigger a response for matching events.

Rule Types

There are four types of rules that you can define in the CASB app:

  • Access Rules are the first line of defense in protecting against cloud account takeover. They can detect, alert, and remediate on login activity made to cloud applications.

  • Data Rules help prevent unwanted or unauthorized data sharing. They can detect, alert, and remediate on file activity in your cloud applications, such as anomalous file activity, which may indicate an insider threat.

  • App Governance Rules help prevent threat actors from accessing your environment by leveraging malicious, abused, or vulnerable apps. They can detect, alert, and remediate

  • Configuration and Security Posture Rules monitor your cloud app and cloud email configurations.

Together, these rules form the Detection and Remediation Policies for your connected cloud applications. Each rule is designed to detect specific suspicious activity. When an event occurs that matches a rule’s criteria, the rule triggers its alert, notifications, and remediations.

For information about Adaptive Access Control (AAC), see:

Rule Configuration

You can configure a rule to do the following:

  • Match with an Event – These define which events the rule applies to. For example, you can configure an Access | Login rule to fire only if the login is from a Tor address.

  • Generate an Alert – Whenever a rule is triggered, the system can automatically generate an activity alert in the Analytics app, where comprehensive information about each cloud app event is provided. Alerts can be customized to aid your security analysts in conducting security investigations and incident triage.

  • Send Email Notifications (Optional) – Each rule can be configured to issue an email notification to your specified individuals whenever an alert is generated.

  • Perform Automatic Remediations (Optional) – Rules can perform automatic remediations, which are defensive responses to suspicious events. For example, we recommend that you configure a suspicious login rule to automatically Suspend User and Force Password Change if the login is successful. Available remediations vary by cloud service, the type of suspicious event, and system configuration.

When Does a Rule Fire?

CASB can only monitor events on connected cloud applications. When an event occurs, CASB collects the event details and then performs a prioritized evaluation (from top to bottom) of the rule category related to the event type. All matching rules fire in priority order until the system enforces a matching rule that has a defined remediation action; evaluation stops at that rule.

In order for a rule to both match and trigger, each of the following must be true:

  1. The rule is operational (its Rule status is enabled).

  2. The rule monitors the Application where the event took place.

  3. The rule monitors the same Activity type as the event.

  4. The event details match all Criteria Conditions defined in the rule.

Best Practices

Proofpoint provides best practices for configuring a universally useful policy. For detailed configuration information, see Configuring Policies According to Best Practices.

The CASB app provides pre-configured rule templates that make it easy for you to deploy all recommended policies. If necessary, you can edit each rule template to meet the unique needs of your organization.

Important Notes

  • Rules may generate an alert for a matching event. Your security teams can review and triage alerts in the dedicated Analytics application. Optional rule configurations can direct the system to deliver notifications and perform automatic remediations for matching events.

  • Remediation actions and notifications should only be applied following thorough testing in your environment.

  • We recommend that rules first be implemented without remediations or notifications for a period of time. This allows you to verify that the rules are properly configured.

  • The order of the rules in the policy impacts which events trigger which remediations or access controls. Proofpoint CASB evaluates rules from top to bottom. Rule evaluation stops once a rule with a remediation is matched. For important details about this behavior, see the Change Rule Priority section in Managing Rules.
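The evaluation order described in When Does a Rule Fire? and in the priority note above, simulated here as an added illustration. This is not Proofpoint code: the Event and Rule structures, their field names, and the sample Office 365 login rules are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
# Constructed data model for this illustration; the field names are not the CASB schema.
@dataclass
class Event:
    app: str        # connected cloud application where the event occurred
    activity: str   # activity type, e.g. "Login"
    details: dict   # event attributes that rule criteria are checked against

@dataclass
class Rule:
    name: str
    apps: set                                     # applications the rule monitors
    activity: str                                 # activity type the rule monitors
    criteria: dict = field(default_factory=dict)  # every condition must match
    remediation: str | None = None                # e.g. "Suspend User"; None = alert only
    enabled: bool = True                          # rule status

def rule_matches(rule: Rule, event: Event) -> bool:
    """The four conditions from 'When Does a Rule Fire?': enabled, app, activity, all criteria."""
    return (rule.enabled
            and event.app in rule.apps
            and rule.activity == event.activity
            and all(event.details.get(k) == v for k, v in rule.criteria.items()))

def evaluate(policy: list[Rule], event: Event) -> list[tuple[str, str | None]]:
    """Top-to-bottom evaluation: each matching rule fires (alerts), and evaluation
    stops at the first matching rule that carries a remediation."""
    fired = []
    for rule in policy:  # list order is rule priority
        if not rule_matches(rule, event):
            continue
        fired.append((rule.name, rule.remediation))
        if rule.remediation is not None:
            break
    return fired

# Constructed sample policy for Office 365 logins, in priority order.
POLICY = [
    Rule("Legacy Tor rule", {"Office 365"}, "Login", {"tor": True}, "Suspend User", enabled=False),
    Rule("Tor login (alert only)", {"Office 365"}, "Login", {"tor": True}),
    Rule("Successful Tor login", {"Office 365"}, "Login", {"tor": True, "success": True},
         "Suspend User, Force Password Change"),
    Rule("Any login (audit alert)", {"Office 365"}, "Login"),
]
if __name__ == "__main__":
    ok = Event("Office 365", "Login", {"tor": True, "success": True})
    print(evaluate(POLICY, ok))  # rules 2 and 3 fire; rule 3 remediates, so rule 4 is never evaluated
    print(evaluate(POLICY, Event("Office 365", "Login", {"tor": True, "success": False})))  # rules 2 and 4
    print(evaluate([POLICY[2], POLICY[1]], ok))  # remediating rule moved to the top: alert-only rule never fires
```

Swapping the second and third rules shows why rule order matters: once the remediating rule sits above the alert-only rule, the alert-only rule no longer fires for the same event.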

Related Topics:

To learn how to use all administration controls related to CASB rules, visit these pages:

Managing Rules

Define a CASB Rule

Advanced Mode