Creating a Policy

Understand the general procedure for creating a custom policy to generate an alert.

Note:

The steps in this topic create a completely new custom policy. You can also create a new custom policy by copying an existing custom, predefined, or managed policy that is similar, and then just making a few changes. See:

For any application (for example, Box or AWS) or an application instance, you can create a policy that causes Oracle CASB Cloud Service to issue alerts. A policy consist of these components:

  • Actions that users or administrators perform (for example, creating or deleting).

  • Resources that these users act upon (for example, files, folders, or EC2 instances).

  • Optionally, you can identify additional filters such as people or groups who perform the action, the IP address of the actor, and the recipient of the action (for actions such as sharing and collaboration).

  • You can also add instructions for the person who reads the alert. For example, if you create an alert related to deleting access control lists, then you can add instructions to inform the group that is responsible for managing the access control lists.

  • You can set up email notifications when the alert is triggered. This supplements the ability of users to request notifications for all high-risk events through Setting Your Preferences.

Alerts appear in Risk Events. Oracle CASB Cloud Service can also send email notifications for an alert.

Note:

Unlike other automatically detected risks types, a policy alert doesn't automatically generate a ticket in the Incidents section of the console. However, you can create a ticket manually.
  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

  2. Click the Custom tab.

    Note:

    You can’t create managed policies.

  3. Click New Policy.

  4. In the Name page:
    1. Enter a name for the policy.

      Policy names can only contain the characters a-z, A-Z, 0-9, underscore (_), space ( ) and dash (-). Oracle CASB Cloud Service automatically removes any characters that can't be used in a policy name.

    2. (Optional) Enter a description.

    3. Select a Priority.

    4. If you want policy violations to included in user risk score computations, select Include in user risk score.

    5. If you want <fill_in_the_blank>, select Data Protection.

    6. Click Next.

    Note:

    As you complete each page in the policy wizard, the highlight moves through the numbered tasks at the top. Before you complete a task, the icon displays a number Image of the Policy wizard task icon displaying a number..

    After a task is completed, a check mark icon Image of the Policy wizard task icon displaying a check mark, indicating that the task has been completed. replaces the task number.

    Use the Next and Previous buttons at the bottom to move through the tasks in sequence. You can also click a check mark icon to go directly to that task.  

  5. In the Resource page, provide the following information, and then click Next.  

    Field Description

    Application type

    The application type to be monitored

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Select the resource for the application type and instance. Different application types have different resources that you can monitor. For example, an EC2 instance in AWS or a file in Box. 

    Resource name or tag

    A filter to identify particular instances of the resource type. For example, for a resource type of File, you can enter a full or partial file name, or a tag name.

    The Tag option is only available for the application types that support tags: AWS, Box, and ServiceNow. 

    Select Text or Regular expression, and then enter all or part of the name. If you're entering only part of the name, select ContainsBegins with, or Ends with to specify the part of the name entered. 

    If you choose Resource name 

    In the Resource name section, you can filter the resource in one of two ways:

    • The Text option lets you enter the exact name (Equal to) or part of the name (ContainsBegins with, or Ends with). For example, to match all Box folders that begin with "Finance," you select Begins with and then enter Finance in the text entry field.

    • Regular expression can be an efficient way to match multiple names. You enter type .* to match everything. However, this can generate too many alerts.

      Note:

      For AWS resources that use IDs instead of names (for example, VPCs, VPNs, routes, and subnets), use the resource ID as the name.

    If you choose Tag

    Enter a tag name as follows:

    • For Box or ServiceNow, enter the tag name. Example: For a ServiceNow database incident with the tag "Escalate," enter escalate in the text field.

    • For AWS, enter an AWS EC2 instance tag key. (Although you specify the tag as a key/value pair in AWS, you only specify the key on the Resource page.)

    Note:

    Don't use the Tag option with a Delete action. This is because the tag is deleted along with the resource, and there are no log entries.

    Action on this resource

    An action that someone takes on the resource (for example, if the application instance is Salesforce, and the resource type is Profile, then you can select the action Assign).

    For a policy to be useful, it shouldn't generate too many alerts.  If you select a frequently performed action (for example, viewing a resource), then this can generate many alerts, so specify additional filters in the next pages of the policy wizard as described in the following steps.

    If you select Any, this may produce more alerts than is practical. You can reduce the number of alerts by setting filters in later pages of this wizard.

  6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

    Exception: If the resource action is Login, you identify the user who is logging in in the previous step (the Resources page) and skip this step.   

  7. (Optional) On the Conditions page, specify conditions to limit when the alert is triggered. Use either one or both of these options, and then click Next.

    You can specify a condition using either of these types of conditions multiple times, and you can specify either type of condition in any order, freely mixing the two types.

    Note:

    When you specify multiple conditions, the conditions operate independently. Each condition causes the alert to either be triggered (Equal To operator), or not be triggered (Not Equal to operator), for that specific condition. The AND and the OR operators are not applied to conditions.
    • Click Add condition and select parameters from a list. Use the following table as a guide.

      Note:

      If a particular parameter doesn't appear on the Conditions page, it is because the parameter doesn't apply to the resource and actions that you selected previously.
       
      Parameter Operator Description

      IP address v4

      Trigger the alert if the IP address appears (In  or Equal to) or if the IP address doesn't match the value (Not in or Not equal to).  

      A comma-separated list of IPv4 addresses.

      Device

      Include or exclude the selected device type.

      This applies to Salesforce application instances only.

      Values: Mobile or Desktop.

      SSH Key Used

      The drop-down list determines whether you are setting a minimum, maximum, or exact value.

      Applies to Amazon Web Services application instances only.

      The number of days SSH keys may be kept before rotating them.

      Timestamp

      The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame).

      Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT). 

      A value as a time in 24-hour HH:MM:SS format.

      CASB threat intelligence IP reputation

      Equal to is the only option.

      To flag events from IP addresses with bad or good reputations, select:
      • Suspicious for bad reputations.

      • Regular for good reputations.

      City, State, or Country

      • Equal to requires matching the name you enter in Value.

      • Not Equal to requires not matching the name you enter in Value.

      • In requires matching any one of several names you enter in Value.

      • Not in requires matching none of several names you enter in Value.

      The name of the city, or the state or province, in the physical address that’s associated with the IP address.

      Tag

      Trigger the alert based on the appearance or non-appearance of this tag (Equal to or Not equal to).

      Select In or Not in if you want to enter a list of tags.

      You don't need to repeat a selection of Tag if you already entered tags in an earlier step.

      This applies to Box and Amazon Web Services (AWS).

      Box: A single tag name, or a comma-separated list of tag names. The list is treated as a logical OR.

      AWS: A complete key/value pair for the AWS tag, a single key name, or a comma-separated list of key names or key/value pairs. The list is treated as a logical OR.

      Recipients

      Trigger the alert if this user or users  are the recipient (Contains) or are not the recipient (Does not contain).

      Available for collaborative actions (for example, sending email or sharing a file). Takes a string that matches one or more users.

      For example, to flag any Box file being shared outside of mycompany.com, you can select Does not contain as the operator and type a value of mycompany.com.

      The following resource type and action combinations apply to the Recipient parameter:

      • AWS: Applies to sharing EC2 resources (the EC2 resource type). Requires a key/value pair.

      • Box: Applies to sharing or unsharing files (the File resource type),  collaboration, sharing, or unsharing folders (the Folder resource type).

      • Office 365: Applies to ExchangeMailFlow resources.

      ​Permission

      Trigger the alert if the named permission is affected (Equal to). 

      Only applies to policy alerts for Salesforce profiles.

    • Click Add Free-form condition, and then:

      • Using View Log Data information from an item in Risk Events that reflects the details you want to filter, enter the name of a Parameter. To ensure the exact, case-sensitive match that's required, copy and paste the parameter from a Risk Event item to the View Log Data display, where this information appears.

      • Select an Operator from the list.

      • Enter a Value to compare against from the same View Log Data information. To ensure the exact, case-sensitive match that's required, copy and paste the value from a Risk Event item to the View Log Data display, where this information appears.

        Note:

        Comparisons are made on string data, regardless of the original data type. Comparison of string conversions of date and numeric values may not produce the same results as the original data types.

      Note:

      The easiest way to add a free-form condition is to first create the alert with no conditions, or with only conditions that you add using the Add condition option, and then:
      1. Wait until you get an alert that you don't want from the policy.

      2. In Reports, locate the unwanted policy alert, and click View Log Data for the alert.

      3. Carefully copy the parameter and the value from that view to paste into the Parameter and Value fields. Note: If the text you copy for the parameter or value contains a comma, enclose it within quotation marks after pasting. This isn't necessary for text that contains spaces.

  8. On the Actions page, set your notifications and click Next

    • Show a risk event in Risk Events. When an event matches the policy, Oracle CASB Cloud Service creates a risk event in Risk Events.    

    • Display a recommendation in the risk event. Select this option to add instructions for the person who reads an alert related to this policy. The recommendation can help speed up issue resolution.

    • Send email to this address. Send email to the designated address.

  9. When you are done, click Next, review your settings, and then click Submit.

Duplicating a Policy

If you want to create a policy that is very similar to an existing policy, you can save time by duplicating the existing policy, then making a few changes.

Note:

The instructions below are for duplicating a custom policy as the template for creating a new custom policy. If you want to use a managed policy as the template for your new custom policy, see Working with Managed Policies.

Sometimes you may need to create several versions of the same policy that differ from each other in only a few details. Whenever this happens, you can simply duplicate the first policy and use it as a template for the next one. Duplicating a policy makes an exact copy, and then you only have to make the few changes that are needed for the new version.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.
  2. Locate the policy that you want to use as a template for another policy.
  3. In the row for that policy, drop down the Action list and select Duplicate.

    The New Policy wizard opens to the Name page, with all the settings copied from the selected policy. Only the policy Name is changed, adding the word “copy” to the end.

    Tip:

    Name related policies so that they list together in a sequence when you sort your policies on the Name column.

  4. In the New Policy wizard, navigate to the settings that you want to change for this version, and make the changes.
    • Click Next to work your way through the pages in sequence.

    • Click a page name, such as Condition or Action, in the column on the left, to go directly to that page.

    • Click Review and Submit whenever you have made all the changes you want to, then click Submit on that page to save your changes.

    For information on the different global settings in the New Policy wizard, see Creating a Policy. For information on Resource and Action settings that are specific to an application type, see the Creating Policy Alerts for... topic for that application type, in the Creating Policies and Managing Policy Alerts chapter.

Examples of Parameters in Free-Form Conditions

Learn how to use more complex free-form conditions, based on information in View Log Data for an event.

Here are more examples, increasing in complexity, for determining the free-form condition parameters to enter, based on information in View Log Data for an event.

Any parameter displayed in View Log Data parameters for an incident can be used to filter policy alerts so that unwanted false alarms aren't triggered. If you determine that an incident that was triggered by a policy alert didn't, in reality, need to be brought to your attention and you do not want to see future alerts for this same situation, then locate the alert in Risk Events and examine the View Log Data information for the incident to locate parameters that you can use to filter out future alerts.

Simple Example

Some parameters and values are easy to see in the View Log Data information. In simple cases like this, it's easy to locate the parameter and value information, and copy it directly from View Log Data tabular view into your free-form condition:

  • Parameter - Application 

  • Operator Equal to, to include this application as an alert trigger; Not Equal to, to exclude this application from triggering the alert  

  • Value - Workbench

Do you want to combine several applications in this condition, to either include or exclude both as alert triggers? Just separate the additional applications with commas in the Value field. For example, to specify that Workbench, XXX, or YYY should trigger (or not trigger) the alert:

  • Parameter - Application 

  • Operator In, to include these applications as alert triggers; Not in, to exclude these applications from triggering the alert 

  • Value - Workbench, XXX, YYY The space after the comma is optional. If multiple entries are listed in the Value field, the OR operator is applied to the values - a match on any one or more value tells the Operator to either trigger the alert (In operator) or not trigger the alert (Not in operator).

Note:

Remember that all comparisons are made on string data, regardless of the original data type. A comparison of the string conversions of date and numeric values may not produce the same results as the original data types.

More Complex Example

You might think of Slack as an application, but you will not find a parameter named Application in the View Log Data information for a policy alert triggered by Slack. Instead, you must use the information provided for the additional_details parameter:

In this case, it's easier to see how the parameter and value information must be entered as a free-form condition if you turn off tabular view and examine the raw data.

From the raw data, you can more easily determine these correct entries for your free-form condition:

  • Parameter - additional_details.service_name (including the period, but not the quotation mark (") or the left brace ({)

  • Value - Slack

Even More Complex Example — Response Contains Array

A response from Google Apps contains array data, so the policy alert definition must provide the array index as part of the identifying information. In this case, you must use both Tabular and raw data views of the View Log Data information. The Tabular view displays the array index values: 0 for events and 7 for doc_id.

In the raw data, you might be able to determine the correct parameter and value entries for your free-form condition.

Combining the information from the raw data with the index values displayed in tabular view, you can determine these correct entries for your free-form condition:

  • Parameter - events.0.parameters.7.value 

  • Value - 1xgwbui_zMqaNMN7BdiDMEu9G5zZC_5xmxUvnd3Qnvkw​