Managing Policy Alerts in Risk Events

Understand how to view and resolve the alerts that both managed and custom policies generate.

As you monitor the alerts generated by both managed policies and custom policies that you set up, you can view the log data for events to determine how serious they are.

Managed policies generate alerts automatically once they are enabled by subscribing to them. See Working with Managed Policies.

After you configure a custom policy, as described in Creating a Policy, Oracle CASB Cloud Service generates alerts when conditions in the application match the policy conditions. For example, you can create policies to detect when users share restricted information or when administrators modify a cloud service's access controls, and Oracle CASB Cloud Service will generate an alert when it detects these activities.

Both types of policy alerts produce risk events that appear on the Risk Events page.

  1. From the Dashboard, click the policy alerts number in the Health Summary card to view policy alerts for all applications on the Risk Events page.
  2. From the Applications page, to view all policy alerts for a single application on the Risk Events page:
    1. In grid view, click the count of policy alerts for an application that appears in the POLICY ALERTS column for the application.
    2. In card view, click an application tile to see the Health Summary card for that application, then click the “Policy alerts” number.
  3. Click an entry in the Risk Events list to view details about the alert:
    • The actor is usually the user whose actions triggered the alert. Click the email address for the Actor to view an Activity report for that user.

    • Click the link for the related policy name to view the rules that triggered the alert.

    • Click View log data to see the event information that triggered the alert.

    Note:

    Policy alerts for some application types have additional information on details that appear in Risk Events. Look for a topic titled "Risk Event Details Specific to <application_type>" in the "Creating Policy Alerts for <application_type>" section for that application type.
  4. To manage the alert, click the Actions drop-down menu and do one of the following:
    • If you feel the risk doesn't merit attention at this time, click Dismiss. If the rules that triggered the alert are too inclusive, modify the related policy so that it only picks up events that you are interested in (for example, change the resource definition in the policy to include only one or two actions of interest, or make the resource name more specific).

    • You can also dismiss all risk events for a policy alert at the same time:

      • On the Risk Events page, click the drop-down menu in the ACTION column for the event, select Dismiss, and then select Dismiss all ... open risk events created by the policy ....

      • On the Policy Management page (select Policy Management from the Navigation menu; if the Navigation menu is not displayed, click the Navigation Menu icon to display it), for any policy that has a non-zero entry in the RISK EVENTS column, drop down the Action menu for the policy, select Dismiss, and then select Dismiss all risk events.

      Note:

      If the number of risk events dismissed at one time is 100 or more, a job is created on the Jobs page. See Jobs.