About Policy Alerts

Learn about the different types of policies you can use to generate alerts for suspicious activity.

Managed Policies

Oracle CASB Cloud Service provides a predefined set of policies, called "managed policies," for most application types.

Managed policies are a new generation of policies that are refined to provide:

  • Better, higher value alerts — configured for real vulnerabilities

  • Actionable outcomes — clear guidance on actions to take

  • Reduced “noise” — fewer alerts that are “false positives”

  • “Expertise out-of-the-box” — you don’t have to be a security expert in order to set up useful alerts

Some managed policies require you to provide environment-specific information in order for them to operate properly.

For more information on managing managed policies, see Working with Managed Policies.

Custom Policies

To supplement the alerts provided by managed policies, you can create custom policies that will generate alerts whenever the exact conditions that you specify are met. These include specific actions on specific resources, and optionally you may specify users or groups taking the actions, or other specific conditions under which the actions are taken. Policies are defined for a single application type, but they can be set to apply to one instance, all instances, or a specific list of instances of the application that are registered in your Oracle CASB Cloud Service tenant.

For more information on creating custom policies, see Creating a Policy.

Policy Alerts in Risk Score Computations

To have policy alert violations included in the computation of the risk score for individual users, select the Include in user risk score check box on the policy wizard's Name page when you create or modify a custom policy.

Policy Names on the Risk Events Page

By default, when a policy alert generates a risk event, an internally generated name is displayed in the SUMMARY column on the Risk Events page. You can set a preference to display the policy name instead of the internally generated name. This lets you control what you see in the SUMMARY column for risk events that are triggered by a policy alert. See Setting Your Preferences.

Components of Policies

As described in Policy Alerts (Rule-Based Alerting), Oracle CASB Cloud Service can compare activity in the cloud with policies, or sets of rules, that you define, and generate an alert any time it detects a policy violation.

When Oracle CASB Cloud Service detects behaviors that correspond to these rules, it produces alerts that describe the policy violation and can provide recommendations for responding to them.

Each policy has these components:

Resources

Every cloud application has resources that people use in some way. As a security precaution, you might want to monitor particular types of resources. For example, in Amazon Web Services you might monitor S3 (storage) containers, EC2 (web server) instances, IAM (identity and access) users, and access controls.

Actions on the Resources

Every cloud application allows its users and administrators to do things with the resources. Here are some examples:

  • Sharing, sending, or permitting collaboration with other people (inside or outside the organization)

  • Creating, modifying, and deleting resources (servers, user accounts, access control lists)

  • Starting or stopping services

Options for Narrowing the Policy Definition

You might be interested in particular events no matter where or when they take place. However, if needed you can qualify a policy according to these criteria:

  • People or groups who perform the action (for example, someone who shares a sensitive file)

  • Domains that shouldn't receive a shared resource

  • IP addresses that aren't sanctioned by your organization

  • Unusual times of day (after-hours events)
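The sketch below is an added example, not Oracle CASB Cloud Service code or its policy schema. It models a policy as a resource, a set of actions, and the optional narrowing criteria listed above, then evaluates it against constructed events. The field names, the event format, and the rule that every criterion that is set must hold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class Policy:  # hypothetical model, not the product's schema
    name: str
    resource: str                                      # resource type to monitor
    actions: set                                       # actions on that resource
    actors: set = field(default_factory=set)           # empty = anyone
    blocked_domains: set = field(default_factory=set)  # must not receive shares
    sanctioned_nets: tuple = ()                        # empty = no IP condition
    business_hours: tuple = ()                         # (start, end); empty = any time

    def violated_by(self, ev):
        # Resource and action must match; every narrowing option that is set must also hold.
        if ev["resource"] != self.resource or ev["action"] not in self.actions:
            return False
        if self.actors and ev["actor"] not in self.actors:
            return False
        if self.blocked_domains:
            domain = ev.get("recipient", "").rpartition("@")[2].lower()
            if domain not in self.blocked_domains:
                return False
        if any(ip_address(ev["ip"]) in ip_network(n) for n in self.sanctioned_nets):
            return False  # source IP is sanctioned, so the IP condition is not met
        if self.business_hours:
            start, end = self.business_hours
            if start <= datetime.fromisoformat(ev["time"]).time() < end:
                return False  # inside business hours, so not an after-hours event
        return True

def alerts(policies, events):
    return [(p.name, e["actor"], e["time"]) for e in events for p in policies if p.violated_by(e)]

def event(t, actor, resource, action, ip, recipient=""):
    return dict(time=t, actor=actor, resource=resource, action=action, ip=ip, recipient=recipient)

EVENTS = [  # constructed sample events (documentation IP ranges, made-up users)
    event("2024-03-04T10:15:00", "alice", "file", "share", "192.0.2.10", "bob@partner.example"),
    event("2024-03-04T11:02:00", "carol", "file", "share", "192.0.2.11", "eve@Competitor.example"),
    event("2024-03-04T23:40:00", "dave", "iam_user", "create", "203.0.113.50"),
    event("2024-03-04T23:55:00", "dave", "iam_user", "create", "192.0.2.12"),
]
POLICIES = [
    Policy("Share to blocked domain", "file", {"share"}, blocked_domains={"competitor.example"}),
    Policy("After-hours IAM change from unsanctioned IP", "iam_user", {"create", "delete"},
           sanctioned_nets=("192.0.2.0/24",), business_hours=(time(8), time(18))),
]
print(alerts(POLICIES, EVENTS))
```

Only the second and third events raise alerts: the first share goes to a domain that is not blocked, and the last IAM change comes from a sanctioned network.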

Notifications When a Policy Violation Is Detected

Oracle CASB Cloud Service reports policy violations in these ways:

  • By default, Oracle CASB Cloud Service displays a total count of policy alerts in the Health Summary widget on the Dashboard, and a count of policy alerts for each application on the Applications page:
    • In card view on the Applications page, click an application tile to see the Health Summary card for that application.

    • In grid view on the Applications page, a count of policy alerts for each application appears in the POLICY ALERTS column for the application.

    Details for policy alerts display on the Risk Events page. Sort on the CATEGORIES column and locate the “Policy alert” entries.
  • Optionally, Oracle CASB Cloud Service can also send policy violation alerts through email.

Oracle CASB Cloud Service Administrator Roles and Policies

Understand permissions granted to different administrator roles in viewing, creating, and modifying policies to generate alerts.

Your ability to view and work with policy alerts depends on your assigned role. The different administrator roles are allowed to perform different combinations of tasks in Oracle CASB Cloud Service:

  • Tenant Administrators. If you have this role, you can create, view, modify, and delete all policies. You can also optionally receive email notifications of new policy violation alerts.

  • Security Administrators. If you have this role, you can create, view, modify, and delete all policies for application instances that you have access to. You also have read-only access to policies that are assigned to "any" application instance if you have permission to view at least one instance of that type (for example, AWS).

  • Compliance Administrators. If you have this role, you can't view policies.

  • SOC Operator. If you have this role, you can't view policies.

    To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.