1. Using Oracle CASB Cloud Service
  2. Getting Started
  3. Oracle CASB Cloud Service
  4. A Tour of the Oracle CASB Cloud Service Console

A Tour of the Oracle CASB Cloud Service Console

Get familiar with the major screens and the functions they provide in the Oracle CASB Cloud Service console.

Dashboard

Get familiar with the layout of the Dashboard, the Oracle CASB Cloud Service landing page.

Accessing the Dashboard

After your first login to Oracle CASB Cloud Service, the Dashboard is the first thing you see in the Oracle CASB Cloud Service in later logins. If the Dashboard is not displayed, select Dashboard from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

Working with the Dashboard

In the row of tiles at the top of the Dashboard, the Add/Modify App tile takes you to the Register an app instance wizard on the Applications page. There you can add, or register a new application instance to be monitored, or select an application instance to be updated.

The rest of the tiles in the row at the top of the Dashboard provide counts of the total number of registered application instances in each risk level or status. Click a tile with a non-zero entry to go to the Applications page, showing only registered applications in that risk level or status:

  • Image showing icon for unreachable application instance. — Status: Application instance is unreachable.

  • Image showing icon for high risk level. — High risk level. A threat has been detected.

  • Image showing icon for medium risk level. — Medium risk level. Some items require investigation, but no behavioral threats or malicious IP address accesses.

  • Image showing icon for low risk level. — Low risk level. Few or no issues require attention.

  • Image showing icon for new application instance. — Status: You or another administrator recently added this application instance. Oracle CASB Cloud Service is collecting initial data.

The Access Map displays symbols that indicate points of origin for events:

  • Image showing large green circle symbol. — Indicates a cluster of normal events. Click this symbol to see individual normal events.

  • Image showing smaller green circle symbol, with a black dot in the center. — Indicates an individual normal event.

  • Image showing large red circle symbol with an “X” in the center. — Indicates a cluster of suspicious events. Click this symbol to see individual suspicious events.

  • Image showing smaller red circle symbol, with a black “X” in the center. — Indicates an individual suspicious event.

Click links in the summary information to see more details.

  • Click a large circle symbol to zoom in until you can see smaller circle representing individual events.

  • Click a smaller circle symbol to see summary information about the access.

  • Click links in the summary information to see more details.

  • Select the type of events - all events, normal events, or suspicious events from the Filter drop-down list.

    Note:

    Oracle CASB Cloud Service remembers this selection for the current session.

  • Click the Help icon Image of Help icon in the upper-right corner to see online help about the suspicious and normal IP addresses that are represented by the dots on the Access Map.

The Health Summary: All Application Instances card summarizes potential threat information across all registered application instances.

  • Click any non-zero entry in that Health Summary: All Application Instances card to see a detailed report.

  • Click the Help icon Image of Help icon in the upper-right corner to see online help about the suspicious and normal IP addresses that are represented by the dots on the Access Map.

The other summary cards on the Dashboard, such as Suspicious and normal IP addresses, display statistics for specific types of activity that may or may not be suspicious. For each summary card, you can:

  • View the summary statistics displayed.

  • Hover over parts of the card to see additional information in pop-ups, and to identify links.

  • Click any link in the card to see more detailed information.

  • Click the Help icon Image of Help icon in the upper-right corner to see online help about the type of information displayed in the card.

Note:

If you total up the number users in the User risk levels tile, you will get the total number of users currently being monitored in all of the cloud applications that are registered in Oracle CASB Cloud Service. This number may be much smaller than the total number of users in your organization, especially if your organization has just started using Oracle CASB Cloud Service.

You never have to create users in Oracle CASB Cloud Service, or import users from some other source. Users automatically enter the system when they are detected in actions that they take in cloud applications that are being monitored. Typically the total number of users that appear in Oracle CASB Cloud Service is a lot less than the total number of users in your organization.

Threats

Learn how to filter threats that are displayed in Risk Events, and how to view details for a threat.

Accessing the Threats Display for an Application Instance

To quickly display threats for a particular application instance:

  1. To display the Health Summary card for an application instance, go to Applications and click the application instance tile.

  2. Click the nonzero entry for Threats.

    If the Threats entry is zero, there aren’t any threats that were detected for that application instance at this time.

Working with the Threats Display for an Application Instance

The App Details page displays risk events for an application instance which Oracle CASB Cloud Service has identified as threats.

  • Filter the risk events that are displayed:

    1. Click the Filter icon Image of Filter icon. at the upper right.

    2. Set any combination of filters to focus on specific groups of risk events.

      • Risk Level — high-, medium-, or low-risk events.

      • Category — a single risk event category.

      • Date Range — risk events logged in a specific date range.

        Note:

        Date ranges labeled “Last # days” all start at midnight on the first date, and end at the present moment. “Last 1 day” includes all of yesterday.

      • Status — open or resolved risk events.

    3. Click Search.

      The search results now display all risk events matching your filter settings.

      Note:

      The filter icon is highlighted to indicate that you are viewing a subset of the risk events. If you return to the Risk Events page in the same session, or later in another session, the events remain filtered.

  • Hover over icons in the RISK LEVEL column to see a description of the risk level.

  • Click a column heading that has up and down arrows next to it to sort the table on that column.

  • Drop down the Action list in the ACTION column to see available actions for the risk event. Actions you will see:

    • Dismiss — This option dismisses the risk event, when you do not view it as a threat.

    • View threat — This option details the reasons that the event appears to be a threat and shows charts and a map to help you analyze the threat.

  • In the Top Risk Activities area at the top left:

    • View summary statistics for the top risk activities.

    • Filter the list of risk events by clicking Security controls, Threats, or Policy alerts.

  • In the Risks by Category chart at the top:

    • View the counts of different types of threats.

    • Hover over a number to see the percentage value.

    • Click a number to filter the list of risk events to show only that type of threat.

  • View summary statistics for Data Processed in the Last 90 Days at the upper right.

For more information about threats, see Finding and Analyzing Users at Risk, and Remediating and Dismissing a Suspicious Activity Threat.

For definitions of the different risk types in Oracle CASB Cloud Service, see Different Types of Risk That Oracle CASB Cloud Service Monitors.

Applications

Learn how the Applications page is used.

Accessing the Applications Page

If the Applications page is not displayed, select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

Working with the Applications Page

The Applicationspage is where you register and update the cloud applications that Oracle CASB Cloud Service monitors. Applications lets you register application instances, modify the settings on an application instance that's already registered, and view the Health Summary for an application instance.

  • Use the icons at the top to filter the list of application instances by risk level or status — click any icon with a non-zero number beside to show only:

    • Image showing icon for new application instance. — Status: You or another administrator recently added this application instance. Oracle CASB Cloud Service is collecting initial data.

    • Image showing icon for unreachable application instance. — Status: Application instance is unreachable.

    • Image showing icon for high risk level. — High risk level. A threat has been detected.

    • Image showing icon for medium risk level. — Medium risk level. Some items require investigation, but no behavioral threats or malicious IP address accesses.

    • Image showing icon for low risk level. — Low risk level. Few or no issues require attention.

    If you return to the Applications page in the same session, or later in another session, the application instances remain filtered.

  • Use the Search icon Image of Search icon to display only application instances with names that contain the text that you enter.

    For example, enter aws to display only application instances with “aws” in their names. Depending on how you name your application instances, these may or may not be AWS application instances.

  • Explore the two different views available for the Applications page.

    • The very first time you access the Applications page, it opens in card view, with each application displayed in a square card.

    • In card view, you click the card for an application instance to view the Health Summary information, which contains a menu that lets you modify settings for the application instance.

    • Use the view switcher tool Image of the view switcher tool to switch to grid view, with each application instance displayed in a separate row.

    • In grid view, the Health Summary information is displayed in the row for the application instance, and a drop-down Action  menu lets you modify settings for the application instance.

    • Use the view switcher tool Image of the view switcher tool again to switch back to card view.

      When you return to the Applications page in the same session, or later in another session, the last selected view is retained.

  • In card view:

    • View summary statistics at the top, indicating counts of new and unreachable application instances, and application instances with high, medium, and good threat levels.

    • Click the Search icon Image of Search icon to search for specific application instances.

    • Hover over the risk indicator icon in the top left of an application instance card to see a description of the risk level.

    • Click the card for an application instance to display the Health Summary card for that instance.

      From the Health Summary card:

      • Click View Details to see a summary of all activity on that application instance.

      • Click one of the non-zero Top Risk Activities to see detailed information for that activity.

    • To add or register a new application instance, click the Add/Modify App card.

    • To modify settings for an existing application instance, click the card for the instance to open its Health Summary card, and then click Modify to display a list of settings that you can select to modify.

    • To delete an application instance, click the card for the instance to open its Health Summary card, and then click Remove.

  • In grid view:

    • View summary statistics at the top, indicating counts of new and unreachable application instances, and application instances with high, medium, and good threat levels.

    • Click the Search icon Image of Search icon to search for specific application instances.

    • Click a column heading that has up and down arrows next to it to sort the table on that column.

    • Hover over the risk indicator icon in the Risk column for an application instance to see a description of the risk level.

    • Drop down the Action menu and select View details to see a summary of all activity on that application instance.

    • View the Health Summary information for that instance in the four columns to the right of the Instance column.

      Click a non-zero number in one of these columns to see detailed information for that activity.

    • To add or register a new application instance, click Add/Modify App at the top left.

    • To modify settings for an existing application instance, drop down the Action menu and select an Update ... option.

    • To delete an application instance, drop down the Action menu and select Remove app instance.

Risk Events

Learn what information is available for each risk in Risk Events.

Accessing Risk Events Page

If the Risk Events page is not displayed, select Risk Events from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

Working with the Risk Events Page

Risk Events displays a risk level icon for every user that Oracle CASB Cloud Service detects. To view a breakdown of risk-related activity for an individual user, click the user’s name.

  • Set the type of name displayed in the SUMMARY column for risk events that are triggered by a policy alert.

    By default, an internally generated name is displayed. Choosing to display the policy alert name instead of the internally generated name lets you control what you see in the SUMMARY column for risk events that are triggered by a policy alert. See Setting Your Preferences.

  • Filter the risk events that are displayed:

    1. Click the Filter icon Image of Filter icon. at the upper right.

    2. Set any combination of filters to focus on specific groups of risk events.

      • Risk Level — high-, medium-, or low-risk events.

      • Category — a single risk event category.

      • Date Range — risk events logged in a specific date range.

        Note:

        Date ranges labeled “Last # days” all start at midnight on the first date, and end at the present moment. “Last 1 day” includes all of yesterday.

      • Status — open or resolved risk events.

    3. Click Search.

      The search results now display all risk events matching your filter settings.

      Note:

      The filter icon is highlighted to indicate that you are viewing a subset of the risk events. If you return to the Risk Events page in the same session, or later in another session, the events remain filtered.

  • Hover over icons in the RISK LEVEL column to see a description of the risk level.

  • Click a column heading that has up and down arrows next to it to sort the table on that column.

  • Click any row to expand the row to show a detailed breakdown of the risk event, including a recommendation on what to do about it.

  • Drop down the Action list in the Action column to see available actions for the risk event. Some of the actions you may see:

    • Dismiss — available if an incident has not yet been created for the risk event. This option dismisses the risk event, when you do not view it as a threat.

    • View threat — available when Oracle CASB Cloud Service has identified the risk event as a threat. This option details the reasons that the event appears to be a threat and shows charts and a map to help you analyze the threat.

Reports

Understand what’s available on the Reports page.

Accessing the Reports Page

If the Reports page is not displayed, select Reports from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

Working with the Reports Page

Oracle CASB Cloud Service supplies predefined reports for auditing activity within Oracle CASB Cloud Service (an audit trail), risks shown in Risk Events. The Reports page is where you access these reports.

  • Click a column heading that has up and down arrows next to it to sort the table on that column.

  • Click the Run icon in the Action column to run the report.

  • Click New Report at the top left to create a custom report that is saved in the reports list.

  • Click Report Builder at the top left to create and run an ad hoc query. Ad hoc queries are not saved in the reports list.

Users

Learn what information is available for each user on the Users page.

Accessing the Users Page

If the Users page is not displayed, select Users from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

Working with the Users Page

The Users area displays a risk score for every user that Oracle CASB Cloud Service monitors. To view a breakdown of risk-related activity for an individual user.

  • Click a column heading that has up and down arrows next to it to sort the table on that column.

  • Click a user’s name to view a breakdown of risk-related activity for that user.

  • Click a link in the Reasons column to view detailed information about the reason.

Note:

You never have to create users in Oracle CASB Cloud Service, or import users from some other source. Users automatically enter the system when they are detected in actions that they take in cloud applications that are being monitored. Typically the total number of users that appear in Oracle CASB Cloud Service is a lot less than the total number of users in your organization.

Jobs

Learn how the Jobs page is used.

Accessing the Jobs Page

If the Jobs page is not displayed, select Jobs from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

Working with the Jobs Page

Exports of more than 1,000 rows of report data to CSV files are processed in the background, through a job that’s listed in Jobs page. Bulk dismissals of more than 100 risk events are also processed in the background through the Jobs page.

If there have been no recent large reports exported or bulk dismissals of risk events, the Jobs page is empty.

  • Use the icons at the top to filter the list of jobs by the status — click any icon with a non-zero number beside to show only:

    • Image showing icon for new jobs.— Status: New jobs that were created.

    • Image showing icon for failed jobs.— Status: Jobs that failed.

    • Image showing icon for completed jobs— Status: Completed jobs.

  • Use the Search icon Image of Search icon for a text-based search.

    For example, to search for jobs by a particular requestor, enter the email ID of the requestor.

  • Hover over icons in the Status column to see a description of the status.

  • Click a column heading that has up and down arrows next to it to sort the table on that column.

  • If the Results column displays a CSV icon CSV Download icon for a job, click it to download the comma-separated values file that you can open in a spreadsheet program.

For information about exporting large amounts of report data, see Exporting a Report.

Configuration

Learn what functions are available in the Configuration menu.

The Configuration section lets you configure different components that support Oracle CASB Cloud Service:

  • Admin Management: Add Oracle CASB Cloud Service administrators, and update their admin information or remove them.

  • Policy Management: Create policy (rule-based) alerts that, when triggered, add entries in Risk Events, and optionally send email notifications.

  • Import Enterprise Users: Upload directory information to populate user and group-related widgets, and enable cross-application threat analytics.

  • Manage IP Addresses: Add to the suspicious IP addresses that Oracle CASB Cloud Service ingests from third-party threat feeds, and whitelist IP addresses that are trusted.

  • Threat Intelligence Providers: View third-party threat intelligence providers that contribute to Oracle CASB Cloud Service's threat analytics (particularly in the area of suspicious IP addresses).

  • Identity Management Providers: View identity providers that are available to support single sign-on (SSO) that’s implemented in your application instances.

  • SIEM Providers: View security information and event management (SIEM) providers that are supported to receive Oracle CASB Cloud Service data for further analysis and consolidation with other systems.

  • Threat Management: View thresholds that determine when alerts are triggered to be displayed in Risk Events.

Administrator Management

Learn how to add an administrative users and assign roles to the user.

This page lists the uses who have administrator privileges in Oracle CASB Cloud Service.

Accessing the Administrator Management Page

If the Administrator Managementpage is not visible, select Configuration, Administrator Managementfrom the Navigation menu. If the Navigation menu is not displayed, click the Navigation menu icon to display it

Working with the Administrator Management Page

The Administrator Management displays the list of all the administrative users. Here, you can view the details of an administrator user, edit the users’ details, reset the users’ password and delete the user.

To add new administrators, click New Administrator. See Adding an Administrator through the Oracle CASB Cloud Service Console.

To make changes to existing administrators, click an icon in the ACTION column for that administrator:

  • Image of the View icon. - to view detailed information for the administrator.

  • Image of the Reset Password icon - to reset the administrator's password.

  • Image of the Edit icon. - to edit information for the administrator.

  • Image of the Delete icon. - to delete the administrator.

Policy Management

Learn about using the Policy Management page to create policy-based alerts.

The Policy Management page displays the existing policies. You can also create new policies.

Accessing the Policy Management Page

If the Policy Management page is not visible, select Configuration, Policy Management from the Navigation menu. If the Navigationmenu is not displayed, click the Navigation menu icon to display it.

Custom policies and Managed policies

The Policy Management page has separate tabs for Custom and Managed policies. The Custom tab is selected when you open the page.

  • Custom policies are completely under your control - you can modify any custom policy listed and you can create new custom policies.

  • Managed policies are maintained by Oracle CASB Cloud Service. You can't create or modify a custom policy. If you want to modify a managed policy, copy it as a custom policy and modify the copy.

Working with Custom Policies on the Policy Management Page

Click the Custom tab if it is not already selected.

  • Search for custom policies within the list of custom policies displayed:

    1. Click the Search icon Image for Search icon at the upper right to bring up the Search field.

    2. Enter a search text and then, press Enter.

      The list of policies that match the search text is displayed.

  • Toggle the switch in the ENABLED column to enable or disable a policy.

  • The ACTION column lists the actions you can take on a policy:

    • View: View the selected policy details

    • Dismisses all risk events: Dismisses all risk events generated as a result of this policy.

    • Edit: Edit the selected policy

    • Delete: Delete the selected policy.

  • Click New Policy to create a new policy definition. See Creating Policies and Managing Policy Alerts

Working with Managed Policies on the Policy Management Page

Click the Managed tab if it is not already selected.

  • Search for managed policies within the list of policies displayed:

    1. Click the Search icon Image for Search icon at the upper right to bring up the Search field.

    2. Enter a search text and then, press Enter.

      The list of policies that match the search text is displayed.

  • Toggle the switch in the SUBSCRIBED column to enable or disable a policy.

  • In the ACTION column, drop down the Action list for a policy to see the actions you can take on it:

    • View: View the selected policy details

    • Dismiss all risk events: Dismisses all risk events generated as a result of this policy

    • Copy to Custom: Delete the selected policy

For more information on managed policies, see Working with Managed Policies.

Manage IP Addresses

Learn how to add to the suspicious IP addresses that Oracle CASB Cloud Service ingests from third-party threat feeds, and whitelist IP addresses that are trusted.

When an IP addresses is blacklisted, an alert is automatically generated when that IP addresses is detected. For IP addresses that are whitelisted, alerts are suppressed.

Accessing the Policy Management Page

If the Manage IP Addresses page is not visible, select Configuration, Manage IP Addresses from the Navigation menu. If the Navigationmenu is not displayed, click the Navigation menu icon to display it.

Working with the Manage IP Addresses Page

The two tabs on the Manage IP Addresses page — Blacklist and Whitelist lets you add IP addresses to the respective lists.

  • Blacklist tab: Displays all the blacklisted IP addresses, IP address type, the applications that the IP address applies to, and the date the IP address was added to the list.

  • Whitelist tab: Displays all the whitelisted IP addresses, IP address type, the applications that the IP address applies to, and the date the IP address was added to the list.

For detailed instructions on blacklisting or whitelisting IP addresses, see Putting IP Addresses on Blacklists or Whitelists.

Threat Intelligence Providers

Learn how the Threat Intelligence Providers page is used.

Accessing the Threat Intelligence Providers Page

If the Threat Intelligence Providers page is not displayed, select Configuration, Threat Intelligence Providers from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

Working with the Threat Intelligence Providers Page

The Threat Intelligence Providers page subscribes your Oracle CASB Cloud Service tenant to three of the most up-to-date threat intelligence services, provided out-of-the-box, at no additional cost.

The data provided by these threat intelligence services gives security administrators and system and organization control (SOC) analysts additional visibility about threat alerts that are generated in their respective environments.

Three primary threat intelligence providers are enabled by default:

  • Digital Element allows Oracle CASB Cloud Service to better resolve IP addresses to physical locations, as well as providing information about the relationship between an IP address and the underlying domain name.

  • Tor gives Oracle CASB Cloud Service insight into anonymous proxy usage.

  • abuse.ch provides Oracle CASB Cloud Service with detailed information about URL classification, domain classification, and IP reputation.

It is recommended best practice to keep these threat intelligence services enabled, in order to provide more details about the threats that are generated in the Oracle CASB console.

SIEM Providers

Learn how the SIEM Providers (Security Information and Event Management) page is used.

Accessing the SIEM Providers Page

If the SIEM Providers page is not displayed, select Configuration, SIEM Providers from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

Threat Management

Learn how the Threat Management page is used.

Accessing the Threat Management Page

If the Threat Management page is not displayed, select Configuration, Threat Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.

Working with the Threat Management Page

The Threat Management page lists the threat thresholds configured for your Oracle CASB Cloud Service tenant.

You can't change threat thresholds directly on the Threat Management page. To request changes in any of the threat thresholds for your Oracle CASB Cloud Service tenant, contact Oracle Support (http://support.oracle.com).  If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets.  As an alternative, you can also contact your Oracle CASB Customer Success Manager.