Creating Policy Alerts for Discovered Applications

Create custom policies to generate alerts for actions on resources that are specific to discovered applications.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Creating a Policy for Discovered Applications

Follow these general steps for any policy you create to generate an alert for actions in discovered applications.

Oracle CASB Cloud Service displays an alert in Risk Events whenever an event occurs that matches the policy conditions.

The following are the general steps for creating a policy for discovered applications that generates an alert whenever an event occurs that matches the policy conditions. Oracle CASB Cloud Service displays all alerts in Risk Events. Optionally, you can also choose to receive an email notification.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. On the Custom tab, click New Policy.
  3. In the Name page:
    1. Enter a name for the policy.

    2. (Optional) Enter a description.

    3. Select a Priority.

    4. If you want policy violations to be included in user risk score computations, select Include in user risk score.

    5. Click Next.

  4. On the Resource page, make these selections.
    Field: Application type
    Value(s): Select Discovery.

    Field: Application instance
    Value(s): Leave the selection as Any. There can only be one instance of App Discovery in an Oracle CASB Cloud Service tenant.

  5. Specify resource details and actions.
    1. Specify Resource details, using the information in the table below:

      Field: Resource
      Value(s): The tag for the type of discovered application you want to monitor:
      • Sanctioned — applications like this are officially sanctioned and should be available to all users.

      • Permitted — applications like this are not officially sanctioned, but are permitted when a user or group has asked to use the application and the request has been approved.

      • Restricted — applications like this are restricted to use by only specific individuals.

      • Prohibited — applications like this should never be used by anyone in the organization.

      • Irrelevant — applications like common websites or an advertisement that can be excluded from a security analysis.

      Field: Resource name
      Value(s): You must provide a name for the selected resource type. If you select:
      • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name.
      • Regular expression, enter .* to match all email retention rules.
    2. Specify an Action on the resource using the table below:

      Action on this resource: Any
      Description: Matches any action.

      Action on this resource: Tag
      Description: The only option available. Selecting this has the same effect as selecting Any.

    3. (Optional) Add more Resource name-Action pairs to refine your policy.

      You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

      • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
      • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

    4. Click Next when you have finished specifying resource name-action pairs.

      You are now on the Username page.

  6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.
    1. In the drop-down list, select Username contains or Username does not contain.
    2. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

      Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

    3. Click Next to go on to the next page.
  7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

    For information on condition parameters available for use in policy alerts for discovered applications, see Condition Parameters for Discovered Applications. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

    1. Click Add condition or Add Free-Form Condition.
    2. Select a Parameter, an Operator, and a Value from the drop-down lists.

      In free-form conditions, you enter values for Parameter and Value.

    3. To add another condition or free-form condition, repeat the 3 steps above.

      Note:

      When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.
    4. Click Next to go on to the next page.
  8. On the Action page, set your notifications:
    • Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

  9. When you are done, click Next, review your settings, then click Submit.
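
The matching rules in the steps above (any one resource name-action pair, any one username entry, all conditions) can be checked with a small model before building the policy. This is an added example, not Oracle code; the policy layout, the parameter names example_param_a and example_param_b, case-sensitive comparison, and whole-string regular-expression matching are assumptions.

```python
import re

# Operators listed on the Resource page; case-sensitive matching is an assumption.
OPS = {
    "Equal to": lambda name, v: name == v,
    "Contains": lambda name, v: v in name,
    "Begins with": lambda name, v: name.startswith(v),
    "Ends with": lambda name, v: name.endswith(v),
    "Regular expression": lambda name, v: re.fullmatch(v, name) is not None,
}

def username_matches(flt, user):
    """Optional filter: any one entry satisfying the selected mode is enough."""
    if flt is None:
        return True
    entries = [e.strip() for e in flt["entries"].split(",") if e.strip()]
    if flt["mode"] == "Username contains":
        return any(e in user for e in entries)
    return any(e not in user for e in entries)  # "Username does not contain"

def policy_matches(policy, ev):
    """Tag matches, ANY name-action pair matches (action is Any, so only the
    name is tested), the username filter passes, and ALL conditions hold."""
    return (ev["tag"] == policy["resource"]
            and any(OPS[p["op"]](ev["resource_name"], p["value"]) for p in policy["pairs"])
            and username_matches(policy.get("username"), ev["user"])
            and all(ev.get(k) == v for k, v in policy["conditions"].items()))

# Constructed policy and events; names, parameters and values are hypothetical.
POLICY = {
    "resource": "Prohibited",
    "pairs": [{"op": "Begins with", "value": "fileshare"},
              {"op": "Regular expression", "value": r".*\.example"}],
    "username": {"mode": "Username does not contain", "entries": "svc-, admin"},
    "conditions": {"example_param_a": "x", "example_param_b": "y"},
}

def event(tag, name, user, b):
    return {"tag": tag, "resource_name": name, "user": user,
            "example_param_a": "x", "example_param_b": b}
EVENTS = [
    event("Prohibited", "fileshare-one", "alice", "y"),      # every part matches
    event("Prohibited", "chat.example", "svc-backup", "y"),  # "admin" is not contained
    event("Prohibited", "fileshare-two", "bob", "z"),        # one condition fails
    event("Permitted", "fileshare-one", "alice", "y"),       # different tag
]

def evaluate():
    return [policy_matches(POLICY, e) for e in EVENTS]
```

The second event shows that, as documented, a Username does not contain filter with several entries still triggers for a user whose name contains only one of them.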

Condition Parameters for Discovered Applications

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for applications discovered in Oracle CASB Cloud Service – Discovery.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for discovered applications.

Field: Resource
Value(s): The type of object you want to monitor.

Field: Resource name
Value(s): In this field, you restrict Oracle CASB Cloud Service's alerts to resources with a particular name or partial name.

Field: Action on this resource
Value(s): Leave the selection as Any. The alert will be triggered if the resource is discovered.