: Add a New Asset Rule
Focus
Focus
Table of Contents

Add a New Asset Rule

Learn how to create a new asset rule.
Data Security
enables you to add new rules for scanning assets (content) stored on your sanctioned SaaS applications. For example, you can create a rule that triggers an alert based on match criteria such a given exposure level (for example, an asset is publicly accessible) needed to protect a specific asset. An exclamation point for your cloud app denotes no active rules.
When you create a new asset rule, you have the option to automatically remediate incidents that violate that rule. Automatic remediation is a powerful tool and can modify a large number of assets in a short amount of time: before you include these remediation actions in additional rules, perform a test using one rule and a small set of assets.
  1. Log in to SaaS Security. Go to
    Data Security
    Policies
    . Three types of policies are listed:
    • Data Asset Policies
    • User Activity Policies
    • Security Control Policies
    Select your policy type and click
    Add Policy
    .
  2. Enter a
    Rule Name
    and an optional
    Description
    .
  3. Select a for the rule.
  4. Verify that the
    Status
    is
    Enabled
    .
  5. Specify , including the exposure levels.
  6. Specify
    Actions
    and automatically remediate for change sharingwhen there are rule violations:
    • Create Incident
      —Do one of the following:
      • (
        Recommended
        ) Enable to create an incident when a file violates this policy and display only the first occurrence of the violation in the Remediation Email Digest.
      • Disable to add the violation in the Remediation Email Digest and display the violation daily until the asset owner remediates the violation. Repeating the same violation in an email digest might cause user fatigue, resulting in asset owners ignoring daily email digests. However, if you know that administrators do not have time to remediate issues, an alternative is to repeatedly ask asset owners to remediate issues themselves.
    • Quarantine
      —Automatically move the compromised asset to a quarantine folder.
    • Change Sharing
      —Automatically remove links that allow the asset to be accessed. Base your selections on your organization’s Exposure Level tolerance.
    • Notify File Owner
      —Include in the email digest actions (
      Recommended Action
      ) asset owners can take to remediate policy violations (
      Issue
      ).
      Issue
      is an in-line link that takes asset owners to the file or folder that needs remediation. From there, asset owners can change share settings within the cloud app.
      Best practice is for you to provide text in these fields and provide detailed explanations and instructions via internal links in the email digest body as outlined in Remediation Email Digest.
    • (
      Designated Apps Only
      )
      Notify via Bot
      —Uses a machine account that you created to send a direct message to the asset owner who triggered the policy match. Only designated SaaS apps support this capability.
    • Include Remediation Email Digest
      —When you either
      Quarantine
      or
      Change Sharing
      for an asset, include
      in
      the email digest actions taken along with the specific policy violation (Issue).
    • Send Administrator Alert
      —Temporarily choose an administrator who has context to triage the policy violations and address the potential risk. By default any incidents generated by this asset rule are not assigned to an administrator. As a best practice, after you uncover specific issues that are high-compliance risks on your network, modify the rule or add a new rule that triggers automatic remediation instead of sending alerts. If you Connect Directory Services to Data Security, the SaaS Security web interface displays
      Assign to
      .
      • Use for compliance issues for which administrators need to take immediate action, such as policy rules that identify high-risk or sensitive assets.
      • Consider your administrators’ areas of expertise and triage accordingly to minimize overloading any one administrator.
        Data Security
        sends up to five emails per hour on matches against each Cloud app instance.
      • Enable alerts only after
        Data Security
        completes the initial discovery scan so that administrators are not inundated with emails when historical assets are scanned.
  7. Save/Create
    your new policy rule.
    Data Security
    starts scanning files against the policy rule as soon as you save the changes. After the scan starts, you can start to assess new incidents and fine-tune your new policy.

Recommended For You