Add a New Asset Rule

To add a new rule for scanning assets (content) stored on your sanctioned SaaS applications:
  1. Select
    Policy
    Asset Rules
    Add New Rule
    .
  2. Enter a
    Rule Name
    and an optional
    Description
    .
  3. Select a
    Severity
    for the rule.
  4. Verify that the
    Status
    is
    Enabled
    .
  5. Review information in Building Blocks in Asset Rules.
    Sensitive documents are identified as a policy rule violation only if the exposure level is violated. For example, you can configure a policy rule to trigger a an alert for a sensitive document that has a Public or External exposure. To specify the exposure level for which to flag a sensitive document as an incident:
  6. Select an
    Action
    for the new asset rule.
    Automatic remediation is a powerful tool and can modify a large number of assets in a short amount of time. Make sure you perform a test run first (using one policy rule and a small set of assets) before including these actions on additional policy rules.
    auto-assign-incidents.png
    1. For most policy rules, verify that
      Actions
      setting is
      Create Incident
      . By default a new incident is not assigned to an administrator. If you have Connect Prisma SaaS to Directory Services (Beta), you have the option to
      Assign to
      a specific administrator who has context to triage the incident and address the potential risk. Then, after you uncover specific issues that are high-compliance risks on your network, you can modify the rule or add a new rule that triggers Automatic Remediation:
      Quarantine
      —Automatically moves the compromised asset to a quarantine folder.
      Change Sharing
      —Automatically removes links that allow the asset to be publicly-accessed.
      Notify File Owner
      —Sends an email digest to the asset owner that describes actions they can take to fix the issue.
      Notify via Bot
      —(Only for Cisco Webex Teams) Uses a machine account that you created to send a direct message to the asset owner who triggered the policy match.
    2. Select
      Send Administrator Alert
      only for compliance issues for which you need to take immediate action, such as policy rules that are high-risk or sensitive. Prisma SaaS can send up to five emails per hour on matches against each Cloud App instance.
      Enable email alerts only after Prisma SaaS completes the initial discovery scan so that you are not inundated with emails when historical assets are scanned.
  7. Save your new policy rule.
    Save
    your changes.
    Prisma SaaS starts scanning files against the policy rule as soon as you save the changes. After the scan starts, you can start to Assess New Incidents and Fine-Tune Policy.

Related Documentation