Match Criteria for Asset Rules

When you Add a New Asset Rule or you Modify an Asset Rule, you define the match criteria that the asset rule uses when scanning for matches. Prisma SaaS compares all of the information it discovers against the enabled asset rules and identifies incidents and exposures in every asset across all your monitored SaaS applications. Match criteria is critical for successful discovery of risks in SaaS application usage across your organization so, when you set the match criteria, you must carefully consider the thresholds, types of information, and risks associated with how assets are shared. Use match criteria to enforce compliance with your corporate acceptable use policy.
Match Criteria
Description
Activity
Select the asset access and modification activities within a selected time frame to match. For example, activities can include
Accessed
,
Not Accessed
,
Modified
, and
Not Modified
. Time frames include
in the past week
,
in the past month
, and
in the past 6 months
.
Asset Name
Enter the
Asset Name
to include or exclude in the match results. Select either
Equals
to match the asset, or
Does not Equal
to exclude the asset from matching.
Cloud Apps
Select the managed applications to scan and match. By default, all cloud apps you added to Prisma SaaS are scanned, but you can Rescan a Managed Cloud App.
Data Pattern
Select the available data patterns to match including predefined or custom data patterns or a file property you defined when you Configure Data Patterns. Enter the number of
Occurrences
required to display a data pattern match.
Exposure
Select the match conditions for how the asset is shared (Public, External, Company, or Internal).
File Extension
Enter the
File Extension
to include or exclude in the match results. Select either
Equals
to match the asset file extension, or
Does not Equal
to exclude the asset file extension from matching.
File Owner’s Group
To enforce group-based policy using
File Owner’s Group
, you must Connect Prisma SaaS to Directory Services (Beta).
Select either
Equals
, or
Does not Equal
and the Azure Active Directory Group to which the file owner must belong. You can also select
Not Available
if you want to enforce an action for any users who are not identified either because the email address is unavailable or because they belong to an AD group that is not being scanned by Prisma SaaS.
Owner
Enter the email address for the asset
Owner
to
Include
or
Exclude
in the match results. You can add one or more Directory groups
File Hash
Files are scanned using WildFire analysis to detect and protect against malicious portable executables (PEs) and known threats based on file hash. Enter the
Hash
(SHA256) details of the file to match. Select
Equals
(include in matching), or
Does not Equal
(exclude in matching).
Trust State
When you Define Untrusted Users and Domains or if you are matching on an assets trust state, all assets shared with a user in the selected
Trusted
,
Untrusted
, or
Anyone Not Trusted
users list are detected as a match. Specify the number of occurrences (such as
Any
,
More than
,
Fewer than
, or
Between
with whom a file must be shared to trigger a match.
Account
Select the
Cloud App
and the
Project/Subscription
in the storage
Account
to include in the match results.
match-criteria-attributes.png

Related Documentation