Data Security identifies and sets the state and category
for each incident discovered during the scanning of your assets.
Where Can I Use This?
- NGFW (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
- Data Security license
- Or any of the following licenses that include the Data Security license:
  - CASB-X
  - CASB-PA
Incidents are triggered by policies. Data Security identifies incidents when it finds
noncompliance with asset rules (whether predefined policies or user-defined
policies) and security control policies. The
service detects these incidents by scanning all assets in your managed SaaS applications
and matching the file and folder metadata, associated collaborators, and the content of
the files against your active policy rules or the configuration.
For each incident, you can determine whether it indicates regulatory noncompliance or
compromises the security of your proprietary data or intellectual property.
Examples of incidents include:
- AWS keys that have not been rotated in 3 months.
- Files that WildFire classified as malware.
- Passwords that don't meet the minimum complexity requirements.
- A document or folder containing sensitive data (such as credit card or social security numbers, secret code names, or source code) that is shared with an external user or contains a public link.
- Assets that users have shared with external domains or collaborators, or that are directly accessible through a public link or vanity URL.
- Forwarding a corporate email containing sensitive data to a personal email domain.
Data Security enables you to assess and resolve such incidents, which
include the following default Open and Closed categories.
You can't delete or rename default or custom categories.
Incident State: Open
Incident Category:
- Data Security automatically assigns all incidents as New, meaning they need assessment. You can't manually assign an incident from another state to New.
- The incident investigation is In Progress, but not closed. The assigned administrator is actively working to assess and resolve the incident.
- Pending action to take place before you can assess, investigate, or remediate the incident. The action can be information from an asset owner or a dependency on another stakeholder in your organization.
Incident State: Closed
Incident Category:
- No Reason found for the reported incident.
- Business Justified because an asset owner’s job responsibilities necessitate the specific user behaviors identified in the policy or because the incident was triggered as part of the testing you performed in the process of fine-tuning your policies.
- Misidentified as a data pattern match or policy violation.
- When an asset changes such that a policy violation no longer exists, Data Security closes the incident and assigns In The Cloud. You can't manually assign an incident from another state to In The Cloud.
- When an asset is quarantined during automatic remediation, Data Security resolves this incident and assigns the status as Aperture. Data Security was originally named Aperture. However, the SaaS Security web interface maintains this status to support any incidents with this status.