Building Blocks in Asset Rules

Learn about the building blocks available to create asset rules on SaaS Security API.
An asset (or content) rule has the following information:
Rule Name: A name for the policy rule.
Description: A description that explains the purpose of the rule.
Severity: Specify a value to indicate the impact of the issue. The value can range from 1 to 5, with 5 representing the highest severity.
Status: A rule can be in the enabled or disabled state. The predefined data patterns provided by SaaS Security API are automatically enabled. After you Configure Data Patterns, you must enable the pattern.
Match Criteria: Specifies what the rule scans for and the number of occurrences or frequency required to trigger an alert. See Match Criteria for Asset Rules for details about each rule type. When you change the match criteria settings, you automatically trigger a rescan of all assets for the corresponding SaaS application. SaaS Security API uses the updated settings in the policy rule configuration to rescan assets and identify incidents.
Actions: Allows you to specify whether SaaS Security API should trigger one of the following actions to carry out Automatic Remediation Options or whether it should simply log the event as an incident.
  • Quarantine
    —Automatically moves the compromised asset to a quarantine folder. For User Quarantine, you can send the asset to a quarantine folder in the owner’s root directory for the associated cloud app. For Admin Quarantine, you can send the asset to a special Admin quarantine folder which only an Admin can access. When the asset is quarantined, you can send the asset owner an email that describes the actions that were taken.
  • Change Sharing
    —Automatically removes public links or external collaborators.
  • Notify File Owner
    —Sends an email digest to the asset owner that describes actions they can take to fix the issue.
  • Notify via Bot
    —Sends a message using the Cisco Webex bot that you configured in Begin Scanning a Cisco Webex Teams App.
  • Apply Classification
    —Automatically applies the classification and priority labels to the third party classification data pattern match criteria.
  • Create Incident
    —Automatically changes incident status to Open and the incident category to New so the administrator can Assess Incidents.
  • Send Admin Alert
    —Select send admin alert for compliance issues that need immediate action, such as policy rules that are high risk or sensitive. Sends an email digest to the asset administrator that describes actions they can take to fix the issue.
View which autoremediate options are supported for each sanctioned SaaS application.
