This guide will walk you through setting up custom content policies. Custom content policies allow automatic alerting or remediation when specified conditions are met. Whether it is a PCI infraction or a profanity alert, all content-related policy is created here. You will find a quick video to walk you through the process, as well as written instructions beneath.
NOTE: Do not use the Remediation option until you are fully comfortable with Cloud Access Monitor, and understand how this will affect your users.
STEP ONE:
Sign in to your Cloud Access Monitor instance.
STEP TWO:
Navigate to the Audit & Control page, and select the name of your desired Cloud Environment. (Global Views will show all accounts in your domain, while filtered views will show only the users for that view.)
STEP THREE:
Select the "x Enabled" policies button to the right of the desired Cloud Environment.
STEP FOUR:
Enter the email address at which you wish to receive alerts.
STEP FIVE:
Select the "Add Policy" Button on the bottom right of the screen.
STEP SIX:
Here you can customize your policy to suit your environment. There are three columns in the policy setup: Content, Threats, and Sharing.
Content:
Here you can choose to narrow the source, type, and size of the content you wish to create a policy for.
Source: Choose the sources you wish to create the policy for: Drive File, Shared Drive File, Email, or Hangout.
Type: Choose the file type(s) you would like to be monitored for violations. Leaving the field blank will monitor all files.
Size (MB): Enter a file size in MB to monitor. Any files bigger than the chosen size will be monitored.
Threats:
Here you can select which threat types to monitor for: Risk, Malware, and Url Scan.
Risk: Can be set to specific values, such as PCI, PII, Profanity, Image, and many more.
Malware: Will look for malicious files.
Url Scan: Looks for URLs that link to known malicious sites.
Sharing:
Sharing allows you to narrow down results by specifying...
No. of Shares: The number of times the file has been shared. Entering a number here will trigger a policy violation once the number of shares is reached.
From Organization: Will trigger a policy violation if the file is sent to an outside domain with defined risks.
Explicit User/Group Sharing: Here you can choose to monitor only internal traffic (Within Domain) or outbound traffic (To Outside Domain).
Link Sharing: Monitor files that have been shared via link, either by domain-wide links or global links (To Outside Domain).
From Outside Domain: Will trigger an alert if the file is sent from an outside domain with defined risks.
Domain Name: Here you can input a full domain string or add "*" to apply a wildcard value.
To Specific User: Will trigger a violation if a specific user(s) receives a file with defined risks.
From Specific User: Will trigger a violation if a file containing defined risks is sent by a specific user(s).
To Specific OU: Will trigger a violation if the file is sent to a specific user OU(s).
From Specific OU: Will trigger a violation if the file is sent from a specific user OU(s).
Here you can apply either Include or Exclude conditional values.
STEP SEVEN:
Once you have set up your custom policy, select the "Apply" button on the bottom left.
STEP EIGHT:
At this point you may choose if you would like any Automatic Remediation to take place. Each source has its own remediation options.
(Note: "Warn User" remediation only applies to INTERNAL DOMAIN ACCOUNTS.)
Drive:
Delete: Will delete the file from the drive.
Quarantine: Will place the file into a folder named CAM_Quarantine in the administrative g-drive.
Revoke Sharing From Outside Domain: Will remove the share if it is coming from an outside domain.
Warn User: Send the user who triggered the violation an email warning them of their behavior.
Email:
Delete: This will delete the e-mail as soon as it is found to contain risk.
Quarantine: Will move the e-mail into the user's trash folder.
Warn User: Send the user who triggered the violation an email warning them of their behavior.
Shared Drive:
Delete: This will delete the e-mail as soon as it is found to contain risk.
Warn User: Send the user who triggered the violation an email warning them of their behavior.
Hangout:
Warn User: Send the user who triggered the violation an email warning them of their behavior.
STEP NINE:
Once you have chosen your remediation options (if any), the next step is to choose when remediation options will occur. Options include...
Immediately: The action will occur as soon as the policy is violated.
One Day: In 24 Hours the remediation will occur.
Three Days: In three days the remediation will occur.
One Week: In one week the remediation will occur.
Two Weeks: In two weeks the remediation will occur.
STEP TEN:
Choose who will be notified if a remediation does occur.
Notify User: Notify the user that caused the policy violation to occur.
Notify Admin: Notify the Cloud Access Monitor Admin of the infraction.
STEP ELEVEN:
Define alternate admin contacts if desired. If the "Send email to" checkbox is left blank, policy violation emails will be sent to the email defined in step four at the top of the page. This can be a single address or a comma-separated list of email addresses that will receive policy violation alerts for this policy only.
STEP TWELVE:
Select the save button at the bottom right of the window.
NOTE:
Enable / Disable: To enable or disable a policy, simply click the enable button found on the policy window.
Edit: To edit an existing policy click the edit pencil on the right side of the policy window.
Delete: To delete a policy, simply click the trash can icon on the right side of the policy window.