Juniper Secure Edge Application User Guide

Copyright and disclaimer
Copyright © 2023 Lookout, Inc. and/or its affiliates. All rights reserved.
Lookout, Inc., Lookout, the Shield Logo, and Everything is OK are registered trademarks of Lookout, Inc. Android is a trademark of Google Inc. Apple, the Apple logo, and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. UNIX is a registered trademark of The Open Group. Juniper Networks, Inc., Juniper, the Juniper logo, and Juniper Marks are registered trademarks of Juniper Networks, Inc.
All other brand and product names are trademarks or registered trademarks of their respective holders.
This document is provided under a license agreement containing restrictions on its use and disclosure and is protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means.
The information contained in this document is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
This document may provide access to, or information on content, products and services from third parties. Lookout, Inc. and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to thirdparty content, products, and services. Lookout, Inc. and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
2023-04-12

About Juniper Secure Edge

Juniper Secure Edge helps you secure your remote workforce with consistent threat protection that follows users wherever they go. It provides full-stack Security Service Edge (SSE) capabilities to protect web, SaaS, and on-premises applications and provides users with consistent and secure access from anywhere.
It includes key SSE capabilities including Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) to protect user access on SaaS applications and ensures that sensitive data in those applications doesn’t leave your network if you don’t want it to.
Benefits of Juniper Secure Edge

Secure user access from anywhere—Support your remote workforce in the office, at home, or on the road with secure access to the applications and resources they need. Consistent security policies follow users, devices, and applications without copying or recreating rule sets.
Single policy framework from a single UI—Unified policy management from the edge through the data center means fewer policy gaps, elimination of human error, and a more secure environment.

Dynamic user segmentation—Follow-the-user policy provides automated access control to employees and third-party contractors through granular policy, locking down third-party access as an attack vector.
Protect access to applications on-premises and in the cloud—Reduce risk by leveraging effective threat prevention services proven to be the most effective on the market by multiple third-party tests to inspect traffic, ensuring secure access to web, SaaS, and on-premises applications from anywhere.

Transition at a pace that is best for your business—Juniper meets you where you are on your journey, helping to leverage the cloud-delivered security capabilities of Secure Edge for both onpremises edge security at the campus and branch, and for your remote workforce, working from anywhere.

Cloud Access Security Broker
CASB provides visibility into SaaS applications and granular control to ensure authorized access, threat prevention, and compliance.
Using Juniper’s CASB, you can:

Apply granular controls to ensure authorized access, threat prevention, and compliance.
Secure your data from unauthorized or inadvertent access, malware delivery and distribution, and data exfiltration.

Allow organizations to leverage their existing technology investments, whether you are starting on-premises with campus and branch, in the cloud with remote workforce, or a hybrid approach.

Data Loss Prevention
Juniper’s DLP classifies and monitors data transactions to ensure compliance requirements and data security. Juniper’s DLP reads files, classifies content (for example, credit card numbers, social security numbers, and addresses), and tags the file as containing a specific category of data. Using your organization’s DLP policy, you can add granular controls and add tags (for example, HIPAA and PII) to the files. If anyone attempts to remove the data from your organization, Juniper’s DLP stops that from happening.

Getting started

The following sections provide instructions for the next steps after you have deployed Juniper Secure Edge:

Logging in for the first time

Viewing feature walkthroughs
Accessing product information, documentation, and customer support

Managing your password and logging out

Once you log in, you will be provided with options for onboarding cloud applications.
Logging in for the first time
After your enterprise has purchased Juniper Secure Edge, you will receive an email with a link that provides a username and a temporary password. Click the link.
The username you see in the Create Account screen is prepopulated from the email.

Enter the temporary password.
In the Password field, enter a new password for future use. Hints are provided as a guide to the type and number of characters allowed.

Re-enter the new password in the Confirm Password field and click Create.

Note
The email link and temporary password expire in 24 hours. If more than 24 hours have passed before you see this email, contact Support to get a new temporary link and password.
When you have completed the login steps, the initial welcome screen appears.
When you are ready to onboard unsanctioned or sanctioned cloud applications, select these areas from the Management Console:

To initiate cloud discovery for unsanctioned cloud applications: Choose Administration > Log Agents to upload log files and create log agents.
To onboard sanctioned cloud applications: Choose Administration > App Management. Then, follow the instructions for onboarding cloud applications.

Viewing feature walkthroughs
Click the i menu to view a list of how-to walkthroughs of Juniper Secure Edge features.
Accessing product information, documentation, and customer support
Click the question mark icon to display the help menu.
Version information
Click the About link.
Documentation and videos
The following links are available:

Walkthrough Videos – Opens the Walkthrough Videos page, with links to videos about product features.
You can also access links to feature videos from any Management Console page that displays a video link at the upper right.

Online Help – Opens the online help for the product. The help includes a clickable Table of Contents and an index for searching.
Documentation – Opens a link to a downloadable PDF of the Juniper Secure Edge CASB and DLP Administration Guide.

Customer support
You can contact Juniper Networks Technical Assistance Center (JTAC) 24 hours a day, seven days a week on the Web or by telephone:

Juniper Support Portal: https://supportportal.juniper.net/

Note
If this is your first time requesting support, please register and create an account at: https://userregistration.juniper.net/

Telephone: +1-888-314-JTAC (+1-888-314-5822), toll free in U.S., Canada, and Mexico

Note
For international or direct-dial options in countries without toll free numbers, see https://support.juniper.net/support/requesting-support. If you are contacting JTAC by telephone, enter your 12-digit service request number followed by the pound (#) key for an existing case, or press the star (*) key to be routed to the next available support engineer.
Managing your password and logging out
Use the following procedures to change your password, reset a forgotten password, and log out.
Changing your administrative password

Click the Profile icon.
Click Change Password.
Enter your current password in the Old Password field.
Enter your new password in the New Password and Confirm Password fields.
Click Update.

Resetting a forgotten password
If you forgot your password, perform the following steps to reset it.

From the Login screen, click Forgot your password?.
In the Forgot Password screen, enter your username and click Reset.
You will receive an email with a temporary password and a link to reset your password.
This temporary password will expire in 24 hours. If more than 24 hours have passed since you received your temporary password, you will see a Token Expired message when you try to enter your temporary password. If this happens, repeat the first two steps to receive a new temporary password.
In the email, click the link for the new temporary password.
The Forgot Password dialog box is displayed with your first name, last name, and username filled in.
Enter the temporary password provided. If you copy and paste the temporary password from the email instead of typing it, be sure not to copy any extra spaces or characters.
Enter your new password in the New Password and Confirm New Password fields. As you type, tooltips appear at the right that provide guidance for the required format and number of characters.
Click Create.

Logging out
Click the Profile icon and click Logout.

Onboarding cloud applications and suites

The following sections provide instructions for configuring and onboarding cloud applications and application suites. Once cloud applications are onboarded, you can create and configure policies for those cloud applications.
For Secure Web Gateway (SWG), you can also create and configure policies for web access.
Supported sanctioned cloud applications
Juniper Secure Edge supports the following cloud types:

Atlassian
AWS
Azure

Box
Dropbox
Egnyte

Google Cloud
Google Drive
Now

OneDrive
Salesforce
ServiceNow

SharePoint
Slack
Teams

Support is available for custom applications you create to meet your specific data security needs.
For each cloud application you onboard, you will need to provide a service account with login credentials for the managed administrative user of that application. These application-specific login credentials enable the administrator to manage the account details for an application and monitor user activity for it.
Note
Juniper Secure Edge does not store cloud-specific administrator credentials.

Onboarding process overview
Some onboarding steps vary depending on the cloud you are onboarding and the types of protection you choose. The following overview summarizes the onboarding procedure.
From the Management Console, select Administration > App Management.

Click New. Then, perform the following steps.
Enter basic information

Choose a cloud application type.
(Required) Enter a name for the new cloud application. Use only alphabetical characters, numbers, and the underscore character (_). Do not use spaces or any other special characters.

(Optional) Enter a description for the new application.

For application suites, select applications
If you are onboarding a cloud type that is an application suite, you will be prompted to select the applications in that suite that you want to protect. Click the check marks for the applications to include.
Select protection modes
Depending on the cloud type you chose, some or all of the following protection modes will be available.
For suites, the selected protection modes apply to the entire suite.

API Access – Provides an out-of-band approach to data security; performs ongoing monitoring of user activities and administrative functions.

Cloud Security Posture – Used for cloud types for which you want to apply Cloud Security Posture Management functionality.
Cloud Data Discovery — Used for cloud types for which you want to apply Cloud Data Discovery functionality.
Select one or more protection modes, depending on the type of protection you want to enable for a cloud. You can create policies for the cloud application based on the protection modes you choose.

Click Next.

Select configuration settings
You will need to set configuration information for the cloud application you are onboarding. These configuration settings will vary, depending on the cloud type and the protection modes you choose.
Enter authorization information
For most protection modes, you will need to go through an authorization step by logging in to the cloud application with your administrator credentials for the account.
Save the onboarded cloud application

Click Next to view a summary of information about the new cloud application. The summary shows the cloud type, name and description, the selected protection modes, and other information, depending on the cloud type and selected protection modes for the cloud application.

Click Previous to correct any information or click Save to confirm the information.
The new cloud application is added to the App Management page.

The display in the grid shows the following information:

The name of the cloud application.
A description (if provided). To view the description, hover over the information icon next to the cloud application name.
The protection modes available for cloud application. Each icon represents a protection mode.
The protection modes you selected for this cloud appear in blue; those not selected for this cloud appear in gray. Hover over each icon to see its protection type.

The key assignment status. The orange icon at the upper right indicates that the application is waiting for a key to be assigned. You can assign a key now or do so later. Once you assign a key to the cloud application, the orange icon is replaced by a green check mark.
The user ID (email address) of the administrator user who onboarded the application.
The date and time the application was onboarded.

The following sections provide instructions for onboarding cloud applications and suites.
Onboarding Microsoft 365 suite and applications
This section outlines the procedures for onboarding a Microsoft 365 suite and applications and enabling audit logging.
Note
The following user roles are required for onboarding.

Office Apps Administrator
SharePoint Administrator

Teams Administrator
Application Administrator
Cloud Application Administrator

Guest Inviter
Privileged Authentication Administrator
Privileged Role Administrator

Global Reader
Compliance Administrator
Compliance Data Administrator

Configuration steps
Microsoft 365 application suite
CASB can provide protection options to the entire suite of Microsoft 365 applications, including Microsoft Teams in addition to OneDrive and SharePoint.
The Microsoft 365 cloud type is an application suite. You can onboard the suite, and then select the applications for which to apply protection. Some configurations, such as key management, will apply to the entire suite and cannot be specified by application. Other configurations can be customized for each application in the suite.
CASB provides a dedicated dashboard for monitoring activity in the Microsoft 365 suite applications. You can select the Microsoft 365 dashboard from the Monitor menu.
Turning on audit log search and verifying mailbox management by default
For monitoring of applications in the Microsoft 365 suite, you must configure settings for these options: Turn on audit log search. You must turn on audit logging in the Microsoft Security & Compliance Center before you can start searching the Microsoft 365 audit log. Turning on this option enables user and administrator activity from your organization to be recorded in the audit log. The information is retained for 90 days.
For more details and instructions about how to turn on audit log search and turn it off, see https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off

SharePoint / OneDrive
Creating sites for new SharePoint or OneDrive users
When new users are added to a SharePoint or OneDrive account, you must perform the following procedure to start monitoring and protecting data in the personal sites for these users. You should also perform a user sync.
Perform the following steps to add sites for new SharePoint or OneDrive users.

Go to Admin > SharePoint admin center > user profiles > My Site Settings > Setup My Sites.
Under Setup My Sites, check Enable My Site secondary admin, and select the admin as the site admin.
Go to User Profiles > Manage User Profiles.

Under Manage User Profiles, right-click the user’s profile, and click Manage site collection owners. User profiles are not displayed by default. They appear only when you search for them.The site admin should now appear in the list of site collection administrators.

Creating a Quarantine site in SharePoint
You must create a SharePoint site called Quarantine-Site to enable the Quarantine action to work.
Onboarding steps

Go to Administration > App Management and click Add New.
Choose Office 365. This is the Office 365 application suite.
Click Next.

Enter a Name (required) and a Description (optional) for the new cloud application. For the name, use only alphabetical characters, numbers, and the underscore character (_). Do not use spaces or any other special characters.
Select the Microsoft 365 applications in the suite that you want to protect. The named applications are the specific applications that are supported. The Other Apps selection includes any unsupported or partially supported applications such as Calendar, Dynamics365, Excel, Word, Planner, Sway, Stream, and Video.
Click Next.

Select one or more protection modes. The protection options you see vary, depending on the Microsoft 365 applications you selected in the previous step, and will apply to those applications. You cannot select protection modes for individual applications.

API Access	Available for all Microsoft 365 applications. Must be also enabled if you enable Dynamic or Cloud Data Discovery.
Cloud Security Posture	Available for all Microsoft 365 applications. Select this mode if you want to implement Cloud Security Posture Management (CSPM) functionality, also known as SaaS Security Posture Management (SSPM) functionality, for this cloud. For more information about CSPN, see Cloud Security Posture Management (CSPM).
Cloud Data Discovery	Available for OneDrive and SharePoint applications. Select this mode if you want to implement Cloud Data Discovery functionality for this application. Also requires API Access to be enabled.

Click Next.
Enter the following configuration information. The fields you see depend on the protection modes you selected.● Proxy
● The Custom HTTP Header Name and Custom HTTP Header Value fields are configured on the cloud level (as opposed to the cloud application level). If this is the first Microsoft 365 cloud application you are onboarding, the values you enter in these two fields will apply to all other Microsoft 365 cloud applications you onboard. If this is not the first Microsoft 365 cloud application you are onboarding, these field values will be initialized from the first Microsoft 365 cloud you onboarded.
The remaining fields are configured for the cloud application you are onboarding. Enter values as needed.
● Login Domain Prefix — For example, companyname.com (as in<username>@companyname.com)
● Specific Domains – Microsoft 365-specific domain names that need to be redirected. Enter or select domains for this cloud application.
● Tenant Identifier Domain Prefix — For example, casbprotect (as in casbprotect.onmicrosoft.com)
● API Settings (required only for API Access protection mode) —
● Content Collaboration Scan – Toggle is enabled by default. This setting enables events for File CheckIn/CheckOut to be processed. If this toggle is disabled, these events are not processed.
● Internal Domains — Enter one or more internal domains.
● Archive Settings – Enables archiving of files that are either permanently deleted or replaced by Content Digital Rights policy actions. Archived files (including those for SharePoint and Teams) are placed in an Archive folder under a CASB Compliance Review folder created for the cloud application. You can then review the files and restore them if needed.
Notes
● If you onboard Microsoft Teams as a Microsoft 365 application, be sure that an Active Sync directory is created, because the Azure AD is the source of user information. To create a directory, go to Administration > Enterprise Integration > User Directory.
● When the authorized administrator for a cloud account is changed, previously archived content in the CASB Compliance Review folder that is owned by the previous administratorshould be shared with the new authorized administrator to enable archived data to be reviewed and restored.
The Archive Settings option is available for onboarded cloud applications with API Access protection mode selected.
Two options are available:
● Remove from Trash
● ArchiveFor Permanent Delete policy actions, both options are disabled by default; for Content Digital Rights, they are enabled by default.
Note
For OneDrive cloud applications (Microsoft 365), files for non-administrator user accounts are not removed from the Trash when the Remove from Trash flag is enabled.
Click the toggles to enable or disable the settings. If you select the Archive action, you must also select the Remove from Trash option for archiving to be enabled.
Enter the number of days for which to retain archived files. The default value is 30 days.
● Authorization — Authorize the Microsoft 365 components. You will need to provide your Microsoft 365 login credentials when prompted. Click the buttons as follows:
● OneDrive and SharePoint — Click each Authorize button. If you did not select either of these applications earlier, these buttons do not appear.
● Office 365 – Clicking Authorize authorizes the Office 365 suite components you selected, except for OneDrive and SharePoint, which must be authorized separately. This authorization is for monitoring only.

Click Next.
View the summary page to verify that all information is correct. If it is, click Next.
The onboarding is complete. The cloud application is added to the list on the App Management page.

Enabling audit logging and managing mailbox auditing
Once you have onboarded a Microsoft 365 suite with applications, you must turn on audit logging in your Microsoft 365 account before you can search the audit log. Event polling will start 24 hours after audit logging is enabled.
For information and instructions regarding about audit logging for Microsoft 365, see the following Microsoft documentation: https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365worldwide

Onboarding Slack Enterprise applications
This section outlines the procedure for onboarding a Slack enterprise cloud application. For these applications, you can choose several protection modes including API Access, which provides expanded access controls that go beyond user IDs, such as denial of logins from non-compliant or compromised devices and from users with patterns of risky behavior.
A non-enterprise Slack application is also available with a smaller number of protection modes.

Onboarding steps

Go to Administration > App Management.

In the Managed Apps tab, click Add New.
Select Slack Enterprise and click Next.
Enter a Name (required) and a Description (optional). Then click Next.

Select one or more protection modes.
● API Access
● Cloud Data Discovery
Enter the information for the selected protection modes.
● For API Settings – Enter or select the following information:
● The API Usage type — Defines how this application will be used with API protection. Check Monitoring & Content Inspection, Receiving Notifications, or Select All.If you select only Receiving Notifications, this cloud application is not protected; and will be used only to receive notifications.
● Enable Review of Quarantine Files — Click this toggle to enable reviewing of tombstoned files through the Slack channel.
● Internal Domains – Enter any internal domains applicable for this application.
● Slack Enterprise Domain (Full Login Domain) — Enter the full domain for your organization. Example: https://<name>.enterprise.slack.com
Click Authorize. Enter Slack credentials when prompted.

Slack displays a prompt requesting that you confirm permissions to access your organization’s messages, modify messages, and view elements from workspaces, channels, and users in your organization.
Click Allow to confirm these permissions.
Authorize one or more workspaces. Click Authorize next to the workspace name to authorize it. At least one workspace must be authorized.
When prompted to install the app in the workspace, click Allow.
Note
If you want to enable additional functionality, each workspace must be onboarded (authorized) separately. If the workspaces are not authorized separately, the following actions will not be supported:
● Encrypt
● Watermark
● Removed external shared link

In response to the prompt for non-discovery access, click Allow.
Click Next. The Key Management page is displayed.
To request a new key now, click Request New Key. The administrator will be notified, and a key will be assigned. Then, click Save. If you want to request a new key later, click Save.

Onboarding the AWS suite and applications
This section outlines instructions for onboarding the AWS suite in CASB. You can choose to perform an automated or manual onboarding depending on your needs.
Automated onboarding
You can onboard the AWS suite automatically using the provided Terraform module.
Onboarding with Terraform

In the Management Console, select Administration > System Settings > Downloads.
Locate the file aws-onboarding-terraform-module-<version>.zip and download it.

Extract the contents of the zip file.
Locate and open the file README-Deployment steps.pdf.
Follow the instructions provided in the README file to complete the automated onboarding.

Manual onboarding
This section outlines instructions for configuring the AWS suite for manual onboarding in CASB, followed by the manual onboarding instructions.
Configuration steps
Before you onboard the AWS application, you must perform a set of configuration steps.
Note: These configuration steps are only necessary if you plan to onboard AWS in API mode. If you plan to onboard AWS in inline mode, skip to Onboarding steps.
To get started, log in to the AWS console (http://aws.amazon.com).

Then, perform the following configuration steps.

Step 1 — Create an Identity Access Management (IAM) DLP policy
Step 2 – Create an IAM Monitor policy
Step 3 – Create an IAM Cloud Security Posture Management (CSPM) policy

Step 4 – Create an IAM Key Management Service (KMS) policy
Step 5 – Create an IAM role for Juniper CASB
Step 6 – Create Simple Queue Service (SQS)

Step 7 – Create a Cloud Trail

Step 1 — Create an Identity Access Management (IAM) DLP policy

Click Services and select IAM.

Select Policies and click Create Policy.
Click the JSON tab.
Copy and paste the following policy information.
{
“Statement”: [
{
“Action”: [
“iam:GetUser”,
“iam:ListUsers”,
“iam:GetGroup”,
“iam:ListGroups”,
“iam:ListGroupsForUser”,
“s3:ListAllMyBuckets”,
“s3:GetBucketNotification”,
“s3:GetObject”,
“s3:GetBucketLocation”,
“s3:PutBucketNotification”,
“s3:PutObject”,
“s3:GetObjectAcl”,
“s3:GetBucketAcl”,
“s3:PutBucketAcl”,
“s3:PutObjectAcl”,
“s3:DeleteObject”,
“s3:ListBucket”,
“sns:CreateTopic”,
“sns:SetTopicAttributes”,
“sns:GetTopicAttributes”,
“sns:Subscribe”,
“sns:AddPermission”,
“sns:ListSubscriptionsByTopic”,
“sqs:CreateQueue”,
“sqs:GetQueueUrl”,
“sqs:GetQueueAttributes”,
“sqs:SetQueueAttributes”,
“sqs:ChangeMessageVisibility”,
“sqs:DeleteMessage”,
“sqs:ReceiveMessage”,
“cloudtrail:DescribeTrails”
],
“Effect”: “Allow”,
“Resource”: “*”,
“Sid”: “LookoutCasbAwsDlpPolicy”
}
],
“Version”: “2012-10-17”
}

Click Review Policy at the lower right portion of the screen.
Name the policy lookout-api-policy and click Create Policy.

Step 2 – Create an IAM Monitor policy

Click Services and select IAM.
Select Policies and click Create Policy.
Click the JSON tab.
Copy and paste the following policy information.
{
“Statement”: [
{
“Action”: [
“cloudtrail:DescribeTrails”,
“cloudtrail:LookupEvents”,
“iam:Get*”,
“iam:List*”,
“s3:AbortMultipartUpload”,
“s3:DeleteObject”,
“s3:GetBucketAcl”,
“s3:GetBucketLocation”,
“s3:GetBucketNotification”,
“s3:GetObject”,
“s3:ListAllMyBuckets”,
“s3:ListBucket”,
“s3:ListMultipartUploadParts”,
“s3:PutBucketAcl”,
“s3:PutBucketNotification”,
“s3:PutObject”,
“s3:ListBucketMultipartUploads”
],
“Effect”: “Allow”,
“Resource”: “*”,
“Sid”: “LookoutCasbAwsMonitorPolicy”
}
],
“Version”: “2012-10-17”
}
Click Review Policy at the lower right portion of the screen.
Give the policy the name lookout-aws-monitor and click Create Policy.

Step 3 – Create an IAM Cloud Security Posture Management (CSPM) policy

Click Services and select IAM.
Select Policies and click Create Policy.
Click the JSON tab.
Copy and paste the following policy information:
{
“Statement”: [
{
“Action”: [
“account:*”,
“cloudhsm:AddTagsToResource”,
“cloudhsm:DescribeClusters”,
“cloudhsm:DescribeHsm”,
“cloudhsm:ListHsms”,
“cloudhsm:ListTags”,
“cloudhsm:ListTagsForResource”,
“cloudhsm:TagResource”,
“cloudtrail:AddTags”,
“cloudtrail:DescribeTrails”,
“cloudtrail:GetEventSelectors”,
“cloudtrail:GetTrailStatus”,
“cloudwatch:DescribeAlarms”,
“cloudwatch:DescribeAlarmsForMetric”,
“cloudwatch:TagResource”,
“config:Describe*”,
“dynamodb:ListStreams”,
“dynamodb:TagResource”,
“ec2:CreateTags”,
“ec2:Describe*”,
“ecs:DescribeClusters”,
“ecs:ListClusters”,
“ecs:TagResource”,
“elasticbeanstalk:AddTags”,
“elasticfilesystem:CreateTags”,
“elasticfilesystem:DescribeFileSystems”,
“elasticloadbalancing:AddTags”,
“elasticloadbalancing:DescribeLoadBalancers”,
“elasticloadbalancing:DescribeTags”,
“glacier:AddTagsToVault”,
“glacier:ListVaults”,
“iam:GenerateCredentialReport”,
“iam:Get*”,
“iam:List*”,
“iam:PassRole”,
“kms:DescribeKey”,
“kms:ListAliases”,
“kms:ListKeys”,
“lambda:ListFunctions”,
“lambda:TagResource”,
“logs:DescribeLogGroups”,
“logs:DescribeMetricFilters”,
“rds:AddTagsToResource”,
“rds:DescribeDBInstances”,
“redshift:CreateTags”,
“redshift:DescribeClusters”,
“s3:GetBucketAcl”,
“s3:GetBucketLocation”,
“s3:GetBucketWebsite”,
“s3:ListAllMyBuckets”,
“s3:ListBucket”,
“s3:PutBucketTagging”,
“sdb:ListDomains”,
“secretsmanager:ListSecrets”,
“secretsmanager:TagResource”,
“sns:GetTopicAttributes”,
“sns:List*”,
“tag:GetResources”,
“tag:GetTagKeys”,
“tag:GetTagValues”,
“tag:TagResources”,
“tag:UntagResources”
],
“Effect”: “Allow”,
“Resource”: “*”,
“Sid”: “LookoutCasbAwsCspmPolicy”
}
],
“Version”: “2012-10-17”
}
Click Review Policy.
Give the policy the name lookout-cspm-policy and click Create Policy.

Step 4 – Create an IAM Key Management Service (KMS) policy
Perform the following steps if the S3 bucket has KMS enabled.

Click Services and select IAM.
Select Policies and click Create Policy.
Click the JSON tab.
From an S3 bucket, obtain the KMS key for the KMS policy information.
a. Click an S3 bucket.
b. Click Bucket Properties.
c. Scroll to the default encryption section and copy the AWS KMS key ARN.
If different keys are assigned to buckets, you will need to add them under Resource in the policy information (step 5).
Copy and paste the following policy information:
{
“Sid”: “VisualEditor0”,
“Effect”: “Allow”,
“Action”: [
“kms:Decrypt”,
“kms:Encrypt”,
“kms:GenerateDataKey”,
“kms:ReEncryptTo”,
“kms:DescribeKey”,
“kms:ReEncryptFrom”
],
“Resource”: [“<AWS_KMS_key_ARN>”
] }
Click Review Policy.
Give the policy the name lookout-kms-policy and click Create Policy.

Step 5 – Create an IAM role for Juniper CASB

Click Roles and select Create role.
Select Role Type: Another AWS Account.
For Account ID, obtain this ID from the Juniper Networks team. This is the account ID for the AWS account in which the tenant Management Server is onboarded.
Under Options, check Require External ID.
Enter the following information:
● External ID – Enter a unique attribute to be used while onboarding AWS S3 in CASB.
● Require MFA – Do not check.
Click Next: Permissions.
Assign the policies created in the first three steps according to the desired protection modes. For example, if you need only an S3 DLP policy, select only lookout-casb-aws-dlp policy.
Click Next: Tags and (optional) enter any tags you want to include to the Add Tags page.
Click Next: Review.
Enter a Role Name (for example, Juniper-AWS-Monitor) and click Create Role.
Search for the role name you created and click it.
Copy the role ARN and enter it in the Role ARN field.
Copy the External ID from the Roles > Trust relationships tab > Lookout-AWS-Monitor summary view > Conditions.

Step 6 – Create Simple Queue Service (SQS)

Under Services, go to Simple Queue Service (SQS).
Click Create New Queue.
Enter a Queue Name and select Standard Queue as the queue type.
Go to the Access Policy section.
Select Advanced and paste the following policy information.
{
“Version”: “2008-10-17”,
“Id”: ” default_policy_ID”, “Statement”: [
{
“Sid”: ” owner_statement”, “Effect”: “Allow”, “Principal”: {
“AWS”: “*”
},
“Action”: “SQS:*”, “Resource”:
“arn:aws:sqs:<SQS_REGION>:<AWS_ACCOUNT_ID_OF_CURRENT>:<SQS_QUEUE_NAME>”
},
{
“Sid”: ” s3_bucket_notification_statement”, “Effect”: “Allow”,
“Principal”: {
“Service”: “s3.amazonaws.com”
},
“Action”: “SQS:*”, “Resource”:
“arn:aws:sqs:<SQS_REGION>:<AWS_ACCOUNT_ID_OF_CURRENT>:<SQS_QUEUE_NAME>”
}
] }
Click Create Queue.

Step 7 – Create a Cloud Trail

From Services, go to Cloud Trail.
Select Trails from the left panel.
Click New Trail and enter the following information.● Trail name – ccawstrail (for example)
● Apply trail to all regions – check Yes.
● Management events —
● Read/Write events – Check All.
● Log AWS KMS events – Check Yes.
● Insight events – check No.
● Data Events (optional) – Configure data events if you want to see activity audit logs and AWS monitoring screens.● Storage location –● Create a new S3 bucket – Check Yes to create a new bucket or No to pick up existing buckets in which to store logs.
S3 bucket – Enter a name (for example, awstrailevents).
Click CreateTrail at the bottom of the screen.
Under Buckets, go to the bucket that stores the CloudTrail logs (for example, awstrailevnts).
Click the Properties tab for the bucket.
Go to the Event Notifications section and click Create event notification.
Enter the following information for the notification.
● Name – any naming (for example, SQS Notification)
● Event Types – Check all object create events.
● Filters – Enter any filters to apply to the notification.
● Destination – Select SQS Queue.
● Specify SQS Queue – Select LookoutAWSQueue (select the SQS queue created in Step 5.)
Click Save Changes.
The event is created.

Onboarding steps

Go to Administration > App Management and click New.
Select AWS from the dropdown list.
Enter a Name (required) and a Description (optional) and click Next.
For the application, check Amazon Web Services and click Next.
Select one or more of the following protection models by clicking the toggle for each protection model to include.
● Cloud Authentication
● API Access
● Cloud Security Posture
Click Next.
Notes
● To onboard AWS in API mode, choose API Access.
● Cloud Security Posture Management (CSPM) provides tools to monitor resources used in your organization and assess security risk factors against security best practices for AWS cloud applications. To enable use of CSPM, you must choose Cloud Security Posture as a protection mode.
If you selected API Access:
a. Click the AWS Monitoring toggle and enter the following information in the API section of the Configuration page. This is the information you had generated in Step 2 of the configuration steps (Create an Identity Access Management (IAM) role for CASB).
i. External ID
ii. Role ARN
iii. SQS Queue Name and SQS Region (see Step 6 – Create Simple Queue Service [SQS])b. In the Authentication section, click the Authorize button and click Next.
A popup message appears prompting you to confirm that the required policies (according to the selected protection modes) are assigned to the role.
Note: Be sure your browser is configured to allow pop-ups to be displayed.
c. Click Continue to confirm that the required policies are displayed.
When the authorization is complete, a green checkmark appears next to the Authorize button, and the button label now reads Re-Authorize.
d. Click Next to display a summary of the onboarding settings.
e. Click Save to complete onboarding.
The new cloud application is displayed as a tile on the App Management page.

Onboarding Azure applications
This section outlines the procedures for onboarding Azure cloud applications. For Azure Blob Storage onboarding instructions, see the next section.
Configuration steps
To use the CSPM feature for an Azure account, you need a Service Principal that has access to the corresponding subscription.
The Service Principal should have the Reader or Monitoring Reader role with access to Azure AD user, group, or service principal and associated Client Secret.
Before onboarding, you should have the Subscription ID of the account, and the following information from the Service Principal:

Application (Client) ID
Client Secret
Directory (Tenant) ID

Onboarding steps

From the Management Console, select Administration > App Management, and click Add New.
Select Azure. Then, enter the details for the application.
Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
Select one or more of the following protection modes for the application and click Next.
● Cloud Authentication
● API Access
● Cloud Security Posture
The Cloud Security Posture mode is required if you want to implement Cloud Security Posture Management (CSPM) functionality.
Depending on the protection modes you selected, enter the required configuration details.● If you selected App Authorization, no additional configuration is required. Click Next to view the summary information.
● If you selected API Access, no additional configuration is needed other than authorization. Go to the Authorization step.
● If you selected Cloud Security Posture, enter the following information from the Azure configuration steps you performed earlier.
● Service Principal’s Application Id
● Service Principal’s Client Secret
● Service Principal’s Directory Id
● Subscription Id
● Sync Interval (1-24 Hrs) is how often (in hours) that CSPM will retrieve information from the cloud and refresh the inventory. Enter a number.
Click Authorize and enter your Azure login credentials.
Review the summary information to verify that it is correct. If it is, click Save to complete onboarding.

Onboarding Azure Blob applications
This section outlines the procedures for onboarding Azure Blob Storage cloud applications.
Notes

Juniper Secure Edge does not support Azure Data Lake Storage generation 2 storage accounts.
Juniper is unable to log activity or take actions on blobs using this storage type.
Juniper Secure Edge does not support content-related actions on immutable containers, due to retention and legal hold policies enforced by Azure.

Configuration steps
In preparation for onboarding Azure Blob, do the following:

Ensure that you have an active Azure account and that you have the Subscription ID of the account.
Ensure that your Azure subscription has at least one storage account with the storageV2 type.
Ensure that you have a storage account to use for quarantine actions. You will be prompted to select the storage account during onboarding. You can use an existing storage account, or, if you prefer, create a new dedicated storage account for quarantine.
Create a new custom role at the subscription level, and assign it to an admin account. This will be used for authorization on the Management Console. See details for this step below.
Ensure that your Azure account has the EventGrid resource registered. See details for this step below.

Creating a custom role

Copy the following code into a new text document.
{“properties”:{“roleName”:”lookoutcasbrole”,”description”:”Lookout casb role”,”assignableScopes”:[“/subscriptions/<SubscriptionID>”],”permissions”:[{“actions”:[“Microsoft.Storage/storageAccounts/read”, “Microsoft.Storage/storageAccounts/encryptionScopes/read”,”Microsoft.Storage/storageAccounts/blobServices/read”,”Microsoft.Storage/storageAccounts/blobServices/containers/read”,”Microsoft.Storage/storageAccounts/blobServices/containers/write”,”Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read”,”Microsoft.Storage/storageAccounts/queueServices/read”,”Microsoft.Storage/storageAccounts/queueServices/queues/write”,”Microsoft.EventGrid/eventSubscriptions/delete”,”Microsoft.EventGrid/eventSubscriptions/read”,”Microsoft.EventGrid/eventSubscriptions/write”,”Microsoft.Storage/storageAccounts/write”,”Microsoft.Storage/storageAccounts/listkeys/action”,”Microsoft.EventGrid/systemTopics/read”,”Microsoft.EventGrid/systemTopics/write”,”Microsoft.Insights/eventtypes/values/Read”,”Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/read”],”notActions”:[],”dataActions”: “Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read”,”Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write”,”Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete”,”Microsoft.Storage/storageAPost-onboarding tasks 78Configuring tenants for user access and session activity 80Managing users 82Configuring CASB for enterprise integration 88ccounts/blobServices/containers/blobs/add/action”,”Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action”,”Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action”,”Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action”,”Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action”,”Microsoft.Storage/storageAccounts/queueServices/queues/messages/read”,”Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete”],”notDataActions”:[]}]}}
Replace the text “<Subscription-ID>” with the subscription ID for your Azure account. If desired, you can also replace the roleName and description values.
Save the text file with a .json extension.
In the Azure console, navigate to Azure Subscription > Access Control (IAM).
Click Add and select Add custom role.
For Baseline Permissions, select Start from JSON.
Use the file browser to select and upload the .json file that you saved in step 2 above.
If needed, enter or update the name and (optional) description of your new role.
Select Review + Create to see all settings for your new role.
Click Create to finish creating the new role.
Assign the new role to a user with admin permissions on your Azure account.

Registering the EventGrid resource

In the Azure console, navigate to Azure Subscription > Resource Providers.
Use the filter field to search for Microsoft.EventGrid. Select it and click Register.

Onboarding steps

From the Management Console, select Administration > App Management and click +New.
Select Azure. Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Click Next.
Select Microsoft Azure Blob Storage and click Next.
Select API Access (required). If needed, you can also select Cloud Security Posture (optional). Click Next.
For both Azure and Azure Blob Storage, click the Authorize button and enter the credentials for the account that you assigned your new role to in the previous section. If prompted, click Accept to give Juniper permissions on your Azure account.
After you have authorized both accounts, the Subscription Id field appears. Select your Azure subscription.
The Destination Storage Account field appears. Select the storage account that you want to use as a quarantine container.
Click Next.
Ensure that the details shown on the summary page are correct. If they are, click Next to finish onboarding.

Onboarding the Google Workspace suite and applications
This section outlines the procedures for onboarding Google Workspace (formerly G Suite) along with Google Drive applications.
Configuration steps
The enterprise account used for Google Drive must be part of the Google Workspace business plan.
The authenticated user must be an administrator with super admin privileges.
Updating API access settings

Log in to the Google Workspace application and click Security from the left panel.
Under Security, click API controls.
Scroll down and click Manage Domain-wide Delegation.
Click Add New.
Enter the Client ID:
102415853258596349066
Enter the following OAuth scopes:
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.activity.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/userinfo.email
Click Authorize.

Updating folder access information

From the left panel, click Apps > Google Workspace > Drive and Docs.
Scroll down and click Features and Applications.
Make sure that Drive SDK is on.

Onboarding steps in CASB

From the Management Console, select Administration > App Management and click New.
Select Google Workspace from the list.
Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
Select Google Drive application.
Click Next and select one or more protection models.
The available protection models depend on the applications you selected in the previous step. The following table lists the protection modes available for each Google Workspace application.

Google Workspace application Protection models available

Google Drive API Access
Cloud Data Discovery

Note
Some protection models require one or other models to be enabled or must be selected for specific functions.
Cloud Data Discovery must be selected if you want to implement Cloud Data Discovery (CDD) for this cloud application. You must also select API Access protection mode as well.
Click Next.
Enter the following configuration information. The fields you see depend on the protection modes you selected.
● API Settings (required for API Access protection mode)● Internal domains – Enter necessary internal domains, along with enterprise business domain.
● Archive Settings (for Google Drive) — Enables archiving of files that are either permanently deleted or replaced by Content Digital Rights policy actions. Archived files are placed in an Archive folder under a CASB Compliance Review folder created for the cloud application. You can then review the files and restore them if needed.
Note
When the authorized administrator for a cloud account is changed in CASB, previously archived content in the CASB Compliance Review folder that is owned by the previous administrator should be shared with the new authorized administrator to enable archived data to be reviewed and restored.
Two options are available:
● Remove from Trash
● ArchiveFor Permanent Delete policy actions, both options are disabled by default; for Content Digital Rights, they are enabled by default.
Click the toggles to enable or disable the settings.
Enter the number of days for which to retain archived files. The default value is 30 days.
● Authorization — If you selected Google Drive as one of your Google Workspace applications, authorize Google Drive and click Next.Review the instructions in the screen that appears and click Continue to authorize access to your Google Drive account. Enter your account credentials.
In the Summary page, review the summary information to verify that all information is correct. If it is, click Save to complete onboarding.

Onboarding Google Cloud Platform (GCP)
This section outlines procedures for configuration and onboarding of Google Cloud Platform applications.
Configuration steps

Create a service account in GCP Org. For more information, go to https://cloud.google.com/docs/authentication/getting-started
Create an OAuth client ID.
a. In the Google Cloud Platform, go to the Credentials page. b. From the Projects list, select the project containing your API.
c. From the Create Credentials dropdown list, select OAuth client ID. d. From the dropdown list, select Web application as the application type. e. In the Application field, enter a Name. f. Fill in the remaining fields as needed.
g. To add a redirect URL, click Add URL. h. Enter the redirect URL and click Create. A message appears with the client ID and the client secret. You will need this information when you onboard the Google Cloud Platform application.

Onboarding steps

From the Management Console, select Administration > App Management, and click New.
Select GCP from the dropdown list.
Tip
To find an app, enter the first few characters of the app name, then select the app from the search results.
Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
Select one or more protection models and click Next. The options are
● API Access
● Cloud Security Posture
Enter the following configuration information. The fields you see depend on the protection models you selected in the previous step.
● If you selected API Access, enter:
● Client Id
● Client Secret
This is the information created during the GCP pre-onboarding configuration steps. Be sure to enter exactly the same information in the Client ID and Client Secret fields here.● If you selected Cloud Security Posture, enter:
● Service Account Credentials (JSON) –The service account credentials for the JSON file you downloaded in the configuration steps.
● Sync Interval (1-24 Hrs) – How often CSPM will retrieve information from the cloud and refresh the inventory. Enter a number.
Click Authorize. ● If you selected only Cloud Security Posture, the Summary page appears. Review it and save the new GCP application to complete onboarding.
● If you selected API Access or both API Access and Cloud Security Posture, enter your GCP account login credentials when prompted.
Note
● If you entered an invalid client secret or client ID on the Configuration page, an error message will appear after you click Authorize. Review your client secret and client ID entries, make any corrections, and click Authorize again. Once the system recognizes the entries as valid, enter your GCP login credentials when prompted.
After your GCP login credentials have been accepted, save the new GCP cloud application to complete onboarding.

Onboarding Dropbox applications
This section outlines procedures for onboarding Dropbox cloud applications.

From the Management Console, select Administration > App Management, and click New.
From the Choose an app list, select Dropbox.
Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
From the Configuration page, select one or more protection models:
● API Access
● Cloud Data Discovery (CDD)
Enter the following configuration information. The fields you see depend on the protection models you selected in the previous step.
● If you selected API Access, enter one or more internal domains.
You can also configure Archive Settings. These settings enable archiving of files that are either permanently deleted or replaced by Content Digital Rights policy actions. Archived files are placed in an Archive folder under a CASB Compliance Review folder created for the cloud application. You can then review the files and restore them if needed.
Note
When the authorized administrator for a cloud account is changed, previously archived content in the CASB Compliance Review folder that is owned by the previous administrator should be shared with the new authorized administrator to enable archived data to be reviewed and restored.
The Archive Settings option is available for onboarded cloud applications with API Access and Cloud Data Discovery protection modes selected.
Two options are available:
● Remove from Trash
● ArchiveFor Permanent Delete policy actions, both options are disabled by default; for Content Digital Rights, they are enabled by default.
Click the toggles to enable or disable the settings. If you select the Archive action, also select the Remove from Trash option.
Enter the number of days for which to retain archived files. The default value is 30 days.
Then, click Authorize, and enter your Dropbox administrator login credentials.
Click Next and review a summary to verify that all information is correct. If it is, click Save. The new cloud application is added to the App Management page.

Onboarding the Atlassian Cloud suite and applications
This section outlines procedures for onboarding the Atlassian cloud suite and applications.
Note: For the Confluence application, you must have an enterprise account. CASB does not support free Confluence accounts.

From the Management Console, select Administration > App Management and click New.
Select Atlassian from the app list.
Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next.
Select the applications in the suite to include and click Next.
Select API Access protection model.

Entering configuration settings for protection models
Enter required configuration information for the protection models you selected.
API Access

Enter the following API access information. ● API Token (Confluence applications only) – Enter an API token. To create an API token from your Atlassian account, see the following section, Generating an API Token.
● Polling Timezone (Confluence applications only) – Select a time zone for polling from the dropdown list. The selected time zone must be the same as that of the cloud application instance, not the time zone of the user.
● Authorization – Click the Authorize button next to each app included in the suite.
When prompted, click Accept to authorize domain access for each of the selected apps. The Authorize button labels will now say Re-Authorize.
● Domains – For each app included in the suite, select the applicable domain or accept the domain shown. Select only domains that are included in the access authorization in the previous step.
Click Next.
Review the information on the Summary page. Click Save to save and onboard the application.

Generating an API token (Confluence applications only)
You can generate an API token from your Atlassian account.

Log into your Atlassian account.
Select Administration from the left menu.
From the Administration page, select API Keys from the left menu.
Any API keys you created previously are listed.
Click Create New Key to generate a new key.
Give the new key a name and select an expiration date. Then, click Create.

The new API key is created and is added to the list of keys on the Administration page. For each key, the system generates an alphanumeric string that serves as the API token. Enter this string in the API Token field in the CASB Management Console.

Onboarding Egnyte applications
This section outlines the procedure for onboarding an Egnyte cloud application.

Go to Administration > App Management and click New.
Choose Egnyte from the dropdown list and click Next.
Enter a Name (required) and a Description (optional). The name must include only alphanumeric characters, with no special characters other than the underscore, and no spaces. Then, click Next
Select API Access protection mode.
Click Next and enter the following configuration information, depending on the protection modes you selected.
If you selected API Access, click Authorize Egnyte, and enter your Egnyte login credentials.
Enter a domain name associated with your Egnyte account and click Continue.
Once your authorization is successful, save the new cloud application.

Onboarding Box applications
This section outlines prerequisite configuration and onboarding steps for Box applications.
Configuration steps in the Box Admin Console
For connectivity to Box cloud applications, several user account settings are required to enable proper policy creation and visibility into Box user activities.
Perform the following steps to configure the ADMIN account for a Box cloud application.
Note
The ADMIN account is required for authorization of a Box cloud application. Authorization or reauthorization cannot be completed with CO-ADMIN (co-administrator) account credentials.

Log in to Box using the ADMIN credentials for the Box account.
Click the Admin Console tab.
Click the Users icon.
From the Managed Users window, select the admin account you want to validate and use to connect to your Box cloud application.
Expand the User Account information.
In the Edit User Access Permissions window, be sure that Shared contacts / Allow this user to see all managed users is checked.
Note
Do not allow co-administrators to monitor other co-admin activities. Only an administrator should monitor other co-admin activities.
Go to Apps > Custom Apps.
Choose Authorize New App.
In the pop-up window that appears, enter the following string: xugwcl1uosf15pdz6rdueqo16cwqkdi9
Click Authorize.
Click Continue to confirm access to your Box enterprise account.

Onboarding steps in the Management Console

Go to Administration > App Management.
In the Managed Apps tab, click New.
Select Box from the list.
Enter a Name (required) and a Description (optional).
Click Next and select one or more available protection modes:
● API Access
● Cloud Data Discovery
Click Next and enter the configuration information. The fields you see on the Configuration screen depend on the deployment and the protection modes you chose in the previous step.
Enter the information needed for each protection mode you select.
● For Cloud Data Discovery — You must also choose the API Access protection mode.
● For API Access – In the API Settings section, enter a valid Admin Email address for the Box account. This address must be for the Admin account and not for a co-admin account. Then, enter the names of Internal Domains.● For API Access – Archive Settings enable archiving of files that are either permanently deleted or replaced by Content Digital Rights policy actions. Archived files are placed in an Archive folder under a CASB Compliance Review folder created for the cloud application. You can then review the files and restore them if needed.
Note
When the authorized administrator for a cloud account is changed, previously archived content in the CASB Compliance Review folder that is owned by the previous administrator should be shared with the new authorized administrator to enable archived data to be reviewed and restored.
The Archive Settings option is available for onboarded cloud applications with API Access protection mode selected.
Two options are available:
● Remove from Trash
● ArchiveFor Permanent Delete policy actions, both options are disabled by default; for Content Digital Rights, they are enabled by default.
Click both toggles to enable or disable the settings.
Enter the number of days for which to retain archived files. The default value is 30 days.
Note
For Box applications, the original files are not removed from the Trash.
For API Access, enter the Enterprise ID used to authorize access to Box.
When you have entered the required configurations, click Next to authorize access to Box.
In the Grant Access to Box screen, enter the Enterprise ID for this Box account, and click Continue.
In the Log in to Grant Access to Box screen, enter the admin login credentials for the Box account, and click Authorize.
If the administrator has configured an SSO setup, click the Use Single Sign On (SSO) link and enter the credentials to authenticate. Any multi-factor authentication information is submitted.
The Box cloud application is onboarded and added to the list of managed applications in the App Management page.

Onboarding Salesforce applications
Configuration steps
CASB for Salesforce scans standard objects such as Accounts, Contacts, Campaigns, and Opportunities, as well as custom objects.
Enable CRM content
For DLP scanning to work with Salesforce, the Enable CRM setting must be enabled in Salesforce for all users. To enable Salesforce CRM content, log in to your Salesforce account and perform the following steps:

Using the Quick Find box at the top left, search for Salesforce CRM Content.
From the search results, click the Salesforce CRM Content link.
The Salesforce CRM Content settings box appears.
If the Enable Salesforce CRM Content and Autoassign feature licenses to existing and new users options are not checked, check them.

Enable scanning for structured data
If you are working with structured data, be sure that the Structured Data option is enabled.
Enable permissions for DLP scanning
System administrators have global access to Salesforce standard and custom objects. For nonadministrators, the Push Topics and API Enabled permissions must be enabled for DLP to work, as follows.
To set the Push Topics option:

From the Manage Users menu, select Users.
From the All Users page, select a user.
In the User Detail page for that user, click the Standard Platform User link.
Scroll to the Standard Object Permissions section.
Under Basic Access/Push Topics, be sure that Read, Create, Edit, and Delete are checked.
To set the API Enabled option:
On the Standard Platform User page, scroll to the Administrative Permissions section.
Be sure that API Enabled is checked.

Enable permissions for viewing event log files
To view event monitoring data, user permissions must be enabled for the View Event Log Files and API Enabled settings.
Users with View All Data permissions also can view event monitoring data. For more information, refer to the following link: https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm
Enable permissions for Audit Trail events
To process Audit Trail events, permissions must be enabled for View Setup and Configuration.

Enable permissions for Login History events
To process Login History events, permissions must be enabled for Manage Users, which also enables permissions for the following settings:
Requires Reset User Passwords and Unlock Users
View All Users
Manage Profiles and Permission Sets
Assign Permission Sets
Manage Roles
Manage IP Addresses
Manage Sharing
View Setup and Configuration
Manage Internal Users
Manage Password Policies
Manage Login Access Policies
Manage Two-Factor Authentication in User Interface

Onboarding steps

Go to Administration > App Management and click New.
Select Salesforce from the list
Enter a Name (required) and a Description (optional) and click Next.
Select one or more protection modes:
● API Access
● Cloud Security Posture
● Cloud Data Discovery
Click Next and enter configuration settings. The fields you see depend on the deployment and the protection modes you chose in the previous step.
● For API Access – Enter a Salesforce Subdomain.● For Cloud Security Posture – No other details are needed.
● For Cloud Data Discovery — No other details are needed.
Click Authorize.
Select the Salesforce instance from the dropdown list.
If this authorization is for a custom or a sandbox domain, click the box. Then, click Continue.
Enter the administrator login credentials for this Salesforce account. Then, click Log In.

Onboarding ServiceNow applications
The following section provides instructions for onboarding ServiceNow applications.
Configuration steps
Before onboarding the ServiceNow application, create an OAuth application.

Log in to ServiceNow as an administrator.
To create an OAuth application, go to
System OAuth > Application Registry > New > Create an OAuth API endpoint for external clients.
Enter the following information:
● Name – Enter a name for this OAuth app.
● Redirect URL – Enter the appropriate URL.
● Logo URL – Enter the appropriate URL for the logo.
● PKCE Required — Leave unchecked.
Click Submit.
Open the newly created app and note the Client ID and Client Secret values.

Onboarding steps

From the Management Console, go to Administration > App Management.
In the Managed Apps tab, click New.
Select ServiceNow and click Next.
Enter a Name (required) and a Description (optional). Then click Next.
Select one or more protection modes and click Next.
On the Configuration page, enter the information for the protection modes you selected in the previous step.
● For API Access, enter:
● The API Usage type, which defines how this application will be used with API protection.
Check Monitoring & Content Inspection, Receiving Notifications, or Select All.
If you select only Receiving Notifications, this cloud application is not protected; it is used only to receive notifications.● The OAuth App Client ID
● The OAuth App Client Secret
● The ServiceNow Instance ID
● For Cloud Data Discovery, enter
● The OAuth App Client ID
● The OAuth App Client Secret
● The ServiceNow Instance ID
7. Click Authorize.
When prompted, log in to the ServiceNow application.
When prompted, click Allow.
If authorization is successful, you should see a Re-Authorize button when you return to the Management Console. Click Next and Save to complete onboarding.

Post-onboarding tasks

Once you have onboarded cloud applications, you can filter events for those applications.
Applying event filtering to onboarded cloud applications
If you selected API Access as a protection mode, you can select event filtering options for that cloud application after it is onboarded.
After you have onboarded a cloud application with API Access as a protection mode, you can set default filters for allowing or denying all events for users, user groups, domains, or events. These filters can help narrow the focus to specific groups and will require less processing time and less demand on system resources.

To apply event filtering:

Go to Administration > App Management.
Select the cloud to which you want to apply event filtering by checking the pencil option.
Select filtering options as follows:
● Default filters – Choose a default filter.
● Deny All Events – No events are processed.
● Allow All Events – All events are processed.
● Exceptions – Select exceptions to the chosen filter for users or user groups. For example, if you want to apply an exception for one group — the engineering team — the default filter actions would be applied as follows:
● For Deny All Events, no events are processed except those for the engineering team.
● For Allow All Events, all events are processed except those for the engineering team.
● Exclusions – Select any criteria that should not be included in the exceptions. For example, you might opt to deny (not to process) events for staff in engineering except for managers. Using this example, the default filter exclusions would be applied as follows:
● For Deny All Events — No events are processed except for the engineering team. The managers are excluded from this exception, which means that events for managers within the engineering team are not processed.
● For Allow All Events — Events are processed except for the engineering team. The managers are excluded from this exception, which means that events for managers within the engineering team are processed.
Click Next.

Configuring tenants for user access and session activity

You can set conditions for tenant access by:

Specifying authorized IP addresses for user access
Entering session timeout information
Choosing a time frame for login access to Juniper Support.

Authorized IP addresses
You can allow access to the tenant for only the IP addresses you authorize. When users with Application Administrator, Key Administrator, or Application Monitor roles want to log in to the Management Console,the system checks their IP addresses against those authorized addresses.

If the match with a valid IP address is not found, login is denied and the message Invalid IP user range is displayed.
If a match with a valid IP address is found, the user can log in.

Notes
This validation process does not apply for:

System Administrator, Operations Administrator, or Service Administrator logins
Login with IdP

To specify authorized IP addresses for access to the tenant, click in the Authorized IP Addresses field.

Enter one or more IP addresses you want to authorize for access to the tenant. Separate each IP address with a comma.
Click Save to close the entry box and select other configuration settings on the page.

Session Timeout
Enter a time (in minutes, any number between 1 and 120) after which a session expires, and another login is required. The default value is 30 minutes.
Login access to Juniper Support
System administrators and application administrators can enable or disable access to Juniper Support by service administrators and operations administrators. You can deny access or select the number of days available access.
In the Lookout Support field, select an option. The default selection is No Access. You can also select access for 1 day, 3 days, or 1 week.
Click Save to save all tenant configuration settings.

Managing users

CASB provides three options for managing users:

Administrative, which enables control of user access by role for the Management Server and Hybrid Key Management System
Enterprise, which provides an integrated view of users in their enterprise, and their account information

Administrative user management
CASB provides role-based access control to provide clear distinction of user access privileges and responsibilities. You can add new users as needed.
All user information is identical for the Management Server and the Hybrid Key Management System (HKMS), although the sets of users are maintained separately.

Adding new users
To add users:

Go to Administration > User Management and click the Administrative User Management tab.
Click New.
Enter the following information:
● User Name – Enter a valid email address for the user.
● Role – Use the check boxes to select one or more roles for the user.● System Administrator – Can perform all system administration functions, including onboarding cloud applications, adding and removing users, creating and assigning keys, and restarting the Management Server.
● Key Administrator – Can create, assign, and remove keys, and monitor other system functions.
● Application Administrator – Can create and manage applications and monitor other system functions.
● Application Monitor – Can monitor system functions through the Management Console, view alerts, and export reports. Cannot create or modify functions such as onboarding cloud applications, adding users, editing user information, or configuring system settings.
Note
Hosted deployments include two additional users with unique roles: Services Administrator and Operations Administrator. These users are assigned by Juniper Networks and cannot be deleted.
Click Apply.
Click Save. The new user is added to the list. The new user will receive an email notification with a temporary password and will be asked to select a permanent password.

Setting up a user account password policy
CASB provides a default password policy. You can change the default settings to meet your organization’s needs.
To change the user account password policy:

Go to Administration > User Management.
Click the User Account Password Policy link.
The Password Policy screen is displayed. (The Save button becomes active once you begin entering changes.)

Change the policy items as needed:

Field	Description
Minimum Length	Specifies the minimum number of characters that can make up a password for a user account. You can set a value of between 1 and 13 characters. To specify that no password is required, set the number of characters to (zero). A minimum of 8 characters is recommended. This number is long enough to provide adequate security, but not too difficult for users to remember. This value also helps to provide adequate defense against a brute force attack.
Maximum Length	Specifies the maximum number of characters that can make up a password for a user account. If you specify 0 (zero), the allowed length will be unlimited. A setting of 0 (unlimited) or a relatively large number such as 100 is recommended.
Lowercase Characters	Specifies the minimum number of lowercase characters that must be present in a password for a user account. If you enter 0 (zero), no lowercase characters are allowed in the password. A minimum of 1 lowercase character is recommended.
Uppercase Characters	Specifies the minimum number of uppercase characters that must be present in a password for a user account. If you enter 0 (zero), no uppercase characters are allowed in the password. A minimum of 1 uppercase character is recommended.
Special Characters	Specifies the minimum number of special characters (for example, @ or $) that can make up a password for a user account. If you enter 0 (zero), no special characters are required in the password. A minimum of 1 special character is recommended.
Numerics	Specifies the minimum number of numeric characters that must be present in a password for a user account. If you enter 0 (zero), no numeric characters are required in the password. A minimum of 1 numeric character is recommended.

Field	Description
Enforce Password History	Specifies the number of unique new passwords that must be associated with a user account before an old password can be reused. A low number allows users to use the same small number of passwords repeatedly. For example, if you select 0, 1, or 2, users can reuse old passwords more quickly. Setting a higher number will make using old passwords more difficult.
Password Expiration Period	Specifies the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 99, or you can specify that passwords never expire by setting the number of days to 0 (zero).
Invalid Login Attempts Allowed	Specifies the number of failed login attempts that will cause a user account to be locked. A locked account cannot be used until it is reset by an administrator or until the number of minutes specified by the Lockout Effective Period policy setting expires. You can set a value from 1 through 999. If you want the account never to be locked, you can set the value to 0 (zero).
Lockout Effective Period	Specifies the number of minutes that an account remains locked out before automatically becoming unlocked. The available range is from 1 through 99 minutes. A value of 0 (zero) means that the account will be locked out until an administrator unlocks it.

Click Save.

Account status for system administrator and non-administrator roles
Non-administrator user accounts are disabled automatically after more than 90 days of non-use. When an account is disabled, the user will see a message on the Management Console login screen notifying them that their account is disabled. A system administrator must re-enable the account before the user can log in to the Management Console.
Note
Accounts for system administrators, service administrators, and operations administrators cannot be disabled. Only accounts for Key Administrator, Application Administrator, and Application Monitor roles can be disabled and re-enabled.
On the Administrative User Management tab of the User Management page, the toggles represent the following conditions:

System Administrators: The toggle is visible, enabled by default. and shows as grayed out.
Services Administrators and Operations Administrators: The toggle is visible, enabled by default, and shows as grayed out.
System Administrators can disable or enable the status of users with Key Administrator, Application Administrator and Application Monitor roles.
For existing System Administrators who have not completed the user onboarding process, the toggle shows a status of disabled.
For newly created System Administrators who have not completed the user onboarding process, the toggle is not visible.
For System Administrators who have completed the onboarding process but have not logged into the application yet, the toggle is enabled but grayed out.
For Key Administrator, Application Administrator, and Application Monitor roles: These users’ accounts are disabled after 90 days of non-use. They will be blocked when they try to log in to the Management Console.

Note
System Administrators whose accounts were disabled previously are now enabled (active).
The following sections provide instructions for system administrators to disable and re-enable nonadministrator user accounts.
Disabling a non-administrator user account

Click the bright green toggle for the enabled non-administrator account.
When prompted, confirm the action to disable the account.

Re-enabling a disabled non-administrator user account

Click the dimmed, colorless toggle for the disabled non-administrator account.
When prompted, confirm the action to re-enable the account.

Reassigning the Super Administrator role
A tenant can only have one Super Administrator account. If you want to reassign the Super Administrator role to a different user, you must do it while logged in with the current Super Administrator account.

In the Management Console, select Administration > System Settings > Tenant Configuration.
If you are logged in with the Super Administrator role, you will see the Re Assignment of Super Administrator option.
Select the desired user from the drop-down menu. Only users who currently have the System Administrator role are shown here.
Click Send OTP to receive a one-time password.
Retrieve the password from your email and enter it in the Enter OTP field. Click Validate.
Click Save. The Super Administrator role is transferred to the user you selected.

Enterprise user management
The Enterprise User Management page provides an integrated view of users in their enterprise and their account information.
Searching for user information
You can search for user information by:

account name (Email), to see which users are associated with a specific account,
User Group, to see which users are part of a specific user group, or
User Name, to see which users (if any) are associated with more than one account.

To perform a search, enter all or part of the username, group name, or email in the Search box.
Searches are case sensitive. To return to the default list, clear the Search box.
Filtering user information
You can filter the display of information by cloud application. Click the Filter icon at the upper right and select the cloud applications to include in the display.

To clear the filter, click anywhere outside of the list box.

Configuring CASB for enterprise integration

You can configure CASB to work with external services to manage user data, gather information about unsanctioned cloud applications, and other functions.
The following topics are provided:

Installing an on-premise connector for system services
Adding Advanced Threat Protection (ATP) services
Adding external services for Enterprise Data Loss Prevention (EDLP)
Configuring Security Information and Event Management (SIEM)
Configuring data classification
Creating and managing user directories
Creating and managing enterprise sites
Creating notification channels

Installing an on-premise connector for system services
CASB provides a unified on-premise connector that can be used with multiple services, including SIEM, log agents, and EDLP. The following sections provide specifications and instructions for installing the onpremise connector.

Specifications
Downloading the connector
Pre-installation steps
Installing the connector
Restarting and uninstalling the connector
Additional notes

Note
Remote upgrades are supported only for agents running on CentOS.
If you are using connector version 22.03 and planning to migrate to version 22.10.90, you can upgrade the SIEM, EDLP, and Log Agents using the manual upgrade procedure. For more information, see the Manually upgrading the SIEM, EDLP, and Log Agents section.
Specifications
The following specifications are required for installation of the on-premise connector.
Operating systems and software

For SIEM, EDLP, and Log Agent: Red Hat Enterprise, CentOS 8, Ubuntu 20.04.5 LTS (Focal Fossa)
Java version 11
bzip2 1.0.6
RPM version 4.11.3

Firewall settings

Allow outbound HTTPS traffic
Allow the following outbound WSS connections:
- nm.ciphercloud.io (applies to SIEM, LOG, and EDLP agents)
- wsg.ciphercloud.io (applies to SIEM, LOG, and EDLP agents)

Minimum requirements for VM configurations
Here are the deployment options and minimum hardware requirements. The Base Package contains the NS-Agent and upgrade service.
Log agent, SIEM, and EDLP services

8 GB RAM
4 vCPUs
100 GB disk space

Downloading the connector

Go to Administration > System Settings > Downloads.
Select On-premise Connector and click the download icon.
Save the RPM file for installation on the appropriate VM.

Pre-installation steps
Step 1 – Create an agent for the service

Go to Administration > Enterprise Integration and select the agent to configure.
Perform the following steps to configure the agent.

Step 2 – Create an environment
Perform these basic steps to create an environment.

Go to Administration > Environment Management and click New.
Enter a Name and a Description for the environment.
Select On-premise Connector as the environment Type.
Enter an IP address for the location where you want to install the connector.
Enable the agent and select a service.
Save the environment.

Step 3 – Create a node
Perform these basic steps to create a node.

Go to Administration > Node Management and click New.
Enter a Name and a Description for the node.
Select Connector as the node Type.
Select the environment you created in the previous step.
Select the service.
Save the node.
Perform the steps in the following sections to install the on-premise connector.

Installing the connector (SIEM, EDLP, and Log Agent)
Perform the following steps to install the on-premise connector. In the script, the term Node Server refers to the connector. In the next sections, the term node server refers to the connector.
Run the following command to start the installation:
[root@localhost home]# rpm -ivh enterprise-connector-21.01.0105.x86_64.rpm
Preparing… #################################
[100%] /usr/sbin/useradd -r -g ccns-c ${USER_DESCRIPTION} -s /bin/nologin ccns
Updating / installing…
1:enterprise-connector-0:21.01.0-10################################# [100%] CipherCloud node server has been successfully installed in
/opt/ciphercloud/node-server.
Adding [Systemd] service support
Reloading Systemd daemon
Systemd service node-server has been installed
Please use ‘sudo systemctl start node-server’ to start the service manually
==========================IMPORTANT================
Please run ‘sudo /opt/ciphercloud/node-server/install.sh’ to configure the node server before starting it for the first time.
===================================================
Run the following command to change to the directory in which to install the connector.
[root@localhost ~]# cd /opt/ciphercloud/node-server/
Run the following command to perform the installation.
[root@localhost node-server]# ./install.sh
Initializing node-server install script. Please wait..
Please enter Management Server endpoint [wss://nm:443/nodeManagement]:
Based on the location of your tenant, provide the Node Management URL:
For Europe Central-1 [euc1]:
wss://nm.euc1.lkt.cloud:443/nodeManagement
For United States West-2 [usw2]:
wss://nm.usw2.lkt.cloud:443/nodeManagement
Note: You can identify the Node Management URL from your Management Console URL as follows:
If your Management Console URL is https://maxonzms.euc1.lkt.cloud/account/index.html#login
Then your Node Management URL is
euc1.lkt.cloud
Enter the default option shown or enter the URL for this installation.
Management Server endpoint: <Node Management endpoint URL>
Enter ID for this tenant.
Input Tenant Id: <tenant name>
Enter the unique name for the Node Server.
Input Node Server Unique Name: <node_name>
Enter the API token (click the API Token button in the Configuration tab).
Input Node Server Token: <Node API token>
There are 3 NICS assigned to this host.
1) NIC_n
2) NIC_n
3) <NIC_n>
Please select an option from the above list
Select an NIC option.
NIC option (1 to 3): <n>
Selected NIC is <NIC_n>
Adding new property ms.endpoint.
Adding new property node.name.
Adding new property node.token.plain.
Adding new property node.nic.
Updating property logging.config
Updating property logging.config
Updating property logging.config
Updating property logging.config
Node server installation is done. Start node server using ‘sudo service nodeserver start’.
================================
Starting the connector
Run the following command:
sudo service node-server start
Restarting and uninstalling the connector
Restarting
Run the following command:
[root@localhost node-server]#sudo systemctl restart node-server
Uninstalling
Run the following command:
rpm -ev enterprise-connector
Additional configuration notes for SIEM

WSG configurations are based on the installing region.
For SIEM, the spooling directory path should be under /opt/ciphercloud/node-server. The directory does not need to be created manually. In the SIEM configuration, provide the directory path and name — for example, /opt/ciphercloud/node-server/siempooldir.

Additional configuration notes for log agents
Connecting to a different server
KACS and WSG configuration are provided by default. If you need to connect to a different server, use the following commands to override the server and port information.
[root@localhost log-agent]# cat /opt/ciphercloud/node-server/config/logagent/log-agent.conf
JAVA_OPTS=-Xms7682m -Xmx7682m -Dkacs.host=kacs.devqa.ciphercloud.in Dkacs.port=8987-Dwsg.host=wsg.devqa.ciphercloud.in -Dwsg.port=8980
Write permissions
If needed, provide the ccns user with write permissions for the spooling directories.
Redis commands for Palo Alto Networks logs
For Palo Alto Networks logs, use the following setup commands for a local Redis.
Setup
Run the systemctl setup command for ciphercloud-node-logagent-redis
[root@localhost ~]# cd /opt/ciphercloud/node-server/bin/log-agent
[root@localhost log-agent]# ./logagent-redis-systemctl-setup.sh
Run the following commands to start, restart, stop, and display status for ciphercloud-node-logagent-redis.
Start
[root@localhost log-agent]#
systemctl start ciphercloud-node-logagent-redis
Restart
[root@localhost log-agent]#
systemctl restart ciphercloud-node-logagent-redis
Stop
[root@localhost log-agent]#
systemctl stop ciphercloud-node-logagent-redis
Display status
[root@localhost log-agent]#
systemctl status ciphercloud-node-logagent-redis
Additional configuration notes for EDLP
KACS and WSG configurations are based on the installing region.

Adding Advanced Threat Protection (ATP) services
From this page, you can create and manage configurations to integrate with vendors for advanced threat protection. CASB supports Juniper ATP Cloud and FireEye ATP services.

From the Enterprise Integration page, choose Threat Management.
To display details of a configuration, click the > arrow to the left for that configuration.

To add a new configuration for threat management:

Click New.
Enter the following information. Fields with a colored border at the left require a value.
● Name — The name of the service. The name you enter here will appear in the dropdown list of available external services when you create a policy that scans for malware.
● Description (optional) — Enter a description of the service.
● Vendor — Select a vendor from the list, either FireEye or Juniper Networks (Juniper ATP Cloud).● Service URL — Enter the URL of the service for this configuration.
● API key — Enter the API key provided by the service. You can opt to show or hide this key. When the key is hidden, Xs appear for the entry.
If you want to exclude file sizes and extensions from scanning by this service, click the File Type Exclusion and File Size Exclusion toggles to enable these settings. Then, enter the following information.
● For File Type Exclusion, enter types of files to be excluded from scanning. Separate each type with a comma. ● For File Size Exclusion, enter a number greater than zero that represents upper file size threshold for scanning. Files larger than this size will not be scanned.
Click Save.
The new configuration is added to the list. A successful connection is indicated by a green connector icon.

Adding external services for Enterprise Data Loss Prevention (EDLP)
You can configure CASB to work with external services to manage user data, gather information about unsanctioned cloud applications, and other functions.
Many organizations have made a significant investment in an enterprise DLP (EDLP) solution. This investment not only counts the capital expenditure on the software and support but also the person-hours and intellectual capital to craft policies that meet the organization’s needs. By adding a CASB to an organization, you can extend the access boundary from the endpoint, where traditional enterprise DLP lives, to the cloud and SaaS.
When CASB is integrated with an EDLP solution, policies can be configured to do the initial check on the CASB DLP, and then pass the file/data to the EDLP. Or it can pass everything to the EDLP or a combination of the two.
After the file/data inspection is complete, the policy action is taken. Examples of policy actions include these:

Encryption
Deny upload
Watermarking
Quarantine
Allow and log
User remediation
Replace file with a marker file

The following topics provide instructions for configuring external services for data loss prevention.

Creating a new configuration for EDLP
Downloading and installing an EDLP agent
Stopping and starting the EDLP agent
Symantec DLP response rule configuration for Vontu service

Creating a new configuration for EDLP

In the Management Console, go to Administration > Enterprise Integration > Data Loss Prevention.
Click New.
Enter the following configuration details. (The values shown are examples.)● Name — Enter a name for this EDLP service.
● Description (optional) — Enter a brief description.
● Vendor – Select an external DLP vendor. The options are Symantec or Forcepoint.
● DLP Server Hostname — Enter the host name or IP address of the server to be used for the external DLP.
● Service Name — Enter the name or IP address of the service that applies to this configuration.
● ICAP port — Enter the number for the associated Internet Content Management Protocol (ICAP) server. ICAP servers focus on specific issues such as virus scanning or content filtering.
To exclude any file types or size from EDLP scanning, click the toggles to enable exclusions. Then, enter the appropriate file information.● For file types, enter the extensions for the file types to exclude, separating each extension by a comma.
● For file size, enter the maximum file size (in megabytes) to exclude.
Click Save.
The new configuration is added to the list. Once an agent is downloaded and installed, a connection can be made. A successful connection is indicated on the Data Loss Prevention page by a green connector icon.

Downloading and installing an EDLP agent
After you create at least one EDLP agent, you can download the EDLP agent and install it on a machine or server. The machine you choose for the EDLP agent installation should contain RedHat Enterprise / CentOS 7.x and Java 1.8.
Prerequisites for installing the EDLP agent
Your environment must include the following components and settings for installing and running the EDLP agent:

Oracle Server Java 11 or later
JAVA_HOME environment variable set
root or sudo privileges
Hardware – 4 Core, 8 GB RAM, 100 GB storage

Perform the steps outlined in the following sections to download, install, and start the EDLP agent.
Downloading the EDLP agent

In the Management Console, go to Administration > System Settings > Downloads.
Select EDLP Agent from the list and click the Download icon under Actions.
To view information about the file, including version, size, and checksum value, click the Information icon.
The EDLP agent is downloaded as ciphercloud-edlpagent-20.07.0.22.centos7.x86_64.rpm.
Move the EDLP agent to its intended machine.

Installing the EDLP agent

From the command line, run the following command:
rpm -ivh <RPM Name>
For example:
rpm -ivh ciphercloud-edlpagent-20.07.0.22.centos7.x86_64.rpm
Preparing… ################################# [100%] Preparing / installing…
1:ciphercloud-edlpagent-20.07.0.22.centos7.x86_64########################
## [100%] Execute ‘EDLP-setup’ to setup your EDLP Agent
The RPM client will be installed under the following location:
/opt/ciphercloud/edlp
Go to the /opt/ciphercloud/edlp/bin directory.
Run the setup file using the following command:
./edlp_setup.sh
When prompted, enter the auth token to complete the installation process.
To get the auth token, go to Administration > Enterprise Integration > Data Loss Prevention (Auth Token column).To hide the auth token from view, click the Column Filter icon at the upper right, and uncheck Auth Token.

Note
You can access logs from the /opt/ciphercloud/edlp/logs directory.
Stopping and starting the EDLP agent service

To stop the EDLP agent service, enter the following command: systemctl stop ciphercloud-edlp
To start the EDLP agent service, enter the following command: systemctl start ciphercloud-edlp

Checking the EDLP agent status

To check the status of the EDLP agent service, enter the following command: systemctl status ciphercloud-edlp

Symantec DLP response rule configuration (Vontu service)
In the Symantec DLP configuration (Manage tab / Configure Response Rule), you need to enter information about the violation and the policies violated, as shown, with violation as the keyword. Enclose the name of each violated policy between dollar signs, separated by commas. The policy name or names should be exactly the same as they are entered in CASB. Format the policy entries as follows:
$PolicyNameA, PolicyNameB, PolicyNameC$

Configuring the Forcepoint Security Manager and Protector
Perform the following steps to configure the Forcepoint Security Manager and Protector:

In the General tab, enable the ICAP system module with the default port of 1344.
In the HTTP/HTTPS tab, set the mode to Blocking for the ICAP server.
Under Policy Management, add a new policy from the Predefined policy list or create a custom policy. Then, deploy the new policy.

Manually upgrading the SIEM, EDLP, and Log Agents
Depending on your OS and the type of package that you want to install, perform the steps in the following sections to upgrade the on-premise connectors manually. This manual upgrade procedure is applicable for EDLP, SIEM, and Log Agent.
For CentOS and RHEL
If you installed the rpm package in the previous version, upgrade the connector using an RPM package.
For instructions, see the Upgrading a connector using an RPM package section.
Upgrading a connector using an RPM package

From the Management Console, go to Administration > System Settings > Downloads.
Click the download icon for the On-premise Connector rpm package.
Copy the downloaded RPM package to the Node Server on which you want to install.
Log in to the Node Server.
Stop the Node Server services: sudo service node-server stop
Run the following command: sudo yum install epel-release
Run the following command to upgrade the connector: sudo yum upgrade ./enterprise-connector*.rpm
Start the Node server services: sudo service node-server start

For Ubuntu
If your previous connector was installed using a Tar package, to get the latest connector version, you can either perform a fresh installation using a Debian package (Method 1) or upgrade the connector using a Tar package (Method 2).
If your previous connector was installed using a Debian package, you can upgrade the connector using a Debian package (Method 3).
Method 1 (Recommended): Installing the latest connector version using a Debian package
If your previous connector was installed using a Tar package, to get the latest connector version, you can perform a fresh installation of the latest connector version using a Debian package. Detailed steps for this procedure are provided below.
Pros:

You can use service/systemctl commands to start/stop the services.
Additional dependencies required for other features are automatically installed by the apt command.

Cons:

As this is a fresh installation, you are required to run install.sh script.
Provide the details such as nodeName, authToken etc, during the installation.

Method 2: Upgrading a connector using a Tar package
Pros:

No need to run the install.sh script again.

Cons:

You need to use the sudo bash <script> command for any start/stop operations.
Before untarring the TAR package in the opt/ciphercloud directory, you need to delete the old boot-ec-*.jar file.

Method 3: Upgrading a connector using a Debian package
Use this procedure if your previous connector was installed using a Debian package.
Method 1: Installing the latest connector version using a Debian package
Note: If you have already installed any connector on your machine using a Tar package, stop the Node Server services and delete the ciphercloud directory located under the opt directory before starting this procedure.

From the Management Console, go to Administration > System Settings > Downloads.
Click the download icon for the On-premise Connector – Debian package.
Copy the downloaded Debian package to the Node Server on which you want to install.
Log in to the Node server.
Run the following command to start the installation in the Linux instance:
[ubuntu@localhost home]# sudo apt install ./enterpriseconnector_<version>_amd64.deb
Where <version> is the current DEB file version in the Management Console.
Note: Make sure you are connected to the internet while performing this installation.
Click Yes when prompted to save the IPv4 and IPv6 rules.
Run the following command to change to the directory in which to install the connector. cd /opt/ciphercloud/node-server
Run the following command to configure the installation options. ./install.sh System response: Initializing node-server install script. Please wait..
Respond to the system prompts as follows:
Please enter Management Server endpoint
[wss://nm.<domain>:443/nodeManagement]:
a. Enter the default option shown or enter the URL for this installation.
b. Management Server endpoint: <Node Management endpoint URL>
c. Enter the unique ID for this tenant. Input Tenant Id: <tenant name>
c. Enter the unique name for the Node Server.
Input Node Server Unique Name: <node_name>
d. Enter the API token (click the API Token button in the Configuration tab)
Input Node Server Token: <Node API token> Once Node server installation is done. Start node server using ‘sudo service node-server start’.
e. Select Y to install with upstream proxy and enter the upstream proxy details.
Note If you do not want to use the upstream proxy, specify N and press Enter.
Does upstream proxy exist? [y/n]: y
Input Host Name of upstream proxy server: 192.168.222.147
Input port number of upstream proxy server: 3128
f. Enter the username and password if you want to enable the upstream proxy with authorization.
Otherwise, press Enter.
Input upstream proxy authorization – user name (Press enter key if no authorization required): test Input upstream proxy authorization – password: test@12763
Run the following command to start the Node Server: sudo service node-server start

Method 2: Upgrading a connector using a Tar package
Note: If you are on the Ubuntu OS, we recommend that you install the latest Debian package. For instructions, see Installing a new connector with Debian package.

From the Management Console, go to Administration > System Settings > Downloads.
Click the download icon for the On-premise Connector Tar Package.
Copy the downloaded Tar package to the Node Server on which you want to upgrade.
Log in to the Node Server.
Stop the Node Server services using the following command: sudo bash /opt/ciphercloud/node-server/bin/agent/agent stop
Make a backup copy of the boot-ec-*.jar file and save it to a different location.
Delete the boot-ec-verion.jar file from the /opt/ciphercloud/node-server/lib directory.
Untar the On-premise Connector Tar package to /opt/ciphercloud: sudo tar -xvf enterprise-connector-<version>.tar.gz –directory /opt/ciphercloud sudo chown -R ccns:ccns /opt/ciphercloud/node-server
This action extracts the contents to the node-server directory.
Start the Node Server services: sudo bash /opt/ciphercloud/node-server/bin/agent/agent start

Method 3: Upgrading a connector using a Debian package
If your previous connector on the Ubuntu OS was installed using a Debian package, use this procedure for upgrading your connector.

From the Management Console, go to Administration > System Settings > Downloads.
Click the download icon for the On-premise Connector – Debian package.
Copy the downloaded Debian package to the Node Server on which you want to install.
Log in to the Node Server.
Stop the Node Server services: sudo service node-server stop
Run the following command to upgrade the connector: sudo apt upgrade ./enterprise-connector*.deb
Click Yes when prompted to save the IPv4 and IPv6 rules.
Start the Node Server services: sudo service node-server start

Configuring Security Information and Event Management (SIEM)
From the Enterprise Integration page, click SIEM.
To view the details of an existing SIEM configuration, click the > icon at the left.
Downloading, installing, and connecting a SIEM agent
After you create at least one SIEM agent, you can download the SIEM agent and install it on a machine or server. The machine you choose for SIEM agent installation should contain RedHat Enterprise / CentOS 7.x, as well as Java 1.8.
If the data you intend to run using the SIEM agent is a directory or file, the SIEM agent must be downloaded to the machine where the files are located.
Prerequisites for installation of an SIEM agent
Your environment must include the following components and settings for installing and running an SIEM agent:

Oracle Server Java 11 or later
JAVA_HOME environment variable set
root or sudo privileges

Perform the following steps to download, install, and start a SIEM agent.
Downloading

In the Management Console, select Administration > Enterprise Integration.
Click the Download icon in the row of the SIEM agent you are downloading.
The SIEM agent is downloaded as ciphercloud-siemagent-1709_rc2-1.x86_64.rpm.
Move the SIEM agent to its intended machine (or to multiple machines as needed).

Installing
From the command line, run the following command: rpm -ivh <RPM Name>
For example:
rpm -ivh ciphercloud-siemagent-1709_rc2-1.x86_64.rpm
Preparing… #################################
[100%] Preparing / installing…
1:ciphercloud-siemagent-1709_rc2-1.x86_64################
[100%] Execute ‘siemagent-setup’ to setup your siem Agent

Configuring
Run the siemagent setup command to configure the SIEM-agent and paste the authentication token, as outlined in the following instructions.
siemagent-setup
for example:
siemagent-setup
Enter Auth Token:<Auth token>
Initiating CipherCloud siem Agent configuration
Java already configured
Updated CipherCloud siem Agent with Auth Token
Starting CipherCloud siem Agent Service …
Already Stopped / Not running (pid not found)
Started Log Agent with PID 23121
Done

Viewing the authentication token

Go to Administration > Enterprise Integration > SIEM.
Select the SIEM agent you created.
In the Display Auth Token column, click Show to display the token.

Uninstalling a SIEM agent
To uninstall the SIEM agent, run the following command: rpm -e <RPM name up to x86_64>
For example:
rpm -e ciphercloud-siemagent-1709_rc2-1.x86_64
Stopped [12972] Package ciphercloud-logagent with version 1709 has been uninstalled successfully

Starting, stopping, and checking the status of a SIEM agent
To start an SIEM agent, enter the following command: systemctl start ciphercloud-siemagent
To stop an SIEM agent, enter the following command: systemctl stop ciphercloud-siemagent
To check the status of an SIEM agent, enter the following command: systemctl status ciphercloud-siemagent

Viewing SIEM agent logs
Go to /opt/ciphercloud/siemagent/logs/
Creating a new SIEM configuration
To create a new SIEM configuration, perform the following steps.

Click New.
Enter the following information. (The values shown are examples.)
● Name (required) – Enter a name for this configuration.
● Description (optional) — Enter a brief description.
● Cloud – Select one or more cloud applications for this configuration.● Event Type – Select one or more event types for this configuration.● Vendor — Select a vendor. The options are
● HP ArcSight
● IBM QRadar
● Intel Security
● Log Rhythm
● Others
● Splunk
● Forwarded Type — Select Spooling Directory, Syslog TCP, or Syslog UDP.
● For Spooling Directory, enter the directory path for the log files generated.● For Syslog TCP or Syslog UDP, enter a remote host name, a port number, and a log format (either JSON or CEF).
Click Save.

The new configuration is added to the list. By default, the authentication token is hidden. To display it, click Show.
Once an agent is downloaded and installed, a connection can be made. A successful connection is indicated on the SIEM page by a green connector icon.

Additional actions
In addition to the download action, the Action column provides the following two options:

Pause – Pauses the transfer of events to SIEM. When this button is clicked and the agent is paused, the tool tip changes the button label to Resume. To resume the transfer, click the button again.
Remove – Delete the agent.

Configuring data classification
CASB enables integration with Azure Information Protection (AIP) and Titus for data classification. The following sections outline how to configure these integrations.
Integration with Azure Information Protection (AIP)
CASB enables integration with Microsoft Azure Information Protection (AIP), which provides additional options for protecting your data. If you have a Microsoft Office account, you can use your Microsoft 365 credentials to add an AIP integration connection and apply it as an action to any policy you create, for any of your cloud applications.
AIP enables use of Active Directory Rights Management Services (AD RMS, also known as RMS), which is server software that addresses information rights management. RMS applies encryption and other functionality limitations for various types of documents (for example, Microsoft Word documents), to restrict what users can do with the documents. You can use RMS templates to protect an encrypted document from being decrypted by specific users or groups RMS templates group these rights together.
When you create an AIP integration connection, content policies you create provide an RMS Protection action that applies protection as specified in the RMS template you choose for the policy.
You can use labels to identify specific types of protection to the documents in your cloud. You can add labels to existing documents or assign or modify labels when the documents are created. Labels are included in the information for the policies you create. When you create a new label, you can click the Sync Labels icon in the AIP Configuration page to synchronize your labels and enable the newest labels to be assigned.

Retrieving parameters required for AIP RMS connection
To enable access to the required parameters:

Open Windows PowerShell in administrator mode.
Run the following command to install the AIP cmdlets. (This action will take a few minutes to complete.)
Install-Module -Name AADRM
Enter the following cmdlet to connect to the service: Connect-AadrmService
In response to the authentication prompt, enter your Microsoft Azure AIP login credentials.
Once you are authenticated, enter the following cmdlet: Get-AadrmConfiguration
The following configuration details are displayed BPOSId : 9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a
RightsManagementServiceId : 5c6bb73b-1038-4eec-863d-49bded473437
Licensing Intranet Distribution Point Url : https://5c6bb73b-1038-4eec-863d49bded473437.rms.na.aadrm.com/_wmcs/licensing
Licensing Extranet Distribution Point Url: https://5c6bb73b-1038-4eec-863d49bded473437.rms.na.aadrm.com/_wmcs/licensing
Certification Intranet Distribution Point Url : https://5c6bb73b-1038-4eec-863d49bded473437.rms.na.aadrm.com/_wmcs/certification
Certification Extranet Distribution Point Url: https://5c6bb73b-1038-4eec-863d49bded473437.rms.na.aadrm.com/_wmcs/certification
Admin Connection Url : https://admin.na.aadrm.com/admin/admin.svc/Tenants/5c6bb73b-1038-4eec863d-49bded473437
AdminV2 Connection Url : https://admin.na.aadrm.com/adminV2/admin.svc/Tenants/5c6bb73b-1038-4eec863d-49bded473437
On Premise DomainName: Keys : {c46b5d49-1c4c-4a79-83d1-ec12a25f3134}
Current Licens or Certificate Guid : c46b5d49-1c4c-4a79-83d1-ec12a25f3134
Templates : { c46b5d49-1c4c-4a79-83d1-ec12a25f3134, 5c6d36g9-c24e-4222-7786e-b1a8a1ecab60}
Functional State : Enabled
Super Users Enabled : Disabled
Super Users : {admin3@contoso.com, admin4@contoso.com}
Admin Role Members : {Global Administrator -> 5834f4d6-35d2-455b-a134-75d4cdc82172, ConnectorAdministrator -> 5834f4d6-35d2-455b-a134-75d4cdc82172}
Key Rollover Count : 0
Provisioning Date : 1/30/2014 9:01:31 PM
IPCv3 Service Functional State : Enabled
Device Platform State : {Windows -> True, WindowsStore -> True, WindowsPhone -> True, Mac ->
FciEnabled For Connector Authorization : True
Document Tracking FeatureState : Enabled
From this output, you will need the highlighted items for the AIP integration connection.
Run the following command to obtain the base 64 key information: install-module MSOnline
Run the following command to connect to the service: Connect-MsolService
In response to the authentication prompt, enter your Azure AIP login credentials again.
Run the following command: Import-Module MSOnline
Run the following command to obtain the key information needed for the AIP integration connection: New-MsolServicePrincipal
The following information is displayed, which includes the key type (Symmetric) and key ID.
cmdlet New-MsolServicePrincipal at command pipeline position 1
Supply values for the following parameters:
Enter a display name of your choice.
DisplayName: Sainath-temp
The following information is displayed. You will need the highlighted information when you create the AIP integration connection.
The following symmetric key was created as one was not supplied
qWQikkTF0D/pbTFleTDBQesDhfvRGJhX+S1TTzzUZTM=

DisplayName : Sainath-temp
ServicePrincipalNames : {06a86d39-b561-4c69-8849-353f02d85e66}
ObjectId : edbad2f2-1c72-4553-9687-8a6988af450f
AppPrincipalId : 06a86d39-b561-4c69-8849-353f02d85e66
TrustedForDelegation : False
AccountEnabled : True
Addresses : {}
KeyType : Symmetric
KeyId : 298390e9-902a-49f1-b239-f00688aa89d6
StartDate : 7/3/2018 8:34:49 AM
EndDate : 7/3/2019 8:34:49 AM
Usage : Verify

Configuring AIP protection
Once you have retrieved the parameters needed for the connection, you can create the connection in the Azure AIP page.

To enable AIP configuration:

Go to Administration > Enterprise Integration.
Select Data Classification.
If the Azure Information Protection tab is not displayed, click it.
Click the toggle to enable Azure Information Protection configuration.
Once AIP configuration is enabled, the Authorize button appears for you to access Azure information. (If you have authorized previously, the button is labeled Re-Authorize.)
When the Microsoft login page appears, follow the prompts to enter your Microsoft login credentials.

Syncing labels
When a cloud application is onboarded in CASB, you can create new policies or assign policies in Azure. You can sync Azure labels instantly from the AIP Configuration page. These labels will be listed with the policy information in the Management Console.
To sync labels:

Go to Administration > Enterprise Integration > Data Classification > Azure Information Protection.
Click the Sync icon at the right above the list of labels to obtain the most recent Azure labels.
When the sync is completed, the newly added labels are displayed, and are ready to be assigned.
The date of the last sync action appears next to the Sync icon.

Label information
Labels are listed in a table in the lower part of the AIP Configuration page. For each label, the list includes the label name, description, and active status (true=active; false=not active). Depending on how the label was configured, the table might include additional details (AIP Tooltip), a sensitivity level, and the label’s parent name.
To search for a label in the list, enter all or part of the label name in the Search box above the list, and click the Search icon.

Creating a policy with RMS protection
Once you have created an AIP connection, you can create or update a policy to include RMS protection for your documents. Perform the following steps to create a policy for RMS protection. For more information about options for policy types, content rules, and context rules, see Configuring Juniper Secure Edge CASB for policy management.

Create a policy.
Enter a name and a description for the policy.
Select content and context rules for the policy.
Under Actions, select RMS Protect.
Select a notification type and template.
Select an RMS template for the policy. The template you select applies specific protections to the documents. Examples of predefined templates include those listed here. You can create additional templates as needed.
● Confidential \ All Employees — Confidential data that requires protection, which allows all employees full permissions. Data owners can track and revoke content.
● Highly Confidential \ All Employees — Highly confidential data that allows employees view, edit, and reply permissions. Data owners can track and revoke content.
● General — Business data that is not intended for public consumption but that can be shared with external partners as required. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication.
● Confidential — Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data.
Confirm the policy information and save the policy.
When users open a protected document, the policy will apply the protections specified in the RMS protection action.

Creating additional RMS policy templates

Log in to the Azure portal.
Go to Azure Information Protection.
Verify that the service is active by reviewing the protection activation status.
If the service is not activated, select Activate.
Enter a name (label) for the template you want to create.
Select Protect.
Select Protection.
Select Azure (cloud key) to use the Azure Rights Management service for protection of documents.
Select Add Permissions to specify user permissions.
From the Select from List tab, choose either
● <organization_name> – all members, which includes all users in your organization, or
● Browse directory to search for specific groups.
To search for individual email addresses, click the Enter Details tab.
Under Choose Permissions from preset or custom, select one of the permission levels, then use the check boxes to specify the types of permissions.
Click OK when you are finished adding permissions.
To apply the permissions, click Publish, then click Yes to confirm.

The template is added to the dropdown list for the RMS Protect action.
Integration with Titus

Go to Administration > Enterprise Integration > Data Classification.
Click the Titus tab.
Click the Titus toggle to enable integration.
Click Upload Schema and select the file containing the data classification configurations.

Creating and managing user directories
The User Directory page (Administration > Enterprise Integration > User Directory) displays information about user directories you can create and manage.

For each directory, the page shows the following information:

Cloud Name – The cloud application using the directory.
Cloud Type – The type of directory:
- Manual upload — The manual upload directory contains details for your cloud application users and the user groups to which they belong. These details are stored in a CSV file. By identifying user groups and their users, administrators can more easily control or monitor their access to data. You can create and configure multiple manual upload user directories.
- Azure AD — The cloud directory uses Azure Active Directory functionality to monitor user information and access. Azure AD directory information is displayed for each cloud application. In addition, you can create and configure one Azure AD directory.
Users – The current count of users in the directory.
User Groups – The current count of user groups in the directory.
Created Date – The date and time (local) on which the directory was created.
Uploaded CSV (manual upload directories only) –The name of the uploaded CSV file that contains the user and user group information.
Last Synced (cloud and administrator-created Azure AD directories only) – The date and time (local) on which the last successful directory sync occurred.
Last Sync Status (cloud and administrator-created Azure AD directories only) – The status of the last sync action, either Success, Failed, or In Progress. If the status is Failed, try the sync again later. If the sync continues to fail, contact your administrator.
Actions – The actions you can take for the directory.

Cloud and administrator-created Azure AD directories only — Sync the directory content to retrieve the latest information.
Manual upload directories only — Export CSV files for the directory.
Administrator-created Azure AD and manual upload directories only — Delete the directory.
The following sections provide information about creating and managing manual upload and Azure AD user directories.
Manual upload user directory
Perform the steps in the following sections to create and manage a manual upload directory.
Creating a new manual upload directory

Go to Administration > Enterprise Integration > User Directory and click New.
Select Manual Upload from the Select Source dropdown list.
Enter a Name and a Description for the directory.The Select File button becomes active and the option to download a sample CSV file is displayed.
You can download the sample file to create a directory or use a blank CSV file of your own.
The CSV file must use the following format:
● First column — First name of cloud user
● Second column — Last name of cloud user
● Third column — Email ID of cloud user
● Fourth column — User group(s) to which the cloud user belongs. If the user belongs to multiple groups, separate the name of each group with a semicolon.
The sample file available for download is preformatted with these columns.
Once you have finalized the file with the needed user information, click Select File to upload it.
The file name appears above the Save button, and the Save button becomes active.
Click Save. The uploaded CSV file is added to the User Directory list.

Exporting a manually uploaded CSV file

In the Action(s) column, click the Export icon for the CSV file you want to export, and save the file to your computer.

Deleting a manually uploaded CSV file

In the Actions column, click the trash can icon for the file you want to delete, and click Yes to confirm the deletion.

Azure AD user directory

Perform the steps in the following sections to create and manage an Azure AD directory.

Creating a new Azure AD user directory
If no administrator-created Azure AD user directory exists, you can create one. If an administrator-created AD user directory already exists, you must delete it before another one can be created.

In the User Directory page, click New.
Select Azure AD from the Select Source list.
Enter a Name (required) and a Description (optional) for the directory.
Click Authorize.
An Azure AD creation successful message appears.

After the directory is created, you can perform a sync to retrieve the latest information.
Syncing an Azure AD user directory

In the Actions column, click the Sync icon for the Azure AD directory you want to sync.
A sync scheduled message appears at the bottom right corner of the page.
If the sync is successful, the date in the Last Sync column is updated, and the Sync Status shows a status of Success.

Configuring logs

You can configure the level of information for each log along with log file size and organization.
You can select different settings for each item and change them at any time based on your system activity and the type of information you need to track and analyze. Because much of the system activity takes place within nodes, you might need to provide more detail and greater log file capacity for the Node Server.
Note
Log levels apply only to Juniper classes, not to third-party libraries.
Perform the following steps to configure log settings.

Go to Administration > Environment Management.
Select the on-premise connector environment for which to apply log configuration settings.
Click the Log Configuration icon.
Click the Log Configuration Override toggle to display the log settings.

Enter or select the following settings.

Field	Description
Log Level	Log Level refers to the type of content and level of detail included in logs. The options (in increasing level of detail) are: ▪ Warn — Includes only errors or warnings of actual or possible problems. ▪ Info — Includes informational text about system processes and status, along with warnings and errors. ▪ Debug — Includes all informational text, warnings and errors, and more detailed information about system conditions. This nformation can aid in diagnosing and troubleshooting system issues. ▪ Trace — The most detailed level of information. This information can be used by developers to focus on a precise area of the system. Select a log level.
Number of Log Files	The maximum number of files that can be maintained. When this number is reached, the oldest log file is deleted.
Log File Max Size	The maximum size allowed for a single log file. When the maximum file size is reached, the file is archived, and information is stored in a new file. Each of the remaining logs is renamed to the next higher number. The current log is then compressed and renamed log-name.1.gz. A new log is started with log-name. So, if the maximum is 10, log-name.9.gz is the oldest file, and log-name.1.gz is the newest non-active file.

Click Save.

Creating and managing notifications and alerts

CASB provides a flexible and comprehensive set of tools for creating notifications for policy enforcement and communication of critical messages regarding protection of data. You can create notifications for a variety of data security needs and cloud applications, devices, and network environments. You can then apply those preconfigured notifications to multiple inline and API access policies. Because notifications are created separately from policies, you can apply notifications consistently across policies and customize them conveniently as needed.
You can also view an audit trail of past notifications and export this information for historical purposes.
Notifications are created and managed from these areas in the Management Console:

Administration > Enterprise Integration > Notification Channels for creating channels used by cloud applications
Administration > Notification Management for creating templates and building notifications with the appropriate templates and channels
Administration > System Settings > Alert Configuration for setting threshold values to receive email notifications

The workflow for creating notifications includes these steps:

Create channels to define the communication method for issuing a notification.
Create templates to specify the text and format for the notification.
Create the notification itself, which includes the channel and the template needed for the notification.
Once you have created a notification, you can apply it to the appropriate policies.

Creating notification channels
Notification channels define how the notification will be communicated. CASB provides several types of channels for various notification types. Channels are available for email notifications, messages on Slack cloud applications, and marker files.
The Notification Channels page (Administration > Enterprise Integration > Notification Channels) lists the notification channels that have been created.
To view details for a channel, click the eye icon to the left of the channel name. To close the details view, click Cancel.
To filter the columns displayed, click the Filter icon at the upper right, and check the columns to hide or show.
To download a CSV file with a list of channels, click the Download icon at the upper right.
To create a new notification channel:

Go to Administration > Enterprise Integration > Notification Channels and click New.
Enter a Name (required) and a Description (optional but recommended) for the new channel.
Select a notification type. The options are:
● Email (for notifications as email)
● Proxy (for proxy-related notifications)
● Slack (for notifications pertaining to Slack applications)
● ServiceNow Incident (for notifications pertaining to ServiceNow)
● Marker (for notifications as marker files)
Select the Slack Incident or ServiceNow type, the Cloud Name field appears. Select a cloud application to which the channel will apply.
Save the channel.

Creating notification templates
Templates define the text and format of a notification. Most templates offer an HTML or plain text format option and offer base text that you can customize.
The Templates tab on the Notifications page (Administration > Notification Management) lists predefined templates and enables you to create additional templates.
You can define the following attributes for each template:

Name — The name by which the template will be referenced.
Type – The action or event for which the template is used. For example, you can create templates to notify users about Slack messages or to send email notifications about alerts or jobs completed.
Subject — A brief description of the template’s function.
Format — The format of the template for the application, connector, or function. Options include Email, Slack (format and channel), ServiceNow, SMS, Proxy, Reporting, and configuration changes.
Updated On — The date and time on which the template was created or last updated.
Updated User – The email address of the user to which the template applies.
Actions – Options for modifying or deleting a template.

To create a new notification template:

Go to Administration > Notification Management.
Click the Templates tab and click New.
Enter a Name (required) and a Description (optional).
Select a template Category. This is the type of action, event, or policy for which the template will be used.
Select a Format for the template. The formats available depend on the category you chose in the previous step. In this example, the formats listed are for the Cloud Access Policy category.
Select a notification Type. The options listed depend on the format you chose in the previous step.
Enter the content for the template in the text area at the right. Scroll down to the areas where you want to enter content.
Select any variables you want to use from the list at the left. Place the cursor at the point where the variable should be inserted and click the variable name. The list of available variables will vary depending on the format and type of template you are creating.
If you are creating an email template, select HTML or Text as the delivery format, and enter a subject.
Click Preview at the upper right to see how your template content will be displayed.
Save the template.

Creating notifications
Once you have created notification channels and templates, you can create the actual notifications that can be applied to policies. Each notification uses a selected channel and template and is distributed according to the frequency you specify.
To create a new notification:

Click the Notifications tab and click New.
Enter a Name (required) and a Description (optional).
Select a notification Category.
Select a Notification Channel.
Select a Notification Template. The templates in the dropdown list depend on the channel you selected in the previous step.
Depending on the notification channel you selected, you will be prompted to enter additional information. Here are two examples:
● For an email channel:
● Select an email template, then check the types of recipients. If you checked Others, enter recipient names separated by commas.
● Select a notification frequency – Immediate or Batched. For Batched, select a batch frequency and a time interval (minutes or days).
● For a Slack channel:
● Select a notification template.
● Select one or more Slack channels.
Save the notification.
The new notification is added to the list.

Creating activity alerts
You can create activity alerts for onboarded (managed) cloud applications and for cloud discovery.
For managed cloud applications

For each managed-cloud alert, the Activity Alerts page shows:

Name — The name of the alert.
Activity – The type of activity to which the alert applies.
Notification — The name of the associated notification for this alert.
Updated on — The date and time on which the alert was updated. The time is based on the Time Zone setting configured in the System Settings page.
Updated by – The valid username for the user who last updated the alert, or a system update.
Status – A toggle that indicates the status of the alert (active or inactive).
Actions – An icon that, when clicked, enables you to edit information about the alert.

To view the details for an alert, click the icon to the left of the alert name.
Click Cancel to return to the list view.
For cloud discovery

For each cloud-discovery alert, the Activity Alerts page displays the following information:

Name – The name of the alert.
Updated on – The date and time at which the alert was last updated. The time is based on the time zone setting configured in the System Settings page.
Updated by – The valid username of the user who last updated the alert, or a system update.
Notification – The name of the associated notification.
Status – A toggle that indicates the alert status (active or inactive).
Actions – An icon that, when clicked, enables you to edit information about the alert.

To view the details for an alert, click the icon to the left of the alert name.
Click Cancel to return to the list view.

Types of alerts
For onboarded cloud applications, three types of alerts can be created:

Cloud Activity, which includes alerts about content activity on the cloud application you specify
External System Connectivity, which includes alerts involving your configurations for external connectivity (enterprise DLP, log agent, or SIEM).
Tenant Activity, which provides alerts for anomalies (geolocations, authentications, content deletion, downloads by size and by count) and changes cloud to risk scores.

Creating alerts for managed cloud applications

Go to Monitor > Activity Alerts.
In the Managed Clouds tab, click New.
Enter an Alert Name.
Select an Alert Type.
a. For Cloud Activity alerts, enter or select the following information:● Cloud Account — The cloud application for the alert.
● Activity — Check the boxes for one or more activities. ● Filters — Select the filters for this alert activity type. o For Time Window, select a day and time range in which the activity occurs.
o For Threshold, enter the number of events, the duration, and time increment (Mins or Hours) for this activity (for example, 1 event every 4 hours).o The Aggregate Alert Counts toggle is enabled by default, which indicates that threshold aggregation occurs at the cloud application level. To enable activity count aggregation at the individual user level, click the toggle to disable it.
o For User Groups:
o Click in the box to the right.
o Double-click the directory name.
o Select a group from the list that appears and click the arrow to move it to the Selected Groups column.
o Click Save.
o To specify more than one filter, click the + button and select another filter.
● Notifications — Select a notification to send with this alert. The options are based on the notifications you created.
b. For External System Connectivity alerts, select the following information:● Services – Check the boxes for one or more services, including Enterprise DLP, Log Agent, and SIEM.
● Frequency – Select Once or Send Reminders. For Send Reminders, enter a reminder quantity and time increment (day or hour). For example, 2 reminders per day.● Notifications – Select a notification from the list.
c. For Tenant Activity alerts, select the following information:
● Activity Type – Select an activity, either Anomaly or Risk Score Change.
For Anomaly, select one or more anomaly types to include in notifications.● Filters – Select Time Window. Then select a day and time range in which the activity occurs.● Notifications – Select a notification to use for the alert.

Creating alerts for Cloud Discovery

Click the Cloud Discovery tab and click New.
Enter the following information:
Enter a Name for the alert.
Select a Content Type.
● Users — Enter one or more valid user email addresses for users to be included in the alert. Separate each email address with a comma. Click Save.
● User Groups — Check one or more user groups, or check Select All. Click Save.
● Cloud Risks — Check one or more cloud risk levels.
● Cloud Category — Check one or more cloud application categories, for example, Cloud Storage or Collaboration.
● Total Bytes Threshold — Enter a number (in kilobytes) that represents the size threshold for triggering an alert. Then, enter a duration quantity and interval.
● To specify more than one content type, enter the information in the second dropdown list. To specify additional content types, click the + icon at the right, and enter the information in the additional dropdown lists.
Select a Notification for the type to be used when the alert is sent.
Save the alert.

Configuring notification and alert options in System Settings
You can configure threshold values for email notifications, and configure logos for templates, from System Settings.
Selecting alert configurations

Go to Administration > System Settings > Alert Configuration.
Click Create an Alert.

In the Alert Configuration window, enter the following information:

Field	Description
Event Name	The type of event that generates the alert. The options are: ▪ CPU ▪ Memory ▪ Disks ▪ Threads ▪ Service Down ▪ Login Failure ▪ Certificate Event ▪ Service Up ▪ Key Creation ▪ Node Management ▪ Node State Change ▪ User Management ▪ Connector Management ▪ Node Communication Action ▪ Environment Management
Trigger value/Greater or Less Note Alerts fall into two categories: ▪ those driven by thresholds being crossed, and ▪ those driven by events that occur. This setting pertains to alerts for thresholds. It does not apply to the strict occurrence of events such as a login failure or the creation of a key.	The limit for an event which, if more or less than specified value, triggers an alert. For example: ▪ If the value for CPU is greater than 90, and system CPU usage goes up to 91%, an alert is triggered. ▪ If the value for CPU is less than 10%, and the system CPU usage drops to 9%, an alert is triggered. Alert notifications are sent to the specified recipient. If you selected Show on the Home page, the alert is listed on the Management Console dashboard. Although administrators are typically most often interested in events that indicate greater-than status, sometimes you might want to know when events drop below the trigger to indicate a possible problem (for example, no activity appears to be taking place).
Environments	The environments to which the alert applies. You can choose specific environments or all environments.
Connectors	If connectors are available, only alerts related to those connectors and their associated applications will be visible.

Field	Description
Email list	The email addresses of those who should receive the alert notifications. The most common recipient is the system administrator, but you can add other addresses. Enter each recipient email address, separating the addresses by commas. System Administrator and Key Administrator will include all users with the matching role. This list can be empty if you only want it to show in the Alert Messages section of the Management Console.
Alert interval	How often the alert should be sent. Select a number and type of interval (hour, minute, or day). Select 0 to get all instances of an event type, such as Key Creation.
Show Alerts	Click the toggle button to enable alerts to be listed in the Alert Messages section of the Management Console dashboard. You might want to use this option for alerts relating to more serious conditions. Those alert messages will be seen on the dashboard whenever the Home page is displayed.
Description	Enter a description of the alert.

Save the configuration.

Editing an alert configuration
You can edit information about an alert if the conditions related to the alert have changed — for examplif the severity of the alert has increased or decreased, the condition applies to more or fewer environments, or you need to modify recipient email addresses or the alert description.

From the System Settings page, choose Alert Configuration.
Select the alert configuration you want to edit.
Click the pencil icon.
In the Alert Configuration dialog box, modify the alert information as needed.
Click Save.

Deleting an alert configuration
You can delete an alert configuration if the related event no longer applies, or if you do not need to monitor the event.

From the System Settings page, choose Alert Configuration.
Select the alert you want to delete.
Click the trash can icon.
When prompted, confirm deleting the alert.
Click Save.

Configuring Juniper Secure Edge CASB for policy management

The policy management options provided by Juniper Secure Edge enable you to protect the sensitive data stored in your organization’s sanctioned and unsanctioned cloud applications. In addition, the Juniper Secure Edge’s Secure Web Gateway enables you to set policies to monitor web traffic in your organization and limit access to specific sites or categories of sites.
Through the CASB policy engine in Juniper Secure Edge, you can control access to information by specifying the conditions under which users can access, create, share, and manipulate data, and the actions to address violations of those policies. The policies you set determine what is protected and how. CASB enables you to configure your security settings to create policies that will protect data stored in multiple cloud applications and devices. These configurations streamline the process of creating and updating policies.
In addition to protecting data, CASB supports Optical Character Recognition (OCR), which can detect sensitive information in image files that have been uploaded to a cloud using Optical Character Recognition (OCR). For example, a user might have uploaded a photo, a screen shot, or other image file (.png, .jpg, .gif, and so on) that shows a credit card number, social security number, employee ID, or other sensitive information. When creating policies, you can enable the OCR option (a checkbox), which will apply protection actions to image files. OCR can be enabled in policies for cloud applications with API protection modes.
OCR protection can also be applied to policies for files that include images; for example, a PDF or a Microsoft Word file that includes one or more images within the file.

Policy configuration and creation workflow
Policy management in Juniper Secure Edge includes several configuration steps that enable efficient and consistent creation of policies. You can apply these configurations to protect data stored in multiple cloud applications and on a variety of devices and monitor web traffic.
Policy management in Juniper Secure Edge includes several configuration steps that enable efficient and consistent creation of policies. You can apply these configurations to protect data stored in multiple cloud applications and to monitor web traffic.

Create content rule templates
Create Content Digital Rights templates
Configure file type, MIME type, and file size for exclusion from scanning
Configure folder sharing
Set number of folder sublevels for DLP scanning
Configure default policy violation actions
Configure tenant-level default TLS-intercept settings
Enable user coaching as a secondary action in a policy
Enable continuous (step-up) authentication as a secondary action in a policy
Create policies: API Access

The following sections outline these steps.
Create content rule templates
Content rules identify the content to apply to a policy. Content can include sensitive information in a file, such as usernames, credit card numbers, Social Security numbers, and file types.
For DLP rules, you can create templates that include sets of content rules and apply one of those templates to one or more policies. With content rule templates, you can classify content based on more than one context. Because content rules are configured as a separate process from policy creation, you can save time and enable consistent content information in all of the policies you create.
The content rule templates provided with the product, and those you create, are listed in the Content Rule Management page.
The Content Rule Management page has three tabs:

Document Rule Templates — Specifies overall rules to apply to documents.
DLP Rule Templates — Specifies DLP rules. When customers create a document rule template, they select a DLP rule if the document template is applied to DLP policies. You can use any of the templates provided with the product or create additional templates.
Data Types — Specifies data types to apply to this rule. You can use any of the data types provided with the product or create additional data types.

Perform the steps in the following procedures to create additional data types and templates for configuring content rule management.
Creating new data types

Click the Data Types tab and click New.
Enter a Data Type Name (required) and a Description (optional) for the data type.
Select a data Type to apply. Options include Dictionary, Regex Pattern, File Type, File Extension, File Name, and Composite.
Click Next.
Enter additional information for the data type you selected.
● Dictionary
● Regex Pattern
● File Type
● File Extension
● File Name
● Composite
● Exact Data Match
Click Next to review a summary for the new data type.
Click Confirm to save the new data type, or Previous to make any corrections or updates.

You can configure data types as follows.
Dictionary
Use the Dictionary data type for plain text strings.
Select either Create Keyword or Upload File.

For Create Keyword – Enter a list of one or more keywords; for example, account number,account ps,american express,americanexpress,amex,bank card,bankcard
For Upload File – Click Upload a File and select a file to upload.

Regex Pattern
Enter a regular expression. For example: \b$?([0-9]{3})$?[-.\t ]?([0-9]{3})[-.\t ]?([0-9]{4})\b
File Type
Check the boxes to select one or more file types or check Select All. Then click Save.

File Extension
Enter one or more file extensions (for example, .docx, .pdf, .png) Click Save.
File Name
Enter one or more file names (for example, PII, Confidential) Click Save.
Composite
You can select two Dictionary data types, or one Dictionary type and one Regex Pattern type.

If you select two Dictionary types, a Proximity option appears for the second Dictionary type. This option enables a match count of up to 50 words. No Exception option is available. Enter a Match Count and a Proximity value for the second Dictionary type.
- If you select one Dictionary type and one Regex Pattern type, enter a Match Count of up to 50 words and a Proximity value.

(Optional) To enter any exceptions, click in the Token Whitelist text box and enter one or more token keywords. Separate each item with a comma. Click Save to close the text box.
Exact Data Match
Exact data matching (EDM) allows CASB to identify data in records that matches criteria you specify.
As part of managing data types, you can create an EDM template using a CSV file with sensitive data for which you can define the matching criteria. You can then apply this template as part of a DLP rule in API policies.
Perform the following steps to create an exact data match type and apply DLP rule information.

Step 1 — Create or obtain a CSV file with the data to use for matching.
In the second row of the file, map the column headers with data types in CASB. This information will be used to identify the data types that will be matched. In this example, the Full Name column is mapped to the data type Dictionary, and the remaining column headings are mapped to the data type Regex.

Step 2 – Create a new data type — Exact Data Match.

Click the Data Types tab and click New.
Enter a Name (required) and a Description.
Select Exact Data Match as the Type.
Click Next.
Click the Pre-Indexed toggle if sensitive data in the CSV file you are uploading has been hashed previously. For files without previous hashing, the data will be hashed when the file is uploaded.If you want to perform hashing on a file before you upload it, use a data hashing tool provided with CASB. Go to Administration > System Settings > Downloads and select the EDM Hashing Tool. Download the tool, install it, and apply data hashing to the file.
Click Upload and select the CSV file to use for the data match. To see a sample file, click Download Sample.The uploaded file name is displayed. To remove it (for example, if you uploaded an incorrect file or want to cancel the procedure), click the trash can icon.
Note
You can replace the uploaded file later as long as the fields in the file are not changed.
Click Next.
A table is displayed that shows the source file name, the number of records it contains, and the number of data types it includes.
Click Next, review the summary information, and save the data type. You will use this data type in the next step.

Step 3 – Create a new DLP Rule template to configure the data matching properties.

In the DLP Rules tab, click New.
Enter a Rule Name (required) and a Description (optional).
Select Exact Data Match as the Rule Type and click Next.
Select Custom Content Rule as the Rule Template.
For Exact Data Match, select the EDM data type you created previously. The fields and mapped data types from the CSV file you uploaded previously are listed with a weightage option for each field.
Select a weightage for each field. The weightages you choose are used along with the number of fields to match to determine if a record is considered a match. The options are:
● Mandatory – The field must be matched for the record to be considered a match.
● Optional – The field serves as “padding” when determining if a record is matched.
● Exclude – The field is ignored for matching.
● Whitelist – If one or more fields are whitelisted, the record is whitelisted and not considered a match even if it meets all other matching criteria.
Select the matching criteria for field matching, record matching, and proximity.● For Minimum Number of Fields to Match, enter a value that equals or exceeds the number of fields with a mandatory weightage and equals or is less than the number of fields with an optional weightage. This is the number of fields that must match for this rule. For example, if you have four fields with a mandatory weightage and three fields with an optional weightage, enter a number between 4 and 7.
● For Minimum Number of Records to Match, enter a value of at least 1. This number represents the minimum number of records that must be matched for the content to be considered in violation.
● For Proximity, enter a number of characters that represents the distance between fields. The distance between any two matching fields must be less than this number for a match. For example, if the Proximity is 500 characters:
● The following content would be a match because the proximity is fewer than 500 characters: Field1value + 50 characters+Field3value + 300 characters + Field2value ● The following content would not be a match because the proximity is greater than 500 characters:
Field1value + 50 characters+Field3value +600 characters + Field2value
Click Next.
Review the summary and save the new DLP rule.

You can now apply this DLP rule to inline or API Access policies.
Creating new DLP rule templates

Click the DLP Rule Templates tab and click New.
Enter a Rule Name (required) and a Description (optional).
Select DLP Rules as the rule type and click Next.
Select a Rule Template from the dropdown list. Then, perform either of the following steps.
a. If you selected the Custom Content Rule template, select a Rule Type and the accompanying value for that type. The options are:
● Composite — Select a unique name (for example, VIN, SSN, or Phone).
● Dictionary – Select a keyword list (for example, US: SSN) and a match count.
● Regex Pattern – Select a regular expression (regex pattern) and a match count.
The match count can be any value between 1 and 50. The match count indicates the minimum number of violating tokens to be considered for a violation.
Whatever match count you specify, the DLP engine detects up to 50 violating tokens and takes the actions you have configured (for example, highlighting, masking, redacting, and so on).
Note: If you select Dictionary, for XML files the attribute you choose must have a value for the DLP engine to recognize it as a match. If the attribute is specified but has no value (example: ScanComments=””), it does not match.
b. If you select a predefined rule template, the Rule Type and values are filled in.
Click Next and review the summary information for the DLP rule template.
Click Confirm to create and save the new template or click Previous to make any corrections needed.

If a template is deleted, the indicated action will no longer be allowed unless the associated policies are disabled or replaced with a different template.
Creating new document rule templates

Click the Document Rule Template tab and click New.
Enter a Rule Name (required) and a Description (optional).
To include Optical Character Recognition (OCR) for API access policies, click the Optical Character Recognition toggle.
Click Next.
Enter or select the following information as needed for your template. For each information type to include, click the toggle to enable it.
● File Metadata – Enter a range of file sizes to include. Then select file information from the default data types provided with the product, or any data types you created in the Data Types tab.● File Size Range – Enter a range of file sizes to include in scanning.
Note: DLP and malware scanning are not performed on files larger than 50 MB. To be sure that DLP and malware scanning are available, enter range sizes of 49 MB or smaller in both fields.
● File Type – Select a file type (for example, XML). This option is disabled when minimum and maximum file sizes are 50 MB or larger.
● File Extension – Select a file extension (for example, .png).
● File Name – Select File Name to specify the exact file name or select Regex Pattern to select a regular expression. In either case, use the drop-down menu to select the value for the policy to find and scan. This may be a predefined data type, or one that you created on the Data Types tab.
● Data Classification● Select a classification label – Microsoft AIP or Titus. Then, enter a label name.● (Optional) Click the + sign at the right to include both classification labels.
● Watermark ● Enter text for a watermark.
Note
For OneDrive and SharePoint applications, watermarks are not locked and can be removed by users.
● Content Matching Rule ● Select a DLP rule type from the list.
Click Next and review the summary information.
Click Save to confirm the template, or Previous to make any corrections.
The template can now be applied to policies you create.

Create Content Digital Rights templates
Content Digital Rights configurations provide streamlined template management for efficient and consistent application of content classification, customization, and protection options. Templates for content digital rights can be created and the settings applied to multiple policies. The templates can be accessed and managed through a Content Digital Rights page under the Protect menu in the Management Console.
Content Digital Rights captures all aspects of content classification and protection, in these components.
Where encryption is applied, documents will be tracked by the CDR ID used to encrypt, instead of the ID of the policy that is triggered for encryption.
Once a CDR template is created, it can be modified as needed, but cannot be deleted as long it is still being used.

Steps for creating CDR templates
Once CDR templates are created, they can be applied to multiple policies as needed.

Go to Protect > Content Digital Rights and click New.
Enter a Name (required) and a Description (optional) for the CDR template.
Select the Type of documents to which this template will apply:
● Structured — Policy applies to structured objects.
● Documents with Encryption — Policy applies to documents to be encrypted.
● Documents without Encryption — Policy applies to documents that are not to be encrypted.
Click Next to add CDR elements.
For each component to include, click the toggle to enable it.
● Watermark Text
Enter the text for the watermark. Then, select the formatting options for the watermark.
● Token Obscurity
Select Mask, Redact, or Document Highlighting.
IMPORTANT
The Mask and Redact actions permanently delete the selected characters, to prevent unauthorized leaks of data. Masking and redaction cannot be undone once a policy is saved.
Notes regarding API policy enforcement for Redact, Mask, Watermark/Encrypt actions
In Salesforce reports (Classic and Lightning versions), the Mask action is not applied to report name, filter criteria, and keyword search. As a result, these items are not masked in the report object.
When an API Protect policy is created with Redact/Mask/Watermark/Encrypt as an action, the policy action is not taken if a file created in Google Drive is renamed and then updated with DLP content.
● Encrypt
If the policy will provide an encryption action, select these items to apply specific directions for encryption:
● An encryption key.
● Content expiration – by date, by time, or no expiration.
● If you selected By Date, select a date from the calendar.
● If you selected By Time, select minutes, hours, or days, and a quantity (for example, 20 minutes, 12 hours, or 30 days).
● An offline access option.
● Always (default)
● Never
● By Time. If you select By Time, select hours, minutes, or days, and a quantity.
Add permission objects, which define the scope (internal or external), users and groups, and permission levels.
a. Click New and select permission options.b. Scope — Select Internal or External.
c. Type –
● For Internal scope, select Users, Groups, or Recipients.
● For External scope, select Users, Domains, or Recipients.
Note
The Recipients type applies only to cloud applications that have the Email protection mode selected when the cloud is onboarded.
Depending on the Type you choose, the next field will be labeled as follows.
● For Internal scope, either Users (for users) or Source (for groups). If you selected
Recipients, this next field does not appear. If you selected Source, check the names of groups to include.
● For External scope, either Users (for users) or Domains. If you selected Recipients, this next field does not appear.
Enter or select the user, source, or domain information.
● For Users (Internal or External scope) – Click the pen icon, choose All or Selected. For Selected, enter one or more valid user email addresses, each separated by a comma. Click Save.
● For Source (Internal scope) – Select a source for the group or groups. From the Groups List box that appears, check one or more groups, or all groups. Click Save.
● For Domains (External scope) – Enter one or more domain names.
Permissions – Select Allow (full permissions) or Deny (no permissions).
Click Save. The permission object is added to the list.
Click Next to view a summary of the CDR template and click Confirm to save it. The template is listed on the Content Digital Rights page. When you assign this template to policies you create, those policy names will appear in the Assigned Policies column.

Configure file type, MIME type, and file size for exclusion from scanning
In hosted deployments, you can specify the file types, MIME types, and sizes of files to be excluded from data scanning. You can specify scanning exclusions for DLP policy types, and for exclusion by the CASB scan engine during malware scanning.
To configure exclusions, go to Administration > System Settings > Advanced Configuration and click the Content Settings tab. Then, perform the following steps for CASB DLP exclusions, CASB scan engine exclusions, or both.

Exclusion from scanning by Juniper DLP engine
Click the toggle for each exclusion you want to set.
File type
Review the default file types shown and delete those you want to exclude. Because excluded files are not scanned, response time for loading them is faster. For example, rich-media files such as .mov, .mp3, or .mp4 load faster if they are excluded.

MIME type
Enter any MIME types to be excluded (for example, text/css, application/pdf, video/.*., where * acts as a wildcard to indicate any format). Separate each MIME type with a comma.

File size
Enter a file size (in megabytes) that will serve as the threshold for files to be excluded. Or accept the default value of 200 MB. Any files larger than this size are not scanned. A value greater than zero is required. The maximum value allowed is 250 MB.

Exclusions from scanning by the CASB scan engine
Click the toggle for each exclusion you want to set.
File type
Enter the file types to exclude. Because excluded files are not scanned, response time for loading them is faster. For example, rich-media files such as .mov, .mp3, or .mp4 load faster if they are excluded.

File size
Enter a file size (in megabytes) that will serve as the threshold for files to be excluded. Any files larger than this size are not scanned. A value greater than zero is required. The maximum value allowed is 250 MB.

Click Reset when finished.
Configure folder sharing for DLP scanning
You can opt to have DLP scanning performed automatically for files in shared folders.

Go to Administration > System Settings > Advanced Configuration and click the Content Settings tab.
Under Folder Sharing Configuration, click the toggle to enable automatic downloading of files in shared folders.

Set number of folder sublevels for scanning

Go to Administration > System Settings > Advanced Configuration and select the Content Settings tab.
Under Default Number of Sub Folders, select a number from the dropdown list. The number represents the level of subfolders that will be scanned. For example, if you select 2, data in the parent folder and two subfolder levels will be scanned.

Configure default policy violation actions
You can set a default violation action – either Deny or Allow & Log. The action that occurs depends on whether a match is found with an existing policy.

If a policy match is not found, CASB applies the default violation action using a policy called TenantDefaultAction. For example, if the default violation action is set to Deny, and no policy match is found, CASB applies a Deny action.
If a policy match is found, CASB applies the action from that policy, regardless of which default violation action is set. For example, if the default violation action is set to Deny, and CASB finds a matched policy with an action of Allow & Log for a specific user, CASB applies the Allow & Log action for that user.

To set a default policy violation action:

Go to Administration > System Settings > Advanced Configuration and click the Proxy Settings tab.
From the Default Violation Action dropdown list, select either Deny or Allow & Log, and click Save.

Creating policies for data protection and application security

For SWG and CASB, you can create policies that apply to one, some, or all cloud applications in your enterprise. For each policy, you can specify:

The types of information to which the policy should apply – for example, content that includes credit card or Social Security numbers, files that exceed a specific size, or files of a specific type.
The users or groups of users to which the policy should apply, the folders or sites, or whether files can be shared internally, externally, or with the public.
You can assign one or more protection modes to each cloud application you onboard. These protection modes enable you to apply the types of protection most needed for the data stored on those cloud applications.

You can also create policies that control access to keys that protect encrypted data. If access to a key is blocked by a policy, users cannot access that data protected by that key.
For SWG, you can create policies and apply them to control access to categories of websites, and specific sites.
Creation of a policy typically involves these steps:

Step 1. Enter a policy name and description.
Step 2. Select content rules for the policy. Content rules are the “what” of a policy – they specify the type of content to which rules should apply, and what rule types apply to the policy. CASB enables you to create content rule templates that can be applied to multiple policies.
Step 3. Select the cloud applications to which the policy should apply.
Step 4. Define context rules, actions, and notifications for the policy. Context rules are the “who” of a policy – they specify to whom the rules apply and when. Actions are the “how” and “why” of a policy – they specify what actions must occur to address violations of the policy.
Step 5. Confirm the policy. Save the policy settings and put the policy into effect.

Note about Slack cloud applications
When creating policies for Slack cloud applications, keep the following items in mind:

Remove Collaborator works only for the following content and context definition:
Content: NONE
Context: Member Type
Data Type: Structured
Addition of members to a channel is an independent event, which is not associated with messages, files, or any other event in the channel. (The group_add_user is the event type.)
The group_add_user contains no content. There is no structured or unstructured data.
Because files are org-level properties in Slack, they do not belong to any particular channel or workspace. As a result, you must select structured data as the event type.
Member Type context: By default, Slack is a sharing cloud, and uploading a file or sending a message to a channel is in itself a sharing event. As a result, a new context (apart from the existing sharing type) is available to help manage events for Slack cloud applications.

Note about Microsoft 365 cloud applications (OneDrive)

When files are uploaded to OneDrive, the Modified By field in OneDrive displays the name SharePoint App instead of the name of the user who uploaded the file.

Note about continuous authentication in policies
Continuous authentication must be enabled in the Management Console before it can be used in a policy.
For example, if you want to include continuous authentication as a secondary action in a policy, make sure that continuous authentication is enabled in the Management Console.
If continuous authentication is selected in a policy, it cannot be disabled in the Management Console.
Note about capturing events in the Slack thick app
To capture events in the Slack thick app in forward proxy mode, you must log out of both the application and the browser and log in again to authenticate.

Log out of all workspaces in the desktop Slack app. You can log out from the application grid.
Log out from the browser.
Log in to the Slack app again to authenticate.

The following sections provide step-by-step instructions for creating policies to meet your data protection needs.

Viewing policy lists
API Access policies

Viewing policy lists
From the Protect page of the Management Console, you can create and update policies, set their priorities, and update the rules that apply to them.
Depending on the type of policy, the policy list page includes tabs that display policies created for specific security and data protection needs.
API Access policies
Two options for API Access policies are available:

The Real Time tab lists policies created for real-time scanning. Most of the policies you create will be real-time policies.
The Cloud Data Discovery tab lists policies created for use with Cloud Data Discovery, which enables CASB to discover sensitive data (for example, Social Security numbers) through scheduled scans in your cloud applications and apply remediation actions to protect that data. Cloud Data Discovery can be used to perform scans for Box automated clouds.
For more information, see Cloud Data Discovery.

Creating API Access policies

Go to Protect > API Access Policy.
Make sure that the Real Time tab is in view. Then, click New.

Note
For DLP to work with Salesforce, you must have the following settings enabled in Salesforce:

Enable CRM must be enabled for all users.
Sharing settings must be other than Private.
For non-administrators, the Push Topics and API Enable permissions must be enabled.

Enter a Name (required) and a Description (optional).
Select a Content Inspection Type – None, DLP Scan, or Malware Scan. Then, configure the context and actions for the policy type.

API policies with DLP Scan or None as the content inspection type
API policies with Malware Scan as the content inspection type

API policies with DLP Scan or None as the content inspection type
If you choose DLP Scan as the content inspection type, you can select options for protection of several types of sensitive data for industries such as banking and health care. You must then select a policy template. For example, if you are creating a policy to encrypt all documents containing U.S. Social Security numbers, select Personal ID – US SSN as the policy template. If you are creating a policy to encrypt files of a specific type, select the file type as the policy template.
If you select None as the content inspection type, the DLP options are not available.

Click Next to select cloud applications, context, and actions.
Select the cloud applications for the policy.
You can apply additional context options specific to the cloud applications you select, depending on the options available for each application. For example:
● If you are creating a policy for a OneDrive account, you will not see the context option for sites because that option is unique to SharePoint Online.
● If you are creating a policy for SharePoint Online, you can select Sites as a context.
● If you are creating a policy for Salesforce (SFDC), Users is the only context type option available.
To select all cloud applications, check FileSharing. This option allows you to select only context definitions that are common across the cloud applications in your enterprise.
Under Content Scanning, check Structured Data, Unstructured Data, or both, depending on which cloud applications you are including in the policy.
● Structured data – Includes objects (for example, contact or lead tables used by Salesforce).
Structured data objects cannot be quarantined or encrypted, and remediation actions cannot be performed on them. You cannot remove public links or remove collaborators. If you did not choose a Salesforce cloud for this policy, this option will be disabled.
● Unstructured data – Includes files and folders.
Note For Dropbox applications, collaborators cannot be added or removed at the file level; they can be added or removed only on the parent level. As a result, the sharing context will not match for subfolders.
Do either of the following actions:
● If the content inspection type is DLP Scan —
● Select a Rule Template from the list. These are the templates you created previously (Protect > Content Rule Management). If the scanning type is Structured Data, the DLP rule templates are listed. If the scanning type is Unstructured Data, the document rule templates are listed.
● To enable scanning by an external DLP service, click the External DLP toggle. To perform EDLP scanning, you must have external DLP configured from the Enterprise Integration page.
● If the content inspection type is None —
● Go to the next step.
Under Context Rules, select a context type. Context rules identify to whom the policy is to be applied – for example, which cloud applications, users and user groups, devices, locations, or files and folders. The items you see in the list depend on the cloud applications you have selected for the policy.● Users – Enter the email IDs of the users to whom the policy applies or select All Users.
● User Groups – If you have user groups, they will be populated in a list. You can select one, some, or all user groups. To apply a policy to multiple users, create a user group and add the user group name.
User groups are organized into directories. When you select User Group as a context type, the available directories containing the groups are listed in the left column.
User groups can be helpful in defining rules for access to specific types of sensitive data. By creating user groups, you can limit access to that data to the users in that group. User groups can also be helpful in managing encrypted content – for example, the finance department might need the extra security of having some of its data encrypted and accessible only to a small group of users. You can identify these users in a user group.
Select a directory to view the user groups it contains. The user groups for that directory are displayed.
Select the groups from the list and click the right-arrow icon to move them to the Selected User Groups column and click Save. These are the groups to which the policy will apply.

To search for a directory or group, click the Search icon at the top.
To refresh the list, click the Refresh icon at the top.
Notes

If you select All user groups, the policy you are creating will apply to all new user groups you create in the future.
For Dropbox, only the Users and User Groups options are supported.
When selecting users for Salesforce, provide the user’s email address, not the Salesforce username. Make sure that this email address is for a user, not an administrator. The user and administrator email addresses should not be the same.
Folder (Box, OneDrive for Business, Google Drive, and Dropbox cloud applications only) –
For policies that pertain to OneDrive for Business, select the folder (if any) to which the policy applies. For policies that pertain to Box, enter the folder ID of the folder to which the policy applies.

Note
In OneDrive applications, only folders owned by administrator users are displayed in policies witha Folder context type.
Creating secure folder policies (Box cloud applications only) — A folder is treated as a secure folder when documents stored in it are encrypted. You can designate a secure folder by creating a secure folder policy. You might want to create such a policy if a folder was moved or copied and you want to be sure that the text in all of its files is encrypted, or if any network or service disruption occurred that might leave files in plain text.
To create a secure folder, set the context as Folder, the DLP Rule as None, and the action as Encrypt.
Secure folder audits — CASB audits secure folders every two hours, checking each one for files that have plain text. If content with plain text is found in any file, it is encrypted. Files that are already encrypted (.ccsecure files) are ignored during the audit. To change the audit schedule, contact Juniper Networks Support.

Folder Names – Enter one or more folder names.
Collaboration (Slack Enterprise) – For policies that pertain to Slack Enterprise, select the Slack Enterprise cloud application to which the policy applies. The following context rules are specific to Slack Enterprise cloud applications:
Users — All or Selected
Channels — Group chat and Channels shared at Org level
Workspaces — Workspaces (all Workspaces are listed, including non-authorized workspaces)
Sharing Type
Member Type — Internal / External
Sites (SharePoint Online cloud applications only) – For policies that pertain to SharePoint Online, select the sites, subsites, and folders to which the policy applies.

Note
When you select Sites as a context type for SharePoint cloud applications, you must enter the full site name to allow CASB to perform a successful search.

Sharing Type – Identifies who the content can be shared with.
External – Content can be shared with users outside your organization’s firewall (for example, business partners or consultants). These external users are known as external collaborators. Because sharing of content between organizations has become easier, this policy control can help you exercise greater control over what types of content you share with external collaborators.
If you choose a Sharing type of External, a Blocked Domain option is available. You can specify domains (such as popular email address domains) to be blocked from access.
Internal – Content can be shared with internal groups you specify. This policy control helps you exercise greater control over who within your organization can see specific types of content. For example, many legal and financial documents are confidential and should be shared only with specific employees or departments. If the policy you are creating is for a single cloud application, you can specify one, some, or all groups as shared groups by selecting the groups from the dropdown list in the Shared Groups field. If the policy applies to multiple cloud applications, the Shared Groups option defaults to All. You can also specify any shared groups as exceptions.
Private – Content is not shared with anyone; it is available only to its owner.
Public – Content is available to anyone inside or outside the company who has access to the public link. When the public link is active, anyone can access the content without a login.
File Sharing – Select External, Internal, Public, or Private. If there are any blocked domains for external sharing, enter the domain names.
Folder Sharing — Select External, Internal, Public, or Private. If there are any blocked domains for external sharing, enter the domain names.

6. (Optional) Select any Context Exceptions (items to exclude from the policy). If you selected the context types Sharing Type, File Sharing, or Folder Sharing, you can enable an additional option, Apply to Content Actions, to configure whitelisting of domains. Click the toggle to enable this option. Then, select Whitelist Domains, enter the applicable domains, and click Save.

7. Click Next.
8. Select actions. Actions define how policy violations are addressed and resolved. You can select an action based on the sensitivity of data and the severity of violations. For example, you might choose to delete content if a violation is serious; or you might remove access to the content by some of your collaborators.
Two types of actions are available:

Content actions
Collaboration actions

Content actions include:

Allow & Log – Logs file information for viewing purposes. Select this option to see what content is uploaded and what remediation steps, if any, are needed.
Content Digital Rights – Defines content classification, customization, and protection options. Select the CDR template to use for the policy.

Note regarding content actions that include watermarking:
For OneDrive and SharePoint applications, watermarks are not locked and can be removed by users.

Permanent Delete – Deletes a file permanently from a user’s account. After a file is deleted, it cannot be recovered. Be sure that policy conditions are being detected properly before you enable this action in production environments. As a rule, use the permanent delete option only for serious violations in which avoiding access is critical.
User Remediation – If a user uploads a file that violates a policy, the user is given a specified time to remove or edit the content that caused the violation. For example, if a user uploads a file that exceeds a maximum file size, the user can be given three days to edit the file before it is permanently deleted. Enter or select the following information.
Duration to Remediate — The time (up to 30 days) in which remediation must be completed, after which the file is rescanned. Enter a number and frequency for the remediation time allowance.
User Remediation Action and Notification –
- Select a remediation action for the content. The options are Permanent Delete (delete the content permanently), Content Digital Rights (comply with conditions included in the Content Digital Rights template you choose), or Quarantine (place the content in quarantine for administrative review).
- Select a notification type for informing the user about what action was taken on the file after the remediation time expired.

For more information about notifications, see Creating and managing notifications and alerts.
Note
Remediation is not available for cloud applications that store objects and records (structured data).

Quarantine – Quarantine does not delete a file. It restricts user access to the file by moving it to a special area to which only an administrator has access. The administrator can review the quarantined file and determine (depending on the violation) whether to encrypt it, delete it permanently, or restore it. The quarantine option can be used for files that you do not want to remove permanently, but that might require evaluation before further action. Quarantine is not available for cloud applications that store structured data.
AIP Protect — Applies Azure Information Protection (Azure IP) actions to the file. For information about applying Azure IP, see Azure IP.
Decrypt – For context type of folder, decrypts content for files when those files are moved to specific folders or when a file’s content is downloaded to a managed device, to specified users, groups, and locations, or to an authorized network. The Decrypt action is available only for policies with a content inspection method of None.

You can specify users or groups to be excluded from enforcement of the policy. In the field to the right, select the user or group names to exclude.
Notes

In the Exceptions list, blocked domains are called Whitelist Domains. If you have specified blocked domains, you can list domains to exclude from blocking.
For cloud applications that include unstructured data in the policy, several actions are available, including Allow & Log, Content Digital Rights, Permanent Delete, User Remediation, Quarantine, and AIP Protect.
For cloud applications that include only structured data, only the Log and Permanent Delete actions are available.
If the policy will apply to a Salesforce cloud application:
Not all available context and action options apply. For example, files can be encrypted, but not quarantined.
You can apply protection to both files and folders (unstructured data) and structured data objects.
Collaboration actions can be selected for Internal, External, and Public users. To select more than one user type, click the + icon at the right.Select an option for the user type(s).
Remove Shared Link – A shared link makes content available without a login. If a file or folder includes a shared link, this option removes shared access to the file or folder. This action does not affect the content of the file — only its access.
Remove Collaborator – Removes the names of internal or external users for a folder or file. For example, you might need to remove the names of employees who have left the company, or external partners who are no longer involved with the content. These users will no longer be able to access the folder or file.
Note For Dropbox applications, collaborators cannot be added or removed at the file level; they can be added or removed only on the parent level. As a result, the sharing context will not match for subfolders.
Limit Privilege – Limits the user action to one of two types: Viewer or Previewer.
Viewer enables the user to preview content in a browser, download, and create a shared link.
Previewer allows the user only to preview content in a browser.
The Limit Privilege action is applied on the file level only if the policy content is DLP. It is applied on the folder level if the policy content is NONE.

9. (Optional) Select a secondary action. Then, select a notification from the list.
Note If Remove Recipients is selected as a secondary action with external domains, the policy will act on all external domains if no domain values are entered. The value of All is not supported.
10. Click Next and review the policy summary. If the policy includes a Salesforce cloud, a CRM column will appear next to the FileSharing column.
11. Then, perform any of these actions:

Click Confirm to save and activate the policy. Once the policy is in effect, you can view policy activity through your dashboards on the Monitor page.
Click Previous to go back to previous screens and edit information as needed. If you need to change the policy type, do so before you save it, because you cannot change the policy type after you save it.
Click Cancel to cancel the policy.

Note
Once policies are created and violations are detected, it might take up to two minutes for violations to be reflected in dashboard reports.

API policies with Malware Scan as policy type

In the Basic Details page, select Malware Scan.
Select scanning options.Two options are available:
● Lookout Scan Engine uses the Lookout scanning engine.
● External ATP Service uses an external service you choose from the ATP Service dropdown list.
Click Next to select context options.
Select a Context Type. The options include Users, User Groups, Folder (for some cloud applications), Folder Names, Sharing Type, File Sharing, and Folder Sharing.
To include more than one context type in the policy, click the + sign to the right of the Context Type field.

Enter or select the context details for the context type(s) you chose.

Context type	Context details
Users	Enter valid usernames or select All Users.
User Groups	User groups are organized into directories. When you select User Group as a context type, the available directories containing the groups are listed in the left column. Select a directory to view the user groups it contains. The user groups for that directory are displayed. Select the groups from the list and click the right-arrow icon to move them to the Selected User Groups column and click Save. These are the groups to which the policy will apply.To search for a directory or group, click the Search icon at the top. To refresh the list, click the Refresh icon at the top.
Folder	Select folders to be included in the policy actions.

Context type	Context details
Folder Names	Enter the names of folders to be included in the policy actions.
Sharing Type	Select a scope for sharing: ▪ External – Enter blocked domains and click Save. ▪ Internal ▪ Public ▪ Private
File Sharing	Select a scope for file sharing: ▪ External – Enter blocked domains and click Save. ▪ Internal ▪ Public ▪ Private
Folder Sharing	Select a scope for folder sharing: ▪ External – Enter blocked domains and click Save. ▪ Internal ▪ Public ▪ Private

(Optional) Select any Context Exceptions (items that will be excluded from policy actions).
Select a Content Action. The options include Allow & Log, Permanent Delete, and Quarantine.
If you select Allow & Log or Permanent Delete, choose a notification type as a secondary action (optional). Then, select an email or channel notification from the list. If you select Quarantine, select Notification from the Quarantine Action & Notification list. Then, select a quarantine notification.
Click Next and review the policy summary. If the policy includes a Salesforce cloud, a CRM column will appear next to the FileSharing column.
Then, perform any of these actions:
● Click Confirm to save and activate the policy. Once the policy is in effect, you can view policy activity through your dashboards on the Monitor page.
● Click Previous to go back to previous screens and edit information as needed. If you need to change the policy type, do so before you save it, because you cannot change the policy type after you save it.
● Click Cancel to cancel the policy.

Managing connected applications

CASB provides a single location on the Management Console where you can view information about third-party applications connected to the cloud applications in your organization, install additional applications as needed, and revoke access to any applications that are considered unsafe or that could put data security at risk.
Management of connected applications is supported for Google Workspace, Microsoft 365 suite, Salesforce (SFDC), AWS, and Slack cloud applications, and can be used for cloud applications with API protection mode. For Microsoft 365 cloud applications, the applications listed on the Management Console are those that have been linked to Microsoft 365 by the administrator.
To view a list of connected applications, go to Protect > Connected Apps.
The Connected Apps page view provides information in two tabs:

Connected Apps – Displays information about the applications installed in the cloud applications onboarded in your organization; also provides options for showing additional details and removing (revoking access to) an application.
AWS Keys Usage – For any AWS cloud applications you have onboarded, displays information about the access keys used by administrators for those cloud applications.

Managing applications from the Connected Apps tab
The Connected Apps tab displays the following information about each application.

Account Name — the name of the cloud to which the application is connected.
App Info — The name of the connected application, along with the identification number for the application.
Created Date — The date on which the app was installed on the cloud.
Owner Info — The name or title of the person or administrator who installed the application, and their contact information.
Cloud Certified — Whether the application has been approved by its vendor to be published on the cloud.
Action – By clicking the View (binocular) icon, you can view details about a connected application.
The details shown vary by application, but typically they will include items such as Account ID, Account Name, App Name, App ID, Cloud Certified status, Cloud Name, Created Date, and user Email.

Managing AWS key use
The AWS Keys Usage tab lists the access keys used for AWS accounts.
For each key, the tab shows the following information:

Account Name — The account name for the cloud.
User Name — The user ID for the administrator user.
Permissions — The types of permissions granted to the administrator user for the account. If the account has multiple permissions, click View More to see additional listings.
Access Key — The key assigned to the administrator user. Access keys provide credentials for IAM users or an AWS account root user. These keys can be used to sign programmatic requests to the AWS CLI or the AWS API. Each access key consists of the key ID (listed here) and a secret key. Both the access key and the secret key must be used to authenticate requests.
Action — The actions that can be taken on each listed account:
Recycle icon — Go to the Activity Audit Logs page to view activity for this cloud.
Disable icon — Disable the access key if it is determined to be unsafe as far as data security or is no longer needed.

Filtering and syncing connected application and AWS information
On both tabs, you can filter and refresh the information displayed.
To filter information by cloud application, check or uncheck the names of the cloud applications to include or exclude.
A sync occurs automatically every two minutes, but you can refresh the display with the most recent information at any time. To do so, click Sync at the upper left.

Cloud Security Posture Management (CSPM) and SaaS Security Posture Management (SSPM)

Cloud Security Posture Management (CSPM) provides organizations with a comprehensive set of tools to monitor resources used in their organizations, assess security risk factors against security best practices, perform the needed actions to prevent misconfigurations that put their data at increased risk, and continually monitor risk. CSPM makes use of security benchmarks such as CIS for AWS and Azure, and Juniper Networks SaaS Security Posture Management (SSPM) best practices for Salesforce and Microsoft 365 Security Best Practices for Microsoft 365.

Cloud applications supported
CSPM supports the following cloud types:

For IaaS (Infrastructure as a Service) —
Amazon Web Services (AWS)
Azure
For SaaS (Software as a Service) Security Posture Management (SSPM) —
Microsoft 365
Salesforce

CSPM/SSPM includes two major components:

Infrastructure Discovery (discovering the resources used for the customer account) (inventory)
Assessment configuration and execution

Infrastructure Discovery
Infrastructure Discovery (Discover > Infrastructure Discovery) involves identification of the presence and use of resources in an organization. This component applies only to the IaaS cloud applications. Each application includes its own list of resources that can be extracted and displayed.
The Infrastructure Discovery page shows the resources available for each IaaS cloud (one tab for each cloud).

At the left of each tab is a list of accounts, regions, and resource groups. You can select and deselect items from each list to filter the display.
The resource icons at the upper part of the page represent the resource type and the number of resources for each type. When you click a resource icon, the system extracts a filtered list for that resource type. You can select multiple resource types.
The table at the lower part of the page lists each resource, showing the resource name, resource ID, resource type, account name, associated region, and the dates on which the resource was first and last observed.

The First Observed and Last Observed timestamps help to identify when the resource was first added, and the date it was last seen. If a resource timestamp shows that it has not been observed for a long time, that could indicate that the resource was deleted. When resources are pulled, the Last Observed timestamp is updated — or, if a resource is new, a new row is added to the table with a First Observed timestamp.
To display additional details for a resource, click the binocular icon at the left.
To search for a resource, enter search characters in the Search field above the resource table.

Assessment configuration
Assessment configuration (Protect > Cloud Security Posture) involves creation and management of information that evaluates and reports on risk factors, based on selected rules in the organization’s security infrastructure. This component supports these cloud applications and industry benchmarks:

AWS — CIS
Azure — CIS
Salesforce — Juniper Networks Salesforce Security Best Practices
Microsoft 365 — Microsoft 365 Security Best Practices

The Cloud Security Posture page in the Management Console lists the current assessments. This list shows the following information.

Assessment Name — The name of the assessment.
Cloud Application — The cloud to which the assessment applies.
Assessment Template — The template used to perform the assessment.
Rules — The number of rules currently enabled for the assessment.
Frequency — How often the assessment is run (daily, weekly, monthly, or on demand).
Last Run On — When the assessment was last run.
Enabled — A toggle that indicates whether the assessment is currently enabled (see Questions section).
Assessment Status – The number of rules that were triggered and passed the last time this assessment was run.
Not Run – The number of rules that were not triggered the last time this assessment was run.
Weightage Score — A color bar that shows the risk score for the assessment.
Action – Enables you to take the following actions for an assessment:
Pencil icon – Edit the properties of an assessment.
Arrow icon – Run an assessment on demand.

By clicking the eye icon at the left, you can view additional details for the most recent assessment.
These details are shown in two tabs:

Assessment Results
Past Assessment Reports

Assessment Results tab
The Assessment Results tab lists the compliance rules associated with an assessment. For each rule included in the assessment, the display shows the following information:

Compliance Rule – The title and ID of the included rule.
Enabled – A toggle that indicates whether the rule is enabled for this assessment. You can enable or disable compliance rules as needed depending on your security assessment of the cloud.
Resources Passed/Resources Failed – The number of resources that passed or failed the assessment.
Last Run Status – The overall status of the last assessment run, either Success or Failed.
Last Run Time – The date and time that the last assessment was run.

Past Assessment Reports tab
The Past Assessment Reports tab lists the reports that have been run for the assessment. A report is generated when an assessment is run and is added to the list of reports. To download a PDF report, click the Download icon for that report, and save it to your computer.
The report provides detailed information about the activity for the cloud, including:

An executive summary with a count of rules and resources passed and failed
Counts and details about resources that were tested and failed, and remediation recommendations for failed resources

If an assessment is deleted, its reports are deleted also. Only the Splunk audit logs are preserved.
To close the assessment detail view, click the Close link at the bottom of the screen.
Adding a new assessment

From the Management Console, go to Protect > Cloud Security Posture Management.
From the Cloud Security Posture Management page, click New.
You will see these fields initially. Depending on the cloud account you select for the assessment, you will see additional fields.

Enter this information for the new assessment as indicated for the type of cloud account to be used for the assessment.

Field	IaaS cloud applications (AWS, Azure)	SaaS cloud applications (Salesforce, Microsoft 365)
Assessment Name Enter a name for the assessment. The name can include only numbers and letters – no spaces or special characters.	Required	Required
Description Enter a description of the assessment.	Optional	Optional

Field	IaaS cloud applications (AWS, Azure)	SaaS cloud applications (Salesforce, Microsoft 365)
Cloud Account Select the cloud account for the assessment. All information for the assessment will pertain to this cloud. Note The list of cloud applications includes only those for which you have specified Cloud Security Posture as a protection mode when you onboarded the cloud.	Required	Required
Assessment Template Select a template for the assessment. The template option shown pertains to the cloud account you select.	Required	Required
Filter by Region Select the region or regions to be included in the assessment.	Optional	N/A
Filter by Tag To provide an additional level of filtering, select a resource tag.	Optional	N/A
Frequency Select how often to run the assessment – daily, weekly, monthly, quarterly, or on demand.	Required	Required
Notification Template Select a template for email notifications regarding assessment results.	Optional	Optional
Resource Tag You can create tags to identify and track failed resources. Enter text for a tag.	Optional	N/A

Click Next to display the Compliance Rules page, where you can select rule enablement, rule weighting, and actions for the assessment.
This page lists the compliance rules available for this assessment. The list is grouped by type (for example, rules pertaining to monitoring). To show the list for a type, click the arrow icon to the left of the rule type. To hide the list for that type, click the arrow icon again.
To display details for a rule, click anywhere on its name.
Configure the rules as follows:
● Enabled — Click the toggle that indicates whether the rule will be enabled for the assessment. If it is not enabled, it will not be included when the assessment is run.
● Weight – The weight is a number from 0 to 5 that indicates the relative importance of the rule. The higher the number, the greater the weight. Select a number from the dropdown list or accept the default weight shown.
● Comments – Enter any comments that pertain to the rule. A comment can be helpful if (for example) the rule weight or action is changed.
● Action – Three options are available, depending on the cloud you selected for this assessment.
● Audit — The default action.
● Tag (AWS and Azure cloud applications) — If you selected Resource Tags when you created the assessment, you can choose Tag from the dropdown list. This action will apply a tag to the rule if the assessment finds failed resources.
● Remediate (Salesforce cloud applications) — When you select this action, CASB will attempt to resolve issues for failed resources when the assessment is run.
Click Next to review a summary of the assessment information.
Then, click Previous to make any corrections, or Save to save the assessment.
The new assessment is added to the list. It will run on the schedule you selected. You can also run the assessment any time by clicking the arrow icon in the Actions column.

Modifying assessment details
You can modify existing assessments to update their basic information and rule configurations. To do so, click the pencil icon under the Actions column for the assessment you want to modify.
The information is displayed in two tabs:

Basic Details
Compliance Rules

Basic Details tab
In this tab, you can edit the name, description, cloud account, filtering and tagging information, templates used, and frequency.
Click Update to save the changes.

Compliance Rules tab
In the Compliance Rules tab, you can view rule details, add or delete comments, and change enablement status, weight, and actions. The next time the assessment is run, these changes will be reflected in the updated assessment. For example, if the weight of one or more rules is changed, the count of passed or failed resources could change. If you disable a rule, it will not be included in the updated assessment.
Click Update to save the changes.

Cloud Data Discovery

Cloud Data Discovery enables discovery of data through cloud scans. Using APIs, CASB can perform compliance scanning of data for ServiceNow, Box, Microsoft 365 (including SharePoint), Google Drive, Salesforce, Dropbox, and Slack cloud applications.
With Cloud Data Discovery, you can perform these actions:

Scan for data such as credit card numbers, Social Security numbers, custom keywords, and RegEx strings.
Identify this data in objects and records.
Enable checking public link folders and external collaboration folders for collaboration violations.
Appy remediation actions including permanent delete and encryption.

You can configure scans in several ways:

Select a schedule for scans — once, weekly, monthly, or quarterly.
Perform full or incremental scans. For full scans, you can select a time period (including a custom date range), which enables you to run scans for shorter durations with reduced sets of data.
Defer policy actions for scans and review them later.

You can view and run reports for past scans.
The workflow for cloud data discovery includes the following steps:

Onboard a cloud for which you want to apply Cloud Data Discovery
Create a Cloud Data Discovery policy
Create a scan
Associate a scan with a Cloud Data Discovery policy
View scan details (including past scans)
Generate a scan report

The following sections detail these steps.
Onboard a cloud application for which you want to apply Cloud Data Discovery

Go to Administration > App Management.
Select ServiceNow, Slack, Box, or Office 365 for the cloud type.
Select API Access and Cloud Data Discovery protection modes to enable CDD scans.

Create a Cloud Data Discovery policy
Note
The cloud scan policy is a special type of API access policy, which can apply to only one cloud application.

Go to Protect > API Access Policy and click the Cloud Data Discovery tab.
Click New.
Enter a policy name and description.
Select a content inspection type – None, DLP Scan, or Malware Scan.
If you select Malware Scan, click the toggle if you want to use an external service for scanning.
Under Content Scanning, select a data type.
● If you selected Malware Scan as the content inspection type, the Data Type field does not appear. Skip this step.
● For ServiceNow cloud applications, select Structured Data if you want to scan fields and records.
Perform either of the following steps, depending on the content inspection type you chose:
● If you selected DLP Scan, select a content rule template.
● If you selected None or Malware Scan, go to the next step to select a context type.
Under Context Rules, select a context type and context details.
Select exceptions (if any).
Select actions.
View the details of the new policy and confirm.

Create a Cloud Data Discovery scan

Go to Protect > Cloud Data Discovery and click New.
Enter the following information for the scan.
● Scan Name and Description — Enter a name (required) and a description (optional).
● Cloud — Select the cloud application to which the scan should apply.
If you select Box, see Options for Box cloud applications.
● Start Date – Select the date on which the scan should start. Use the calendar to select a date or enter a date in mm/dd/yy format.
● Frequency — Select the frequency at which the scan should run: Once, Weekly, Monthly, or Quarterly.
● Scan type – Select either:
● Incremental – All data generated since the last scan.
● Full – All data for the specified time period, including data in previous scans. Select a time period: 30 days (default), 60 days, 90 days, All, or Custom. If you select Custom, enter a start and end date range, and click OK.● Defer Policy Action – When this toggle is enabled, the CDD policy action is deferred, and the violating item is listed on the Violation Management page (Protect > Violation Management > CDD Violation Management tab). There, you can review the items listed and choose actions to take on all or selected files.
Save the scan. The scan is added to the list on the Cloud Data Discovery page.

Options for Box cloud applications
If you selected Box as the cloud application for the scan:

Select a Scan Source, either Automated or Report Based.
For Report Based: —
a. Select a Scan Report Folder from the widget and click Save.
b. Select a start date from the calendar.
By default, the Frequency option is Once, and the Scan Type is Full. These options cannot be changed.For Automated —
a. Select a Time Period, Start Date, Frequency, and Scan Type as described in the previous steps. b. Enable Defer Policy Action as described in the previous steps.
Save the scan.
For information about generating reports within the Box application, see Generating Box Activity Reports.

Associate a scan with a Cloud Data Discovery policy

From the Cloud Data Discovery page, select a scan you created.
Click the Policy tab. The view in this tab lists the Cloud Data Discovery policies you have created.
Click Add.
Select a policy from the dropdown list. The list includes only cloud applications that have a protection mode of Cloud Data Discovery.
Click Save.

Note
Only the policies associated with the cloud are included in the list.
You can reorder the list of Cloud Data Discovery policies by priority. To do so:

Go to the Cloud Data Discovery page.
Select a scan name by clicking the > arrow to the left of the scan name.
In the list of policies, drag and drop the policies to the priority order you need. When released, the values in the Priority column will be updated. The changes will take effect after you click Save.

Notes

You can reorder the list of cloud data discovery policies by priority for scans in the Policy tab, but not on the Cloud Data Discovery tab in the API Access Policy page (Protect > API Access Policy > Cloud Data Discovery).
Before you can start running scans, you must change the scan status to Active.

View scan details
You can view detailed values and charts that pertain to information from a scan.

On the Cloud Data Discovery page, click the > arrow next to the scan for which you want to see details.
Click the tab for the type of detail you want to see.

Overview tab
The Overview tab provides graphical detail for items found and policy violations.
The values along the top of the section show current totals and include:

Folders found
Files and data found
Policy violations found

Note
For ServiceNow cloud types, totals are also shown for structured data items.The line graphs show activity over time including:

Items found and scanned
Policy violations
You can select a time range for items to view – Last Hour, Last 4 hours, or Last 24 Hours.
Since Beginning will appear in the Showing Range list when a successful scan has been completed.

Basic tab
The Basic tab displays the information you entered when you created the scan. You can edit this information.

Policy tab
The Policy tab lists the Cloud Data Discovery policies associated with a scan. You can associate multiple policies with a scan.
Each listing shows the Policy Name and Priority. In addition, you can delete an associated policy by clicking the Delete icon in the Actions column.

To add a Cloud Data Discovery policy to a scan, see Associate a scan with a Cloud Data Discovery policy.
Past Scans tab
The Past Scans tab lists the details of previous scans.

The following information is displayed for each scan:

Scan Job ID – An identifying number assigned for the scan.
Scan Job UUID – A universally unique identifier (128-bit number) for the scan.
Started on — The date on which the scan was started.
Finished on — The date on which the scan was finished. If the scan is in progress, this field is blank.
Folders Scanned – The number of folders scanned.
Files Scanned – The number of files scanned.
Violations – The number of violations found in the scan.
Number of Policies – The number of policies associated with the scan.
Status – The status of the scan since it started.
Compliance Status — How many policy violations were detected as a percentage of total items scanned.
Report – An icon for downloading reports for the scan.

To refresh the list, click the Refresh icon above the list.
To filter the information, click the Column Filter icon, and check or uncheck the columns to view.
To download the list of past scans, click the Download icon above the list.
To generate a report for a scan, see the next section, Generate a scan report.

Generate a scan report
You can download a report of past scans in PDF format. The report provides the following information.
For generating Box activity reports, see Generating activity reports for Box cloud applications.

An executive summary that shows:
Counts of total policies enforced, files scanned, violations, and remediations.
Scope — name of cloud application, total number of items (for example, messages or folders) scanned, number of policies enforced, and the time frame for the scan.
Results — Number of scanned messages, files, folders, users, and user groups with violations.
Recommended remediations — Tips for managing and protecting sensitive content.
Report details, including:
Top 10 policies based on violation counts
Top 10 files with violations
Top 10 users with violations
Top 10 groups with violations

To download a report on a past scan:

From the Cloud Data Discovery page, display the details for the scan on which you want a report.
Click the Past Scans tab.
Click the Report download icon at the right.
Save the file for the report (as PDF).

Generating activity reports for Box cloud applications.
This section provides instructions for generating CSV formatted activity reports within Box.

Log into the Box application with your administrator credentials.
On the Box admin console page, click Reports.
Click Create Report, then select User Activity.
On the Reports page, select the columns to include in the report.
Select a start date and an end date for the report.
Under Action Types, select Collaboration and select all of the action types under COLLABORATION.
Select File Management and select all of the action types under FILE MANAGEMENT.
Select Shared Links and select all of the action types under SHARED LINKS.
Click Run at the top right to submit the report request.A popup message appears confirming the request.
When the report is finished running, you can view it in the folder under Box Reports.

Violation management and quarantine

Content that has violated a policy can be placed in quarantine for review and further action. You can view a list of documents that have been placed in quarantine. In addition, you can view a list of documents that have been reviewed by the administrator and what actions were selected for those documents.
To view information about files with violating content, go to Protect > Violation Management.
Note
Quarantine actions do not apply to files and folders in Salesforce.
Quarantine Management
Documents placed in quarantine are listed in the Quarantine Management page and are given a Pending
Review status for evaluation before action is taken. Once reviewed, their status is changed to Reviewed, with the selected action taken.
Selecting information to view
To view documents in either status, select a status from the dropdown list.

Pending review
For each quarantined document that is pending review, the list shows the following items:

Policy Type – The type of protection for the policy that applies to the document.
File name – The name of the document.
Timestamp – The date and time of violation.
User – The name of the user associated with the violating content.
Email – The email address of the user associated with the violating content.
Cloud – The name of the cloud application where the quarantined document originated.
Violated Policy – The name of the policy that was violated.
Action Status – The actions that can be taken on the quarantined document.

Administrators and users can be notified when a document is placed in the Quarantine folder.
Reviewed
For each quarantined document that has been reviewed, the list shows the following items:

Policy Type – The type of policy to address violations.
File Name – The name of the file containing violating content.
User – The name of the user associated with the violating content.
Email – The email address of the user associated with the violating content.
Cloud – The cloud application where the violation occurred.
Violated Policy – The name of the policy that was violated.
Actions – The action selected for the violating content.
Action Status – The outcome of the action.

Taking action on a quarantined file
To select an action on quarantined files in pending status:
Filter the list as needed by clicking the boxes in the left navigation bar and the time dropdown list.
Click the checkboxes for the file names on which to take action.

Select an action from the Select Actions dropdown list on the top right side.

Permanent Delete – Deletes the file from the user’s account. Select this option with care, because once a file is deleted, it cannot be recovered. Apply this option for serious violations of company policy in which users can no longer upload the sensitive content.
Content Digital Rights – Applies any actions specified for Content Digital Rights in the policy – for example, adding a watermark, redacting violating content, or encrypting the document.
Note
When you select multiple quarantined records on which to apply actions, the Content Digital Rights option is not available in the Select Actions list. This is because among the records you selected, only some of them might have been configured for a Content Digital Rights policy action. The Content Digital Rights action can be applied only to a single quarantined record.
Restore – Makes a quarantined file available to users again. Apply this option if a review determines that a policy violation did not occur.

Click Apply for the selected action.

Viewing and searching for quarantined documents
You can filter the view of existing quarantine actions using these options:

In the settings at the left, check or uncheck how you would like to organize the list of quarantine actions. Click Clear to clear all filters.
At the top of the screen, select a time period from the dropdown list.

To search for a quarantined document, use only prefix match query to search the results. For example, to find the file BOX-CCSecure_File29.txt, search by prefix on word search split at special characters. This means you can search by the prefix words—”BOX”, “CC”, and by “File.” The related records are displayed.

CDD Violation Management
The CDD Violation Management list shows content violations for Cloud Data Discovery (CDD) policies.
For each file, the list shows the following information:

Timestamp – The date and time of the violation.
Cloud Application – The name of the cloud application where the violation occurred.
Email – The valid email address of the user associated with the violation.
Action Status – The completion status for the policy action.
Policy Action – The action specified in the policy that was violated.
Policy Name – The name of the policy that was violated.
File Name – the name of the file with the violating content.
URL – The URL of the violating content.

Selecting information to view
From the left panel, choose the items to view – User Groups, Violations, Users, and Status.

Taking action on a quarantined CDD item

Click Apply Actions.
Under Action Scope, select an Action — either Policy Action or Custom Action.
● Policy Action applies the action(s) specified in the policy. Select either All Files to apply the policy action to all of the files listed, or Selected Files to apply the policy action only to the files you specify.
● Custom Action allows you to choose content and collaboration actions to apply to the files.
● Content action – Select Permanent Delete or Content Digital Rights. For Content Digital Rights, select a CDR template for the action.
● Collaboration action – Select Internal, External, or Public.
o For Internal, choose Remove Collaborator and select the user groups to include in the action.
o For External, choose Remove Collaborator and enter the domains to blocked.
o For Public, choose Remove Public Link.
o To add another collaboration action, click the + icon at the right and select the appropriate actions.
Click Take Action.

Monitoring and managing system activity

The following topics outline how you can monitor cloud activity through dashboards, charts, and activity audit logs, monitor user risk information, manage devices, and work with files in quarantine.

Viewing activity from the Home Dashboard
Monitoring cloud activity from charts
Working with activity audit logs
Monitoring user activity from audit logs
Viewing and updating user risk information
Managing devices

Viewing user and system activity from the Home Dashboard
From the Home Dashboard in hosted deployments, you can view graphical representations of cloud and user activity in your organization.
The Home Dashboard organizes data into these major components:

Data cards showing totals and trending charts for events
The total number of events that are possible threats to your data security (by cloud and by type)
A more detailed list of events. Threats include violations and anomalous activity.
The following sections describe these components.

Data cards
Data cards contain snippets of important information that administrators can view on an ongoing basis. The numbers and trending charts in the data cards are based on the time filter that you select. When you modify the time filter, the totals shown in the data cards, and the trending increments, change accordingly.
The data cards display these types of information for the cloud applications and time ranges you specify. You can see activity counts for a specific time range by hovering over the date ranges at the bottom of the data card.
The following sections describe each data card.

Content Scanning
The Content Scanning data card shows the following information.

Files and Objects — The number of files (unstructured data) and objects (structured data) that have been scanned to detect policy violations. For Salesforce (SFDC), this number includes Customer Relationship Management (CRM) objects. When customers onboard cloud applications, CASB scans content and user activity on the cloud applications. Based on the activities performed and the policies set for your enterprise, CASB generates analytics and displays them on the data cards.
Violations — The number of violations detected by the policy engine.
Protected — The number of files or objects protected through quarantine, permanent delete, or encryption actions. These remediation actions remove content from users (permanently through delete; temporarily through quarantine) or restrict the ability of content to be read by unauthorized users (encryption). These analytics provide a view (over time) of how many protective actions have been performed in response to violations that the policy engine has detected.

Content Sharing
The Content Sharing data card shows the following information.

Public Links — The total number of public links found across file storage cloud applications. A public link is any link that the general public can access without requiring a login. Public links are easy to share and are not secure. If they link to content that contains sensitive information (for example, references to credit card numbers), that information could be exposed to unauthorized users, and could compromise the privacy and security of that data.
The Remove Public Link option provides you with the flexibility of enabling information sharing but also allows you to protect specific types of content. When you create a policy, you can specify public link removal if a public link is included in a file with sensitive content. You can also specify removal of public links from folders that contain sensitive information.
External Sharing — The number of activities in which content is shared with one or more users outside the organization’s firewall (external collaborators). If a policy allows external sharing, a user can share content (for example, a file) with another user who is external. Once content is shared, the user with whom it is shared can continue accessing the content until that user’s access is removed.
Protected — The total number of events for which the public link or an external collaborator was removed. An external collaborator is a user outside the organization’s firewall with whom content is shared. When an external collaborator is removed, that user can no longer access the content that was shared.

Most Hit Security Policies
The Most Hit Security Policies card shows a table that lists the top 10 policy hits for each policy. The table lists the policy name and type and the number and percentage of hits for the policy.
Policies
The Policies card shows in a circle graph the total number of active policies and the count of active and all policies by policy type.
Event details
Event details provide a table view of all threats for the time filter you specify. The total number of events listed matches the total number shown in the graph at the right.

You can filter data using the following options.
By time range

From the dropdown list, choose the time range to include on the Home page view. The default time range is Month. When you select a time range, the totals and trending increments change.
You can also specify a custom date. To do so, choose Custom, click in the first box at the top of the Custom view, then click the preferred From and To dates from the calendar.

Viewing additional details
You can display additional details from the data cards, the threat graph, or the table view.
From a data card
For a specific date: Hover over the date along the bottom of the card for which you want details.
For the data counts in a card: Click on the data count for which you want additional details.
The details are displayed in the table view.
From the table
Click the Detailed Analysis link. All activities from the Home Dashboard page are listed in a table on the Activity Audit Logs page. From here, you can drill down further by clicking on the bars.
To display more or fewer columns in the table, click the box icon at the right, and select or deselect columns in the list. The field names available for selection depend on the filtering options you have selected. You can display no more than 20 columns in the table.

Refreshing all data
Click the Refresh icon at the upper right corner of the Home Dashboard to update the data for all items on the page.

Exporting data
You can save a printout of the information on the Home Dashboard.

Click the Export All icon at the upper right corner of the page.
Select a printer.
Print the page.

Monitoring cloud activity from charts
The Activity Dashboard page from the Monitor tab of the Management Console is the point from which you can view specific types of activity in your enterprise. This activity reflects the results of both real-time and historical data scans.
From the Monitor page, you can view the following dashboards:

Application Activities
Anomalous Activities
Office 365
IaaS Monitoring Dashboard
Activity Alerts
Zero Trust Enterprise Access

You can display dashboard views in a variety of ways. You can select all cloud applications for higherlevel overviews of your cloud data activity, or you can select specific cloud applications or only one cloud for more detailed information. To view activity for a specific time, you can select a time range.
You can go to the following pages by clicking the menu items.
The following sections describe these dashboards.

Application Activities
The Application Activities dashboard provides the following views.
Policy Analytics
Policy Analytics provides perspectives on the type, quantity, and source of policy triggers in your organization. For example, you can see the total number of policy violations over a specific time (such as a month), as well as a breakdown of violations by cloud, by user, or by policy type (such as external collaborator violations).
For descriptions, see Policy Analytics.

Activity Monitoring
Activity Monitoring shows quantified views of activities in your organization – for example, by activity type (such as logins and downloads), by time, or by user.
For descriptions, see Activity Monitoring.

Encryption Statistics
Encryption Statistics shows how encrypted files are being accessed and used in your organization. For example, you can view the highest number of users who have encrypted or decrypted files, how many encryption and decryption activities have taken place over time, or the types of files that have been encrypted.
For descriptions, see Encryption Statistics.

Privileged User Activities
Privileged User Activities shows activities performed by users with higher-level access permissions in an organization. These users are typically administrators and are sometimes referred to as “super users.” Users at this level can view the number of accounts created or frozen by an administrator, or how many session settings or password policies were changed. Being aware of privileged user activity is important because these users have permissions under which they can modify settings that could compromise a cloud’s security. The information from these dashboards allows the security team to monitor the actions of these users, and act quickly to address threats.
For descriptions, see Privileged User Activities.

Anomalous Activities
The Anomalous Activities detection engine continuously profiles data attributes and user behavior to detect activity that is out of the ordinary for your enterprise. Monitoring includes the locations from where logins take place (geo-logins), source IP addresses, and devices used. User behavior includes activities such as content uploads and downloads, edits, deletes, logins, and logouts.
Anomalies are not actual policy violations but can serve as alerts for possible data security threats and malicious data access. Examples of anomalies might be an abnormally large number of downloads from an individual user, a higher-than-normal number of logins from the same user, or persistent login attempts by an unauthorized user.
The user profile includes sizes of file downloads across cloud applications, as well as the time of the day and day of the weeks that the user is active. When the engine detects a deviation from the observed behavior over this period, it flags the activity as anomalous.
Anomalies are classified into two types: deterministic and statistical.

Deterministic detection works in real time and detects anomalies as user activity occurs, with a nominal delay (for example, 10 to 30 seconds). The algorithm profiles entities (such as users, devices, applications, content, user locations, and data destination location), attributes (such as access location, source IP address, device used), and the relation between them.
When an unknown or unexpected new relation is encountered, it is evaluated for suspicious activity.
The sample of user activities profiled in this approach is relatively small and grows over time. The accuracy of the anomalies detected using this method is high, although the number of rules or the search space is limited.
Statistical detection creates a user’s baseline with a larger activity sample, typically spanning over a 30-day period to reduce false positives. User activity is profiled using a three-dimensional model: the metric observed (location, access count, file size), time of the day, and day of the week. The metrics are grouped by time and day. Activities profiled includes:
- Content downloads
- Content access — uploads, edits, deletes
- Network access — logins and logouts

When the engine detects a deviation from the observed behavior over this period, based on clustering techniques, it flags the activity as anomalous. It detects anomalies in non-real time with a delay of typically one hour.
The deterministic algorithm is used for geoanomaly detection. The statistical algorithm is used for anomalous downloads and for content and network access.
To view anomalous activities, go to Monitor > Anomalous Activities.
For more details about viewing anomaly reports, see:

Anomalous activities by geolocation
Displaying geoanomaly details from the Activity Audit Logs page
Anomalous downloads, content access, and authentication
Three-dimensional activity views

Anomalous activities by geolocation
The Anomalous Activities by Geolocation dashboard is a map view showing geographic pointers where anomalous activity has likely taken place. This type of anomaly is called a geoanomaly. If geoanomalies have been detected, the map shows one or more geographic pointers identifying where the activity in question took place.

When you click on a pointer, you can display details about the user’s current and previous activities, including their email address, the cloud they accessed, their location, and the activity time. Using the current and previous activity details, you can make comparisons that provide insight into the anomaly. For example, the user might have logged in to two different cloud applications using the same sign-on credentials, from two different locations. The blue pointer represents the location with the current focus.
To focus on the other location, click its pointer.
If there are multiple instances of anomalous activity from a geographical area, multiple pointers appear, slightly overlapped. To display information on one of the pointers, hover over the area with the overlapping pointers. In the small box that appears, click the pointer for which you want to view details.
Displaying geoanomaly details from the Activity Audit Logs page
From the Activity Audit Logs page (Monitor > Activity Audit Logs), you can select geoanomaly views by clicking the Binocular icon that appears at the left in the activity list.

Anomalous downloads, content access, and authentication
The following dashboard charts provide information about anomalous activity across cloud applications.

The Anomalous Downloads by Size chart shows a summary count of downloads over time by size of downloaded files.
Data hijacking in enterprises is often indicated by an abnormally high number of downloads of business-critical data. For example, when an employee leaves an organization, their activity might reveal that they downloaded a large amount of corporate data just before their departure. This chart tells you the number of times an anomalous pattern is found in user downloads, the users who did the downloading, and when the downloads occurred.
The Anomalous Content Delete chart shows the number of delete events for anomalous activity.
The Anomalous Authentication chart shows the number of times an anomalous pattern is found in a user’s network access events, including logins, failed or brute-force login attempts, and logouts. Repeated unsuccessful logins could indicate a malicious attempt to gain access to the network.
The Anomalous Downloads by Count chart shows the number of anomalous downloads for your enterprise.

Three-dimensional activity views
You can also view a three–dimensional chart from which you can observe anomalous activity in relation to normal activity. In this view, activities are represented as data points (also called buckets) on three axes:

X=hour of day
Y=aggregated activity count or aggregated download size
Z=day of the week

The chart uses a clustering mechanism to illustrate activity patterns and reveal anomalies. These activity clusters can give you a better idea of what types of events are occurring most frequently at specific days and times. The clusters also enable anomalies to stand out visually.
As activities are tracked hour by hour, data points are added to the chart. Clusters are created when relevant activities total at least 15 data points. Each cluster is represented by a different color for its data points. If a cluster has fewer than three data points (buckets), the events represented by those points are considered anomalous, and they appear in red.
Each data point on the chart represents events that occurred on a specific hour of the day. You can get details about the date, the hour, and event count by clicking on any data point.
In this example, the cluster at the lower right has 15 data points. It shows that several events took place during late afternoon and evening throughout the week. The access count was similar for all activities. On one day, the access count was much higher, and the point is shown in red, indicating an anomaly.
The table below the graph lists the events represented in the graph. The list in this example outlines the date and time of the access, the name of the file accessed, the cloud from which the access took place, and the email address of the user who accessed the content.

Settings for configuring anomaly information
From the System Settings page, you can configure how to track, monitor, and communicate information about anomalous activities. For Box cloud applications, you can suppress (whitelist) connected apps included in the cloud account to prevent geoanomalies.

Adaptive threshold for permitted user activity rates (Preview feature)
The adaptive threshold defines a permitted rate of user activity. The configured threshold can be adjusted based on the user activity rate. Being able to configure a threshold enables you to adjust the rate of user activities as needed. If conditions permit, for example, the threshold can be modified to allow a higher rate of activity.
Adaptive threshold configuration evaluates threshold compliance and will allow events up to the defined threshold. CASB also checks the probability of event occurrences after the fixed threshold. If the probability is within the allowed range, the events are allowed. The default value for the variance percentage from peak probability is 50%.
You can also set a consecutive failure count (for example, three failures in a row). When the number of consecutive failures exceeds the specified count, the events are considered non-compliant. The default count is three (3) consecutive failures. It can be adjusted up to 20 or down to 1.
You can choose adaptive threshold as a context type in a policy, where these settings will be applied. This context type is available for inline policies for Upload, Download, and Delete activities. For instructions on using adaptive threshold as a policy context type, see Creating Cloud Access Control (CAC) policies.

Tracking of anomaly information

Go to Administration > System Settings > Anomaly Configuration.

Select settings as follows:

Section/Field	Description
Suppress Geoanomalies by	a. Click the field to the right of the Cloud Account field. b. Select Connected Apps. c. From the Directories list, click the folders for the apps to suppress. d. Click the right arrow to move them to the Connected Apps column. e. Enter the IP Addresses and Email Addresses for which to suppress anomaly information. In each field, separate multiple IP and email addresses with commas.
Activities for Geoanomaly	Search for the activities to track for geoanomalies, select the activities, and click Apply. Note For anomalies to be triggered for Microsoft 365 and AWS, you must check O365Audit and AWSAudit from the list.
Geoanomaly	For Minimum Geoanomaly Distance, enter the minimum number of miles for which to track geoanomalies, or accept the default of 300 miles.

Section/Field	Description
Adaptive Rate Limiting (Preview)	Enter or select the following options that will apply to the tenant: ▪ Probability Variation from Peak, as a percentage (default is 50%) ▪ Consecutive Failure Rate for Non-Compliance (default count is 3)
Clear Geoanomalies	Click Clear to clear previously reported geoanomaly information. After you click Clear, the date and time at which the geoanomalies were last purged appears below the Clear button.

Click Save.

Settings for anomaly profiles (dynamic anomaly configuration)
Dynamic anomaly configurations include profiles for defining behavior that is considered anomalous. These profiles are based on activity category and activity types. Each profile is either predefined (provided for all tenants; cannot be modified or deleted by administrators) or user defined (can be created, modified, or deleted by administrators).
You can create up to four user-defined anomaly profiles. Each profile defines anomalous behavior for an activity category (for example, authentications or content updates), and activities associated with that category (for example, login, content download, or content delete).

The Anomaly Profiles page shows:

The profile Name and Description
The Activity Category (for example, ContentUpdate)
Type – either Predefined (system-generated, cannot be edited or deleted) or User-Defined (can be created, edited, and deleted by administrators).
Created Date – the date on which the profile was created.
Last Modified By – the username of the person who last modified the profile (for user-defined profiles) or system (for predefined profiles).
Last Modified Time – the date and time on which the profile was last modified.
Actions – an Edit icon for displaying profile details and modifying user-defined profiles.

You can filter the column display or download the list of profiles to a CSV file using the icons at the upper right above the list.
To show or hide columns, click the Column Filter icon, and check or uncheck column headings.
To download the listed profiles, click the Download icon and save the CSV file to your computer.
The following procedures outline the steps for adding, modifying, and deleting user-defined anomaly profiles.

Note
You can have no more than four user-defined profiles. If you currently have four or more user-defined profiles, the New button appears dimmed. You must delete profiles to bring the number down to fewer than four before you can add new profiles.
To add a new user-defined anomaly profile:

Go to Administration > System Settings, select Anomaly Profiles, and click New.

For Profile Details, enter the following information:
● Name (required) and Description (optional).
● Activity Category – Select a category for defining activities in the profile.

Juniper Secure Edge Application - FIG 138

● Activities – Check one or more activities for the selected category. The activities you see in the list are based on the activity category you selected. The following activity types are available.

Activity Category	Activities
Content Upload	Content Upload Content Create
Content Update	Content Edit Content Rename Content Restore Content Move Content Copy
Content Sharing	Collaboration Add Collaboration Invite Content Share Collaboration Update

Click Save.

To modify a user-defined profile:

Select a user-defined profile and click the pencil icon at the right.
Make the needed modifications and click Save.

To delete a user-defined profile:

Select a user-defined profile and click the Trash Can icon at the upper right above the list.
When prompted, confirm the deletion.

Office 365

The Office 365 dashboard provides information about activities for the applications in the Microsoft 365 suite. Charts are shown only for the applications you onboarded.
The Overview charts summarize user activity information for your onboarded applications. The application charts show user activity for that application.
For chart details, see Office 365 dashboards.

AWS Monitoring
The AWS Monitoring dashboard provides information about user activity by location, time, and number of users.
For chart details, see AWS Monitoring charts.

Customizing and refreshing a dashboard display
You can move charts around on a dashboard, select which charts appear, and refresh the display for one or all charts.

To move a chart in a dashboard:

Hover over the title of the chart you want to move. Click and drag it to the desired position.

To refresh the display for a chart:

Hover over the upper right corner of the chart and click the Refresh icon.

To refresh the display for all charts on the page:

Click the Refresh icon in the upper right corner of the page.

To select what data appears in a dashboard:

In the upper left corner of the page, select the cloud applications and the time range to include.

Exporting data for reporting
You can export the information you need from any chart.

Select the tab that has the chart whose data you want to export (for example, Monitor > Activities Dashboard > Policy Analytics).
Select the chart whose data you want.
To exclude any items from the export (for example, users), click the items in the legend to hide them. (To show them again, click the items once more.)
Hover over the top of the chart, click the Export icon in the upper right corner.
Then, select an export format from the list.
Save the file.

Printing a report or chart

Click the Export icon in the upper right corner of the chart whose data you want to print, and select Print.
Select a printer and print the report.

Working with activity audit logs
The Activity Audit Logs page (Monitor > Activity Audit Logs) displays detailed views of data you select from charts, or items you search for. Through this page, you can use the filtering options in the navigation bar to focus on specific users and activities to provide an audit trail or detect patterns of use.
The page shows these items.

Search options: ▪ Cloud applications (managed, enterprise, and unsanctioned) and web categories ▪ Event types (for example, activities, policy violations) ▪ Event sources (for example, API) ▪ Time range options (for example, last 34 hours, last week, last month)
Search query string.
The total number of events found from the search.

Navigation bar from which you can filter your search further by choosing users, user groups, activity types, content types, and policy names on which to search. These filters can be helpful when you need to keep an audit trail on specific users or activities. The search results show the most recent 10,000 records from the selected filter items.
Bar graph display of event data, showing counts for all events found (in addition to the most recent 10,00 records).

Table of event data, showing the newest 500 records. The data is sorted in descending order by time.
For additional data, you can export the contents to a CSV file. The export includes the results of the currently selected filters.
Note
For ServiceNow cloud applications, the Activity Audit Logs page does not show source details (IP, city, country, country code, IP, origination, source state, or user type) for content download activity.

Juniper Secure Edge Application - FIIG 14

Filtering data
To focus on specific data, you can use the dropdown lists to set filters for the following types of information:

Cloud applications (managed and unmanaged)
Event types, including activities, violations, anomalies, Cloud Data Discovery (CDD) activities, CDD violations, and Cloud Security Posture events
Event sources, including API, IaaS audit, Office 365 audit, and other event types
Time range, including last hour, last 4 hours, last 24 hours, today, last week, last month, last year, and custom by month and day you select

When you have selected the items from the lists, click Search.

In the vertical navigation bar at the left, you can filter the data further:

All available items are listed under each category.

Click the > icon to expand the list for each category. If more than 10 items are available for a category, click More at the end of the list to see additional items.
To filter and search for data:

Select the search items from each of the dropdown lists and click Search.
The number of items matching the search criteria shows below the dropdown lists.The search results show the total count of events.
In the left menu, select the items to include in the filter.
● To include all items in a category, click the box next to the category name (for example, Activity Type).
● To select specific items, click the boxes next to them.
● To search for a user, enter a few characters of the user’s name in the Search box under the Users category. Select the username from the search results.
Click Reset to clear the filters in the navigation bar. The search items you selected from the search dropdown lists are not affected.
To hide the navigation bar and allow more room to see the data after making your filter selections, click the left-arrow icon next to the Reset link.

Selecting fields to include in the table view
To select fields to appear in the table view, click the icon at the right side of the screen to display a list of available fields. The contents of the list depend on the filtering options you selected.

Check the fields to include in the log; uncheck any fields to exclude. You can include up to 20 fields.
If you have any malware scanning policies that include scanning by an external service, choose the fields that apply to that service to include in the table for those policies. For example, for a policy using FireEye ATP for malware scanning, you can include ReportId (a UUID provided as a response by FireEye), MD5 (available to compare with similar MD5 information), and Signature Names (comma-separated values) as fields for FireEye scanning information.

Viewing additional details from a table entry
To view additional details for a listed violation, click the binocular icon at the left side of the entry. A popup window displays details. The following examples show details from FireEye and Juniper ATP Cloud services.
FireEye

To display a FireEye report with additional details, click the Report Id link.

Juniper ATP Cloud

Viewing anomaly details from the Activity Audit Logs page
From the Activity Audit Logs page, you can display a three-dimensional chart of anomalous activity for a user. To view the chart, click on the binocular icon in any table row.
The three-dimensional anomaly view opens in a new window.

For more information about anomalies, see Anomalous Activities.
Performing an advanced search
The Search Query field along the top of the Activity Audit Logs page shows the items currently displayed when you select Admin Audit Logs from the Administration menu, or the items that apply to the details you selected from one of the Home page dashboards.

Note
To perform an advanced search, make sure you understand the format for writing Splunk queries. For most searches, you can find the information you need using the filtering options, and you will not need to perform an advanced search.
To perform an advanced search:

Click in the Search Query field. The field expands.
Enter the name/value pairs for the search criteria. You can enter multiple lines of name-value pairs.
Up to five lines are displayed. If your search is more than five lines long, a scroll bar appears at the right of the Search Query field.
Click the Search icon. The search results are displayed.
To return the query string field to its original size, click the > icon at the right. To reset the search criteria to the original values before your search, click the x at the right.

Viewing additional log details
Do either of these actions:

Hover over the bar for the date for which you want additional details. A pop-up displays details for that date. In this example, the pop-up shows the number of events in a 24-hour period on April 10. ▪ Or click the bar of the date for which you want additional details, a new bar chart is displayed with a breakdown of events. In this example, the bar chart displays an hour-by-hour count of events on April 23.

Hiding the chart view
To hide the chart view at the top of the screen and display only the list of events, click the show/hide chart icon link at the right side of the chart view. To display the chart view again, click the link.

Exporting data
You can export data to a comma-separated values (.csv) file, based on the fields and navigation bar filters you have chosen.
To export data from the Activity Audit Logs page:

Select the Export icon at the right side of the screen.
Select a file name and location.
Save the file.

Monitoring user activity through Admin Audit Logs
Admin Audit Logs (Administration > Admin Audit Logs) collects security relevant system events, such as system configuration changes, user logins and logouts, system service status changes, or stopping/starting of nodes. When such changes occur, an event is generated and saved in the database.
Audit log information
The Admin Audit Logs page provides the following information.

Field	Description
Time	The recorded time of the event.
User	If a user generated the event, the name (email address) of that user. If it is an event on a node, the node name is used. If neither a user nor a node was involved, N/A appears here.
IP Address	The IP address of the user’s browser (if the user performed the action). If an event is on a node, the node’s IP address is shown. If an action is being generated with no user interaction, N/A appears here.

Field	Description
Sub System	The general area where the event takes place (for example, authentication for login activity).
Event Type	The type of event; for example, login, certificate upload, or key request.
Target Type	The area being acted on.
Target Name	The specific location of the event.
Description	Additional details available about the event (shown in JSON format). Click View Details. If no additional details are available, only curly braces {} appear.

Filtering and searching for Admin Audit Log information
You can target the type of information in the Admin Audit Logs by narrowing the time range or searching for specific types of information.
To filter by time range, select the time range from the dropdown list at the upper left.

To search for specific information:
Click the filter icon at the upper right. Then click in the boxes to select the information you want to find and click Search.

Insights Investigate
Insights Investigate provides tools for incident management in your organization. You can view incidents that involve policy violations occurring in your organization, assign a level of severity to an incident, and specify the appropriate action. In addition, you can view details about incidents and their sources from several perspectives and obtain additional information about each incident and its source.
To use Insights Investigate functions, go to Administration > Insights Investigate.
The Insights Investigate page provides information in three tabs:

Incident Management
Incident Insights
Entity Insights

Incident Management tab
The Incident Management tab lists incidents occurring in the organization.
This page lists the total number of incident records found, showing up to 50 records per page. To view additional records, use the pagination buttons at the bottom of the screen.
Four dropdown lists are available from which you can filter the information to show incidents by

time period (today, last 24 hours, week, month, or year, or a date period you specify)
cloud (managed or unmanaged)
severity (low, medium, or high)
status (open, under investigation, or resolved)

The incident management list provides the following information. Use the Column Filter at the upper right to show or hide additional columns.

Column	What it shows
Date	The date and time of the last known occurrence of the incident.
Policy Violation	The policy that the incident violated.
User Name	The name of the user for the incident.
Account Name	The name of the cloud on which the incident occurred.
Severity	The severity of the incident — low, medium, or high.
Status	The resolution status of the incident — open, under investigation, or resolved.

Column	What it shows
Date	The date and time of the last known occurrence of the incident.
Policy Violation	The policy that the incident violated.
User Name	The name of the user for the incident.
Account Name	The name of the cloud on which the incident occurred.
Subject	The text of the subject for the violating email.
Recipient	The name of the recipient of the violating email.
Actions	The actions that can be taken for this incident. Two icons are displayed. ▪ Quarantine — If the policy that was violated has an action of Quarantine, this icon is enabled. When clicked, this icon takes the administrator to the Quarantine Management page. ▪ Activity Audit Logs — When clicked, this icon takes the administrator to the Activity Audit Logs page. The Activity Audit Logs page shows the same data available on the Incident Management page, in a different format.

You can use Search box to find information about a specific violation.
Incident Insights tab
The Incident Insights tab provides details for these types of incidents:

Login violations
Geoanomalies
Activity anomalies
Malware
DLP violations
External sharing

Each violation type is labeled in the outer circle of a graph showing the tenant’s name in the center. The label for each type shows the number of incidents for that type. For example, DLP Violations (189) indicates 189 occurrences of DLP violations.
For more precise search results, you can filter this information by date (today, last 4 hours, last 24 hours, week, month, or year. (The default is Last 24 Hours.)
You can search for incidents using the Search and Add buttons. These buttons enable you to conduct more precise searches for the data you need. For example, you can add a query that specifies user AND location AND application. You can include only one user in a search query.
For incident types that have no violations (count of zero), their labels are not highlighted.
For incident types that have violations, a table to the right shows additional details about each violation.
The information in the table varies for each incident type. Click the violation label to see the list of incidents for that violation.
For DLP Violations, the table shows the following information for up to 100 records.
You can click the binocular icon in the first column of the table row to view a popup with additional details about a violation.

Entity Insights tab
The Entity Insights tab provides details about the entities that are the sources of violations, including:

User
Device
Location
Application
Content
External user

Each entity is labeled in the outer circle of the graph. By default, the tenant name appears in the center circle. The label for each entity shows the name of the entity and the count found for it. For example, User (25) would indicate 25 users found, Device (10) would indicate 10 devices found.
For more precise search results, you can filter this information by date (today, last 4 hours, last 24 hours, week, month, or year. (The default is Last 24 Hours.)
You can search for additional details about an entity. For example, if you search for a user by entering the username in the Search field, the graph displays the username and their risk level. The user’s risk level is displayed as a half-circle around the username. The color indicates the risk level (low, medium, or high).
For entity types that have incidents, a table to the right shows additional details about each incident for the entity. The type of information shown in the table varies according to the entity. Click the entity label to see the table for that entity.
Notes

The Entity Insights table can display no more than 1,000 records. If your search yielded a high count for an entity, the table displays only the first 1,000 records found, even if the total number of records exceeds 1,000. You might need to refine your search further to keep the total record count at 1,000 or fewer.
When exporting Entity Insights activity records from the Activity Audit Logs page to a CSV file, the export is limited to 10,000 events. If your search yielded an activity count higher than this, the exported CSV file will include only the first 10,000 records found.

Viewing and updating user risk information
The User Risk Management page (Protect > User Risk Management) uses information from policy violations, anomalies, and malware events to highlight users who might be posting a risk to your data security. This information can help you determine if policies or user permissions need to be adjusted.
You can update the user risk management settings to set risk thresholds and specify the type of information to include in risk assessments.
To modify user risk assessment settings, click the gear icon to the right above the table. Then, change the following settings as needed.

Under Violation Duration, move the slider to the right or left.
Under Threshold, move the slider to the right or left.
Check or uncheck the types of information (policy violations, malware incidents, anomalies and policy actions) to include in the risk assessment.

Click Save to activate the settings.

Creating, viewing, and scheduling reports

You can create a variety of reports that provide a comprehensive view of information such as:

how and from where users access data from cloud applications and from websites,
how and with whom the data is shared, and
whether users have taken all appropriate security precautions.

In addition, reports provide information that help to identify issues such as these:

anomalous/anonymous data access
deviations in the defined policies
deviations from the defined regulatory compliances
possible malware threats
types of websites accessed (for example, shopping, business and economy, news and media, technology and computers, dating, or gambling)

You can create reports and run them at a scheduled time on a selected day, or on one day of a week for the entire week. You can also view the scheduled reports and download them for further analysis.
Note
Reports are generated based on global time zone settings.
Uploading a company logo
To upload a company logo to use with reports:

Go to Administration > System Settings.
Select Logo and Time Zone.
Enter your Company Name.
Upload your company logo. Select a logo file from your computer and click Upload.
For the best results, the logo should be 150 pixels wide and 40 pixels high.
Click Save.

Setting a time zone
You can select a time zone to apply to reports. When you generate reports, they will be based on the time zone you select.
To set a time zone:

In System Settings, select Logo and Time Zone.
In the Time Zone section, select a time zone from the dropdown list and click Save.
When you generate a report, the time zone you selected is displayed on the report cover page.

Selecting report types for cloud applications
Juniper Secure Edge CASB offers the following types of reports:

Visibility
Compliance
Threat Protection
Data Security
IaaS
Custom

Each report is categorized into sub-types to provide deeper analysis.
The following sections explain the report types and sub-types.
Visibility
Visibility reports provide a consolidated view into sanctioned cloud usage patterns and Shadow IT (unsanctioned cloud) reporting, detailing how and where users are accessing cloud data.
Visibility is further categorized into these areas:

Cloud Discovery — Provides details about unsanctioned cloud usage.
User Activity — Provides details about how and where users access the sanctioned and unsanctioned cloud applications.
External User Activity — Provides details about users outside the organization with whom the data has been shared and their activities with the cloud applications.
Privileged User Activity (only if one or more Salesforce cloud applications are onboarded) – Provides details about activities by users with extended credentials.

Compliance
Compliance reports monitor data in the cloud for compliance with data privacy and data residency regulations as well as cloud risk scoring.
Compliance is further categorized as follows:

Compliance violations by user – provides details about user activities that breach defined security policies in your organization.
Sharing violations by user – provides details about user activities that breach data sharing policies with external users.

Threat Protection
Threat Protection reports provide analysis of traffic and apply user behavior analytics to find external threats such as compromised accounts and flag suspicious behavior of privileged users.
Threat Protection is further categorized as follows:

Anomaly – Provides information about anomalous, suspicious data access, and unusual user activities (such as simultaneous access of data by the same user login into the system from different devices at different locations).
Advanced threat and malware – Shows a graphical view of threats and malware incidents for the time period selected.
Unmanaged device access – Provides information about user access with unmanaged devices.

Data Security
Data Security reports provide analysis of file, field, and object protection through encryption, tokenization, collaboration controls, and data loss prevention.
Data Security is further categorized as follows:

Encryption statistics – provides information about file encryption activities by users, devices used for file encryption, files that have been encrypted, any new devices used for encrypting files, list of registered devices by operating system, file decryption by location, and decryption failures over a specified period.
Device statistics – provides information about unencrypted files on unmanaged devices and top 10 users with encrypted files on unmanaged devices.

IaaS

IaaS reports provide analysis of activity for AWS, Azure, and Google Cloud Platform (GCP) cloud types.

Custom

Custom reports enable you to generate reports from charts in the monitoring dashboards.

Displaying report information
Perform the following steps to display report information.
In the Management Console, click the Reports tab.
The Reports page lists the generated reports. If you are logging in for the first time, a blank table is displayed. For each report, the list provides the following information:

Column	Description
Name	The Name given for the report.
Type	The Type of report. ▪ For CASB – The selected type for the report (for example, Visibility). ▪ For Secure Web Gateway – Custom.
Sub-Type	Sub-Type of the report.

Column	Description
	▪ For CASB – Based on the selected report Type. ▪ For Secure Web Gateway – Custom.
Frequency	How often the report will be generated.
Actions	Option to delete the report.

Scheduling a new report

From the Reports page, click New.

Enter the following information. Fields with a colored border at the left require a value.

Field	Description
Name	Name of the report.
Description	A description of the report contents.
Filter/Type	Select either ▪ Clouds ▪ Websites
User Name	Enter one or more valid email addresses for the users to include in the report. To include all users, leave this field blank.
Configuration/Type	Select a report type. For Clouds, the options are: ▪ Visibility ▪ Compliance ▪ Threat Protection ▪ Data Security ▪ IaaS ▪ Custom For Websites, the default selection is Custom.
Sub-Type	Select one or more sub types. The options listed are related to the report type you selected.

Field	Description
	For Custom reports, double-click the dashboards from which you want to generate reports. In this example, the selectable charts are from any of the dashboards for Cloud report types. Drill down to see a list of available charts, click a chart, and click the right-arrow icon to move it to the Selected Charts list. Repeat these steps for each chart to include.
Format	Select PDF and save the report on your computer. You can open and view the report using a PDF viewer such as Adobe Reader.
Frequency	Select the time-interval at which the report needs to be generated – either Daily, Weekly, or One Time. For One Time, select the date range for the data to include in the report and click OK.
Notification	Select the type of notification to receive for report activity.

Click Save to schedule the report. The newly created report is added to the list of available reports.

Once a scheduled report is generated, the system triggers an email notification informing the user that the report scheduling is complete and provides a link to access and download the report.

Downloading generated reports
Clicking the link in the email shown above takes you to the Reports page, where you can view the list of generated reports and select a report to download.

From the Reports page, click the > icon to select the generated report you want to download.

Click the Reports for Download tab.
A list of generated reports appears, with the following information.

Column	Description
Generated Date	The date and time when the report was generated.
Report Name	Name of the report.
Report Type	Type of report.
Report Sub-Type	Sub-Type of report (based on Type). For Websites, the Sub-Type is always Custom.
Report Format	Format of the report (PDF).
Download	Icon for downloading the report.

Choose the generated report you want to download by clicking the download icon at the right.
Select a destination on your computer and a name for the file.
Save the report.

Managing report types and scheduling
You can update information about reports and their delivery schedules.

From the Reports page, click the > icon next to the report whose information you want to modify.
Click the Manage Schedules tab.
Edit the report information as needed.
Save the report.

Quick reference: Home dashboard charts

The following tables describe the content available for the dashboards from the Monitor menu.

Application Activities
Anomalous Activities
Office 365
IaaS Monitoring Dashboard
Zero Trust Enterprise Access

For information about viewing the charts, see Monitoring cloud activity from charts.
Application Activities
This dashboard displays the following groups of charts:

Policy Analytics
Activity Monitoring
Encryption Statistics
Privileged User Activities

Policy Analytics

Chart	What it shows
Files Encrypted by Policy	The number of files encrypted (for example, files with credit card data) in response to policy violations. This chart provides insights into documents that were encrypted based on one or more policy definitions.
Files Encrypted Over Time	The number of files that have been encrypted, which indicates encryption trends that can help you better understand the overall risk posture over time.
Policy Hits over Time	The number of violations or events that the policy engine had detected, indicating trends on the risk posture for your supported cloud applications.
Policy Hits by User	The number of violations or events detected by the policy engine, by user email address; helps identify top users in violation of compliance policies.
Policy Remediations	The total number of policy violation actions over a specified period, with a percentage breakdown for each type of action. This view helps identify remediation actions taken for policy violations, which provides insights into adjustments that might be needed to policy remediations.

Chart	What it shows
Activities Over Time	The number of activities on files, indicating activity trends for your cloud applications.
Policy Hits by Cloud	The total number of detected policy violations or events for all cloud applications, with a breakdown by cloud.
External Collaborator Hits by Cloud	The number of detected policy violations by external collaborators. Helps identify policy violations owing to external collaborators. This is important from the perspective of understanding risk exposure due to external collaborator activities.
Policy Hits by SharePoint Site	For each SharePoint site, the number of detected policy violations or events, by type. Applies only to SharePoint sites; shows policy hits by individual site.
Policy Hits by Location	The number of policy violations or events according to the geographical location where the events occurred.
Public Link Hits Over Time	For each cloud, the number of public link violations. This view shows compliance violations due to public (open) links. These links could provide access to highly sensitive data which is accessible to anyone with the access to the link.
Advanced Threats and Malwares Over Time	For each cloud, the number of threats and malware incidents detected.
Key Access Denied over Time	The number of times that access to a key was denied as defined by key access policies set for your enterprise.
Login Access Denied over Time	The number of times that login was denied as defined by cloud authentication policies.
Login Access Denied by Location	A map showing the locations at which login access was denied.
Top 5 Login Access Denied Users	The highest numbers of login access denials by user.

Activity Monitoring

Chart	What it shows
Activities Over Time	The number of activities being performed by users for each cloud, indicating activity trends over time.
Login Activities Over Time	For each cloud, the number of login activities.
Users by Activity	Users according to the activities they have performed, providing a view of user activities across cloud applications.
Object Types by Activity (Salesforce cloud applications)	The types of objects associated with an activity.
Login Activities by OS	The total number of login activities for a specified period, and a breakdown by percentage for each operating system from which users logged in. This view helps identify activity by OS.
Top 5 Users by File Download	The total number of files downloaded for a specified period, and a breakdown by percentage for the email addresses of the users with the highest number of downloads.
Downloaded Reports	The names of reports with the highest number of downloads.
Report Downloads by User	The email addresses of users who have downloaded the highest number of reports over time.
User Activities by OS	The number of activities, by cloud, for each operating system to which the users are logged in.
Viewed Reports by User	The types of reports viewed by users over time.
Account Names by Activity (Salesforce cloud applications only)	The names of the accounts with the highest number of activities over time.
Lead Names by Activity (Salesforce cloud applications only)	The names of the leads with the highest number of activities over time.
Viewed Reports by User	The highest numbers of reports viewed by users, from highest to lowest.
Shared Content by Activity	Activities for content that is shared. From this report, you can determine what files are being shared the most (by file name), and what is being done with those files (for example, deleting or downloading). Note In Salesforce cloud applications, sharing activities will show the file ID instead of the file name.
Login Activity by Location	A circle graph showing counts of login activities by geographical location.
Content Shared by Location	A circle graph showing counts of content sharing activity by geographical location.

Encryption Statistics

Chart	What it shows
File Encryption Activities by User	For each cloud, the email addresses of users with the highest number of file encryptions and decryptions. This view highlights access to highly sensitive encrypted data by users.
Devices Used for File Encryption	The highest numbers of client devices being used to encrypt and decrypt files. This view highlights access to highly sensitive encrypted data based on devices.
Encryption Activities by File Name	For each cloud, the names of files with the highest number of encryptions and decryptions.
New Devices Over Time	For each cloud, the number of new client devices being used for encryption and decryption.
Encryption Activities Over Time	The number of encryption and decryption activities.
File Decryption by Location	The geographical locations where files are being decrypted, and the number of files decrypted in each location. Provides important insight into the geo-locations from which highly sensitive encrypted data is being accessed.
Registered Devices by OS	Shows the total number of client devices registered for use to decrypt files, and a breakdown by percentage for each type of device.
Client Device Registration Failures Over Time	For each cloud, the number and client device registration failures, month by month.
Decryption Failures Over Time	For each cloud, shows the number of decryption failures, month by month.

Privileged User Activities

Chart	What it shows
Privileged Activities Over Time	The number of privileged-access activities month by month, for each cloud. This view is typically used to identify insider threats by users who have elevated permissions in the cloud applications.
Privileged Activities by Type	The total number of privileged-access activities, with a percentage breakdown for each activity type. Provides insights into the types of activities being performed by privileged users.
Audit Messages	For each cloud, the names of the highest number of audit messages are generated. Shows specific security setting changes by privileged users.
Accounts Enabled or Disabled Over Time	The number of accounts frozen and unfrozen by the administrator. Shows user account activation and deactivation events per cloud.
Accounts Created or Deleted Over Time	The number of user accounts created or deleted by an administrator.
Delegated Activities Over Time	Delegated activities (activities performed by an administrator while logged in as another user).

Anomalous Activities

The following charts display anomalous activities.

Chart	What it shows
Anomalous Activities by Geolocation	A map view with geographic pointers indicating where anomalous activity has likely occurred, showing login or cloud activities by the same user across multiple geolocations. This type of anomaly is called a geoanomaly. If geoanomalies have been detected, the map shows one or more geographic pointers identifying where the activity in question took place. This view is typically used to identify account hijacking or compromised account credential scenarios.
Anomalous Downloads by Size	The number of downloads that exceed the expected download activity for your enterprise, by file size.
Anomalous Authentication	The number of times an anomalous pattern is found in a user’s network events, including logins, failed or brute-force login attempts, and logouts.
Anomalous Content Delete	The number of content delete activities for anomalous content.
Anomalous Downloads by Count	The number of downloads that exceed expected download activity for your enterprise. This information is typically used to identify data exfiltration attempts by a bad inside actor. This is done by profiling normal user activity and triggering an anomalous activity when unusual download activity takes place for that account.

Office 365
Several types of charts are available to view information for the Microsoft 365 applications you selected for protection when the Microsoft 365 suite was onboarded. If you do not select an application for protection, the dashboard and charts for that application will not be visible. To add an application for protection after onboarding:

Go to Administration > App Management.
Select the Microsoft 365 cloud type you onboarded.
On the Application Suite page, select the applications for which you want to add protection.
Re-authenticate as needed.

For detailed instructions, see Onboarding Microsoft 365 cloud applications.
Use the following links to view information about the Microsoft 365 charts:

Overview
Admin Activities
OneDrive
SharePoint
Teams

Overview
The Overview charts summarize activity for the Microsoft 365 applications you have selected for protection.

Chart	What it shows
Active User Count Over Time Grouped by Clouds	The number of active users for each cloud application over the time range.
Inactive User Count Over Time Grouped by Clouds	The number of inactive users (users with no activity for six months or more) for each cloud application.
Activity Count Over Time Grouped by Cloud applications	The number of activities for each application over the time range.
Activity Count By Location Grouped by Clouds	A map view showing the number of activities in specific locations for each cloud application over the time range. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Successful Logins Over Time	Counts of successful logins by user over time.
Failed Logins Over Time	Counts of failed logins by user over time.

Admin Activities
These charts display activity by administrators.

Chart	What it shows
Site Admin Activities Grouped by Activity Type	The number of activities performed by site administrators, by activity type.
User Management Grouped by Activity Type	The number of activities related to user management, by activity type.
Enterprise Settings Grouped by Activity Type	The total number of enterprise settings, by activity type.

OneDrive
The OneDrive charts display activity for the OneDrive application.

Chart	What it shows
Top 10 Users by Activity	The user IDs of the 10 most active OneDrive users, and the total activity count for each user.
Activity Count Over Time Grouped by Activity Type	The number of OneDrive activities over the time range, by activity (for example, edit, external sharing, file syncing, and internal sharing).
Activity Count by Location	A map view showing the number of OneDrive activities of each type that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Public Sharing Activity Count Over Time	The number of public sharing activities over the time range.
Top 10 External Users by Access Activity	The user IDs of the top 10 OneDrive users, and the activity count for each user over time.
External Sharing Activity Count Over Time	The number of external sharing activities over the time range.
Anonymous Access Activity Count Over Time	The number of OneDrive anonymous access activities over time. Anonymous access is granted from a link that does not require the user to provide authentication.

SharePoint
The SharePoint charts display activity for the SharePoint application.

Chart	What it shows
Top 10 Users by Activity	The user IDs of the 10 most active SharePoint users, and the total activity count for each user.
Activity Count Over Time Grouped by Activity Type	The number of activities over the time range, by activity (edit, external sharing, file syncing, and internal sharing.
Activity Count by Location	A map view showing the number of activities of each type that occurred at a specific location.
Public Sharing Activity Count Over Time	The number of public sharing activities over the time range.
Top 10 External Users by Access Activity	The user IDs of the top 10 users, and the activity count for each user, over the time range.
External Sharing Activity Count Over Time	The number of external user activities over the time range.
Anonymous Access Activity Over Time	The number of anonymous access activities over time. Anonymous access is granted from a link that does not require the user to provide authentication.

Teams
The Teams charts display activity for the Teams application.

Chart	What it shows
Top 10 Users by Activity	The user IDs of the 10 most active users for Teams, and the total activity count for each user.
Activity Count Over Time Grouped by Activity Type	The number of activities in Teams over the time range, by activity type.
Device Usage Grouped by Device Type	The number of devices used to access Teams, by device type.

IaaS Monitoring Dashboard
This dashboard displays user and activity counts in the following charts:

Amazon Web Services
Microsoft Azure
Google Cloud Platform

Amazon Web Services
The Amazon Web Services charts display information for EC2, IAM, and S3.

Chart	What it shows
Top 5 Active Users – EC2	The user IDs of the five most active EC2 users.
Top 5 Active Users – IAM	The user IDs of the five most active Identity and Access Management (IAM) users.
Top 5 Active Users – S3	The user IDs of the five most active S3 users.
Top 5 Active Users – AWS Console	The user IDs of the five most active users of the AWS Console.
Top 5 Activities – EC2	The five most frequently performed activities for EC2.
Top 5 Activities – IAM	The five most frequently performed activities for IAM.
Top 5 Activities – S3	The five most frequently performed activities for S3.
Top 5 Activities – AWS Console	The five most frequently performed activities for the AWS Console.

Chart	What it shows
Activity by User Location – EC2	A map view showing the number of EC2 activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activity by User Location – IAM	A map view showing the number of IAM activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activity by User Location – S3	A map view showing the number of S3 activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activity by User Location – AWS Console	A map view showing the number of IAM activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activities Over Time – EC2	The number of EC2 activities over the time range.
Activities Over Time – IAM	The number of IAM activities over the time range.
Activities Over Time – S3	The number of S3 activities over the time range.
Activities Over Time – AWS Console	The number of activities in the AWS Console over the time range.

Microsoft Azure
The Microsoft Azure charts display information related to virtual machine use, network configurations, storage, login, container, and Azure AD activity.

Chart	What it shows
Top 5 Active Users – Compute	The User IDs of five most active Virtual Machine users.
Top 5 Active Users – Network	The User IDs of five most active Network Configurations (for example, VNet, Network Security Group and Network Route Table Association and Dissociation) modifying users.
Top 5 Active Users – Storage	The User IDs of five most active Storage Account (Blob Storage and Compute Storage) users.
Top 5 Active Users – Azure Login	The User IDs of five most active users.
Top 5 Active Users – Container Service	The User IDs of five most active Container Service users (for example, Kubernetes or Windows Container).
Top 5 Activities – Compute	The five most frequently performed activities for Virtual Machines (for example, Creation, Deletion, Start Stop and Restart Virtual Machine).
Top 5 Activities – Network	The five most frequently performed activities for Network.
Top 5 Activities – Azure AD	The five most frequently performed activities for Azure Active Directory (Add New User, Delete User, Create Group, Delete Group, Add User to Group, Create Role, Delete Role, Associate to New Roles).
Top 5 Activities – Storage	The five most frequently performed activities for Storage (Create or Delete Blob Storage and Virtual Machine Storage).
Top 5 Activities – Container Service	The five most frequently performed activities for Container Service (for example, Create or Delete Kubernetes and Windows Container service).
Activities Over Time – Compute	The number of Virtual Machine related activities over the time range.
Activities Over Time – Network	The number of Network related activities over the time range.
Activities Over Time – Azure AD	The number of Azure Active Directory related activities over the time range.

Chart	What it shows
Activities Over Time – Storage	The number of Storage related activities over the time range.
Activities Over Time – Container Service	The number of Container activities over the time range.
Activities by Location – Compute	A map view showing the number of Virtual Machine activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activities by Location – Network	A map view showing the number of Network activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activities by Location – Storage	A map view showing the number of Storage activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activities by Location – Azure Login	A map view showing the number of Login activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activities by Location – Container Service	A map view showing the number of activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.

Google Cloud Platform
The Google Cloud Platform (GCP) charts display information for virtual machines, IAM, login, storage, and location activity.

Chart	What it shows
Top 5 Active Users – Compute	The User IDs of five most active Compute users (Virtual Machine (Instances), Firewall Rules, Routes, VPC Network).
Top 5 Active Users – IAM	The user IDs of the five most active IAM users.
Top 5 Active Users – Storage	The user IDs of the five most active Storage users.
Top 5 Active Users – Login	The User IDs of five most active users.
Top 5 Activities – Compute	The five most frequently performed activities for Compute (for example, Create Instance, Delete Instance, Create Firewall, Delete Firewall, Disable Firewall, Create Route, Delete Route, Create VPC Network).
Top 5 Activities – IAM	The five most frequently performed activities for IAM.(for example, Two Step Verification Enrolled, Two Step Verification Disabled, Create Role, Delete Role, Change Password, Create API Client, Delete API Client).
Top 5 Activities – Storage	The five most frequently performed activities for Storage (for example, Set Bucket Permissions, Create Bucket, Delete Bucket).
Top 5 Activities – Login	The five most frequently performed activities for the Login (Login Success, Login Failure, Logout).
Activities Over Time – IAM	The number of IAM activities over the time range.
Activities Over Time – Storage	The number of Storage activities over the time range.
Activities Over Time – Login	The number of Login activities over the time range.
Activities Over Time – Compute	The number of Compute activities over the time range.
Activities by Location – Compute	A map view showing the number of Compute activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activities by Location – IAM	A map view showing the number of IAM activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activities by Location – Storage	A map view showing the number of Storage activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.
Activities by Location – Login	A map view showing the number of login activities that occurred at specific locations. If only one activity occurred, only the location icon is shown; if multiple activities occurred, the number of activities is shown in a circle graph.

Quick reference: RegEx examples

Following are some examples of regular expressions.

Regular expression	Description	Sample data
[a-zA-Z]{4}[0-9]{9}	Custom account number starting with 4 letters followed by 9 digits.	ghrd123456789
[a-zA-Z]{2-4}[0-9]{7-9}	Custom account number starting with 2-4 letters followed by 7-9 digits.	ghr12345678
([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a- z\.]{2,6})	Email address	Joe_smith@mycompany.com

Quick reference: Supported file types

CASB supports the following file types. To identify file types for any formats not listed here, contact the Juniper Networks Support team (https://support.juniper.net/support/).

File type	Description
Ami	Ami Pro
Ansi	Ansi text file
Ascii	Ascii (DOS) text file
ASF	ASF file
AVI	AVI file
Binary	Binary file (unrecognized format)
BMP	BMP image file
CAB	CAB archive
Cals	CALS metadata format described in MIL-STD-1840C
CompoundDoc	OLE Compound Document (or “DocFile”)
ContentAsXml	Output format for FileConverter that organizes document content, metadata, and attachments into a standard XML format
CSV	Comma-separated values file
CsvAsDocument	CSV file parsed as a single file listing all records
CsvAsReport	CSV file parsed as report (like a spreadsheet) instead of a database
DatabaseRecord	Record in a database file (such as XBase or Access)
DatabaseRecord2	Database record (rendered as HTML)
DBF	XBase database file

File type	Description
DocFile	Compound document (new parser)
dtSearchIndex	dtSearch index file
DWF	DWF CAD file
DWG	DWG CAD file
DXF	DXF CAD file
ElfExecutable	ELF format executable
EMF	Windows Metafile Format (Win32)
EML	Mime stream handled as a single document
EudoraMessage	Message in a Eudora message store
Excel12	Excel 2007 and newer
Excel12xlsb	Excel 2007 XLSB format
Excel2	Excel Version 2
Excel2003Xml	Microsoft Excel 2003 XML format
Excel3	Excel version 3
Excel4	Excel version 4
Excel5	Excel versions 5 and 7
Excel97	Excel 97, 2000, XP, or 2003
FilteredBinary	Filtered binary file
FilteredBinaryUnicode	Binary file filtered using Unicode Filtering
FilteredBinaryUnicodeStream	Binary file filtered using Unicode Filtering, not split into segments

File type	Description
FlashSWF	Flash SWF
GIF	GIF image file
Gzip	Archive compressed with gzip
HTML	HTML
HtmlHelp	HTML Help CHM file
ICalendar	ICalendar (*.ics) file
Ichitaro	Ichitaro word processor file (versions 8 through 2011)
Ichitaro5	Ichitaro versions 5, 6, 7
IFilter	File type processed using installed IFilter
iWork2009	IWork 2009
iWork2009Keynote	IWork 2009 Keynote presentation
iWork2009Numbers	IWork 2009 Numbers spreadsheet
iWork2009Pages	IWork 2009 Pages document
JPEG	JPEG file
JpegXR	Windows Media Photo/HDPhoto/*.wdp
Lotus123	Lotus 123 spreadsheet
M4A	M4A file
MBoxArchive	Email archive conforming to the MBOX standard (dtSearch versions 7.50 and earlier)
MBoxArchive2	Email archive conforming to the MBOX standard (dtSearch versions 7.51 and later)
MDI	MDI image file

File type	Description
Media	Music or video file
MicrosoftAccess	Microsoft Access database
MicrosoftAccess2	Microsoft Access (parsed directly, not via ODBC or the Jet Engine)
MicrosoftAccessAsDocument	Access database parsed as a single file listing all records
MicrosoftOfficeThemeData	Microsoft Office .thmx file with theme data
MicrosoftPublisher	Microsoft Publisher file
MicrosoftWord	Microsoft Word 95 – 2003 (dtSearch versions 6.5 and later)
MIDI	MIDI file
MifFile	FrameMaker MIF file
MimeContainer	MIME-encoded message, processed as a container
MimeMessage	dtSearch 6.40 and earlier file parser for .eml files
MP3	MP3 file
MP4	MP4 file
MPG	MPEG file
MS_Works	Microsoft Works word processor
MsWorksWps4	Microsoft Works WPS versions 4 and 5
MsWorksWps6	Microsoft Works WPS versions 6, 7, 8, and 9
Multimate	Multimate (any version)
NoContent	File indexed with all content ignored (see dtsoIndexBinaryNoContent)
NonTextData	Data file with no text to index

File type	Description
OleDataMso	oledata.mso file
OneNote2003	not supported
OneNote2007	OneNote 2007
OneNote2010	OneNote 2010, 2013, and 2016
OneNoteOnline	OneNote variant generated by Microsoft online services
OpenOfficeDocument	OpenOffice versions 1, 2, and 3 documents, spreadsheets, and presentations (.sxc, .sxd, .sxi, .sxw, .sxg, .stc, .sti, .stw, .stm, .odt, .ott, .odg, .otg, .odp, .otp, .ods, .ots, .odf) (includes OASIS Open Document Format for Office Applications)
OutlookExpressMessage	Message in an Outlook Express message store
OutlookExpressMessageStore	Outlook Express dbx archive (versions 7.67 and earlier)
OutlookExpressMessageStore2	Outlook Express dbx archive
OutlookMsgAsContainer	Outlook .MSG file processed as a container
OutlookMsgFile	Microsoft Outlook .MSG file
OutlookPst	Outlook PST message store
PDF	PDF
PdfWithAttachments	PDF file with attachments
PfsProfessionalWrite	PFS Professional Write file
PhotoshopImage	Photoshop Image (*.psd)
PNG	PNG image file
PowerPoint	PowerPoint 97-2003
PowerPoint12	PowerPoint 2007 and newer

File type	Description
PowerPoint3	PowerPoint 3
PowerPoint4	PowerPoint 4
PowerPoint95	PowerPoint 95
Properties	PropertySet stream in a Compound Document
QuattroPro	Quattro Pro 9 and newer
QuattroPro8	Quattro Pro 8 and older
QuickTime	QuickTime file
RAR	RAR archive
RTF	Microsoft Rich Text Format
SASF	SASF call center audio file
SegmentedText	Text segmented using File Segmentation Rules
SingleByteText	Single-byte text, encoding automatically detected
SolidWorks	SolidWorks file
TAR	TAR archive
TIFF	TIFF file
TNEF	Transport-neutral encapsulation format
TreepadHjtFile	TreePad file (HJT format in TreePad 6 and earlier)
TrueTypeFont	TrueType TTF file
UnformattedHTML	Output format only, for generating a synopsis that is HTML- encoded but that does not include formatting such as font settings, paragraph breaks, etc.
Unicode	UCS-16 text

File type	Description
Unigraphics	Unigraphics file (docfile format)
Unigraphics2	Unigraphics file (#UGC format)
Utf8	UTF-8 text
Visio	Visio file
Visio2013	Visio 2013 document
VisioXml	Visio XML file
WAV	WAV sound file
WindowsExecutable	Windows .exe or .dll
WinWrite	Windows Write
WMF	Windows Metafile Format (Win16)
Word12	Word 2007 and newer
Word2003Xml	Microsoft Word 2003 XML format
WordForDos	Word for DOS (same as Windows Write, it_WinWrite)
WordForWin6	Microsoft Word 6.0
WordForWin97	Word For Windows 97, 2000, XP, or 2003
WordForWindows1	Word for Windows 1
WordForWindows2	Word for Windows 2
WordPerfect42	WordPerfect 4.2
WordPerfect5	WordPerfect 5
WordPerfect6	WordPerfect 6

File type	Description
WordPerfectEmbedded	WordPerfect document embedded in another file
WordStar	WordStar through version 4
WS_2000	Wordstar 2000
WS_5	WordStar version 5 or 6
WordList	List of words in UTF-8 format, with the word ordinal in front of each word
XBase	XBase database
XBaseAsDocument	XBase file parsed as a single file listing all records
XfaForm	XFA form
XML	XML
XPS	XML Paper Specification (Metro)
XyWrite	XyWrite
ZIP	ZIP archive
ZIP_zlib	ZIP file parsed using zlib
7z	7-zip archive

Juniper Business Use Only

Documents / Resources

Juniper Secure Edge Application [pdf] User Guide
Secure Edge, Application, Secure Edge Application

References

User Manual

Secure Edge Application

About Juniper Secure Edge

Getting started

Onboarding cloud applications and suites

Post-onboarding tasks

Configuring tenants for user access and session activity

Managing users

Configuring CASB for enterprise integration

Configuring logs

Creating and managing notifications and alerts

Configuring Juniper Secure Edge CASB for policy management

Creating policies for data protection and application security

Managing connected applications

Cloud Security Posture Management (CSPM) and SaaS Security Posture Management (SSPM)

Cloud Data Discovery

Violation management and quarantine

Monitoring and managing system activity

Creating, viewing, and scheduling reports

Quick reference: Home dashboard charts

Quick reference: RegEx examples

Quick reference: Supported file types

Documents / Resources

References

Leave a comment

Cancel reply

Google Workspace application	Protection models available
Google Drive	API Access Cloud Data Discovery