No detection occurring via new Cloud Detection Service after successful enrollment of server in DLP v15

Article ID: 170252

Products

Data Loss Prevention Cloud Detection Service

Issue/Introduction

A new Cloud Detector for the Cloud Detection Service (CDS) has been enrolled in DLP v15.

The CDS has also been registered successfully in the CloudSOC (CASB) console.

However, no incidents or detections are occurring via the related technology (WSS or CloudSOC).

Cause

First, rule out two-tier indexing issues, as per this related article: be sure all indexes are present and that the CDS has a full profile and policy matrix.

Second, in contrast to DLP v14.6.x, DLP v15 and above requires that a "New Configuration" be set up before detection via Cloud Services will work.

Environment

For all versions of DLP Enforce, with Cloud Detection Service, and any of the following associated technologies:

  • Elastica Cloud SOC (i.e., CASB application monitoring)
  • REST API (associated with custom application as configured by end-user)

For versions 15.0 and 15.1:

  • Web Security Services proxy (i.e., BlueCoat WSS Proxy, Cloud Web Proxy, or WSS).
  • For Enforce v15.5 and above, policies for the Cloud Web Proxy are handled via regular Policy Groups configuration (System > Servers > Policy Groups).

Resolution

Follow the steps given in the Admin Guide (also available online, via the Symantec Help Center, by clicking on the "?" in the Enforce Console), in the section entitled "Managing Application Detection":

After you have deployed and configured your Symantec Data Loss Prevention
Cloud Service Connector, you can configure cloud application detection on the
Manage > Application Detection > Configuration page

Take note, however, that while the documentation suggests you "can" perform this step, it is in fact required.