DLP detection of Application Connector stops generating incidents after upgrade to v15


Article ID: 170789


Products

  • Data Loss Prevention Enforce
  • Data Loss Prevention Cloud Detection Service

Issue/Introduction

A DLP Enforce environment previously configured (in v14.6 or earlier) with a Cloud Connector no longer detects incidents for registered Securlets or Gatelets after the upgrade.

Cause

There are 2 possible causes.

Firstly, there is a known defect when 2 Cloud Detection servers are registered in the same Enforce console. This issue usually arises after the second server is added, and is described in TECH248993 (see the related articles link). The solution in that case requires upgrading to 15.0 MP1.

This article describes a second issue, which is related to the configuration of the individual Gatelets or Securlets in the "Manage > Application Detection" fields.

Much of the backend as well as the UI changed in DLP v15 - see the related article content.

  • The "Manage > Cloud Connector" section has been renamed "Manage > Application Detection".
  • At least one application must be specified in this field, otherwise detection will not occur - as per TECH247771.
  • There is a "Sync to CloudSOC" button, whereby the DLP configuration for these applications is sent to the Detector; this also corresponds to CASB functionality.
  • There is also a whole host of new conditions and rules for detection, as per DOC9451.

Environment

DLP v15, upgrading from earlier release (14.6, 14.6 MP2, etc.)

Of note:

  • In DLP 14.6 versions, the server which connects to CASB and WSS is called the Cloud Service Connector.
  • In DLP 15.0, this service and its associated product were renamed to the Cloud Detection Service - it is the same service, but with updated features.

Resolution

If the configuration of an app for detection is not correct, no "syncing" of the Application Detection will occur.

Below are 2 examples of incorrect details for an O365 Securlet:

Settings as entered when "Sync Pending" never resolves:

  1. Type = "Cloud Detection API Service" => This should be "Securlet".
  2. Applications = "Amazon Web Services" was chosen => This should be the name of the application in question, e.g., "Office 365 Email".

See this screenshot for a depiction of 3 correctly configured O365 Securlets:

Once the configuration is saved, the synchronization should commence without further action required.
