Issue:
CloudSOC Investigate events could be missing the Cloud Service Username for some CASB Gateway activity. The Cloud Service Username is the user's SaaS login name (for example: [email protected]).
The CloudSOC Username is the corporate user that attempted the activity in the SaaS; it is not affected by this potential issue.
The potential problem:
A CloudSOC Gateway enforcement policy could be affected by this issue if the policy specifies the account type as internal or external. The policy may not be enforced because CloudSOC is not able to identify the external user when the Cloud Service Username is missing.
Policies that are enforced by the CloudSOC Username instead of the account type are not affected by this issue.
If a user's connectivity method is switched during an active SaaS session, the new session may not carry the Cloud Service Username (SaaS username, for example: [email protected]). The Gateway access enforcement policy may not be enforced properly in this condition.
The gateway connectivity methods include:
Broadcom has added a nightly user replication process that syncs the user state from AWS to GCP twice a day. For users migrating to the WSS connectivity methods, the replication resolves this issue without user interaction once it has run.
To resolve the issue before the synchronization occurs, logging out of and back in to the SaaS sends the Cloud Service Username in the new session and resolves the issue. The user may need to log out of more than one SaaS, or clear the browser cache, which also forces a fresh login to the SaaS.
This issue may be minimized by: