search cancel

Investigate Events are Missing the Cloud Service Username

book

Article ID: 210002

calendar_today

Updated On:

Products

CASB Gateway Advanced CASB Security Advanced CASB Security Premium CASB Security Standard

Issue/Introduction

Issue:

CloudSOC investigates events that could be missing the Cloud Service Username for some CASB Gateway activity. The Cloud Service Username is the user's SaaS login name example: [email protected]

The CloudSOC Username is the corporate user that attempted the activity in the SaaS and is not affected by this potential issue.

The potential problem:

A CloudSOC Gateway enforcement policy could be affected by this issue if the policy specifies the account type as internal or external. The procedure may not be enforced because CloudSOC cannot identify the external user.

This issue does not affect policies that are enforced by the CloudSOC username instead of the account type.

Cause

If a user's connectivity method is switched during an active SaaS session, the new session may not have the Cloud Service Username (SaaS username) example: [email protected] The Gateway access enforcement policy may not be enforced properly in this condition.

The gateway connectivity methods include:

  • WSS Agent
  • WSS Proxy Forwarding through a local proxy
  • Reach Agent (Deprecated. Users that have not been migrated to WSS.)
  • Elastica SSO (Deprecated. Users that have not been migrated to WSS.)
  • CloudSOC Gateway Proxy Chaining through a local proxy destination gw.elastica.net (Deprecated)

Resolution

To resolve the issue before the synchronization occurs, logout and login of the SaaS will send the Cloud Service username in the new session and resolve the issue. The user may need to log out of more than one SaaS or clear the browser cache, which will result in a new login for the SaaS.

This issue may be minimized by:

  • Reduce the duration of a SaaS session is active.
  • Reduce policies that are triggered based on the Cloud Service username.
  • Reduce conditions where the connectivity methods change where the SaaS session is active.
  • Consider implementing a browser session cookie reset during the WSS Agent installation if you find this issue familiar after moving to the WSS Agent. For example, the procedure could be applied before the computer restarts during the WSS Agent install.