Investigate Events are Missing the Cloud Service Username

Article ID: 210002

Products

CASB Gateway Advanced

Issue/Introduction

Issue:

CloudSOC Investigate events could be missing the Cloud Service Username for some CASB Gateway activity. The Cloud Service Username is the user's SaaS login name, for example: [email protected]

The CloudSOC Username is the corporate user that attempted the activity in the SaaS and is not affected by this potential issue.

The potential problem:

A CloudSOC Gateway enforcement policy could be affected by this issue if the policy specifies the account type as internal or external. The policy may not be enforced because CloudSOC is not able to identify the external user.

Policies that are enforced by the CloudSOC username instead of the account type are not affected by this issue.

Cause

If a user's connectivity method is switched during an active SaaS session, the new session may not have the Cloud Service Username (SaaS username), for example: [email protected]. The Gateway access enforcement policy may not be enforced properly in this condition.

The gateway connectivity methods include:

  • WSS Agent
  • WSS Proxy Forwarding through a local proxy
  • Reach Agent (Deprecated. Users that have not been migrated to WSS.)
  • Elastica SSO (Deprecated. Users that have not been migrated to WSS.)
  • CloudSOC Gateway Proxy Chaining through a local proxy destination gw.elastica.net (Deprecated)

Resolution

Broadcom has added a nightly user replication process that will sync the user state from AWS to GCP twice a day. For users migrating to the WSS methods, the replication will resolve this issue without interaction once the replication has occurred.

To resolve the issue before the synchronization occurs, log out of the SaaS and log back in. The new session will send the Cloud Service Username, which resolves the issue. The user may need to log out of more than one SaaS, or even clear the browser cache, which also results in a fresh login for the SaaS.
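To find which users still need that logout and login, the following added example (not Broadcom code) scans an exported event list for entries with an empty Cloud Service Username and reports whether the connectivity method changed for that user and service. The CSV column names and the sample rows are constructed for this example and are assumptions, not the CloudSOC export schema.

```python
import csv
import io

# Constructed sample export. Column names are assumptions for this example,
# not the real CloudSOC Investigate export schema.
SAMPLE_EVENTS = """\
timestamp,cloudsoc_user,service,connectivity,cloud_service_username
2024-01-10T09:00:00,alice@corp.example,Box,Reach Agent,alice@saas.example
2024-01-10T09:30:00,alice@corp.example,Box,WSS Agent,
2024-01-10T09:45:00,alice@corp.example,Box,WSS Agent,
2024-01-10T10:00:00,bob@corp.example,Box,WSS Agent,bob@saas.example
2024-01-10T10:20:00,bob@corp.example,Box,WSS Agent,bob@saas.example
2024-01-10T11:00:00,carol@corp.example,Dropbox,Elastica SSO,carol@saas.example
2024-01-10T11:15:00,carol@corp.example,Dropbox,WSS Proxy Forwarding,
2024-01-10T12:00:00,carol@corp.example,Dropbox,WSS Proxy Forwarding,carol@saas.example
"""


def find_affected(csv_text):
    """Return {(user, service): {"missing", "switched", "open"}} for every
    user/service pair with at least one event lacking the SaaS username."""
    # ISO 8601 timestamps sort correctly as plain strings.
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["timestamp"])
    last_method = {}
    report = {}
    for r in rows:
        key = (r["cloudsoc_user"], r["service"])
        entry = report.setdefault(
            key, {"missing": 0, "switched": False, "open": False})
        prev = last_method.get(key)
        if prev is not None and prev != r["connectivity"]:
            entry["switched"] = True   # connectivity method changed mid-stream
        last_method[key] = r["connectivity"]
        has_name = bool(r["cloud_service_username"].strip())
        if not has_name:
            entry["missing"] += 1
        # "open" reflects the most recent event: still missing means the user
        # has not yet produced a fresh SaaS login (or been replicated).
        entry["open"] = not has_name
    return {k: v for k, v in report.items() if v["missing"]}


if __name__ == "__main__":
    for (user, service), info in find_affected(SAMPLE_EVENTS).items():
        status = "needs re-login" if info["open"] else "resolved"
        print(f"{user} / {service}: {info['missing']} events without SaaS "
              f"username, method switched={info['switched']}, {status}")
```

Pairs reported as open are the ones where a policy keyed on internal or external account type may not be enforcing until the user logs in again or the replication runs.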

This issue may be minimized by:

  • Reducing the duration a SaaS session is active.
  • Reducing the number of policies that are triggered based on the Cloud Service Username.
  • Reducing conditions where the connectivity method changes while the SaaS session is active.
  • Considering a browser session cookie reset during the WSS Agent installation if you find this issue is common after moving to the WSS Agent. The procedure could be applied before the computer restarts during the WSS Agent install.