Mail ID for an internal user is showing blank under Protect > Policies > Alerts

Article ID: 227261

Products

CASB Security Advanced, CASB Gateway, CASB Securlet SAAS

Issue/Introduction

Under Protect > Policies > Alerts you see a blank mail ID for an internal user. 

Cause

The `Log Obfuscation for External Accounts` setting is enabled, and it is working as designed.

Environment

Component: CASB

Resolution

In CloudSOC Investigate logs/Policy Alerts, there are 2 user fields:

  1. 'CloudSOC User': the authenticated user passed by WSS.
  2. 'CloudService User': the user ID used to log into the SaaS app from the browser or thick client, unrelated to the user logged in on the machine.

The question of whether an activity is external arises ONLY if the 'CloudService User' is different from the 'CloudSOC User'. If the 'CloudService User' is not in the Users table in CloudSOC (even if it is part of the primary/secondary domain for the tenant), it is treated as external. This distinction allows customers to have the same domain across tenants and have independent policies in those tenants. For example, '[email protected]' could be a valid user in the `example1` tenant, but if Google Drive is accessed as '[email protected]' from a machine belonging to '[email protected]' (who is part of the `example2` tenant), that access is treated as external, because userA is not part of the `example2` tenant in CloudSOC. For userA to be treated as internal in the `example2` tenant, it must be in the Users table in that tenant.

The `Log Obfuscation for External Accounts` feature covers the use case where, for legal reasons, no tenant admin should see any PII for monitored external accounts (policy enforcement still applies when appropriate).
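The classification rule and its effect on the alert view can be modelled for triage as follows. This is an added example, not CloudSOC code: the field names, the case-insensitive comparison, the assumption that the mail ID is shown when obfuscation is off, and all sample addresses are constructed for illustration.

```python
# Added illustration of the rule described in this article; not CloudSOC code.
# Field names and all sample data below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    cloudsoc_user: str       # authenticated user passed by WSS
    cloudservice_user: str   # ID used to log into the SaaS app


def _norm(user_id: str) -> str:
    # Assumption: IDs are compared case-insensitively, ignoring whitespace.
    return user_id.strip().lower()


def is_external(activity: Activity, users_table: set) -> bool:
    """External only if the SaaS login differs from the CloudSOC user
    AND that login is absent from the tenant's Users table."""
    service = _norm(activity.cloudservice_user)
    if service == _norm(activity.cloudsoc_user):
        return False
    return service not in {_norm(u) for u in users_table}


def explain(activity, users_table, tenant_domains, obfuscation_enabled):
    """Return a triage verdict for one alert row."""
    if not is_external(activity, users_table):
        return "internal: mail ID shown"
    domain = _norm(activity.cloudservice_user).rpartition("@")[2]
    reason = "external"
    if domain in tenant_domains:
        # The case in this article: tenant domain, but not in Users table.
        reason += " (tenant domain, missing from Users table)"
    # Assumption: with obfuscation off, the mail ID is displayed.
    shown = "mail ID blank" if obfuscation_enabled else "mail ID shown"
    return f"{reason}: {shown}"


# Constructed tenant state: userB is provisioned, userA is not.
USERS_TABLE = {"userb@example.com"}
TENANT_DOMAINS = {"example.com"}
SAMPLE = Activity("userb@example.com", "usera@example.com")

if __name__ == "__main__":
    print(explain(SAMPLE, USERS_TABLE, TENANT_DOMAINS, True))
```
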

Refer:
Managing CloudSOC Gateway external account monitoring
Understanding CloudSOC user privacy features