How to create a contextual attribute condition for REST (CASB) detection for a Gatelet that is not listed in the predefined list of Application Names
Article ID: 387388

Products

Data Loss Prevention Core Package, CASB Gateway Advanced, Data Loss Prevention Enforce, Data Loss Prevention Cloud Detection Service for REST

Issue/Introduction

When the DLP Enforce server is integrated with CASB (CloudSOC), the policies used for detection on data that the CASB tenant forwards to the Cloud Detection Service (CDS) for REST are managed from Enforce. The integration is enabled by enrolling an Enforce-managed CDS for REST with the Enforce server and adding the same CDS server to CASB using the REST token.

With the integration fully implemented, the Enforce server allows the Contextual Attributes condition type to be used in policies. Without the integration the option is not visible under Detection Rules.


Among other things, Contextual Attributes allow the Gatelet or Securlet to which the policy applies to be selected with the "Application Name" attribute.

Note that this list is not synchronized from CASB. It is a predefined list hard-coded into the DLP Enforce Console, and it may differ between DLP releases as more entries are added over time. The link below leads to the full list of Gatelets available for the condition in DLP 16.1:

Contextual Attribute Categories

Because the list of Gatelets in Enforce does not match one-to-one the Gatelets available in the CASB product, the Gatelet to which the policy should apply may be missing from the Application Name attribute. In that case, use the "Custom" option at the bottom of the list.

This article describes how to determine the correct Name value for the Custom Application Name attribute for a Gatelet of interest.

Resolution

For Gatelets, the Name field of the Custom Application Name attribute takes a value of the form "gatelet.name". In most cases the name matches the Gatelet's name in CASB converted to lowercase with any spaces removed: for example "gatelet.wetransfer" for the WeTransfer Gatelet, or "gatelet.googledrive" for the "Google Drive" Gatelet.


While the above method works in most situations, there is a more precise way to determine the correct value.

1. First, ensure that the CASB Gatelet of interest is enabled both in CASB and under Application Detection on the DLP side. This ensures that CASB steers the Gatelet's traffic to the CDS for REST for DLP detection.

2. Create a generic test policy that the Gatelet's traffic will match; a single unique keyword is enough.

3. Wait for the policy to be synchronized to the CDS for REST, which may take a couple of minutes.

4. Upload or download a file containing the unique keyword to or from the service the Gatelet covers.

5. Wait for an incident to be created on the DLP Enforce side. Once it is present, open the incident details.

6. Scroll to the bottom of the left pane of the incident and click the "Open Original Message" link. In DLP 16.1, which uses the modern incident snapshot view, the link is in the bottom section of the left pane; it is always located in that bottom section.

7. This downloads a file named "message.stream48" or similar. Despite the extension, the file is JSON.

8. Open the JSON file in a text editor of your choice and search for the term "common.application". You should find an entry similar to the one below. The snippet is indented here for readability; the downloaded file is not formatted this way.

       {
            "name": "common.application",
            "value": [
                "gatelet.wetransfer"
            ]
        },

9. The "value" attribute content for the "common.applicaton" node is the value to be used in the "Name" field of the Application Name Custom attribute to limit the policy to the specific Gatelet. In this example "gatelet.wetransfer" as visible in the below screenshot.