Assess New Incidents on Data Security


Learn how to assess new incidents on Data Security.
Data Security compiles a summary of incidents for you to view, assess, and address with further investigation or closure. The SaaS Security web interface displays all the relevant information you need to assess the incident and understand the service’s decision to create the incident. After the initial discovery and remediation process, the same incidents don't display again.
Data Security compares all information it discovers against the enabled data patterns and active policy rules, then identifies all violations and exposures for every asset across all cloud apps. Finally, SaaS Security does the following:
  • Assigns a unique numeric Incident ID, which associates the asset with the rule violation.
  • Displays match results for the specific rules that the sensitive content violated when the rule defines data patterns instead of data profiles.
  • Sorts incidents by Severity so you can assess them efficiently.
Support for automated remediation capabilities varies by SaaS application.
  1. From the Dashboard, view the summary of the Incident By Status, which displays:
    • Open—Number of open violations.
    • Resolved—Number of closed incidents.
  2. From the Dashboard, select either View All Open Incidents from the Open Incidents by Severity section or View all Incidents from the Incidents by Status section.
    This opens the Data Security Incidents page.
    1. Narrow your search results further to pinpoint risks.
      • Type keywords to search for an asset name or owner.
      • Sort a column in ascending or descending order.
      • Use the built-in filters to see different views.
      • Export the incidents to a CSV file.
  3. Get more information about specific incidents.
    1. Click Data Asset Name to display summary data and match results for the specific rules that were violated.
      These match results operate on rules that define data patterns only—not data profiles. Therefore, Incident Details don't yet display match results for predefined rules, which use data profiles by default.
    2. View Snippets (this option is available only if you have Write access).
    3. Navigate By Confidence Level to filter through the match results, starting with High Confidence.
    4. Observe Asset Details.
    5. Get a better understanding of the data behind the incident. In Actions, depending on the asset type and cloud app:
      • Open File
      • Download File
      • Admin Quarantine
      • User Quarantine
      • Change Sharing
  4. Address the incidents.
    After you understand the incidents and the context around them, you can start to address them. If you have several incidents to resolve, you can configure Automatic Incident Remediation Options for most of the cloud apps. There are several ways to remediate an incident: