CAS Remediation

%3CLINGO-SUB%20id%3D%22lingo-sub-125458%22%20slang%3D%22en-US%22%3ECAS%20Remediation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-125458%22%20slang%3D%22en-US%22%3E%3CP%3ECurrently%20using%20CAS%20to%20scan%20SharePoint%20Online%20for%20any%20documents%20that%20contain%20sensitive%20data%2C%20and%20the%20product%20seems%20to%20do%20a%20fine%20job%20of%20detection.%26nbsp%3B%20%26nbsp%3BBut%20it%20seems%20to%20be%20lacking%20in%20tools%20or%20process%20for%20remediation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EScenario%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3ECAS%20detects%20document%20in%20specific%20SharePoint%20online%20site%20that%20contains%20sensitive%20data%20and%20throws%20an%20alert%20that%20provides%20details%20on%20the%20document%20and%20the%20owner%20of%20the%20document.%3C%2FLI%3E%3CLI%3EOwner%20of%20the%20document%20is%20contacted%20and%20the%20document%20is%20removed%20from%20the%20site.%20(Re-mediated)%3C%2FLI%3E%3CLI%3EDocument%20continues%20to%20show%20up%20in%20alerts%20unless%20manually%20dismissed%20or%20resolved%20within%20CAS.%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWhen%20manually%20resolving%20the%20options%20do%20not%20seem%20very%20intuitive%20or%20productive.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3E%3CP%3E%3CSTRONG%3EDismiss%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EIf%20the%20alert%20was%20a%20false%20positive%2C%20dismiss%20it.%20You%20can%20optionally%20add%20a%20comment%20explaining%20why%20you%20dismissed%20it.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%20class%3D%22x-hidden-focus%22%3E%3CSTRONG%3EResolve%20alert%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EIf%20the%20alert%20was%20triggered%20by%20an%20activity%20that%20you%20know%20isn't%20a%20threat%2C%20resolve%20it.%20You%20can%20optionally%20add%20a%20comment%20explaining%20why%20you%20resolved%20it.%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3EIs%20there%20a%20way%20for%20the%20detected%20document%20to%20fall%20out%20of%20Alerts%20once%20it%20has%20been%20removed%3F%26nbsp%3B%20Or%20are%20there%20features%20coming%26nbsp%3B%20that%20will%20allow%20this%20or%20at%20least%20allow%20the%20generation%20of%20a%20custom%20report%20that%20will%20state%20the%20document%20has%20been%20removed%2Fre-mediated%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-125458%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-127188%22%20slang%3D%22en-US%22%3ERe%3A%20CAS%20Remediation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-127188%22%20slang%3D%22en-US%22%3EDima%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThank%20you%20for%20your%20response.%20I%20appreciate%20the%20work%20around%20to%20my%20questions.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-126059%22%20slang%3D%22en-US%22%3ERe%3A%20CAS%20Remediation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-126059%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Scott%2C%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20feedback.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAll%20alerts%20are%20generated%20at%20the%20specific%20point%20of%20time%20where%20a%20policy%20match%20was%20detected%20and%20aren%E2%80%99t%20edited%20later%20(after%20a%20file%20was%20remediated%20for%20example)%20in%20order%20to%20provide%20an%20investigation%20timeline%20and%20let%20you%20control%20the%20process.%3C%2FP%3E%0A%3CP%3EWhat%20you%20%3CSTRONG%3Ecan%3C%2FSTRONG%3E%20do%20is%20use%20the%20%E2%80%9CMatched%20Policy%E2%80%9D%20filter%20on%20the%20Files%20page%20in%20order%20to%20see%20a%20real-time%20status%20of%20your%20files.%20When%20using%20this%20filter%20you%20will%20only%20see%20the%20files%20which%20trigger%20the%20policy%20in%20the%20present%20and%20not%20the%20ones%20that%20were%20already%20remediated%2C%20thus%20getting%20an%20up-to-date%20status%20of%20what%20still%20needs%20to%20be%20resolved.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20%E2%80%9CResolve%E2%80%9D%20action%20on%20alerts%20is%20supposed%20to%20be%20taken%20after%20you%20finish%20solving%20the%20issue%20it%20reported%2C%20so%20I%20would%20suggest%20%E2%80%9Cdismissing%E2%80%9D%20the%20alerts%20you%20identify%20as%20false%2Fpositive%20or%20non-threat%20and%20%E2%80%9Cresolving%E2%80%9D%20the%20ones%20you%20took%20action%20on.%20Both%20of%20these%20actions%20can%20be%20also%20done%20in%20bulk%20by%20selecting%20the%20checkbox%20next%20to%20the%20alerts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMore%20info%20regarding%20alerts%20actions%20can%20be%20found%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fmanaging-alerts%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fmanaging-alerts%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDoes%20this%20answer%20your%20question%3F%20Feel%20free%20to%20expand%20if%20not.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%2C%3C%2FP%3E%0A%3CP%3EDima.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Currently using CAS to scan SharePoint Online for any documents that contain sensitive data, and the product seems to do a fine job of detection.   But it seems to be lacking in tools or process for remediation.

 

Scenario: 

 

  • CAS detects document in specific SharePoint online site that contains sensitive data and throws an alert that provides details on the document and the owner of the document.
  • Owner of the document is contacted and the document is removed from the site. (Re-mediated)
  • Document continues to show up in alerts unless manually dismissed or resolved within CAS.

When manually resolving the options do not seem very intuitive or productive.

 

  • Dismiss If the alert was a false positive, dismiss it. You can optionally add a comment explaining why you dismissed it.

  • Resolve alert If the alert was triggered by an activity that you know isn't a threat, resolve it. You can optionally add a comment explaining why you resolved it.

Is there a way for the detected document to fall out of Alerts once it has been removed?  Or are there features coming  that will allow this or at least allow the generation of a custom report that will state the document has been removed/re-mediated?

 

2 Replies
Highlighted

Hello Scott,

Thanks for your feedback.

 

All alerts are generated at the specific point of time where a policy match was detected and aren’t edited later (after a file was remediated for example) in order to provide an investigation timeline and let you control the process.

What you can do is use the “Matched Policy” filter on the Files page in order to see a real-time status of your files. When using this filter you will only see the files which trigger the policy in the present and not the ones that were already remediated, thus getting an up-to-date status of what still needs to be resolved.

 

The “Resolve” action on alerts is supposed to be taken after you finish solving the issue it reported, so I would suggest “dismissing” the alerts you identify as false/positive or non-threat and “resolving” the ones you took action on. Both of these actions can be also done in bulk by selecting the checkbox next to the alerts.

 

More info regarding alerts actions can be found here:

https://docs.microsoft.com/en-us/cloud-app-security/managing-alerts

 

Does this answer your question? Feel free to expand if not.

 

Regards,

Dima.

Highlighted
Dima,

Thank you for your response. I appreciate the work around to my questions.