Nov 08 2017 05:37 AM
Currently using CAS to scan SharePoint Online for any documents that contain sensitive data, and the product seems to do a fine job of detection. But it seems to be lacking in tools or process for remediation.
Scenario:
When manually resolving, the options do not seem very intuitive or productive.
Dismiss: If the alert was a false positive, dismiss it. You can optionally add a comment explaining why you dismissed it.
Resolve alert: If the alert was triggered by an activity that you know isn't a threat, resolve it. You can optionally add a comment explaining why you resolved it.
Is there a way for the detected document to fall out of Alerts once it has been removed? Or are there features coming that will allow this, or at least allow the generation of a custom report that will state the document has been removed/remediated?
Nov 09 2017 06:41 AM
Hello Scott,
Thanks for your feedback.
All alerts are generated at the specific point in time when a policy match was detected and aren't edited later (after a file was remediated, for example), in order to provide an investigation timeline and let you control the process.
What you can do is use the “Matched Policy” filter on the Files page in order to see a real-time status of your files. When using this filter you will only see the files which trigger the policy in the present and not the ones that were already remediated, thus getting an up-to-date status of what still needs to be resolved.
The “Resolve” action on alerts is supposed to be taken after you finish solving the issue it reported, so I would suggest “dismissing” the alerts you identify as false positives or non-threats and “resolving” the ones you took action on. Both of these actions can also be done in bulk by selecting the checkbox next to the alerts.
More info regarding alerts actions can be found here:
https://docs.microsoft.com/en-us/cloud-app-security/managing-alerts
Does this answer your question? Feel free to expand if not.
Regards,
Dima.
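The two-view approach in the answer above (alerts are a point-in-time record; the “Matched Policy” filter on the Files page is the live status) can be reconciled mechanically. The following Python script is an added example, not code from the original thread or from Cloud App Security: it joins a constructed export of alerts against a constructed snapshot of files that still match a policy, splits the alerts into “resolve in bulk”, “still open” and “already closed”, and builds the per-document remediation report the question asks for. The record shapes, policy names, file IDs and alert IDs are simplified assumptions for illustration and are not the product's real API schema; keying on (file, policy) rather than on file alone is deliberate, because a file can be fixed for one policy while still matching another.

```python
"""Reconcile point-in-time CAS alerts with the real-time matched-files view.

Added example with constructed data; the record shapes are simplified
assumptions, not the real Cloud App Security API schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    alert_id: str
    file_id: str
    file_name: str
    policy: str
    raised_at: datetime
    resolved: bool = False  # True if someone already pressed Resolve/Dismiss


# A file is tracked per policy: one file can match several policies.
MatchKey = Tuple[str, str]  # (file_id, policy)

# Constructed sample alerts (hypothetical IDs, names and policies).
ALERTS: List[Alert] = [
    Alert("a1", "f-100", "payroll.xlsx", "PII - SSN",
          datetime(2017, 11, 1, tzinfo=timezone.utc)),
    Alert("a2", "f-100", "payroll.xlsx", "PII - SSN",
          datetime(2017, 11, 3, tzinfo=timezone.utc)),  # same file re-detected
    Alert("a3", "f-200", "contract.docx", "PCI - Card numbers",
          datetime(2017, 11, 2, tzinfo=timezone.utc)),
    Alert("a4", "f-200", "contract.docx", "PII - SSN",
          datetime(2017, 11, 2, tzinfo=timezone.utc)),
    Alert("a5", "f-300", "notes.txt", "PII - SSN",
          datetime(2017, 10, 30, tzinfo=timezone.utc), resolved=True),
    Alert("a6", "f-400", "export.csv", "PCI - Card numbers",
          datetime(2017, 11, 5, tzinfo=timezone.utc)),
]

# Constructed snapshot of the Files page with the "Matched Policy" filter on:
# only files that trigger the policy right now appear here.
STILL_MATCHING: Set[MatchKey] = {
    ("f-200", "PCI - Card numbers"),  # card numbers remain; SSNs were removed
    ("f-400", "PCI - Card numbers"),
}


def _chronological(alerts: Iterable[Alert]) -> List[Alert]:
    # Stable order: detection time, then alert id, so output is reproducible.
    return sorted(alerts, key=lambda a: (a.raised_at, a.alert_id))


def reconcile(alerts: Iterable[Alert],
              still_matching: Set[MatchKey]) -> Dict[str, List[str]]:
    """Split alerts into bulk-action lists.

    resolve        - unresolved alerts whose file no longer matches the policy
    open           - unresolved alerts whose file still matches (needs work)
    already_closed - alerts somebody already resolved or dismissed
    """
    out: Dict[str, List[str]] = {"resolve": [], "open": [], "already_closed": []}
    for a in _chronological(alerts):
        if a.resolved:
            out["already_closed"].append(a.alert_id)
        elif (a.file_id, a.policy) in still_matching:
            out["open"].append(a.alert_id)
        else:
            out["resolve"].append(a.alert_id)
    return out


def remediation_report(alerts: Iterable[Alert],
                       still_matching: Set[MatchKey]) -> List[dict]:
    """One row per (file, policy): first detection, alert count, live status."""
    rows: Dict[MatchKey, dict] = {}
    for a in _chronological(alerts):
        key = (a.file_id, a.policy)
        row = rows.setdefault(key, {
            "file_id": a.file_id,
            "file_name": a.file_name,
            "policy": a.policy,
            "first_detected": a.raised_at.date().isoformat(),
            "alerts": 0,
        })
        row["alerts"] += 1
    for key, row in rows.items():
        row["status"] = "still matches" if key in still_matching else "remediated"
    return [rows[k] for k in sorted(rows)]


if __name__ == "__main__":
    actions = reconcile(ALERTS, STILL_MATCHING)
    for bucket, ids in actions.items():
        print(f"{bucket:15s} {', '.join(ids) or '-'}")
    print()
    for row in remediation_report(ALERTS, STILL_MATCHING):
        print(f"{row['file_name']:14s} {row['policy']:20s} "
              f"first={row['first_detected']} alerts={row['alerts']} "
              f"status={row['status']}")
```

The "resolve" list is what you would select and bulk-resolve in the alerts view (with a comment such as "file remediated"); the "open" list is the real work queue; the report rows are the "document has been removed/remediated" statement the question asked for, derived from the live filter rather than from the unchanging alert records.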
Nov 13 2017 06:08 AM