
Processing CASB Alerts

Audience: Security Operations and Data Protection teams.

Purpose: Review and process CASB alerts for data exposure incidents.


Overview

CASB alerts are triggered when users share sensitive data via cloud applications. This guide covers the alert review and triage process.


Accessing the Console

  1. Navigate to the CASB Analytics page
  2. Log in with your NETID-admin account

Reviewing Alerts

Step 1: Navigate to Explorations

  1. From the dashboard, click See all explorations
  2. Select WeeklyPublicSharingAlerts

Activity Indicators

Dashes underneath "Activity" descriptions indicate the number of DLP rules triggered by the file action. These consolidate when alerts share the same status.

Step 2: Filter New Alerts

  1. Click the three dots (⋮) next to the STATUS dropdown
  2. Select Filter by New

Step 3: Review Individual Alert

  1. Click any dash under the file ACTIVITY
  2. Detail pane opens on the right

Step 4: Claim the Alert

  1. Change STATUS to In Progress
  2. Click under ASSIGNEE and select your name

Step 5: Review Triggered Rules

  1. Scroll to bottom of detail pane
  2. Click + to expand rule details
  3. Review keywords that triggered the alert

Classification Decision

False Positive

If keywords don't represent sensitive data:

  • Change STATUS to False Positive
  • No further action needed

True Positive (Needs Review)

If keywords may represent sensitive data:

  • Change STATUS to On Hold
  • Open a ServiceNow ticket (see below)

Opening ServiceNow Ticket

Step 1: Access Form

Open the CASB Detection Form

Step 2: Gather Information

From the CASB detail pane, collect:

Form Field      Location in CASB
NetID           Details → User → expand
Email           Details → User → expand
File Name       Details → Website → expand
File URL        Details → Website → expand
Platform        Details → Website → expand
Detection Type  Rule name at top of detail pane

Step 3: Determine Detection Type

Rule References  Detection Type
HIPAA data       PHI
SSN              SSN
Credit Card      PCI

Step 4: Submit

  1. Complete all fields
  2. Click Submit
  3. Confirmation message displays with ticket number

Alert Workflow