What is Application Control via API with Audit Activities?

Audit Activities enables out-of-band visibility into actions taken in SaaS applications via direct API connections. This article provides an overview and background information about API-based CASB to monitor traffic to sanctioned SaaS cloud applications.

Overview

Users have become increasingly dependent on a wide range of SaaS applications to complete their daily tasks. Siloed departments may use these applications without them being vetted. This creates a risk: security teams are unaware of what applications are being used and what data they are processing, and they have no single location to monitor application usage.

The API-Based solution provides you with out-of-band visibility of all activity made by any user in a connected SaaS application. You still have visibility even if a user is not connected to the Cato Cloud, or TLS inspection is disabled.

For example, you can view a user changing their permissions. To ensure you understand the nuances of each application, activities are automatically categorized into predefined Activity Categories. After an activity is performed, an event is created and summarized in the Cloud Activities Dashboard. This provides you with complete visibility of activities on applications in one place.

A CASB license is required for Application Control via API with Audit Activities. This license also includes app and data control. For more about purchasing a CASB license, please contact your Cato representative.

Use cases

These are two use cases of how Application Control via API with Audit Activities can provide visibility of suspicious activity in a SaaS application.

Suspicious Downloads

A contractor on an unmanaged device downloads 10MB of Salesforce reports with customer personal data each week. In one day the contractor downloads 5GB of customer personal data. From reviewing the Cloud Activities Dashboard, the security team can identify this behavioral anomaly and analyze if it is suspicious.

Employee Offboarding

A developer that uses their own device is leaving company ABC. They have access to a SharePoint with presentations containing sensitive intellectual property. On the Events page, the security team can filter for the SharePoint activities taken by the developer to ensure they did not download the intellectual property before leaving the company.

Supported Applications

These are the supported applications:

  • Atlassian

  • Microsoft Exchange Online

  • Microsoft SharePoint and OneDrive for Business

  • Salesforce

  • Zendesk

  • Egnyte

Understanding Unified CASB

Application Control via API with Audit Activities is part of the Cato Unified CASB solution. Unified CASB provides you with a comprehensive solution for monitoring and controlling user activities in SaaS applications across your account.

The inline solution helps users safely access and use sanctioned and shadow cloud applications and lets you enforce a corporate policy that minimizes security incidents and compliance violations. The inline solution requires users to be connected to the Cato Cloud and TLS inspection to be enabled.

Audit Activities provides out-of-band visibility of all user activities, including those of unmanaged users (contractors) that access corporate SaaS applications. This functionality does not require users to be connected to the Cato Cloud or TLS inspection.

For total visibility of sanctioned and unsanctioned applications and managed and unmanaged users, we recommend using the inline and API solutions together.

Events generated from the inline and out-of-band solutions are visible from the Cloud Activity Dashboard and the Events page. This enables you to monitor all application activities in one location, without needing to switch between different consoles.

Understanding Activity Categories

Different SaaS applications use different terms to describe the same action. For example, accessing a report could be called Exporting, Downloading, or Fetching. This creates a challenge when trying to understand what actions users are taking.

With Activity Categories, Cato maps activities in a SaaS application into a general category. This lets you track, filter, and visualize SaaS application activity, without needing to understand detailed processes in each application.

Activity Categories are applied to activities monitored by your Application Control policy and apps integrated with Audit Activities. They are used as a field in the Application Security API Events and can be used in the Cloud Activities Dashboard to filter activities.

This ensures a unified solution across both API-based and inline modes.

The Activity Categories are:

| Activity Category | Example Actions |
|---|---|
| Admin Settings | User creation, Quarantine, Change permissions |
| API and Integration Execution | Automation, scripts via API |
| Communication & Collaboration | Chat, Video, Voice |
| Content Operations other | Upload, Download, Move |
| Delete | Deleting data |
| Download | Downloading a report |
| Execution | Automation, scripts |
| Failed Login | Failed login |
| Login other | Login, Logout |
| Move | Moving the location of a report |
| Search and View | View report |
| Share | Sharing via link |
| Upload | Uploading data |
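
The category mapping above and the Suspicious Downloads use case, combined in an added example (not Cato code and not the Cato event schema): application-specific action names are normalized to the Download category, then each user's daily download volume is compared with the median of their own earlier download days. The record fields (`user`, `app`, `action`, `bytes`, `day`), the `ACTION_TO_CATEGORY` map, and the 20x threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

# Hypothetical mapping of app-specific action names to Activity Categories;
# the names on the left are assumptions, not any vendor's real schema.
ACTION_TO_CATEGORY = {
    "exporting": "Download", "downloading": "Download", "fetching": "Download",
    "sharing via link": "Share", "view report": "Search and View",
}

def categorize(action):
    """Return the Activity Category for an action name, or None if unmapped."""
    return ACTION_TO_CATEGORY.get(action.strip().lower())

def daily_download_bytes(events):
    """Sum bytes per (user, day) for events that normalize to Download."""
    totals = defaultdict(int)
    for e in events:
        if categorize(e["action"]) == "Download":
            totals[(e["user"], e["day"])] += e["bytes"]
    return totals

def flag_download_spikes(events, factor=20, min_history=3):
    """Return (user, day, bytes, baseline) for days above factor x the user's earlier median."""
    per_user = defaultdict(list)
    for (user, day), total in sorted(daily_download_bytes(events).items()):
        per_user[user].append((day, total))  # ISO dates sort chronologically
    alerts = []
    for user, days in per_user.items():
        for i, (day, total) in enumerate(days):
            history = [t for _, t in days[:i]]
            if len(history) < min_history:
                continue  # too little baseline to judge this day
            baseline = median(history)
            if total > factor * baseline:
                alerts.append((user, day, total, baseline))
    return alerts

MB, GB = 10**6, 10**9
# Constructed sample: ~10 MB weekly Salesforce downloads, then 5 GB in one day.
SAMPLE_EVENTS = [
    {"user": "contractor1", "app": "Salesforce", "action": a, "bytes": b, "day": d}
    for a, b, d in [
        ("Exporting", 10 * MB, "2024-01-01"), ("Downloading", 9 * MB, "2024-01-08"),
        ("Fetching", 11 * MB, "2024-01-15"), ("Exporting", 10 * MB, "2024-01-22"),
        ("View report", 50 * MB, "2024-01-22"),  # not a Download; ignored
        ("Fetching", 3 * GB, "2024-01-30"), ("Exporting", 2 * GB, "2024-01-30"),
    ]
]
```

Calling `flag_download_spikes(SAMPLE_EVENTS)` flags only the 5 GB day, because the three differently named actions all count toward the same Download total.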

Configuring Application Control via API with Audit Activities

Follow these steps to configure Audit Activities:

  1. Configure the integration within the SaaS application

  2. Create the API connector in the CMA

Step 1: Configuring the Integration within the SaaS Application

To provide Audit Activities with visibility of data, set up an integration with the required application. See the configuration article for each application for more information:

Step 2: Create the API Connector in the CMA

After you have set up an integration with the required application, add the details in the CMA.

To create the API connector in the CMA:

  1. From the navigation menu, click Resources > Integrations.

  2. Click the Integrated APIs tab.

  3. Click New.

    The New Integration panel opens.

  4. Select the SaaS application you want to add.

  5. In the Capability drop-down list, select Audit Activities.

  6. Add the details created during step one.

  7. Click Save.
