What are the effects of a vendor reauthorization in Cisco Cloudlock?
Customer licenses may lose complete or partial coverage by Cisco Cloudlock as a result of several possible changes in the customer's environment, including deprecation of integration user role permissions and revocation of Cloudlock access. Without full access to the customer's domain, Cisco Cloudlock may not be able to monitor the environment fully and effectively, so the platform must be reauthorized.
Once the initial issue is resolved and the vendor platform is reauthorized with Cloudlock, the customer may see a number of different impacts, varying by the amount of time the environment was not fully authorized.
These impacts include, but are not limited to:
- Influx of incidents (and subsequent response actions & notifications, as specified)
- Influx of app detection and action (per policy configurations)
- Event population in the Activities tab and Behavioral/Data Risk tabs
Influx of Incidents and Apps
When a platform license loses partial or full access to a domain due to authorization issues, Cisco Cloudlock is not able to complete all scans of the environment. When reauthorization occurs, the scans will pick back up from when they were last run. As a result, any files that are newly created or modified (based on Change IDs of users already within the monitoring scope) AND any apps newly authorized during the lapse in coverage will be queued up to be screened through the Policy Engine.
Please note that when an integration user has decreased permissions, the API calls that require Admin Access will not be able to update, which means the Org Profile will not be able to update until the appropriate permissions are established.
Event Population
In the case of UEBA activity, the UBA scan state must be advanced before the issue in the customer's environment is corrected. Otherwise, the system will take on a load of activities that can cause performance issues across the instance. Advancing the scan state moves forward the last point in time a scan was run, so the system has fewer change logs to sort through, pulls less total data, and carries a lighter load.