Shadow IT events detection
A new factory default event handler is available to detect shadow IT events. These events include:
- High-risk unsanctioned cloud applications
- Unsanctioned users
- File exfiltration
To detect these events, FortiAnalyzer must be connected to FortiCASB through the FortiCASB connector and must be running the Get Cloud Service Data (FortiCasb Connector) playbook. FortiAnalyzer applies the metadata of sanctioned applications and sensitive files (retrieved through the connector) to the incoming application control logs. Events are generated when these application control logs meet the filter criteria of the Default-Shadow-IT-Events event handler.
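The matching described above can be pictured as a small rule set applied to each application control log record. The following is an added illustrative example, not FortiAnalyzer's or the Default-Shadow-IT-Events handler's own code: the field names, the risk scale, the threshold, the metadata sets and the log records are all constructed here, and the real handler's filter criteria are not shown on this page. It demonstrates how sanctioned-application, sanctioned-user and sensitive-file metadata can yield the three event types listed above.

```python
"""Illustrative model of shadow IT event matching (constructed example,
not FortiAnalyzer code). Sanctioned-application and sensitive-file
metadata is applied to application control log records, raising one
event per matching rule."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed metadata, standing in for what a FortiCASB connector
# would supply. Field names and the 1-5 risk scale are assumptions.
SANCTIONED_APPS: Set[str] = {"corp-drive", "corp-mail"}
SANCTIONED_USERS: Dict[str, Set[str]] = {
    "corp-drive": {"alice", "bob"},
    "corp-mail": {"alice", "bob", "carol"},
}
SENSITIVE_FILES: Set[str] = {"q3-forecast.xlsx", "customer-list.csv"}
HIGH_RISK_THRESHOLD = 4  # assumed: apps rated 4 or 5 count as high-risk

# Constructed application control log records (not real FortiGate logs).
APP_CTRL_LOGS: List[dict] = [
    {"user": "alice", "app": "corp-drive", "risk": 1, "action": "upload",   "file": "notes.txt"},
    {"user": "dave",  "app": "corp-drive", "risk": 1, "action": "download", "file": ""},
    {"user": "bob",   "app": "freeshare",  "risk": 5, "action": "browse",   "file": ""},
    {"user": "carol", "app": "freeshare",  "risk": 5, "action": "upload",   "file": "q3-forecast.xlsx"},
    {"user": "alice", "app": "pastebox",   "risk": 2, "action": "upload",   "file": "readme.md"},
]


@dataclass
class Event:
    kind: str
    user: str
    app: str
    detail: str = ""


def evaluate(record: dict) -> List[Event]:
    """Return the shadow IT events raised by a single log record."""
    events: List[Event] = []
    user, app = record["user"], record["app"]
    sanctioned = app in SANCTIONED_APPS

    # Rule 1: high-risk unsanctioned cloud application.
    if not sanctioned and record["risk"] >= HIGH_RISK_THRESHOLD:
        events.append(Event("high-risk-unsanctioned-app", user, app,
                            f"risk={record['risk']}"))

    # Rule 2: a user who is not on the sanctioned list for a sanctioned app.
    if sanctioned and user not in SANCTIONED_USERS.get(app, set()):
        events.append(Event("unsanctioned-user", user, app))

    # Rule 3: file exfiltration, a sensitive file uploaded to an unsanctioned app.
    if (not sanctioned and record["action"] == "upload"
            and record["file"] in SENSITIVE_FILES):
        events.append(Event("file-exfiltration", user, app, record["file"]))

    return events


def detect(records: List[dict]) -> List[Event]:
    """Apply the rules to every record, in log order."""
    events: List[Event] = []
    for record in records:
        events.extend(evaluate(record))
    return events


def summarize(events: List[Event]) -> Dict[str, int]:
    """Count events per kind, the view an analyst would filter on."""
    counts: Dict[str, int] = {}
    for event in events:
        counts[event.kind] = counts.get(event.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(APP_CTRL_LOGS)
    for event in found:
        print(event)
    print(summarize(found))
```

Note that a single record can raise more than one event (the `carol` upload is both a high-risk unsanctioned application and a file exfiltration), and that the unsanctioned-user rule only fires for sanctioned applications; a user on an unsanctioned application is covered by the high-risk rule, not reported twice.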
To enable the shadow IT event handler:
- Go to FortiSoC > Handlers > Event Handler List.
You can double-click the Default-Shadow-IT-Events event handler to view its filters.
- Select the checkbox for Default-Shadow-IT-Events.
- From the More dropdown, click Enable.
To get cloud service data from the FortiCASB connector:
- Go to Fabric View > Connectors.
- Confirm there is an enabled FortiCASB Connector.
If there is not an enabled FortiCASB Connector, click Create New and choose FortiCASB under the Security Fabric category. Configure the FortiCASB connector settings, and click OK.
- Go to FortiSoC > Automation > Playbook.
- Confirm the Get Cloud Service Data (FortiCasb Connector) playbook is Enabled.
This playbook is automatically created when you configure a FortiCASB connector in FortiAnalyzer.
- Double-click the Get Cloud Service Data (FortiCasb Connector) playbook to view its configuration.
This playbook must get cloud service data through the FortiCASB connector for the Default-Shadow-IT-Events event handler to generate events.
To view events generated by the shadow IT event handler:
- Go to FortiSoC > Event Monitor > All Events.
- Filter by Handler = Default-Shadow-IT-Events.