When you connect apps using API connectors, Cloud App Security enables you to import user groups, for example from Office 365 and Azure Active Directory. There are two types of user groups:
Automatic groups are created by default by Cloud App Security. For example, there is an automatic user group called External which combines all users from all apps who are external to your organization and have access to files or were in user activities in your tenant. The following automatic groups exist in Cloud App Security:
- Dropbox administrator
- Office 365 administrator
- G Suite administrator
- Box administrator
- All Salesforce standard and custom profiles, for example, Salesforce System Administrator. See the full list here.
You can import any group from your connected apps. For example, you can import user groups from Office 365 (Active Directory) and other connected apps. This enables you to look for threats in your org, not by looking at the whole org or at a specific user, but by looking at a specific group.
Typical scenarios that leverage imported user groups include: you can investigate which docs the HR people look at, or you can check if there's something unusual happening in the executive group, or if someone from the admin group performed an activity outside the US. To import user groups:
- In the menu bar, click the settings icon and select User groups.
Click Import user group.
Select the app from which to import the user group. The list of apps will depend on which App Connectors you deployed.
- Select the group to import. The list of available groups will be a list of all the existing user groups in the app itself. If you want to add a new group, you have to do it directly in the app itself, and then when it appears here, select it.
- Depending on the size of the group, import can take up to an hour. You can select the option to be notified by email when the import process is complete.
- Click Import. After you import a group, Cloud App Security automatically syncs the group members, just like Active Directory Connect.
- After the import is complete, from the User groups page you can click on a specific group to view a list of all the members of the group. You can also click on any member of the group to further drill down into the details of a specific account and view which apps they use and a summary of the account including graphs of the user and their activity.
Importing groups enables you to select those groups as filters when investigating in the Activity log and when creating policies.
Only activities performed after importing a user group will be tagged as having been performed by a member of the user group.
For more information on using the User group filters, see Activities.