Abstract: The technology disclosed enables metadata-based policy enforcement for requests that do not include metadata relevant to a policy. In a particular example, a method provides, in a network security system interposed between clients and a cloud application, receiving an incoming request from a client directed towards the cloud application. In response to determining that the incoming request lacks metadata for enforcement of a policy, the method includes transmitting a synthetic request to obtain the metadata from the cloud application and receiving a response to the synthetic request. The response provides the metadata. The method further includes applying the policy to the incoming request based on the metadata.

Abstract: The technology disclosed describes a network security system that is configured to configure a synthetic request with an object identifier, and to inject the synthetic request into an application session to transmit the synthetic request to a cloud application. The synthetic request is configured to retrieve object metadata about the object using the object identifier. The network security system is further configured to receive from the cloud application a response to the synthetic request. The response supplies the object metadata.

Abstract: The technology disclosed relates to using synthetic request injection to improve cloud object security posture management.

Abstract: The technology disclosed relates to application-specific data flow for synthetic request injection for cloud security enforcement. In particular, it relates to data flow logic configured to inject an incoming request directed to a cloud application in a processing path of a particular network security system.

Abstract: The technology disclosed enables metadata-based policy enforcement for requests that do not include metadata relevant to a policy. In a particular example, a method provides, in a network security system interposed between clients and a cloud application, receiving an incoming request from a client directed towards the cloud application. In response to determining that the incoming request lacks metadata for enforcement of a policy, the method includes transmitting a synthetic request to obtain the metadata from the cloud application and receiving a response to the synthetic request. The response provides the metadata. The method further includes applying the policy to the incoming request based on the metadata.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to generate a synthetic request, and inject the synthetic request into an application session to transmit the synthetic request to a cloud application and receive a response to the synthetic request from the cloud application.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to process an incoming request from a client and generate metadata. The network security system is further configured to transmit the incoming request to a cloud application. The network security system is further configured to configure the metadata to expire after an expiration window. The network security system is further configured to receive, after the expiration window, a further incoming request from the client. The further incoming request is directed towards the cloud application and subject to policy enforcement that requires the expired metadata. The network security system is further configured to hold the further incoming request and transmit a synthetic request to the cloud application. The synthetic request is configured to retrieve the expired metadata from the cloud application.

Abstract: The technology disclosed relates to using synthetic request injection to improve cloud object security posture management.

Abstract: The technology disclosed describes a network security system that is configured to configure a synthetic request with an object identifier, and to inject the synthetic request into an application session to transmit the synthetic request to a cloud application. The synthetic request is configured to retrieve object metadata about the object using the object identifier. The network security system is further configured to receive from the cloud application a response to the synthetic request. The response supplies the object metadata.

Abstract: The technology disclosed relates to an inline proxy configured with synthetic request injection logic to intercept incoming requests during an application session, and generate, during the application session, synthetic requests that are separate from the incoming requests.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to generate a synthetic request, and inject the synthetic request into an application session to transmit the synthetic request to a cloud application and receive a response to the synthetic request from the cloud application.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to process an incoming request from a client and generate metadata. The network security system is further configured to transmit the incoming request to a cloud application. The network security system is further configured to configure the metadata to expire after an expiration window. The network security system is further configured to receive, after the expiration window, a further incoming request from the client. The further incoming request is directed towards the cloud application and subject to policy enforcement that requires the expired metadata. The network security system is further configured to hold the further incoming request and transmit a synthetic request to the cloud application. The synthetic request is configured to retrieve the expired metadata from the cloud application.

Abstract: The technology disclosed describes a system. The system comprises an edge network of a plurality of points of presence of a network security system. Points of presence in the plurality of points of presence are configured to intermediate traffic between clients and cloud applications and to use metadata to apply policies on the intermediated traffic. There are redundancies in metadata synchronization between the points of presence due to metadata migration to a second point of presence from a first point of presence handing off intermediation to the second point of presence within an application session. Each of the points of presence is configured with inline metadata generation logic. The inline metadata generation logic is configured to issue synthetic requests to provide the metadata to the second point of presence without requiring the metadata migration to the second point of presence.

Abstract: The technology disclosed relates to application-specific data flow for synthetic request injection for cloud security enforcement. In particular, it relates to data flow logic configured to inject an incoming request directed to a cloud application in a processing path of a particular network security system.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive one or more incoming requests towards a cloud application from a client during an application session, inject one or more synthetic requests into the application session to transmit the synthetic requests to the cloud application, and receive one or more responses to the synthetic requests from the cloud application. The synthetic requests are constructed using one or more parameters of the incoming requests, and do not transmit the incoming requests.

Abstract: The technology disclosed prevents phishing attacks where a malicious attacker creates a malicious file in a cloud-based store and shares it with endpoint users. A user, opening the shared document, is redirected to a malicious website where a corporation's critical data may be compromised. The cloud-based method applies a set of rules and policies to allow the shared document or block the shared document from the network, based on identifying the ownership or originator of the shared document. Documents from blacklisted websites are blocked. Documents from trusted sources are allowed access to the network. Unknown documents are blocked and threat-scanned to determine if they contain malicious content. If analysis proves a blocked document to be safe, it may be released into the network along with subsequent documents having the same ownership or originator.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive one or more incoming requests from a client during an application session, inject one or more synthetic requests into the application session independently of the incoming requests to transmit the synthetic requests to the cloud application, and receive one or more responses to the synthetic requests from the cloud application.

Abstract: The technology disclosed describes a computer-implemented method. The computer-implemented method includes disambiguating a bypassed login event that caused a client to access a cloud application but bypassed a network security system configured to intermediate traffic between the client and the cloud application. The network security system receives from the client an incoming request to access a resource on the cloud application over an application session. The bypassed login event preceded the incoming request. The network security system analyzes the incoming request and detects absence of instance metadata required to determine whether the bypassed login event emanated from a controlled account or an uncontrolled account. The network security system holds the incoming request, generates a synthetic request, and injects the synthetic request into the application session and transmits the synthetic request to the cloud application.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive, during an application session, an incoming request from a client. The incoming request is directed towards a cloud application and includes an object identifier of an object. The network security system is further configured to analyze the incoming request and detect the object identifier. The network security system is further configured to configure a synthetic request with the object identifier and inject the synthetic request into the application session to transmit the synthetic request to the cloud application. The synthetic request is configured to retrieve object metadata about the object using the object identifier. The network security system is further configured to receive a response to the synthetic request from the cloud application. The response supplies the object metadata.

Abstract: The technology disclosed describes a system. The system comprises data flow logic configured to inject an incoming request directed to a cloud application in a processing path of a particular network security system. The particular network security system is configured to use an application-specific parser to inspect certain fields and variables in the incoming request for metadata, determine that the metadata is missing, and use an application-specific template to construct a synthetic request. The data flow logic is further configured to inject the synthetic request and its corresponding response in the processing path of the particular network security system. The particular network security system is further configured to use the application-specific parser to extract the missing metadata from the corresponding response.