Solved

Omit specific account from Real-Time Protection/Threat Protection policy

  • 25 January 2023


Hi all,

Wanted to get your thoughts on how to best approach something. We have a specific user account that's leveraged for internal pen testing. As expected, there are Real-time Protection Policies that fire off alerts for this account's activity when active.

We've had a request to see if it's possible to filter this account out of either the policies or the alerts. Is there currently a way to omit a given account from a specific policy or alert (triggering)?


Best answer by myee 25 January 2023, 23:56


2 replies


On the alerts side, you could exclude it from SkopeIt and Analytics by explicitly excluding it via the search condition.

That could then be saved and set as a Shared Search.

But that wouldn't exclude it from showing in pre-built reports and dashboards (such as the home page).

To prevent the Alert from firing at all, I would clone the rule(s) that generate the alert and place the new rule immediately ahead of the cloned rule. Then I would add a source constraint of your pentest user and change the action to Allow.


Netskope has the ability to exclude by source user or group in a real-time policy. If you don't have this feature enabled in your tenant, reach out to your account team for help. Example shown below where a real-time policy is configured to apply to all users with an exclusion for the pen tester account.
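Both replies rely on how a first-match policy engine evaluates rules, which is easy to get wrong in practice: the cloned Allow rule only works if it sits ahead of the alerting rule it was cloned from, and a user exclusion on the original rule achieves the same result without a second rule. The following Python is an added illustration of that evaluation logic, not Netskope's code or API; the rule names, the `pentest.svc@example.com` account and the events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    """One real-time policy rule; a constraint of None means 'any'."""
    name: str
    action: str                                  # "Allow" or "Alert"
    source_users: Optional[Set[str]] = None      # apply only to these users
    excluded_users: Optional[Set[str]] = None    # apply to everyone except these
    activities: Optional[Set[str]] = None        # apply only to these activities

    def matches(self, event: dict) -> bool:
        user, activity = event["user"], event["activity"]
        if self.source_users is not None and user not in self.source_users:
            return False
        if self.excluded_users is not None and user in self.excluded_users:
            return False
        if self.activities is not None and activity not in self.activities:
            return False
        return True


def evaluate(rules: list, event: dict) -> tuple:
    """First-match evaluation: the first rule whose constraints fit decides.
    Returns (rule name, action) so exemption hits can still be reported on."""
    for rule in rules:
        if rule.matches(event):
            return rule.name, rule.action
    return "default", "Allow"


# Constructed rules: the existing alerting rule and a clone scoped to the
# hypothetical pentest account with its action switched to Allow.
ALERT_RULE = Rule("Upload-to-Unsanctioned-App", "Alert", activities={"Upload"})
EXEMPT_RULE = Rule("Pentest-Exempt-Upload", "Allow",
                   source_users={"pentest.svc@example.com"}, activities={"Upload"})

# Constructed events: one from the pentest account, one from ordinary staff.
PENTEST_UPLOAD = {"user": "pentest.svc@example.com", "activity": "Upload"}
STAFF_UPLOAD = {"user": "alice@example.com", "activity": "Upload"}


def compare_orderings() -> dict:
    """Clone-and-Allow approach from the first reply, in both possible orders."""
    ahead = [EXEMPT_RULE, ALERT_RULE]    # clone placed immediately ahead
    behind = [ALERT_RULE, EXEMPT_RULE]   # clone placed after: never reached
    return {
        "ahead_pentest": evaluate(ahead, PENTEST_UPLOAD),
        "ahead_staff": evaluate(ahead, STAFF_UPLOAD),
        "behind_pentest": evaluate(behind, PENTEST_UPLOAD),
        "behind_staff": evaluate(behind, STAFF_UPLOAD),
    }


def exclusion_example() -> dict:
    """Single-rule approach from the second reply: all users except one."""
    rule = Rule("Upload-to-Unsanctioned-App", "Alert",
                excluded_users={"pentest.svc@example.com"}, activities={"Upload"})
    return {
        "pentest": evaluate([rule], PENTEST_UPLOAD),
        "staff": evaluate([rule], STAFF_UPLOAD),
    }


if __name__ == "__main__":
    for label, result in {**compare_orderings(), **exclusion_example()}.items():
        print(f"{label:15s} -> {result}")
```

Running the block shows the pentest upload landing on the Allow clone only when it is ordered ahead; placed behind, the original rule still alerts. Because `evaluate` returns the matching rule's name, hits on the exemption rule remain reportable, so the pentest account's activity is routed away from the alert queue rather than lost from the record entirely.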
