
Hi all,

Wanted to get your thoughts on how to best approach something. We have a specific user account that's leveraged for internal pen testing. As expected, there are Real-time Protection Policies that fire off alerts for this account's activity when active.

 

We've had a request to see if it's possible to filter this account out of either the policies or the alerts. Is there currently a way to omit a given account from a specific policy or alert (triggering)? 

On the alerts side, you could exclude it from SkopeIt and Analytics by explicitly excluding it via the search condition.

That could then be saved and set as a Shared Search.

But that wouldn't exclude it from showing in pre-built reports and dashboards (such as the home page).

To prevent the Alert from firing at all, I would clone the rule(s) that generate the alert and place the new rule immediately ahead of the cloned rule. Then I would add a source constraint of your pentest user and change the action to Allow.

 


Netskope has the ability to exclude by source user or group in a real-time policy. If you don't have this feature enabled in your tenant, reach out to your account team for help. Example shown below where a real-time policy is configured to apply to all users with an exclusion for the pen tester account.

