Real-time protection

  • 15 August 2023
  • 8 replies
  • 77 views

Badge +1

I have an instance where I have a block in place for an application but I do not want to receive alerts for it. Is there a way to keep the block but disable the alert?


8 replies

Userlevel 4
Badge +12

We would like this also - mainly for blocking DNS over HTTPS. 99% of all our alerts is blocks on this. It's annoying to filter this out.

Userlevel 5
Badge +16

💯
Was one of the first things I asked for when we converted out legacy policy. 
"Can we block without an alert?"   
Response at the time was along the lines of "Why would you ever want to do that?"
Is there an existing Enhancement Request we can pile-on?

Userlevel 2
Badge +9

You can change any policy to No Notification (Mute) the policy will still block, however there will be no block page/alert to the user. Also, you can save a query to then run and filter out alerts. At this time there is no feature that will allow you to not "log" a category or specific traffic within SkopeIT.

 

 

Badge +1

I think that we need to figure out how to raise this as a feature request because there are some blocks that are very noisy and most of them I personally don't care to review. But since we don't currently have the ability to not, a filter/query will have to do. Thank you all for your help.

Badge +14

You could also have something in the rule name, such as [Ignore] [filter out] and have a SkopeIT query to remove these from your default view.  

 

Userlevel 4
Badge +12

The issue with filtering stuff out of SkopeIT doesnt't really address the underlying data though. Think of all the reporting in AA and in third party integrations (SIEM, Cloud Exchange...etc) where you would also have to filter out. 

It would just be best if the option (even controlled GA) was given to perform xyz action without Alerting. I keep going back to blocking DNS over HTTPS. If a company accepts having to do that (which with netskope is pretty much a requirement) then there is no reason to have those blocks (hundreds of thousands a day for companies like mine) skew reporting.

Userlevel 5
Badge +16

That's really a band-aid to fix a flaw in native functionality.

Userlevel 5
Badge +16

That's just it.  I DO want it logged and blocked.   I just don't need it to be an alert which implies some action should be taken by the SOC.

To exemplify:
We are getting 20M alerts per week.

However, if I exclude the our three noisiest policy (DoH, Advertising/Analytics, and other default blocked categories) rules where we expect blocks we remove ~85% of those alerts.

Without the ability to block without alerting, every pre-built or community dashboard based around alerts needs to be tuned in AA.   along with needing to make similar filters and exclusions in every other reporting platform the org uses.

Reply