Netskope Global Technical Success (GTS)
DLP (workaround) - Alert on a POST activity with a long number of characters
Netskope Cloud Version - 128
Objective
Netskope can leverage Entities to alert on activities that contain a long number of characters.
Note: Keep in mind that this is a workaround and is not a DLP use case.
Prerequisite
A Netskope SWG and DLP license is required.
The Netskope Entity Modifier flag must be enabled.
Note: Create a "How To Questions" ticket in the support portal to request the flag enablement.
Context
In this knowledge base article, we'll explore Netskope's capabilities regarding DLP Entity Modifier control. We'll go through a use case to provide insights into its capabilities.
Do You Know?
Netskope’s Data Loss Prevention (DLP) engine uses advanced context- and content-aware detection to prevent sensitive data from leaking across cloud apps, web traffic, and private apps—all in real time?
With over 3,000 pre-defined data identifiers, file fingerprinting, exact data match (EDM), and ML-enhanced detection, Netskope DLP goes far beyond simple keyword or regex matching.
Use Case 1: Alert on a POST action with a long number of characters.
Step 1: Create a custom entity modifier, adding the following regex:
Path: Netskope UI >> Policies >> DLP >> Edit Rules >> Data loss prevention >> Entities >> New Entity
Copy the following regex: ^.{499,}$ then add an Entity Name and click Save.
Step 2: Create a DLP Rule with the entity created in step 1.
Path: Netskope UI >> Policies >> DLP >> Edit Rules >> New Rule
Select "Custom Entities" and choose the entity created in step 1.
Click Next until you reach "Severity Threshold", change the value for low severity to 1, and set "Take policy action at Low".
Click Next.
Add a rule name and click Save.
Step 3: Create a DLP Profile and add the rule created in step 2.
Path: Netskope UI >> Policies >> DLP >> New Profile
Click Next on the file profiles section (we are not going to use a file profile).
In the rule classification section, click on DLP Rule, filter by Custom, and select the rule created in step 2.
Click Next, add a profile name, and save it.
Step 4: Create an RTP rule with the DLP Profile created in step 3.
Path: Netskope UI >> Policies >> Real Time protection >> New Policy >> Cloud app access
Add a profile, select DLP, and choose the DLP Profile created in step 3.
Verification
Go to Incidents >> DLP.
Filter by the DLP profile used for this workaround.
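Added example (not part of the original article and not Netskope code): a local check of which POST bodies the Step 1 regex matches, useful for interpreting what does and does not show up under Incidents. Assumptions: the article does not state which regex flags the DLP engine applies, so Python's re module is used to compare three common modes; all sample bodies and function names are constructed for illustration.

```python
import re

# Regex copied from Step 1 of the article.
ENTITY_REGEX = r"^.{499,}$"

# Assumption: the page does not say which regex flags the DLP engine applies,
# so the pattern is evaluated under three common modes for comparison.
MODES = {
    "default": 0,
    "multiline": re.MULTILINE,
    "dotall": re.DOTALL,
}

def matches(body: str, flags: int = 0) -> bool:
    """Return True if the entity regex finds a match anywhere in body."""
    return re.search(ENTITY_REGEX, body, flags) is not None

def build_samples() -> dict:
    """Constructed POST bodies (not captured traffic) around the threshold."""
    return {
        "498_chars_one_line": "A" * 498,
        "499_chars_one_line": "A" * 499,
        "2000_chars_one_line": "k=" + "B" * 1998,
        # 1000 characters of content folded into 100-character lines
        "1000_chars_wrapped_at_100": "\n".join(["C" * 100] * 10),
        # short first line followed by one long line
        "short_line_then_600": "id=1\n" + "D" * 600,
    }

def coverage_table() -> dict:
    """Map sample name -> {mode name: matched?}."""
    return {
        name: {mode: matches(body, flags) for mode, flags in MODES.items()}
        for name, body in build_samples().items()
    }

if __name__ == "__main__":
    for name, row in coverage_table().items():
        cells = "  ".join(f"{m}={'hit' if v else 'miss'}" for m, v in row.items())
        print(f"{name:28} {cells}")
```

The threshold is 499 characters on a single line; whether a body containing line breaks matches depends on the regex mode, so compare these results with the alerts the test policy actually raises.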
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.