Netskope Global Technical Success (GTS)

[Use Case - Netskope DLP] How to Exclude Words from a Predefined Identifier

 

Netskope Cloud Version - 125

Objective

Exclude words from a Predefined Identifier.

 

Prerequisite

Netskope CASB/SWG License is required.

Standard DLP License is required.

 

Context

Netskope users may want to exclude specific words from Predefined Identifiers in Data Loss Prevention (DLP) to reduce false positives. This allows for more precise detection of sensitive data by ignoring common terms or phrases that could trigger alerts unnecessarily. Excluding words refines the DLP policies, ensuring that only genuine violations are flagged, thereby improving the efficiency of security operations.

Configuration

Step 1: Identifying the Predefined Identifier

The first step is to identify the specific Predefined Identifier to modify by excluding certain words.

Before a DLP configuration is applied to production user groups, it is typically tested in a controlled environment. If specific words trigger a DLP alert during testing when they should not, the alert is a false positive. The Predefined Identifier that matched the word can be found in DLP Incidents and then excluded.

The same can happen in production environments, and the process is the same: the DLP Incidents show the data matches that triggered the alert.

 

For Example:

[Screenshot: DLP incident with the matched words highlighted and the triggering DLP Rule/Profile/Policy on the right]

The highlighted words triggered the DLP Rule/Profile/Policy shown on the right. The matched Predefined Identifier can be identified by hovering the mouse over the data term, as shown in the picture above. The rule matched in this example was US-SSN-Name. Checking that rule shows the name of the Predefined Identifier.


Step 2: Configure the Entity Modifier

Path: Netskope Tenant UI > Policies > Profiles DLP > Edit Rules > Data Loss Prevention > Entities > New Entity

  1. Create a Name for the Entity: This name will be used in the DLP Rule. For instance, if the identifier to modify is "Social Security Number Terms (US)", the Entity can be named "SSN Terms Modified (US)".
  2. Select Data Identifier.
  3. Choose Case Sensitivity: It is recommended to set this to "Case Insensitive" to prevent data leaks.
  4. Add the Predefined Identifier: Type two open curly brackets {{ and begin typing the name of the Predefined Identifier. A list of available identifiers may appear. Select the desired one to add it to the Entity.


  5. Advanced Options: Configure additional conditions to check for this entity. Select one of “Begins with”, “Ends with” or “Does not match” and click “Add Condition”. Any of the options can be used to modify the Predefined Identifier; because this example excludes a word, “Does not match” is chosen.

Regexes or keywords can be used. If multiple keywords or regexes are added, each must be entered on a separate line.

 

The final Entity configuration would look like this:

[Screenshot: final Entity configuration]

 

The new Entity can be found under “Custom Entities” in the “Entity” step when configuring the DLP Rule.
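Before entering the “Does not match” lines from step 5, the list can be checked offline against terms taken from DLP Incidents. The following is an added example, not Netskope code: it assumes each line must match the whole matched term, case-insensitively, and it uses Python's `re` dialect, which may differ from the tenant's. The sample terms and function names are constructed for illustration.

```python
import re

# Constructed samples: terms seen as false positives in DLP Incidents, and
# terms that must keep alerting after the exclusion is added.
FALSE_POSITIVES = ["Luke Oneal", "LUKE ONEAL", "Luke O'Neal"]
MUST_ALERT = ["Maria Gonzalez", "John Smith"]

NARROW = "Luke Oneal\nluke\\s+o'neal"    # one keyword or regex per line
BROAD = "Luke Oneal\n[a-z]+ [a-z']+"     # second line swallows any two-word name


def compile_exclusions(text):
    """Parse the condition box: one entry per line, blank lines ignored."""
    compiled = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        try:
            rx = re.compile(line, re.IGNORECASE)
        except re.error:
            rx = re.compile(re.escape(line), re.IGNORECASE)  # plain keyword
        compiled.append((line, rx))
    return compiled


def excluded_by(term, exclusions):
    """Return the first entry that suppresses `term`, or None.
    Assumption: an entry must match the whole term, case-insensitively."""
    for raw, rx in exclusions:
        if rx.fullmatch(term.strip()):
            return raw
    return None


def review(exclusion_text, false_positives, must_alert):
    """Report false positives left over and real matches wrongly suppressed."""
    excl = compile_exclusions(exclusion_text)
    hits = {t: excluded_by(t, excl) for t in false_positives + must_alert}
    return {
        "still_noisy": [t for t in false_positives if hits[t] is None],
        "suppressed": {t: hits[t] for t in must_alert if hits[t] is not None},
        "unused": [raw for raw, _ in excl if raw not in hits.values()],
    }


if __name__ == "__main__":
    for name, text in (("narrow", NARROW), ("broad", BROAD)):
        print(name, review(text, FALSE_POSITIVES, MUST_ALERT))
```

A non-empty `suppressed` result means the exclusion is broad enough to hide genuine matches, which turns a false-positive fix into a detection gap.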




Verification

DLP Policy Configuration:

DLP Rule

[Screenshot: DLP Rule configuration]




 

DLP Profile

[Screenshot: DLP Profile configuration]

 

RTP Policy:

[Screenshot: RTP Policy configuration]

Results:

Once the policy detects any data that matches the Predefined Identifier “Full Names (International)”, except the keyword “Luke Oneal”, it is triggered as shown below.

[Screenshots: policy trigger results]



 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.
  • To modify Predefined Identifiers, you may need to enable additional backend features. If the "Entity" option is unavailable on the NS Tenant, please contact Netskope GTS by submitting a 'How To Question' support case.

 
