
Netskope Global Technical Success (GTS)

Netskope DLP – Building Effective DLP Rules in Netskope

Netskope Cloud Version - 127

Introduction

This article explains how to create and configure DLP Rules in Netskope.
DLP Rules define how sensitive data is detected based on previously created Entities, and control the conditions, logic, and severity under which detections are triggered.

Rules form the heart of Netskope DLP — without them, Entities alone cannot inspect or enforce anything.

This document breaks down each part of a DLP Rule, with configuration guidance, use cases, and practical examples.

 


What is a DLP Rule?

A DLP Rule connects one or more Entities to a specific set of detection behaviors. It defines how data is matched, where it is inspected (content vs metadata), how many matches are required to trigger detection, and what severity should be assigned.

Rules are then added into DLP Profiles, which are later applied to traffic via DLP Policies.

 


 


Core Components of a DLP Rule

1. Entity Selection

 

What It Is: Defines which data types the rule should inspect for. You can choose:
  • Predefined Data Identifiers
  • Custom or Predefined Dictionaries
  • Both (multiple entities in one rule)

Why It Matters: Entities determine what kind of sensitive content Netskope should detect.

Examples / Best Practices:
  • Example: Detect both SSNs and internal keywords like "Project Orion".
  • Best Practice: Group related entities (e.g., all financial identifiers) to keep rules organized.

 


 


2. Exact Match (Fingerprinting)

 

What It Is: This feature allows detection of exact values from structured datasets or sensitive documents you’ve previously fingerprinted, like employee IDs or customer lists.

Why It Matters: It provides highly accurate detection with minimal false positives. Only the data you've explicitly uploaded for fingerprinting will trigger alerts, which makes it ideal for confidential or regulated datasets.

Examples / Best Practices:
  • Example: Upload a list of customer account numbers; the rule triggers only if one of those exact numbers is found.
  • Important: The dataset must be uploaded and configured beforehand under Policies > DLP > Exact Match.
  • Best Practice: Use for sensitive structured data like payroll files, CRM exports, or PII dumps.

 


 


3. Advanced Options


 

What It Is: Lets you define how entities should appear in content to trigger a match. Includes Boolean logic (AND/OR), proximity (words must appear close together), and match count thresholds.

Why It Matters: These refinements help you reduce false positives and tune rules for realistic business scenarios. By using these options, your rules can better mimic how sensitive data is actually used or leaked.

Examples / Best Practices:

Examples:
  • Match if both "confidential" AND "proposal" are present
  • Trigger only if 5 or more sensitive keywords are found
  • Detect "bank" within 15 words of "account number"

Best Practice: Use logical conditions for more precise detection, especially in rules using broad or custom dictionaries.
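
The three conditions listed for Advanced Options (Boolean AND, proximity, match count threshold) can be tried outside the product to see how each one narrows a match. The Python sketch below is an added example, not Netskope code and not a description of how the Netskope engine works; the function names, sample texts, keyword list, and the choice to measure proximity as the difference between word positions are assumptions made for illustration.

```python
import re

# Constructed sample texts (not real data).
LEAK = ("Confidential proposal: wire the retainer to our bank today, the "
        "account number is 000123456789. Merger pricing, forecast, and "
        "payroll terms from the acquisition are attached.")
BENIGN = ("The river bank flooded again this spring, so the hiking club moved "
          "its annual picnic to the upper meadow near the old mill. Separately, "
          "remember to update your account number in the portal. The proposal "
          "is due Friday and the forecast looks fine.")
KEYWORDS = ["merger", "pricing", "forecast", "payroll", "acquisition"]  # hypothetical dictionary

def tokenize(text):
    """Lower-cased word tokens; punctuation is dropped."""
    return re.findall(r"[a-z0-9']+", text.lower())

def find_phrase(tokens, phrase):
    """Start positions where a single- or multi-word phrase occurs."""
    words = tokenize(phrase)
    n = len(words)
    return [i for i in range(len(tokens) - n + 1) if tokens[i:i + n] == words]

def all_present(tokens, terms):
    """Boolean AND: every term occurs at least once."""
    return all(find_phrase(tokens, t) for t in terms)

def within(tokens, a, b, max_words):
    """Proximity (assumed metric): start positions differ by <= max_words."""
    return any(abs(i - j) <= max_words
               for i in find_phrase(tokens, a) for j in find_phrase(tokens, b))

def match_count(tokens, dictionary):
    """Total dictionary hits, compared against the match threshold."""
    return sum(len(find_phrase(tokens, t)) for t in dictionary)

def evaluate(text, keywords=KEYWORDS, threshold=5):
    """Apply the page's three example conditions to one piece of content."""
    tokens = tokenize(text)
    return {
        "and": all_present(tokens, ["confidential", "proposal"]),
        "proximity": within(tokens, "bank", "account number", 15),
        "threshold": match_count(tokens, keywords) >= threshold,
    }

if __name__ == "__main__":
    for name, text in (("LEAK", LEAK), ("BENIGN", BENIGN)):
        print(name, evaluate(text))
```

A plain keyword search would flag both sample texts, since each contains "bank" and "account number"; only the proximity condition separates them.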

 

 

 


4. Content Inspection

 

What It Is: Controls whether Netskope scans the actual content (like body text), metadata (like filenames or authors), or both. You can select one depending on your inspection goal.

Why It Matters: Targeting the appropriate part of the data object helps reduce unnecessary scanning and improves efficiency. It also ensures relevant data is inspected, depending on where sensitive terms are likely to be found.

Examples / Best Practices:

Use Cases:
  • Metadata Only: Detect filenames like “payroll_q1.pdf”
  • Content Only: Scan contents of emails or files
  • Content and Metadata: For full-scope inspection

Best Practice: Match scanning mode to the data type; for example, use metadata scanning for files where content isn’t relevant but filenames are.

 


 


5. Severity and Match Threshold

 

What It Is: Severity classifies how critical the rule is (Low, Medium, High), while the Match Threshold sets the number of matches needed to trigger the rule. These settings control alert sensitivity.

Why It Matters: Proper use of severity helps with triaging alerts and managing incident response, while match thresholds prevent minor or partial matches from triggering alerts unnecessarily.

Examples / Best Practices:

Examples:
  • High Severity: Trigger on 10+ credit card numbers
  • Low Severity: Trigger on 1–2 internal terms in chat

Best Practice: Use High severity for regulated data (like PCI or HIPAA), and increase match thresholds for keyword-heavy rules to reduce noise.


 


Best Practices for DLP Rules

  • Avoid overloading a single rule with unrelated Entities
  • Use multiple focused rules rather than one broad one for better tuning and analytics
  • Regularly review rules to reflect changes in business processes, regulations, or terminology
  • Document what each rule is intended to catch, for long-term maintainability
     

 


What’s Next?

Once DLP Rules are created, they must be added to a DLP Profile, which groups them and defines additional filtering options like file types and sizes.


 

 


 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 



 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 

 
