Solved

Not Near Best Practices

  • November 14, 2024
  • 9 replies
  • 312 views

kdibble

We are working towards implementing a rule that looks for plaintext credentials within shared documents. In doing so, we’ve utilized the Passwords (contextual) pre-defined entity. We’ve noticed that this entity is catching Teams and Zoom meeting passcodes. We do not want to catch these passcodes in the rule and are trying to create a “not near” advanced expression. I’m looking for guidance on how to perform this.

For example here is what we have:

P1 = Passwords (Contextual)

D5 = Custom Dictionary of words like “meeting”, “teams”, “zoom”, etc…

Both options we’ve tried:

1.) ( P1 AND ( NOT ( P1 NEAR D5 ) ) )

2.) (P1 AND NOT (P1 NEAR D5))

Any help would be appreciated.


This topic has been closed for replies.

9 replies

ejang
Netskope Employee
  • Netskope Employee
  • November 17, 2024

You need two RTP policies.

  1. To block any passwords, create a policy with DLP Profile A (P1) and Action to Block (I believe you already have this policy)
  2. Above the first policy, add a new policy with DLP Profile B (P1 NEAR D5) and Action to Allow.


 


kdibble
  • Author
  • New Member III
  • November 18, 2024

Hi Ejang,

Thanks for the reply. We are actually using API policies for this so don’t believe this solution would work.

Thank you,

KD


  • Explorer
  • November 18, 2024

I asked the same question, specifically related to passwords near Zoom links here: 

Even with the final reply by Oscar it doesn’t work. This doesn’t seem to be possible even with custom entities enabled. I also opened a support ticket at the time and was also told this was not possible.


kdibble
  • Author
  • New Member III
  • November 18, 2024

@nduda,

I’ve reviewed your question many times. Thanks for reaching out. This seems to be a big deal and I wonder why there aren’t more folks asking the same question.

@ejang please advise if there is a way to do this.

Thank you,

KD


ejang
Netskope Employee
  • Netskope Employee
  • Answer
  • November 19, 2024

@kdibble 
I used the below expression and it worked. Please try.

(NOT (P0 NEAR D0)) AND (P0)
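
Added example (not part of any poster's reply and not Netskope code): a small offline model for checking what a "not near" expression of this shape does on test text before deploying the rule. It assumes a regex as a stand-in for the Passwords (Contextual) entity and a character-distance NEAR; how the product scopes NEAR is not stated in this thread, so the block models both a whole-document reading and a per-match reading.

```python
import re

# Assumptions (not Netskope internals): a regex stands in for the
# "Passwords (Contextual)" entity, and NEAR means "within WINDOW characters".
PASSWORD = re.compile(r"(?i)\b(?:password|passcode|pwd)\s*[:=]\s*(\S+)")
DICTIONARY = re.compile(r"(?i)\b(?:meeting|teams|zoom)\b")
WINDOW = 42  # proximity value quoted in the thread's last reply


def spans(pattern, text):
    """Return (start, end) offsets of every match of pattern in text."""
    return [m.span() for m in pattern.finditer(text)]


def near(a, b, window=WINDOW):
    """True when the gap between two (start, end) spans is <= window."""
    gap = max(a[0], b[0]) - min(a[1], b[1])
    return gap <= window


def document_level(text):
    """(NOT (P NEAR D)) AND P, evaluated once for the whole document."""
    p, d = spans(PASSWORD, text), spans(DICTIONARY, text)
    any_near = any(near(x, y) for x in p for y in d)
    return bool(p) and not any_near


def per_match(text):
    """Password matches that have no dictionary term within WINDOW."""
    d = spans(DICTIONARY, text)
    return [text[s:e] for s, e in spans(PASSWORD, text)
            if not any(near((s, e), y) for y in d)]


# Constructed sample documents (no real credentials).
MEETING_ONLY = "Join the Zoom meeting. Passcode: 482913"
CRED_ONLY = "prod db login is svc_app, password: Xk9!example"
MIXED = MEETING_ONLY + "\n" + ("Notes for the deploy follow below. " * 3) + CRED_ONLY

if __name__ == "__main__":
    for name, doc in [("meeting", MEETING_ONLY), ("cred", CRED_ONLY), ("mixed", MIXED)]:
        print(name, document_level(doc), per_match(doc))
```

The mixed document is the case to test in a real tenant: under the whole-document reading, one meeting passcode suppresses the alert for an unrelated credential in the same file.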


  • Explorer
  • November 19, 2024

@kdibble 
I used the below expression and it worked. Please try.

(NOT (P0 NEAR D0)) AND (P0)

 

OK, this seems to work somewhat, but it depends on the format. For example, this won’t trigger on a Slack post with a hyperlinked Zoom link. If you remove the hyperlink (text only), it triggers. This just might be Netskope not being able to look at hyperlinks.

P0 = Passwords (Contextual)
C0 = company.zoom.us (custom entity)

(NOT (P0 NEAR C0)) AND (P0)


This was allowed to be posted:

This was prevented (same link, hyperlink removed)

 


ejang
Netskope Employee
  • Netskope Employee
  • November 20, 2024

@kdibble Neither hyperlink nor text triggered the DLP in my environment.


ejang
Netskope Employee
  • Netskope Employee
  • November 20, 2024

@kdibble I see now. You used a data identifier (C0) instead of a dictionary (D5). Please check the expression in C0. 


  • New Member
  • December 4, 2024

@kdibble I am using the Obfuscation feature to detect the password

(P0) - Password Terms (English)
(C0) - Passwords (Contextual)
(C1) - PWD_Secure
(C2) - PWD_Common

C0 OR ( P0 NEAR C2 ) OR ( P0 NEAR C1 )
Proximity Check: 42 characters

Try this