Skip to main content

We are working towards implementing a rule that looks for plaintext credentials within shared documents. In doing so, we’ve utilized the Passwords (contextual) pre-defined entity. We’ve noticed that this entity is catching teams and zoom meeting passcodes. We do not want to catch these passcodes in the rule and are trying to create a “not near” advanced expression. I’m looking for guidance on how to perform this.

 

For example here is what we have:

 

P1 = Passwords (Contextual)

D5 = Custom Dictionary of words like “meeting”, “teams”, “zoom”, etc…

 

Both options we’ve tried:

 

1.) ( P1 AND ( NOT ( P1 NEAR D5 ) ) )

2.) (P1 AND NOT (P1 NEAR D5))

 

Any help would be appreciated.

 

 

You need two RTP policies.

  1. To block any passwords, create a policy with DLP Profile A (P1) and Action to Block (I believe you already have this policy)
  2. Above the first policy, add a new policy with DLP Profile B (P1 NEAR D5) and Action to Allow.


 


Hi Ejang,

 

Thanks for the reply. We are actually using API policies for this so don’t believe this solution would work.

 

Thank you,

 

KD


I asked the same question, specifically related to passwords near Zoom links here: 

Even with the final reply by Oscar it doesn’t work. This doesn’t seem to be possible even with custom entities enabled. I also opened a support ticket at the time and was also told this was not possible.


@nduda,

 

I’ve reviewed your question many times.. Thanks for reaching out. This seems to be a big deal and I wonder why there aren’t more folks asking the same question.

 

@ejang please advise if there is a way to do this.

 

Thank you,

 

KD


@kdibble 
I used the below expression and it worked. Please try.

(NOT (P0 NEAR D0)) AND (P0)


@kdibble 
I used the below expression and it worked. Please try.

(NOT (P0 NEAR D0)) AND (P0)

 

Ok this seems to work somewhat, but It depends on the format. For example, this wont trigger on a slack post with a hyperlinked zoom link. If you remove the hyperlink (text only) it triggers. This just might be Netskope not able to look at hyperlinks.

P0 = Passwords (Contextual)
C0 = company.zoom.us (custom entity)

(NOT (P0 NEAR C0)) AND (P0)


This was allowed to be posted:

This was prevented (same link, hyperlink removed)

 


@kdibble Neither hyperlink nor text triggered the DLP in my environment.

 

 


@kdibble I see now. You used a data identifier (C0) instead of a dictionary (D5). Please check the expression in C0. 


@kdibble i am using Obfuscation feature to detect the password 

 

(P0) - Password Terms (English)
(C0) - Passwords (Contextual)
(C1) - PWD_Secure
(C2) - PWD_Common
 


C0 OR ( P0 NEAR C2 ) OR ( P0 NEAR C1 )
Proximity Check: 42 characters

 

Try this


Reply