In the 114 release, we are excited to introduce a new type of content for Netskope SSPM: template-based rules. These rule templates are designed to help you deploy environment-specific detections for known threats and noteworthy anomalies, and to address misconfigurations. Using templates makes it easier to establish a more expedient and proactive defense strategy for your SaaS ecosystem.
Each template is written in the same Netskope Governance Language (NGL) rule logic that is used in the hundreds of built-in detections bundled with Netskope SSPM.
Refer to the steps below.
Template-based rules are predefined detection rules that contain placeholders intended to be filled in by the user. By simply populating the placeholders within the rule, users can effortlessly generate rules tailored to their specific business requirements and constraints.
For example, you might want to ensure that every user account in a SaaS application is registered with a company-provided email address, or to create an alert if a user is assigned a custom role that your organization considers high risk. Traditional predefined rules are not aware of the structure of the company's email addresses or its organizational hierarchy, so deploying such a detection requires the user to teach the SSPM which email addresses or role descriptions should trigger it. These types of detections are easy to build using templates.
Furthermore, the rules generated by these templates seamlessly integrate into your existing findings workflow as custom rules.
Let’s see how they work in practice.
To list all predefined templates, use the new filter called Template, which we introduced in the Rule type filters under Policy -> Security Posture -> SaaS -> Rules.
Once the templates are listed, you can see the details of a template by clicking on it.
The rule is NGL code with a placeholder that needs to be replaced with the required string, integer or list arguments. A placeholder can be identified as a string enclosed in double curly brackets, like “{{ .CompanyDomainString }}”.
Once we select the template that we want to use to build a rule and click on IMPORT TO RULE, the workflow follows the custom rule creation tool. The definition, categorization and descriptions are pre-filled on the user's behalf and can be modified as needed.
Rule logic, Category and Description are all predefined.
Tip: Under the Description tab we provide a full working rule example to make the placeholder replacement easy for the end user.
This is how it looks once the placeholder is filled with the preferred value.
Once the rule code is completed and the Rule name is set, the rule is ready to be saved and added to the preferred Policy.
The alert workflow for template-based rules is the same as for built-in or custom rules: the alerts are visible under the Findings page.
The template-based rule content is continuously updated with new templates to make the SSPM more powerful for all customer needs.