Netskope Community
-
Forums
ProductsCommunity Resources
-
Learn
Education, Training, Certification, and Thought LeadershipCommunity Resources
-
Groups
Community GroupsCommunity Resources
-
Events
Community Resources
- Support
- Netskope Community
- Other Forums
- Additional Discussions
- Cloud Exchange - Justify Usage - business rule wor...
Cloud Exchange - Justify Usage - business rule workflow config
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-11-2023 05:28 PM - edited 05-16-2023 05:19 PM
Hi Community Members,
I have recently deployed cloud exchange in my organization, and integrated few plugins, however I need further support on implementing business rule to a monitored email box for the SOC team to pick up. At this stage, I am looking to maintain a simple workflow.
Current scenario/implementation:
- Deployed Cloud Exchange and integrated with my tenant.
- Have the plugins of Notifier & Netskope ITSM configured
- Able to receive "ALL" the alerts from Netskope tenant to cloud exchange
My further requirement as below:
- When a Web-access category is denied for a user, he may proceed with a suitable justification with "Justify Usage" or "Report False positives" description box enabled (by means of Email notification template) - I have configured this. (Completed)
- I need only the "Justify Usage" notification alerts to be received by the Cloud Exchange vs Compared to "All" the policy alerts being received by Cloud exchange - How do I tweak it ? I need to minimize the log flow here, since not much value on generic allow/deny logs in cloud exchange system. (Completed) . Found a better way, and filtered this at plugin level itself, and hence to avoid noise and overwhelm the CE resource. I have observed from the logs that "Justification Type" string parameters has "justification" and "falsepositive". Also, I have noticed the chrome/firefox browser webpages refresh on the user block page, and the alert reports Justification Reason as "N/A". Please find attached snapshots for better understanding.
- I am looking for a simple Business workflow setup, such that "Justify Usage" alerts received on the Cloud Exchange should trigger an email alert to my shared/monitored email box (pre-configured in Notifier plugin). (Work in progress - Awaiting assistance from this forum)
- Any detailed use-case guidance on "Queue" configs (Work in progress - Awaiting assistance from this forum)
Awaiting directions from the community experts.
Thank you.
- Labels:
-
Business Rule
-
Workflow
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-16-2023 06:12 AM
@vraj Is there a specific policy that you'd like to monitor for this or are there multiple? I have a similar flow to this setup in a lab to send justifications that are filled out for only a specific policy. The business rule query is:
alertName Is equal "[Web] Block Non-business Sites With Justification Option" && NOT (rawAlert_justification_reason Is equal "")
In this case it filters out only alerts from the Block Non-business Sites policy and ignores ones where the user does not enter a justification. Hopefully this helps but let me know if additional tweaking is needed. Keep in mind, you can also test your query using the test button on the Business Rules page;
Sam Shiflett
Netskope Solution Architect - North America
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-16-2023 04:39 PM
Hi Sam,
Thanks for your response. I have found a alternative approach, and edited the post with my configured filters. Please take a look.
Best Regards.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- World’s Largest and Highest-performing Cloud Network For Security in Additional Discussions
- Using Microsoft Teams to Monitor Netskope Platform Events and Alerts in Additional Discussions
- Netskope Application Risk Exchange ServiceNow in Additional Discussions
- Netskope Cloud Threat Exchange Trend Micro Vision One in Additional Discussions
-
cloud exchange
14 -
DLP
10 -
Threat Protection
6 -
sdwan
5 -
MacOS
5 -
Advanced Analytics
4 -
IaaS
4 -
netskope client
4 -
CASB
3 -
cloud threat exchange
3 -
SASE
3 -
SWG
3 -
ztna
3 -
ipsec
3 -
client update
3 -
API
3 -
Netskope Agent
3 -
SupportPoral
3 -
vpn
2 -
Rest API
2 -
Community Forum
2 -
Proxy
2 -
Real-time Policy
2 -
NPA
2 -
Webinar
2 -
Netskope
2 -
Netskope Client installation mechanism
2 -
steering
2 -
publisher
2 -
Azure
2 -
Netskope Endpoint Client
2 -
technology partner
2 -
Windows 365 Desktop
2 -
Client
2 -
docker
2 -
SCIM
2 -
best practice
2 -
on-prem
2 -
NSClient
2 -
private access
2 -
Azure AD
2 -
Community Resources
2 -
NG-SWG
2 -
Cloud & Threat Challenges
2 -
SAML
2 -
crowdstrike
1 -
user
1 -
Workshops
1 -
IDP
1 -
Netskope Cloud Security
1 -
Netskope Community
1 -
Users Policies
1 -
PAC file
1 -
Netskope Advocacy
1 -
POP Server
1 -
QRadar
1 -
RBAC
1 -
voip
1 -
regex
1 -
Based-Group
1 -
proxy configurations
1 -
Admin
1 -
cisco
1 -
policy
1 -
export
1 -
roadmap
1 -
Based-Users
1 -
explicit proxy over IPSec
1 -
Microsoft Outlook
1 -
skopeit
1 -
MIP
1 -
MS Teams
1 -
Netskope Private Access
1 -
On-Premise Detection
1 -
HELP!
1 -
Infrastructure as Code (IaC)
1 -
SD-WAN
1 -
meraki
1 -
Authentication
1 -
APIv2
1 -
Remote access
1 -
Microsoft Sentinel
1 -
SupportPortal
1 -
Netskope Admin
1 -
cloud app
1 -
Email DLP
1 -
SIEM Integration
1 -
Managed apps
1 -
Verizon
1 -
Home-office
1 -
traffic routing
1 -
OVF-OVA
1 -
json
1 -
coexistence
1 -
VMware
1 -
DBIR
1 -
remote workers
1 -
traffic steering
1 -
Linux based
1 -
restriction
1 -
interoperability
1 -
logs
1 -
Adoption
1 -
Groups
1 -
Virtual Machines
1 -
HA
1 -
NewEdge
1 -
certificate error
1 -
integration
1 -
option
1 -
GRE
1 -
Reporting
1 -
Rest API to fetch the Users from NetSkope
1 -
Azure Virtual Desktop
1 -
PROD
1 -
Communications
1 -
Forensic File Storage
1 -
OSX
1 -
tunnel
1 -
ServiceNow
1 -
SMTP
1 -
Threat and Vulnerability Management
1 -
Provisionning
1 -
Monitoring
1 -
Auto-update
1 -
DLP Violation
1 -
security posture check
1 -
Bug
1 -
Cloud Security
1 -
User Defined Route (UDR)
1 -
scim query postman
1 -
Time Actively Spent on Sites Widget
1 -
CCI
1 -
Macintosh
1 -
Support
1 -
install
1 -
Unmanaged Devices
1 -
Office365
1 -
Internet next hop type
1 -
ChangeManagement
1 -
Technical Success
1 -
API Credentials
1 -
steer traffic
1 -
beta
1 -
single mode
1 -
Active Directory
1 -
Waterfox Browser
1 -
AD
1 -
hub-and-spoke model
1 -
Workflow
1 -
License
1 -
risk management: cloud services
1 -
datacenter
1 -
multi-user mode
1 -
Adapters
1 -
Next Gen SWG
1 -
Network Virtual Appliances (NVA)
1 -
Business Rule
1 -
cloudexchange
1 -
advanced analytics custom
1 -
pop
1 -
peruserconfig
1 -
RBI
1 -
tenant
1 -
AZURE-AD-FREE
1 -
IPSec Tunnels
1 -
Data Loss Prevention
1 -
splunk
1 -
watermark
1 -
training
1 -
SSPM
1 -
Sync
1 -
Cloud Firewall License
1 -
SSO cloud exchange azureAD
1 -
syslog
1
In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below
Sign In