Cloud Exchange - Justify Usage - business rule workflow config

  • 12 May 2023
  • 2 replies
  • 41 views

Badge +2
  • Netskope Partner
  • 1 reply

Hi Community Members,

 

I have recently deployed cloud exchange in my organization, and integrated few plugins, however I need further support on implementing business rule to a monitored email box for the SOC team to pick up. At this stage, I am looking to maintain a simple workflow.

 

Current scenario/implementation:
- Deployed Cloud Exchange and integrated with my tenant.
- Have the plugins of Notifier & Netskope ITSM configured
- Able to receive "ALL" the alerts from Netskope tenant to cloud exchange

 

My further requirement as below:
- When a Web-access category is denied for a user, he may proceed with a suitable justification with "Justify Usage" or "Report False positives" description box enabled (by means of Email notification template) - I have configured this. (Completed)
- I need only the "Justify Usage" notification alerts to be received by the Cloud Exchange vs Compared to "All" the policy alerts being received by Cloud exchange - How do I tweak it ? I need to minimize the log flow here, since not much value on generic allow/deny logs in cloud exchange system. (Completed) .   Found a better way, and filtered this at plugin level itself, and hence to avoid  noise and overwhelm the CE resource. I have observed from the logs that "Justification Type" string parameters has "justification" and "falsepositive". Also, I have noticed the chrome/firefox browser webpages refresh on the user block page, and the alert reports Justification Reason as "N/A".  Please find attached snapshots for better understanding.
- I am looking for a simple Business workflow setup, such that "Justify Usage" alerts received on the Cloud Exchange should trigger an email alert to my shared/monitored email box (pre-configured in Notifier plugin). (Work in progress - Awaiting assistance from this forum)

- Any detailed use-case guidance on "Queue" configs  (Work in progress - Awaiting assistance from this forum)

 

Awaiting directions from the community experts.

Thank you.


2 replies

Userlevel 6
Badge +16

@vraj Is there a specific policy that you'd like to monitor for this or are there multiple?  I have a similar flow to this setup in a lab to send justifications that are filled out for only a specific policy.  The business rule query is:

alertName Is equal "[Web] Block Non-business Sites With Justification Option" && NOT (rawAlert_justification_reason Is equal "")

In this case it filters out only alerts from the Block Non-business Sites policy and ignores ones where the user does not enter a justification.   Hopefully this helps but let me know if additional tweaking is needed.  Keep in mind, you can also test your query using the test button on the Business Rules page;

 

Badge +2

Hi Sam,

Thanks for your response. I have found a alternative approach, and edited the post with my configured filters. Please take a look.

 

Best Regards.

Reply