Netskope Community
3 weeks ago - last edited 2 weeks ago
Hi Community Members,
I have recently deployed cloud exchange in my organization, and integrated few plugins, however I need further support on implementing business rule to a monitored email box for the SOC team to pick up. At this stage, I am looking to maintain a simple workflow.
Current scenario/implementation:
- Deployed Cloud Exchange and integrated with my tenant.
- Have the plugins of Notifier & Netskope ITSM configured
- Able to receive "ALL" the alerts from Netskope tenant to cloud exchange
My further requirement as below:
- When a Web-access category is denied for a user, he may proceed with a suitable justification with "Justify Usage" or "Report False positives" description box enabled (by means of Email notification template) - I have configured this. (Completed)
- I need only the "Justify Usage" notification alerts to be received by the Cloud Exchange vs Compared to "All" the policy alerts being received by Cloud exchange - How do I tweak it ? I need to minimize the log flow here, since not much value on generic allow/deny logs in cloud exchange system. (Completed) . Found a better way, and filtered this at plugin level itself, and hence to avoid noise and overwhelm the CE resource. I have observed from the logs that "Justification Type" string parameters has "justification" and "falsepositive". Also, I have noticed the chrome/firefox browser webpages refresh on the user block page, and the alert reports Justification Reason as "N/A". Please find attached snapshots for better understanding.
- I am looking for a simple Business workflow setup, such that "Justify Usage" alerts received on the Cloud Exchange should trigger an email alert to my shared/monitored email box (pre-configured in Notifier plugin). (Work in progress - Awaiting assistance from this forum)
- Any detailed use-case guidance on "Queue" configs (Work in progress - Awaiting assistance from this forum)
Awaiting directions from the community experts.
Thank you.
2 weeks ago
@vraj Is there a specific policy that you'd like to monitor for this or are there multiple? I have a similar flow to this setup in a lab to send justifications that are filled out for only a specific policy. The business rule query is:
alertName Is equal "[Web] Block Non-business Sites With Justification Option" && NOT (rawAlert_justification_reason Is equal "")
In this case it filters out only alerts from the Block Non-business Sites policy and ignores ones where the user does not enter a justification. Hopefully this helps but let me know if additional tweaking is needed. Keep in mind, you can also test your query using the test button on the Business Rules page;
2 weeks ago
Hi Sam,
Thanks for your response. I have found a alternative approach, and edited the post with my configured filters. Please take a look.
Best Regards.
In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below
Sign In