Showing results for 
Search instead for 
Did you mean: 

Omit specific account from Real-Time Protection/Threat Protection policy

New Contributor II

Hi all, 


Wanted to get your thoughts on how to best approach something. We have a specific user account that's leverage for internal pen testing. As expected, there are Real-time Protection Policies that fire off alerts for this account's activity when active.


We've had a request to see if it's possible to filter this account out of either the policies or the alerts. Is there currently a way to omit a given account from a specific policy or alert (triggering)? 


On the alerts side, you could exclude it from SkopeIt and Analytics by explicitly excluding it via the search condition.


That could then be saved and set as a Shared Search.



But that wouldn't exclude it from showing in pre-built reports and dashboards (such as the home page).  

To prevent the Alert from firing at all, I would clone the rule(s) that generate the alert and place the new rule immediately ahead of the cloned rule.   Then I would add a source constraint of your pentest user and change the action to Allow.




Netskope has the ability to exclude by source user or group in a real-time policy.  If you don't have this feature enabled in your tenant, reach out to your account team for help.    Example shown below where a real-time policy is configured to apply to all users with an exclusion for the pen tester account.Screenshot 2023-01-25 at 4.53.44 PM.png

In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below

Sign In