This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask the community

Omit specific account from Real-Time Protection/Threat Protection policy

Go to solution
AlfaBane
New Contributor III

‎01-25-2023 09:04 AM

Hi all, 

 

Wanted to get your thoughts on how to best approach something. We have a specific user account that's leverage for internal pen testing. As expected, there are Real-time Protection Policies that fire off alerts for this account's activity when active.

 

We've had a request to see if it's possible to filter this account out of either the policies or the alerts. Is there currently a way to omit a given account from a specific policy or alert (triggering)? 

1 Solution
Go to solution
myee
Netskope
Netskope

‎01-25-2023 02:56 PM

Netskope has the ability to exclude by source user or group in a real-time policy.  If you don't have this feature enabled in your tenant, reach out to your account team for help.    Example shown below where a real-time policy is configured to apply to all users with an exclusion for the pen tester account.Screenshot 2023-01-25 at 4.53.44 PM.png

View solution in original post

2 Replies 2
Go to solution
qyost
Contributor III

‎01-25-2023 09:47 AM

On the alerts side, you could exclude it from SkopeIt and Analytics by explicitly excluding it via the search condition.

qyost_0-1674668319547.png

That could then be saved and set as a Shared Search.

qyost_1-1674668431445.png

qyost_2-1674668472642.png

But that wouldn't exclude it from showing in pre-built reports and dashboards (such as the home page).  

To prevent the Alert from firing at all, I would clone the rule(s) that generate the alert and place the new rule immediately ahead of the cloned rule.   Then I would add a source constraint of your pentest user and change the action to Allow.

qyost_3-1674668833482.png

 

--
-Q.
Go to solution
myee
Netskope
Netskope

‎01-25-2023 02:56 PM

Netskope has the ability to exclude by source user or group in a real-time policy.  If you don't have this feature enabled in your tenant, reach out to your account team for help.    Example shown below where a real-time policy is configured to apply to all users with an exclusion for the pen tester account.Screenshot 2023-01-25 at 4.53.44 PM.png

Subscribe
Labels

In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below

Sign In