Omit specific account from Real-Time Protection/Threat Protection policy

AlfaBane
New Contributor II

Hi all, 

Wanted to get your thoughts on how to best approach something. We have a specific user account that's leveraged for internal pen testing. As expected, there are Real-time Protection Policies that fire off alerts for this account's activity when active.

We've had a request to see if it's possible to filter this account out of either the policies or the alerts. Is there currently a way to omit a given account from a specific policy or alert (triggering)? 

2 REPLIES
qyost
Contributor

On the alerts side, you could exclude it from SkopeIt and Analytics by explicitly excluding it via the search condition.

[screenshot: qyost_0-1674668319547.png]

That could then be saved and set as a Shared Search.

[screenshot: qyost_1-1674668431445.png]

[screenshot: qyost_2-1674668472642.png]

But that wouldn't exclude it from showing in pre-built reports and dashboards (such as the home page).  

To prevent the Alert from firing at all, I would clone the rule(s) that generate the alert and place the new rule immediately ahead of the cloned rule. Then I would add a source constraint of your pentest user and change the action to Allow.

[screenshot: qyost_3-1674668833482.png]

--
-Q.
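The clone-and-reorder approach above depends on first-match evaluation: the Allow rule only suppresses the alert if it sits ahead of the rule it was cloned from and keeps the same criteria. The following is an added illustration, not Netskope code, that simulates that ordering with a tiny first-match evaluator; the rule names, app categories and the `pentest.svc@example.com` account are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "Allow", "Alert" or "Block"
    users: Optional[frozenset] = None        # source-user constraint; None = any user
    activities: Optional[frozenset] = None   # None = any activity
    apps: Optional[frozenset] = None         # None = any app

    def matches(self, event: dict) -> bool:
        """A rule matches when every constraint it sets contains the event's value."""
        return all(
            allowed is None or event[key] in allowed
            for key, allowed in (("user", self.users),
                                 ("activity", self.activities),
                                 ("app", self.apps))
        )

def evaluate(rules: list, event: dict) -> Optional[str]:
    """First-match evaluation: the first rule whose constraints match decides."""
    for rule in rules:
        if rule.matches(event):
            return rule.action
    return None   # no rule matched, so nothing fires

PENTEST_USER = "pentest.svc@example.com"   # constructed placeholder account

# Constructed rule that generates alerts for uploads to an unsanctioned app.
ALERT_RULE = Rule("Alert: upload to unsanctioned app", "Alert",
                  activities=frozenset({"Upload"}), apps=frozenset({"Unsanctioned"}))

# Clone of ALERT_RULE: same criteria, plus a source-user constraint, action Allow.
EXCLUSION_RULE = Rule("Allow pentest user (clone)", "Allow",
                      users=frozenset({PENTEST_USER}),
                      activities=ALERT_RULE.activities, apps=ALERT_RULE.apps)

def exclusion_ahead() -> list:
    return [EXCLUSION_RULE, ALERT_RULE]   # correct ordering: exclusion wins

def exclusion_behind() -> list:
    return [ALERT_RULE, EXCLUSION_RULE]   # wrong ordering: the alert still fires

def event(user: str, activity: str = "Upload", app: str = "Unsanctioned") -> dict:
    return {"user": user, "activity": activity, "app": app}

if __name__ == "__main__":
    for order in (exclusion_ahead, exclusion_behind):
        print(order.__name__, evaluate(order(), event(PENTEST_USER)),
              evaluate(order(), event("alice@example.com")))
```

Because the clone keeps the original criteria, the pentest account is only excluded from this one rule; its other activity still falls through to whatever rules follow.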
myee
Netskope

Netskope has the ability to exclude by source user or group in a real-time policy. If you don't have this feature enabled in your tenant, reach out to your account team for help. Example shown below where a real-time policy is configured to apply to all users with an exclusion for the pen tester account.

[screenshot: Screenshot 2023-01-25 at 4.53.44 PM.png]
