Netskope Community
01-25-2023 09:04 AM
Hi all,
Wanted to get your thoughts on how to best approach something. We have a specific user account that's leveraged for internal pen testing. As expected, there are Real-time Protection Policies that fire off alerts for this account's activity when active.
We've had a request to see if it's possible to filter this account out of either the policies or the alerts. Is there currently a way to omit a given account from a specific policy or alert (triggering)?
01-25-2023 09:47 AM
On the alerts side, you could exclude it from SkopeIt and Analytics by explicitly excluding it via the search condition.
That could then be saved and set as a Shared Search.
But that wouldn't exclude it from showing in pre-built reports and dashboards (such as the home page).
To prevent the Alert from firing at all, I would clone the rule(s) that generate the alert and place the new rule immediately ahead of the cloned rule. Then I would add a source constraint of your pentest user and change the action to Allow.
01-25-2023 02:56 PM
Netskope has the ability to exclude by source user or group in a real-time policy. If you don't have this feature enabled in your tenant, reach out to your account team for help. Example shown below where a real-time policy is configured to apply to all users with an exclusion for the pen tester account.