The intention of this document is to level set on the base set of policies, policy grouping, and policy evaluation behavior that is generally applicable to all inline (CASB/NS-SWG) customers.
We are also working on runbooks to accompany each of the policy groups highlighted in the presentation, which will be posted in the near future.
Justin, this is by far the best approach I have ever seen to ensure interoperability between real time policy types. We have adopted this approach with our clients at Optiv and it has been a huge success. Thank you so much for taking the time to put this together and communicating it out there to the Netskope community.
Justin, this doc is great. I'm wondering if you can elaborate on the sanctioned instance tagging. In your doc you state "you have to tag the instance before you can set an instance id policy. instance_id !~ 'NULL'", which is how I've been identifying my sanctioned apps in the data, but how do you tag using that query so it can be used in a real-time policy?
Thanks for the question 🙂 It seems that the query needs to be modified post-R90 MP. You can leverage this skopeit query, [instance_id != '' ], under application events to pull up all of the events with an instance id. Then you can review the list to tag the instances that don't have an existing Instance Name associated with the detected instance_id.
Please let me know if this helps.