    Connecting to Azure Synapse Analytics Data Stores

    Overview

    Netskope One DSPM supports scanning Azure Synapse Analytics Data Stores. Follow these instructions to set up your Azure Synapse Analytics database and configure its connection to Netskope One DSPM.

    Create Netskope One DSPM Service Principal

    Begin by configuring an Azure Synapse Analytics service principal app registration dedicated to Netskope One DSPM's use. Then grant the app registration IAM access to the relevant resources: Synapse Analytics and any file/data storage that Synapse is expected to read from.

    The following steps may require the assistance of your local database administrator.

    Register Netskope One DSPM App Service Principal

    1. Log in to your Azure portal and search for App registration.
    2. Click New Registrations and complete the registration by providing an app Name. It is recommended to include "Netskope One DSPM" in the name to make it easier to identify.
    3. Go to the Overview of the created app and capture the Application ID and Tenant ID (Directory ID).
    4. From the Netskope One DSPM app Overview, navigate to Certificates & secrets and click New client secret.
    5. Enter a Description and the validity of the secret.
    6. Click Add to create the secret. Copy and capture the secret value as the Application Secret. The secret is never shown again after this step.
    7. Additionally, the app registration needs to allow MSAL redirects. Navigate to Authentication, click Add a platform and select Mobile and desktop applications.
    8. Select the third checkbox and click Configure.

    Grant Application Access

    This step differs slightly depending on the Azure storage service being used. The steps below illustrate the default Azure Data Lake Storage Gen2 storage.

    1. Open Synapse Studio, navigate to the Manage section and click Add.
    2. Add the role Synapse Administrator, search for the app registration created above and click Apply.
    3. Search for and navigate to Storage accounts, then click the storage account to be granted access.
    4. Navigate to Access Control (IAM) and click Add role assignment.
    5. Search for the role Storage Blob Data Reader, select it and move to the next tab, Members.
    6. Click Select Members, search for the app registration created above and click Select.
    7. Click Review + assign. The app should now be visible in the role assignments.

    Repeat storage account access steps 3 to 7 for each additional storage account.

    Create SQL User

    An administrator will need to run the following commands on the Synapse workspace:

    For Serverless:

    1. On each non-master database, run:
        CREATE USER [Netskope One DSPM_application] FROM EXTERNAL PROVIDER;
        ALTER ROLE db_datareader ADD MEMBER [Netskope One DSPM_application];

    For Dedicated:

    1. On each non-master database, run:
        CREATE USER [Netskope One DSPM_application] FROM EXTERNAL PROVIDER;
        EXEC sp_addrolemember 'db_datareader', [Netskope One DSPM_application];
    2. Additionally, on the master database, run:
        CREATE LOGIN [Netskope One DSPM_application] WITH PASSWORD = '<secure password here>';
        CREATE USER [Netskope One DSPM_application] FROM LOGIN [Netskope One DSPM_application];
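
    To confirm the result of the commands above, the following queries list the scanner user's principal type, role memberships and direct permissions from the standard catalog views. This is an added example, not part of the Netskope documentation, and it assumes the user name shown on this page.

```sql
-- Added verification example; not from the vendor's documentation.
-- Run in each non-master database where the user was created.
-- The user name is the one used on this page; change it if yours differs.

-- 1. The principal exists; type_desc shows whether it is an external
--    (directory) user or a SQL user.
SELECT name, type_desc, create_date
FROM sys.database_principals
WHERE name = N'Netskope One DSPM_application';

-- 2. Database roles the principal belongs to. The steps above add it to
--    db_datareader only; any other role listed is beyond what this page grants.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'Netskope One DSPM_application';

-- 3. Permissions granted or denied directly to the principal, outside roles.
--    CREATE USER grants CONNECT; anything else was granted separately.
SELECT pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS p ON p.principal_id = pe.grantee_principal_id
WHERE p.name = N'Netskope One DSPM_application';
```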

    Retrieve Connection Information

    In addition to configuring a service account, Netskope One DSPM will also require additional information in order to communicate with your Azure Synapse Analytics database. Please follow the steps below to identify the connection values for later use within Netskope One DSPM.

    | Highlight Color | Corresponding Netskope One DSPM Value | Example |
    |---|---|---|
    | Grey | Data Store Endpoint | |
    | Red | SQL Pool Type | |

    Connect Your Data Store

    1. Log in to the Netskope One DSPM platform.
    2. Navigate to Data Stores → Data Store Inventory.
    3. Use the Discovered tab, then click the CONNECT button under Actions to connect a discovered data store. You'll immediately see the Credentials tab with some fields automatically populated.
    4. Alternatively, click the CONNECT A DATA STORE button in the upper right to select a data store type and go through the data store connection UI manually.

    1. The Connect a Data Store modal is displayed, starting with the SELECT DATA STORE tab.
    2. Click on the icon for the Data Store Type you wish to connect. The modal will auto-navigate you to the next tab.
    3. On the PROVIDE CREDENTIALS tab, complete the following fields:
    | Field | Value |
    |---|---|
    | Azure Account Name | Select one of the Azure Accounts defined within the Infrastructure Section screen. The field will default if there is just one Azure account configured. |
    | Data Store Identifier | Friendly name to describe this Data Store. Your value is displayed in other Netskope One DSPM screens such as Policy Management and Classification Management. |
    | Data Store Endpoint | Enter the corresponding value from the prior section above. |
    | SQL Pool Type | Enter the corresponding value from the prior section above. |
    | Principal ID | Application ID captured in step 3 of the Create Netskope One DSPM Service Principal section. |
    | Principal Secret | Application Secret captured in step 6 of the Create Netskope One DSPM Service Principal section. |
    | Scan Frequency | Controls how often your Data Store is reviewed for changes. Netskope One DSPM's recommended frequency is defaulted, which you can override (if desired). |
    | Sidecar Pool | If you will use sidecars to monitor this data store, select a sidecar pool with network visibility to said data store. This field is displayed when there is at least one defined sidecar pool. To learn more, please visit our Sidecar Administration article. |

    1. Click the NEXT button. The SELECT CAPABILITIES tab is displayed.
    2. Complete the following fields:
    • Assign a Data Owner (optional): define one or more Platform Users responsible for this Data Store and its data sets.
    • Which databases should Netskope One DSPM scan?: utilize the field’s picklist control to select which databases & schemas should be monitored by the Netskope One DSPM application. By default, all databases & schemas are selected.
    • Features: Netskope One DSPM’s recommended feature selections will be defaulted, which you can override if desired. Some features are always-on, some are not applicable (with disabled toggles), while others may request additional configurations.
    | Capability | Supported for Azure Synapse Analytics |
    |---|---|
    | Discovery | Yes (always-on) |
    | Privilege Analysis | Yes |
    | Shadow Data Analysis | No |
    | Classification | Yes |
    | Data In Use Monitoring | Yes (custom query logs only) |
    | Automation | Yes (always-on) |

    1. Click the SAVE button, which will navigate you to the next tab.
    2. On the REVIEW tab, Netskope One DSPM will validate your credentials and capability selections. In the event of any issues, follow the on-screen instructions to remediate the displayed warnings or errors.
    3. Click the SAVE button to finalize your connection.
