Welcome to the Netskope One DSPM Knowledge Base

    Creating New Policies

    To create a new policy from scratch, click on the “Create a New Policy” button at the top right of the Policy Engine page. The policy editor will appear. This allows you to create a policy with no code.

    Basic Info

    On this page, you can:

    • Select Policy Type:  Netskope One DSPM supports the following policy types.
      • Data Store Discovered: Generates an alert when new Data Stores are discovered in Accounts that have Auto-Discovery enabled.
      • Classification:  Creates a Task when business-defined policy conditions are met.
      • Data Access: Generates an alert per Data Store per User when permissions to access a dataset are detected for a DB User/Employee.
      • Data Store Posture: Generates an Alert when Data Store-specific conditions are met, including Contained Data Tags and/or Contained Data Types.
      • Data Exfiltration:  Generates an alert when a query returned/produced sensitive data.
      • Privacy Violation:  Generates an alert when a query contains sensitive data that is used to target an individual’s data.
      • Data Modified:  Generates an alert when specific field(s) are modified by a query.

    NOTE: Each of these policy types can be customized with conditions that, when matched, generate an Alert or Task.

    • Name your policy:  Provide a short, descriptive name for the policy.
    • Describe your policy (optional):  Provide a more detailed description of the policy.
    • Severity:  The severity of the alert if/when the policy is triggered. You can select between Low, Medium, High, and Critical for all policies, with the exception of Classification policies (which generate Tasks rather than Alerts when triggered).
    • Categories:  You can (optionally) place your new policy in one or more policy categories. See the Policy Categories page to add additional Policy Categories.

    Policy Conditions

    On the Policy Conditions page, you can build the business logic of the policy.  

    You can include rules for the following metadata signals:

    • Employee related:
      • Individual Employees (which can be uploaded and managed in the Employee Directory)
      • Employee Tags (also managed in the Employee Directory)
      • Employee metadata that has been uploaded in the Employee Directory, such as Cost Center, Department, Division, or Manager
    • Data related:
      • Specific data sets in your data store
      • Sensitive data types
      • Data tags
      • Data sensitivity level
    • Data store related:
      • Data Store
      • Data Store Sensitivity
      • Data Tags (applied directly to the data store)
      • Contained Data Tags (applied at any level below the data store, from database/schema down to the fields / files)
      • Contained Data Types
      • Platform
      • Service
      • Field / File Count
      • Sensitive Field / File Count
    • Misconfiguration related:
      • Misconfiguration risk
      • Encryption
      • Backup
      • Publicly Inaccessible
    • Query related:
      • Day of week
      • Time of day
      • Number of rows produced
    • Any combination of the above, in arbitrary groups (with nesting) of ANDs and ORs

    A few notes on creating new conditions:

    • To create a new condition, simply click on “+” button to the right of the “AND/OR” button, and click “New Condition”.
    • To create a new group of conditions, click on the “+” button to the right of the “AND/OR” button and click “New Group.”
    • Click on “AND” or “OR” to control how conditions are joined.  For example, the rule “(Employee Risk Tag = Medium AND Rows Produced > 10,000) OR (Employee Risk Tag = High AND Rows Produced > 1,000)” is expressed in the policy editor as a top-level OR joining two groups, each of which contains two conditions joined by AND.

    Notes on Rows Produced:

    • In Netskope One DSPM, you can write policies based on the number of rows produced by a query.
    • Note:  some data stores do not return the number of rows produced. Also, the number of rows produced by a query is sometimes unknown (for example, when results are served from a cache).
    • If you are going to write a policy based on the number of rows produced, it is important to specify what happens when the number of rows produced is unknown; otherwise a query with an unknown row count will silently fail to match the condition. You can do one of two things:
      • Check the “Or Unknown” box to the right of the number of rows produced condition, so that condition also matches when the count is unknown.
      • Write a stand-alone condition that targets “Rows produced is unknown”.
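    The nested AND/OR rule above and the two ways of handling an unknown row count, as an added Python example (this is not Netskope code; the condition model, the field names such as employee_risk_tag and rows_produced, and the query-log records are constructed for illustration). It shows why the unknown case matters: without “Or Unknown”, a High-risk employee whose query returned an unknown number of rows never triggers the policy.

```python
"""Toy evaluator for nested AND/OR policy conditions (added example, not Netskope code).

Models the rule from the text:
  (Employee Risk Tag = Medium AND Rows Produced > 10,000)
  OR (Employee Risk Tag = High AND Rows Produced > 1,000)
and compares how a query with an unknown row count is treated
(a) with no unknown handling, (b) with "Or Unknown" ticked on the
row-count conditions, (c) with a stand-alone "Rows produced is unknown" rule.
Field names and events are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Any

UNKNOWN = None  # what a data store that reports no row count yields


@dataclass
class Condition:
    field_name: str
    op: str                    # "eq", "gt" or "is_unknown"
    value: Any = None
    or_unknown: bool = False   # the "Or Unknown" checkbox on numeric conditions

    def evaluate(self, event: dict) -> bool:
        actual = event.get(self.field_name, UNKNOWN)
        if self.op == "is_unknown":
            return actual is UNKNOWN
        if actual is UNKNOWN:
            # A comparison against an unknown value cannot match by itself;
            # it matches only when the author opted in via "Or Unknown".
            return self.or_unknown
        if self.op == "eq":
            return actual == self.value
        if self.op == "gt":
            return actual > self.value
        raise ValueError(f"unsupported operator {self.op!r}")


@dataclass
class Group:
    join: str                                   # "AND" or "OR"
    children: list = field(default_factory=list)  # Conditions or nested Groups

    def evaluate(self, event: dict) -> bool:
        results = [child.evaluate(event) for child in self.children]
        if self.join == "AND":
            return all(results)
        if self.join == "OR":
            return any(results)
        raise ValueError(f"unsupported join {self.join!r}")


def build_policy(or_unknown: bool) -> Group:
    """The rule from the text; or_unknown sets the checkbox on both row-count conditions."""
    return Group("OR", [
        Group("AND", [
            Condition("employee_risk_tag", "eq", "Medium"),
            Condition("rows_produced", "gt", 10_000, or_unknown=or_unknown),
        ]),
        Group("AND", [
            Condition("employee_risk_tag", "eq", "High"),
            Condition("rows_produced", "gt", 1_000, or_unknown=or_unknown),
        ]),
    ])


def build_policy_with_unknown_rule() -> Group:
    """Second option from the text: OR the rule with a stand-alone 'rows produced is unknown' condition."""
    return Group("OR", [build_policy(or_unknown=False),
                        Condition("rows_produced", "is_unknown")])


# Constructed query-log events; rows_produced=None means the store did not report a count.
EVENTS = {
    "medium_large": {"employee_risk_tag": "Medium", "rows_produced": 25_000},
    "medium_small": {"employee_risk_tag": "Medium", "rows_produced": 5_000},
    "high_small":   {"employee_risk_tag": "High",   "rows_produced": 1_500},
    "high_unknown": {"employee_risk_tag": "High",   "rows_produced": UNKNOWN},
    "low_unknown":  {"employee_risk_tag": "Low",    "rows_produced": UNKNOWN},
}


def evaluate_all(policy: Group) -> dict:
    """Return {event name: would the policy fire} for every constructed event."""
    return {name: policy.evaluate(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    variants = {
        "no unknown handling": build_policy(or_unknown=False),
        "Or Unknown ticked":   build_policy(or_unknown=True),
        "stand-alone rule":    build_policy_with_unknown_rule(),
    }
    for label, policy in variants.items():
        print(f"{label:20}", evaluate_all(policy))
```

    The three variants differ only on the unknown-count events: “Or Unknown” keeps the alert scoped to the employee tags in the rule (high_unknown fires, low_unknown does not), while the stand-alone condition fires for every query with an unknown count regardless of who ran it, which is noisier but also catches stores that never report counts.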

    Test Policy/ Policy Simulation

    A TEST POLICY button is available if you wish to run the simulation before saving; otherwise, the policy's first results will be logged as Alerts/Tasks on the next data store scan.

    Click the TEST POLICY button to test the conditions entered against the existing data and past logs. This shows you which violations (if any) would have triggered the policy retrospectively and allows you to go back and edit the policy. Note: this simulation is limited to 1000 results and could take several minutes, depending on the volume of data. You can close this window at any time to return to the Policy editor and finish creating the Policy.

    Workflows

    On this page, you can select the workflow(s) to associate with this policy. When a policy triggers an alert, workflows dictate who should be notified and through which channel. Associate an existing workflow by clicking the checkbox next to it. Click on the workflow name to see the details of the workflow. Only existing workflows can be associated with this policy; if you want to create a new workflow, click the icon at the top right to create one.
