
Netskope Security Cloud Operation and Administration
Version 24.02
2024 © Netskope. All Rights Reserved.
Welcome to the Netskope Security Cloud Operation and Administration Course.
Introduction
To begin with, let’s take a look at the subject matter this course covers, as well as definitions of a few Netskope 
terms which you’ll encounter frequently throughout the course.
Class Agenda
1. Netskope Security Cloud Platform
2. Architecture
3. Cloud Confidence Index (CCI)
4. API-enabled Protection
5. Policies*
6. Netskope Client*
7. Threat Protection*
8. Reporting
9. Netskope Advanced Analytics*
10. Netskope Digital Experience Management (DEM)
11. IaaS*
12. Web Security*
13. Netskope Cloud Firewall*
14. Role-Based Access Control
15. Netskope Borderless SD-WAN
16. Netskope IoT Security
* = Lab Included
This course includes sixteen chapters. We’ll cover such subjects as the Netskope Security Cloud Platform and its 
architecture, and how to monitor and protect cloud storage, endpoint computers, and Infrastructure-as-a-Service. 
We’ll also discuss Netskope products such as Advanced Analytics, Borderless SD-WAN, and IoT Security.
Netskope terminology
Managed device
A device that has the Netskope client installed on it and that passes checks as defined in 
the device classification policy.
Unmanaged device
A device that either does not have the Netskope client installed on it or does not pass 
device classification checks.
Managed/sanctioned application instance
An application instance over which the IT team has administrative control. Administrative 
control is necessary to enable API data protection for the application instance.
Unmanaged/unsanctioned application instance
An application instance over which the IT team does not have administrative control and 
therefore cannot have API-enabled protection applied to it.
A few Netskope terms used frequently throughout this course require a bit of clarification. First, let’s define what 
we mean by managed and unmanaged devices. Classifying devices as managed or unmanaged makes it possible 
to use real-time protection policies to perform different types of content inspection, and to apply different actions 
based on device classification status. Normally, only corporate devices can be managed, because an organization 
cannot install software on devices it does not own. However, an organization may require contractors to install 
certain software (such as the Netskope client) and satisfy classification rules before they are permitted to access 
any of the organization’s internal resources. So in the context of this course, a managed device has the Netskope 
client installed and passes checks as defined in a device classification policy, while unmanaged devices are 
everything else.
With cloud applications, the situation is more complicated. However, at a basic level, a managed or sanctioned 
application is an application instance over which the IT team has administrative control. This level of control is 
necessary to give the Netskope tenant access to the cloud application's API. Netskope supports API-enabled 
protection for a limited but constantly growing set of cloud applications.
Netskope Security Cloud Platform
Welcome to the Netskope Security Cloud Platform chapter in our Netskope Security Cloud Operation and 
Administration Course.
Objectives
• Describe the platform on which the Netskope Security Cloud is built
• Discuss the components of the Netskope Security Cloud Platform
The objectives of this chapter are to describe the platform on which the Netskope Security Cloud is built, as well as 
discuss the individual components of the Netskope Security Cloud Platform.
Netskope Security Cloud Platform
Supporting users connecting from anywhere is driving cloud transformation. It’s changing how work gets done as 
everything is becoming more intuitive, connected, open, and collaborative, and that change is reflected across 
SaaS, IaaS, and web environments, creating new challenges and risks. Netskope Security Cloud addresses these 
new challenges and risks, providing a platform for the convergence of security solutions, the Security Service 
Edge (or SSE), by protecting data and users wherever they are, across cloud, web, and private apps.
SkopeAI: Unlock the Potential of AI Across the Portfolio
● Discover newly connected devices and gain deeper insights into device context, activities, and behavior.
● Detect behavioral anomalies, threats, and vulnerabilities in real time.
● Optimize network access through enterprise-wide predictive insights.
● Perform WAN access anomaly detection, app performance flow analytics.
● Detect unpredictable and risky user behavior.
● Identify insiders’ anomalous behavior, compromised accounts, data exfiltration.
● Discover and govern the use of generative AI and novel SaaS apps.
● Protect sensitive data across apps like ChatGPT, and coach employees in real time.
● Prevent evasive attacks, polymorphic malware, new phishing, and zero-day threats.
● Perform faster detection and categorization of malware, web domains, URLs, and web content.
● Use pre-trained ML classifiers to automatically protect unstructured data with high reliability and speed.
Areas: SD-WAN Optimization; Generative AI and SaaS; SkopeAI Data Protection; Device Access Intelligence; AI/ML Threat Protection; User and Entity Behavior Analytics
To automatically adapt to the ever-growing data landscape and the corresponding widespread adoption of 
generative Artificial Intelligence and new AI-driven attacks, Netskope has built sophisticated Machine Learning and 
AI capabilities into the Netskope Security Cloud platform. These capabilities, collectively called SkopeAI, provide 
superior and highly responsive security for the data and users in your environment.
SkopeAI provides protection in six areas:
• SkopeAI Data Protection employs pre-trained Machine Learning classifiers to identify sensitive information in 
both structured and unstructured textual data, including specific document types such as patents, merger and 
acquisition contracts, tax forms, and source code, as well as images such as desktop screenshots, whiteboards, 
passports, IDs, and more.
• SkopeAI Threat Protection delivers superior results and speed, in detecting multivarious attacks, polymorphic 
malware, new phishing web domains, zero-day threats, and malicious web content.
• Netskope CASB delivers Machine-Learning-based risk categorization of generative Artificial Intelligence and 
new SaaS apps and discerns app instances, such as corporate versus personal instances.
• Netskope User and Entity Behavior Analytics uses Machine Learning to detect elusive anomalous behavior 
patterns, including malicious insiders, compromised accounts, brute force attacks, and data exfiltration.
• SkopeAI enhances network access and performance with Machine Learning

become accessible to users later. Similarly, an app that is accessible to users today because it is at the “High” level might be blocked later if 
the app's CCI score drops because changes to features have negatively impacted the app's enterprise-readiness, 
or because the app has been involved in a serious data breach.
CCI Certifications/Standards
Apps compliance and data center certifications
• Compliance: HIPAA, PCI
• Data Center Standards: SOC 1, SOC 2, ISO 27001
System and Organization Controls 2 (SOC 2)
Built on a set of Trust Services Principles:
• The security, availability, and processing integrity of a service organization's system
• The system's ability to securely protect and process information designated as confidential
• The system's ability to collect, use, retain, disclose, and destroy personal information in 
accordance with the organization's privacy and legal requirements
Here are some of the industry certifications and standards that Netskope considers when assessing the 
enterprise-readiness of cloud apps.
On the compliance front, Netskope checks to see if an app complies with such standards as HIPAA and PCI. For 
data center certifications, Netskope evaluates whether an app is certified for SOC 1, SOC 2, or ISO 27001.
Each of these standards is composed of subsets of principles that govern the security design of IT systems. For 
example, the SOC 2 (or System and Organization Controls 2) standard for data centers is built on the following 
trust principles:
• The security, availability, and processing integrity of a service organization's system
• The system's ability to securely protect and process information designated as confidential
• The system's ability to collect, use, retain, disclose, and destroy personal information in accordance with the 
organization's privacy and legal requirements
App Usage and CCL History
Let’s take a few moments to look at the areas in the Cloud Confidence Index user interface where you can view 
app usage and CCL history, compare apps, and generate reports. To begin with, when you search for an app and 
click the app's name in CCI, you are taken to the app details page. On the Usage and Risk tab, you can view 
information about the top users of the app and the amount of bytes downloaded and uploaded. Additionally, you 
can view a history of how an app’s Cloud Confidence Level has changed over time, providing insights into whether 
the app’s creators are actively working to improve the security of the app or not.
Comparing applications
The Cloud Confidence Index also enables you to compare information for up to three applications. The information 
compared among the three apps includes:
• The CCI score
• Tags that have been applied to the apps
• The number of users and sessions for each app
• Bytes downloaded and uploaded
• Monthly pricing information, if available
• Attribute differences
To compare applications:
1. Search for an application and click the app in the search results.
2. In the upper-right area of the first application’s details page, click Compare.
3. In the Compare Applications dialog, search for and select up to two more applications, then click Compare.
Note that differences in attribute values are indicated by blue dashed boxes around the differing attributes in the 
columns for the second and third applications.
Cloud Confidence Index: PDF report
On an application’s details page, you can choose to create a CCI report in PDF format. This report includes such 
information as:
• CCI findings
• Usage details
• Similar apps by session
• Top users by session
• Pricing details, if available
To create a report:
1. From the Export drop-down menu, select Download As PDF.
2. Choose whether to include top users by session in the report.
3. Click Download.
API-enabled Protection
Welcome to the API-enabled Protection chapter in our Netskope Security Cloud Operation and Administration 
Course.
Objectives
• Discuss use cases for API-enabled Protection
• Explain how API-enabled Protection works
• Show how to set up API-enabled Protection
• Search for, filter, and modify content, and discuss violations and exposure
The objectives of this chapter are to discuss API-enabled Protection use cases, explain how this technology 
works, and show how to set up API-enabled Protection and perform various tasks.
API-enabled Protection
• Overview of API-enabled Protection
• Configuring API-enabled Protection
First, let’s look at an overview of API-enabled Protection.
Introduction to API-enabled Protection
• Integrate with APIs of managed applications
– Out-of-band deployment model 
– Direct connection from Netskope to managed application instance
– Provides “introspection” visibility and policy enforcement
– Leverages APIs published by the SaaS provider (supported functionality depends on API functionality 
offered by SaaS provider)
– Leverages the OAuth 2.0 protocol
• Discover sensitive data in managed cloud storage or CRMs
– Use predefined or custom DLP profiles 
– PII, PHI, PCI, or other confidential profiles
Deployment options (reconstructed from the slide table; a bullet marks a supported combination):

| Deployment Option | Access Method: mobile app, desktop app, sync client | Access Method: browser | User Location: remote | User Location: on-premises |
| Out-of-band / API-enabled Protection | • | • | • | • |
API-enabled Protection is able to integrate with the APIs of managed cloud applications to provide out-of-band 
protection. Because it directly connects Netskope to managed SaaS instances, API-enabled Protection requires 
full administrator access to these instances. Once this connection is established, Netskope has visibility into your 
managed cloud apps and can enforce policies to protect the data stored on these applications.
Note that since API-enabled Protection leverages the APIs published by the SaaS provider, the actions you can 
perform on files stored in your managed cloud apps depends on the specific functionality the SaaS provider has 
built into its APIs. For example, one SaaS provider might enable you to use their API to place files in a legal hold 
folder, while another provider might not.
API-enabled Protection leverages the OAuth 2.0 authorization framework, which gives a third-party application 
limited access to an HTTP service, either by orchestrating an approval interaction between the resource owner and 
the HTTP service (the three-legged OAuth model) or by allowing the third-party application to obtain access on its 
own behalf (the two-legged OAuth model). An advantage of using OAuth 2.0 is that even if the password for 
logging in to the cloud service changes, reauthorization is not required, because Netskope does not store 
passwords, just the tokens that are part of OAuth.
API-enabled Protection discovers sensitive data in managed cloud storage or customer relationship management 
systems using either predefined or custom DLP profiles, such as Personally Identifiable Information, Protected 
Health Information, Payment Card Industry information, or other confidential profiles.
Once API-enabled Protection is connected to your managed SaaS apps, it can protect data at rest regardless of 
the user’s location or how they are accessing the SaaS apps. Users can be located either on premises or at a 
remote location, and they can be accessing the SaaS apps from their web browser, from a mobile or desktop app, 
or through a sync client. Ultimately, once data is uploaded to the managed SaaS app, API-enabled Protection can 
both scan and protect this data.
API-enabled Protection: Use Cases
• Visibility:
– Inventory all users, files and content at rest within your managed apps 
– Verify external access to files and folders
– See full file audit trail and version history
• Data Security:
– Identify sensitive content and potential risks 
– Revoke access to or encrypt sensitive data
– Configure ongoing policies to scan folders for sensitive content and take 
corrective actions
The use cases for API-enabled Protection fall under two categories—visibility and data security.
To provide visibility, API-enabled Protection creates an inventory of your users’ files and folders on managed SaaS 
storage. It also inspects file and folder ownership and sharing levels to identify gaps in security, so that appropriate 
remediation can be performed, such as taking ownership of sensitive content and changing sharing levels. API-
enabled Protection also provides visibility into the full audit trails and versioning histories for individual files. This 
enables you to track all the file activities that have been performed, such as uploads, downloads, shares, views, 
and deletions. It also enables you to see when file versions have changed so the updated files can be re-scanned 
to detect new sensitive data or potential malware infections.
To provide data security, API-enabled Protection scans the contents of files in cloud storage to detect sensitive 
data as defined by DLP profiles and rules. When such data is found, it can then revoke access to files, encrypt 
files, or take other actions supported by the SaaS provider’s APIs. Additionally, you can configure ongoing scans 
and run policies to ensure cloud storage repositories remain clean after they've been provisioned.
Classic API-enabled Protection: Instance Dashboard
The main interface for visualizing your company’s data and the users accessing it
Main graphs:
• File Exposure
• File Types
• File DLP Violations
• Shared External Domains
• Internal Sub Domains (Google Drive)
• File Source, Channel Type (Slack)
• File list (click for details)
Reporting:
• Scheduled (email)
• PDF (download or email)
• CSV Export
The screenshot on the slide shows the API-enabled Protection dashboard, with statistics for a Dropbox application 
instance. These statistics include the amount of publicly-shared content on the instance, file types, file names, 
detected DLP violations and malware, and more.
The dashboard provides deep insights on all files and users within the CASB app instance. Administrators can use 
the dashboard to perform ad-hoc, real-time queries that can quickly group, filter, and drill down on contextualized 
transaction information across an organization’s cloud activities, both at a high level and with granular detail.
Once you have connected a managed CASB app instance to the Netskope tenant, the API-enabled Protection 
dashboard is automatically populated with the relevant files and user data. An API-enabled Protection policy with a 
DLP profile is needed to view relevant violation information.
The dashboard has Files, Internal Users, and External Users pages for all the apps except for Amazon Web 
Services, Microsoft Azure, Workplace by Facebook, Slack, and ServiceNow, all of which have unique pages. 
Google Drive has an additional page for Google Ecosystem, and Salesforce has an additional page for Key 
Management. There are also app-specific pages for AWS, Azure, Gmail, Slack, Outlook, and Cisco WebEx 
Teams.
Once you log in to the Netskope UI tenant, click API-enabled Protection in the left navigation pane to display a list 
of apps, then click an app to view its specific dashboard statistics.
Classic API-enabled Protection: Filters
• Create filters 
• Quickly find data
• Expand categories
• To remove filters:
– De-select in filter menu
– Click selected filter’s “X” button
You can use filters to quickly find specific details among the large amounts of data collected by API-enabled 
Protection, which is especially useful when your cloud storage repositories have hundreds of thousands of files 
stored on them. Filters are page-specific, so the filters shown in the screenshot on the slide apply specifically to 
the Files page. Filters are organized by categories, such as File ID, path, type and size, owner, exposure, and 
more. When you see a magnifying glass icon next to an item in the filter menu, you must enter the specific value 
you want to filter by, such as a file ID or path. To select other types of filters, expand a category and place a 
checkmark next to the filter you want, then click Apply. To remove a filter from your list of selections, either de-
select the filter in the filter menu, or click the filter’s “X” button.
Classic API-enabled Protection: Take Action
• Take immediate (bulk) action to mitigate risk
• Select one or more files
• Supported actions vary by application
You can take actions on files discovered by API-enabled Protection by selecting one or more files. This activates 
the Take Action drop-down list and lets you choose an action. The options that are displayed in the Take Action
list in the screenshot on the slide are the actions that are available with the Box API. The available actions will vary 
depending on the CASB app you are connected to and what its API allows you to do.
To view a list of all possible actions for managed cloud apps, browse to docs.netskope.com and search for:
API Data Protection policy actions
Classic API-enabled Protection: User Dashboard
Drill down to view details about users who are accessing data.
You can also drill down into the CASB app’s internal and external users. In the screenshot at the top of the slide, 
you can see the number of internal users who have accessed files in the CASB app. Clicking on the number takes 
you to the Users page, where you can view the individual users, how many files they own, how many of those are 
public files, and how many files have non-expiring links. You can also export the data, as well as download, email, 
or schedule a PDF report. Additionally, you can click a username to see more details about the user.
Next Gen API-enabled Protection: Content Inventory
API-enabled Protection > CASB API (Next Gen) > Inventory
• Bird’s-eye view of all Next Gen applications’ content at once
• Content is a high-level abstraction that combines files, messages, comments, and pages, depending on the application
• Use filters to “slice and dice” the view
• Take manual actions depending on the application
In parallel to maintaining and developing the Classic API-enabled Protection framework, Netskope has introduced 
and is rapidly expanding a Next Gen API-enabled Protection framework. Next Gen will eventually replace Classic, 
and all apps from the Classic version will be migrated to the Next Gen framework. For the time being, the two 
frameworks co-exist. New apps are being added to Next Gen, while apps already available in Classic are being 
migrated to Next Gen independently of each other. During this migration process, you may see the same app 
available under both frameworks.
One of the advantages of the Next Gen framework is the introduction of high-level abstractions to allow for a 
unified view of all managed apps on the same page. The fact that a cloud storage app such as Box operates on 
files and folders, while a collaboration app such as Slack operates on files as well as messages and channels, led 
to different and app-specific instance dashboards in the Classic framework. Next Gen combines different content 
entities such as files, messages, comments, or pages, under a higher-level abstraction of content and presents all 
these different kinds of content in a single table view.
Next Gen API-enabled Protection: Content Collections
API-enabled Protection > CASB API (Next Gen) > Inventory
A common abstraction for:
• Channels (MS Teams)
• Folders (MS SharePoint)
• Repositories (GitHub)
• Wikis (Atlassian Confluence)
Similarly to how the Next Gen API-enabled Protection framework groups individual items such as files and 
messages under high-level abstraction content, it also introduces the higher-level concept of “content collections” 
which organize the content for different apps into channels, folders, repositories, and wikis.
API-enabled Protection: Detecting Changes
• Netskope API-enabled Protection uses a polling model
– New files are detected max 5 minutes after being uploaded
– DLP scans happen every 20 minutes on new content
• Many vendors also support Webhooks
– Changes are pushed to Netskope
– Near instant detection of newly uploaded content
After API-enabled Protection has made a full inventory of all files and folders on a managed SaaS app, it uses two 
different methods to keep track of subsequent changes.
The first method is polling, which API-enabled Protection uses by default. Every 5 minutes, it polls the SaaS app to 
see if there have been any changes. If the app responds in the affirmative, API-enabled Protection scans the new 
items. Additionally, API-enabled Protection performs DLP scans on new files every 20 minutes.
The second method uses Webhooks. This method provides near real-time change detection because the SaaS 
app pushes a notification to Netskope as soon as it detects a change, and API-enabled Protection responds by 
immediately scanning the item. Although this is the preferred method, it is not the default because not all SaaS 
vendors support Webhooks.
Polling vs Webhooks

Polling:
  Netskope → Service Provider: Did anything change?
  Service Provider → Netskope: No
  Netskope → Service Provider: Did anything change?
  Service Provider → Netskope: Yes, Item X
  Netskope → Service Provider: Give details on Item X
  Service Provider → Netskope: Here you go

Webhooks:
  Service Provider → Netskope: Item X has changed
  Netskope → Service Provider: Give me details on Item X
  Service Provider → Netskope: Here you go
  (repeated for each change the provider detects)
The diagrams on this slide illustrate the workflows for both the polling and Webhooks methods used by API-
enabled Protection to check for changes on SaaS apps.
With the polling method, Netskope initiates the communication with the SaaS service provider and asks if anything 
has changed. If the provider responds with a “no”, a 5-minute timer is started. After 5 minutes elapses, Netskope 
again asks the service provider if there have been any changes since the last request. If the provider responds 
with a “yes”, Netskope asks for details about the changed item, which the provider supplies. At that point, API-
enabled Protection scans the changed item.
With Webhooks, the service provider initiates the communication with Netskope by sending a notification 
whenever a change occurs. Netskope asks the service provider to provide details about the changed item, the 
provider supplies the requested information, and API-enabled Protection inspects the changed item. This process 
repeats itself each time the service provider detects a change.
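As an added illustration that is not part of the course material, the Python simulation below plays out both exchanges from the diagram (and the Detecting Changes slide before it) against a constructed mock provider and measures how long each upload waits before its DLP scan. The 5-minute poll and 20-minute DLP scan periods come from the text; the scheduling rule (a polled item waits for the next periodic DLP scan, a Webhook-delivered item is scanned on arrival), the mock provider and the sample upload times are my assumptions.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Periods stated in the course text.
POLL_INTERVAL_MIN = 5.0       # "Every 5 minutes, it polls the SaaS app"
DLP_SCAN_INTERVAL_MIN = 20.0  # "DLP scans on new files every 20 minutes"

# One line of the exchange: (minute, sender, message).
Message = Tuple[float, str, str]


@dataclass
class MockProvider:
    """Constructed stand-in for a SaaS provider's change API (not any real vendor API).

    `uploads` maps an item name to the minute (since the instance was connected)
    at which that file was uploaded.
    """
    uploads: Dict[str, float]

    def changed_since(self, since: float, until: float) -> List[str]:
        """Answer 'Did anything change?' for the window (since, until]."""
        return sorted(item for item, t in self.uploads.items() if since < t <= until)

    def details(self, item: str) -> dict:
        """Answer 'Give details on Item X'."""
        return {"item": item, "uploaded_at": self.uploads[item]}


def next_tick(t: float, interval: float) -> float:
    """Smallest multiple of `interval` that is >= t (the next periodic run)."""
    return math.ceil(t / interval) * interval


def run_polling(provider: MockProvider, horizon_min: float) -> Tuple[List[Message], Dict[str, float]]:
    """Polling model: Netskope asks every POLL_INTERVAL_MIN minutes.

    Returns the transcript and, per item, the minute at which its DLP scan runs.
    Assumption (ours): an item found by polling waits for the next periodic DLP scan.
    """
    transcript: List[Message] = []
    scanned_at: Dict[str, float] = {}
    last_poll = 0.0
    t = POLL_INTERVAL_MIN
    while t <= horizon_min:
        transcript.append((t, "Netskope", "Did anything change?"))
        changed = provider.changed_since(last_poll, t)
        if not changed:
            transcript.append((t, "Service Provider", "No"))
        for item in changed:
            transcript.append((t, "Service Provider", f"Yes, {item}"))
            transcript.append((t, "Netskope", f"Give details on {item}"))
            provider.details(item)
            transcript.append((t, "Service Provider", "Here you go"))
            scanned_at[item] = next_tick(t, DLP_SCAN_INTERVAL_MIN)
        last_poll = t
        t += POLL_INTERVAL_MIN
    return transcript, scanned_at


def run_webhooks(provider: MockProvider) -> Tuple[List[Message], Dict[str, float]]:
    """Webhook model: the provider pushes each change as it happens and the
    item is fetched and scanned immediately."""
    transcript: List[Message] = []
    scanned_at: Dict[str, float] = {}
    for item, t in sorted(provider.uploads.items(), key=lambda kv: kv[1]):
        transcript.append((t, "Service Provider", f"{item} has changed"))
        transcript.append((t, "Netskope", f"Give me details on {item}"))
        provider.details(item)
        transcript.append((t, "Service Provider", "Here you go"))
        scanned_at[item] = t
    return transcript, scanned_at


def scan_latency(provider: MockProvider, scanned_at: Dict[str, float]) -> Dict[str, float]:
    """Minutes between upload and DLP scan for every item the model saw."""
    return {item: scanned_at[item] - provider.uploads[item] for item in scanned_at}


# Constructed sample: three uploads at 7, 19.5 and 40 minutes after connection.
SAMPLE_UPLOADS = {"Item X": 7.0, "Item Y": 19.5, "Item Z": 40.0}


def main() -> None:
    provider = MockProvider(dict(SAMPLE_UPLOADS))
    for name, (transcript, scanned) in (
        ("Polling", run_polling(provider, horizon_min=60.0)),
        ("Webhooks", run_webhooks(provider)),
    ):
        print(f"--- {name} ---")
        for minute, sender, text in transcript:
            print(f"t={minute:5.1f}  {sender:>16}: {text}")
        for item, lat in scan_latency(provider, scanned).items():
            print(f"{item}: scanned {lat:.1f} min after upload")


if __name__ == "__main__":
    main()
```

Under polling, Item X uploaded at minute 7 is only reported at the minute-10 poll and then waits for the minute-20 DLP run, while the same upload under Webhooks is scanned at minute 7.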
API-enabled Protection
• Overview of API-enabled Protection
• Configuring API-enabled Protection
Now let’s discuss how to configure API-enabled Protection.
Overview of API-enabled Protection Configuration
Settings > Configure App Access > Classic or Next Gen
Connect your Netskope instance to your managed SaaS app.
• Select the application.
• Start the authorization process by clicking Setup Instance.
Classic: Application integrations built on the first-generation API-enabled Protection platform.
Next Gen: Application integrations built on the newer API-enabled Protection platform.
Applications will be gradually upgraded from Classic to Next Gen.
API-enabled Protection is configured in your Netskope tenant by navigating to Settings > Configure App Access
and then clicking either Classic or Next Gen. The Classic page shows SaaS apps that use Netskope’s first-
generation API platform to connect, while the Next Gen page shows apps that are able to connect using 
Netskope’s latest API platform. All Classic apps will gradually be upgraded to the Next Gen API platform and 
retired from the Classic platform. Consequently, if you are compelled to configure an app connection on the 
Classic page today because your app does not yet have a Next Gen option, Netskope recommends setting up a 
new connection as soon as that app becomes available on the Next Gen page to avoid a service disruption when 
the Classic connector is retired.
There are several differences between the Classic and Next Gen pages as to how app connections are configured, 
so first we’ll discuss how to configure access on the Classic platform. Once you are on the Classic page, make 
sure that the SaaS tab is selected at the top of the page. Next, select the app you want to connect to and click 
Setup Instance.
Configuring Classic API-enabled Protection
• Enter the following:
– Application instance details
– Instance name (used throughout 
Netskope tenant interface)
– Email address of app admin account
• Supported functionality for each 
instance:
– CASB API
– Quarantine
– Legalhold
– Malware
– Forensic
The next step in setting up the SaaS app instance is to provide the details Netskope needs in order to configure 
the API connection.
First, specify a name for the instance. This is the name that will identify the app in dashboards, events, incidents, 
and reports in the Netskope tenant.
Next, under Instance Type, select the types of API functionality that you want to use with the app instance. As 
mentioned earlier, the available options may vary from one app to another because not all apps offer the same API 
functionality. To illustrate, we will use Box as our example. As shown in the screenshot on the slide, 5 different API 
functions are supported for Box. The CASB API option allows Netskope to scan the Box instance to create an 
inventory of files and users and to inspect files. The Quarantine and Legalhold options enable Netskope to move 
files into correspondingly-named folders when DLP scans find that the files contain sensitive content, or they hold 
information that must be retained for pending litigation. The Malware option enables Netskope to scan files for 
malware infections, and the Forensic option lets Netskope move files into a forensics folder for further 
investigation after they are found to violate DLP policies. Note that when you select the Quarantine, Legalhold, and 
Forensic options, Netskope will automatically create corresponding folders on Box.
Finally, specify the email address of a Box administrator who has full access rights to the app, and confirm that 
you have completed the prerequisite configurations on the Box app itself, such as setting up Box Event Stream 
and enabling a JSON Web Token.
Once you have supplied all the needed information, click Save.
Authorizing Classic API-enabled Protection
• Disable popup blockers and verify you are not logged in to the SaaS app as a different user.
• Click Grant Access.
• Log in to the app with the admin account whose email address you specified earlier and 
approve access rights when prompted.
The app should now show up in the SaaS app list in your Netskope tenant. However, notice that there is a red icon 
with an “X” to the left of the app, indicating that a connection has not yet been established. The next step is to 
actually log in to the app and establish the connection. Before you attempt this, however, make sure you disable 
popup blockers in your web browser. Also, you may need to close all your browser tabs to ensure that you are not 
currently logged in to the SaaS app as a different user.
Once you have done these things, click the app’s Grant Access button. A browser window should pop up, asking 
you to enter the username and password of the app administrator whose email address you specified earlier. This 
should be followed by a screen asking you to verify that you want to give Netskope various access rights to the 
app.
Verifying Authorization of Classic API-enabled Protection
• If successful:
– A green checkmark 
appears next to the 
instance name.
– If you still see a red 
checkmark, refresh 
the page.
– The account used to 
authorize “secure 
delegated access” 
receives an email.
• Inventory of users, 
files and folders 
starts automatically.
After you have successfully logged in to the SaaS app and approved all requested access rights, return to the 
SaaS app list in your Netskope tenant and verify that the app’s red “X” icon has changed to a green checkmark 
icon. You may need to refresh your browser to see these changes. At this point, Netskope automatically begins 
scanning the app and making an inventory of all users, files, and folders.
Streamlined instance setup
• No instance type selection
• Granting access is implicit in 
the setup
Next Gen API-enabled Protection
Setting up a managed application instance for the Next Gen API platform is similar to the process for the Classic 
API platform, but there are a number of differences. To set up a Next Gen app instance, perform the following 
steps:
First, on the Next Gen page, select the CASB API tab.
Next, select the SaaS app you want to manage.
Next, click Setup CASB API Instance. Follow any instructions that are displayed and provide instance details as 
requested.
Next, click the Grant Access button.
Finally, authenticate to the managed app instance under the appropriate administrator account.
Note that the process of granting access is part of the setup and is not performed separately. Additionally, instance 
types are absent. Instead of enabling a Threat Protection instance type, the Next Gen framework simply requires a 
policy with a Threat Protection profile for the instance (or for all managed SaaS apps at once).
Policies
Welcome to the Policies chapter of the Netskope Security Cloud Operation and Administration Course.
• Describe Netskope policy flow
• Discuss the two main Netskope policy types: Real-time Protection and 
API-enabled Protection
• Explain the function of DLP rules and create a rule
• Explain the purpose of profiles and how they are used in policies
• Discuss policy actions
• Discuss use cases for quarantine instances and explain how to use 
this capability
Objectives
The objectives of this chapter are to describe the flow of Netskope policies; discuss the two main Netskope policy 
types—Real-time Protection and API-enabled Protection; explain the purpose and function of DLP rules and how 
to create a rule; explain the purpose of profiles and discuss how they are used in policies; discuss policy actions 
and how to add them to policies; and discuss why you would want to use quarantine instances, as well as explain 
how to configure and use this capability.
Policies
• Overview of Netskope Policies 
• DLP Rules/Classifications
• Profiles
• Actions
• Quarantine
First, let’s describe the flow of Netskope policies, and discuss Netskope API Data Protection and Real-time 
Protection policies.
Policy flow
[Diagram: policy flow, built bottom-up]
Identifiers (ID-1, ID-2, ID-3): Name, SSN, CCN, Driver’s License, ML Image Classifiers
Rules (Rule-1, Rule-2, FP Automotive, DS - DLP, EM): DLP Rule, Dictionary, Exact Match, Fingerprint Classification
Profile: DLP/Threat
Policy: API Data Protection; Real-time Protection (CASB, Web, IaaS, Private App)
Netskope uses a top-down approach to policy building. To illustrate this approach, let’s use DLP policies as an 
example. The first level of the DLP policy creation flow is to select data identifiers. There are more than 3500 
identifiers built into the system to identify such information as first name, last name, social security number, credit 
card number, driver license, Machine Learning image classifiers, and many more types of data. Additionally, you 
can create your own custom data identifiers. 
The next level of the policy flow is rules. As shown in the diagram on the slide, you can roll up multiple data 
identifiers into a single rule. The different types of rules include DLP, dictionary, exact match, and fingerprint 
classification rules.
The next level of the policy flow is profiles. Profile types include DLP, threat, and more. For a DLP profile, you can 
roll up multiple DLP rules into a single profile. Multiple rules within a profile are evaluated using logical “ORs”. For 
example, if rule one or rule two or a fingerprinting rule or an exact match rule are true, then the profile will be 
triggered.
The final level of the policy flow is the policy itself. Profiles are attached to Real-time Protection and API Data 
Protection policies. Other policy types include cloud app, web, IaaS, private app, and firewall policies.
In summary, a typical DLP policy flow works as follows:
First, data identifiers trigger rules.
Second, rules trigger profiles.
Third, profiles trigger actions in policies.
Real-time Protection 
Policies
• Enforce an action based on:
– Users, groups, and OUs (as 
inclusions or exclusions) and other 
criteria (source IP, user confidence, 
etc.)
– Cloud apps, web page categories, 
private apps, etc.
– Activities (browse, download, 
upload, etc.)
– Constraints (From User, File Type, 
etc.) and criteria (App Instance Tag, 
Destination Country, etc.)
• Define DLP and threat protection 
profiles to protect against data 
loss and malware.
Once you have gained visibility into the cloud apps being used in your organization and users’ activities in those 
apps, the next step is to define policies to enforce your business rules.
Real-time Protection policies enable you to enforce actions in real time, such as blocking file uploads or 
downloads. Policies can be based on source criteria such as:
• Users, groups, and organizational units (as either inclusions or exclusions), as well as source IP address, user 
confidence level, access method, and device classification
• Destination types, including cloud applications, web page categories, private apps, web traffic, and all traffic
• Activities such as login attempt, download, upload, share, post, or copy
• Constraints such as file type, file size, and content coming from or going to a specific user
In addition to this, you can also define DLP and threat protection profiles to inspect traffic and prevent exposure or 
loss of sensitive and critical data. Netskope provides a wizard-driven policy tool that walks you through all the 
steps of policy creation.
• Safe cloud enablement with a single policy
Coach users away from apps with a lower than “good” CCL when they try to 
upload data, offering them the corporate solution as an alternative. At the same 
time, still allow downloads from the same apps for collaboration with external 
parties.
• Granular control in a managed app
Block downloads of sensitive data from Salesforce.com to mobile devices as 
soon as users travel outside the US.
Real-time Protection policies: Use cases
Now let’s consider a couple of use cases for Real-time Protection policies. To begin with, these policies enable 
your users to work safely in the cloud. For example, with a single Real-time Protection policy, you can coach users 
away from cloud apps that have a Cloud Confidence Level that is lower than “good.” When users try to upload data 
to an unapproved cloud app, you can display a block page that alerts them that this action is not recommended, 
and you can direct them to an approved corporate solution that has a much higher CCL score. In the same policy, 
you can also allow downloads from the app so that your users can collaborate with external parties who are using 
the app to share files.
A second use case for Real-time Protection policies is to bring granular control to managed apps. For example, 
you can configure a policy to allow users to download sensitive data from an approved cloud app such as 
Salesforce when they are on their corporate laptop in the United States, but then block downloads when they are 
accessing Salesforce on a mobile phone and are traveling outside of the United States.
Real-time Protection policy processing
Order-specific!
• Important! 
– Real-time Protection policies are 
processed sequentially (top to bottom)
DLP = Exception
– A match will stop further processing. 
– Verify the order of your policies!
– Select the rule position when saving the 
policy: Top / Bottom / Before / After
• Drag and drop policies to re-order
Click Apply Changes to save the order. 
Policy changes do not take effect until you 
apply the changes. 
A crucial concept related to Real-time Protection policies is their processing order. Real-time Protection policies 
are processed sequentially from the top down, and when there is a match on a rule within a policy, no further rules 
or policies are processed. The only exception to this is DLP rules, which continue to be processed after a match is 
found. For all other rules, however, you need to plan your policy ordering carefully.
For example, suppose you want to allow full access to the Box app in your organization, but you want to block all 
other cloud storage apps. To achieve these objectives, you need two different policies. Your “Allow Box” policy 
needs to be placed at the top of the stack, and the “Block all cloud apps” policy needs to be placed below that. 
With the two policies in this order, things will work as intended. Users who try to access Box will be able to do so 
because the “allow” rule in the first policy will trigger a match. Users who try to access any other cloud storage app 
will be blocked, because after the “Allow Box” policy has been evaluated without triggering a match, processing 
will proceed to the “Block all cloud apps” policy, which will trigger a match.
If the order of the two policies is reversed, however, the intended results will not be achieved. With the “Block all 
cloud apps” policy at the top of the stack and the “Allow Box” policy positioned below it, a user who attempts to 
access Box will not be successful, because the “block” rule in the top policy will trigger a match when it identifies 
Box as a cloud storage app. The “Allow Box” policy will never be evaluated because all processing stops when 
there is a match on a rule.
Initial policy position is specified when you save the policy. You are asked whether you want to move the policy to 
the top or bottom of the stack, or before or after a specific policy in the stack. Note that after you have saved a 
policy and specified its initial position, you can change its position at a later time by using the drag handle to the 
left of the policy number, indicated by the two columns of three dots each. When you hover over the drag handle, it 
changes to a vertical double-sided arrow. You can then drag-and-drop the policy to the desired position in the 
stack. Finally, click Apply Changes.
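To make the ordering rule concrete, here is a small first-match evaluator that reproduces the “Allow Box” / “Block all cloud apps” scenario above. It is an added example written for this page, not Netskope code: the policy fields (app, category, activity, a DLP flag), the request shape, and the implicit “Allow” when nothing matches are assumptions made for the toy; the only behaviour it models is the one the text states, namely top-down evaluation, stop on the first match, and DLP policies continuing to be evaluated after a match.

```python
"""Toy evaluator for Real-time Protection policy ordering.

Added illustration, not Netskope code. It models only what the course text
states: policies are evaluated top-down, the first matching policy ends
evaluation, and DLP policies are the exception (evaluation continues past
a DLP match). Policy fields and the implicit-allow default are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    app: str                 # e.g. "Box"
    category: str            # e.g. "Cloud Storage"
    activity: str            # e.g. "Upload"
    sensitive: bool = False  # constructed stand-in for "the DLP profile matched"


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                          # "Allow", "Block", "Alert", ...
    apps: frozenset = frozenset()        # empty set = any app
    categories: frozenset = frozenset()  # empty set = any category
    activities: frozenset = frozenset()  # empty set = any activity
    dlp: bool = False  # carries a DLP profile; matches only sensitive content

    def matches(self, req: Request) -> bool:
        if self.apps and req.app not in self.apps:
            return False
        if self.categories and req.category not in self.categories:
            return False
        if self.activities and req.activity not in self.activities:
            return False
        if self.dlp and not req.sensitive:
            return False
        return True


def evaluate(stack, req):
    """Walk the stack top-down and return (final action, matched policy names).

    A non-DLP match stops processing. A DLP match is recorded but evaluation
    continues, as the course describes. If nothing matches, the constructed
    default is "Allow" (an assumption made for this toy).
    """
    matched = []
    final = "Allow"
    for policy in stack:
        if not policy.matches(req):
            continue
        matched.append(policy.name)
        if policy.dlp:
            continue
        final = policy.action
        break
    return final, matched


# Constructed policies following the course's Box example.
ALLOW_BOX = Policy("Allow Box", "Allow", apps=frozenset({"Box"}))
BLOCK_STORAGE = Policy("Block all cloud apps", "Block",
                       categories=frozenset({"Cloud Storage"}))
ALERT_PII_UPLOAD = Policy("Alert on PII upload", "Alert",
                          activities=frozenset({"Upload"}), dlp=True)

CORRECT_ORDER = [ALERT_PII_UPLOAD, ALLOW_BOX, BLOCK_STORAGE]
REVERSED_ORDER = [ALERT_PII_UPLOAD, BLOCK_STORAGE, ALLOW_BOX]

BOX_UPLOAD = Request("Box", "Cloud Storage", "Upload", sensitive=True)
OTHER_UPLOAD = Request("Dropbox", "Cloud Storage", "Upload")


def demo():
    """Return the outcomes for both orderings so they can be compared."""
    return {
        "correct/box": evaluate(CORRECT_ORDER, BOX_UPLOAD),
        "correct/other": evaluate(CORRECT_ORDER, OTHER_UPLOAD),
        "reversed/box": evaluate(REVERSED_ORDER, BOX_UPLOAD),
    }


if __name__ == "__main__":
    for label, (action, hits) in demo().items():
        print(f"{label}: {action} via {hits}")
```

With the policies in the intended order, a sensitive upload to Box is recorded by the DLP policy and then allowed by “Allow Box”; with the two non-DLP policies swapped, the same request is blocked because “Block all cloud apps” matches first and “Allow Box” is never reached. Using the same evaluator against a staging copy of a policy stack is a cheap way to check an ordering change before clicking Apply Changes.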
API Data Protection 
Policies
Create / Modify Policies
• Active API-enabled Protection
• DLP
• Profiles
• Templates
Next, let’s discuss API Data Protection policies. These policies use a wizard-driven engine to protect data at rest. 
The look and feel of this wizard is slightly different from the Real-time Protection policy wizard, but it lets you 
quickly specify the application, users, content, and activities to include in the policy, as well as a DLP profile that 
defines the type of data you want to look for, and the action you want to take when sensitive data is detected.
• Protect PII information against exposure
Scan all files in the company’s managed cloud storage app for PII content. If 
PII information is shared outside the company, remove the external links or 
shares. 
• Protect classified information against SaaS vendor insider threats
Scan all files in the company’s managed clouds storage app for corporate 
classified data. Automatically encrypt files that match the DLP policy. 
API Data Protection policies: Use cases
Two common use cases for API Data Protection are protecting PII against exposure and protecting classified 
information against SaaS vendor insider threats.
To protect Personally Identifiable Information, API Data Protection can scan the files in your managed cloud app 
instance to detect personal information such as driver license numbers, social security card numbers, and so forth. 
If files containing sensitive information are found, API Data Protection can remove external links or shares to 
prevent that content from leaving the organization. Keep in mind that API Data Protection requires
administrator-level access to the cloud app to be able to perform these operations.
To protect classified information against SaaS vendor insider threats, API Data Protection can scan the files in 
your organization’s managed cloud app to detect corporate classified data. If the cloud app supports it, API Data 
Protection can encrypt files containing sensitive information. This provides a higher level of protection against 
SaaS vendor insiders who have some level of access to their customers’ cloud app instance and can get to files 
stored on the app. By encrypting sensitive files, these insiders will not be able to access the contents of the files.
1. Specify the application, app instance (e.g., Box, Cloud Storage, etc.).
2. Specify the users (All, Selected Users, User Profiles, Groups).
3. Specify the content to scan (Shared Ext/Int, Public, Private, File 
Types).
4. Specify the activities that need to be protected or controlled (e.g., Edit, 
Share, Change permissions, etc.).
5. Optional: Apply DLP.
6. Apply an action (Alert, Encrypt, Restrict Access/sharing, Legal Hold, 
Disable Print/Download).
7. Specify a notification.
API Data Protection policies: Workflow
The workflow for building API Data Protection policies includes seven main steps.
Step 1 is to specify the application or application instance you want to inspect. The application can be a specific 
SaaS product, such as Box, or a more general category of cloud apps, such as cloud storage. The application 
instance is a specific instance of a cloud app, such as a corporate instance of Box.
Step 2 is to specify users or user groups. These users are different from Real-time Protection policy users.
Real-time Protection policies look at users, groups, and organizational units. API Data Protection policies look at owners 
or users who have permissions to perform operations in the cloud app, such as sharing and modifying files.
Step 3 is to specify the content to scan. Protecting content with API Data Protection can be thought of in terms of 
layers of exposure. Rather than trying to detect and protect all kinds of data at rest in one pass, Netskope breaks 
things down into layers. For example, consider a policy designed to protect a certain category of data, such as PII, 
or to comply with regulatory requirements, such as GDPR. The policy is first run against externally-shared files on 
cloud storage, and any files that are found to contain sensitive data are remediated by removing sharing links. The 
policy is then run against internally-shared files, which are remediated next, then public files, then private files, and 
finally specific file types. After the full initial scan of all files in cloud storage, you would schedule regular retroactive 
scans to make sure that the repository is staying clean.
Step 4 is to specify the activities that need protection. These activities are different from those specified in Real-
time Protection policies. Real-time Protection is concerned with activities such as uploading and downloading files 
in real time, viewing files, and so forth. API Data Protection is concerned with editing files already on cloud 
storage, creating external sharing links for files, changing file permissions, and so on.
Step 5 is to optionally apply a DLP profile.
Step 6 is to apply an action. Once again, Real-time Protection policies and API Data Protection policies differ. 
Because Real-time Protection is physically sitting inline with traffic, you can take actions such as allowing or 
blocking, bypassing, and so forth. Since API Data Protection is not inline with the traffic, you can only take an 
action after the fact. For example, you can generate alerts, restrict file access and sharing, disable printing and 
downloading, or place files in legal hold.
Step 7 is to specify notifications to send to administrators and users to let them know what actions have been 
taken.
SaaS “Classic” API Data Protection policies
Policies > API Data Protection > SaaS > Classic
• Processed in parallel.
• Apply to a single managed 
application instance.
• No more than one DLP 
profile.
• Supported actions depend 
on the application.
• Shared between ongoing 
scans and retroactive scans.
API Data Protection for SaaS applications is currently split into two frameworks: Classic and Next Gen. Eventually, 
Netskope will migrate all supported SaaS apps to the Next Gen platform, but at present, you will need to divide 
your policies across the two frameworks, depending on which apps you need to protect. Additionally, there are 
some other points you should be aware of.
When it comes to protecting sensitive data in API Data Protection policies, there are a number of differences from 
Real-time Protection policies. The differences are even more pronounced in the Classic framework of API Data 
Protection.
First, a policy necessarily applies to a single instance of a single application. If you want to detect the same 
sensitive data in different apps, or if you have more than one managed instance of an app, you will need multiple 
API Data Protection policies to achieve this goal.
Next, a policy allows selection of no more than one DLP profile. We will discuss profiles in detail later in this 
chapter, but for the purposes of this overview, know that if you need to detect sensitive data and perform policy 
actions using multiple DLP profiles, you will need multiple policies.
For retroactive scans of SaaS apps, the Classic API Data Protection framework uses the same policies as those 
used for ongoing scans. In other words, if you want to use a retroactive scan to find existing documents that match 
a certain DLP profile, you need to create a normal API Data Protection policy with this DLP profile first. This is 
different from how Next Gen API Data Protection works.
• Processed in parallel.
• Can apply to:
– All applications
– Category
– Application
– Instance
• Multiple DLP profiles.
• Retroactive scan policies 
are separate from ongoing 
scan policies.
SaaS “Next Gen” API Data Protection policies
Policies > API Data Protection > SaaS > Next Gen
Next Gen API Data Protection aims to bring the experience of using API Data Protection policies closer to that of 
Real-time Protection policies. In particular, with Next Gen API Data Protection policies you can do the following:
First, you can apply a policy either to all managed SaaS app instances, all managed instances belonging to a 
cloud app category (for example, Cloud Storage or Collaboration), all managed instances of the same app, or a 
specific instance. This enables you to use far fewer policies than in the Classic framework. Note that the available 
actions in the policy depend on the application scope, and you will only be able to select the actions supported for 
all apps in the scope. In other words, if you want to use an app-specific action, you need to create a policy for that 
specific app rather than for all apps, or for a category.
Next, you can select multiple DLP profiles in a single policy. This also reduces the number of policies that are 
needed to cover the same use cases, as compared to the Classic API Data Protection policies, thereby making 
policy management easier.
Finally, with retroactive scans, the Next Gen API Data Protection framework has entirely separate sets of policies 
for ongoing scans and retroactive scans.
Filtering and editing policies
The larger your policy list grows over time, the more difficult it can be to locate specific policies so you can edit 
them as the need arises. The Netskope tenant offers powerful policy filtering features to help you locate the exact 
policies you want to edit. By default, there is a “Policy Name” filter that enables you to search for specific text in the 
names of policies. Additionally, you can click Add Filter to add a wide assortment of other filters to help you locate 
policies by such criteria as User, User Group, Organization Unit, Profile Type, Action, and many more.
After you have located the policy that you want to tune, click the ellipsis button to the right of the policy to access a 
popup menu to choose from options including Edit, Disable, Clone, and more.
Policies
• Overview of Netskope Policies 
• DLP Rules/Classifications
• Profiles
• Actions
• Quarantine
Next, let’s take a look at DLP rules and classifications.
DLP: Use cases
• Prevent confidential data from being leaked or uploaded to cloud apps that are 
not enterprise-ready.
• Allow users to work with cloud apps that have less than stellar security but 
block or coach on activities involving sensitive data.
Allow is the new Block!
• Create Real-time Protection policies with DLP profiles to control sensitive data 
in real-time.
• Create API Data Protection policies with DLP profiles to detect and protect 
sensitive files stored in your managed cloud apps.
Examples: Revoke access for external users, encrypt data
You can use DLP to prevent confidential data from being leaked or uploaded to cloud apps that are not
enterprise-ready. This allows users to collaborate with external parties, such as partners, using cloud apps that are not 
officially approved in your organization, while ensuring that sensitive data is not compromised. If DLP detects that 
a user is trying to transfer sensitive data to such apps, it can block uploads or coach the user that their activity is 
not advised. As Netskope likes to say, “Allow is the new Block!”
You can create Real-time Protection policies that have DLP profiles assigned to them to control the movement of 
sensitive data in real time, and you can also create API Data Protection policies to scan files in cloud storage for 
sensitive data, and then take an action such as revoking external users’ access to files, encrypting files, and so 
forth, provided that the cloud application supports the action.
Standard, SkopeAI, and Advanced features
Standard:
• Data-at-rest and data-in-motion DLP
• 40+ regulatory compliance templates including GDPR, PII, PCI, PHI, etc.
• 3,000+ data identifiers, 1,600+ file types, custom regex, patterns
• Two AI/ML standard classifiers for resumes and source code
• Incident management and remediation
SkopeAI:
• Everything in Standard as well as: AI/ML classification for patent and M&A documents, tax forms, source code, 
images (desktop screenshots, whiteboards, passports, IDs, etc.)
Advanced:
• Everything in Standard and SkopeAI, as well as: File fingerprinting, Exact Data Matching (EDM) and Optical 
Character Recognition (OCR)
Netskope DLP is offered in three different packages.
The Standard package gives you DLP for data-at-rest and data-in-motion in cloud applications. It also includes 
more than 40 templates for regulatory compliance, such as GDPR, PII, PCI, and more. It comes with more than 
3000 predefined data identifiers that enable you to build policy rules to detect specific types of information, such as 
credit card numbers, Social Security numbers, and so forth. It offers detection for more than 1600 true file types. 
“True file type” means a file’s type as determined by its internal format and structure, not merely its filename 
extension. The Standard package also includes support for custom Regex expressions and patterns, as well as 
two Machine Learning classifiers for detecting resumés and source code, and incident management and 
remediation workflows for DLP incidents.
Next, the Skope AI package includes all the features and capabilities of the Standard package, with the addition of 
an extended set of AI and Machine Learning capabilities to identify patents, Merger and Acquisition documents, 
tax forms, and additional types of source code. It's also able to detect sensitive information in images such as 
desktop screenshots and photos of whiteboards, and to identify pictures of passports, government ID cards, and 
so forth.
Finally, the Advanced package includes everything that is in both the Standard and SkopeAI packages, and adds 
file fingerprinting, Exact Data Matching, and Optical Character Recognition.
We will explore all these capabilities in more detail later in this chapter.
• A DLP Rule defines what data to look for.
Many predefined rules exist in the system.
• A DLP Profile can be assigned to a policy (Real-time Protection or API Data Protection).
– Can contain several DLP Rules (Logical Order)
– 35+ predefined profiles in the system
DLP: Rules and profiles
Policies > Profiles > DLP > Edit Rules > Data Loss Prevention
Policies > Profiles > DLP
As we mentioned earlier, data identifiers describe specific kinds of information, such as first and last names, credit 
card numbers, and so on. Data identifiers are included in DLP rules to define what data to look for in data-at-rest 
or data-in-motion. Netskope DLP offers a wide range of predefined rules to add to your policies, and you can also 
build custom rules as needed.
Multiple rules can be rolled into a DLP profile, which you can then assign to a Real-time Protection or API Data 
Protection policy. For example, the “Payment Card Industry Data Security Standard” profile includes 8 different 
DLP rules. There are more than 35 pre-built DLP profiles, and you can build your own custom profiles that include 
both pre-built and custom DLP rules. The rules in a DLP profile are processed sequentially and joined by "OR" 
operators. For example, if rule 1 or rule 2 or rule 3 are true, the DLP profile is triggered.
DLP rules location
• Rules are located under the DLP profile:
Policies > Profiles > DLP > Edit Rules > Data Loss Prevention
• DLP rules contain:
– Predefined identifiers
– Custom identifiers
– Advanced matching options
– Content to be scanned
– Severity Threshold
DLP rules are found in the Netskope tenant by clicking Policies, then under Profiles clicking DLP. From the Edit 
Rules drop-down list, select Data Loss Prevention.
DLP rules consist of predefined or custom data identifiers; advanced matching options such as Exact Data 
Matching and proximity expressions; details about the content to scan, such as only metadata, only content, or 
both; and the severity threshold, or the number of matches required before a policy action will be taken.
DLP predefined identifiers (1 of 2)
• Create rules using 3,000+ predefined data identifiers
– Numbers: SSN, CC, Driver License
– Names: People, banks, medical, etc.
– Addresses: Different countries
• With data validation:
– Luhn check on CC
– Prefix check on SSN
As mentioned earlier, Netskope DLP lets you choose from more than 3000 predefined data identifiers to create 
DLP rules. There are data identifiers for numbers such as Social Security, credit card, and driver license numbers. 
There are also identifiers for proper names such as people's names and the names of businesses, and general 
names such as medical terms. Additionally, there are data identifiers for addresses such as residential and 
business addresses and countries.
To verify that specific types of data are what they appear to be, Netskope DLP performs data validation. For 
example, to identify valid credit card numbers, Netskope DLP performs a Luhn check on likely candidates, such as 
16-digit patterns that look like they could be real credit card numbers. A 16-digit number that consists of one repeated 
digit, such as 16 ones, is immediately dropped from further consideration because it does not correspond to a 
valid pattern for a credit card number. Another example of a number pattern that Netskope DLP can validate is a 
9-digit number that looks like it could be a U.S. Social Security number. It verifies that the first 5 digits correspond 
to a prefix range that has been officially released by the Social Security Administration.
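The two validation steps described above, as an added example that is not Netskope's code: a Luhn check on 16-digit card candidates with the repeated-digit pre-filter, and a structural check on 9-digit SSN candidates. The SSA's released prefix table is not on the page, so `released_prefixes` is a hypothetical hook for such a table.

```python
import re

# Added example, not Netskope's validator. Candidate patterns are deliberately loose;
# the validation functions below decide what survives.
CARD_CANDIDATE = re.compile(r"(?<!\d)(\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4})(?!\d)")
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> list[str]:
    """Return 16-digit candidates that survive the repeated-digit filter and the Luhn check."""
    valid = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group(1))
        if len(set(digits)) == 1:  # e.g. sixteen 1s: dropped before any checksum work
            continue
        if luhn_ok(digits):
            valid.append(digits)
    return valid


def ssn_structure_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text: str, released_prefixes=None) -> list[str]:
    """Return 9-digit SSN candidates that pass the structural check and, when a set of
    released 5-digit prefixes is supplied (hypothetical hook), whose first five digits
    appear in that set."""
    valid = []
    for match in SSN_CANDIDATE.finditer(text):
        area, group, serial = match.groups()
        if not ssn_structure_ok(area, group, serial):
            continue
        digits = area + group + serial
        if released_prefixes is not None and digits[:5] not in released_prefixes:
            continue
        valid.append(digits)
    return valid
```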
DLP predefined identifiers (2 of 2)
• Quick Search
– Narrow in on a specific type of identifier
– Useful for when you’re not sure exactly what you’re looking for
• Predefined tags
– Appear in search results
– When browsing by category, all tags associated with the different data identifiers in the category are displayed collectively
If you want to add a predefined data identifier to a DLP rule but you don't know what it's called or where it's 
located, you can use Quick Search to help you find what you're looking for. For example, by typing “Canadian 
addresses” in the Quick Search field, you can quickly see all the data identifiers related to Canadian postal 
addresses. 
Quick Search also makes it easier to see all the data identifiers related to broader terms across all categories. For 
example, to see all the data identifiers and categories related to the medical profession, you could type “medical” 
in the Quick Search field to see an expandable list of all the available medical data identifiers, such as healthcare 
ID numbers, patient information terms, and medical procedures, as well as categories and subcategories such as 
“Medical Data” and “Medical Data Classification Systems”.
Note that there are predefined tags, regions, and languages assigned to data identifiers. They are displayed in 
light-blue boxes below an identifier. They appear in search results, and when you are browsing by category, all the 
tags associated with the different data identifiers in a category are displayed collectively. You can use predefined 
tags as search terms as well. For example, you could perform a Quick Search on the “addresses” tag, the 
“Canada” region, or the “French” language.
DLP custom data identifiers
• If you can’t find the identifier you need, construct your own custom identifier.
• Supports Regex and keywords.
• Also supports predefined identifiers by enclosing the identifier name in: {{ }}
• Multiple custom identifiers can be added to a DLP rule.
Policies > Profiles > DLP > Edit Rules > Data Loss Prevention > New Rule
If you are not able to find a predefined identifier that meets your needs, you can define your own. Custom 
identifiers can include Regex and keywords. You can also include predefined identifiers by enclosing their names 
in double curly brackets.
To add a custom identifier to a DLP rule, select Case Sensitive or Case Insensitive from the first drop-down list, 
then enter a regular expression, a keyword, or a predefined identifier in the first text field. Next, click the “+” button 
to the right of the text field to add the item to the rule. Repeat this process to add more custom identifiers to the 
rule.
DLP dictionary-based identifiers
Dictionary files can be used as identifiers.
• Dictionaries can be manually imported or automatically created.
• Ideal for long lists of keywords or regular expressions.
• Multiple dictionaries can be selected in a single DLP rule.
Policies > Profiles > DLP > Edit Rules > Data Loss Prevention > New Rule
In addition to the DLP data identifiers that we have already discussed, you can also use dictionary files as 
identifiers. A dictionary file is a CSV file that can contain either keywords and phrases, or regular expressions. You 
can manually create a dictionary file by adding one keyword or phrase per line in a keyword dictionary, or one 
regular expression per line in a regular expression dictionary, with a limit of 25 regular expressions. Dictionaries 
can also be automatically created when you perform Exact Data Matching. You can select both manually imported 
and automatically created dictionaries on the “Custom” page of the DLP rule wizard by clicking the Saved 
Identifiers tab.
There are two formats for dictionaries—standard and weighted. We will discuss weighted dictionaries in more 
detail on the next slide. Note that you can select multiple dictionaries in a DLP rule. Selected dictionaries appear in 
the “Dictionary Identifiers” list in the right pane of the DLP rule wizard, indicated by a “D” and followed by a 
number, such as D0, D1, and so on.
Weighted dictionaries (1 of 2)
Weighted dictionaries are only supported with keywords and phrases. The default weight for a dictionary entry is 1, 
but you can assign a custom weight of -100 to +100. The weight value you assign to a dictionary entry goes into 
calculating the violation score. When Netskope DLP scans files and detects a keyword or phrase that matches an 
entry in a weighted dictionary, it adds that entry’s weight value to a running tally. When the scan is complete, 
Netskope DLP uses the final weight total to determine an aggregated violation score, and if the score meets or 
exceeds a severity threshold defined in a DLP rule, and the rule has been configured to take a policy action at that 
severity threshold level, then the prescribed action is taken.
You can upload dictionaries by navigating to Policies in your Netskope tenant, then going to Profiles and DLP
and clicking the Dictionary tab. Click New Dictionary to open a dialog where you can upload a dictionary file. As 
stated earlier, the dictionary file must be in the comma-separated values format. Additionally, the file must be no 
larger than 1 MB.
The screenshot on the right side of this slide shows the contents of a weighted dictionary containing key phrases 
related to heart disease. Note that there is one phrase per line, and the weight of each phrase is set by adding a 
comma after the phrase and then specifying the weight value. If you configure the severity threshold of a DLP rule 
to take a policy action at an aggregated violation score of 100, then a policy action would be taken if Netskope 
DLP detects matching phrases in the content it is scanning, and their weight values add up to 100 or more.
Weighted dictionaries (2 of 2)
• Improve accuracy with weighted dictionaries.
• Improve true positives: influence the rule to trigger when high-confidence dictionary terms are found.
• Especially useful when porting dictionaries from Forcepoint or Symantec.
Example sentences:
• John Smith had a heart attack when he saw the price.
• John Smith has suffered an acute myocardial infarction.
Dictionary weight: "Myocardial infarction" 48; "Heart attack" not found (higher confidence).
Weighted dictionaries help to improve accuracy. The higher the weight value assigned to keywords and phrases, 
the higher the degree of relevancy or importance that Netskope DLP applies to those terms. This in turn helps to 
improve the rate of true positives and trigger DLP rules when there is a high level of confidence that detected 
keywords and phrases are important.
The weighted dictionaries that are supported by Netskope use a standard format, so you can easily import 
dictionaries from other vendors that support this format, such as Forcepoint or Symantec.
The example sentences at the bottom of this slide illustrate how weighted dictionaries can be helpful in detecting 
true positives. Patient medical records are protected by government regulations and privacy laws; however, some 
expressions can have both medical and figurative meanings. For example, in the sentence "John Smith had a 
heart attack when he saw the price", the term "heart attack" is being used in a figurative sense. However, 
Netskope DLP is not able to distinguish between an actual medical condition and a figurative description of John's 
reaction of dismay to the high price of an item. Consequently, this could result in a false positive. On the other 
hand, if a weighted dictionary is attached to a DLP rule, and the official medical term for a heart attack, namely 
"acute myocardial infarction", is assigned a weight of 48, and the term "heart attack" is either not included in the 
dictionary, or is included but is not assigned a custom weight value, then there is a much higher level of 
confidence that if Netskope DLP detects the phrase "heart attack", it will not result in a false positive.
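The scoring described on these two slides, as an added example that is not Netskope's implementation: a weighted dictionary in the one-phrase-per-line CSV form with an optional `,weight`, a running tally of matched weights, and a comparison against the severity thresholds of a rule. The dictionary contents, the sample sentences and the assumption that every occurrence of a phrase adds its weight are constructed for this example.

```python
import csv
import io
import re

# Constructed weighted dictionary, modelled on the heart-disease example on the slide.
# Entries without a weight get the default of 1.
HEART_DICTIONARY_CSV = """\
acute myocardial infarction,48
coronary artery bypass graft,48
ventricular fibrillation,30
heart attack
"""

FIGURATIVE = "John Smith had a heart attack when he saw the price."
MEDICAL_RECORD = ("John Smith has suffered an acute myocardial infarction; a coronary artery bypass "
                  "graft is scheduled after ventricular fibrillation was recorded.")

# Severity thresholds as on the example rules in this chapter, ascending order.
SEVERITY_THRESHOLDS = {"Low": 1, "Medium": 25, "High": 100, "Critical": 1000}


def parse_weighted_dictionary(text: str) -> dict[str, int]:
    """Parse 'phrase[,weight]' lines; weights must lie in -100..+100, default 1."""
    entries: dict[str, int] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        phrase = row[0].strip().lower()
        weight = int(row[1]) if len(row) > 1 and row[1].strip() else 1
        if not -100 <= weight <= 100:
            raise ValueError(f"weight out of range for {phrase!r}: {weight}")
        entries[phrase] = weight
    return entries


def violation_score(content: str, dictionary: dict[str, int]) -> int:
    """Add each matched entry's weight to a running tally (assumption: per occurrence)."""
    score = 0
    for phrase, weight in dictionary.items():
        pattern = r"\b" + re.escape(phrase) + r"\b"
        score += weight * len(re.findall(pattern, content, flags=re.IGNORECASE))
    return score


def severity_for(score: int):
    """Highest severity level whose threshold the aggregated score meets or exceeds."""
    reached = None
    for name, threshold in SEVERITY_THRESHOLDS.items():
        if score >= threshold:
            reached = name
    return reached


def rule_triggers(content: str, dictionary: dict[str, int], trigger_at: str = "High") -> bool:
    """A policy action is taken when the score reaches the level the rule is set to act on."""
    return violation_score(content, dictionary) >= SEVERITY_THRESHOLDS[trigger_at]
```

With the action set at High (100), the figurative sentence scores 1 and is left alone, while the medical record scores 126 and triggers.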
Advanced matching options
Options include: AND, OR, NOT, NEAR and ()
Matching the word “private” within a proximity of 100 characters to the word “confidential”:
Now let’s take a moment to talk about advanced matching options in DLP rules. These options include proximity 
operators to check for data identifiers within a certain distance of each other. The available operators are AND, 
OR, NOT, and NEAR. You can also specify order of operations by enclosing terms in parenthesis characters. The 
NEAR operator is very similar to the AND operator, except the NEAR operator specifies a character range to 
ensure identifiers are close to each other.
In the example on the slide, advanced options are being used to match instances of the custom identifier c0, which 
is the case-insensitive keyword “private”, that is within 100 characters of the custom identifier c1, which is the 
case-insensitive keyword “confidential”.
There are a couple of details and tips related to advanced matching options you should be aware of. First, the 
proximity number is inclusive of all characters, beginning with the first character of the first data identifier and going 
to the last character of the last identifier. So in the case of our example, the words “private” and “confidential” must 
occur within 100 characters of each other, with the 7 characters of the word “private” and the 12 characters of the 
word “confidential” being included as part of that total of 100 characters. Second, take care when you are typing 
the names of the data identifiers in your proximity statements. A common mistake people make is to type the letter 
“O” instead of the number “0” when specifying a data identifier such as “c0”.
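The NEAR check described above, as an added example that is not Netskope's matching engine: two custom identifiers with their case sensitivity, a proximity count that runs inclusively from the first character of the first identifier to the last character of the last one, and a check that catches an undefined operand such as `cO`. The identifier table and sample strings are constructed for this example.

```python
import re

OPERATORS = {"AND", "OR", "NOT", "NEAR"}

# Custom identifiers as (keyword, case_sensitive); C0 and C1 follow the example rule on the slide.
CUSTOM_IDENTIFIERS = {
    "C0": ("private", False),
    "C1": ("confidential", True),
}


def find_spans(content: str, keyword: str, case_sensitive: bool) -> list[tuple[int, int]]:
    """Return (start, end) offsets of whole-word matches of a keyword identifier."""
    flags = 0 if case_sensitive else re.IGNORECASE
    pattern = r"\b" + re.escape(keyword) + r"\b"
    return [(m.start(), m.end()) for m in re.finditer(pattern, content, flags)]


def near_matches(content: str, left: str, right: str, proximity: int,
                 identifiers=CUSTOM_IDENTIFIERS) -> list[tuple[int, int]]:
    """Evaluate '<left> NEAR <right>' with a proximity of `proximity` characters.

    The count is inclusive: it runs from the first character of whichever identifier
    comes first to the last character of whichever comes last, so both keywords'
    own characters are part of the budget."""
    left_spans = find_spans(content, *identifiers[left])
    right_spans = find_spans(content, *identifiers[right])
    hits = []
    for l_start, l_end in left_spans:
        for r_start, r_end in right_spans:
            start, end = min(l_start, r_start), max(l_end, r_end)
            if end - start <= proximity:
                hits.append((start, end))
    return hits


def undefined_operands(expression: str, identifiers=CUSTOM_IDENTIFIERS) -> list[str]:
    """Report operands that name no defined identifier, which catches the common
    letter-O-for-zero typo ('cO' instead of 'c0') before a rule is saved."""
    known = {name.upper() for name in identifiers}
    return [token for token in re.findall(r"[A-Za-z0-9]+", expression)
            if token.upper() not in OPERATORS and token.upper() not in known]


# Constructed samples: exactly 100 characters from the 'P' of PRIVATE to the final 'l'
# of confidential (7 + 81 + 12), and the same with one extra character in between.
EXACTLY_100 = "PRIVATE" + " " * 81 + "confidential"
ONE_TOO_FAR = "PRIVATE" + " " * 82 + "confidential"
```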
Content to be scanned
Options: Metadata, Content, or Metadata & Content
Metadata is data about data.
The next step in the DLP rule wizard is to specify the area of files to scan. By default, Netskope scans both 
metadata and content. If needed, you can choose to only scan metadata or only scan content. Metadata is not the 
actual contents of the file; rather, it's data about the file, such as who created the file, when the file was created or 
last modified, and so on.
Microsoft Word document metadata
Let’s look at a Microsoft Word document as an example of file metadata. You can view this information by opening 
the document in Microsoft Word, navigating to File, and then selecting Info. Click Show All Properties to view 
information such as Last Modified, Created, and Last Printed dates, as well as other metadata such as title, 
custom tags, status, categories, authors, and so on.
Record-based scan
If the DLP rule is intended for scanning files that contain rows or records (such as spreadsheets), select the Record Based Scan option to scan for data identifiers by records or rows.
Also on the Content page of the DLP rule wizard, you have the option to specify whether you want the DLP scan to 
be record-based. You should select this option if you intend the rule to be used for scanning files that contain rows 
and columns, such as spreadsheets or CSV files. By specifying a record-based scan, you are telling Netskope 
DLP to look for data identifiers within individual records instead of whole files. In other words, you are specifying 
that identifiers such as first name, last name, credit card number, and so on, must come from a single row in the 
spreadsheet or CSV file. For example, Anne's first name, Joe's last name, and Mary's credit card number might all 
appear in the same spreadsheet file, but they all come from different rows or records within that file. When you 
select Record Based Scan, the DLP rule will only match if all the data identifiers are detected in the same record.
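The difference between a whole-file scan and a record-based scan, as an added example that is not Netskope's scanner: the same three identifiers run over a constructed spreadsheet export. The name lists are stand-ins for the predefined name identifiers, and the card pattern is pattern-only (no Luhn validation) to keep the example short.

```python
import csv
import io
import re

# Constructed stand-ins for a first-name, a last-name and a credit-card identifier.
IDENTIFIERS = {
    "first_name": re.compile(r"\b(?:Anne|Joe|Mary)\b"),
    "last_name": re.compile(r"\b(?:Brown|Jones|Smith)\b"),
    "credit_card": re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)"),
}

# Constructed spreadsheet export: Anne's first name, Jones's last name and Mary's card
# number all appear in the file, but only row 4 carries all three in one record.
SAMPLE_CSV = """\
first_name,last_name,credit_card
Anne,Brown,
Mary,,4111 1111 1111 1111
,Jones,
Joe,Smith,5500 0000 0000 0004
"""


def scan_whole_file(content: str, identifiers=IDENTIFIERS) -> bool:
    """Record Based Scan off: every identifier must appear somewhere in the file."""
    return all(pattern.search(content) for pattern in identifiers.values())


def scan_records(content: str, identifiers=IDENTIFIERS) -> list[int]:
    """Record Based Scan on: return the 1-based data rows in which every identifier
    is found within that single row (the header row is not a record)."""
    rows = list(csv.reader(io.StringIO(content)))
    hits = []
    for number, row in enumerate(rows[1:], start=1):
        record = ",".join(row)
        if all(pattern.search(record) for pattern in identifiers.values()):
            hits.append(number)
    return hits


def rule_matches(content: str, record_based: bool, identifiers=IDENTIFIERS) -> bool:
    """The rule as a whole: match only in the mode the wizard's Content page selected."""
    if record_based:
        return bool(scan_records(content, identifiers))
    return scan_whole_file(content, identifiers)
```

Drop row 4 from the sample and the whole-file scan still matches while the record-based scan returns no rows.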
Example DLP rules
Look for the word private near confidential
Custom Identifiers
• (C0) - Case Insensitive: private
• (C1) - Case Sensitive: confidential
Expression
• C1 NEAR C0
• Proximity Check: 100 characters
Scan Section
• Metadata & Content
• Record Scanning Off
Severity Threshold
• Low Severity: 1
• Medium Severity: 25
• High Severity: 100
• Critical Severity: 1000
• Trigger action at Low
Any Credit Card
Predefined Identifiers
• (P0) - number/any/cc
Expression
• P0
Scan Section
• Record Scanning Off
Severity Threshold
• Low Severity: 1
• Medium Severity: 25
• High Severity: 100
• Critical Severity: 1000
• Trigger action at Low
This slide shows two different examples of DLP rules.
The rule on the left is looking for the case-insensitive custom identifier C0, which is the keyword "private", near the 
case-sensitive custom identifier C1, which is the keyword "confidential", all within 100 characters of each other. It 
is scanning both metadata and content, and the “Record Based Scanning” option is not enabled. It also 
establishes the severity threshold, with Low severity set at 1 match, Medium at 25 matches, and so on, with the 
policy action being triggered at the Low severity level. 
The rule on the right is looking for any credit card number, as indicated by the predefined identifier P0. Since there 
is only one data identifier referenced in the rule, no proximity operations are needed. Once again, the “Record 
Based Scanning” option has been left off, and the various severity thresholds have been set, with the policy action 
triggered at the Low severity level.
Fingerprinting and Exact Match
Benefits:
• Full coverage – Apply policies for data in motion or data at rest
• Improved accuracy – Reliably detect sensitive data extracted from original files
• Easy policy enforcement – No policy tuning needed; the original content translates the policy
Fingerprinting: identify sensitive data in unstructured files → fingerprint the assets → apply document fingerprinting or binary fingerprinting (MD5, SHA-256 hash).
Exact Match: identify sensitive data in CSV files → generate an Exact Match hash → validate the DLP rule with Exact Match, or use auto dictionaries in the DLP rule.
Next, let's discuss two advanced DLP options: fingerprinting and Exact Match.
Fingerprinting is used on unstructured documents, such as Microsoft Word documents, PDF files, source code, 
and essentially any file that does not have the structure of a spreadsheet, CSV, or database file. To begin the 
fingerprinting process, upload an unstructured file to the Netskope tenant. An MD5 or SHA-256 hash of the file is 
then generated so that if the original document is ever manipulated or modified, Netskope DLP can detect the 
mismatch between the hashes of the original file and the modified file and subsequently trigger a DLP policy 
action. More importantly, the fingerprinting process captures a digital DNA of the original document so that when 
Netskope DLP classifies the original document as sensitive, it can trace modified versions of that file back to its 
source, provided that the changed file does not deviate more than 30% from the original file. 
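The two kinds of fingerprint described above, as an added example that is not Netskope's fingerprinting engine: a binary fingerprint (SHA-256) that changes on any byte-level edit, and a document fingerprint built from word 3-shingles whose Jaccard distance stands in for "deviation from the original". Shingling is this example's choice of similarity measure; the 30% tolerance is the figure the text gives. The sample documents are constructed.

```python
import hashlib
import re

# Constructed sample documents: the original, a copy with one word changed, and an unrelated file.
ORIGINAL = ("Project Falcon quarterly plan: the engineering team will migrate the billing service to "
            "the new cluster in March, retire the legacy gateway in April, and complete the security "
            "review in May. Budget approval is pending with finance and the vendor contract renews "
            "at the end of the quarter.")
LIGHTLY_EDITED = ORIGINAL.replace("billing service", "payments service")
UNRELATED = "Lunch menu for Friday: tomato soup, grilled cheese, and apple pie."


def binary_fingerprint(data: bytes) -> str:
    """Exact fingerprint: any modification of the bytes yields a different hash."""
    return hashlib.sha256(data).hexdigest()


def shingles(text: str, k: int = 3) -> set[tuple[str, ...]]:
    """Document fingerprint: the set of overlapping k-word windows, case and punctuation folded."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def deviation(original: str, candidate: str, k: int = 3) -> float:
    """Jaccard distance between the two shingle sets: 0.0 identical, 1.0 nothing in common."""
    a, b = shingles(original, k), shingles(candidate, k)
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def traces_to_source(original: str, candidate: str, max_deviation: float = 0.30) -> bool:
    """A modified file is traced back to its source while it deviates by at most 30%."""
    return deviation(original, candidate) <= max_deviation
```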
Exact Match works in a similar way to fingerprinting but is used on structured data in CSV files. Each column of 
data in the CSV file must have a header that identifies the type of information contained in that column, such as 
first name, last name, credit card number, and so forth. You upload the CSV file to the Netskope tenant, and 
individual hashes are calculated for each row or record in the file. Additionally, you can choose to automatically 
create dictionaries for each of the columns in the file. The names of these dictionaries are derived from the column 
headers. For example, if the CSV file contains four columns with the headers "First Name", "Last Name", "Phone 
Number", and "Credit Card Number", four Exact Match dictionaries will be created, and they will be named after 
these headers. The dictionaries will also include hashes for the data contained in each field of their respective 
column. When you enable Exact Match for a DLP rule, Netskope DLP will inspect structured data leaving your 
organization and compare it to the hashes in the Exact Match dictionaries that have been generated. If a match is 
found, then a policy action will be triggered. 
Fingerprinting and Exact Match can protect structured sensitive data whether that data is being sent out of your 
organization in real time or is sitting at rest in cloud storage. Their precise methods of analyzing and profiling 
original source content ensure that Netskope DLP can accurately detect sensitive data that has been extracted 
from original sources. Additionally, fingerprinting and Exact Match make it easy to enforce DLP policies because 
the content from the original files serves as the basis for determining whether the data is sensitive and needs to be 
protected.
Exact Match
• HR database file holding sensitive PII information
• Includes header row: id, gender, birthdate, maiden_name, etc.
• Map DLP identifier to column
• Identifier P0 – Column 1
There are three ways to populate the Exact Match database:
1. Upload a data set to your Netskope tenant.
2. Upload a data set to your on-premises Virtual Appliance.
3. Create salted SHA-256 hashes locally, then upload them to 
the Netskope cloud using an on-premises Virtual Appliance.
Here is a more detailed example illustrating how Exact Match works. Suppose you have a text file named 
HRdatabase.txt that consists of comma-separated values. The first line or row of the file contains headers labeled 
“id”, “gender”, “birth date”, and so on. Following the header row are rows of comma-separated data corresponding 
to their respective headers. This file has been uploaded to the Netskope tenant, so a set of automatically 
generated dictionaries will be available for selection when creating a DLP rule. 
On the Exact Match page of the DLP rule wizard, you need to select the Enable Exact Match option. This enables 
you to select the HR database text file from a drop-down list and then map column headers to data identifiers. In 
the example on the slide, the “address” column is mapped to the P0 predefined identifier for US postal addresses, 
and the “postal” column is mapped to the P1 identifier for US postal codes (or ZIP codes). Exact Match also offers 
a feature called “column groups” which makes it possible to create a hash for combinations of columns from the 
uploaded file. For example, you could create a column group for street address, city, and state, and Exact Match 
will create a single hash for that combination of data for each row in the file, rather than creating a separate hash 
for each field on its own. That way, if Netskope DLP detects this specific combination of data during a scan, the 
rule will trigger a match.
There are three ways to populate your Exact Match database. First, you can upload .csv or .txt files through the 
Netskope tenant UI. You can also upload files to your on-premises Netskope virtual appliance and let the 
appliance generate the hashes. Finally, you can create salted SHA-256 hashes locally and then upload these 
hashes to your on-premises Netskope virtual appliance.
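The per-field and column-group hashing described in the two preceding paragraphs (and the salted SHA-256 hashes prepared for the on-premises route), as an added example that is not Netskope's DLP command: Exact Match style dictionaries built from a CSV with a header row, one salted hash per non-empty field and one per column group, then a lookup for a candidate record. The HR extract, the fixed salt, HMAC-SHA256 as the "salted SHA-256", and the field normalisation and join format are this example's assumptions.

```python
import csv
import hashlib
import hmac
import io

# Constructed HR extract in the comma-separated form with a header row the text describes.
HR_CSV = """\
id,first_name,last_name,address,city,state,postal
1,Robert,Aragon,12 Elm St,Springfield,IL,62701
2,Ashley,Borden,9 Oak Ave,Dayton,OH,45402
"""

# Fixed salt so the example is reproducible; a real deployment generates it randomly and
# keeps it on the hashing side, never alongside the uploaded hashes.
SALT = b"constructed-example-salt"


def normalise(value: str) -> str:
    """Fold case and whitespace so 'ARAGON' and 'Aragon ' hash to the same value."""
    return " ".join(value.split()).lower()


def salted_sha256(salt: bytes, value: str) -> str:
    """One-way, non-reversible hash of a normalised field (HMAC-SHA256 keyed with the salt)."""
    return hmac.new(salt, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def group_name(columns) -> str:
    return "+".join(columns)


def build_exact_match(csv_text: str, salt: bytes, column_groups=()) -> dict[str, set[str]]:
    """One dictionary per column header, plus one per column group, each holding the
    hashes of that column's (or combined columns') values for every row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    dictionaries = {header: set() for header in reader.fieldnames}
    for group in column_groups:
        dictionaries[group_name(group)] = set()
    for row in reader:
        for header, value in row.items():
            if value and value.strip():
                dictionaries[header].add(salted_sha256(salt, value))
        for group in column_groups:
            # A column group is hashed as one combined value, not field by field.
            combined = "|".join(normalise(row[column]) for column in group)
            dictionaries[group_name(group)].add(salted_sha256(salt, combined))
    return dictionaries


def field_matches(dictionaries, salt: bytes, column: str, value: str) -> bool:
    """Does a value seen in outbound content match a field of the uploaded data set?"""
    return salted_sha256(salt, value) in dictionaries[column]


def group_matches(dictionaries, salt: bytes, group, values) -> bool:
    """Does this specific combination of fields occur together in one uploaded row?"""
    combined = "|".join(normalise(v) for v in values)
    return salted_sha256(salt, combined) in dictionaries[group_name(group)]
```

The dictionaries hold only 64-character hex digests, so the upload to the cloud never carries the original field values.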
On-premises Exact Match
1. Copy file to Netskope Virtual Appliance.
2. Run DLP command to perform one-way non-reversible hash. (Process can be automated by running cron job.)
3. Virtual Appliance uploads hash to Netskope Security Cloud.
Figure: an on-premises file with SSN and First and Last Name columns is hashed on the Virtual Appliance into a SHA-256 table with SSN and Name columns, which is then uploaded to the Netskope Security Cloud.
Due to security concerns, some organizations might not want to directly upload sensitive files to their Netskope 
tenant when creating Exact Match rules. Even though files uploaded using the Netskope tenant UI go out over port 443, this might not be adequate for some organizations. This is a use case for the on-premises Netskope Virtual Appliance.
through enterprise-wide predictive insights, SD-WAN access anomaly detection, and application performance flow analytics.
• SkopeAI device intelligence provides Machine-Learning-based identification and categorization of newly 
connected devices, delivering unprecedented device visibility, access control, and Internet-of-Things security.
Rich policy context of CASB+SWG+DLP
Pat from Accounting is using managed laptop to upload files to personal Box instance: DLP check; coach if PCI, PII, etc.
Pat from Accounting is using managed laptop to upload files to company Box instance: Check for malware/threats
Pat from Accounting is using personal mobile device to download files from company Box instance: View only mode
Pat from Accounting is using managed laptop to browse gambling sites on web: Block site, coach user with AUP alert
Figure: policy context columns. User, Group, OU (Pat Smith, Accounting); Device (Managed, Personal); Cloud Storage App (Managed, Unmanaged); App Instance (Personal, Company); URL Category (File Sharing, 100+ Categories); Activity (Upload; File up, down, share, view); Threat (AV/ML, IOCs, Scripts, Macros, Sandbox); Content (DLP Profiles and Rules); Policy Action (Allow, Block, Coach, Encrypt, Legal Hold, Quarantine, etc.); Cloud XD; Risk (Security, Privacy, Legal/Audit, GDPR, etc.); CCI Rating (65K+ Apps).
The Netskope Security Cloud uses a unified policy engine, which means that you can combine the coverage and 
protection of multiple Netskope security products like CASB, SWG, and DLP in a single policy. Another major 
advantage of this approach is the rich context that can be woven into policies around a user's environment and 
activities.
Policies can include the following types of contextual information:
• Users and the groups and organizational units they belong to
• Types of devices, and whether they are managed or unmanaged
• Managed and unmanaged cloud applications
• Cloud app instance ownership, such as company or private instances
• Risk ratings of cloud apps as identified by Netskope's Cloud Confidence Index
• Categories of the websites and URLs that users visit
• Activities such as uploading, downloading, and sharing files
• Threats posed by files infected with malware, and anomalous behavior that might indicate an organization's 
security has been compromised
• File content such as sensitive and confidential information that can be detected by DLP profiles and rules
• Actions that a policy can perform based on a given set of circumstances, such as allowing or blocking traffic, 
coaching users about acceptable behavior, and so on
Now let's consider some practical examples of the rich policy context that Netskope can provide by uniting CASB, 
SWG, and DLP. Suppose a user named Pat, who belongs to the Accounting department, is uploading files from 
her company-owned and managed laptop to her private instance of Box. You can configure a policy to run a DLP 
scan on the files Pat is trying to upload. If customer credit card data or personally identifiable information is 
detected, the upload actions can be blocked, or a user notification can be displayed, reminding Pat that 
transferring confidential company information to personal storage is a violation of corporate policy. On the other 
hand, if Pat is using her company laptop to upload files to a corporate Box instance, you can configure a policy to 
allow the upload actions in this case, provided that a threat scan is able to determine that the files are not infected 
with malware.
Next, suppose Pat is trying to download sensitive files from a corporate instance of Box onto her 
personal mobile device that is not secured or protected by her company. You can configure a policy 
that only allows Pat to view the contents of the files on her mobile device, but not actually download the 
files.
Finally, suppose that Pat is on her corporate laptop again, and she is trying to browse gambling 
websites. You can define a policy to block websites that fall under the "Gambling" category, and also 
display an alert to inform Pat that using corporate devices to visit gambling or gaming websites is a 
violation of corporate acceptable-use policy.
Netskope CASB API
Figure: offline methods, API Connector and LOG, feeding the Netskope platform.
‣ Cloud app discovery
‣ App risk
‣ Basic activity visibility
‣ eDiscovery of DLP violations & Malicious Threats
‣ Data governance
‣ Policy control for at-rest content
Now let’s take a look at the products included in the Netskope Security Cloud. First, we’ll discuss Netskope Cloud 
Access Security Broker, or CASB. In most cases, a top priority of organizations that are moving their business to 
the cloud is to gather information about their internet traffic. They need to understand what their user base is 
doing, which cloud applications they are using and how they are using these applications. When this information 
has been acquired, the organization can determine the controls they need to put in place to reduce risk and limit 
exposure to threats and data loss going forward.
Netskope CASB uses a couple of offline or out-of-band methods to gather information about the cloud apps being 
used in an organization. The first of these methods is log ingestion. This involves importing log files from on-
premises proxy servers and firewalls into the Netskope platform. These logs provide visibility into the cloud apps 
users are accessing, how much data they’re transferring into and out of the apps, and so forth. The information 
gathered from logs can be used to check Netskope’s Cloud Confidence Index, or CCI, and identify the level of risk 
the discovered apps pose to your organization. However, you cannot take any direct actions at this point; you 
have only gained visibility into cloud app usage.
This is where the second offline method comes in. Netskope CASB uses API connectors to interact with files 
stored in managed cloud applications, or in other words, cloud applications for which an organization has full 
administrative access. This enables Netskope to hook into the cloud application’s API and perform such 
operations as scanning files for DLP and regulatory compliance violations and malware infections, and then 
applying policy controls such as placing files in quarantine, encrypting files, or changing file-sharing permissions.
2024 © Netskope. All Rights Reserved. 6
Netskope Security Cloud Operation and Administration
Cloud Inline traffic steering options (slide)
Forward proxy (inline): Thin Agent / Mobile Profile; Explicit Proxy / PAC file; GRE/IPSec; Proxy Chaining
‣ Real-time policy control for all cloud apps
‣ Native, browser and mobile app coverage
‣ Mobile and remote coverage for all cloud apps
‣ DLP & Threat Protection
Reverse Proxy: real-time policy control for browser-based managed cloud apps only
In addition to CASB API, the Netskope Security Cloud Platform includes Cloud Inline, which, as its name implies, 
provides inline or real-time protection. Inline protection enables you to apply policy actions in real time as users are 
accessing cloud apps and trying to upload and download files. With Cloud Inline, users’ cloud app traffic is steered 
to the Netskope Security Cloud, which then examines any files the users are trying to upload or download and 
applies policy actions, such as blocking files that contain sensitive information or malware.
The most common method of deploying inline protection is using the Netskope thin agent or client. The Netskope 
client is installed on users’ computers and steers their internet traffic based on policies and Netskope tenant 
settings. For example, the Netskope tenant UI go out over port 
443, this might not be adequate for some organizations. This is a use case for the on-premises Netskope Virtual 
Appliance.
If you are using the on-premises method to create hashes for Exact Match, there is a recommended process for 
uploading files to a Netskope Virtual Appliance. First, copy the sensitive file you want to match against to the 
appropriate folder on the virtual appliance. Second, run the DLP command that creates one-way, non-reversible 
SHA-256 hashes of the file's data. Note that you can automate this step with a cron job. When the appliance has 
completed creating the hashes, it will automatically upload the results to the Netskope Security Cloud. The original 
file is then permanently removed from the appliance.
You can find detailed instructions that include the commands for uploading files to the appliance and performing 
the hash operation by browsing to docs.netskope.com and searching for the article entitled “Create a DLP Exact 
Match Hash from a Virtual Appliance.”
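The hashing step described above, as an added illustration rather than the appliance's own command (the docs article named above supplies that): it builds a hash table from the sensitive cells of a constructed CSV and then looks up tokens of a scanned message against that table, so the scanning side never needs the plaintext. The page describes plain SHA-256; this example keys the hash with HMAC-SHA256, an assumption added here because short, structured values such as SSNs and account numbers could otherwise be recovered from a leaked hash table by enumeration. The key, column names, normalisation rule and token pattern are all constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed stand-in for the sensitive file an administrator copies onto the appliance.
SENSITIVE_CSV = """name,ssn,account
Ana Ruiz,123-45-6789,ACCT-0001
Li Wei,987-65-4321,ACCT-0002
"""

# Hypothetical key (assumption): it must be provisioned to both the hashing side and the
# scanning side, and never stored next to the hash table itself.
KEY = b"constructed-demo-key"

def normalize(value: str) -> str:
    """Canonicalise a cell so '123-45-6789' and '123456789' hash identically."""
    return re.sub(r"[\s\-]", "", value).lower()

def cell_hash(value: str, key: bytes) -> str:
    """Keyed one-way hash of a normalised value (HMAC-SHA256, see lead-in)."""
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()

def build_hash_table(csv_text: str, columns, key: bytes) -> set:
    """One hash per selected cell; the plaintext never leaves this function."""
    table = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in columns:
            if row[col]:
                table.add(cell_hash(row[col], key))
    return table

# Candidate tokens in scanned content: six or more letters, digits or hyphens.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9\-]{5,}")

def scan(text: str, table: set, key: bytes) -> list:
    """Return the tokens whose hash is in the table, in order of appearance."""
    return [tok for tok in TOKEN_RE.findall(text) if cell_hash(tok, key) in table]

TABLE = build_hash_table(SENSITIVE_CSV, ["ssn", "account"], KEY)

if __name__ == "__main__":
    print(scan("Please wire to ACCT-0002; SSN 123456789 on file.", TABLE, KEY))
```

Because the match is on the normalised value, a hyphenated SSN in the source file still matches the same number written without hyphens in a scanned e-mail; the trade-off is that the normalisation rule must be identical on both sides, or matches silently disappear.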
Proximity (NEAR Operator)
• To fine-tune DLP rules, add Boolean and 
proximity operators to the expressions 
used to find sensitive data.
• The NEAR operator implies AND.
• Proximity is measured from the first 
character of the first data identifier to the 
last character of the last data identifier
(including spaces and punctuation).
• The entire data match must fall within the 
defined proximity.
(P0) – Postal Addresses (US)
(P1) – Postal Addresses (US; Postal Codes)
(P2) – Address / ZIP code / US 
(D0) – Bankname
P0 OR P1 OR P2 NEAR D0
Proximity Check: 50 characters
As mentioned earlier, you can use Boolean and proximity operators to fine-tune your DLP rules and improve 
detection results. The proximity operator NEAR is particularly useful for this purpose. The NEAR operator 
performs the same basic function as the AND operator, with the added benefit of letting you define a character 
range within which two or more terms must appear in a file. It is important to note that proximity measurements 
begin at the first character of the first data identifier referenced in the statement, and end at the last character of 
the last data identifier. Empty spaces and punctuation are included in the total character count.
In the illustration on the slide, the colored rectangles each mark off 10 characters in two rows of data in a text file 
that consists of comma-separated values. The proximity statement shown above the illustration is telling Netskope 
DLP to look for US postal addresses, signified by the predefined identifier P0, or US postal codes, signified by P1, 
or a combination of US addresses and ZIP codes, signified by P2, near bank names, signified by the dictionary 
identifier D0. All of these items must occur within 50 characters of each other in the file.
In the first row, the bank name “Bank of America” extends the character count to more than 50 characters, so the 
DLP rule will not match.
In the second row, the entire address, ZIP code, and bank name fall within the prescribed total of 50 characters, 
starting with the “2” of the building number and ending with the “p” in “Citigroup”, with spaces and punctuation 
characters included. Consequently, the DLP rule matches in this case.
A tip to keep in mind when using proximity statements, is to make sure to specify character ranges that are logical 
and relevant. For example, you do not want Netskope DLP to find the first data identifier on page 1 of a document 
and then look for the next identifier as far away as page 10. Being so far apart, there’s probably no correlation 
between the two identifiers. On the other hand, you want the character range to be wide enough to encompass all 
reasonable and relevant combinations of data. For instance, if the proximity value in the NEAR statement in the 
example on the slide would have been set to 60, the DLP rule would have matched with both rows of data because 
“Bank of America” would have fallen within that range. Similarly, if the state abbreviation “CA” had been fully 
spelled out as “California,” the 50-character proximity value would have prevented both rows of data from 
matching.
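The measurement rule on this slide, as an added example (not Netskope's DLP engine): a small evaluator that runs one identifier NEAR another over two constructed CSV rows and reports the span from the first character of the earlier hit to the last character of the later hit, spaces and punctuation included. The slide's "P0 OR P1 OR P2" group is collapsed here into a single simplified address identifier, P2, and D0 is a three-entry bank-name dictionary; both patterns and both rows are constructed for the example, so the character counts are those of these rows, not of the slide's illustration.

```python
import re

# Constructed, simplified stand-ins for the slide's identifiers: P2 is a US street
# address ending in a ZIP code, D0 a small bank-name dictionary.
IDENTIFIERS = {
    "P2": re.compile(
        r"\b\d{1,5} [A-Z][a-z]+ (?:St|Ave|Blvd|Rd), "
        r"[A-Z][A-Za-z ]+?, (?:[A-Z]{2}|[A-Z][a-z]+) \d{5}\b"
    ),
    "D0": re.compile(r"\b(?:Bank of America|Citigroup|Wells Fargo)\b"),
}

def spans(text, ident):
    """(start, end) of every hit for one identifier; end is exclusive."""
    return [(m.start(), m.end()) for m in IDENTIFIERS[ident].finditer(text)]

def near(text, left, right, proximity):
    """Evaluate `left NEAR right`: the distance runs from the first character of
    the earlier hit to the last character of the later hit, spaces and
    punctuation included, and the whole span must fit within `proximity`.
    Returns the tightest qualifying (start, end) span, or None."""
    best = None
    for ls, le in spans(text, left):
        for rs, re_ in spans(text, right):
            start, end = min(ls, rs), max(le, re_)
            if end - start <= proximity and (best is None or end - start < best[1] - best[0]):
                best = (start, end)
    return best

# Constructed rows standing in for the two CSV rows on the slide.
ROW_A = "1 Market St, San Francisco, CA 94105, Bank of America"   # 53 chars end to end
ROW_B = "23 Maple Ave, Santa Clara, CA 95050, Citigroup"          # 46 chars end to end

if __name__ == "__main__":
    for row in (ROW_A, ROW_B):
        print(near(row, "P2", "D0", 50), near(row, "P2", "D0", 60))
```

With a proximity of 50, ROW_A does not match (53 characters from the building number to the end of "Bank of America") and ROW_B does (46); raising the proximity to 60 makes both match, and spelling out "California" in ROW_B pushes it to 54 characters, which a 50-character rule rejects.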
DLP Severity Threshold
Specify threshold values for each 
severity level.
1. Select Record or
Aggregate Score.
2. Optional: Select Count only 
unique records.
3. Enter number of matching 
records or a violation score for 
each severity level or accept 
default settings.
4. Specify the severity level at 
which the policy action should be 
taken. 
An alert is sent when a severity level 
is reached for a file.
Policies > Profiles > DLP > Edit Rules > Data Loss Prevention > New Rule
On the Severity Threshold page of the DLP Rule wizard, you can specify the number of matches that must be 
detected in a file to qualify for one of the four severity levels—Low, Medium, High, or Critical. 
First, specify how you want the threshold to be set, either by record or by aggregated score. The Record option 
increments the matching record count each time an instance of sensitive data is detected in a file. So if you have 
the “Low” severity level set to 5 records or more, then at least 5 occurrences of sensitive data must be detected in 
a file in order for the incident to be classified as low severity. The Aggregated Score option is used in conjunction 
with weighted dictionaries. When Netskope DLP is scanning a file, each time it detects a keyword or phrase that is 
referenced in a weighted dictionary, it adds the numerical weight you have assigned to that entry to a running tally. 
After the scan is complete, the sum of all the weighted values becomes the final violation score. So if you have the 
“Low” severity level set to 100 points or more, then Netskope DLP must detect weighted keywords or phrases 
within a file that add up to at least 100 points in order for the incident to be classified as low severity.
DLP rules that are configured to look for numerical data, such as credit card, driver license, or Social Security 
numbers, typically use a record threshold, while rules meant to detect only textual data should use an aggregated 
score threshold.
By default, when Netskope DLP scans a file, each time it encounters a piece of sensitive data it increments the 
record count, even if that data repeats itself. If you want to count only unique occurrences of a specific piece of 
data, select the option Count only unique record. To provide a practical example, suppose you have a DLP rule 
that is set to take a policy action if 10 unique credit card numbers are detected in a file. If a file contains 7 
instances of the same credit card number and only 3 other instances of unique credit card numbers, a policy action 
will be taken by default, because the 7 identical credit card numbers and the 3 unique numbers add up to 10 
occurrences. To avoid this situation, you would select the Count only unique record option. This would count the 
7 identical credit card numbers as 1 occurrence, which added to the 3 unique numbers would total 4 occurrences 
of unique credit card numbers. As a result, no policy action would be taken in this case.
After you have set the threshold values for the 4 severity levels, make sure to specify the severity level at which 
you want the policy action to be taken.
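The two threshold modes and the unique-record option, as an added example that is not Netskope's scoring code: a record-count rule over a constructed file containing the same card number seven times plus three other numbers, and an aggregate-score rule over a constructed weighted dictionary. The thresholds, weights and card pattern are assumptions chosen for the example; the card pattern is deliberately filtered through a Luhn check so that a random 16-digit string does not count as a record, which is the kind of false positive the record count otherwise inflates.

```python
import re

# Constructed thresholds, lowest severity first: (name, minimum value).
RECORD_THRESHOLDS = [("Low", 1), ("Medium", 5), ("High", 10), ("Critical", 50)]
SCORE_THRESHOLDS = [("Low", 100), ("Medium", 250), ("High", 500), ("Critical", 1000)]

# Constructed weighted dictionary: term -> weight added to the running score.
WEIGHTED_DICTIONARY = {"patient": 25, "ssn": 40, "confidential": 10}

PAN_RE = re.compile(r"\b\d{16}\b")  # simplified 16-digit card pattern (constructed)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps random 16-digit strings out of the record count."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def severity_for(value, thresholds):
    """Highest severity whose minimum the value reaches, or None below Low."""
    level = None
    for name, minimum in thresholds:
        if value >= minimum:
            level = name
    return level

def record_count(text: str, unique_only: bool = False) -> int:
    """Record mode: every valid card number counts, or each distinct one once."""
    hits = [m for m in PAN_RE.findall(text) if luhn_ok(m)]
    return len(set(hits)) if unique_only else len(hits)

def aggregate_score(text: str) -> int:
    """Aggregate-score mode: sum the weight of every dictionary term seen."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum(WEIGHTED_DICTIONARY.get(w, 0) for w in words)

def evaluate(text: str, mode: str, action_at: str, unique_only: bool = False):
    """Return (value, severity, take_action) for one file under one rule."""
    if mode == "record":
        value, thresholds = record_count(text, unique_only), RECORD_THRESHOLDS
    else:
        value, thresholds = aggregate_score(text), SCORE_THRESHOLDS
    level = severity_for(value, thresholds)
    order = [name for name, _ in thresholds]
    take_action = level is not None and order.index(level) >= order.index(action_at)
    return value, level, take_action

# Constructed file: one card number seven times, three other valid numbers, and
# one 16-digit string that fails Luhn (which the count must ignore).
CARD_FILE = (
    "card 4111111111111111\n" * 7
    + "card 5500000000000004\ncard 6011000000000004\ncard 4012888888881881\n"
    + "ref 1234567890123456\n"
)
NOTES_FILE = "Patient record for patient: SSN on file, marked confidential."

if __name__ == "__main__":
    print(evaluate(CARD_FILE, "record", "High"))
    print(evaluate(CARD_FILE, "record", "High", unique_only=True))
    print(evaluate(NOTES_FILE, "score", "Low"))
```

With the action set at High (10 records), the default count reaches 10 and the policy fires; counting unique records gives 4, which is only Low, so no action is taken, exactly the situation the text describes. The notes file scores 25 + 25 + 40 + 10 = 100 and lands on Low.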
• Requires Advanced DLP license.
• Available for both Real-time Protection and
API Data Protection policies.
• Max file size is 4 MB by default.
• OCR supports these file types:
png, pjpeg, jpeg, gif, bmp, jp2, tiff, x-ms-bmp
• Supported images embedded in PDF, MS Office,
and archives are extracted and scanned.
• There is no “OCR Policy.” OCR scanning is a passive function.
Optical Character Recognition (OCR)
Optical Character Recognition, or OCR, requires an Advanced DLP license and is available for both Real-time 
Protection and API Data Protection policies. Currently, there is a 4-megabyte size limit on files that OCR can 
process. OCR supports scanning the image file types shown on the slide. Additionally, OCR is able to extract and 
scan supported images that are embedded in PDF and Microsoft Office files. It can also extract and inspect 
images stored in archives such as zip files up to 8 folder levels deep. It is important to note that there is no specific 
OCR policy to configure because OCR scanning is a passive function.
The diagram on the right of the slide depicts the OCR process. Traffic from both the Netskope proxy and API 
connectors arrives at the first level of Netskope servers, which notice that the policy encompasses DLP. So they 
offload the files to a bank of DLP servers, where clear text is extracted and DLP rules are applied. If any image 
files are detected, they are offloaded to a bank of OCR servers which inspect the image files and extract any clear 
text that they can. This text is then fed back into the DLP engine, which scans the content and takes a policy action 
if any violations are detected.
• Recommended: Use the built-in regulatory profiles vs. using custom DLP 
profiles when possible. 
• DLP helps manage risk, not eliminate it.
• False positives and false negatives are a fact of life with DLP (the goal is to 
minimize them).
• Identify your high value assets (what matters most).
• Build well defined DLP rules.
– Constrained search using AND increases false negatives.
– Inclusive search using OR increases false positives.
– Include context when building your rules!
– Leverage fingerprinting and Exact Match.
– Adjust the threshold levels to match business process.
Avoiding DLP misclassification
Netskope has several recommendations and guidelines to help avoid DLP misclassifications.
• We recommend that you use the built-in regulatory profiles, such as GDPR and PCI-DSS, rather than creating 
your own custom profiles. The built-in profiles include everything that is needed to meet statutes and regulations.
• Understand that DLP helps manage risk, but it cannot completely eliminate it. DLP is not a silver bullet.
• Remember that false positives and false negatives are a fact of life with DLP. Take a constructive approach of 
tuning your policies over time until you're seeing more accurate results. 
• Identify your high-value assets first. Identify the files and folders that are the most important and sensitive and 
that could have a significant impact on your organization if they are ever exposed. Once you have secured these 
assets, you can extend DLP policies to less sensitive documents over time.
• Build well-defined DLP rules.
– Using AND statements in your DLP rules tends to increase false negatives. The reason for this is that all 
parts of the statement must be true before the rule will trigger a match.
– Similarly, using OR statements tends to increase false positives, because if any parts of the statement are 
true, then the rule will trigger a match.
– When building DLP rules, make sure to include as much context as possible. Looking for identifiers like driver 
license number and credit card number within a reasonable proximity of associated identifiers such as phone 
number and address will improve the relevancy of your rules.
– Leverage fingerprinting and Exact Match whenever possible.
– Also, tweak severity threshold levels to match your business processes. For example, suppose you're 
creating DLP rules for a large hospital, and you know that the Accounts Receivable administrator is allowed 
to pull up one Social Security number and up to two credit card numbers for an individual patient, because for 
large bills, the charge might need to be spread out across two separate credit cards. As long as the employee 
doesn't try to pull up more information than they are allowed to, you do not want to see a DLP alert, because 
things are going according to standard business process. However, if the employee suddenly tries to pull 
several Social Security numbers and credit card numbers in a very short timeframe, you do want to see DLP 
alerts, because this behavior falls outside of standard business process and needs to be investigated.
Policies
• Overview of Netskope Policies 
• DLP Rules/Classifications
• Profiles
• Actions
• Quarantine
Next, let’s discuss policy profiles.
• A profile is essentially a 
container for efficiently 
grouping related rules.
• The rules in the profile 
must be of the same type.
Example: DLP profiles can 
only contain DLP rules and 
Fingerprint Classification 
rules.
• Profiles are located at 
Policies > Profiles.
Overview of profiles
Profiles are essentially containers that enable you to efficiently group related rules. In the screenshot on the slide, 
you can see that the predefined DLP profile “Payment Card Industry Data Security Standard” contains 8 DLP rules 
designed to detect credit card information to meet regulatory requirements for Payment Card Industry Data 
Security.
Note that the rules and other policy objects in a profile must all be of the same type. For example, DLP profiles can 
only contain DLP rules, classifiers, and fingerprint rules.
To access profiles in the Netskope tenant, go to Policies, and then under Profiles, click a profile type.
Example of creating a custom profile: DLP
Policies > Profiles > DLP > New Profile
Netskope recommends using predefined profiles as much as possible. However, you can also create custom 
profiles, if needed. For example, to create a custom DLP profile in the Netskope tenant, click Policies. Under the 
“Profiles” heading, click DLP, then click New Profile. The DLP Profile wizard guides you through the process of 
selecting file profiles, DLP rules, classifiers, and fingerprint rules that were created previously, and then specifying 
a name for the profile.
Constraint profiles allow you to select Matches or Does not match for 
specific details.
Example: Does not match Business Box users *@netskope.com
Constraint profile: User
In addition to DLP profiles, you can create a variety of other types of profiles, such as constraints. Constraint 
profiles let you determine whether a specific detail matches or does not match against data that is being inspected. 
The screenshot on the slide shows a user constraint profile for Business Box users that uses the Does not match
option to check for usernames specified in the form of an email address. In this case, the user constraint includes 
an asterisk wildcard before the @netskope.com domain to indicate that if someone is trying to sign in to Business 
Box with a username that does not end in “netskope.com”, they will be blocked.
The same concept relates to AWS S3 
buckets in specific regions.
Constraint profile: Storage
The storage constraint profile lets you specify constraints for cloud storage, such as S3 buckets in the Amazon Web Services infrastructure. These buckets can exist in different geographic regions, so when you set up a storage constraint you can choose to match or not match specific accounts, buckets, and regions.
Adding an application instance
Application instances can be added at Skope IT > Application Events and 
used in Real-time Protection policies.
Click the magnifier icon next 
to an Application Event to 
view details.
Click New App Instance to 
add the app instance name.
Netskope can identify the application instance for many types of applications. However, sometimes the instance 
name is not detected automatically. Because names are required to reference app instances in Real-time 
Protection policies, Netskope provides a way to add missing names from the Skope IT Application Events page. 
Locate an event for the application you want to reference in a policy, then click the magnifying glass icon at the 
far left of the event. This opens the event details.
In the example on the slide, the details for a Box event show that the Instance Name field is empty. To specify a 
name for the instance, click the New App Instance link.
Using application instances in Real-time Protection policies
Specify an App Instance name:
In the Real-time Protection Policy, set 
Destination as AppInstance and select the App 
Instance you created.
In the “Create Application Instance” dialog, specify a name for the app instance and click Save. You can then 
choose App Instance as the destination in a Real-time Protection policy and select the specific app instance by 
name.
Policies
• Overview of Netskope Policies 
• DLP Rules/Classifications
• Profiles
• Actions
• Quarantine
Next, let’s talk about policy actions.
Policy actions
• Real-time Protection actions
– Depend on policy type and settings
– Are things that can be done to inline traffic (e.g., User Alert, Block)
• API Data Protection actions
– Differ per cloud application
– Are things that can be done to data at rest (real-time actions such as User Alert and Block are not supported)
The list of actions available when building policies varies depending on the context you’re working in. For example, 
with Real-time Protection policies, different actions are available depending on policy type and settings. The 
screenshot in the upper-right of the slide shows the list of actions you might see if you are creating a Real-time 
Protection policy of the Web Access type, with specific categories selected (such as Gambling, for example), and 
with no activities or profiles selected. Simply adding another category to the policy can change the list of available 
actions. For example, adding the category Business Process Management after the Gambling category removes 
the User Alert option from the list of available actions because this particular action is not supported for the 
Business Process Management category.
With API Data Protection policies, the list of available actions varies depending on the cloud application and which 
API operations it supports. None of the real-time actions are available in API Data Protection policies, such as 
displaying a popup notification on the user’s endpoint device or blocking users from downloading or uploading 
files. The only supported actions are those that can be performed after the fact, using a cloud app’s APIs to inspect 
data at rest. The screenshot in the lower-right of the slide shows the list of available actions for Google Drive, 
which supports such API operations as Change Ownership, Encrypt, Legal Hold, and more.
********************
Further information
For more information about supported API Data Protection policy actions, refer to the following:
https://docs.netskope.com/en/api-data-protection-policy-actions-per-cloud-app.html
Custom notifications
You can customize:
• Logo
• Title
• Subtitle
• Message
• Footer
• Justification
• Action
Policies > Templates > User Notification
Another feature of policies is the ability to specify custom block pages and user alert or coaching messages, 
otherwise known as user notification templates. For example, you can insert a custom logo, a title and subtitle, a 
message, a footer, justification settings, and an option for the user to take an action. Fields and settings that have 
a red asterisk next to them are mandatory.
Notification variables
• Application name
• Category name
• URL accessed by user
• Domain accessed by user
• Activity performed
• Triggered policy name
• User Email / File Owner
• Application Instance
• File name
User notification templates also allow you to use variables to extract details from event logs and insert this 
information into user alert messages. In the screenshot on the slide, you can see that the Subtitle and Message
fields have an “Insert Variable” option. Two variables have been inserted into the text in the Message field—the 
{{NS_FILENAME}} and {{NS_APP}} variables. These variables will insert the name of the file the user is trying to 
upload and the name of the cloud app that the user is trying to upload the file to.
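How such a template expands, as an added illustration that is not Netskope's own renderer (the page does not show its internals): the two variable names used above are substituted from a constructed event record. Because the file name and app name are taken from the user's own activity, the example HTML-escapes them on the assumption that the block page is rendered as HTML, and a hypothetical unknown variable name expands to an empty string rather than being echoed back into the page.

```python
import html
import re

# Placeholder syntax as shown on the slide: {{NS_FILENAME}}, {{NS_APP}}.
VAR_RE = re.compile(r"\{\{(NS_[A-Z_]+)\}\}")

def render(template: str, event: dict, as_html: bool = True) -> str:
    """Expand {{NS_*}} placeholders from an event record. Values originate from
    the user's activity (for example a file name they chose), so they are
    escaped before being placed in an HTML block page (assumption); names
    missing from the event expand to an empty string."""
    def substitute(match):
        value = str(event.get(match.group(1), ""))
        return html.escape(value) if as_html else value
    return VAR_RE.sub(substitute, template)

# Constructed event using the two variable names shown on the slide.
EVENT = {"NS_FILENAME": "<b>q1-forecast.xlsx</b>", "NS_APP": "Box"}
TEMPLATE = "Upload of {{NS_FILENAME}} to {{NS_APP}} was blocked by policy."

if __name__ == "__main__":
    print(render(TEMPLATE, EVENT))
```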
Putting it all together: Building a Netskope policy
Custom rule
Custom Identifiers
• (C0) - Case Insensitive: private
• (C1) - Case Sensitive: confidential
Expression
• C1 NEAR C0
• Proximity Check: 100 characters
Scan section
• Metadata & Content
• Record Scanning Off
Severity Threshold
• Low Severity: 1
• Medium Severity: 25
• High Severity: 100
• Critical Severity: 1000
• Take policy action at Low Severity
Custom profile (contains the custom rule)
Real-time Protection Policy
User = jali@kkrlogistics.com
Application = Microsoft Office 365 Outlook.com
Activities = Post, Send
DLP Profile = Custom profile
Action = Block
Now let's look at an example of policy building that rolls together everything we've been talking about so far. The 
goal of this policy is to block a specific person from using the cloud version of Outlook to post or send content that 
contains a specific keyword.
First, we'll create a custom DLP rule. This rule will check for two custom data identifiers. The first identifier, C0, is 
the case-insensitive keyword “private”. The second identifier, C1, is the case-sensitive keyword “confidential”. The 
rule will check whether these two identifiers appear within 100 characters of each other. Both metadata and 
content will be inspected for the keywords, and “Record Based Scan” will be turned off because we intend to use 
the rule to scan unstructured text files, not structured files such as spreadsheets or CSV files. We will set the 
Severity Threshold so that Low severity is 1 match, Medium is 25, High is 100, and Critical is 1000 matches. The 
policy action will be triggered at Low severity.
We will then add the custom rule to a custom DLP profile.
Finally, we will create a Real-time Protection policy for Cloud App Access, selecting a specific user as the source. 
We will select “Microsoft Office 365 Outlook.com” as the destination, with “Post” and “Send” as the activities. We 
will select our custom DLP profile that contains our custom DLP rule, and we will select “Block” as the policy 
action. We'll name the policy and save it, choosing to place the policy at the top of the stack because it is very 
specific, applying only to a very narrow set of criteria.
Policies
• Overview of Netskope Policies 
• DLP Rules/Classifications
• Profiles
• Actions
• Quarantine
Finally, let’s take a few moments to discuss how to use quarantine capabilities in Netskope policies.
Quarantine: Use cases
Use case 1: Real-time Protection
Some users have been trying to upload confidential files to unmanaged cloud 
storage apps. Company policy dictates that such actions must be blocked until 
the Risk Officer has examined the files, asked users for their justifications, and 
decided on a case-by-case basis whether to allow the uploads. Until this task 
is completed, the blocked files need to be stored in a secure location.
Use case 2: API Data Protection
An organization runs regular scans on data at rest in their managed cloud 
storage app. If PII data is detected, the affected files need to be moved to a 
safe location until the Risk Officer can investigate.
To set the stage for a discussion about using quarantine capabilities in Netskope policies, here are a couple of use 
cases.
The first use case applies to Real-time Protection. Suppose that an organization’s Corporate Security team has 
discovered that some of their users are trying to upload what appear to be confidential files to unmanaged cloud 
storage apps. Company policy dictates that such actions must be blocked until the Risk Officer has had a chance 
to examine the files, has contacted the users and asked them to provide justifications for their actions, and has 
decided on a case-by-case basis whether to allow or continue blocking the upload attempts. Until the Risk Officer 
is able to complete this task, the blocked files need to be stored in a secure location so they can be examined.
The second use case applies to API Data Protection. In this case, suppose that an organization regularly scans 
files stored in their managed cloud storage app. If Personally Identifiable Information, or PII, is ever detected, the 
organization’s standard procedure is for the Risk Officer to review the affected files and determine if any further 
action needs to be taken. In the meantime, the files containing the sensitive information need to be moved to a 
safe location.
These use cases illustrate the kinds of situations that the quarantine function is designed to address.
Quarantine Instances
• Quarantine Instances are special
API-enabled Protection app instances.
• Files on managed cloud apps that 
violate DLP policies can be moved 
into a Quarantine Instance.
– When a file is quarantined, a 
“tombstone” file is created in its place.
– A custodian must review quarantined 
files and decide whether to restore or 
block the files.
Netskope uses special API-enabled Protection app instances called Quarantine Instances to manage file 
quarantine operations. This special instance is created by selecting the Quarantine instance type when you are 
adding access for a managed SaaS app in the Netskope tenant.
You can configure DLP policies to move files into a Quarantine Instance when sensitive data is detected. When a 
file is moved, a “tombstone” file is created in the place of the original file to serve as an indicator to the file’s owner 
that a quarantine operation has taken place. At that point, the original file will remain in the Quarantine Instance 
until an administrator has reviewed the file to determine if the quarantine operation was warranted, and to decide if 
the file should be restored to its original location or remain in its blocked state.
Quarantine profiles
Policies > Profiles > Quarantine > New Quarantine Profile
File moved into 
quarantine folder
After you have created a Quarantine Instance, you must create a Quarantine Profile. Creating this profile enables 
the Netskope tenant to create a Netskope Quarantine folder in the managed cloud app and lets you add 
quarantine actions to your policies.
To create this profile, go to Policies in the Netskope tenant, and under Profiles, click Quarantine. Click New 
Quarantine Profile and give the profile a name. Next, select a managed cloud app and its Quarantine Instance. In 
the User Email field, provide the email address of a user who has administrative access to the managed cloud 
app. This level of access is required to create the quarantine folder, as well as to move files into the folder and 
back out again as needed. In the Notification Emails field, you can add the email addresses of individuals who 
you want to receive a notification when files are placed in quarantine.
Quarantine: Remediation
Access the Quarantined Files dashboard to:
• Download quarantined files for investigation
• Restore or block quarantined files
• Contact file owners via email
Incidents > Quarantine
The Quarantined Files dashboard in the Netskope tenant enables you to manage files in your Quarantine 
Instances. To access this dashboard, go to Incidents and then click Quarantine.
To remediate a quarantined file, select a profile from the Quarantine Profile drop-down list. All the files that have 
been moved to the Quarantine Instance associated with the selected profile are then displayed. To review the 
contents of a file, select the file and click Download Files. You can also take an action on the file, such as 
Restore or Block, and you can contact the file's owner by email.
Lab A: Metadata DLP Policy
Time: 35 minutes
This chapter includes a lab to practice some of the concepts you learned about.
Netskope Client (Managed Device)
Welcome to the Netskope Client chapter, in our Netskope Security Cloud Operation and Administration Course.
The Client is a simple non-intrusive application that steers traffic from the end-user’s device to the Netskope cloud.
Objectives
• Explain how the Netskope Client operates on various platforms
• Install the Netskope Client on various platforms
• Configure the Netskope Client to steer various traffic
The objectives covered in this chapter explain how the Netskope Client operates and steers traffic on the various 
platforms the Netskope Client is supported on. We will also go through the installation options of the Netskope 
Client, and how to set up various steering configurations to steer traffic from the Client to the Netskope Cloud.
Netskope Client
• Introduction
• Desktop Client
• Mobile App
• Administration and Configuration
• Deployment Options
Let’s look at an overview of the Netskope Client.
Netskope Client - Introduction
• One of the many deployment options of the 
Netskope solution
• Forward Proxy Steering Mechanism
• Lightweight
– Only steers the traffic to the Netskope tenant instance
– No packet processing performed on the endpoint
– Non-intrusive application that steers traffic from the 
user’s device to the Netskope cloud
• Available for popular operating systems
The Netskope Client is one of many deployment options of the Netskope solution. It is a forward proxy steering 
mechanism. It provides authentication through the Netskope Security Cloud Platform, or in other words, the data 
plane. With a forward proxy steering mechanism, traffic is steered from the Netskope Client to the Netskope Cloud 
or data plane. The proxy server generates trusted certificates for cloud app domains, serving them up to the 
requesting Clients to establish a trusted path. 
With the Netskope Client, we only steer traffic to the Netskope tenant and do not perform any packet inspection or 
policy processing on the endpoint.
Let’s go over a forward proxy steering example as it relates to Netskope. A user that has the Netskope Client 
installed, browses to a website, for example, box.com. The Client steers this traffic, taking the connection with the 
destination IP address and destination name and runs it through a tunnel to the Netskope Cloud (dataplane). 
Netskope inspects the request and evaluates the policies set and if the policy permits, routes the request to the 
destination on the user’s behalf. The user’s computer doesn’t know that the request has been sent to Netskope 
and thinks that it is connecting directly to box.com. The Netskope Client connects to the Netskope Proxy which 
then connects to box.com. The source IP address will be a Netskope source IP address associated with that 
dataplane. 
You would normally connect to websites using HTTPS. (HTTPS = HTTP using TLS to encrypt normal HTTP 
requests and responses and digitally sign those requests and responses.) When you connect to a secure website, 
for example, www.box.com, the website sends back a server certificate. That server certificate is signed by a 
public certificate authority (CA). The public certificate authority is stored in your CA certificate store or database 
that is either built into your operating system or built into your application. Your web browser uses the CA authority 
certificate to authenticate content sent from web servers, verifying that the content you see is really coming from 
box.com. When the web request is sent to Netskope, the server certificate goes to the Netskope Proxy and 
Netskope issues a new server certificate that was not signed by the public CA. The original server certificate is 
accepted by the NS proxy and used to connect encrypted to box.com. The Netskope Proxy decrypts everything it 
gets from box.com and then if policies allow it, the Netskope Proxy re-encrypts the information with the new server 
certificate and sends it to your Client. This new server certificate is signed by a private certificate authority, namely 
the Netskope tenant. The Netskope’s CA certificate is one of the things that gets installed during a Netskope Client 
installation.
Benefits of the Netskope Client
Deploying the Netskope Client enables you to:
• Have visibility into all users on and off premises
• Have visibility into all managed and unmanaged applications
• Browser traffic and native application traffic supported
The Steering Configuration in the Netskope admin console defines the domains and apps to be steered to the 
Netskope cloud. This configuration is distributed to all the Clients and kept up-to-date on a regular basis. 
You can steer both browser and native application traffic, no matter if the user is on prem or off prem, so you can 
have visibility and control of what users are doing on their devices. 
================================================
Native application = Examples of native applications are Box, OneDrive, and Salesforce. These applications are 
cloud-based applications, and the cloud-based application provider has created a cloud-based app that you can 
install outside of using it in a web browser. This is quite common on mobile devices, installing apps like Box, 
OneDrive, Salesforce, Okta, etc. from the Google Play store or the Apple App store.
Native apps are also prevalent on desktop operating systems. For example, there is a Google Drive app you can 
install, and after the installation Google Drive shows up as a drive letter.
Netskope Client
• Introduction
• Desktop Netskope Client
• Mobile App
• Administration and Configuration
• Deployment Options
Let’s look at the components of the Desktop version of the Netskope Client.
Netskope Client – Supported Hosts (1 of 2)
Windows hosts
• Windows 10
• Windows 11
• Windows Server 2016, 2019, 2022
Google hosts
• Android OS
– 11 (Red Velvet Cake)
– 12 (Snow Cone)
– 13 (Tiramisu)
• ChromeOS 84 and above
• Android Runtime Version 9, 11
Linux hosts
• Ubuntu 18.04 LTS desktop version
• Ubuntu 20.04 LTS desktop version
• Ubuntu 22.04 LTS desktop version
• Linux Mint versions 19, 20, 21 (Cinnamon Edition)
Multi-user Platforms
• Windows Terminal Server
– 2016
– 2019
– 2022
• VDI
– Citrix Xen Desktop, XenApp 7.13
– Azure Virtual Desktop
Here are the lists of supported platforms that the Netskope Client can run on. Netskope supports a wide range of 
operating systems including Linux based hosts, Windows Terminal Server, and VDI systems like Citrix Xen 
Desktop and Azure Virtual Desktop.
Netskope uses the standard Microsoft formatted installer file, or MSI package to install the Netskope Client on 
Windows platforms. No reboot is required for the installation and the Netskope Client runs on 7MB of RAM. The 
Netskope Client opens a TLS tunnel and uses services inside the operating system to redirect traffic to that tunnel. 
Running a TLS tunnel is easy with little RAM and processing power. No inspection is done locally – everything is 
sent to Netskope to inspect.
==========================================================
Windows based hosts:
• Netskope Private Access (NPA) is not supported for devices running Windows 10 and 11 on Snapdragon-based 
PC.
• CASB/SWG is supported on Windows 11 with the Snapdragon chipset.
• Netskope Private Access is not supported on any Windows device where multiple users are logged in 
concurrently. Examples include Citrix XenApp (Virtual Apps), Microsoft Terminal Servers, and Microsoft AVD 
with multiple concurrent users enabled.
• Windows 8.1: Netskope will only provide bug fixes for identified security vulnerabilities. New features (Cloud 
Firewall and Self Protection) will only be available on Windows 10 and later.
• Netskope will provide support for Windows 7 if you have the Microsoft extended support contract.
• Netskope announced end of support for Windows 8.1 in September 2023.
Linux based hosts:
• Netskope Cloud Firewall (CFW) is not supported on the Linux Client. 
• Netskope Private Access (NPA) for Linux Client on Ubuntu 18 and 20 is currently in early availability. Please 
contact your account representative for early access.
Google hosts:
• Netskope has announced end of support for Android 9 and 10. Please check the Support website for 
more details.
• Netskope Client does not support ARM32 based Android devices.
• Cloud Firewall (CFW) is not supported on Netskope Client for Android devices.
Multi-user Platforms:
Citrix Xen Desktop – Supported OS: 
• Windows 2019, Windows 10 (single session only)
• Windows server (multi session)
Azure Virtual Desktop – Supported OS: Windows 10 and 11
Netskope Client – Supported Hosts (2 of 2)
macOS hosts
• 11 (Big Sur)
• 12 (Monterey)
• 13 (Ventura)
• 14 (Sonoma)
iOS hosts:
• 15.1
• 16
• 17
A few items to consider here when installing the Netskope Client on macOS systems.
Big Sur: Starting with macOS 11, Apple has dropped support for kernel extensions (KEXT) in favor of Network 
Extensions.
Support for non-standard web ports has been added to macOS 11.x (Big Sur) and 12.x (Monterey).
With macOS 13 (Ventura), Netskope has validated traffic steering and general Netskope Client functions. 
The macOS install package is a pkg based installer that can be distributed with JAMF (mac software distribution 
platform) with a small RAM footprint.
==============================================================================
Notes:
Netskope has observed a few known issues with macOS Ventura running as a virtual machine. To learn more, log 
in to support.netskope.com and view the article "Support for macOS Ventura."
Desktop Netskope Client – High Level Architecture
TLS Tunnel
The main job of the Netskope Client is to redirect traffic using a TLS tunnel to the Netskope cloud platform.
The ST Agent Service is the technical term for the Netskope Client. The Netskope Client runs a service in the 
operating system that opens a secure tunnel to the Netskope Cloud (or Dataplane), as shown by the orange arrow. 
The Client service finds the dataplane closest to the public IP address of the ISP the Client system is connected to. 
The client periodically downloads files from the Dataplane – configuration changes, CA certificates, gateway host 
and port information, etc. When you need to make configuration changes to the Netskope client, the change is 
made from the Netskope tenant. For example, if you want to update steering exceptions, or set the Client to auto 
upgrade, you log in to the Netskope tenant and make the changes there. These configuration files do not control 
policy. Policy changes are done in the Netskope cloud – it takes less than a minute for policies to be applied from 
the cloud. For configuration changes, the Netskope Client will connect to the Netskope Cloud once an hour to 
check for configuration updates. If the Netskope Client needs to download certificates, it opens a TLS tunnel on 
TCP port 443 (the same kind of tunnel your web browser opens when connecting to your bank’s secure website).
The ST Agent service sends information to the Netskope tenant about the user on the device, for example, this 
user is millie.meter@acme.com. Netskope distinguishes users by their corporate email address, and this is how 
policies can be applied specifically to that user as well as determine what traffic to steer.
How does the ST Agent service steer traffic? Normally, traffic would go straight through the NIC and out to the 
Internet. With the Netskope Client architecture, a native IP filter driver, built into the operating system (both for 
Windows and macOS systems), sends the traffic to the ST Agent service over an IPC (interprocess communication) 
connection. The filter driver listens for traffic connecting to certain public IP addresses. The yellow arrow 
represents the IPC connection between the filter driver process and the ST Agent service process: instead of 
sending the traffic out through the NIC, the IP filter driver redirects it over the IPC connection to the ST Agent 
service (the Netskope Client service), which then sends the traffic through the tunnel to the Netskope Cloud where 
policies are applied.
===============================================
Note: The IP filter driver can listen for traffic to certain IP addresses, and not hostnames, to redirect that traffic to 
the Netskope service. 
Desktop Client – Packet Flow
[Diagram: packet flow between the Browser, ST Agent Driver, ST Agent Service, DNS server, Netskope Cloud and 
SaaS server, with numbered steps 1 to 11 that are described below. Labels on the diagram:]
• Agent service establishes a TLS tunnel between the endpoint and NSGW
• Browser issues a DNS request for a SaaS domain (e.g., box.com)
• Driver captures the DNS response and creates a map of domain and IP address (e.g., box.com – 74.112.184.73)
• Browser receives the DNS response (e.g., 74.112.184.73)
• Browser sends packets to the SaaS server (e.g., 74.112.184.73)
• Driver captures the packets and indicates to the ST Agent Service
• ST Agent service sends the packet to the Netskope Gateway in the TLS tunnel
• Netskope proxy initiates a new connection to the SaaS domain (e.g., box.com); the connection to the SaaS 
domain is terminated here
• SaaS server (box.com) sends the response back to the client
• NSG sends the packets to the ST Agent service in the TLS tunnel
• ST Agent service sends ingress packets to the driver
• Driver injects the ingress packets into the system stack
• Browser receives the response
Referring to the numbered circles:
(1) Once the Netskope Client is installed and running, the ST Agent service establishes a TLS tunnel to the 
Netskope Cloud or Gateway (NSGW = Netskope Gateway)
(2) When you browse to www.box.com, a DNS request is sent out for an A record for the public IP address of that 
SaaS domain (box.com). 
(3) The ST Agent service (Netskope Client) listens for the answer to that A record. If it’s traffic that doesn’t have a 
steering exception, the ST Agent service creates a map of the domain and IP address and programs the IP 
filter driver so whenever a user needs to connect to box.com, the IP filter driver will send the traffic to 
Netskope instead. This works for both native applications and web browsers because both do DNS requests. 
(4) The browser receives the DNS response with the IP address of 74.112.184.73.
(5) The Browser starts to connect to the public IP address and the ST Agent driver captures the packets, listening 
on TCP ports 80 and 443 (if you are using Netskope for Web and Cloud) for the IP address. The ST Agent 
driver also indicates to the ST Agent service that there is a connection request. 
(6) The request gets redirected to the TLS tunnel to the Netskope Cloud.
(7) Netskope applies policy, and if policy allows, the connection goes through to box.com.
(8) Box.com sends the response back to the Netskope Cloud.
(9) The Netskope Secure Gateway sends the packets through the TLS tunnel to the ST Agent service. 
(10) The ST Agent service sends the packets to the ST Agent driver and
(11) The browser receives the response.
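The numbered flow above, as an added worked example that is not Netskope's code: a small JavaScript model of how the ST Agent service turns DNS answers into the IP-based rules the driver matches on, and how the driver then decides whether an outbound connection goes into the tunnel or straight out of the NIC. The managed-domain list, the exception list and the unmanaged address are constructed for the example (74.112.184.73 is the address used in the diagram). It also shows the consequence of the driver keying on IP addresses rather than hostnames, which the note above points out: when two names resolve to the same address, the most recent DNS answer decides in this model.

```javascript
// Added example, not Netskope code: models the DNS-to-IP steering in steps 1-11.
// The driver only matches destination IP and port, so the service must translate the
// steering configuration (domain names) into IP rules from the DNS answers it sees.
// Every domain list and address below is constructed sample data.

const steeringConfig = {
  managedDomains: ["box.com", "salesforce.com"], // steer to the tunnel
  exceptions: ["status.box.com"],                // steering exceptions: always direct
  capturedPorts: new Set([80, 443]),             // ports the driver intercepts
};

// Exact or subdomain match, case-insensitive ("app.box.com" matches "box.com").
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

class SteeringAgent {
  constructor(config) {
    this.config = config;
    this.ipMap = new Map(); // ip -> hostname: the rules programmed into the driver
  }

  // Step 3: the service sees a DNS answer and decides whether the name is steerable.
  // An exception overrides a managed-domain match.
  onDnsResponse(hostname, addresses) {
    const managed = this.config.managedDomains.some((d) => domainMatches(hostname, d));
    const excepted = this.config.exceptions.some((d) => domainMatches(hostname, d));
    const steer = managed && !excepted;
    for (const ip of addresses) {
      // The driver keys on IPs only, so one address carries one rule at a time.
      if (steer) this.ipMap.set(ip, hostname);
      else this.ipMap.delete(ip);
    }
    return steer;
  }

  // Step 5: the driver sees an outbound connection attempt and matches ip + port.
  onConnect(ip, port) {
    if (!this.config.capturedPorts.has(port)) {
      return { action: "direct", reason: "port not captured" };
    }
    const host = this.ipMap.get(ip);
    if (host === undefined) {
      return { action: "direct", reason: "no rule for ip" };
    }
    return { action: "tunnel", host };
  }
}

// Walk the flow with constructed traffic and return every decision.
function simulate() {
  const agent = new SteeringAgent(steeringConfig);
  const out = {};
  agent.onDnsResponse("www.box.com", ["74.112.184.73"]); // address from the diagram
  out.boxHttps = agent.onConnect("74.112.184.73", 443);  // steered into the tunnel
  out.boxSsh = agent.onConnect("74.112.184.73", 22);     // port not captured: direct
  agent.onDnsResponse("example.org", ["203.0.113.5"]);   // unmanaged site: no rule
  out.unmanaged = agent.onConnect("203.0.113.5", 443);
  // Edge case: an excepted name resolving to the same address as a managed one.
  // The driver cannot tell the two apart, so the latest DNS answer wins here.
  agent.onDnsResponse("status.box.com", ["74.112.184.73"]);
  out.afterException = agent.onConnect("74.112.184.73", 443); // now direct
  return out;
}

console.log(JSON.stringify(simulate(), null, 2));
```

The shared-address case at the end is the practical reason steering exceptions are usually expressed by destination rather than by overlapping hostnames: an IP-only interception point has no hostname to disambiguate with until the TLS handshake reaches the proxy.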
Desktop Client – Advanced Features
• Support for transparent proxies 
(without SSL inspection)
• Support for explicit proxies
– Multiple proxy IP addresses
– Static configuration
– PAC file configuration
– WPAD configuration
• Interoperability support with most VPN 
clients (Layer 3 and 4 VPNs)
• Client Fail-Open in case of tenant 
connection failure events
– Heartbeat towards Netskope gateway
– Client disables itself upon failure detection
• Backwards compatibility for older 
versions
– 1 release per month, 1 golden release per 
quarter 
– Backward compatibility, support for up to 2 
golden releases 
A transparent proxy sits between clients and the internet, intercepting connections. The proxy intercepts requests 
by intercepting packets directed to the destination, making it seem as if the request is handled by the destination 
itself. When a transparent proxy is used, the user’s actual IP address is made public in the HTTP header. The 
transparent proxy only verifies and identifies your connection; it does not protect or modify your IP address. 
The Netskope Client provides support for transparent proxies without SSL inspection. If there is SSL decrypting 
between the Netskope Client and the Netskope gateway, this will break the connection and disable the Client. A 
certificate validation is done between the Client and the gateway.
The Netskope Client also provides support for explicit proxies. If you have an explicit proxy on-premise, Netskope 
then determines what HTTP CONNECT requests are being sent out. Some configurations will let the explicit proxy 
handle all the web traffic and the Netskope Client will steer cloud application traffic. 
You can set up an account on support.netskope.com and search the support documentation for setting up 
interoperability between the Netskope Client and Cisco, Fortinet, and Palo Alto Networks VPNs. 
You may need to adjust the third-party VPN connections so that the VPNs do not receive the Netskope traffic.
Client Fail-Open (this is the default action):
If the Netskope Client cannot get a connection to the Netskope Tenant, the Client does a Fail-Open. The filter 
driver stops trying to redirect traffic to Netskope. The Netskope Client will continue to send a heartbeat to the 
Netskope Gateway and find an available Netskope data plane. If a data plane is found, the TLS tunnel is 
reestablished, and traffic is routed to Netskope once again. 
Example: You are connected to a hotel guest Wi-Fi connection, and the connection is only valid for 24 hours. After 
that, your connection is dropped, and you must reauthenticate to get connected again.
The Netskope Client is backwards compatible to two golden releases prior to the current release. There is a new 
release every month, and every third release is a golden release. This means that there is a golden release once 
every quarter. So how do you figure out what the golden release versions are?
You can navigate to Settings > Security Cloud Platform > Netskope Client > Client Configuration. Click on 
the Default tenant config and under the Install & Troubleshoot tab, you can see the most recent release and 
most recent golden release. The screenshot shows the latest release is version 109 and the latest golden release 
is version 108. This means Netskope supports older Client versions down to version 102.
Desktop Client Installation
High Level Overview
• During the installation process:
– Client connects to addon-.(eu|de).goskope.com:443
– Client downloads “nsbranding.json”
• After the installation:
– Client connects to addon-.(eu|de).goskope.com:443
– Client downloads the certificates 
Root, Tenant specific and User certificates
– Client downloads the configuration files
Managed domains, SSL-pinned bypass, 
Exception List
During the installation of the Netskope Client, the Client connects to the add-on service on port 443 of your 
Netskope tenant and downloads the nsbranding.json file. This json file defines the identity of the Client: the user 
key, the organization ID, and the different hosts used by the Client for tenant connections.
After the installation is complete, the Client connects again to the add-on service of the Netskope tenant and 
downloads root, tenant, and user specific certificates, and also the configuration files.
The configuration files include:
• Auto upgrade information
• The version the Client is allowed to auto upgrade to
• The Netskope tenant that the Client connects to
• Any steering exceptions to bypass specific traffic
===================================================
Architecture is consistent for both Windows and Mac systems.
For email invitations sent to the user to download and install the Netskope Client, the installation package is 
unique to the user.
(1) Netskope agent installs CA Cert, branding and configuration files from .goskope.com
• Managed Domains for agents to steer
• SSL Pinned Apps to bypass
(2) Client establishes SSL Tunnel to gateway-netskope.goskope.com:443
In other Netskope Client installation methods, the installation package is not tethered to a specific user identity, 
and user identity is determined after the installation and service starts.
Desktop Client Installation
Components
• nsbranding.json
Defines the identity of the app: user key, organization ID, the different hosts used by the 
app for tenant connections, …
• nsconfig.json
– Configuration file for the Netskope app, containing update settings and versions
– Allows you to set log debug level, packet capture, …
• nsdomain.json
The list of managed domains
• nsbypass.json
The list of bypassed applications (SSL Pinned Apps)
• nsexception.json
The list of configured exceptions (Settings > Applications > Exception List)
Here is a list of the json files that are downloaded during the Client installation.
============================================================
For reference:
The installation files are stored in:
macOS files: /Library/Application Support/Netskope/STAgent
Windows files: /program data/netskope/stapp/data
Desktop Client Config Files and Logs
Client configuration files and debug logs are the primary sources of 
information for troubleshooting Client issues. They are found in the 
following locations:
• Windows:
Client configuration files: C:\ProgramData\netskope\stagent
Debug logs: C:\Users\Public\netSkope
• Mac:
Client configuration files: /Library/Application Support/Netskope/STAgent
Debug logs: /Library/Logs/netSkope
The client configuration files and debug log files are located as shown. These files provide useful information in 
troubleshooting Netskope Client issues.
Desktop Client Operation
Built-in Checks
• The app checks if proxy is present (example: Cisco)
• The app establishes a TLS tunnel towards:
gateway-.(eu|de).goskope.com
– The app verifies the offered certificate
• Needs to be tenant or another trusted certificate 
• The app verifies the proxy (tenant) health (every minute)
– Fail-open protection mechanism
The built-in checks include checking for the presence of an on-prem proxy service. If you have an explicit proxy, 
for example, a Cisco proxy configured in the Client configuration files, Netskope checks for this and steers traffic 
through the local proxy service.
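An added example, not Netskope's code, that models the two remaining built-in checks above together with the Client Fail-Open behaviour described under Desktop Client – Advanced Features: the certificate offered on the gateway tunnel must come from the tenant CA or another trusted issuer, and a health heartbeat that fails, or a certificate from any other issuer (for instance an SSL-decrypting device sitting between the Client and the gateway), puts the Client into fail-open until a later heartbeat succeeds. The issuer names and the probe results are constructed for the example.

```javascript
// Added example, not Netskope code: tunnel certificate validation plus the
// once-a-minute health heartbeat with fail-open, as a small state machine.
// Issuer names and probe results are constructed sample data.

const TRUSTED_ISSUERS = new Set([
  "CN=ca.example-tenant.goskope.com", // constructed stand-in for the tenant CA
]);

class TunnelSupervisor {
  constructor(trustedIssuers) {
    this.trustedIssuers = trustedIssuers;
    this.tunnelUp = false;
    this.steering = false; // the driver redirects traffic only while this is true
    this.log = [];
  }

  // Certificate check: the gateway must present a certificate issued by the
  // tenant CA (or another trusted CA). Any other issuer means something on the
  // path is terminating TLS, so the tunnel must not be used.
  verifyGatewayCert(cert) {
    return cert !== null && this.trustedIssuers.has(cert.issuer);
  }

  // One heartbeat cycle; `probe` is what this minute's health check observed.
  heartbeat(probe) {
    const healthy = probe.reachable && this.verifyGatewayCert(probe.cert);
    if (healthy && !this.tunnelUp) {
      this.tunnelUp = true;
      this.steering = true;
      this.log.push("tunnel established, steering enabled");
    } else if (!healthy && this.tunnelUp) {
      // Fail-open: stop redirecting so the user keeps working; keep probing.
      this.tunnelUp = false;
      this.steering = false;
      const why = probe.reachable ? "untrusted gateway certificate" : "gateway unreachable";
      this.log.push(`fail-open: ${why}`);
    }
    return this.steering;
  }
}

// Constructed sequence: normal start, an outage like the hotel Wi-Fi example,
// recovery, then a TLS-intercepting device appearing between client and gateway.
function runScenario() {
  const sup = new TunnelSupervisor(TRUSTED_ISSUERS);
  const good = { issuer: "CN=ca.example-tenant.goskope.com" };
  const intercepted = { issuer: "CN=Corporate Inspection CA" }; // constructed
  const probes = [
    { reachable: true, cert: good },
    { reachable: true, cert: good },
    { reachable: false, cert: null },
    { reachable: false, cert: null },
    { reachable: true, cert: good },
    { reachable: true, cert: intercepted },
  ];
  const states = probes.map((p) => sup.heartbeat(p));
  return { states, log: sup.log };
}

console.log(runScenario());
```

The important property from a defender's view is the last transition: reachability alone is not health. A gateway that answers but presents a certificate from an unexpected issuer is treated exactly like an outage, which is why an on-path SSL decryption device disables the Client instead of silently inspecting the tunnel.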
============================================================
Certificate example:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3315097 (0x329599)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=Los Altos, O=Netskope Inc, OU=a0086ca398d1354afb6e204634fc8cf2, 
CN=ca.emeaNSCOA.eu.goskope.com/emailAddress=certadmin@netskope.com
Validity
Not Before: Jan 7 11:25:48 2019 GMT
Not After : Jan 4 11:25:48 2029 GMT
Subject: C=US, ST=CA, L=Los Altos, O=Netskope Inc, OU=a0086ca398d1354afb6e204634fc8cf2, 
CN=dsinclair@netskope.com/emailAddress=dsinclair@netskope.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Linux Deployment
Currently, you need to contact Netskope Support to download the Linux installer.
To install the Netskope Linux Client:
1. Download the Client to the end-user system. From your terminal, run the following command: sudo ./NSClient.run
2. After the installation is complete, a popup window displays to provide the Netskope Tenant name and select 
the tenant domain.
3. Click Next to continue with enrollment. The user is redirected to their IdP login screen. The Authentication 
status message is displayed in the browser.
Once the user enrollment is complete, you can see the Netskope Client icon on the taskbar.
Netskope Client
• Introduction
• Desktop Client
• Mobile App
• Administration and Configuration
• Deployment Options
Let’s look at the deployment of the mobile versions of the Netskope Client. 
Mobile Deployments
iOS Profiles
• Support for iOS 15.1 and higher
• The iOS profile consists of
– A VPN configuration
• Certificate based, split tunnel, on-demand VPN
• Triggered by traffic towards any managed cloud application
• Split tunnel mode instructs iOS to consult the PAC before DNS
– A PAC file
• Contains the list of managed applications
• Resolves all apps to the unique proxy IP and port reachable through the VPN 
tunnel
The Netskope Client for iOS is called the iOS mobile profile. For iOS deployments, we install a mobile profile with a 
split tunnel VPN and a PAC file. 
The Netskope iOS mobile profile consists of two things. One is a VPN tunnel that connects to a 
gateway service in the Netskope data plane and directs traffic through that tunnel. The VPN tunnel is set up to a 
unique proxy IP and port for the tenant instance. This isn’t all that different from what the desktop Netskope Client 
does. 
This is a certificate based split tunnel because only the domains that are being steered are being sent through it, 
anything else that isn’t steered goes out through the NIC. The split tunnel mode instructs iOS to consult the PAC 
file before checking DNS.
The second item that is needed is a PAC profile on the iOS device. The PAC file contains the tenant specific list of 
managed applications and resolves all the apps to the unique proxy IP address and port reachable through the 
VPN. We use this method because there isn’t a filter driver on mobile devices.
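An added illustration, not the profile Netskope distributes, of what the PAC half of the iOS profile does: hosts of managed applications resolve to the tenant's unique proxy IP and port (which is what triggers the on-demand VPN), everything else returns DIRECT. dnsDomainIs and shExpMatch are normally supplied by the PAC runtime; minimal stand-ins are defined here so the file can be exercised under Node. The managed-app list, the bypass patterns and the proxy address 192.0.2.10:8080 (a documentation-range address) are constructed.

```javascript
// Added example, not Netskope's PAC file: a minimal PAC of the kind the iOS
// profile carries. The two helpers are stand-ins for PAC runtime built-ins.

// PAC runtime normally provides these; defined here only so the file runs in Node.
function dnsDomainIs(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h === d || h.endsWith(d.startsWith(".") ? d : "." + d);
}
function shExpMatch(str, pattern) {
  // Shell-style glob with '*' and '?' only, anchored at both ends.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Constructed tenant-specific data that a real profile would carry.
const MANAGED_APPS = ["box.com", "salesforce.com", "okta.com"];
const PROXY = "PROXY 192.0.2.10:8080"; // unique proxy IP:port reachable through the VPN
const BYPASS_PATTERNS = ["*.local", "localhost", "10.*", "192.168.*"];

function FindProxyForURL(url, host) {
  // Local names and private addresses never go to the proxy.
  for (const p of BYPASS_PATTERNS) {
    if (shExpMatch(host, p)) return "DIRECT";
  }
  // Managed cloud apps resolve to the tenant proxy; iOS brings the VPN up on demand.
  for (const app of MANAGED_APPS) {
    if (dnsDomainIs(host, app)) return PROXY;
  }
  return "DIRECT";
}

console.log(FindProxyForURL("https://app.box.com/files", "app.box.com"));
```

Because split-tunnel mode consults the PAC before DNS, the decision is made on the hostname the app requested, not on a resolved address, which is the opposite of the desktop driver's IP-based matching.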
Netskope iOS Profile
iOS Onboarding (1 of 2)
• When using manual deployment methods, the user is requested to 
install the mobile profile
The user needs to click Install to install the Netskope iOS mobile profile.
Netskope iOS Profile
iOS Onboarding (2 of 2)
• Click on More Details to review settings
Settings > General
Once the Netskope iOS mobile profile is installed, you can view Netskope’s CA certificates and user certificates on 
the iOS device.
Netskope iOS Profile 
Operation
• Managed cloud apps are steered to the Netskope tenant 
• The VPN badge appears in the top left corner
After installation, how does the mobile profile work?
When you connect to an application on your iOS device, the application checks the PAC file first, then connects to 
the network proxy. When the on-demand VPN is connected, you will see the VPN badge in the top left corner. You 
are now steered to the Netskope Tenant. 
Mobile Deployments
Netskope Android App
• Support for Android 11 and higher*
• The Android app traffic interception: 
– Closely resembles the desktop app design
– At app start-up, a TUN interface is created (VPN virtual interface)
Connecting to Netskope gateway associated with the tenant instance
– Managed cloud apps are redirected into the TUN interface via TCP-IP stack 
integration
* SSL traffic inspection is currently not possible on Nougat (7.x) onwards, due to a system level change 
in trust of certificate authorities (CAs) affecting ALL vendors.
• Netskope will tunnel and bypass all HTTPS traffic and no corresponding events will be displayed in 
Skope IT.
• Netskope will not perform man in the middle (MITM) due to hardcoded certificate restrictions
On Android systems, the Netskope Client is installed as a lightweight non-intrusive application that steers traffic 
from the user’s device to the Netskope Cloud. The Android Netskope mobile deployment is available on the 
Google Play store as an APK. The install is a VPN tunnel interface, connecting to the closest Netskope gateway 
or POP and associated with the Netskope tenant. 
Android has removed the ability to have non-public certificate authorities added to their operating system. SSL 
traffic inspection is limited to browser traffic since Android version 7.0 (Nougat). By default, Netskope will tunnel 
and bypass all HTTPS traffic and no corresponding events will be displayed in Skope IT. Netskope will not perform 
man in the middle (MITM) due to Android’s hardcoded certificate restrictions.
============================================================
Netskope Client on Google Play store:
https://play.google.com/store/apps/details?id=com.netskope.netskopeclient
Netskope Android App 
Android Onboarding
• App installation from email invitation link
• Accept the certificate name
• Enable screen lock credentials
You can install the Netskope Client using the email invitation sent from the Netskope tenant admin console. 
Follow the instructions to install the Netskope Client from the Google Play Store. 
On Android devices, a CA certificate can only be installed in the user cert store, irrespective of device ownership 
and enrollment method. Starting with Android 7.0 (Nougat), Netskope certificates stored in the user certificate 
store are not trusted by Android and 3rd party app services, since Google does not trust the certificates installed in 
the user store. This leads to errors during SSL inspection: native or 3rd party mobile applications would drop the 
SSL handshake because the server certificates presented by Netskope SWG aren’t recognized as trusted certificates. 
However, web browsers would still be able to verify the chain of trust against the user cert store, and therefore SSL 
inspection won’t cause issues for them.
One option to get around this Android limitation is to disable SSL inspection for Android. At the time of Netskope 
Client distribution and enrollment, CA certificate distribution can be skipped. The Netskope Client won’t find a CA 
certificate on the device and will signal the upstream proxy that SSL inspection should not be performed. The 
traffic will still be tunneled via NewEdge according to the steering configuration.
Netskope Client
• Introduction
• Desktop Client
• Mobile App
• Administration and Configuration
• Deployment Options
Let’s look at the administration and configuration of the Netskope Client.
Netskope Client – Users & Groups
Settings > Security Cloud Platform > Netskope Client > Users
Settings > Security Cloud Platform > Netskope Client > Groups
To see the list of users’ IDs that are running the Netskope client on their system, navigate to Settings > Security 
Cloud Platform > Netskope Client > Users. The second screenshot showing Groups displays the groups of 
users that you have in your Directory services. Users and Groups information can be obtained using Directory 
Importer. Directory Importer connects to a domain controller to periodically fetch user and group membership 
information, and then posts this information to the organization’s Netskope tenant instance in the cloud. 
Organizations that are using the Netskope client can leverage this user and group membership information to send 
client invitations and to set up cloud application policies.
For a Netskope Client to connect as a particular user, the Netskope tenant needs to know their user IDs and what 
groups they are a member of. That way, Netskope can apply policy to that user when that user connects with the 
Netskope Client. Netskope obtains this list of users and groups from either Active Directory connector services or 
SCIM services.
One of the crucial steps towards deploying the Client in your environment is importing your users into your 
Netskope tenant. Netskope Cloud Platform leverages its own directory to apply security policies across all 
deployment modes and operating systems. 
Email ID and User Principal Name (UPN) are mandatory fields during user import. 
• Email ID is mandatory in all deployment modes because it represents the user identity across the Netskope 
Secure Cloud Platform.
• UPN is mandatory for the transparent deployment of the Netskope Client and is highly recommended.
The supported methods to import users into your Netskope tenant are:
• Manual Import
• Using SCIM App
• Using Directory Importer
======================================
SCIM – System for Cross-domain Identity Management – defines a standard for exchanging identity information 
across different cloud app vendors. SCIM is used when an SSO or SAML provider is used.
Netskope Client – Devices (1 of 2)
Settings > Security Cloud Platform > Netskope Client > Devices
To verify the state of and control the configuration of the Netskope Client, go to Settings > Security Cloud 
Platform > Netskope Client > Devices. You can configure when the Client performs upgrades, upgrades to what 
versions, whether to do auto upgrades, and to fail open or fail close.
This example shows the devices that have connected to the Netskope Cloud in the last 7 days. You can view the 
hostname, Device classification, OS platform, the user that was logged into that device, installed and uninstalled 
devices, whether Internet Security and Private Access has been enabled, and what the last event was.
==================================================
Note: You can also pull the information on the Devices page via the API.
Netskope Client: Devices (2 of 2)
On the Devices page, click the ellipsis to the right of a device, and select View Details to see the details of the 
device and manage the device’s client.
You can enable or disable traffic steering and pause or restart the Endpoint DLP service under the Manage Client 
button. (The option for Endpoint DLP service is available only if you have the license.)
The Collect Log button will collect the logs for the specified device and send you an email when the logs are 
ready to be downloaded. Click the Download Log button when the logs are ready to be downloaded. The logs are 
encrypted with a tenant-specific encryption key. 
The ellipsis button is to export the user key.
Event History, Group Membership, and Organization Unit details can be viewed further down on this page.
Client Configuration – Default tenant config
Settings > Security Cloud Platform > Netskope Client > 
Client Configuration
As stated in the description under Client Configuration, the Default tenant config is the out of the box 
configuration that applies to all the Netskope Clients in your deployment. For more granular control over Client 
behaviors at a user group or OU level, you can create a new Client configuration.
Client Configuration Options – Tunnel settings (1 of 3)
Settings > Security Cloud Platform > Netskope Client > 
Client Configuration > New Client Configuration
Under Client Configuration, you can apply a new client configuration for different user groups or organization units.
On the Tunnel Settings tab referring to the numbered circles:
(1) Enable DTLS (Datagram Transport Layer Security): By default, network traffic is steered over a TLS tunnel. If you 
want to use DTLS instead, you can enable DTLS here.
(2) On-Premises Detection: Enable on premises detection if you want the Netskope client to detect if it is on-
prem (at a corporate office). This option is used if you want different steering configurations for when the Client is 
on-prem versus off-prem. For example, your company uses a firewall in your on-prem network to manage web 
traffic and only use Netskope to steer cloud traffic. Then for off-prem Clients, you configure Netskope to steer both 
cloud and web traffic. You can use dynamic steering to detect device location and use the appropriate steering 
methods. You need to set up on-prem detection rules to enable on-premises detection.
There are two ways to set up on-premises detection rules. Select the Use HTTP option to have the Client look for a 
web server that only exists on-prem, by providing the web server’s IP address or hostname under the FQDN/IP 
Address field and adding a timeout setting. If the Client gets an HTTP response code of 200, the device is 
deemed to be on-premises. Select the Use DNS option to have the Client do a DNS lookup for a DNS record that 
would only return an A record on-prem.
Client Configuration Options – Tunnel settings (2 of 3)
Tunnel Settings tab – Referring to the numbered circles:
(3) Pre-logon for Private Apps: The Client will connect to private apps when the user tunnel is not set up or if the 
user is not logged into the device.
(4) Periodic re-authentication for Private Apps: Private Apps refer to the on-prem applications that are in your 
data center or private cloud that can be steered by Netskope. Enabling this option forces users to re-authenticate 
after a certain time period for greater security. You need to set the re-authentication interval and grace period. The 
re-authentication interval example here has users re-authenticate every 24 hours, with a grace period of 60 
minutes after the authentication expires. You can only use this option if you are using a single sign-on provider, 
because the Client needs to be able to direct the user to the SSO login screen to re-authenticate.
Client Configuration Options – Tunnel settings (3 of 3)
Tunnel Settings tab - Under Advanced, referring to the numbered circles:
(5) Interoperate with Proxy: If you enable this feature, you can configure proxies regardless of the Client’s 
location. You need to provide an on-prem proxy IP address and listening port, and enter a brief description about 
the proxy connection. The Netskope Client always detects and intercepts traffic that is sent to proxies listed here. It 
is not mandatory to select this feature, but you can use it whenever multiple proxies are deployed on the network.
(6) Enable device classification and client-based end user notifications when the client is not tunneling 
traffic: Enable this option if you want the Client to show warning, block, or coaching notifications to end users but 
not tunnel traffic. This option is for when the Client is on-prem and you use a different steering method for on-prem 
devices but still want to show user notifications.
(7) Perform SNI (Server Name Indication) check: Netskope steers traffic to public IP addresses. What if a public 
IP address has multiple domains behind it? Use the SNI check in addition to DNS to make steering decisions. If a web 
hosting service uses a single public IP address for different types of websites, Netskope can perform an SNI check 
to get the domain name from the SNI, and the Client then validates the traffic based on that check. For example, 
YouTube, drive.google.com, and plus.google.com resolve to the same IP address. The unmanaged 
YouTube traffic is allowed to the Netskope proxy because the Client steers web traffic based on the IP address. To 
eliminate this IP address overlap, you can configure the Client to steer the traffic based on SNI instead of IP 
address. The SNI feature is supported on Windows 7 and higher versions.
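As an added example (not Netskope code) of why the SNI check gives a better steering decision than the destination IP, the block below builds a minimal TLS ClientHello carrying an SNI extension, extracts the server name from it, and compares an IP-based rule with an SNI-based rule. The shared IP address and the managed-domain set are constructed for the demo.

```python
"""Added example, not Netskope code: build a minimal TLS ClientHello carrying an
SNI extension, extract the server name, and compare an IP-based steering decision
with an SNI-based one. The shared IP and domain list are constructed for the demo."""
import struct
from typing import Optional

SHARED_IP = "192.0.2.10"   # constructed: one public IP fronting several hostnames
MANAGED_DOMAINS = {"drive.google.com", "plus.google.com"}   # constructed managed set


def build_client_hello(server_name: str) -> bytes:
    """Return a TLS 1.2 ClientHello record whose only extension is server_name."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # extension type 0 = SNI
    body = (
        b"\x03\x03"                  # client_version TLS 1.2
        + b"\x00" * 32               # random (zeros for the demo)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                # one compression method (null)
        + struct.pack("!H", len(ext)) + ext
    )
    # Handshake header: type 1 = ClientHello, then a 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version 3.1, 2-byte length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk the ClientHello and return the SNI host_name, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # not a handshake record / not ClientHello
            return None
        pos = 5 + 4 + 2 + 32                             # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                           # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                           # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:
                # server_name_list length (2), name_type (1), host_name length (2), host_name
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5 : pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def steer_by_ip(dst_ip: str) -> bool:
    """IP-based rule: everything behind the shared IP is steered, managed or not."""
    return dst_ip == SHARED_IP


def steer_by_sni(dst_ip: str, record: bytes) -> bool:
    """SNI-based rule: steer only when the ClientHello names a managed domain."""
    name = extract_sni(record)
    return dst_ip == SHARED_IP and name in MANAGED_DOMAINS
```

With the IP rule, an unmanaged YouTube flow to the shared address is steered alongside the managed Google apps; with the SNI rule, only the flows whose ClientHello names a managed domain are steered.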
Client Configuration Options - Endpoint DLP and Tamperproof
Endpoint DLP tab:
Enable Endpoint DLP: Select Enable Endpoint DLP to enable endpoint data loss prevention for the client 
configuration and apply content and device control policies to your users’ devices. Endpoint DLP is an add-on 
feature for the Netskope client. You need to contact your account manager or sales representative to enable this 
feature.
Tamperproof tab:
Allow disabling of Clients: Selecting this option allows users to disable the Netskope Client on their devices. If 
users disable the Netskope Client, their traffic is no longer tunneled to Netskope, since Netskope fails open by 
default. If you uncheck this option, you also need to enable the Password protect client uninstallation option. 
This applies to Windows systems only. Why, you might ask? If the user is a local administrator on the 
Windows system, the user can still stop the Netskope service and uninstall the Netskope Client unless you enable 
password protection. 
Hide Client Icon on System Tray: Hides the Client icon from the users’ devices system tray. This will also 
prevent Client notifications from being displayed to the user. Please note that if you choose to hide the Client icon, 
users will not be able to see notifications.
Password protect Client uninstallation: Enabling this option prevents unauthorized uninstallation of the Client 
from users’ devices. Uninstalling the Client will require a password. The password protect uninstallation is 
supported on Windows, macOS, and Linux devices.
Protect Client configuration and resources: Selecting this option prevents users from altering any files, folders, 
and processes of the Netskope Client installation. This prevents users from modifying, renaming, or deleting 
Netskope processes, folders, files, and registry keys. This option is supported on Windows 10 and higher versions.
Fail Close: Blocks all traffic when a tunnel to Netskope is not established or a user device is not provisioned in the 
Netskope Cloud. If a Netskope tunnel fails to come up, we recommend that you block the steered traffic from that 
device. If you enable the Fail Close option, the Password protect client uninstallation option is also enabled
and the option Allow disabling of Clients is disabled.
When you enable the Fail Close option, there are a few granular options to configure:
• Exclude Private App Traffic: Use this option to allow private apps to keep working when Fail Close 
is triggered.
• Show notification: Fail Close notifications will be shown even if the Client icon is hidden. A Fail 
Close popup message is displayed whenever the tunneling to Netskope is blocked.
• Captive Portal Detection Timeout (minutes): This option temporarily disables Fail Close for the 
specified time value (up to 10 minutes) when users are behind a captive portal, allowing users to 
perform captive portal authentication. 
=======================================
Captive Portal: A captive portal is a webpage that the user of a public network is required to view and 
interact with before they can access the network. Captive portals are typically used by business 
centers, airports, hotel lobbies, coffee shops, and other public venues that offer free Wi-Fi hotspots for 
internet users.
Client Configuration Options - Install & Troubleshoot
Netskope Client menu
On the Install & Troubleshoot tab, referring to the numbered circles: 
(1) Upgrade Client Automatically to Latest Golden Release: You can choose from the upgrade options listed for 
the Netskope Clients. Click the down arrow and specify to automatically upgrade to the latest Golden release, the 
latest release, or a specific Golden release. Golden release versions include hotfix release updates. You can set 
all clients to be upgraded to a specific golden release. Click the pencil icon to choose which Golden release you 
want your Netskope Clients to be upgraded to. The screenshot shows the latest golden release is version 108. 
This means Netskope supports older Client versions down to version 102. If you use a specific Golden release to 
upgrade to, you can also check the Opt-in dot upgrade option, which will upgrade your Clients to the minor 
revisions of that version. For example, the latest release shown is version 108.1.0; the 1.0 is a minor update after 
the release of version 108.
Select the option Show upgrade notification to end users if you want to send notification to end users about an 
upcoming Client upgrade.
If auto upgrade is disabled, updates should be installed using the System Center Configuration Manager (SCCM). 
By default, the Client will poll hourly for the latest configuration update; and poll every 4 hours for any upgrade 
packages if available and reboot the system to force an update.
(2) Uninstall clients automatically when users are removed from Netskope: With this option, you can have 
the Netskope Client uninstalled automatically when users are removed from the Netskope tenant. Users do not 
need to manually uninstall the Client from their system. This option is supported on Windows and macOS 
systems.*
(3) Allow users to unenroll: If the Netskope Client is provisioned using IdP, this option is available. The use case 
for this option is if you have a computer that multiple users log in to: users need to sign in and then sign out when 
they are done with the system so other users can log in and authenticate.
(4) Enable advanced debug option: This option allows you to display the Advanced Debugging option from the 
Netskope Client menu on users’ systems and collect logs. You can set the log level to debug if there are issues 
with the Netskope Client. You would enable this option if you are working with Netskope Support, and they need to 
see the Client logs. The best practice here is to only have the log level set to debug to troubleshoot 
issues. Once done, it’s best to change the log level back to info.
=================================================
*Note: When selecting Uninstall clients automatically when users are removed from Netskope on 
macOS devices, the administrator needs to select the Removable System Extension option under 
the System Extension Type in the MDM profile used to deploy the Netskope Client. Otherwise, the 
uninstallation fails due to the macOS restriction.
Netskope client steers traffic that is destined for managed cloud apps through a secure 
tunnel to the Netskope Security Cloud, where policy actions are then applied.
Netskope offers other methods for steering traffic to the Netskope Security Cloud as well. These include agents 
and profiles for mobile devices, proxy chaining and GRE and IPsec tunnels for on-premises devices, and Proxy 
Auto-Configuration files that can be used as an explicit proxy on operating systems that do not support the 
Netskope client. Additionally, Netskope offers a Reverse Proxy steering mechanism that supports managed cloud 
apps that can only be accessed through a web browser.
In this course, we will focus mainly on the most commonly-used steering method, the Netskope client.
Securing Managed SaaS with Near Real-time Visibility and Control
(Slide figure: two columns, Visibility and Control, listing the items below.)
• File name/owner/size/type and path
• App and instance name 
• Audit trail with activity, user, access date 
• File version history 
• Encryption status 
• Shared link expiration
• Slack messages and channels
• ServiceNow incidents
• Registered and owned devices 
• DLP policy triggers 
• External users (and access to internal files) 
• Search and filter on a variety of conditions 
• File access to external domains
• Google and Slack ecosystems 
• DLP policies
• Download 
• Restrict access
• Revoke access
• Change ownership
• Quarantine
• Legal hold
• Encrypt/decrypt
• Notify original owner / end user
As mentioned earlier, Netskope CASB uses API connectors to hook into supported SaaS cloud apps and gain 
visibility and control over the apps. From a visibility perspective, Netskope can identify a wide range of file 
information, such as filename, ownership, size and type, and the paths of files stored on the managed cloud app. It 
can also provide a full audit trail of user activity on the files and folders stored on the app, as well as file version 
history, encryption status, and much more.
With this visibility comes control. Once you identify issues that need to be addressed, Netskope API connectors 
enable you to apply DLP policies to examine the actual data and to block downloads, restrict or revoke access, 
change inappropriate file ownership, and more.
Securing Real-time Traffic: NG SWG, ZTNA, Client, Fwd/Rvs Proxy
(Slide figure: remote workers reach private apps in public clouds and data centres through the Netskope 
Publisher, and cloud apps and websites through the Security Cloud; Zero Trust Network Access (ZTNA) provides 
fast and scalable access, and the Next Generation Secure Web Gateway (NG SWG) provides data and threat 
protection.)
Managed Devices 
• NS Client installed and enabled
• Forward Proxy
Unmanaged Devices
• NS Client not installed or disabled
• Reverse Proxy
Netskope provides a variety of methods for securing real-time internet traffic, whether that traffic is traveling to and 
from websites, cloud apps, or private apps hosted on IaaS resources or on premises in data centers.
Earlier we talked about Cloud Inline protection. Netskope Next Generation Secure Web Gateway, or NG SWG, is 
the product that provides this real-time protection for both cloud apps and web traffic. NG SWG enables you to 
control access to websites, block users from uploading and downloading confidential files on cloud apps, block the 
transfer of files infected with malware, and so on. These real-time protection capabilities rely on traffic steering 
provided by the Netskope client and the Forward Proxy PAC file for managed endpoint computers, and Reverse 
Proxy for unmanaged devices.
Netskope also offers Zero Trust Network Access capabilities as a replacement for VPN software to protect access 
to private apps hosted on-premises or on Infrastructure-as-a-Service resources. We will discuss Netskope's ZTNA 
product, Netskope Private Access, in more detail later in this chapter.
Primary NG SWG Use Cases
Monitoring and visibility
• Observe user behavior on the Internet
• CASB monitoring SaaS apps and activities
• Risk level for SaaS applications
Malware and advanced threat detection
• Analyze Internet traffic bi-directionally
• UEBA analysis of cloud account activity for compromise or insiders
• AVs, IPS/exploits, script analysis, pre-execution heuristics, cloud sandboxing
Connect offices and mobile workers
• Rapid adoption of SaaS apps is driving remote offices direct-to-internet
• Cloud based security stack protects remote and mobile workers 
Source: Gartner – Critical Capabilities for Secure Web Gateways, Dec. 2018
Before moving on to talking about securing data in the public cloud, let’s consider some use cases for Secure Web 
Gateways and how Netskope Next-Gen SWG addresses these situations. These use cases are based on a 
Gartner report summarizing critical capabilities for Secure Web Gateways.
The first use case is monitoring and gaining visibility into user behavior and activity on the web and in cloud apps, 
as well as determining the risk level of cloud apps. Netskope NG SWG provides inline visibility into all HTTP, SSL, 
and TLS web traffic, including managed and unmanaged apps. For managed apps, it provides controls for real-
time inline traffic as well as API controls for data at rest. It also provides controls for more than a thousand 
unmanaged apps via a custom API inline proxy, with the ability to learn new or custom apps. The Cloud 
Confidence Index provides risk ratings for tens of thousands of apps, as well as risk profiles based on CSA 
attributes including security, risk, privacy, compliance, vulnerabilities, and more.
The second use case is protecting against infections from malicious websites and from web traffic containing 
known malware and ransomware, as well as unknown threats. Netskope Next Gen SWG inspects all HTTP, SSL, 
and TLS web traffic to provide inline visibility, including detection of macros and phishing URLs in webmail. It 
provides multi-layered threat prevention, including anti-malware, IoC hashes and URLs, pre-execution heuristics, 
and client traffic exploit prevention to detect known threats. It also provides multi-layered threat detection, including 
dynamic sandboxing and AI analysis of malware, ransomware, and cloud storage to detect unknown threats.
The third use case is adapting to the evolution of networks away from hub-and-spoke architecture, where offices 
backhaul internet traffic over costly dedicated links, and remote users access central resources over Virtual 
Private Networks, leading to a poor user experience. Netskope Next Gen SWG addresses these challenges by 
providing direct-to-net cloud access over GRE and IPsec tunnels for both main office and remote office web traffic. 
It also provides a way to bypass sensitive traffic, such as encrypted traffic containing personal health or finance 
information, to keep data secure. Finally, Netskope Next Gen SWG provides direct-to-net cloud access for mobile 
workers via a lightweight steering client for all apps, or transparently to managed apps via Single Sign-on or 
Identity and Access Management solutions.
(Slide figure: three columns.)
Shadow IaaS: With inline, Netskope extends visibility into unmanaged IaaS and PaaS services
Security Posture Management (Configuration): Enhance visibility, prevent security exposure, and simplify 
governance and compliance
Data Exfiltration (Data in Motion: Real-time Visibility & Control): Control access to data and apps, and prevent 
sensitive data movement to unmanaged cloud infrastructure (e.g., S3) 
Data and
Advanced Debugging
To continue reviewing the Advanced Debugging menu from the Netskope Client menu options:
Log Management: Set the specific log level you need to capture logs. The log levels in nsdebug.log are displayed 
as info, warning, error, and critical. The log files are stored in the default locations:
Windows devices: %PUBLIC%/Netskope/nsdebug.log
macOS devices: /Library/Logs/Netskope/nsdebug.log
Packet Capture: You can capture the inner and outer packets of the tunnel traffic connecting to Netskope.
Speed Test: The speed test allows for testing downloads and uploads with different file sizes. The 
recommendation here is to test with at least a 10 MB file size. This tests the connection to the Netskope Cloud. 
Private Access: The Private Access tab shows whether your Client is steering private apps and its connection status, 
with bytes sent and received.
Client Installation Verification
If the Netskope Client is installed successfully, you will see the Netskope Client spinner on the system tray. When 
you hover over the Netskope Client icon, it shows the Netskope Client is enabled. Right click on the Client icon to 
view the Netskope Client Configuration.
Steering Configuration – Steered Traffic
Settings > Security Cloud Platform > 
Traffic Steering > Steering Configuration
As stated in the description under Steering Configuration, the steering configuration controls what types of traffic 
get steered to Netskope for real-time deep analysis, and what types of traffic get bypassed. The Default tenant 
config applies to all users. For more granular control over different user groups or OUs, you can create a new 
configuration for that OU or user group.
The screenshot of the Steered Traffic tab shows that all web traffic and all private apps are being steered to 
Netskope, except for any items listed on the Exceptions tab.
Steering Configuration
Exceptions List and Certificate pinned apps
The Exceptions list is pre-loaded by Netskope with steering exceptions for certificate pinned applications. 
Certificate pinned applications refer to applications that users install on their system. When the app is installed, it is 
considered pinned. These pinned apps won’t affect browser traffic. Certificate Pinned Apps don’t allow SSL 
inspection because trusted certificates are hardcoded. There are no steering exceptions for browser-based traffic. 
The default action for certificate pinned apps is Bypass. The Bypass action means that this app won’t be steered 
to Netskope and is allowed to go directly to the Internet. If the app gets steered to Netskope, the app will not work. 
The Block action will block the app, so the app won’t work. 
If you select the action Bypass and Tunnel Mode, this sends the traffic to Netskope, but Netskope does not 
decrypt it. The purpose for selecting Tunnel Mode is if you want the traffic to go to that application but come from a 
Netskope public IP address. If the app is a managed app, you can set your managed apps to only accept traffic 
from Netskope public IP addresses and from your own on-prem IP addresses. Then, users with a personal device 
that does not have the Netskope Client installed cannot log into your managed apps because you configured the 
managed app (on the managed app website) to only accept traffic from the Netskope public IP addresses and your 
on-prem IP addresses. 
If you select the action Bypass and Managed Devices, this means only allow bypass if the device is classified as 
managed.
==================================================================
To add steering configuration exceptions:
1. Navigate to Settings > Security Cloud Platform > Traffic Steering > Steering Configuration.
2. Select the steering configuration you are adding steering configuration exceptions to.
3. Click the Exceptions tab and add a New Exception or edit an existing Exception.
4. Under Edit Exceptions, you can see the Exception Type as Certificate Pinned App: Dropbox (on the 
screenshot example)
5. Under Actions, you can set which systems to bypass.
Steering Configuration
Traffic steering & Non-standard ports
What kind of traffic do you want to steer to Netskope?
(1) Enable Dynamic Steering: You would enable dynamic steering and have different steering configurations if 
you need steering to be different for on-prem versus off-prem Clients. To enable dynamic steering, you need to 
first enable On-Premises Detection located under the Client Configuration section and then enable it in the 
Default tenant config, for this feature to be functional.
(2) Traffic to be steered: Cloud Apps Only | Web Traffic | All Traffic
• Cloud Apps Only: Steers only Cloud Apps, for example, all the cloud app web domains listed in Netskope’s 
Cloud Confidence Index (CCI).
• Web Traffic: Steers all web traffic, HTTP and HTTPS, to Netskope except any items listed on the Exceptions 
list.
• All Traffic: Steers all web and non-web traffic, TCP, UDP, and ICMP to Netskope. 
The type of traffic Netskope will steer depends on the license you have. If you only have the CASB license, you 
can only steer Cloud Apps traffic. If you have the SWG license, you can steer web traffic, and if you have the 
Cloud Firewall license, non-web traffic like TCP, UDP, and ICMP are steered to Netskope.
(3) Private Apps - Steer private apps: Select this option if you want to steer private apps and if you have the 
license to use Netskope’s Private Access feature. You will need to create policies to allow access to private apps 
and log events when enabling this feature. There is an option to steer all private apps or just specific ones and also 
the option to steer or not steer private apps in the presence of other steering methods.
Non-Standard Ports tab:
(4) Web Traffic – Steer non-standard ports: Enable this option if you need to steer web traffic running on non-standard ports, that is, web traffic that is not using the standard TCP ports 80 or 443. In the example shown, a non-standard port has been added for Australia’s Medicare site, which uses port 5447.
Device Classification - Managed Devices
Settings > Manage > Device Classification
To set a Netskope Client device as a managed device, you need to specify what constitutes a managed device. 
Here, we define managed devices as trusted devices.
Navigate to Settings > Manage > Device Classification to set up a device classification rule for the specific 
operating system. The type of classification rules you have will be different for the different operating systems 
since different OSes have different things to check for. You can implement specific firewall policies for trusted, 
managed devices and more stringent firewall policies for unmanaged devices.
Device Classification - Managed Devices for Windows OS
You can set up a classification rule that identifies a device by checking its encryption status, a registry setting, a running process, a file, membership in an Active Directory domain, or a certificate installed on the device. The example shown here is a classification rule for Windows operating systems that checks for a specific file called NetskopeManaged.txt. If this file is found on the system, the device is classified as a managed device.
The Netskope Client checks the device for the configuration required by the device classification rule and notifies the Netskope cloud whether the device is managed or unmanaged. The Netskope Client does not check this configuration again until its service stops and starts again, which usually happens when the system reboots.
Troubleshooting tip: If a device still shows as unmanaged, even though the device classification rule is enabled, 
the device may need to be rebooted so the Netskope Client service is restarted, and the classification check is 
performed. 
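The following PowerShell script is an added example, not Netskope's code: run on a Windows endpoint, it evaluates the same kinds of evidence a device classification rule can check (file, registry value, process, domain membership, certificate, disk encryption) so an administrator can see why a device would or would not be classified as managed before resorting to a reboot. Only the NetskopeManaged.txt file name comes from the slide; the registry key, process name and certificate subject are constructed placeholders.

```powershell
# Added example (not Netskope's code): pre-check the evidence types a Netskope
# device classification rule can look for on a Windows endpoint.
# NetskopeManaged.txt comes from the course slide; every other default value is
# a constructed placeholder to replace with what the tenant's rule really checks.
param(
    [string]$MarkerFile      = 'C:\ProgramData\NetskopeManaged.txt',  # file check (slide example)
    [string]$RegistryPath    = 'HKLM:\SOFTWARE\Example\Endpoint',      # placeholder registry key
    [string]$RegistryValue   = 'Managed',                              # placeholder value name
    [string]$ProcessName     = 'ExampleAgent',                         # placeholder process name
    [string]$CertSubjectLike = 'CN=Example Device*'                    # placeholder cert subject
)

function Test-MarkerFile { Test-Path -LiteralPath $MarkerFile -PathType Leaf }

function Test-RegistryMarker {
    $null -ne (Get-ItemProperty -Path $RegistryPath -Name $RegistryValue -ErrorAction SilentlyContinue)
}

function Test-RunningProcess {
    $null -ne (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
}

function Test-DomainJoined {
    # PartOfDomain is true only for AD-joined machines, which is what a "joined to
    # an Active Directory Domain" rule looks for.
    [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

function Test-DeviceCert {
    $null -ne (Get-ChildItem -Path Cert:\LocalMachine\My |
               Where-Object { $_.Subject -like $CertSubjectLike })
}

function Test-DiskEncrypted {
    # BitLocker cmdlets exist only on Windows editions that ship the BitLocker module.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return $false }
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    return ($null -ne $os -and "$($os.ProtectionStatus)" -eq 'On')
}

# Evaluate every check once and print a PASS/FAIL line per evidence type.
$checks = [ordered]@{
    'File present'           = Test-MarkerFile
    'Registry value present' = Test-RegistryMarker
    'Process running'        = Test-RunningProcess
    'AD domain joined'       = Test-DomainJoined
    'Device certificate'     = Test-DeviceCert
    'OS drive encrypted'     = Test-DiskEncrypted
}

foreach ($name in $checks.Keys) {
    '{0,-24} {1}' -f $name, $(if ($checks[$name]) { 'PASS' } else { 'FAIL' })
}

# The Client evaluates its rule when the service starts, so a device that now
# passes a check will not be reclassified until the service restarts (usually a reboot).
```

Run it elevated on the device that still shows as unmanaged; a PASS on the evidence your rule uses, combined with an unchanged classification, points at the service-restart condition described in the troubleshooting tip.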
Netskope Client
• Introduction
• Desktop Client
• Mobile App
• Administration and Configuration
• Deployment Options
Let’s look at the different deployment options for the Netskope Client.
Client Deployment
• Netskope Client can be provisioned in multiple ways:
– Invitation via Email
– Deployment via a Software Management Suite
– Deployment via an MDM solution
– Deployment via SSO app Enforcement
There are several ways to deploy the Netskope Client. The main ways are listed on the slide, and an expanded list appears in the Notes section.
============================================================
Netskope supports the following options to deploy the Netskope Client on your device:
• Email Invite
• Deploy Netskope Client via IdP
• Microsoft Endpoint Configuration Manager
• VMware Workspace ONE
• Microsoft Intune
• Microsoft Group Policy Object (GPO)
• JAMF
• Kandji
• MobileIron Cloud
• MobileIron Core
• XenMobile
• Amazon WorkSpaces
• Azure Virtual Desktop
• Citrix Virtual Apps and Desktop
• Once the user clicks on the link, the downloader changes the MSI and appends the user hash key, tenant ID, and add-on manager host name
• The installer uses this info to connect to the tenant/add-on manager and grabs nsbranding.json to complete the installation process
• Once installation is done, the client fetches certs & config files from Client services
• The client uses the certs to authenticate with the Gateway
Email Based Installation
What Happens During Client Install
From an administrator’s standpoint, the easiest way to deploy the Netskope Client is through an email invitation. Users’ email addresses are added into Netskope either manually or imported from a CSV file, and then the email invitation is sent out to the users. The email invitation is customizable and includes a link that is specific to the operating system the user is running and to that user only. Installation of the Netskope Client requires administrator rights on the device.
• Once the user clicks on the link, the downloader changes the MSI file and appends the user hash key, tenant ID, 
and add-on manager hostname.
• The installer uses the information to connect to the Netskope tenant and the add-on manager, and also retrieves 
the nsbranding.json file to finish the installation process.
• Once the Client installation is done, the Client retrieves the certificates and configuration files from Client 
services.
• The Netskope Client uses the certificates to authenticate with the Gateway.
• Onboarding of any supported device type
• Invite
– Individual Users
– Active Directory Users/Groups
• Customize
– Email invitations
– Download requests
– Download errors
Client Deployment
via Email Invitation (1 of 3)
An email invitation can be sent to individual users or groups. The invitations are customized to the specific user.
The caveat of using an email invitation is that the user just receives the email and does not need to be 
authenticated with Active Directory or SSO. The only verification is the email address, and the assumption is that 
the email address is sent to the correct user and the user’s email has not been compromised. The user can 
forward their specific email invitation to another user so after the Client installation, there are now two users 
registered as the same user.
The recommendation here is to only use the email invitation deployment for small solutions or for a proof of 
concept to show what Netskope can do.
Client Deployment
via Email Invitation (2 of 3)
Settings > Security Cloud Platform > Netskope Client > Users
Users are added in Settings > Security Cloud Platform > Netskope Client > Users. Once the email invitation is configured, select the users and click Send Invitation to send the email. A popup message asks whether you really want to send the emails with Client invitations to the selected users.
Client Deployment
via Email Invitation (3 of 3)
Customize the email invitation:
• Email address of the end-user
• Email address of the tenant admin
• Name of the company
• URL download links for the different OSs
• The URL to go to resume earlier activity
To customize the email invitation template, go to Settings > Tools > Templates.
The templates use HTML and the built-in variables to replace message links. Click on Insert Variable and insert 
the options listed to include in the email invitation.
===========================================
Mac Client: {{NS_MACADDON}}
Windows Client: {{NS_WINADDON}}
iOS Profile: {{NS_IOSPROFILE}}
Android Client: {{NS_ANDROIDCLIENT}}
• Generic MSI is distributed (SCCM, LANDesk, …)
• Once the user logs in
– SCCM instructs Windows to execute the installer with parameters
– The package gets the UPN and downloads nsbranding.json to complete the installation process
• The client fetches ‘certs & config files’ from the add-on manager
• The client uses the certs to authenticate with the Netskope Gateway
• Check the online help for deployment details
• Prerequisite Components
– Netskope Directory Importer
– Netskope Client pre-processing package (MSI file)
Client Deployment
Using SCCM
You can use almost any system that can deploy MSI software packages in a Windows environment to deploy the Netskope Client. One method is SCCM (System Center Configuration Manager) with Active Directory. If you use SCCM with a directory service like Active Directory, you will also need to install the Netskope Directory Importer.
Directory Importer is installed on any domain member (but not on an end user’s computer) and used to export the 
user information in Directory Services like Active Directory to the Netskope tenant database.
Directory Importer reads the user information and group information from the Domain Controllers (DC) in the 
network and exports the information to the provisioner. Directory Importer monitors the addition, modification and 
deletion of user information in the Directory Servers and updates the information to Netskope Cloud.
The MSI file used for SCCM is different than the MSI file used in the email invitation. The MSI file used for SCCM 
is not tied to any specific user identity.
===================================================
Directory Importer monitors the following attributes of the user accounts:
• User First Name
• User Last Name
• email ID
• UserPrincipalName
• OU information of the user
• Set of Group Names user account is part of - This includes only the groups configured in the group filter or all 
groups the user is part of, if the group filter is left empty.
Similarly, the following attributes of the groups are monitored:
• Group Name
• Canonical name
In Windows Active Directory, a User Principal Name (UPN) is the name of a system user in an email address 
format. A UPN (for example: john.doe@domain.com) consists of the user name (logon name), separator (the @ 
symbol), and domain name (UPN suffix).
The branding file is required to bootstrap the Client. This file is downloaded during Client provisioning when the Client is installed for the first time on the end user's machine. Future client updates will not change the contents of this file.
On a Windows system, this file is installed in: %ProgramData%\Netskope\STAgent. 
On a Mac system, this file is installed in: /Library/Application Support/Netskope/STAgent folder.
• Create a source distribution folder
• Create a distribution package
• Create installer
• Specify Run with Admin privileges
• Distribute package to endpoints
• Create advertisement to install on all client machines
• Install command example:
SCCM – Create Installer Package
msiexec /I NSClient.msi token= host=addon-[.region].goskope.com [mode=peruserconfig [userconfiglocation=]] [autoupdate=on|off] [/l*v %PUBLIC%\nscinstall.log]
At a high level, to create the installer package, download the MSI file and insert it into the software distribution system you are using.
The steps listed here are specific to using SCCM to create and distribute the MSI file for installing the Netskope 
Client on a Windows operating system.
First create a source distribution folder and the distribution package. Create the installer with the MSI file and run it 
with admin privileges. Then distribute the package to users’ systems. 
The generic format of MSIEXEC command to install the Client is shown here. Highlighted in blue are required 
parameters, and the parameters in black are optional, depending on the deployment mode used in your script.
Check the Notes section for details about the parameters of this command.
==============================================
Command parameters:
msiexec /I is the Windows command used to mass deploy the Netskope Client (MSI packages) on Windows devices. NSClient.msi is the MSI file downloaded from Netskope. token is the token specific to your Netskope tenant, and host is the Netskope tenant to connect to in order to download all the configuration files. The syntax here should be addon plus the full tenant URL. (Example: host=addon-academy-central.goskope.com)
Optional parameters:
• mode=peruserconfig: Use this option when installing on a multi-user system. Don’t specify a user mode if you want to use single-user mode/config.
• userconfiglocation=: Specifies the user-specific directory used for storing the user configuration. This is recommended only for the multi-user environment. By default, the path is %AppData%\Netskope\STAgent.
• autoupdate=on|off: Tells the Netskope Client whether to allow auto updates. If autoupdate is turned on, the Netskope tenant automatically sends Client updates to the Netskope Client.
• /l*v %PUBLIC%\nscinstall.log: Specifies where to store the installation log.
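As an added example (not a Netskope script), the PowerShell wrapper below assembles the msiexec command line described above for a software-distribution deployment, validating the host format and the parameter combinations before anything is installed and redacting the token from what it echoes. The MSI path, token and tenant host are placeholders supplied by the caller; the /qn silent-install flag and exit code 3010 are standard msiexec behaviour, not values from the slide.

```powershell
# Added example (not Netskope's script): build and run the Netskope Client
# msiexec install command with parameter validation and a redacted echo.
# All values passed in (MSI path, token, addon host, log path) are placeholders.
param(
    [Parameter(Mandatory)] [string]$MsiPath,      # e.g. .\NSClient.msi (placeholder)
    [Parameter(Mandatory)] [string]$Token,        # tenant-specific token from the Netskope UI
    [Parameter(Mandatory)] [string]$AddonHost,    # addon-<tenant>[.region].goskope.com (placeholder)
    [switch]$PerUserConfig,                       # multi-user system: adds mode=peruserconfig
    [string]$UserConfigLocation,                  # only valid together with -PerUserConfig
    [ValidateSet('on', 'off')] [string]$AutoUpdate = 'off',
    [string]$LogPath = (Join-Path $env:PUBLIC 'nscinstall.log'),
    [switch]$WhatIf                               # print the command without installing
)

function Test-AddonHost {
    # The host must be "addon-" followed by the full tenant hostname on goskope.com,
    # e.g. addon-academy-central.goskope.com (the example given in the notes).
    param([string]$HostName)
    return $HostName -match '^addon-[a-z0-9-]+(\.[a-z0-9-]+)*\.goskope\.com$'
}

function New-NsClientInstallArgs {
    param(
        [string]$Msi, [string]$Tok, [string]$AddonHostName, [bool]$PerUser,
        [string]$ConfigLocation, [string]$AutoUpd, [string]$Log
    )
    if (-not (Test-Path -LiteralPath $Msi -PathType Leaf)) { throw "MSI not found: $Msi" }
    if (-not (Test-AddonHost $AddonHostName)) { throw "host must look like addon-<tenant>.goskope.com" }
    if ($ConfigLocation -and -not $PerUser) { throw "userconfiglocation requires mode=peruserconfig" }

    # Required parameters first (as on the slide), then the optional ones.
    $list = @('/I', "`"$Msi`"", "token=$Tok", "host=$AddonHostName")
    if ($PerUser)        { $list += 'mode=peruserconfig' }
    if ($ConfigLocation) { $list += "userconfiglocation=`"$ConfigLocation`"" }
    $list += "autoupdate=$AutoUpd"
    $list += @('/qn', '/l*v', "`"$Log`"")   # /qn = silent; /l*v = verbose log, as on the slide
    return $list
}

$msiArgs = New-NsClientInstallArgs -Msi $MsiPath -Tok $Token -AddonHostName $AddonHost `
    -PerUser $PerUserConfig.IsPresent -ConfigLocation $UserConfigLocation `
    -AutoUpd $AutoUpdate -Log $LogPath

# Never echo the tenant token into the distribution system's own job logs.
$redacted = $msiArgs -replace '^token=.*$', 'token=<redacted>'
Write-Host "msiexec $($redacted -join ' ')"

if (-not $WhatIf) {
    # Installation requires administrator rights on the device.
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {   # 3010 = success, reboot required
        throw "msiexec failed with exit code $($p.ExitCode); see $LogPath"
    }
}
```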
• Installing the Netskope Client on macOS using JAMF requires the following downloads to the JAMF server
– User configuration script: jamfnsclientconfig.sh
– Netskope Client installer: NSClient.pkg
– Post-install script: jampfpostinstallScript.sh
• Modes of Deployment
– Single-User mode: email-based (via UI or Directory Importer)
– UPN mode: (requires Directory Importer)
– Multi-user mode: (requires Directory Importer)
Client Deployment 
Using JAMF (macOS)
One method to install the Netskope Client on macOS systems is using JAMF, which requires downloading the user configuration script, the Netskope Client installer, and the post-install script to the JAMF server.
You can install the Netskope Client on macOS systems in single-user mode by email invitation, in UPN mode, which requires the Netskope Directory Importer, or in multi-user mode, which also requires the Directory Importer.
===============================================================
JAMF: An enterprise mobility management tool that is used for endpoint management of macOS devices.
For detailed information on using JAMF to deploy the Netskope Client, see:
https://docs.netskope.com/en/netskope-help/netskope-client/netskope-client-deployment-options/jamf/
The Netskope Adapters enable running various features that can integrate with your Active Directory and other 
directory services to collect user and user activity information. The Netskope Adapters provide three tools:
• Directory Importer: Connects to a domain controller (DC) and periodically fetches user and group information 
from the DC and posts that info to your tenant instance in the Netskope cloud. 
• AD Connector: Connects to the DC and periodically fetches user login events, extracts the User to IP mapping, 
and posts that info to Secure Forwarder (deprecated)
• DNS Connector: Integrates with a DNS server to populate the forwarding zones.
To download the NSAdapters.msi package, go to your Netskope tenant and navigate to Settings > Tools > 
Directory Tools > On-Prem Integration and click on the Download Tools button.
Install the Client for a Multi-User System
For multi-user systems, the Client is installed with the peruserconfig parameter. For 
every AD user, a new branding file is installed so all the AD users are uniquely identified by 
Netskope. The Client tunnels the traffic only from the AD users. Since the branding file is 
not installed for local users, traffic from local users is not tunneled in this case.
The Client operates as follows for multi-user systems:
• AD User A logs into the PC for the first time after the installation. The branding information file is not available for the user at the first login. The Netskope Client installer identifies the logged-on user and uses the API to download the configuration file. After the first download, whenever User A logs in, the configuration file is already available and is used.
• AD User B logs into the same PC. Branding information file is not available for User B. The 
Netskope Client installer will identify the logged-on user and downloads the configuration file for the 
user.
• Local User C logs into the same PC. In this case, we cannot fetch the branding file and the Client 
will remain disabled.
This goes into more detail about using the peruserconfig parameter for multi-user systems. When the Netskope 
Client is installed with the peruserconfig parameter, it allows authenticated users to be uniquely identified by 
Netskope.
For example, Bob logs into the PC for the first time after the Netskope Client installation. The Netskope Client 
installer identifies Bob as a legitimate user and uses the API to download the configuration file specific for Bob. 
After Bob is done with using the PC, Jill logs in to that same PC. There is no branding information file, but the 
Netskope Client installer identifies Jill also as a legitimate user and downloads the configuration file for Jill. If Tim 
comes along and logs into the same PC but as a local user and not an authenticated user, the Client will remain 
disabled and not steer any traffic.
• Netskope apps / profiles can be pushed automatically using MDM to managed mobile devices
• Supported platforms:
– MobileIron (Core / Cloud)
– VMware AirWatch
– Citrix XenMobile
– Microsoft Intune
– IBM MaaS360
• Check the online help for deployment details
App Deployment - using an MDM solution
The Netskope app or mobile profile can be pushed out automatically using Mobile Device Management (MDM) to managed mobile devices. Check the online help for deployment details about the supported platforms listed here.
===================================================================
Installing via MDM on Apple mobile devices
Up to macOS 10.13.3, Apple made special consideration for software being deployed via MDM tools so that if the 
software is being deployed to enrolled devices, it will not require user approval to load any third-party kernel 
extensions.
However, from macOS version 10.13.4 onwards, this consideration has been removed. This leads to two 
scenarios: 
• If the Netskope Client was installed on macOS 10.13.3 or earlier using JAMF, the user would not have been 
prompted to approve the kernel extension. However, when upgraded to 10.13.4, the Netskope Client would 
remain in disabled state until the user manually approves the kernel extension. 
• If the Netskope Client is installed on macOS 10.13.4, the user would need to manually approve the kernel 
extension. Subsequent macOS upgrades will not require approval. 
MDM Distributions
Settings > Security Cloud Platform > Netskope Client > MDM Distribution
You can also go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution for the different MDM deployments, with links to detailed instructions on docs.netskope.com.
• SCIM can be used to provision the users onto the Tenant
• The user authenticates to the app via an SSO broker; the app gets pushed before the user gets authorized
• Supported SSO solutions:
– Okta: source IP based enforcement (SAML)
– OneLogin: source IP based enforcement (SAML)
– Ping: custom connector (Multi-Factor Authentication)
– ADFS Proxy: Endpoint URL or PowerShell Re-direct
Client Provisioning - via SSO App Enforcement
To deploy the Netskope Client using Okta (SSO broker), the basic steps are:
• Create an admin account with access to the Okta admin console.
• Create a SCIM 2.0 app in the Okta admin console.
• Configure a Netskope SCIM app with sign-on and user-attribute options.
• Assign users to the Netskope SCIM app.
You will need the SCIM URL from the Tenant. Log in to your Netskope cloud account and go to Settings > Tools
> Directory Tools. In the Directory Tools page, select the SCIM Integration tab to get the SCIM Server URL.
• If a user manually disables the Netskope Client
– Rebooting the machine will not re-enable the Client 
– It must be enabled via the Admin Console or manually by the user
• Switching between stacks/tenants should not be done on an existing install
– Always uninstall and re-install the client instead of “upgrading” the client
• The client will disable itself if the Netskope tenant is not available (Fail Open)
– This is also the case for the short interruptions during upgrades
• The client will always use/reconnect over the most optimal network interface
• Manually killed client services will restart automatically
Netskope Client – Remarks
Here are some closing remarks regarding the Netskope Client. 
If a user is allowed to disable the Netskope Client, rebooting the system will not re-enable the Client. The user 
must manually enable it again or a Tenant Admin can enable it via the Admin Console.
If you need a Netskope Client to switch to a different Tenant, it is highly recommended to always uninstall and reinstall the Client rather than upgrading it in place.
The Netskope Client will disable itself if the Netskope Tenant is not available (Fail Open).
The Netskope Client will always reconnect over the most optimal network interface.
Manually killed client services will restart automatically.
Netskope Client Time Checks
Check-in Type | Frequency | Description
Operational | On-demand | Enabling or disabling of the client; first-login one-time retrieval of the “branding file”.
Administrative | 5 minutes | This interval is also used for administrative tasks such as sending a Disable command (if done so by the admin) or collecting logs for supportability.
Config check | 60 minutes | Every client reaches out to its respective Netskope tenant once every 60 minutes to check if there has been a configuration update.
Auto-update check | 4 hours | Netskope provides a convenient feature for customers that are not already using an enterprise software management tool. With this functionality, every client reaches out to the Netskope cloud service to determine if a new client software version is available.
Note: Customers will still need to establish a strategy for the initial rollout of the Netskope client.
This table shows the Netskope Client time checks.
• The Client checks every 60 minutes for configuration file changes
• The Client checks every 4 hours for version changes
• For large deployments, it is recommended to disable auto upgrade
• Smaller deployments are easier to manage using auto upgrade
• We recommend staying on a Golden Release version for production environments.
Lab B: Netskope Client
Time: 60 minutes
This chapter includes a lab to practice some of the concepts you learned about.
Threat Protection
Netskope Security Cloud Operation and Administration
Welcome to the Netskope Threat Protection chapter, in our Netskope Security Cloud Operation and Administration 
Course.
• Explain the Netskope Threat Protection feature
• Configure Threat Protection for Real-time Protection
• Configure Threat Protection for API-enabled Protection
Objectives
The objectives of this chapter are to explain the Netskope Threat Protection feature and how to configure different 
aspects of threat protection for real-time and API-enabled protection.
Threat Protection
• Overview of Netskope Threat Protection
• Configure Threat Protection for Real-time Protection
• Configure Patient Zero Protection 
• Configure Threat Protection for API-enabled Protection
• Integration with third-party solutions
• Intrusion Prevention System (IPS)
• Configure User and Entity Behavior Analytics (UEBA)
Let’s look at an overview of Netskope Threat Protection.
Threat Protection – Standard vs Advanced
Standard Threat Protection
• Anti-malware
• Intrusion Prevention System (IPS)
• True file type detection
• Over 40 threat intelligence feeds
• Cloud-enabled threat research from Netskope Threat Labs
• Custom allow lists and block lists
• De-obfuscation and recursive file unpacking to sandbox Portable Executable (PE) files
• Sequential anomaly rules to detect bulk uploads, downloads, deletes, rare events, failed logins, risky countries, proximity, and data exfiltration between company and personal instances
Advanced Threat Protection
• De-obfuscation and recursive file unpacking of over 350 families of installers, packers, and compressors
• Pre-execution analysis and heuristics for over 3,500 file format families using over 3,000 static binary threat indicators
• Bare-metal sandboxing for over 30 file types, with the ability to use behavioral analysis to defeat evasive techniques
• Netskope Threat Labs manages multiple machine learning (ML) models for threat detection
• Third party sandboxing for secondary threat analysis, plus proxy chaining to remote browser isolation (RBI) solutions
• Patient Zero protection
Netskope provides two levels of threat protection: Standard and Advanced. 
Standard Threat Protection includes the following features:
• An anti-malware engine applied to all files capable of delivering harm, based on the true file type detection.
• Detection of hash- and URL-based indicators of compromise, based on Netskope Threat Labs’ own research, over 40 additional threat intelligence feeds, and custom URL and hash lists.
• A machine learning (or ML) classifier, that scans Portable Executable (or PE) files, which is the executable file 
format for Windows and is the most common type of malicious files.
• An ML classifier for detecting previously unknown phishing domains and web sites.
• A web IPS engine that scans traffic directed to the user’s device for indicators of network-based attacks.
• Standard sandboxing to corroborate anti-malware and machine learning detections.
• Bidirectional threat intel sharing with EDR, SIEM, SOAR, and other types of solutions via the Netskope Cloud 
Threat Exchange platform.
Standard Threat Protection is often bundled with Standard UEBA or behavior analytics. Standard Behavior 
Analytics can detect bulk uploads, downloads, and deletes; failed logins; simultaneous or nearly simultaneous 
logins from far away locations; data exfiltration between company and personal instances; and other unusual and 
rare events based on the configured rules.
Advanced Threat Protection includes everything from Standard Threat Protection and additionally applies many 
more sophisticated engines to detect zero-day threats and provide a more detailed detection report. These 
advanced engines include:
• Additional anti-malware engines, including the YARA engine with signatures developed by Netskope Threat Lab.
• Pre-execution heuristic analysis for over 3,500 file format families using over 3,000 static binary threat 
indicators.
• Cloud sandboxing for over 30 file types and bare-metal sandboxing for second verdicts.
• Recursive unpacking and de-obfuscation of over 350 families of installers, packers, and compressors.
• ML classifier for detecting malicious executables, PDFs, Microsoft Office files, and malicious URLs in files.
• Patient Zero alerts when a threat is missed by the standard threat protection engines but detected by 
the advanced threat protection.
• Patient Zero protection when a file is held until the final verdict from the advanced threat protection is 
produced.
The following slides will discuss all these features in more detail.
Threat Protection Bundle Comparison
Threat Protection Capabilities | Standard Threat Protection | Advanced Threat Protection
AV | ✓ | ✓
Threat Intelligence | ✓ | ✓
Custom Allowlist/Blocklist | ✓ | ✓
Advanced Heuristic Analysis | ✓ | ✓
Cloud Sandbox | ✓ | ✓
Ransomware Encrypted File Detection | ✗ | ✓
Third-party Sandbox Integrations | ✗ | ✓
Patient Zero protection | ✗ | ✓
Third-party EDR Integrations | ✓ | ✓
Export Netskope detections (file hashes) | ✓ | ✓
Import Intel (hashes) into Netskope | ✓ | ✓
Here is a comparison chart between what is provided in Standard Threat Protection versus Advanced Threat 
Protection.
Standard Threat Protection includes a set of static engines whose purpose is to detect known malware via 
signatures or static machine learning classifiers. The standard threat protection includes:
• An OEM antivirus engine.
• A proprietary machine learning classifier for Portable Executables.
• The Netskope Threat Intelligence (a combination of feeds, research by Netskope Labs, and the Indicators of 
Compromise derived from the malware detected via the Advanced Threat Protection).
• Standard sandboxing to provide additional corroboration by the Advanced Threat Protection engines for a 
detection made by the above Standard Threat Protection engines. The purpose of standard sandboxing is to 
provide more evidence for a positive detection rather than augmenting the detection capabilities.
Advanced Threat Protection, on the contrary, augments the detection capabilities, by extending heuristic analysis, 
machine learning classifiers, and sandboxing to more file types, and by applying more, and more sophisticated 
static analysis engines. Advanced Threat Protection also provides more detailed reports, including forensics data 
derived from heuristic and sandbox analysis. And on top of that, Advanced Threat Protection has patient zero 
alerts and patient zero protection features and provides APIs for retrospective hash queries and for submitting 
portable executables to the sandboxing engine.
For all these advanced features, the Advanced Threat Protection license is required, which is a part of enterprise-
level bundles or can be purchased as an add-on.
All-mode Threat Protection (figure with three columns)
• Risk Insights: identify malicious network activity; proprietary threat research complemented by 40+ 3rd party feeds
• API-enabled Protection: scan managed cloud applications; malware scan; retroactive scanning; alert/quarantine
• Real-time Protection: real-time protection scanning for malicious files; full app protection (managed/shadow); actions based on severity; allowlist/blocklist by hash (SHA/MD5)
Threat protection is applied to the customer data across all the different data streams.
At the Risk Insights or Discovery level, threat detection is applied to the log data pulled in from proxies and 
firewalls and identifies malicious URLs and IP addresses based on the various threat intel feeds that go into the 
engines.
For the cloud application instances configured for API-enabled protection, the threat module provides introspection 
malware scanning, triggered by the user activities, as well as retroactive scanning to detect dormant threats. 
Available remediation actions will depend on the application and are determined by the application’s vendor and 
what is supported by their APIs. Besides alerting, these actions often include the ability to quarantine the malicious 
file.
And for the traffic steered to Netskope, threat protection is applied inline in real time and allows blocking 
threats for all kinds of applications, both managed and unmanaged, before the malware has any chance to cause 
harm.
Both API-enabled Protection and Real-time Protection support different actions based on the severity level of the 
detected threat.
[Figure: Malware Detection Architecture: Threat Detection Flow. Inputs: customer traffic (data in motion) through the inline proxy, or customer data (data at rest) through API/Introspection. Inline proxy stage: domain, URL and web filtering; IPS/RBI; allow/block decision. Threat Scanning Service: the Inline Fastscan Service (AV engines, TFT, PE ML classifiers, phishing ML classifier, malicious URL lookup, hash blocklists, local allowlist/blocklist) returns an allow/block verdict; the Deepscan Service, Advanced Threat Protection (pre-execution and heuristics analysis, ML classifiers for PE and document malware, Yara and additional AV engines, advanced sandbox engines: cloud sandbox and bare-metal sandbox) raises malware alerts and alert/quarantine actions. Metadata and IOCs are fed back to Fastscan as regular updates. Alerts reach the admin through the event service and tenant portal/UI, and third parties through Cloud Exchange.]
The diagram explains the flow of information between the different engines and subsystems. Depending on the 
source of the customer’s data, different engines are involved. 
For data intercepted in the traffic, or data in motion, the first layer of defense is hosted in the Netskope inline proxy. 
At this level, domain, URL and web filtering is applied to block connections to malicious or suspicious websites 
based on predefined or custom categories. Netskope inline proxy can also apply an intrusion prevention system, 
or IPS, and Netskope’s proprietary remote browser isolation technology, or RBI, to further reduce the surface of 
attack. All of these features are discussed in detail later in the course.
The inline proxy then extracts the payload from the traffic and sends it to the threat scanning service. The threat 
scanning service is divided into the fast scan service and the deep scan service which roughly correspond to the 
standard threat protection engines and additional advanced threat protection engines. 
The fast scan service applies the standard threat protection engines: true file type detection, an OEM anti-malware 
engine, a machine learning classifier for portable executables, and threat intelligence for IOC detection. All these 
engines produce a verdict in a short time, and this verdict is then used to evaluate policies and apply policy actions 
at the proxy level, which in this context really means blocking. In other words, the decision to block an activity 
because it represents a malware threat is made by the proxy based on the verdicts provided in real time by the 
fast scan service.
The deep scan service hosts the engines of the advanced threat protection: advanced heuristics, additional anti-malware 
engines and machine learning classifiers, and most notably, two sandbox engines. These engines take 
longer to produce a result and therefore are not used for applying real-time policy actions. They produce 
alerts and malware incidents that can trigger further responses. 
The alerts and incidents can be processed by the administrator in the Netskope tenant UI. They can also be 
accessed through API for automated processing or shared via Netskope Cloud Exchange with 3rd-party solutions 
such as EDR, MDR, SIEM, and SOAR. These integrations can be used to set up automated responses.
Netskope Cloud Exchange can share data in the opposite direction and supply additional threat intelligence from 
third-party solutions in the form of URL and hash lists, that can then be used for URL filtering and hash filtering at 
the inline proxy level and by the fast scan service respectively. 
There is also a feedback loop between the deep scan service and the fast scan service. When the deep 
scan service detects malware for any tenant, the hash of this malware and the associated domains and 
URLs are shared with the fast scan service. Tenants with Advanced Threat Protection receive these 
hashes within 1 hour, whereas tenants with Standard Threat Protection receive them within 24 
hours.
Threat intelligence created or curated by the Netskope Threat Labs is updated much more often. Hash 
blocklist is updated every 15 minutes and the URL threat feed is partially updated every 10 minutes 
and fully synchronized once a day.
If the data comes not from the traffic but rather from a cloud app connector, there would be no 
processing on the inline proxy level, and therefore no domain or URL filtering, no IPS, and no RBI. The 
files would be sent directly to the threat scanning service. However, because API protection is not real-
time and is not time-constrained in the same way, policy actions will be applied based on both the fast 
scan and deep scan services verdicts. A malicious file will be quarantined even if it is detected only by 
a sandboxing engine.
The following slides will discuss threat detection engines in more detail.
SkopeAI Threat Protection
AI/ML classifiers in Fastscan service
• PE file classifier analyses Portable Executable files to detect novel malware.
• Phishing classifier analyzes URL structure and web page content to detect novel phishing pages.
AI/ML classifiers in Deepscan service
• Office document classifier detects novel malware in various document formats.
Let’s start with the engines that are using artificial intelligence and machine learning.
AI and ML technologies play an important role in threat protection. They are one of the best tools for detecting 
novel malware that is not yet covered by signatures or threat intelligence. Trained on vast collections of known 
malicious and benign files they can learn subtle differences that can help identify novel malware files and zero-day 
attacks.
Netskope Threat Scanning Service employs a few pre-trained ML classifiers. Two of them are in the fast scan 
service:
• A PE file classifier analyzes portable executable files to detect previously unseen malware in Windows 
executables and libraries.
• A phishing classifier similarly analyzes web pages and their URLs to detect phishing content. Unlike other anti-
phishing engines in the pipeline that are based on URL filtering and only need the web traffic to be steered to 
Netskope, phishing classifier analyzes HTML files that constitute the web page and as such needs a threat 
protection policy to send HTML files to the Threat Scanning Service.
Another ML classifier in the deep scan service analyzes office documents of various formats and detects novel 
malware in them.
These are just the models that are used directly in the Threat Scanning Service. Netskope uses many more AI/ML 
models to, among other things, produce threat intelligence and optimize data processing.
Malicious Sites Incidents
• Web Security: visited by user
• Not blocked
• Severity
• Category
Let’s now look at URL filtering that happens before any file analysis takes place.
To find detected malicious web sites, use the side menu of the tenant UI to navigate to Incidents and then to 
Malicious Sites. There are very few prerequisites for this kind of detection. As long as the organization has at 
least the Standard Threat Protection license and steers traffic to NewEdge, Netskope Web Security will 
scan the traffic and detect malicious domains, URLs and IPs. There's no need to create a policy or a threat 
protection profile to enable malicious sites alerts. You do need to create a policy to block malicious sites, though. 
This will be covered in the Web Security chapter. Some sites can also be blocked by the IPS feature that is 
discussed later in this chapter.
The malicious sites page shows the primary metrics in the panels on top, and a table with more specific 
information below. The search field above the primary metrics allows you to filter the malicious sites shown on the 
page by entering keywords. 
The metrics shown at the top of the page include the following: 
• Under Sites Allowed, you will find the number of web sites that your users visited and were not blocked. 
• Under Total Malicious Sites, the total number of malicious sites that users have visited. 
• And under Users Allowed, the total number of users not blocked from visiting a malicious site. 
The table below for each detected malicious site shows these details:
• Under Threat Match Value, the pattern used to detect the malicious web site.
• Under Severity, the severity rating for the malicious site: Critical, High, Medium, or Low. 
• Under Category, the type of malicious site detected: for example, a phishing site.
• Under Users Count, how many users tried to visit the malicious site.
• And under Site Destination, the country that the malicious site is hosted in.
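As an added illustration of the detection the Malicious Sites page reports (example code written for this edit, not part of the Netskope course or product), the following Python script matches a few constructed proxy log lines against a constructed threat-intel feed and aggregates the same kind of figures: total malicious sites, sites that were not blocked, users who were not blocked, and a per-site table with threat match value, severity, category and user count. The log line format, the feed entries, the indicator kinds and the match precedence (exact URL, then domain including subdomains, then destination IP) are all assumptions of the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Indicator:
    kind: str      # "url", "domain" or "ip" (indicator kinds assumed for this example)
    value: str     # the threat match value
    severity: str  # Critical / High / Medium / Low
    category: str


# Constructed feed for this example; none of these are real indicators.
FEED = [
    Indicator("domain", "login-update.example", "High", "Phishing"),
    Indicator("url", "http://cdn.example.net/downloads/invoice.exe", "Critical", "Malware Distribution"),
    Indicator("ip", "203.0.113.45", "Medium", "Command and Control"),
]

# Constructed proxy log lines: timestamp, user, proxy action, URL, destination IP.
LOG_LINES = """\
2024-05-01T10:00:01Z alice allow http://login-update.example/verify 198.51.100.7
2024-05-01T10:02:13Z bob block http://cdn.example.net/downloads/invoice.exe 198.51.100.9
2024-05-01T10:03:45Z carol block http://login-update.example/verify 198.51.100.7
2024-05-01T10:05:00Z dave allow https://news.example.org/ 198.51.100.11
2024-05-01T10:06:30Z alice allow http://203.0.113.45/beacon 203.0.113.45
""".splitlines()


def match(url, dst_ip):
    """Return the matching indicator, most specific kind first: exact URL, then
    domain (including subdomains), then destination IP. None if nothing matches."""
    host = (urlsplit(url).hostname or "").lower()
    for kind in ("url", "domain", "ip"):
        for ind in FEED:
            if ind.kind != kind:
                continue
            if kind == "url" and url == ind.value:
                return ind
            if kind == "domain" and (host == ind.value or host.endswith("." + ind.value)):
                return ind
            if kind == "ip" and dst_ip == ind.value:
                return ind
    return None


def summarize(lines):
    """Aggregate matched log lines into the top-of-page metrics and the per-site table."""
    sites = {}             # threat match value -> record
    users_allowed = set()  # users who reached a malicious site without being blocked
    for line in lines:
        _ts, user, action, url, dst_ip = line.split()
        ind = match(url, dst_ip)
        if ind is None:
            continue
        rec = sites.setdefault(ind.value, {
            "severity": ind.severity, "category": ind.category, "users": set(), "allowed": False,
        })
        rec["users"].add(user)
        if action == "allow":
            rec["allowed"] = True
            users_allowed.add(user)
    return {
        "total_malicious_sites": len(sites),
        "sites_allowed": sum(1 for r in sites.values() if r["allowed"]),
        "users_allowed": len(users_allowed),
        "sites": {
            value: {"severity": r["severity"], "category": r["category"],
                    "users_count": len(r["users"]), "allowed": r["allowed"]}
            for value, r in sites.items()
        },
    }


if __name__ == "__main__":
    report = summarize(LOG_LINES)
    print("malicious sites:", report["total_malicious_sites"],
          "sites allowed:", report["sites_allowed"], "users allowed:", report["users_allowed"])
    for value, r in report["sites"].items():
        print(value, r["severity"], r["category"], r["users_count"],
              "allowed" if r["allowed"] else "blocked")
```

On the constructed lines, the phishing domain is reached by two users (one allowed, one blocked), the malware URL is blocked for its only visitor, and the C2 address is reached unblocked, so the report counts three malicious sites, two of them allowed, and one user allowed. Matching the exact URL before the domain mirrors the idea that a more specific threat match value should win over a broader one.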
Malware Incidents
Incidents > Malware
• Users Affected
• Malware Detected
• Total Incidents
• Severity categories: High, Medium, Low
• Detection Date
• and more…
• Drill down to view comprehensive details
In a similar way, you can find detected malicious files by using the side menu to navigate to Incidents and then to 
Malware. These detections won’t appear unless you have a policy with a threat protection profile or unless you 
have enabled threat protection for SaaS instances configured for classic API-enabled protection. We will cover 
both configurations later in this chapter.
In the Malware section, you can find the overall detection statistics and a table of all detected malware that also 
leads to more details. The overall statistics shows, how many different types of malware were detected, how many 
incidents were created as a result, and how many users were affected. 
The table below lists all detected files indexed by their hash. If there were several files with the same hash but 
different names, the File Name column of the table will list all file names. This table also includes the names of the 
engines that produced a positive verdict, the names of the detected malware combined from all the engines, the 
severity level of the malware and other details. You can select which columns are visible in the table by clicking 
the gear-shaped icon in the upper-right corner of the table.
Clicking on the file name in the table opens a new page which reveals detection details for the file from each of the 
detection engines: anti-malware, threat intelligence, heuristics, and sandbox.
Advanced Heuristic Analysis
Incidents > Malware > [file name]
• Signature-less malware detection
• Static analysis without file execution
• Scans binary files to identify indicators of malicious activity and analyses files against 3,000+ threat indicators
• Decomposes, unpacks, and de-obfuscates files to extract all objects for analysis
Let’s look more closely at the Advanced Heuristic Analysis.
Attackers are increasingly using layers of obfuscation and packing, to evade conventional detection and analysis 
tools. Netskope recursively unpacks files and extracts internal objects, to make them fully available for analysis. 
Advanced Heuristic Analysis of binary files performs a deep analysis of the file components without executing the 
file. This pre-execution analysis identifies over 3000 threat indicators across a wide range of file types, including 
Windows, Mac OS, Linux, iOS, and Android, and supports over 3500 file format families. To use advanced 
heuristic analysis, an advanced threat protection license is required.
The Advanced Heuristic Analysis page shows the following information: 
• File Details shows certificate information for files that have a digital signature. And for container files, it shows 
how many files there are in the container and how many of them are malicious.
• Network References lists all the URLs identified in the file body.
• Key Capabilities shows what the malware can do in general terms.
• And Indicators lists more concrete behaviors or artifacts related to the key capabilities.
Importantly, the indicators are identified by a static analysis which does not involve file execution. The heuristic 
analysis can show that the file contains code to perform certain actions but does not show how these actions relate 
to each other or in what order they are executed or if they are executed at all. To understand how the file behaves 
requires a dynamic analysis in a sandbox.
Dynamic Sandbox Analysis
• Detonates files in a controlled sandbox environment
• Monitors for a wide range of malicious behavior
• Immune to common sandbox evasion techniques
• Built on Netskope's high-performance, cloud-scale security platform to enable advanced threat protection at scale
Sandboxing is a kind of behavioral analysis and is a key technology for security teams to detect advanced threats. 
By detonating suspicious files, also called samples, in a controlled, sandbox environment, the detection engine can 
observe and log the file behavior and then analyze these logs for patterns of malicious activity. 
Netskope's cloud-based dynamic sandbox analysis engine is effective against malware evasion techniques and is 
built on Netskope's high-performance, cloud-scale security platform. To use cloud sandbox analysis, an advanced 
threat protection license is required.
To view the Cloud Sandbox Analysis, go to Incidents, and then to Malware. Click on an item on the Malware
page, which opens a page with details about the malware. In the File Name column, click on the file name, which 
opens the detailed detection report page. The Netskope Cloud Sandbox section of this page shows the following: 
• Under Observed Behavior, the detonated file activity observed in the sandbox grouped by the type of activity. 
• Under Screenshots, what appeared on the virtual machine’s monitor during the detonation process. Some of 
the screenshots may catch benign behavior, but others may provide important insights.
• Under Processes Monitored, you will find the entire flow of what occurred when the analyzed sample was 
running. 
• Under Sandbox Files Dropped, there's a list of file names and hashes of the files that appeared in the sandbox 
during the sample execution. 
• And under Accessed Hosts, there’s a list and the geolocation map of the hosts accessed by the detonated 
sample. The details include the host name, IP address, country and protocol.
Netskope Integration capabilities
• Integration with endpoint detection and response (EDR) solutions:
– CrowdStrike Falcon
– Carbon Black
• Integration with advanced threat detection solutions:
– Palo Alto Networks Wildfire
– Check Point SandBlast
– Juniper SkyATP
• Netskope Cloud Exchange
• Netskope REST API
Besides the detection engines and policy actions provided by Netskope directly, you can integrate your Netskope 
solution with third-party solutions to take advantage of additional detections, actions, and analysis tools that those 
solutions can provide.
Integration scenarios are mostly outside the scope of this training. To learn about how to integrate your Netskope 
solution with third-party applications for the purposes of using those application capabilities to extend and enhance 
the Netskope solution, you should sign up for the Netskope Security Cloud Implementation and Integration class.
That said, in this section we will provide an overview of various integration options that can be used with Netskope 
Threat Protection.
Some of these options may be available in your Netskope tenant UI, depending on your license and the tenant 
backend settings.
Two of the solutions you can integrate with from your tenant UI, from Carbon Black and CrowdStrike, belong to the 
endpoint detection and response, or EDR, category. EDR solutions typically have an endpoint agent that monitors 
all activity on the computer. The collected telemetry is then used for automated and human-driven threat 
hunting, and the endpoint agent is used for various response measures: from fetching files for deeper 
analysis, to killing processes and deleting files, to blocking files and network connections, and more. By integrating with 
EDR solutions, Netskope can initiate endpoint responses following a threat detection in the traffic or in a cloud app.
The other three solutions in the Netskope tenant UI, from Juniper, Check Point, and Palo Alto Networks, belong to 
advanced threat detection. These are basically third-party sandboxing solutions that can provide a second look at 
suspicious files. Netskope Threat Scan Service can send either all or only a subset of files to these services and 
add their verdicts into the alerts.
Integrating with EDR solutions, among other things mentioned above, lets Netskope share its detections as 
indicators of compromise. This in turn lets the EDR agents block threats on the endpoints, where Netskope cloud 
platform can’t reach. The same result can be achieved for a much broader range of third-party solutions by using 
Netskope Cloud Exchange, an appliance that can be deployed in the cloud or on premises and that can share 
threat intelligence bidirectionally between Netskope and SIEM, SOAR, EDR and other solutions that can either 
provide their own threat intelligence feeds or can benefit from injecting threat intelligence from the Netskope 
tenant.
Under the hood, Netskope Cloud Exchange interacts with the Netskope tenant using the Netskope REST 
API. The same API can be used directly to support custom integration scenarios. In this training, we do not 
cover either Netskope Cloud Exchange or the REST API. To learn more, sign up for the Netskope Security 
Cloud Implementation and Integration class.
Threat Protection
• Overview of Netskope Threat Protection
• Configure Threat Protection for Real-time Protection
• Configure Patient Zero Protection 
• Configure Threat Protection for API-enabled Protection
• Integration with third-party solutions
• Intrusion Prevention System (IPS)
• Configure User and Entity Behavior Analytics (UEBA)
Let’s now look at how to configure threat protection for inline traffic, also called real-time threat protection.
Configure Real-time Protection Policy
Policies > Real-time Protection
• Source and destination
• Threat protection profile
• Action and notification template
• Remediation Profile (EDR)
To apply threat scanning service to the steered traffic, all you need is a real-time protection policy with a threat 
protection profile added. As long as your tenant has the threat protection functionality enabled, it will have a 
predefined threat protection profile called Default Malware Scan that you can use in the policies out of the box. 
You can also create custom threat protection profiles and we will cover this shortly.
To create a threat protection policy, follow the steps below:
1. In the tenant UI, navigate to Policies and then to Real-time Protection.
2. Click Add policy and select Threat Protection from the drop-down menu. This will automatically add the field 
to select a threat protection profile to the policy settings. Alternatively, you can select a Cloud App Access 
policy or a Web Access policy and then use the Add profile option in the Profile & Action section of the 
policy settings to add a threat protection profile to your policy.
3. Select source and destination conditions. The best practice is to apply threat protection to all traffic. This can 
be achieved by a combination of two settings. First, in the Source section of the policy, set the User 
parameter equal to All Users. Then, in the Destination section, select Category from the drop-down list of 
destination types, and after that select All categories. 
4. In the Activities field, add Download and Upload.
5. In the Threat Protection Profile field, select a predefined or a custom threat protection profile.
6. For each of low, medium, and high threat severity levels, select the action. The available action choices may 
depend on other settings in the tenant, but the best practice for a global threat protection policy is to set 
Action to Block for all severity levels. When you select the Block action, you should select the template for 
the blocking message the user will see. There is a default template out of the box, but you can create a 
custom template to better explain to the user what’s going on.
There is also an option to select a remediation profile for each severity level. This refers to remediation via the 3rd-
party EDR integration and we will cover this feature later in the chapter.
Finally, name and save your policy. You will then be asked where to put it in the policy list. The best practice is to 
put threat protection policies at the top, before any other kind of processing and control is applied. You don't 
want to analyze malicious files for DLP violations, you just want to block them regardless of who 
accesses them. 
That said, the threat protection policy should not necessarily be the very top policy. For example, utility 
policies, such as a policy to block DNS over HTTPS, should go before any other policies. You will find 
more best practices throughout this course.
Real-time Protection Threat Protection Profile
Policies > Profiles > Threat Protection
The predefined threat protection profile simply applies all appropriate Netskope scanning engines to the analyzed 
data. This profile cannot be changed. In a custom profile you can add block lists to augment detection or an allow 
list to exclude certain files from scanning. A block list, for example, can be a result of IoC sharing from a third-party 
solution via Netskope Cloud Threat Exchange appliance.
To create a custom threat protection profile, follow these steps:
1. Select Policies from the main menu, then select Threat Protection in the Profiles section of the menu.
2. Under Malware Detection Profiles, click New Malware Detection Profile.
3. Under Threat Scan, just click Next. This step shows you the selected file scanner, which cannot be 
changed.
4. Under Allowlist, select zero or more preconfigured file profiles with scan exclusions.
5. Under Blocklist, select zero or more preconfigured file profiles with additional files to block.
6. Under Set profile, give your profile a name.
Once you create a custom threat protection profile, you can use it in your real-time protection policies and next gen 
API protection policies.
You may have noticed, that in order to customize a threat protection profile you need to have a preconfigured file 
profile to act as a block list or an allow list. Next, we will cover, how to configure such a file profile.
File Hash List
Policies > Profiles > File > New File Profile
• Used for Allowlist / Blocklist
• MD5 and SHA256 support
• Upload via CSV
• Add manually, one hash per line
• Use API: https://.goskope.com/api/v1/updateFileHashList
File profiles are not exclusive to threat protection, they can also be used for DLP purposes to restrict the scope of 
files undergoing DLP analysis.
For the purposes of threat protection, the standard practice is to base block lists and allow lists on file hashes. 
There are other conditions you can use in a file profile, such as file name or extension, file type, and file size, but in 
general, they are not precise enough to be useful for threat scanning, neither as exclusions, nor as additional 
indicators of compromise.
Netskope file profiles support the most commonly-used types of file hashes: MD5 and SHA256. You can either 
copy and paste them into the list, upload from a CSV file or use API to automate adding hashes into a file profile 
from some external source. And if automation is your goal, there’s an even better way to ingest third-party threat 
intelligence into your tenant, and it is by using Netskope Cloud Exchange appliance. We don’t cover Netskope 
Cloud Exchange in this course. If you’re interested, you should attend our Netskope Security Cloud Integration and 
Implementation training.
For the purposes of threat protection, block lists are typically used for ingesting 3rd-party threat intelligence and are 
usually populated automatically. Allow lists, on the other hand, are mostly used to exclude false positives, benign 
files that are detected as malicious. As such they are more typically populated manually. A security analyst would 
start from a malware alert or a malware incident in the Netskope tenant, copy the file hash from the incident details 
and add it to the file profile acting as an allow list. This should be a temporary measure, though. If you believe that 
Netskope falsely blocks a benign file, create a support ticket and use an allow list only for mitigating the issue until 
the ticket is resolved.
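As an added example (written for this edit; not Netskope's code and not a client for the Netskope API), the Python below computes the two hash types a file profile accepts and validates a pasted one-hash-per-line list before it is used as an allow list or block list. A SHA1 or otherwise malformed entry is reported with its line number rather than silently dropped, duplicates are collapsed, and case is normalised, so an analyst copying hashes from incident details or a feed export can see exactly what will and will not be accepted. The sample list and the sample bytes are constructed; the regular expressions only encode the MD5 and SHA256 lengths the course text names.

```python
import hashlib
import re
from pathlib import Path

# Netskope file profiles support MD5 and SHA256 (per the course text); anything else is rejected.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def digests(data: bytes) -> dict:
    """Return the two digest types a file profile accepts, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(entry: str) -> str:
    """Classify one list entry as 'md5', 'sha256' or 'invalid' (e.g. SHA1, typos, non-hex)."""
    h = entry.strip().lower()
    if MD5_RE.match(h):
        return "md5"
    if SHA256_RE.match(h):
        return "sha256"
    return "invalid"


def validate_hash_list(text: str):
    """Split a one-hash-per-line list into accepted hashes and rejected (line, entry) pairs.

    Blank lines and '#' comments are skipped; accepted hashes are lowercased and
    de-duplicated while preserving their first-seen order.
    """
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if classify(entry) == "invalid":
            rejected.append((lineno, entry))
            continue
        h = entry.lower()
        if h not in seen:
            seen.add(h)
            accepted.append(h)
    return accepted, rejected


def hash_files(paths):
    """Yield (path, md5, sha256) rows for each file, e.g. to build the CSV upload."""
    for p in paths:
        d = digests(Path(p).read_bytes())
        yield str(p), d["md5"], d["sha256"]


# Constructed sample list: an uppercase MD5, a SHA256, a SHA1 (unsupported),
# a duplicate of the first MD5 in lowercase, and a junk entry.
SAMPLE_LIST = """\
# allowlist candidates copied from incident details
900150983CD24FB0D6963F7D28E17F72
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
a9993e364706816aba3e25717850c26c9cd0d89d
900150983cd24fb0d6963f7d28e17f72
not-a-hash
"""

if __name__ == "__main__":
    ok, bad = validate_hash_list(SAMPLE_LIST)
    print("accepted:")
    for h in ok:
        print("  ", h)
    print("rejected:")
    for lineno, entry in bad:
        print("   line", lineno, entry)
```

The accepted list is what you would paste into the file profile or write out, one hash per line, as the CSV upload; the updateFileHashList endpoint on the slide is the automation route, but its request parameters are not covered on this page, so the script stops at producing a clean list.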
Threat Protection
• Overview of Netskope Threat Protection
• Configure Threat Protection for Real-time Protection
• Configure Patient Zero Protection
• Configure Threat Protection for API-enabled Protection
• Integration with third-party solutions
• Intrusion Prevention System (IPS)
• Configure User and Entity Behavior Analytics (UEBA)
Next, we will discuss protection against zero-day threats which is directly related to real-time threat protection.
What is Patient Zero protection?
• Patient Zero protection includes Patient Zero alerts and Patient Zero prevention policies.
• Patient Zero alerts are raised when the fast scan hasn't detected a threat, but the deep scan has.
• Patient Zero prevention is a feature of real-time protection policies that:
– Guards against unknown threats by blocking downloads/uploads of previously unseen files until a "benign" verdict from the deep scan has been returned.
– Is recommended primarily for high-risk cases (risky file types, users, applications, and locations; unknown web sites).
Patient zero is the user who becomes the first victim of a novel malware or other kind of threat. Even though 
sometimes a new malware can be detected through its similarity to previously known malware, or through obvious 
indicators of malicious behavior, that’s not always the case. However, even though zero-day threats are inevitable, 
there are ways to mitigate risks associated with them. 
Netskope Patient Zero protection has two aspects. There are Patient Zero alerts which don’t require any special 
configuration beyond having a threat protection policy. These alerts are raised automatically every time the fast 
scan service doesn’t detect a file as malicious, and the deep scan service does. The deep scan service is much 
better equipped to detect zero-day threats and targeted attacks by using advanced heuristics and sandboxing. But 
these advanced engines take time and are not used for policy actions to avoid creating delays across the board. 
They inform about zero-day threats after the fact with alerts. You can only get Patient Zero alerts if you have 
Advanced Threat Protection.
Patient Zero prevention is a feature that can be enabled in a real-time threat protection policy. Patient Zero 
prevention guards your organization against unknown threats that have not yet been detected by Netskope’s 
signature-based threat protection analysis. For example, if a user attempts to download a file that has never been 
analyzed by Netskope's fast scan service (so its hash is not yet on the global allow list or block list), Patient 
Zero prevention blocks the download until the file has been submitted to the deep scan service for more thorough 
analysis and a "benign" verdict has been returned for the file. After the deep scan determines that the file is safe, 
this verdict is communicated to the fast scan so that subsequent attempts to download the file will be allowed. 
Generally, the deep scan analysis can take up to 10 minutes, and the verdict will be communicated back to the fast 
scan within an hour for customers who have the Advanced Threat Protection license. For customers with the 
Standard Threat Protection license, hashes of new files that have been analyzed by the deep scan will be shared 
with the fast scan after 24 hours.
Note that to use Patient Zero prevention, you may need to request enablement of this feature on your Netskope 
tenant. You don’t need any special accommodations for Patient Zero alerts.
Netskope recommends that Patient Zero prevention be used with discretion, primarily for high-risk cases such as 
risky file types, risky users (that is, users with a low Behavior Analytics User Confidence Index), risky applications 
(that is, applications with a low Cloud Confidence Index score), risky locations, and unknown websites.
[Figure: Patient Zero Protection: process flow for a "malicious" verdict. Lanes: Fastscan service (Standard Threat Protection), Deepscan service (Advanced Threat Protection), Advanced sandbox engines. A user attempts to download or upload a file and the file is sent to Fastscan. If malware is detected, the standard block message is displayed and a SkopeIT alert is generated. If no malware is detected but the file is unknown (no matching file hash), the upload/download is blocked and the file is sent to Deepscan for further analysis; the resulting file hash is reported back to Fastscan, so that when the user attempts to download or upload the same file later, Fastscan already has a verdict for it.]
Let’s follow the flow of a file through the threat protection pipeline in the presence of a patient zero prevention policy. When the file is intercepted in the traffic, it is first analyzed by the policy engine. If the file matches the conditions of a threat protection policy, it is sent to the threat scanning service for analysis. The threat scanning service first sends the file to the Fast scan service and, when the Fast scan service returns a verdict, reports this verdict to the policy engine. Up to this point there is no difference between a normal threat protection policy and a policy with patient zero prevention: the policy action is always taken based on the verdict from the Fast scan service.
Without patient zero prevention, a threat protection policy has two choices. If the file is detected as malicious, the configured policy action is applied, which usually blocks the file in the traffic. If the file is not detected as malicious, the policy applies no action. The file may still be blocked by other policies, but as far as this policy is concerned, it is allowed.
When the patient zero prevention option is enabled, the policy has three choices rather than two. Files detected as malicious are still blocked. Files detected as known benign are allowed. Files detected as neither, meaning they are present in neither the global allow list nor the global block list, are blocked with a special notification to the user that the file is unknown and requires further analysis.
Meanwhile, the threat scanning service sends the file for further scanning to the Deep scan service. Once the Deep scan produces a verdict, this verdict is propagated back to the Fast scan service via the global allow list and block list. From that point on the file is no longer unknown: it is either a known malicious file and is blocked with the standard blocking message, or it is a known benign file and is allowed.
If the Deep scan service finds the file malicious after the Fast scan service did not, a patient zero alert is raised. This happens regardless of whether patient zero prevention is enabled. The mismatch between the Fast scan and Deep scan verdicts is enough for alerting.
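To make the three-way decision and the alert condition concrete, here is a small Python model of the flow just described. It is an added example, not Netskope code: the hash algorithm, the list names and the synchronous Deep scan call are simplifications of the real asynchronous services.

```python
"""Added example (not Netskope code): a small model of the Patient Zero decision
flow described above. The hash algorithm, list names and the synchronous Deep scan
call are simplifications; the real services work asynchronously."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    MALICIOUS = "malicious"
    BENIGN = "benign"
    UNKNOWN = "unknown"   # Fast scan only: hash is on neither global list


def file_hash(data: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever digest the services exchange.
    return hashlib.sha256(data).hexdigest()


@dataclass
class ThreatScanning:
    """Fast scan consults the global block/allow lists; Deep scan is the slower
    analysis whose verdict is later propagated into those lists."""
    global_block_list: set = field(default_factory=set)
    global_allow_list: set = field(default_factory=set)
    deep_scan_oracle: dict = field(default_factory=dict)   # hash -> Verdict (constructed)
    patient_zero_alerts: list = field(default_factory=list)

    def fast_scan(self, data: bytes) -> Verdict:
        h = file_hash(data)
        if h in self.global_block_list:
            return Verdict.MALICIOUS
        if h in self.global_allow_list:
            return Verdict.BENIGN
        return Verdict.UNKNOWN

    def deep_scan(self, data: bytes, fast_verdict: Verdict) -> Verdict:
        h = file_hash(data)
        verdict = self.deep_scan_oracle.get(h, Verdict.BENIGN)
        # Propagate the verdict: from now on the file is no longer unknown.
        target = self.global_block_list if verdict is Verdict.MALICIOUS else self.global_allow_list
        target.add(h)
        # A Deep scan "malicious" after a non-malicious Fast scan raises a
        # Patient Zero alert, whether or not prevention is enabled on the policy.
        if verdict is Verdict.MALICIOUS and fast_verdict is not Verdict.MALICIOUS:
            self.patient_zero_alerts.append(h)
        return verdict


def policy_action(fast_verdict: Verdict, patient_zero_prevention: bool) -> str:
    """Action a threat protection policy takes; always based on the Fast scan verdict."""
    if fast_verdict is Verdict.MALICIOUS:
        return "block"                  # standard block message
    if fast_verdict is Verdict.UNKNOWN and patient_zero_prevention:
        return "block_until_benign"     # special 'unknown file' notification
    return "allow"                      # known benign, or unknown without prevention


def download_attempt(pipeline: ThreatScanning, data: bytes, patient_zero_prevention: bool) -> str:
    """One download attempt: policy action, then Deep scan for anything Fast scan did not know."""
    fast = pipeline.fast_scan(data)
    action = policy_action(fast, patient_zero_prevention)
    if fast is Verdict.UNKNOWN:
        pipeline.deep_scan(data, fast)
    return action


def demo() -> dict:
    # Constructed samples: a never-seen dropper that Deep scan will flag, and a clean report.
    dropper = b"MZ\x90\x00 constructed malicious sample"
    report = b"%PDF-1.4 constructed quarterly report"
    oracle = {file_hash(dropper): Verdict.MALICIOUS}

    with_prevention = ThreatScanning(deep_scan_oracle=dict(oracle))
    results = {
        "dropper_first": download_attempt(with_prevention, dropper, True),   # unknown -> held
        "dropper_second": download_attempt(with_prevention, dropper, True),  # now known malicious
        "report_first": download_attempt(with_prevention, report, True),     # unknown -> held
        "report_second": download_attempt(with_prevention, report, True),    # now known benign
        "alerts": len(with_prevention.patient_zero_alerts),
    }
    # Without prevention the unknown dropper gets through once, but the
    # Fast/Deep mismatch still produces the Patient Zero alert.
    without = ThreatScanning(deep_scan_oracle=dict(oracle))
    results["no_prevention_first"] = download_attempt(without, dropper, False)
    results["no_prevention_alerts"] = len(without.patient_zero_alerts)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unknown dropper held on first sight and blocked with the standard action on the second attempt, the clean report held once and then allowed, and exactly one Patient Zero alert whether or not prevention is on.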
Configuring a Patient Zero prevention policy (1 of 3)
Policies > Real-time Protection > New Policy > Threat Protection
1. Select risky users or groups.
2. Select risky categories.
3. Select activities.
4. Add the File Type activity constraint.
Here’s how to create a Patient Zero prevention policy.
Before planning to implement this type of policy, remember that patient zero prevention should be used judiciously, 
focusing only on the highest risk areas of your organization. Patient Zero prevention policies that are configured to 
be too broad can have a negative impact on user experience and can reduce productivity across your organization 
(for example by blocking harmless files that users need to do their jobs, such as downloading routine reports).
To create a Patient Zero prevention policy, navigate to Policies and then to Real-time Protection, then click the 
New Policy drop-down menu and select Threat Protection.
To configure the policy, follow these recommendations:
1. For Source, select risky users or groups. This is not something you have out of the box, but you can create and maintain a risky users group in the user directory that is synchronized with your tenant. Alternatively, you can add the User Confidence source criterion and apply the policy to users whose confidence index is lower than a certain threshold. We cover the user confidence index in the user and entity behavior analytics section of this chapter.
2. For Destination, select those categories you consider highest risk for your organization.
3. For Destination, Activities, select the activities you want to protect (for example, Download and Upload).
4. Add the File Type activity constraint.
Configuring a Patient Zero prevention policy (2 of 3)
Limit file type selections to high-risk file types.
5. Once you’ve added the File Type constraint, under Activity Constraints, click Select File Type.
6. Select the types of files you want to analyze. Netskope recommends that you limit your selections to high-risk file types (such as Binary and Executable, Spreadsheet, Word Processor, and File Type Not Detected).
Configuring a Patient Zero prevention policy (3 of 3)
7. Select a threat protection profile.
8. Set severity-based actions to Block.
9. Select the option Block till benign verdict by dynamic threat analysis. This is the option that instructs Fast 
scan to block unknown files until Deep scan has returned a “benign” verdict.
If you don’t see the Block till benign option, double-check that your policy has the following parameters:
• Activities: Download, Upload, or both;
• File Type constraint;
• Block action for at least one of the severity levels.
Finally, name and save your policy. When asked where to put the new policy in the policy list, make sure to put the 
patient zero prevention policy above all other threat protection policies. And no – a patient zero prevention policy 
can’t be your only threat protection policy because it doesn’t and shouldn’t cover all users, destinations, and files. 
You need a general threat protection policy that covers all users, categories, and files, besides the patient zero 
prevention policy.
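Here is an added Python model (not Netskope code) of the ordering and prerequisite rules above. It assumes top-down, first-match evaluation of the Real-time Protection policy list, which is why the ordering matters; the group, category and field names are illustrative.

```python
"""Added example (not Netskope code): a first-match model of the Real-time Protection
policy list, showing why the Patient Zero policy has to sit above the general threat
protection policy, plus a check of the three prerequisites the 'Block till benign'
option needs. Field names, group names and category names are illustrative."""
from dataclasses import dataclass, field
from typing import Optional, Set, Dict, List


@dataclass
class Policy:
    name: str
    user_groups: Optional[Set[str]] = None   # None = all users
    categories: Optional[Set[str]] = None    # None = all destination categories
    activities: Optional[Set[str]] = None    # None = any activity
    file_types: Optional[Set[str]] = None    # None = no File Type constraint
    severity_actions: Dict[str, str] = field(default_factory=dict)  # severity -> action
    block_till_benign: bool = False


@dataclass
class Event:
    user_groups: Set[str]
    category: str
    activity: str
    file_type: str


def matches(policy: Policy, ev: Event) -> bool:
    return bool(
        (policy.user_groups is None or policy.user_groups & ev.user_groups)
        and (policy.categories is None or ev.category in policy.categories)
        and (policy.activities is None or ev.activity in policy.activities)
        and (policy.file_types is None or ev.file_type in policy.file_types)
    )


def first_match(policies: List[Policy], ev: Event) -> Optional[str]:
    """Policies are evaluated top-down; the first one whose criteria match decides."""
    for p in policies:
        if matches(p, ev):
            return p.name
    return None


def block_till_benign_prerequisites(p: Policy) -> List[str]:
    """Reasons the 'Block till benign' option would not be offered for this policy."""
    missing = []
    if not p.activities or not (p.activities & {"Download", "Upload"}):
        missing.append("Activities must include Download and/or Upload")
    if p.file_types is None:
        missing.append("File Type activity constraint is required")
    if "Block" not in p.severity_actions.values():
        missing.append("At least one severity level must be set to Block")
    return missing


RISKY_FILE_TYPES = {"Binary and Executable", "Spreadsheet", "Word Processor",
                    "File Type Not Detected"}

PATIENT_ZERO = Policy(
    name="Patient Zero - risky users",
    user_groups={"Risky Users"},
    categories={"Uncategorized", "Newly Registered Domains"},  # illustrative category names
    activities={"Download", "Upload"},
    file_types=RISKY_FILE_TYPES,
    severity_actions={"low": "Block", "medium": "Block", "high": "Block"},
    block_till_benign=True,
)
GENERAL = Policy(
    name="General threat protection",   # all users, categories, activities and files
    severity_actions={"low": "Alert", "medium": "Block", "high": "Block"},
)


def demo() -> dict:
    risky_download = Event(user_groups={"Risky Users", "Everyone"}, category="Uncategorized",
                           activity="Download", file_type="Binary and Executable")
    ordinary_download = Event(user_groups={"Everyone"}, category="Cloud Storage",
                              activity="Download", file_type="PDF")
    return {
        "correct_order": first_match([PATIENT_ZERO, GENERAL], risky_download),
        "wrong_order": first_match([GENERAL, PATIENT_ZERO], risky_download),
        "patient_zero_alone": first_match([PATIENT_ZERO], ordinary_download),  # nothing matches
        "general_missing": block_till_benign_prerequisites(GENERAL),
        "patient_zero_missing": block_till_benign_prerequisites(PATIENT_ZERO),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the general policy listed first, the risky user’s executable download is decided by that policy and never reaches the Patient Zero policy; with the Patient Zero policy alone, an ordinary download matches nothing at all, which is the reason a general policy is still required. The prerequisite check reports exactly what the general policy lacks for the Block till benign option to appear.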
Example of a Patient Zero alert
Here is an example of a Patient Zero alert that was generated when a user in the “Risky Users” group attempted to download an unknown file, and Deep scan returned a verdict that the file contained malware. Deep scan subsequently reported the file’s hash to Fast scan, so the file will be immediately recognized as malware in the future and blocked by Netskope with a standard block dialog displayed to the user.
Note that Patient Zero alerts are generated whenever Deep scan detects malware in a previously unknown file. 
These alerts only require an Advanced Threat Protection license; they do not require enablement of the Patient 
Zero prevention feature on your tenant or the configuration of a Patient Zero prevention policy. If you want to do 
more than just receive alerts about zero-day threats, however, and you want to prevent users from downloading 
unknown files until Deep scan has returned a benign verdict, you must both request enablement of Patient Zero 
prevention on your tenant and configure a Patient Zero prevention policy.
Threat Protection
• Overview of Netskope Threat Protection
• Configure Threat Protection for Real-time Protection
• Configure Patient Zero Protection
• Configure Threat Protection for API-enabled Protection
• Integration with third-party solutions
• Intrusion Prevention System (IPS)
• Configure User and Entity Behavior Analytics (UEBA)
Next, let’s see how to configure threat protection for API-enabled protection.
Classic API-enabled Protection: key points
• Malware scan is enabled per application instance
• Action settings are shared by all instances
• No policies
• No custom threat protection profiles
Securing Data in the Public Cloud
(Slide diagram) API-based, Data at Rest: identify sensitive data in Cloud Storage (Data Protection); detect malware in Cloud Storage (Threat Protection). Inline, Private Access: secure and transparent access to private applications without needing to backhaul via a traditional VPN.
To secure data in the public cloud, Netskope offers Cloud Security Posture Management, which provides multi-
cloud visibility and control over your IaaS inventory and configuration in Amazon Web Services, Microsoft Azure, 
and Google Cloud. 
One of Netskope’s differentiators is our Data-at-Rest security, which includes DLP and malware scans for IaaS 
storage buckets. You can protect your IaaS resources with the same policies you've built to protect your SaaS 
applications. Everything to the left in the illustration on the slide, indicated in orange and gray, is API-based and 
provides deep visibility into your managed IaaS resources. For visibility and control over real-time activities in 
unmanaged IaaS resources, Netskope offers Data-in-Motion protection, as indicated to the right in blue.
Data & Threat Protection for Cloud (IaaS) Storage
(Slide diagram covering AWS, Azure and GCP)
DATA PROTECTION: scan content in buckets to identify sensitive data, across 1,000+ file types, using 3,000+ data identifiers.
• Exact match
• Fingerprinting
• OCR
• Pattern/keyword matching
• Proximity analysis
• Metadata extraction
THREAT PROTECTION: scan content in buckets to identify malware, supported by Netskope Threat Research Labs (uniquely focused on cloud security threats).
• Pre-filter
• AV
• Threat Intel
• Cloud sandbox
• Heuristic analysis
To expand a bit on what we mentioned in the previous slide, Netskope can scan files in managed IaaS storage 
buckets using techniques such as exact matching, fingerprinting, OCR, pattern and keyword matching, and more. 
Netskope DLP supports more than 1000 file types and uses more than 3000 data identifiers to identify sensitive 
data.
In the Threat Protection department, Netskope scans IaaS storage using pre-filtering, antivirus, threat intel, a cloud 
sandbox to detonate suspicious files and observe their behavior, and heuristic analysis.
Securing Managed IaaS / PaaS with Near Real-time Visibility and Control
• Perform DLP inspection on S3 buckets
• Leverage Cloud Trails integration to monitor and audit activities and detect anomalous behavior
• Identify non-standard configurations of AWS resources
• Leverage GCP integration to monitor and audit activities and detect anomalous behavior
• Identify non-standard configurations of GCP resources
• Leverage DLP Scans to prevent and remediate data loss activities
• Utilize Threat Protection capabilities to identify malware and other threats
• Leverage Security Posture and Forensic capabilities
Here are some examples of how Netskope secures managed instances of Amazon Web Services, Google Cloud, 
and Microsoft Azure. For all three services, Netskope can monitor and audit activities to detect anomalous 
behavior, as well as identify non-standard or incorrect configurations that could put your IaaS and PaaS resources 
at risk. For AWS and Azure, Netskope can perform DLP scans on IaaS storage. For Azure, Netskope can provide 
Threat Protection to identify malware and other threats.
Netskope Private Access: Unified Secure Access as a Service for SaaS, Web, and Private Apps
(Slide diagram: Web, Private Apps and SaaS reached through CASB, Web Security and Zero Trust access to the data center, with a single console and a single client)
The Netskope Security Cloud platform unifies Zero Trust Network Access, CASB, and SWG, into an integrated 
Security Service Edge solution, with one client, one policy engine, and a single management console. This 
provides organizations with clear visibility, consistent policy enforcement, and ease of management.
Netskope Private Access is network-agnostic and can be deployed as an overlay on top of your existing network 
infrastructure, enabling your organization to reap the benefits of Zero Trust Network Access immediately. A 
modern alternative to remote-access Virtual Private Networks, Netskope Private Access dynamically connects 
your users anywhere to your private apps on-premises, in private data centers, or in public cloud environments. 
With application discovery and API for automation, Netskope Private Access further simplifies the operations 
around private application management, user access provisioning, and ongoing maintenance.
Netskope Cloud Confidence Index™ (CCI)
We’ve briefly referred to the Cloud Confidence Index earlier in this chapter. Although this topic will be covered in 
greater detail later in this course, here’s a brief review of the importance of the Cloud Confidence Index as a 
resource for evaluating the enterprise-readiness of the cloud apps being used in your organization, as well as 
assessing apps you might be considering for use in the future.
The Cloud Confidence Index is a database of cloud apps that Netskope has evaluated based on objective criteria 
adapted from the Cloud Security Alliance. These criteria measure the enterprise-readiness of cloud apps, taking 
into consideration an app’s security, auditability, and business continuity. The app database is updated frequently, 
adding new applications and updating enterprise-readiness scores for apps that are already in the database. There 
are currently more than 70,000 apps in the Cloud Confidence Index, which you can filter by name, domain, and 
app properties to determine the enterprise-readiness of specific cloud apps. For cloud apps detected in your 
organization, you can view usage statistics, such as how many users are accessing an app, when it was first 
accessed, and how much data is being downloaded from and uploaded to the app.
An Objective Assessment of Enterprise Readiness
• Based on rating of ~50 different attributes (for example: password rules, MFA support, encryption, file-sharing features, security certifications, etc.)
• CCI attribute automation using Netskope’s Machine Learning (ML) model
  – 26 CCI attributes are processed using ML
  – Hybrid process improves both velocity and accuracy by integrating ML results into the research workflow
• Scores are objective; no cloud trust “marketing” with partners
• No app score is fixed; adjusted when apps have un-remediated vulnerabilities
• App weightings may be adjusted by customers; weightings applied to app or category
• App scores can be used in policies
To determine the level of enterprise-readiness for a cloud app, the Cloud Confidence Index takes more than 50 
attributes into consideration. These attributes include such things as password complexity requirements, support 
for multi-factor authentication, file encryption and sharing features, and security certifications. The app assessment 
process is partially automated using a Machine Learning model for 26 attributes, significantly improving the speed 
and accuracy of the results. Cloud Confidence Index scores are objective and are not subject to marketing 
agreements with partners. App scores can either go up or down over time, depending on how vendors respond to 
gaps in security. Additionally, your organization can adjust the weightings of attributes at the app and category 
levels to better reflect the importance you place on specific items. Finally, you can use Cloud Confidence
Classic API-enabled Protection 
Settings > Configure App Access > Classic
Currently, Netskope offers two frameworks for API-enabled protection: classic and next gen. In general, an application is supported by either the classic or the next gen framework, and each framework comes with different capabilities and configuration workflows. Eventually all SaaS applications that are currently available under the classic framework will be migrated to the next gen framework. Until then, you need to understand how to configure threat protection for SaaS applications connected to both frameworks. We will start with the classic framework.
In the classic API-enabled protection framework, you can enable and disable threat protection on a per-instance basis. First, in your tenant, navigate to Settings, then to Configure App Access, and then to Classic, and select one of the cloud applications that has instances configured for API-enabled protection. In the lower half of the page, you will see a table with configured instances and activated features. Threat protection status is displayed in the Malware column. If you want to enable or disable threat protection for an app instance, click the instance name and toggle the Malware checkbox under the Instance Type label.
As soon as you enable threat protection for a SaaS application instance, the Netskope API connector will start sending files accessed by the app users for scanning according to the global threat protection settings.
• Severity-based action: Alert, Quarantine, Remediation
• Profiles: Quarantine, Remediation
• Zip Password for files in Quarantine
• Notifications
Configure Classic API-enabled Protection Settings
Settings > Threat Protection > API-enabled Protection
Under the classic API-enabled protection framework, there are no threat protection policies. Instead, there are global threat protection settings that apply across all classic SaaS instances. You can access these settings in the tenant UI by navigating to Settings, then to Threat Protection, and then to API-enabled Protection.
These global settings define actions for each of the three malware severity levels: low, medium, and high. The available actions are alert and quarantine.
If you have integration with a supported EDR solution and configured a remediation profile, you can enable the 
remediation option for some or all malware severity levels. We will explain EDR integration capabilities and 
benefits later in this chapter.
Since API-enabled protection scans the files already stored in the cloud applications after the fact, blocking is not 
possible. Therefore, the next best thing is the ability to quarantine the malicious file. Quarantining means copying 
the malicious file into a separate folder and replacing the original file with a so-called tombstone. A tombstone is a 
document with a message explaining what happened to the original file and where to address any questions.
The destination folder for quarantined files and the parameters of the tombstone file are defined in the quarantine 
profile, which we will discuss shortly. Under global protection settings you only have to select which quarantine 
profile to use. It is a good practice to have separate quarantine folders and hence separate quarantine profiles for 
malware and for DLP violations.
When a malicious file is moved to the quarantine it is compressed into a ZIP archive with a password. This is a 
precaution against accidentally running the malware. You can define the password in the global threat protection 
settings.
Lastly, you can select whom to notify by email when a malicious file is detected in a cloud app instance. The 
options are: users whose emails are listed in the quarantine profile, file owner, cloud app instance admin, and 
everyone who has access to the file in the cloud app instance.
Quarantine
Policies > Profiles > Quarantine > New Quarantine Profile
To be able to quarantine malicious files you need a Quarantine profile. The profile defines which cloud app instance will host the quarantine folder and what the malicious files should be replaced with.
The cloud app instance that hosts the quarantine folder does not need to be the same instance, or even the same cloud app, where the malicious file was found. Since the Classic API-enabled protection action settings, including which quarantine profile to use for the quarantine action, are global, it is not even possible to keep quarantined malware in the same cloud app it came from once you have more than one cloud app.
The cloud app instance for quarantine can be selected from the instances configured for API-enabled protection. 
Besides that, the Quarantine feature should be enabled in the instance settings, in your Netskope tenant. To view 
or change instance settings, navigate to Settings, then to Configure App Access, and then to Classic, and click 
the instance name. Then enable the Quarantine checkbox under Instance Type. Netskope supports creating a 
quarantine folder only for some cloud apps. If the instance settings lack the Quarantine checkbox, it means that 
this cloud app can’t be used to host the quarantine folder. In general, apps that belong to the Cloud Storage 
category are good for this purpose.
Once you have at least one instance with the Quarantine option enabled, you can create a quarantine profile. To 
do this follow the steps below:
1. Navigate to Policies, then to Profiles, and then to Quarantine, and click New Quarantine Profile. 
2. Select the cloud app of your instance and the instance itself.
3. For User Email, type the email identifier of one of the users of the selected cloud app instance. The 
quarantine folder will be created in this user’s workspace. Usually this should be the instance administrator.
Other settings are optional. If you switch to the Tombstone tab in the quarantine profile settings, you will be able 
to type a custom text for the tombstone file. There are text boxes for both DLP tombstone files and threat 
protection tombstone files. Although this allows you to have a single quarantine folder for both DLP violations and 
malicious files, it is better to have them separated, just because malicious files are dangerous and files with DLP 
violations usually are not. It could be a costly mistake if somebody opens a malicious document by accident. Of 
course, malicious files are protected by a password, but in this area the more layers of protection the better. And 
keeping the malware quarantine apart from the DLP quarantine is another such layer.
When you configure your profile to use default or custom text for tombstone files, this implicitly sets the 
file format as plain text. This can be confusing for the user, since the tombstone file will assume the 
name and extension of the original file. Let’s say malicious code was found in a Microsoft Excel 
spreadsheet called finances.xls. The file will be quarantined and its contents will be replaced with 
tombstone text as plain text. Now, when a user tries to open the file either in the cloud app or locally on 
their computer, they will very likely receive the message that the file format is damaged or unknown. 
That is because the cloud app or the computer operating system will try to parse the file as an Excel 
spreadsheet, and the file doesn’t have that format anymore. 
A more user-friendly way to handle the situation is to replace the original file with a tombstone file of the same format. You will need to prepare such tombstone files in advance. Once you have them, you can use the custom tombstone files option in the Quarantine Profile settings to select different replacement files based on the original file extension.
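As an added illustration (not Netskope code), here is a quarantine step that applies the per-extension tombstone idea and checks a prepared tombstone against the file signature its extension implies, so a plain-text body under an .xls name is caught before a user ever sees the “damaged file” error. Paths, messages and the signature table are assumptions; the password-protected ZIP step is left out.

```python
"""Added example (not Netskope code): a quarantine step that replaces a malicious file
with a tombstone of the same format and checks that a prepared tombstone really carries
the file signature its extension implies. Paths, messages and the signature table are
assumptions; the password-protected ZIP step is left out."""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Leading bytes ("magic") of a few container formats.
SIGNATURES = {
    ".xlsx": b"PK\x03\x04", ".docx": b"PK\x03\x04",            # OOXML is a ZIP container
    ".xls": b"\xd0\xcf\x11\xe0", ".doc": b"\xd0\xcf\x11\xe0",  # OLE2 compound document
    ".pdf": b"%PDF",
}
DEFAULT_TEXT = b"This file was quarantined by Threat Protection. Contact the security team.\n"


def tombstone_matches_format(ext: str, tombstone: bytes) -> bool:
    """True when the tombstone starts with the signature the extension implies, or when
    the extension has no registered signature (e.g. .txt). A first-bytes check only."""
    sig = SIGNATURES.get(ext.lower())
    return sig is None or tombstone.startswith(sig)


def choose_tombstone(original: Path, custom: Dict[str, bytes]) -> Tuple[bytes, bool]:
    """Pick a custom tombstone by extension, falling back to plain text.
    Returns (tombstone bytes, whether the format matches the extension)."""
    ext = original.suffix.lower()
    body = custom.get(ext, DEFAULT_TEXT)
    return body, tombstone_matches_format(ext, body)


def quarantine(original: Path, quarantine_dir: Path, custom: Dict[str, bytes]) -> dict:
    """Move the original into the quarantine folder and write a tombstone under the
    original name and extension, as the text describes."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = quarantine_dir / original.name
    shutil.move(str(original), str(moved))
    body, format_ok = choose_tombstone(original, custom)
    original.write_bytes(body)
    return {"quarantined": moved, "tombstone": original, "format_ok": format_ok}


def demo() -> dict:
    root = Path(tempfile.mkdtemp())
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # constructed OLE2 header bytes

    # finances.xls with the plain-text tombstone: Excel will call the result damaged.
    finances = root / "finances.xls"
    finances.write_bytes(ole2 + b" constructed malicious sample")
    plain = quarantine(finances, root / "quarantine", custom={})

    # budget.xls with a prepared .xls tombstone (constructed stand-in for a real
    # workbook saved from Excel that just shows the quarantine message).
    budget = root / "budget.xls"
    budget.write_bytes(ole2 + b" constructed malicious sample 2")
    prepared = {".xls": ole2 + b" constructed tombstone workbook"}
    matched = quarantine(budget, root / "quarantine", custom=prepared)

    return {
        "plain_text_format_ok": plain["format_ok"],
        "prepared_format_ok": matched["format_ok"],
        "original_moved": plain["quarantined"].exists() and plain["quarantined"].name == "finances.xls",
        "tombstone_keeps_name": plain["tombstone"].name == "finances.xls",
        "tombstone_is_plain_text": plain["tombstone"].read_bytes() == DEFAULT_TEXT,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature check is deliberately shallow: it catches the plain-text-under-.xls mistake the text warns about, not a structurally invalid workbook, so the prepared tombstones still need to be opened once in the target application before they go into the profile.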
Configure Next Gen API-enabled Threat Protection
Policies > API Data Protection > Next Gen > New Policy
1. Create a Next Gen API Data Protection policy.
2. Select application instances to protect.
3. Select Threat Protection for Profile.
4. Select a Threat Protection profile.
5. Select Action.
In the Next Gen API-enabled Protection framework, Threat Protection configuration more closely resembles that of 
Real-time Protection than of Classic API-enabled Protection. You don’t need to enable or disable threat protection 
on a per instance basis and you don’t have global threat protection settings. To control the scope of threat 
protection and the actions, you use policies and threat protection profiles, just like with real-time protection. 
To create a threat protection policy for application instances configured under the Next Gen framework, follow 
these steps:
1. Navigate to Policies, then to API Data Protection, and select Next Gen. Then click New Policy.
2. Select protected application instances. You can select specific instances, all instances of a particular cloud application, all instances of all cloud applications belonging to a category, or all instances of all categories. Additionally, you can select specific resources to scan, or exclude specific resources from scanning, and restrict the scan scope by file type.
3. In the Profile menu, select Threat Protection.
4. Select one of the threat protection profiles. These are the same threat protection profiles that are used in real-
time protection policies.
5. Configure actions. Available actions differ depending on the application and if the policy is applied to multiple 
applications, only the actions common to all of them will be available. If you want to take advantage of more 
flexible actions for a particular application, create a separate threat protection policy for that application.
To summarize the threat protection under the Next Gen framework, compared to the classic framework:
• You don’t need to enable Threat Protection in the managed instance settings; you only need to directly or 
indirectly select the instances that need protection in the policy settings.
• You have the flexibility to create different Threat Protection policies for different applications or instances with 
different Threat Protection profiles or different actions.
• Retroactive threat scans are not tied to retroactive DLP scans; you simply create a retroactive scan for a Next 
Gen instance and configure a retroactive scan policy with a threat protection profile.
Threat Protection
Now, let’s discuss integration options that provide remediation actions via third-party solutions.
Threat remediation with EDR integration
(Slide diagram: Netskope Security Cloud, EDR cloud, EDR endpoint)
• Threat scan service scans a file and identifies the file to be malware
• Netskope tenant contacts the EDR service and sends the file name and hash
• The EDR service queries its DB to determine the IP addresses of the machines with the mentioned file hash
• Configured actions are performed by the EDR on the end machines
Let’s see how integration with an EDR service can enhance threat detection responses. In the following description we assume that the threat protection policy is configured with a remediation profile linked to an EDR service that the Netskope tenant is integrated with.
When a malicious file is detected, the Netskope tenant sends a request to the EDR service with the malicious file details: hash and name. The EDR service queries its database for the IP addresses of the endpoints where this file has been seen before, if any, and sends these addresses back to the Netskope tenant. The tenant then adds these addresses to the malware alert data.
In addition, the Netskope tenant can send a request to add the detected file hash to the EDR service’s own list of indicators of compromise. This causes the EDR service to treat the file as a threat and apply its own configured actions whenever the file is detected by the EDR agents.
Finally, Netskope can send a third kind of request to the EDR service, to apply the isolation action to the affected 
endpoints. This is supported for Carbon Black EDR only, and entails blocking network connections to and from the 
endpoint to prevent malware from spreading.
The above chain of events can be triggered by detecting malware both in the traffic by a real-time threat protection 
policy and in the cloud apps by the introspection engine.
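The exchange above, as an added Python model (not Netskope or vendor code) with a constructed in-memory EDR standing in for the Carbon Black or CrowdStrike service. Request and response shapes, the endpoint inventory and the SHA-256 digest are assumptions; the model keeps the Carbon Black-only restriction on isolation that the text states.

```python
"""Added example (not Netskope or EDR vendor code): a model of the three request types
the text describes between the Netskope tenant and an EDR service, with a constructed
in-memory EDR standing in for Carbon Black / CrowdStrike. Request shapes, endpoint
inventories and the SHA-256 choice are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set

ISOLATE_CAPABLE = {"Carbon Black"}   # per the text, isolation is supported for Carbon Black only


@dataclass
class FakeEDR:
    """EDR cloud side: answers lookups from its sighting database and accepts IOCs."""
    vendor: str
    sightings: Dict[str, Set[str]] = field(default_factory=dict)   # hash -> endpoint IPs
    iocs: Set[str] = field(default_factory=set)
    isolated: Set[str] = field(default_factory=set)

    def handle(self, request: dict) -> dict:
        kind = request["type"]
        if kind == "lookup":
            return {"endpoints": sorted(self.sightings.get(request["hash"], set()))}
        if kind == "add_ioc":
            self.iocs.add(request["hash"])
            return {"added": True}
        if kind == "isolate":
            if self.vendor not in ISOLATE_CAPABLE:
                return {"error": f"isolate not supported for {self.vendor}"}
            self.isolated.update(request["endpoints"])
            return {"isolated": sorted(self.isolated)}
        return {"error": "unknown request type"}


@dataclass
class RemediationProfile:
    alert: bool = True              # enrich the SkopeIT alert with affected endpoints
    add_to_blocklist: bool = False  # share the hash as an indicator of compromise
    isolate: bool = False           # Carbon Black only


def remediate(edr: FakeEDR, profile: RemediationProfile, file_name: str, data: bytes) -> dict:
    """Tenant side: on a malware verdict, build the alert and fire the configured actions."""
    h = hashlib.sha256(data).hexdigest()
    alert = {"file": file_name, "hash": h, "affected_endpoints": [], "actions": []}
    if profile.alert:
        resp = edr.handle({"type": "lookup", "hash": h, "name": file_name})
        alert["affected_endpoints"] = resp["endpoints"]
        alert["actions"].append("alert")
    if profile.add_to_blocklist:
        edr.handle({"type": "add_ioc", "hash": h, "name": file_name})
        alert["actions"].append("add_to_watchlist_blocklist")
    if profile.isolate:
        targets = alert["affected_endpoints"] or edr.handle(
            {"type": "lookup", "hash": h, "name": file_name})["endpoints"]
        resp = edr.handle({"type": "isolate", "endpoints": targets})
        alert["actions"].append("isolate" if "error" not in resp else "isolate_skipped: " + resp["error"])
    return alert


def demo() -> dict:
    sample = b"constructed malicious sample"
    h = hashlib.sha256(sample).hexdigest()
    carbon_black = FakeEDR("Carbon Black", sightings={h: {"10.0.0.12", "10.0.0.7"}})
    crowdstrike = FakeEDR("CrowdStrike", sightings={h: {"10.0.1.3"}})
    profile = RemediationProfile(alert=True, add_to_blocklist=True, isolate=True)
    return {
        "carbon_black": remediate(carbon_black, profile, "invoice.exe", sample),
        "crowdstrike": remediate(crowdstrike, profile, "invoice.exe", sample),
        "cb_isolated": sorted(carbon_black.isolated),
        "cs_ioc_count": len(crowdstrike.iocs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the Carbon Black stand-in, all three actions complete and the two endpoints that had seen the hash end up isolated; against the CrowdStrike stand-in, the alert enrichment and the IOC push work but the isolate action is reported as skipped rather than silently dropped, which is the behaviour you want surfaced in the alert.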
• Select EDR Vendor: Carbon Black or CrowdStrike
• Enter authentication credentials
– Carbon Black: API Key
– CrowdStrike: API Client ID & Secret
• Select Cloud or (Carbon Black only) On-premises
• Enter EDR Server address
• (On-premises only) Select Secure Forwarder
• Name your integration instance
EDR Integration (1 of 2)
Settings > Threat Protection > Integration
To take advantage of the described scenario, you need to have one of the two supported EDR solutions deployed 
in your organization. This can be a cloud deployment, or in the case of Carbon Black, also an on-premises 
deployment.
If you have that, then you need to configure two entities in your Netskope tenant:
• An integration with the EDR service.
• And a remediation profile tied to that integration.
To configure the integration, navigate to Settings, then to Threat Protection, and then to Integration, and click the tile with the EDR vendor: Carbon Black or CrowdStrike. Then configure the connection parameters:
1. Configure the authentication settings. For Carbon Black it’s a single API key. For CrowdStrike it’s a pair of API client ID and API client secret.
2. Configure the address of the EDR service that your Netskope tenant will send the requests to.
For CrowdStrike, only the cloud deployment is supported, and you need to put the service URL into the Server field. For Carbon Black, you can configure integration with either the cloud server or an on-premises server. Cloud integration is analogous to that of CrowdStrike. Integration with an on-premises Carbon Black server has an additional step.
Since requests to the EDR service are sent from the Netskope tenant in the cloud, they will not be able to reach an on-premises server without additional accommodations. The proper way to deliver these requests across the perimeter is to set up a Secure Forwarder in the same network as the on-premises Carbon Black server. Secure Forwarder is one of the roles of the Netskope virtual appliance; in that role, it maintains a secure connection to the tenant, which the tenant uses to communicate with on-premises servers such as the EDR server. Once you have deployed a Netskope Secure Forwarder on your premises and connected it to your Netskope tenant, select it in the Carbon Black integration settings.
Finally, name your EDR configuration instance. You will use this name later when configuring a remediation profile.
2024 © Netskope. All Rights Reserved. 32
Netskope Security Cloud Operation and Administration
EDR Integration (2 of 2) Policies > Profiles > Threat Protection
• Select EDR integration
• Select actions
– Isolate
– Alert
– Add to watchlist/blocklist
And once the integration settings are in place, you can go on and create a remediation profile. To start, navigate to 
Policies, then to Profiles, and then to Threat Protection, and select the Remediation Profiles tab. Then click 
New Malware Remediation Profile. To configure the profile, follow these steps:
1. For Remediation Profile Name, type a recognizable name.
2. For Connect to EDR Server, check the boxes next to the configured EDR server instances that you want to 
use in this profile. For a cloud EDR service you would most likely have just one instance. In the case of an 
on-premises EDR deployment you may have different servers in different regions, and you may want to configure 
different remediation profiles for those regions.
3. For Take Actions, select which actions you want to take upon malware detection:
• Isolate means to apply the isolate action to the endpoints, where the EDR service has seen the detected file 
hash in the past. This action is supported for Carbon Black only, and the precise meaning of the action 
depends on the Carbon Black settings, but generally means blocking incoming and outgoing network 
connections on the endpoint to prevent malware spreading.
• Alert means requesting the addresses of the affected endpoints from the EDR service with the purpose of 
adding them to the SkopeIT alert details in the Netskope Tenant.
• Add to watchlist/blocklist means sharing the detected file hash as an indicator of compromise with the 
EDR service. The EDR service will start treating this hash as a threat and applying its own actions according 
to its own policies. CrowdStrike will only accept this indicator of compromise if it has already been seen on 
some of the endpoints.
Remember that you need to select the remediation profile in the threat protection policies for real-time and next 
gen API-enabled protection and in the global threat protection settings for classic API-enabled protection.
Threat Protection
• Overview of Netskope Threat Protection
• Configure Threat Protection for Real-time Protection
• Configure Patient Zero Protection
• Configure Threat Protection for API-enabled Protection
• Integration with third-party solutions
• Intrusion Prevention System (IPS)
• Configure User and Entity Behavior Analytics (UEBA)
Next, we will discuss the Netskope Intrusion Prevention System.
Netskope Intrusion Prevention System (IPS) (1 of 2)
• Scans network traffic to protect against exploits delivered by compromised or malicious applications, services, and websites
• Scans HTTP/S traffic after Real-time Protection policy actions have been performed
• Is enabled with a simple on/off switch (there are no IPS policies to configure; however, you can override signatures of the default profile)
• Supported with the following steering methods:
– Netskope client
– GRE
– IPsec
– Explicit proxy mode (standard HTTP/S ports only)
• Included in both Standard and Advanced Threat Protection for Netskope NG SWG
Intrusion Prevention System, or IPS, is a technology that scans network traffic to protect against client-side attacks 
delivered by compromised or malicious applications, services, and websites.
IPS scans are run on the HTTP and HTTPS traffic after all Real-time Protection policies have been evaluated and 
their associated actions (for example, block actions) have been performed.
You can enable IPS functionality in the Netskope tenant settings with a simple on/off switch. There are no IPS 
policies to configure, although you can specify signature overrides for the default profile.
IPS is supported with the following steering methods:
• Netskope client.
• GRE tunnel.
• IPsec tunnel.
• And Explicit proxy (for standard HTTP and HTTPS ports only).
IPS is included in both the Standard and Advanced Threat Protection licenses for Netskope Next Gen Secure Web 
Gateway.
Netskope Intrusion Prevention System (IPS) (2 of 2)
• Detects IoCs by means of 20,000+ signatures updated twice monthly
– Signatures based on CVEs published by the National Vulnerability Database
– Safeguards popular applications/products
• Microsoft products, Adobe products
• Browsers: Microsoft IE, Mozilla Firefox, Google Chrome, Safari, etc.
• Databases: Oracle, MySQL, etc.
– Protects against vulnerabilities and attacks
• File format vulnerabilities (PDF, MS Office, executables/binary files, etc.)
• JavaScript exploits
• Cross-site scripting (XSS)
• Browser exploits
• OS vulnerabilities (Windows, Linux, MacOS, Android, iOS, etc.)
• Malware (backdoor, C&C, shellcode, obfuscation, etc.)
• Part of the Microsoft Active Protections Program (MAPP)
IPS offers more than 20,000 signatures to enable detection of known IoCs (or Indicators of Compromise) for 
exploits. These signatures are updated twice monthly, with one of the updates coinciding with Microsoft Patch 
Tuesday. 
IPS signatures come from different sources, including Netskope Threat Labs’ own research, Netskope security 
partners and the cybersecurity community, and, importantly, CVEs published in the National Vulnerability Database. 
CVE stands for Common Vulnerabilities and Exposures, a list of publicly disclosed cybersecurity vulnerabilities 
maintained by the National Cybersecurity Federally Funded Research and Development Center operated by the 
MITRE Corporation.
Besides that, Netskope participates in the Microsoft Active Protections Program (MAPP), a program for security 
software providers where Microsoft gives early access to vulnerability information so that Netskope and other 
cybersecurity companies can more quickly provide updated protections to customers.
IPS safeguards such popular applications and products as:
• Microsoft and Adobe products.
• Web browsers, including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Safari, etc.
• Databases such as Oracle, MySQL, and others.
IPS protects against vulnerabilities and attacks, including:
• File format vulnerabilities (in such files as PDF, MS Office, executables and binary files, and more).
• JavaScript exploits.
• Cross-site scripting (or XSS).
• Browser exploits.
• OS vulnerabilities (in Windows, Linux, MacOS, Android, iOS, etc.).
• Malware (such as backdoor, C&C (or Command and Control), shellcode, obfuscation, and others).
IPS Settings (1 of 2) Settings > Threat Protection > IPS Settings
Screenshot callouts: IPS on/off switch; Traffic to exclude from IPS scans
You can find IPS settings in the Netskope tenant by going to Settings, then Threat Protection, and then IPS 
Settings.
As mentioned earlier, IPS does not require any policies and is enabled or disabled with a simple on/off switch.
The settings you can modify to customize the behavior of IPS are User Notification, Allow List, and Signature 
Overrides:
• User notification is what the user sees in their web browser when IPS blocks a threat. You can customize the 
default template with your own message and corporate logo by going to Policies, then Templates, and then 
User Notification in the Netskope tenant and editing the IPS Default Template.
• On the Allow List tab you can select domains and source and destination IP addresses or address ranges that 
you want to exclude from IPS scans. Before you can select allow lists on this tab, you must first create the lists. 
You can do that by navigating to Policies, then to Profiles, and then to Network Location.
IPS Settings (2 of 2)
Signature overrides allow you to do two things. First, you can enable Alert Only Mode so that IPS only generates 
alerts and does not block web traffic when threats are detected. Second, you can override the default IPS behavior 
for specific threat signatures. For example, if you want to exclude a signature from being detected, you can set its 
status to Disabled. Or if you only want to prevent blocking, you can override the default action and set it to Alert
rather than Block. 
To add a signature override, click New Override and search by signature number or a keyword in the signature 
name. You can also filter the signature list by the CVE reference number or the CVSS severity level. As 
mentioned earlier, CVE stands for Common Vulnerabilities and Exposures, and CVSS stands for 
Common Vulnerability Scoring System.
Follow the links below for more information on CVE and CVSS:
• https://cve.mitre.org/cve/search_cve_list.html
• https://nvd.nist.gov/vuln-metrics/cvss
Now, in the last section of this chapter, let’s discuss the user and entity behavior analytics feature.
User and Entity Behavior Analytics (UEBA)
Diagram: user activity in sanctioned apps, unsanctioned apps, private apps and the internet feeds Behavior Analytics, which detects malicious insiders, compromised accounts, data exfiltration, brute force, and other attacks.
Behavior Analytics gathers information about users using sanctioned and unsanctioned apps, private and public internet, and then creates a profile to look for unusual behavior.
User and Entity Behavior Analytics, or simply Behavior Analytics, or just UEBA, gathers information about users as 
they are using sanctioned and unsanctioned apps, as well as private and public internet, and then creates a user 
behavior profile and correlates all of it together to look for unusual behavior.
The Behavior Analytics page in the Incidents menu provides information about the various types of detected 
insider threats and compromised accounts. You can use the Behavior Analytics dashboard to address some 
common use cases, such as insider threats, compromised accounts, compromised devices, and data exfiltration.
• For compromised accounts, an example would be an external attacker who is abusing stolen account 
credentials to impersonate an employee and access cloud resources.
• A compromised device is a device that has been accessed by an attacker or infected with malware and may 
communicate with attacker-controlled infrastructure to phone home, receive commands, or fetch malicious 
content.
• Data exfiltration happens when an attacker is abusing a compromised account or a compromised device to steal 
data from the victim. Many campaigns have been found using cloud-based services, such as webmail and file-
sharing services, as C&C servers to blend in with normal traffic and avoid detection.
• Insider threats refer to security risks caused by malicious users within a corporate network. This type of attack is 
different from one caused by a compromised credential, where an external attacker has used valid stolen 
account credentials to impersonate an employee and access a network. In the case of a malicious insider, the 
user typically is acting with intent and likely knows that they are breaking policy and potentially the law.
Data Flow Into UEBA
Data Sources (Inline and API Connector): Alerts, Application Events, Network Events
→ UEBA: Trigger rules, Build Models, Find Anomalies, Adjust UCI
→ Netskope UI: Incidents, UCI Scores
At the core of Netskope Behavior Analytics is the following data flow. The UEBA engine ingests alerts and different 
kinds of events generated by various other modules in the Netskope Tenant. These include application events 
detected both in real-time and through API access; alerts from most detection engines, such as DLP, threat 
protection, web security, etc., as well as other events.
The UEBA engine uses incoming data to trigger rule-based policies as well as to train machine-learning-based 
models, establish baselines, and detect abnormal behaviors. UEBA detections then adjust users’ risk scores, the 
so-called User Confidence Index. This score can then be used in policies to drive different actions depending on 
the user risk. You can also observe user scores directly in the tenant UI, as well as analyze and process UEBA 
alerts and incidents.
Standard vs Advanced Behavior Analytics
Standard UEBA
• Sequential anomaly rules (9) to detect cloud app bulk uploads, downloads, deletes, plus proximity, failed logins, shared credentials, rare events, risky countries, and data exfiltration between company and personal instances
• Instance awareness for apps in sequential anomaly rules
Advanced UEBA
• Machine learning (ML) based anomaly detection for insiders, compromised accounts, and data exfiltration
• User Confidence Index (UCI) scoring and event correlation timelines with the ability to invoke policy actions based on score
• REST API for UCI export + Cloud Risk Exchange for risk curation and remediation actions with technology partners
• UEBA custom sequential anomaly rules with pre-defined templates for 8 inline apps and 6 API apps
The exact capabilities available in your tenant depend on the UEBA feature pack included in the license. Just like 
Netskope Threat Protection, Netskope Behavior Analytics has two functional levels: Standard UEBA and 
Advanced UEBA.
Standard Behavior Analytics gives predefined anomaly detection rules based on looking for a certain sequence of 
events. There are 9 such rules in the Standard UEBA and they are designed to detect bulk uploads, downloads, 
and deletes using cloud apps; proximity detection, when credentials are used from different distant locations; failed 
logins; access from risky countries; data exfiltration between company and personal instances; and rare event 
detection.
Advanced Behavior Analytics offers much more. In addition to many more predefined sequential anomaly 
detection rules, there’s support for custom rules. Then, there are machine learning based anomaly detection 
policies with user and tenant level models. With Advanced UEBA each user is assigned a risk score, called User 
Confidence Index or UCI, with the ability to invoke policy action based on that score. There’s also support for 
sharing the UCI with third-party solutions directly via Netskope REST API or in a more guided manner via 
Netskope Cloud Risk Exchange.
User Confidence Index To Find Risky Users
1. Unknown threats exhibit unusual behaviors
2. UEBA detections identify individual anomalous behaviors
3. UEBA engine combines anomalies into a score: User Confidence Index (UCI)
4. Organization investigates users with poor UCI scores
Diagram (insider threat example): Corporate Downloads, Personal Uploads, DLP violations → UEBA Detections → Anomalies (Sensitive Corporate Data Movement) → Risk Score → Risky Users (332)
Netskope Behavior Analytics encapsulates risky user behavior into a risk score (User Confidence Index or UCI) 
and applies it to each user. The risk score is presented on the UI, showing which users constitute the most risk to 
the organization at any given time and are in need of further investigation.
The UCI can be used in policies to base policy actions on the user’s risk score. The UCI can also be shared with 
third-party solutions via the Cloud Risk Exchange feature of Netskope Cloud Exchange to promote risk-based 
policies beyond the Netskope solution.
How is the User Confidence Index (UCI) calculated?
• A dynamic score assigned to each user, which indicates risk
• Starts at 1000
• Reduced for each alert
• Previously accumulated deduction decays over time
Let’s look in more detail into how the User Confidence Index is calculated.
The initial value of UCI for a new user is 1000. Each time the user triggers a Behavior Analytics alert, the score is 
reduced by a fixed numerical value defined in the violated Behavior Analytics policy settings. The score is 
dynamic. At the beginning of a day the total score deficit from the previous day is reduced by a certain percentage, 
thus increasing the score. This way the risk score gradually improves over time, unless new alerts keep reducing 
the score.
You can see on the screenshot how the user’s score incurred a new penalty of 101 from a triggered UEBA rule, 
which was added to 387, the accumulated and depreciated penalty carried over from the previous day. 
This makes the total deduction for the day 488 and the User Confidence Index 512. This 
day’s total deduction of 488 will be multiplied by a depreciation factor and carried over to the next day.
Note that the User Confidence Index is only available with Advanced Behavior Analytics.
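The screenshot arithmetic above, carried a few days forward, as an added Python example (not Netskope code). The chapter does not state the depreciation percentage or whether the score can go below zero, so DAILY_DECAY and the floor at 0 are assumptions; days_until shows how long a user needs without new alerts before the UCI climbs back over a policy threshold.

```python
"""Model of the User Confidence Index arithmetic described in this chapter.
Added example, not Netskope code. The chapter gives the start value, the
per-alert penalty and the daily depreciation of the carried deduction, but
not the depreciation percentage, so DAILY_DECAY is an assumed value."""

UCI_START = 1000
DAILY_DECAY = 0.20   # assumed: 20% of yesterday's deduction is forgiven each day


def next_day_carry(total_deduction, decay=DAILY_DECAY):
    """Deduction transferred to the next day after depreciation."""
    return round(total_deduction * (1 - decay))


def uci_for_day(carried, penalties):
    """(UCI, total deduction) for one day, given the depreciated deduction
    carried from the previous day and the penalties of that day's alerts.
    The floor at 0 is an assumption; the chapter does not state one."""
    total = carried + sum(penalties)
    return max(0, UCI_START - total), total


def simulate(penalties_per_day, carried=0, decay=DAILY_DECAY):
    """Run several days; returns a list of (uci, total_deduction) per day.
    The screenshot day is simulate([[101]], carried=387) -> [(512, 488)]."""
    history = []
    for penalties in penalties_per_day:
        uci, total = uci_for_day(carried, penalties)
        history.append((uci, total))
        carried = next_day_carry(total, decay)
    return history


def days_until(threshold, total_deduction, decay=DAILY_DECAY, max_days=365):
    """Days without new alerts before the UCI reaches `threshold`, e.g. the
    value used in a real-time policy's User Confidence condition. Returns
    None if the score cannot recover within max_days (e.g. decay of 0)."""
    days = 0
    while UCI_START - total_deduction < threshold:
        if days >= max_days:
            return None
        total_deduction = next_day_carry(total_deduction, decay)
        days += 1
    return days
```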
User Risk-Based Policies
You can use this risk score in real-time protection policies to dynamically restrict user access if their score falls 
below a certain threshold. To do that, follow the steps below:
1. Navigate to Policies, then to Real-time Protection.
2. Create a new real-time protection policy. A Cloud App Access policy would be a good candidate for this 
feature.
3. Next to Source, click Add criteria and select User Confidence. The User confidence field will appear in the 
policy settings.
4. Click in the User confidence field and select the criteria Less than or More than, then select the Threshold. 
You can type your own custom threshold too.
You should then fill the policy with other appropriate details, such as the Cloud App or Category, possibly a DLP 
profile, and the Action.
Sequential anomaly rules
• Trigger based on specific set conditions
• Do not include behavioral baselines
• Can be customized to suit an organization’s needs
• (with Advanced UEBA) support custom rules and UCI
Example of rule-based detection for Bulk Downloads:
• Rule-based Behavior Analytics policy will alert on a user downloading 500 files, even though this may happen on a regular basis.
• Must be manually tuned if this is not relevant.
Let’s now look at how Behavior Analytics can detect risky behavior, starting with sequential anomaly rules. 
“Sequential” here refers to the fact that these rules trigger when a certain sequence of events is observed. For 
example, a rule may trigger after 100 file download events observed within 1 hour. These events can come from 
both the API-enabled protection and from real-time protection.
Sequential anomaly rules don’t support training and don’t have any baseline to compare with. You can manually 
change the threshold from 100 to 500 or 50, based on what’s more relevant for the organization. You can also 
change the observation window from 1 hour to a different period. And you can further fine-tune the rule in terms of 
which users and which applications it pays attention to.
Remember that under Standard Behavior Analytics there’s no user confidence index. Instead, when a rule is 
triggered, only an alert is generated. You can customize the severity level of the alert in the rule properties.
With Advanced UEBA, you get more types of predefined rules, the ability to define your own event sequences to 
look out for in custom rules, and you can set the user confidence index penalty associated with each rule.
Predefined Rule-based Policies (Standard UEBA) Policies > Behavior Analytics
• 9 predefined rules with configurable parameters:
– Threshold
– Tracked users
– Tracked apps or app instances
– Severity
• Proximity tracks Reverse Proxy access method only
• Shared Credentials has a fixed Medium severity
With just Standard UEBA, there are 9 pre-defined rule types also called rule-based policies. There is only one 
policy of each type that can be either enabled or disabled, if you decide that the rule is not relevant for your 
organization. That means that for each of the 9 scenarios you can only have a single set of parameters for the 
entire organization. It’s impossible to have different bulk download thresholds for different apps or user groups. 
Advanced UEBA overcomes this restriction with custom rule-based policies and machine-learning-based policies.
All rules have tags which point to the scenarios in which the rules can be used. All Standard UEBA rules have the 
corresponding eponymous tag, so that you can easily find them even if you have Advanced UEBA enabled for 
your tenant. More importantly, the rules have such tags as Real-time Protection and API-enabled protection. 
These show what kind of events can trigger the rule. Nearly all Standard UEBA rules have both these tags, 
meaning that they process events coming both from traffic analysis and API-based introspection. The only 
exception is the Proximity rule that relies exclusively on real-time protection events and among those only on the 
events coming from the Reverse Proxy access method.
Tuning Rule-based Policies: Recommendations
The following Rule-based policies would track for sanctioned app instances only:
• Bulk Delete
• Bulk Download
• Bulk Failed Logins
• Suspicious Data Movement
• Proximity
• Rare Event
• Risky Countries
Before tuning the rule-based policies, make sure to create all required app instances.
• Add all relevant app instances
• Set appropriate threshold
• Set the severity by configuring the UCI score
By default, the rules are not fine-tuned in any way. They will dutifully count relevant events for all users and for all 
applications, including possibly personal application instances. Depending on the scenario, this may or may not 
produce the best results. For example, in the bulk delete scenario an organization would care much more if this 
happened to a corporate application instance rather than some user’s personal instance. With bulk uploads it is 
arguably the other way round. And to meaningfully detect suspicious data movement, both a corporate and a 
personal instance must be involved.
This all raises the question of defining corporate application instances and using this information in the policy 
settings. In the rule settings such applications or application instances are called “sanctioned”.
There are a few ways to delineate sanctioned applications and instances in the Netskope tenant. First of all, any 
application instance configured for API-enabled protection is sanctioned. In this sense, any events coming from 
API-based introspection are events about sanctioned application instances. Netskope introspection cannot monitor 
activities in users’ personal applications.
Real-time protection can generate events about any instance, as long as the user’s activity in the instance is captured 
in the traffic. To separate activity in corporate and non-corporate instances, you need to mark corporate instances 
as sanctioned. The steps to do that will be discussed shortly.
Note that application instances configured for API-enabled protection, and therefore sanctioned in relation to 
introspection or the API connector access method, are not automatically sanctioned in relation to inline activity 
detection. Out of the box there are no sanctioned instances for inline.
Instance Awareness (inline)
To make an application instance sanctioned for inline processing and consequently for UEBA, follow the steps 
below:
1. Navigate to Skope IT, then to Application Events, and find events related to the application instance you 
consider corporate or sanctioned.
2. Click View details to display event data in the side bar.
3. Scroll the event details down to the Application section.
4. Next to the Instance Name field, click the New App Instance link.
5. In a new window, give this instance a recognizable name, and select an appropriate tag: sanctioned or 
unsanctioned.
6. Click Save.
This creates a named instance, which can be tagged as sanctioned, unsanctioned, or neither. If you want to find all 
named instances, navigate to Policies, then Profiles, then App Instances. There you can change the instance 
tag or delete the instance.
These sanctioned instances are important for UEBA but can also be used as conditions in real-time protection 
policies.
Example: Bulk Delete
• Goal: track bulk deletes in corporate instances of cloud apps
• Recommendation: limit coverage to sanctioned instances of cloud apps for both real-time and API-enabled instances
• (Optionally) select users
• Set file count and time interval
• Severity (Standard UEBA) or UCI score impact (Advanced UEBA)
Let’s now look at the configuration options for a pre-defined rule-based UEBA policy. Most of the parameters of 
pre-defined rules are common to all rule types, but there can also be unique settings specific to a particular 
rule. We will use the Bulk Delete rule as an example.
To change the rule settings, hover your mouse pointer over the rule tile and then click the pen-shaped Edit icon in 
the lower-right corner of the tile. Then configure the following parameters:
1. Severity. You can choose between Informational, Low, Medium, High, and Critical. The severity level of the 
rule defines the severity level of the alerts generated when the rule is triggered. You can choose severity directly 
only if your tenant doesn’t have Advanced Behavior Analytics. Otherwise, you will configure the User confidence 
index score impact, which will define the severity level.
2. User confidence index score impact. This is available with Advanced Behavior Analytics and not available 
with Standard Behavior Analytics. When available, this parameter has a numerical value, which is deducted from 
the user’s UCI score when the rule is triggered.
3. User. You can select which users the rule will track. Only events associated with selected users will be used to 
evaluate the rule conditions. You can select individual users, which is not very practical, or user groups, or 
organizational units.
4. App. You can select which application instances will be considered when evaluating the rule conditions. Here, 
too, you have several options. First, you can select applications by name, which again is not very practical 
because it doesn’t allow you to distinguish between sanctioned and unsanctioned instances. The second and better 
option is to select configured application instances. These will be instances configured for API-enabled protection 
and named instances configured for inline protection, discussed previously. The third option is to apply 
the rule to sanctioned apps. Sanctioned apps are not the same as sanctioned instances. To mark the entire 
application as sanctioned, you need to find it in the CCI database and apply the predefined Sanctioned tag to the 
application. This will be less accurate than tagging application instances.
Other rule settings will depend on the rule type. For the Bulk Delete rule these include two parameters that define 
the threshold of what is bulk: Count of files deleted and Time interval. The meaning of the parameters is 
self-explanatory. Note that the rule counts deleted files, rather than deletion events. This is achieved by analyzing 
activity details such as the file ID within the cloud app and provides better accuracy by avoiding double counting.
Custom Rule-based Policy from Template Policies > Behavior Analytics
Advanced Behavior Analytics extends rule-based policies in two ways. First, there are over 30 predefined rules 
with Advanced Behavior Analytics, compared to Standard Behavior Analytics. Second, Advanced Behavior 
Analytics allows you to create custom sequential rules.
There are two ways to do this. You can create a new rule from a template, or you can create a new rule entirely 
from scratch. The templates simply provide default values for some parameters and mostly serve as examples of 
the kinds of rules you can create. They don’t offer any unique capabilities compared to rules created from scratch.
There are three templates for custom rule-based policies in Advanced Behavior Analytics:
• Download / Delete to detect twenty repetitions of download followed by delete in one hour on Box.
• Share / Delete to detect ten repetitions of share followed by delete in one hour on Dropbox.
• Upload / Share to detect ten repetitions of upload followed by share in one hour on Google Drive.
All these activities can be a sign of data exfiltration either by an attacker using a compromised device, or by a 
malicious insider.
Every parameter of the template can be modified before saving the rule: the number of repetitions, the time period, 
the activities, and the app.
To create a custom rule-based policy from scratch follow the steps below:
1. Navigate to Policies, then to Behavior Analytics.
2. Click New Custom Rule Policy and select New. You can also select New From Template and choose a 
template. This will only provide you with default values for some of the rule settings but will not restrict you 
from customizing the rule the way you want.
Custom Rule-based Policy from Scratch
• UCI impact
• Tracked users
• Tracked apps
• Risky countries
• Activity sequence:
– Activities
– Rigid order or not
– Repeats
– Duration
3. Name your rule-based policy.
4. For Scan Type, select Real-time Protection or API Data Protection. This defines the source of events that 
the rule will pay attention to. Your choice will also automatically add the corresponding tag to your custom 
policy and let you search for it by tag later.
5. Set the value of User Confidence Index Score Impact. The value will be subtracted from the offending user’s 
UCI score and also define the severity of the alerts generated by the policy. A UCI score impact from 0 to 50 
corresponds to the Informational severity level, 51 to 100 means Low, 101 to 150 means Medium, 151 to 250 
means High, and 251 or more means Critical.
6. Select the users whose activities the rule will track. You can select individual users, user groups, or 
organizational units.
7. Select applications to track. As in predefined rules, it is recommended to select from previously configured 
application instances, but you can also apply your policy to all applications, to selected applications from the CCI 
database, or to applications with the Sanctioned tag.
8. Optionally, select risky countries. These would be the countries the user connects from. When a user connects 
from a risky country, even relatively benign activities could be considered suspicious and warrant creating a 
rule to alert about them.
9. Under Sequence, use the Add activity button in the lower-left corner to build the sequence of activities you want 
to detect. This could be a single activity, such as a failed or successful login, or a sequence such as upload and 
then delete. If the order of the activities is important, enable the Rigid flag in the lower-right corner. Otherwise, 
the policy will trigger for activities performed in any order, as long as all the selected activities are detected.
Note that when the policy evaluates a sequence, it always matches events for the same application, user and 
object. If one user uploads a file to the application and then a different user deletes a file, this would not match 
the sequence, because the user is different, even if the app and the file are the same. 
10. Still under Sequence, set the maximum duration and number of repeats. The policy will trigger only if the 
specified number of repeats is detected within the specified duration. Each repetition of the sequence can be 
about a different file, user, or application. The user, app, and file must be the same only within one 
sequence.
11. Finally, set the policy status to Enabled and Save the policy.
Custom rule-based policies can be edited, deleted, or cloned. Cloning allows you to quickly create 
similar but different policies for different apps or user groups.
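The sequence matching and repeat/duration logic of steps 9 and 10, together with the severity bands of step 5, as an added Python illustration that is not Netskope code: events are bucketed by user, app and object, the Rigid flag switches between ordered and any-order matching, and the rule triggers when enough completed sequences fall inside the duration window. The event fields, rule objects and sample events are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    app: str
    obj: str        # the file or object the activity concerns
    activity: str   # e.g. "Download", "Delete", "Share", "Upload"


class SequenceRule(NamedTuple):
    name: str
    activities: Tuple[str, ...]  # activity sequence to detect
    rigid: bool                  # True: activities must occur in the listed order
    repeats: int                 # completed sequences required to trigger
    duration: timedelta          # window within which the repeats must fall
    uci_impact: int              # subtracted from the offending user's UCI score


def severity(uci_impact: int) -> str:
    """Severity bands from step 5: 0-50 Informational ... 251+ Critical."""
    for limit, label in ((50, "Informational"), (100, "Low"), (150, "Medium"), (250, "High")):
        if uci_impact <= limit:
            return label
    return "Critical"


def sequence_completions(events: List[Event], rule: SequenceRule) -> List[Event]:
    """Return the event completing each matched sequence, oldest first.
    A sequence only matches events sharing user, app and object (one bucket);
    activities not in the rule are ignored; each event counts toward one repeat.
    """
    wanted = set(rule.activities)
    buckets = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.activity in wanted:
            buckets[(ev.user, ev.app, ev.obj)].append(ev)

    completions = []
    for evs in buckets.values():
        nxt, seen = 0, set()  # rigid: index expected next; any order: activities seen
        for ev in evs:
            if rule.rigid:
                if ev.activity != rule.activities[nxt]:
                    continue
                nxt += 1
                done = nxt == len(rule.activities)
            else:
                seen.add(ev.activity)
                done = seen == wanted
            if done:
                completions.append(ev)
                nxt, seen = 0, set()
    return sorted(completions, key=lambda e: e.ts)


def evaluate(events: List[Event], rule: SequenceRule) -> Optional[dict]:
    """Trigger when `rule.repeats` completions fall inside `rule.duration`.
    Repeats may span different users, apps or files (step 10)."""
    comps = sequence_completions(events, rule)
    for i in range(len(comps) - rule.repeats + 1):
        window = comps[i:i + rule.repeats]
        if window[-1].ts - window[0].ts <= rule.duration:
            return {"rule": rule.name, "severity": severity(rule.uci_impact),
                    "uci_impact": rule.uci_impact,
                    "users": sorted({c.user for c in window}),
                    "window": (window[0].ts, window[-1].ts)}
    return None


# Constructed sample events (not real logs). The Box template uses 20 repeats
# in one hour; the rule here is scaled down to 3 so the sample stays short.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0 + timedelta(minutes=1), "alice", "Box", "q1.xlsx", "Download"),
    Event(T0 + timedelta(minutes=2), "alice", "Box", "q1.xlsx", "Delete"),
    Event(T0 + timedelta(minutes=5), "alice", "Box", "q2.xlsx", "Download"),
    Event(T0 + timedelta(minutes=6), "bob", "Box", "q2.xlsx", "Delete"),      # other user: no match
    Event(T0 + timedelta(minutes=10), "alice", "Box", "q3.xlsx", "Delete"),
    Event(T0 + timedelta(minutes=11), "alice", "Box", "q3.xlsx", "Download"),  # reversed order
    Event(T0 + timedelta(minutes=20), "alice", "Box", "q4.xlsx", "Download"),
    Event(T0 + timedelta(minutes=21), "alice", "Box", "q4.xlsx", "Delete"),
]
RIGID_RULE = SequenceRule("Download / Delete", ("Download", "Delete"), rigid=True,
                          repeats=3, duration=timedelta(hours=1), uci_impact=120)
ANY_ORDER_RULE = RIGID_RULE._replace(rigid=False)
```

With the Rigid flag set, the reversed q3 pair does not count and only two repeats remain, so nothing fires; without it, three repeats land inside 19 minutes and a Medium alert is produced.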
Machine Learning Behavior Analytics Policies
Even with custom rule-based policies you need to spend time fine-tuning the thresholds before finding a good 
balance between useful alerts and false positives. And this is exactly the kind of tedious process that 
machine-learning approaches can automate.
With Netskope Advanced Behavior Analytics you get dozens of ML-based policies, and the list is constantly 
growing. These ML-based policies target the same scenarios as the rule-based policies, but also other scenarios 
that sequence-based detection can’t capture. 
You can easily find either all Machine Learning policies, or the ones targeting a specific scenario using the filter 
options on the left.
User vs. Tenant Level Models
User Models:
• Each user is modeled separately
• Anomalous behavior was only found compared to the model for this user
• Example: Colin normally downloads 10 files per day, but today he downloaded 1,000 files. There are other people in the organization who download 2,000 files per day.
• Lower Severity
Tenant Models:
• One model for the whole tenant
• Anomalous behavior was found compared to the overall tenant model
• Example: Colin normally downloads 10 files per day, but today he downloaded 1,000 files. Everyone else in the organization downloads no more than 500 files per day.
• Higher Severity
The ML-based detections are meant to capture baselines from customer environments and alert on large 
deviations from the baseline. This is done through two kinds of models that can be applied in two different ways.
The two kinds of models are quantitative and categorical. Quantitative models learn typical values for a certain 
statistic, such as the total number of files downloaded or uploaded over a certain period of time, and alert when 
significant deviations from the baseline happen. There are numerous statistics that Netskope Behavior Analytics 
learns and alerts about.
Categorical models alert about rare or first-time events, such as a first-time login to a corporate instance of AWS 
from a particular country or by a particular user.
Both kinds of models can be applied as user-level models or tenant-level models. 
User-level models build a model for each user independently of all other users. First, a baseline is established for 
that user only, and then when an anomaly is found, the system will trigger on that anomaly for that individual user.
For example, Colin from accounting normally downloads 10 files a day, but on this day, he downloaded 1,000 files. 
Other people in the organization sometimes download up to 2,000 files per day. But in Colin’s case, this is not his 
normal behavior, so the system generates an anomaly just for Colin. 
Tenant-level models build one baseline for the entire tenant, or in other words, for the entire organization. A 
tenant-level model triggers on behavior that is abnormal for everyone in the organization.
For example, everyone in the organization downloads no more than 500 files per day. So, when Colin downloads 
1,000 files in a day, his behavior isn’t normal compared to everyone else in the organization. In this case, his 
behavior triggers an anomaly compared to the rest of the organization. This should be considered a higher severity 
anomaly than just a user-level deviation from the baseline. 
This is reflected in the default UCI score impact set for ML-based policies. Tenant-level ML-based policies have a 
higher UCI impact than corresponding user-level policies.
What are ML-based detections?
[Diagram: Build Models → Analyze Relevant Events → Trigger Anomalies]
Build Models: model a feature (example: bytes downloaded per day); learn patterns; track over time (3+ weeks).
Analyze Relevant Events: filter events (feature and entity); compare to the model; calculate the probability.
Trigger Anomalies: mature models only (minimum data requirement); all conditions are met; spikes / first time / rare.
Here’s a simplified description of how ML-based detections work.
A machine-learning model is an algorithm that is trained to recognize certain patterns. In the case of Netskope 
Behavior Analytics, models recognize patterns of normal behavior in the stream of events.
A non-machine-learning model would be coded by humans to recognize these patterns. This is how sequential 
detection rules work. A machine-learning model is not entirely coded by humans. It starts as a generalized model 
with a vast number of undetermined parameters and through a process of training automatically fine-tunes the 
parameters for better and better recognition of the desired patterns.
Netskope Behavior Analytics models are not pre-trained and start from a blank slate. Therefore, they start by 
building specific detection models based on the customer data. 
Each model has certain minimum data requirements, typically expressed in terms of a minimum observation time, 
usually about 3 weeks, and a minimum number of events. Both are important. A model may happen to meet its data 
requirements in a single day if it’s a particularly busy day for the organization. But this may not be a typical day, 
and if the training were stopped after just this one day, the model could produce a lot of false positives. 
Likewise, if a user-level model has been learning a user’s behavior for 3 weeks, it may still lack data for good 
predictions: the user may have been on vacation most of that time, so there simply wasn’t enough data to build a 
good baseline.
That’s why until all minimum data requirements are met, the model doesn’t produce any alerts. It is in a purely 
training mode. Once the minimum data requirements for the model are satisfied, the model becomes a mature 
model and switches into a hybrid training and evaluation mode. If the model detects a large deviation from the 
baseline, it will trigger an alert. But it will also use incoming data to continue adjusting its baseline. After all, user 
behaviors are not constant and can change over time.
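An added Python sketch, not Netskope's implementation, of what this section describes: a quantitative baseline for files downloaded per day, kept once per user and once for the whole tenant, that stays in training mode until its minimum observation time and event count are both met, then scores each new day before learning from it. The 21-day and 100-event minimums, the z-score deviation test and the UCI impacts are assumptions, and the Colin data is constructed to reproduce the two examples given above.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional


class BaselineModel:
    """Quantitative baseline for one entity: a single user (user-level) or the
    whole tenant (tenant-level). As described above, it produces no alerts
    until both the minimum observation time and the minimum event count are
    met; a mature model scores each new value and then keeps learning from it.
    The 21-day / 100-event minimums and the z-score test are assumptions."""

    def __init__(self, scope: str, min_days: int = 21, min_events: int = 100,
                 z_threshold: float = 3.0):
        self.scope = scope
        self.min_days, self.min_events, self.z_threshold = min_days, min_events, z_threshold
        self.values: List[int] = []   # one observation per entity-day
        self.total_events = 0
        self.first_day: Optional[date] = None
        self.last_day: Optional[date] = None

    def observe(self, day: date, value: int) -> None:
        self.values.append(value)
        self.total_events += value
        self.first_day = day if self.first_day is None else min(self.first_day, day)
        self.last_day = day if self.last_day is None else max(self.last_day, day)

    def is_mature(self) -> bool:
        if self.first_day is None:
            return False
        span_days = (self.last_day - self.first_day).days + 1
        return span_days >= self.min_days and self.total_events >= self.min_events

    def zscore(self, value: int) -> float:
        sigma = max(pstdev(self.values), 1.0)  # floor: a flat baseline must not divide by zero
        return (value - mean(self.values)) / sigma

    def evaluate(self, day: date, value: int) -> Optional[dict]:
        """Hybrid mode: score first (only if mature), then learn from the value."""
        alert = None
        if self.is_mature():
            z = self.zscore(value)
            if z > self.z_threshold:
                alert = {"scope": self.scope, "day": day, "value": value, "z": round(z, 2)}
        self.observe(day, value)
        return alert


UCI_IMPACT = {"user": 100, "tenant": 200}  # assumed defaults; tenant-level is the higher one


class FileDownloadDetector:
    """One user-level model per user plus a single tenant-level model for the
    'files downloaded per day' statistic."""

    def __init__(self) -> None:
        self.user_models: Dict[str, BaselineModel] = defaultdict(lambda: BaselineModel("user"))
        self.tenant_model = BaselineModel("tenant")

    def process_day(self, day: date, downloads: Dict[str, int]) -> List[dict]:
        alerts = []
        for user, count in downloads.items():
            for model in (self.user_models[user], self.tenant_model):
                alert = model.evaluate(day, count)
                if alert:
                    alert.update(user=user, uci_impact=UCI_IMPACT[model.scope])
                    alerts.append(alert)
        return alerts


def colin_scenario(other_user_daily: tuple) -> List[dict]:
    """Constructed data: for 22 days Colin alternates 8/12 downloads and a
    second user alternates the two given values; on day 23 Colin downloads 1,000."""
    det = FileDownloadDetector()
    start = date(2024, 1, 1)
    for i in range(22):
        det.process_day(start + timedelta(days=i),
                        {"colin": (8, 12)[i % 2], "other": other_user_daily[i % 2]})
    return det.process_day(start + timedelta(days=22),
                           {"colin": 1000, "other": other_user_daily[0]})


def immature_examples() -> tuple:
    """The two not-yet-mature cases from the text: one very busy day, and a
    user observed for 22 days who was away for almost all of them."""
    busy = BaselineModel("user")
    busy.observe(date(2024, 1, 1), 5000)          # enough events, far too short a span
    away = BaselineModel("user")
    for i in range(22):
        away.observe(date(2024, 1, 1) + timedelta(days=i), 10 if i in (0, 21) else 0)
    return busy.is_mature(), away.is_mature()
```

With a colleague downloading 1,800 to 2,000 files a day, Colin's 1,000 raises only a user-level alert; when nobody exceeds 500, the tenant-level model fires as well, with the higher UCI impact.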
User Confidence Alerts
You can find UEBA Alerts among other alerts on the Alerts page in Skope IT. And you can also find them on the 
Behavior Analytics page in the Incidents menu, where incidents are organized around users and presented in a 
more informative way. Let’s explore an example screenshot of that page.
Here on the left, you have the list of all users and their current user confidence score. You can filter the list by UCI 
brackets: Poor, Moderate, Good, or All. And you can search users by their name.
On the right, you can see the breakdown of the user’s UCI score. The graph shows how the score changed over 
time, and below the graph you can see which alerts contributed to the score on a particular date, as well as how 
much deduction was transferred from the previous date. By default, the current date is selected, but you can select 
any date by clicking the points on the graph.
Although the incidents page gives you a good overview of which users have a low score and may require attention, 
you may also want to be alerted when a user’s score falls below a certain threshold. To enable these kinds of 
alerts, click User Confidence Alert in the summary tile at the top, switch on the flag to raise an alert when the 
user’s UCI drops below the set threshold, and select the threshold.
Behavior Analytics Incidents Management
As with all alerts, Behavior Analytics alerts should be processed in a proper manner. Once an operator has reviewed 
the alert details and taken any appropriate escalation measures, they should acknowledge the alert. To do this, 
click the alert under the UCI graph and then click Acknowledge Alert. This simply marks the alert as 
acknowledged, and it stops being displayed in the default view of the Alerts page in Skope IT.
Occasionally you may find that what Behavior Analytics detected as an anomaly turned out to be normal user 
behavior with a legitimate purpose. In such cases you wouldn’t want to penalize the user. To avoid this, click 
the Mark Allowed button. This sets the UCI impact for this particular alert to 0, recalculates the user’s risk 
score accordingly, and suspends the triggered Behavior Analytics policy for the same user for a certain time. 
The action is permanent and can’t be undone.
Compromised Credentials
To wrap up the discussion of threat protection, there’s one more topic that is not directly tied to either threat 
scanning or behavior analytics, but is still important: compromised user credentials. Netskope Threat Lab keeps 
track of data breaches and user data being shared on the dark web. If Netskope notices one of the known 
compromised usernames in its data sources, whether in customer logs ingested via the Risk Insights feature, in 
app activity monitored through an API connector, or in traffic, a compromised credentials alert will be raised.
You can find such alerts on the Compromised Credentials page in the Incidents menu. For each compromised 
username you can see the timestamp when the user’s activity was detected, the date when the username is known 
to have been compromised, and the name of the corresponding data breach. You can also see where the tenant 
detected the activity, or in other words, which access method was used to detect it.
Note that Netskope doesn’t track the use of the compromised password, only the use of a compromised 
username. This means a compromised credentials alert doesn’t necessarily mean the data is in danger. The 
password that has become known to criminals may be for an entirely unrelated app, or the user may have already 
changed their password after the breach happened. Still, these alerts are important to follow up on: contact the 
user and ensure they are following best practices of credential hygiene. 
Lab C: SaaS Threat Protection
Time: 45 minutes
This chapter includes a lab to practice some of the concepts you learned about.
Reporting
Welcome to the Reporting chapter, in our Netskope Security Cloud Operation and Administration Course.
Reporting Overview
• The Reports interface allows you to: 
– Create, edit and manage reports 
• Reports provide a deep level of visibility 
• Generate reports that satisfy:
– Regulatory standards
– Determine how to best steer traffic
The Reports interface allows you to create, edit, and manage reports. Reports provide a deep level of visibility, 
let you generate reports that satisfy various regulatory standards, and help you determine how to best steer traffic 
to protect your organization. Standard reporting allows you to include up to the last 90 days of data from Skope IT.
A quick note here: If you have Advanced Analytics on your tenant, you will not see the Reporting option.
This chapter describes the primary components in the Reports interface.
Reports Interface
• The first time you access reports, you will see the screen shown below.
• On subsequent logins, you will see the main reports list page.
To open the Reports interface, click Reports in the Netskope admin console. The first time you access reports, 
you will see this screen. For subsequent logins, you will see the main reports list page. You have a choice to 
either create a report using Netskope’s Template Library or create a new report from scratch.
To view the template library, click the Checkout our Template Library tile. Click the Create a New Report from 
scratch tile to create a completely customized report.
Each report has a template, historical runs, and ad hoc runs available.
Generating a Report
• A report can include a combination of:
– New and predefined widgets
– Saved queries
• For example, a cloud risk assessment report can include lists and widgets (table, bar, 
column, pie, line) side-by-side to help you analyze a wide range of data more easily.
These reports are a collection of new and predefined widgets and saved queries.
If you choose to use a template with predefined widgets, click Template Library and select a predefined template 
from the list. You can also choose to clone a report from the existing reports located in the Created By Me or 
Shared With Me lists. Regardless of the method you use, you are creating a template to which you either add 
widgets or that already has widgets in it.
More information on creating reports:
https://docs.netskope.com/en/create-a-report.html
Create a new report from scratch
Use the New Report button to build a template from scratch. Creating your own custom widgets requires a bit 
more effort. 
You create a custom widget by writing a Skope IT query that defines what data from Skope IT you want to include 
in the widget. The results of a data query are called a data set. 
Template Library
Reports > Template Library
To use the predefined templates, choose a template from the Template Library. In this example, the App Usage 
Summary template is selected. You can see the three widgets that make up the App Usage Summary.
The first two widgets provide data on what users are uploading and downloading, based on the applications’ CCI 
levels for the last 90 days. The third widget provides information about the top applications users are running for 
the last 90 days.
After you select the template, click Use Template. The template is copied to your reports folder where you can 
use the template as is or make changes to it.
Build A Template
Next, name your report.
You can customize the template by changing the Time Range, editing the existing widgets in the template, or 
adding new widgets. You can customize the Time Range for all the predefined widgets or per widget for newly 
added widgets. 
For the widgets, you can clone, rename, delete or add new widgets to the template.
Add Widgets
Choose whether you want to query:
• An Alert event
• An Application event
• A Page event
When you click Add Widget, this opens the Add Widget side panel and guides you through the Add Widget 
process. Each widget you create is based on the event, format, and value options you select. You can add up to 
20 widgets per template. You can choose whether you want to query an alert event, application event, or page 
event: 
• Alerts are generated when a policy, DLP, or watchlist is matched. For log discovery using Palo Alto Networks 
(PAN) firewall logs, alerts show the list of apps blocked by the PAN firewall. For every event blocked by PAN we 
generate a corresponding alert. 
• Page events are generated for the actual HTTP connection and contain the app, app category, CCL, source, 
destination, bytes and latency details. For log discovery using PAN firewall logs, connection events also show 
the details of all the cloud apps that are allowed in the network. 
• Application events record more details of the user activity inside the cloud app. For log discovery using PAN 
firewall logs, this is identified using the URL recorded in the PAN logs. 
• You can enter a query to execute. For example, if you want to query the users who use Box, enter app eq Box 
in the query field. When you enter words in the query field, a list of options opens and changes to help you find 
the specific code strings needed to create a query. You can also choose from your saved queries: click the 
Choose from Saved Queries link to open a dialog box that lists your saved queries and lets you search for 
specific ones.
Create Report Schedule
A report can be scheduled Daily, Weekly or Monthly or run ad hoc, when needed.
There is a maximum of ten report runs that can be saved per report.
Once you select the frequency of when the report runs, you then select the time and time zone. 
To get the results of the report, you can either log in to the tenant and look at the report, or notify users through 
email with the report attached as a PDF.
List of Reports
You can view your reports under the Created By Me list. The Shared With Me list contains reports shared with you 
by other tenant administrators. Click the report name to view options for the report.
Reports – Historical Runs
The Historical Runs tab shows scheduled reports. 
A best practice tip here is to schedule your reports to run automatically and have them emailed to users as a PDF. 
Up to 10 historical runs can be stored. After the report is generated, you can download the report as a PDF or CSV 
with your choice of rows (up to 100K).
Click the ellipsis menu to see the options for this report, including editing the schedule and sharing the 
report.
The option Move to Another Group allows you to move reports to different groups or folders for organization if 
you have a lot of reports.
Reports – Ad Hoc Run
• Report Can Be Exported
o PDF
o CSV
The Ad Hoc option runs the report on demand.
Use ad-hoc runs to generate a report outside of a regularly scheduled time period using the latest data. Only one 
ad-hoc report run can be stored at a time and is replaced with each ad-hoc run you generate. After the ad-hoc 
report is generated, you can also download the report as a PDF or CSV (with your choice of rows up to 100K).
Netskope Advanced Analytics
Welcome to the Netskope Advanced Analytics chapter, in our Netskope Security Cloud Operation and 
Administration Course.
Netskope Advanced Analytics - Features
• Custom dashboards with all available data:
– Create custom reports on 500+ data fields logged for events 
& alerts including Active Directory data & custom attributes 
– Use numerous visualizations like geomap, scatter plot, 
sankey etc
– Slice & dice all data
– Export, Share, Schedule
– Interactive reports with ability to drill down
• Predefined dashboards: 
– Customizable predefined operational and executive 
dashboards targeting different personas
– Automated Cloud Risk Assessment
The Advanced Analytics platform offers access to an extended set of data — over 500 fields logged for events and 
alerts including Active Directory data and custom attributes. The platform offers numerous visualization options 
such as geo-maps, scatter plots, and Sankey plots. You also can export the data, share reports with team 
members, and schedule recurring reports. Advanced Analytics reports are interactive, with the ability to drill down 
to underlying data. 
Netskope offers a set of predefined dashboards to address key use cases such as operational reporting, executive 
reporting, and threat protection. You can easily customize these dashboards further for your specific analytical 
needs. We will take a closer look at some of these use cases in the next slides. 
Advanced Reports - CISO Dashboard
• Policy violations
• Traffic blocked/allowed
• Unsanctioned/risky applications
• Risky users
• Different types of threats
• Total threats defended and adoption metrics
Advanced Analytics provides a customizable dashboard with a comprehensive view of the activity across 
applications to help drive CISO-level decision making. For example, the Cloud Risk Assessment reports provide 
visibility into which risky applications are being used or where risky users may be located. Next, the Threat 
Prevention dashboards build on that information to provide insights on the types of threats and malware that are 
prevalent in the applications being used, as well as metrics on how the current security setup is defending the 
organization against them. In addition, the Data Protection dashboards provide information on the types of data 
being handled by the different applications and whether that data is being used appropriately. 
Note that a CISO dashboard with Organization Units (OUs) is available for organizations with Active Directory 
integrations. 
Advanced Reports - Data Protection Dashboard
• The Data Protection dashboard provides an overview of information related to data security and data loss. One 
key aspect of this dashboard is the numeric counts at the top, which give metrics on what kinds of data violations 
are taking place, their severity, and whether they are related to PII/PHI/PCI data.
• The DLP Policy/ Profile Hits Sankey graph provides information on which policies and profiles have been 
activated as well as the locations of users and which applications were involved. 
• In the Top Policy & Risky Users section, you can see the top 20 policies, users, and applications related to 
DLP violations.
• The Data Exfiltration section provides a look at the Top 20 applications involved in uploading of data to an 
unsanctioned instance or application, as well as downloading of data from a corporate resource.
• The Exposure section provides an overview of Risk related to files being exposed externally to users outside 
the organization. 
• Convertor Applications provides a perspective on data ownership for different kinds of data. Remember that 
CCI data is also available in Advanced Analytics to use along with data on incidents and alerts for a more 
holistic perspective on data ownership.
Finally, trending data is available to see overall trends in DLP violations by application or destination country. 
Advanced Analytics - Cloud Risk Assessment
The Cloud Risk Assessment dashboard provides a comprehensive view of risk related to cloud applications, 
highlighting different aspects of risk. For example, the Risky Cloud Applications chart shows the percentage of 
currently used applications in the network that are deemed risky according to their CCI level. The doughnut 
charts alongside provide a further breakdown of the cloud applications by CCL, the number of bytes flowing through 
these applications, and how many of these are uploads vs. downloads.
The next section provides information on the usage of risky applications by Organizational Units.
The Data Protection section is a high-level view of top policy hits and top users.
The Compliance section provides instance-level visibility for key aspects of compliance such as GDPR or certain 
certifications.
The Users section provides the locations of users using different representations, similar to the CISO dashboards. 
Data logged by Netskope (500+ fields logged/derived)
Application:
• Application name
• Category
• Cloud Confidence Level
• Instance
• Sanctioned
User:
• User name
• User agent
• Browser, OS
• Device
• Device classification
• AD data (OU, user group, etc.)
• Custom attributes (manager, department, etc.)
Activity:
• Activity
• Bytes uploaded/downloaded
File:
• File name
• Size
• Exposure
• Type
• Path
• Language
• Shared with
Source & Destination:
• Source IP address and location
• Destination IP address and location
Alerts:
• Data Loss Prevention
o Severity
o Profile
o Rule hits
• Malware and malsites
• Anomalies
Others:
• User justification reason
As discussed before, Advanced Analytics provides access to the complete set of Cloud XD data. Almost anything 
available in the tenant UI can be included in your reports as a data attribute (with over 500 fields). You can 
combine and recombine this data in different ways to gain multiple perspectives on the security of your network. 
The Netskope difference
[Sankey diagram: Instance Awareness; Managed vs Unmanaged; Contextual visibility in cloud activity]
Advanced Analytics provides extensive visual customizations. The type of diagram shown here is the Sankey 
report, where you can see Netskope’s instance awareness capabilities to help you identify which applications are 
being used with which instances and then map them back to security concerns such as unmanaged cloud activity. 
The Sankey report provides contextual visibility into the type of cloud activity and provides details on what types of 
actions are being performed. These kinds of visualizations are powerful because they enable you to zero in on 
what kinds of actions your organization may need to take to strengthen its security posture or modify and shape 
users’ behavior.
Extensive Visual Customizations
Advanced Analytics also offers several other visualization options, such as geo-maps, trends, and thermometers 
for risk. Depending on whether the audience you need to communicate with is the Risk team, upper 
management or the application owner, you can select from the different options to present the data to that 
specific audience and drill down into the dataset to investigate further. 
Standard Reports vs Advanced Analytics Capabilities
Data Availability
Advanced Analytics:
• Slice and dice ~500+ attributes for events and alerts
• Report on API Protection, Incidents, Policies & CSA data sets
• Availability of Active Directory data & custom attributes
• Ability to report on detail & summary data
Standard Reporting:
• Slice and dice ~40 key attributes for events and alerts
• Report on summary data
Visualizations
Advanced Analytics:
• Numerous visualization options to choose from: Bar, Pie, Area, Trend lines, Table, Pivots, Scatter plots, GeoMap
• Advanced options like Sankey, Treemap, Gauge & others
Standard Reporting:
• Basic visualizations: bar, pie, table, trend lines
Dashboards/Reports
Advanced Analytics:
• Additional predefined canned reports addressing different personas, such as security operations or executives, in different areas such as DLP, threats, usage etc.
• Automated Cloud Risk Assessment
• Interactive widgets & reports - ability to drill down
Standard Reporting:
• 10 predefined canned reports
Advanced Analytics:
• Simplified report building experience
• More export options like excel, txt, csv, pdf
• Scheduling, sharing
• Custom fields and
Index scores in your policies to determine what actions to take based on an app’s enterprise readiness.
Architecture
Welcome to the Architecture chapter in the Netskope Security Cloud Operation and Administration Course.
Objectives
• Describe how Netskope data center locations are set up
• Explain Netskope steering methods
When you complete this chapter, you will be able to describe how Netskope data center locations are set up and 
explain Netskope steering methods.
Architecture
• Data center locations
• Steering
• Netskope tenant admin UI
First, let’s talk about Netskope data center locations.
The NewEdge Global Security Network
* Indicates single DP regions where LZs increase resilience, in addition to ensuring a localized experience
Here you can see the data centers that make up the NewEdge global security network. Today there are data 
centers in 70 regions globally, and more than 200 localization zones. Localization zones extend NewEdge global 
coverage by providing the same experience as direct-to-net, with native language and localized content support 
for all websites, even when there’s no in-country Data Plane. Netskope also has extensive peering with many of 
the leading cloud and SaaS providers, such as Microsoft, Google, Amazon Web Services, and more. Peering 
enables users to get onto the Netskope security network and access their applications as close to their 
geographical location as possible.
The Three Platforms of the Netskope Security Cloud

Management Plane (MP)
• The system backend
• Where metadata is processed, stored, and presented to admins
• Where the web interface, API connections, and SMTP Proxy (Email DLP) functionality are located
• Typically has large databases

Data Plane (DP)
• Typically located remotely, close to users, to reduce latency and to increase performance and stability
• Inline with customer traffic
• Sends metadata to the MP for analysis

Non-production environments
• Where the software is developed and tested before deployment to production environments
There are several components that make up the NewEdge network. The first of these is the Management Plane. 
This can be equated to the system backend, where metadata is processed, stored, and presented to Netskope 
tenant administrators, and where the tenant user interface, API connections, and Email DLP functionality reside. 
The Management Plane typically hosts a series of large databases that accommodate all the information that is 
presented in the Netskope tenant UI.
The next component is the Data Plane. Typically, these are located remotely, as close to end users as possible to 
reduce latency and to increase performance and stability. The Data Plane examines inline user traffic in real time, 
sending metadata to the Management Plane for further analysis.
Finally, there are non-production environments where Netskope develops and tests its software before deploying it 
to customer production environments.
[Figure: Management Plane from 50k Feet. The Customer Tenant reaches the Management Plane through the UI, API, and SMTP Proxy. Components inside the Management Plane: Tenant Config, Data Store (Local), Event Service, Query Service, Data Store (NoSQL), Data Store (OLAP), and Anomaly Detection Engine. The Data Plane is shown feeding the Management Plane.]
Here is a graphical representation of the Management Plane, showing its relationship to the Netskope tenant UI, 
the API connectors, the SMTP Proxy Service, and the Data Plane. When you log in to the Netskope tenant, the 
web interface and tenant settings you interact with are stored in the Management Plane. When you create new 
policies, malware scanning profiles, and so on, all this information is stored in the Management Plane as part of 
the tenant configuration.
When you configure a policy to perform DLP operations or scan for malware in data at rest in a SaaS or IaaS 
environment, or to detect misconfigured settings in a cloud resource as part of Security Posture analysis, these 
API calls are handled by the Management Plane. Additionally, the SMTP Proxy service used for Netskope Email 
DLP operations resides in the Management Plane.
For real-time traffic that is steered through the Data Plane, events generated by user actions (such as files being 
blocked by a DLP policy or websites being blocked by a web category filtering policy) are sent from the Data Plane 
to the Management Plane’s Event Service and are then stored either in an OLAP data store or a NoSQL data 
store, depending on the version of your tenant. This enables you to log in to your Netskope tenant UI and use the 
Query Service to view and investigate these events. Finally, information about detected anomalies, such as 
anomalous user behavior, is fed into the Anomaly Detection Engine, which also resides in the Management Plane. 
This information is also stored in the Management Plane’s data stores, where it can be queried and analyzed.
Management Plane Availability
• Management Plane (MP) is not globally distributed like the Data Plane (DP)
• MP is designed to be highly available and fault tolerant within a single data center only
• MP for a tenant cannot be renamed
• MP cannot be moved
Unlike the Data Plane, the Management Plane is not distributed globally. The Management Plane is designed to be highly available and fault-tolerant within a single data center. However, it is not designed to fail over to a different Management Plane.
When Netskope is setting up your tenant for the first time, it is important that you communicate to your sales representative the exact naming structure you want to use, because once your tenant has been created, it cannot be renamed. If you do decide you want a different name for your tenant after it has been created, you must ask for your existing tenant to be deleted and a new tenant to be created with the new name.
Similarly, once you have selected the geographical zone where you want your Management Plane to reside, you cannot move this location at a later date. For example, if your organization is located in the European Union, you would initially have your Management Plane created in this region to satisfy regulatory requirements, but if your organization later moves to a different region, you cannot simply ask that your Management Plane be moved to the new location. Instead, you must request the removal of your existing Management Plane and have a new Management Plane created in the appropriate region.
Data Plane Availability
The Netskope Data Plane is globally distributed across all data centers.
• A Data Plane hosts multiple services (gateways, VPN, etc.).
• By default, organizations are served by any data center globally, and they are automatically routed to an optimal Data Plane.
• As new data centers are built, your organization will only be able to access the Data Plane in these new facilities if it's in your assigned zone.
• In almost all cases, organizations are assigned to the Global Zone, so they will automatically be able to access all new DCs.
Here is a summary of the comparison between the capabilities of Standard Reporting and Advanced Analytics. 
Most important to note here is the significant additional number of data attributes that Advanced Analytics provides 
access to, enabling you to gain a more complete picture of the applications, users, incidents, and policies in your 
network. The advanced visualization options such as the Sankey, GeoMap, and Trendlines can help you represent 
the data in meaningful ways for specific audiences and analytical needs. Advanced Analytics has many more 
features and options available over Standard Reporting such as more export options, and more scheduling and 
sharing options. It also offers the ability to create custom fields and calculations.
Advanced Analytics License
Advanced Analytics is available for use with the purchase of a license. If you would like to enable it for your 
organization, please contact your Netskope representative for more information. 
Lab D: Netskope Advanced Analytics
Time: 35 minutes
This chapter includes a lab to practice some of the concepts you learned about.
Netskope Digital Experience Management
Welcome to the Netskope Digital Experience Management chapter, in our Netskope Security Cloud Operation and 
Administration Course.
Objectives
Utilize the Digital Experience Management (DEM) dashboard to:
– Monitor traffic speeds from your Netskope tenant
– Identify traffic latency issues
– Get insight into the performance of applications managed through the Netskope Cloud
– Monitor the health and status of the Netskope platform
The objectives covered in this chapter explain how to utilize the Digital Experience Management dashboard to 
view and evaluate the traffic and performance of your tenant.
Netskope Digital Experience Management Agenda
• DEM Features
• Tenant Overview
• Network Steering
• Client Steering
• NPA
• Bandwidth Consumption
Let’s look at the features of Netskope Digital Experience Management.
Digital Experience Management (DEM)
Netskope DEM provides insight to answer some important questions like:
• What is the latency between the end user and Netskope Data Centers (Netskope NewEdge)?
• What about the latency between the Netskope NewEdge and Cloud Apps?
• What is the amount of Client Connection Requests from the users to each Netskope Data Center?
• How many Netskope clients are installed on your network? What client versions are running?
• What IPsec and GRE tunnels are configured in your infrastructure?
Digital Experience Management (DEM) provides insight into the performance of applications that are managed 
through the Netskope cloud. You can monitor the traffic speeds from your Netskope tenant and identify latency 
issues. Using real user traffic monitoring and analysis, you can improve user experience.
DEM enables you to:
• Monitor all traffic for a tenant in near real-time
• Gain greater visibility into the health and status of the Netskope platform
• Proactively monitor the user experience for SaaS, web, and private applications
==============================================================================
Important terms used in network troubleshooting and performance:
Latency: Amount of time that a packet takes to get from its source to its destination. It is measured in milliseconds 
(ms).
Round Trip Time (RTT): The time it takes a packet to go from a source to its destination and back again to its original source (request-response). It is also measured in milliseconds (ms).
Note: Netskope Sales or CSM team must be contacted to enable DEM on the Netskope Tenant.
DEM Features
Tenant Overview: Summary of activity over the last seven days, including users, service consumption, traffic volume, sessions, and data centers accessed. Filtered views by application, data center, or time frame are available to drill into client-side or cloud-to-application latency, as well as trend data on bytes transferred.
Network Steering: Map view of configured GRE and IPsec tunnels, with insights into global distribution and number of tunnels in use at each data center, as well as near real-time status of tunnel health with details on throughput per tunnel.
Client Steering: Visibility on users including active user counts, licensed seat counts, client versions being used, as well as uploaded and downloaded bytes. Filtered views by data center or time frame provide additional per-minute granularity on client connection requests, daily session counts, and client version usage trends.
NPA: Summary information on bytes transferred, data centers accessed, user and session counts, active publishers, and discovered applications. Filtered views by user, application, publisher, or time frame provide deeper insights and trend data on top applications, user activity, session counts, bytes transferred, triggered policies, and more.
Bandwidth Consumption: Information about the bandwidth consumption of various applications that can be filtered by event timestamp, application, user, source IP, Netskope POP, and access method.
The options available in Digital Experience Management depend on the Netskope products you have licensed. NPA, one of the options listed here, displays summary information on bytes transferred, data centers accessed, user and session counts, active publishers, and discovered applications. You can filter views by user, application, publisher, time frame, and more.
Let’s look at the Tenant Overview section of Netskope Digital Experience Management.
Tenant Overview
Filters at the top of the page:
1. Select the Netskope POP to get info from.
2. Select a Monitored App to get data. The list of Netskope Monitored Apps will grow as Netskope launches new DEM releases.
3. Select the access method. This option depends on the steering methods configured on the tenant.
Note: If you leave the option selected as "any value", all POPs, Apps, and Access methods available will be shown.
The widgets on the Tenant Overview page give you an overview of the traffic and performance of your tenant. 
There are two sets of widgets on this page. The widgets in the top section provide a summary of the last 7 days 
and cannot be filtered. The Filtered Widgets section provides information based on the timeframe you select using 
the filters on top of the page.
In the filtered widgets section, you can select the Netskope POP to get information from, select a monitored app to get data, and select the access method. The access method option depends on the steering methods configured on the tenant.
The Data Plane is globally distributed across all Netskope data centers. It hosts multiple services, such as client, 
IPsec, GRE, and Netskope Private Access gateways, as well as VPN gateways and other services. By default, an 
organization’s users are served by any data center globally, and they are automatically routed to the optimal Data 
Plane closest to their location. For example, if an employee of a company based in the United States travels to 
Australia, that user will connect to a Netskope Data Plane located in Australia. As a result of this design, users 
experience reduced latency, increased throughput, and fewer network issues.
As new Netskope data centers are built throughout the world, an organization’s ability to access the Data Plane in 
these new facilities depends on the geographical zone that was assigned to them when their Netskope tenant was 
created. By default, Netskope customers are assigned to the Global Zone, so most organizations will automatically 
be able to access the Data Plane in every new data center that comes online. However, if a customer requested to 
be assigned to a more specific zone, such as the United States Zone, they will only be able to access new data 
centers in that zone. For example, if a new data center is built in Paris, France, organizations who are assigned to 
the United States Zone will not be able to access the Paris Data Plane. However, companies in the United States 
who are assigned to the Global Zone will be able to access this Data Plane.
Netskope Security Cloud Platform: High Availability
• Local traffic management within a data center location makes use of load-balanced redundant hardware.
• Optional Global Traffic Management (GTM) between data center locations is load-balanced across redundant sites.
• "Fail open" design for all Real-time Protection deployment methods; all protocols have built-in heartbeat mechanisms.
For high availability of the Netskope Security Cloud Platform, data centers are equipped with load-balanced 
redundant hardware. If any of that hardware goes down, Netskope uses Global Traffic Management to provide 
load-balancing across redundant sites. This causes traffic to be sent to the next nearest data center. Additionally, 
Netskope’s real-time protection models all use a fail-open design. In other words, if a failure occurs, Netskope 
allows all traffic to pass through, rather than using a fail-closed model where all traffic is blocked.
All Netskope protocols have built-in heartbeat mechanisms that help determine whether to go into fail-open mode. 
For example, the Netskope client creates an SSL tunnel between itself and the Netskope tenant and sends out a 
heartbeat once per minute inside that tunnel. This mechanism determines whether the tunnel is up or down. If the 
tunnel is down, the client goes into fail-open mode and sends traffic out to the proxy firewall just like it was doing 
before.
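The heartbeat-driven fail-open decision described above, as an added example that is not Netskope's client code. The 60-second interval follows the text; the two-missed-heartbeat grace period, the tunnel name and the timestamps are assumptions. The monitor keeps an audit trail of every mode change, which is the record a defender wants when asking how long traffic left the device uninspected.

```javascript
// Added example, not Netskope's client code: a heartbeat tracker that models the
// fail-open decision described above. The 60-second interval follows the text;
// the two-missed-heartbeat grace, the tunnel name and timestamps are assumptions.
const HEARTBEAT_INTERVAL_MS = 60 * 1000;
const MISSED_BEFORE_FAIL_OPEN = 2;

class TunnelHeartbeatMonitor {
  constructor(intervalMs = HEARTBEAT_INTERVAL_MS, missedLimit = MISSED_BEFORE_FAIL_OPEN) {
    this.intervalMs = intervalMs;
    this.missedLimit = missedLimit;
    this.lastSeen = new Map();   // tunnelId -> epoch ms of the last heartbeat received
    this.state = new Map();      // tunnelId -> "tunnel" | "fail-open"
    this.transitions = [];       // audit trail: every change of mode, with timestamp
  }

  // A heartbeat proves the tunnel is up: traffic is steered through it.
  recordHeartbeat(tunnelId, ts) {
    this.lastSeen.set(tunnelId, ts);
    this.setMode(tunnelId, "tunnel", ts);
  }

  // Decide the current mode for a tunnel at time `now`.
  evaluate(tunnelId, now) {
    const last = this.lastSeen.get(tunnelId);
    // No heartbeat ever seen: the tunnel is not up, so traffic goes out as before.
    if (last === undefined) {
      this.setMode(tunnelId, "fail-open", now);
      return "fail-open";
    }
    const missed = Math.floor((now - last) / this.intervalMs);
    const mode = missed >= this.missedLimit ? "fail-open" : "tunnel";
    this.setMode(tunnelId, mode, now);
    return mode;
  }

  // Record only real transitions so the trail stays readable.
  setMode(tunnelId, mode, ts) {
    if (this.state.get(tunnelId) !== mode) {
      this.state.set(tunnelId, mode);
      this.transitions.push({ tunnelId, mode, ts });
    }
  }
}

// Constructed scenario: a tunnel is healthy, silently dies, then recovers.
function simulateOutage() {
  const monitor = new TunnelHeartbeatMonitor();
  const t0 = Date.UTC(2024, 0, 1, 9, 0, 0); // constructed start time
  const minute = HEARTBEAT_INTERVAL_MS;
  monitor.recordHeartbeat("client-tunnel-1", t0);
  const afterOneMissed = monitor.evaluate("client-tunnel-1", t0 + minute + 5000);
  const afterTwoMissed = monitor.evaluate("client-tunnel-1", t0 + 2 * minute + 5000);
  monitor.recordHeartbeat("client-tunnel-1", t0 + 3 * minute);
  const afterRecovery = monitor.evaluate("client-tunnel-1", t0 + 3 * minute + 10000);
  return { afterOneMissed, afterTwoMissed, afterRecovery, transitions: monitor.transitions };
}
```

One missed heartbeat leaves the tunnel in use; the second missed beat flips the monitor to fail-open, and the next heartbeat flips it back, so the `transitions` list ends with exactly three entries (up, fail-open, up) that can be forwarded to a SIEM as the window during which traffic bypassed inspection.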
Next, let’s discuss how the Netskope Security Cloud Platform steers traffic.
How We Gather Data and Steer Traffic
Out of Band
► Risk Exposure
► Visibility
► Data Governance
► Policy Control (Data at Rest)
Methods: Log Streaming, APIs

Inline
► Real-Time Policy Control
► Mobile Device Support
► Single Sign On (Reverse Proxy)
► SMTP Proxy
Methods: Netskope Client, GRE/IPsec, Mobile Profile, Explicit Proxy, Proxy Chaining, Reverse Proxy, SMTP Proxy
As discussed earlier in this course, Netskope provides out-of-band protection for data at rest in cloud apps, and 
inline protection for data in motion. These types of protection use a number of methods to gather data and steer 
traffic to the Netskope Security Cloud.
Items in blue on this slide indicate methods used for out-of-band protection.
• With log streaming, proxy or firewall logs are gathered from your on-premises network devices and sent to the 
Netskope Security Cloud, either directly or via a virtual Netskope appliance. Netskope extracts traffic information 
from this data and identifies the cloud apps being used in your organization and how these apps are being used.
• Netskope APIs protect data stored in the cloud by authenticating and connecting to managed cloud apps and 
enforcing DLP and threat protection policies on files stored on those apps.
Items in orange on the slide indicate steering methods for inline protection.
• The most commonly used steering method for inline traffic is the Netskope client. Client software is available for Windows, Mac, and Linux.
• With IPsec and GRE tunnels, you can securely send port 80 and port 443 traffic to Netskope.
• Available for iOS and Android devices, mobile profiles provide similar functionality to the Netskope client.
• The Explicit Proxy steering method uses a PAC file on users' computers to direct traffic to Netskope.
• A PAC file is also used with the Proxy Chaining method, where users' computers are first steered to an on-premises proxy server, which in turn steers traffic to the Netskope Security Cloud.
• The Reverse Proxy steering method enables you to protect data flowing through unmanaged devices. It involves integrating with Identity Providers and Single Sign-On and applying different DLP policies depending on the user's location, such as allowing sensitive files to be downloaded from a corporate instance of a cloud app if a user is in a corporate office, but blocking this activity if the user is in a remote location.
• With the SMTP Proxy method, email traffic from Microsoft and Google email services is steered to Netskope, where the contents of the mail can be scanned and DLP policies can be enforced.
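A proxy auto-config (PAC) file of the kind the Explicit Proxy and Proxy Chaining methods rely on, as an added example that is not Netskope's PAC file. The proxy address is a placeholder (the real explicit-proxy endpoint comes from your tenant), and the bypass list is an assumption. The address-range check is written in plain JavaScript instead of the browser-only PAC helper `isInNet` so the same file runs under Node for testing.

```javascript
// Added example, not Netskope's PAC file: a minimal proxy auto-config script of the
// kind the Explicit Proxy steering method relies on. EXPLICIT_PROXY is a placeholder;
// the real endpoint comes from your tenant. The bypass list is an assumption.
var EXPLICIT_PROXY = "PROXY explicit-proxy.tenant.example:8080"; // placeholder address
var DIRECT = "DIRECT";

// Internal domains that should never leave the network via the cloud proxy (assumed).
var BYPASS_DOMAIN_SUFFIXES = [".local", ".corp.example"];

// True for RFC 1918 and loopback addresses: a plain-JS stand-in for the PAC helper
// isInNet, so this file also runs outside a browser.
function isPrivateAddress(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a === 10 || a === 127) return true;
  if (a === 192 && b === 168) return true;
  if (a === 172 && b >= 16 && b <= 31) return true;
  return false;
}

function hasBypassSuffix(host) {
  for (var i = 0; i < BYPASS_DOMAIN_SUFFIXES.length; i++) {
    var s = BYPASS_DOMAIN_SUFFIXES[i];
    if (host.length > s.length && host.slice(-s.length) === s) return true;
  }
  return false;
}

// Entry point every PAC-aware browser or OS calls for each request.
function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();
  var scheme = String(url).split(":")[0].toLowerCase();

  // Plain (dotless) hostnames, loopback and private addresses, and internal
  // domains stay on the local network.
  if (host === "localhost" || host.indexOf(".") === -1) return DIRECT;
  if (isPrivateAddress(host) || hasBypassSuffix(host)) return DIRECT;

  // Web traffic goes to the explicit proxy. The "; DIRECT" fallback mirrors the
  // platform's fail-open design (assumption: a fail-closed policy would omit it).
  if (scheme === "http" || scheme === "https") return EXPLICIT_PROXY + "; DIRECT";

  // Anything else (ftp, etc.) is not steered by this PAC.
  return DIRECT;
}
```

The order of the checks matters: bypass rules are evaluated before the steering rule, so an internal host is never sent to the cloud proxy even when it is reached over HTTPS.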
Differentiating Traffic
The Netskope platform can enforce different policies based on how a user is accessing resources (i.e., from a managed or unmanaged device).
• On work laptop (Policy A)
• On unmanaged device (Policy B)
[Figure: Netskope proxy stack. Traffic entering the Netskope Proxy in the Data Plane (via the Auth Proxy or Reverse Proxy for unmanaged devices) moves up the layers TCP/IP (IP, GEO Location), SSL/TLS (SNI, UserID), HTTP (OS, Device, Browser), and DAPII (Identity, App (Instance), Activity, Data) into the Micro Services: Access Control, DLP, Threat Protection, Encryption, Audit and Forensics, Web. The Management Plane holds Metadata, Analytics, CCI, and Unified Policies.]
The Netskope Security Cloud platform can determine whether a user is accessing cloud resources from a 
managed or an unmanaged device. This opens up the possibility of enforcing different policies based on different 
access methods. For example, if you are on a work laptop, you might have Policy "A" applied to you which allows 
you to download and upload files on a corporate cloud app because you're accessing data from a managed 
device. However, when you come in on an unmanaged device through Reverse Proxy, for example, you might 
have Policy "B" applied to you which only allows you to view files but not transfer them. So whether you’re 
accessing cloud resources through the Netskope client, Reverse Proxy, GRE or IPsec tunnels and so forth, 
Netskope can apply different controls to data based on the delivery mechanism or access method.
Differentiating Traffic: Netskope Client
• A device is managed when it has the Netskope client installed and enabled.
• When a managed device has the client installed, the SSL termination request comes from an SSL Tunnel IP.
• The authentication request can be viewed in the client certificate.
  – This device is using a client.
  – It is a trusted device.
  – The device is using a Real-time Protection deployment method.
Client certificate subject shown on the slide:
Subject: C=US, ST=CA, L=Los Altos, O=Netskope Inc, OU=a0086ca398d1354afb6e204634fc8cf2, CN=dsinclair@netskope.com/emailAddress=dsinclair@netskope.com
[Figure: the Netskope proxy stack diagram (TCP/IP, SSL/TLS, HTTP, DAPII, Micro Services; Auth Proxy and Reverse Proxy; Management Plane and Data Plane), with the client-certificate path highlighted.]
Let's take a closer look at how traffic differentiation works when data arrives at the Netskope tenant from a 
managed device, or more specifically, from a device where the Netskope client is installed and enabled and has 
passed security posture checks.
As part of the process of installing the Netskope client on an endpoint device, a certificate is downloaded to the 
endpoint. This establishes a trust relationship between the endpoint and the Netskope tenant and enables the 
tenant to decrypt SSL traffic coming from the device. Additionally, the client is deployed with admin rights, so it can 
look up the user that is currently logged in to the device and send that information to the Netskope tenant for 
correlation with the user information already in the tenant.
When the Netskope client is installed and enabled on a device, traffic arriving at the Netskope tenant from that 
device always travels up the Netskope stack. First, it goes through the TCP/IP level, where the device's IP address 
is extracted and its geolocation is determined. Next, the traffic is sent to the SSL decryption engine, where the 
Server Name Indication value and the User ID are extracted. At this point, the traffic is clear text and can be sent 
through an HTTP process, where the operating system, device, and web browser are identified. Next, the data is 
sent to the Deep API Inspection Engine. From here, the identity of the user, the application or application instance 
that is being used, and any activities that are being performed are all extracted. Lastly, the data the user is working 
with is extracted and sent to the microservices such as access control, DLP, threat protection, encryption, audit, 
forensics, web, and so on. At this point, policy decisions are made, such as blocking or allowing file downloads or 
uploads, delivering notifications to train users, and so forth.
Differentiating Traffic: Reverse Proxy
When an unmanaged device uses SAML to authenticate with the Auth Proxy, the SSL termination request comes from the Reverse Proxy IP.
A device is identified as unmanaged when it does not have the Netskope client installed, or the client has been disabled.
• It is an untrusted device.
• A unique policy set can be created for untrusted devices.
[Figure: the Netskope proxy stack diagram (TCP/IP, SSL/TLS, HTTP, DAPII, Micro Services; Auth Proxy and Reverse Proxy; Management Plane and Data Plane), with a SAML IdP connected to the Auth Proxy.]
Next, let's talk about how traffic differentiation works when data arrives at the Netskope tenant from an unmanaged 
device. An unmanaged device could be a personal device that does not have the Netskope client installed on it, or 
it could be a corporate device that has the Netskope client installed but not enabled, basically turning it into an 
unmanaged asset. In either case, Netskope sees the device as untrusted. This is a use case for Reverse Proxy.
With the Reverse Proxy method, when traffic from an unmanaged, untrusted device arrives at the Netskope 
tenant, it does not immediately go up the stack like traffic from managed devices does. Instead, the unmanaged 
device will be integrated with SAML via an Identity Provider such as Okta, and that Identity Provider will 
communicate with the Netskope Authentication Proxy. The Authentication Proxy then communicates back to the 
Reverse Proxy component. Note that the Authentication Proxy and the Reverse Proxy components are both 
located on the Netskope tenant. Once the unmanaged device is identified by SAML and authenticated to go 
through the Reverse Proxy, its traffic goes up the Netskope stack just like the Netskope client example. The ability 
to differentiate Reverse Proxy traffic as it arrives at the Netskope tenant means that you can create a unique policy 
set for unmanaged, untrusted devices.
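The traffic differentiation described in the Netskope client and Reverse Proxy sections above, as an added example that is not Netskope code. A connection is treated as coming from a managed device only when it arrives on the SSL-tunnel path with a client certificate whose Subject carries the expected tenant OU and a user CN and the device passed posture checks; a Reverse Proxy arrival is an unmanaged, untrusted device. The OU value and the certificate Subject are the ones printed on the slide; the arrival labels, the policy names and the actions each policy allows are assumptions.

```javascript
// Added example, not Netskope code: models the managed/unmanaged differentiation
// described above. EXPECTED_TENANT_OU and SLIDE_SUBJECT are taken from the slide;
// the arrival labels, policy names and allowed actions are assumptions.
const EXPECTED_TENANT_OU = "a0086ca398d1354afb6e204634fc8cf2";

// Two policy sets, following the slide's Policy A / Policy B example (assumed actions).
const POLICIES = {
  "Policy A": { device: "managed", allowed: ["view", "download", "upload"] },
  "Policy B": { device: "unmanaged", allowed: ["view"] },
};

// Parses an OpenSSL-style one-line Subject into an attribute map. Handles both the
// ", "-separated RDNs and the "/emailAddress=" form seen in the slide's output.
function parseSubject(subject) {
  const attrs = {};
  const body = String(subject).replace(/^Subject:\s*/i, "");
  for (const rdn of body.split(/,\s*|\//)) {
    const eq = rdn.indexOf("=");
    if (eq > 0) attrs[rdn.slice(0, eq).trim()] = rdn.slice(eq + 1).trim();
  }
  return attrs;
}

// conn: { arrival: "ssl-tunnel" | "reverse-proxy", certSubject?: string, postureOk?: boolean }
// Returns the device class, the attributed user and the policy set to apply.
function classifyConnection(conn) {
  const untrusted = (reason) => ({ managed: false, user: null, policy: "Policy B", reason });

  if (conn.arrival === "reverse-proxy") {
    return untrusted("arrived via Reverse Proxy IP: unmanaged device authenticated through SAML");
  }
  if (conn.arrival !== "ssl-tunnel") return untrusted("unknown arrival path");
  if (!conn.certSubject) return untrusted("SSL tunnel without client certificate");

  const attrs = parseSubject(conn.certSubject);
  if (attrs.OU !== EXPECTED_TENANT_OU) return untrusted("client certificate OU does not match this tenant");
  if (!attrs.CN) return untrusted("client certificate has no user CN");
  if (conn.postureOk !== true) return untrusted("device failed security posture checks");

  return {
    managed: true,
    user: attrs.CN,
    policy: "Policy A",
    reason: "client certificate on SSL tunnel path, posture checks passed",
  };
}

// Certificate Subject exactly as printed on the slide.
const SLIDE_SUBJECT =
  "Subject: C=US, ST=CA, L=Los Altos, O=Netskope Inc, OU=a0086ca398d1354afb6e204634fc8cf2, " +
  "CN=dsinclair@netskope.com/emailAddress=dsinclair@netskope.com";

// Constructed sample connections covering the cases discussed in the text.
function demoConnections() {
  return {
    managed: classifyConnection({ arrival: "ssl-tunnel", certSubject: SLIDE_SUBJECT, postureOk: true }),
    reverseProxy: classifyConnection({ arrival: "reverse-proxy" }),
    wrongTenant: classifyConnection({
      arrival: "ssl-tunnel",
      certSubject: SLIDE_SUBJECT.replace(EXPECTED_TENANT_OU, "0000"),
      postureOk: true,
    }),
    badPosture: classifyConnection({ arrival: "ssl-tunnel", certSubject: SLIDE_SUBJECT, postureOk: false }),
  };
}
```

Every failed check falls through to the unmanaged policy rather than to an error, which is the conservative default the text implies: a device that cannot prove it is managed gets the view-only policy set.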
Proxy Chaining
Netskope requires:
• The public NAT'd IP of your organization's on-premises proxy
• Installation of the Netskope CA cert on your on-premises proxy
• The X-Forwarded-For and X-Authenticated-User headers
[Figure: on-premises proxy behind a NAT'd public IP forwarding to Netskope.]
Now let's consider the Proxy Chaining method of steering. There are a couple of requirements that must be met to 
use Proxy Chaining. First, you must configure your Netskope tenant with the public NAT'd IP address of your 
organization's on-premises proxy server so your tenant knows to expect traffic from the proxy. Next, you must 
install the Netskope Root Certificate on your proxy server to establish a trust relationship between your proxy and 
the Netskope Security Cloud proxy. Finally, you must configure the Netskope tenant with the X-Forwarded-For and 
X-Authenticated-User headers originating from your source user traffic. The X-Forwarded-For header provides the 
IP address of the endpoint device where the traffic originated from. Without this information, the Netskope tenant 
would only receive the IP address of your on-premises proxy server. The X-Authenticated-User header provides 
information about the specific user who is generating the traffic on their endpoint device, as opposed to just a user 
account or service account on your on-premises proxy. Without this header, all the traffic arriving at the Netskope 
tenant from your onsite proxy, regardless of how many individual users are actually generating the traffic, would 
appear to be coming from a single user on the proxy server.
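How the receiving side of a Proxy Chaining setup should treat the two headers, as an added example that is not Netskope code. The headers are honoured only when the connection's source address is the registered public NAT'd IP of the on-premises proxy; from any other source they are discarded, because any sender can write them. The registered address and the sample requests are constructed (TEST-NET ranges), and the behaviour without each header follows the text: no X-Forwarded-For means the endpoint appears as the proxy, no X-Authenticated-User means the traffic cannot be attributed to a person.

```javascript
// Added example, not Netskope code: trust X-Forwarded-For / X-Authenticated-User
// only from the registered on-premises proxy. Addresses are constructed placeholders.
const REGISTERED_PROXY_IPS = new Set(["203.0.113.10"]);

const IPV4 = /^(\d{1,3})(\.\d{1,3}){3}$/;

function lowercaseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// conn: { sourceIp, headers }  ->  { trustedProxy, clientIp, user, note }
function attributeChainedRequest(conn) {
  const h = lowercaseHeaders(conn.headers);

  if (!REGISTERED_PROXY_IPS.has(conn.sourceIp)) {
    // Not the registered proxy: both headers are untrusted and discarded.
    return {
      trustedProxy: false,
      clientIp: conn.sourceIp,
      user: null,
      note: "source is not a registered proxy; forwarded headers ignored",
    };
  }

  // X-Forwarded-For may carry a chain; the left-most entry is the original endpoint
  // as recorded by the first proxy. Without it, only the proxy's own IP is known.
  let clientIp = conn.sourceIp;
  let note = "";
  if (h["x-forwarded-for"]) {
    const first = h["x-forwarded-for"].split(",")[0].trim();
    if (IPV4.test(first)) clientIp = first;
    else note += "malformed X-Forwarded-For ignored; ";
  } else {
    note += "no X-Forwarded-For: endpoint appears as the proxy address; ";
  }

  // Without X-Authenticated-User every request looks like one user on the proxy.
  const user = h["x-authenticated-user"] ? h["x-authenticated-user"].trim() : null;
  if (!user) note += "no X-Authenticated-User: traffic not attributable to a person";

  return { trustedProxy: true, clientIp, user, note: note.trim() };
}

// Constructed sample connections.
function demoRequests() {
  return {
    chained: attributeChainedRequest({
      sourceIp: "203.0.113.10",
      headers: { "X-Forwarded-For": "192.168.5.20, 10.0.0.1", "X-Authenticated-User": "alice@example.com" },
    }),
    unregisteredSource: attributeChainedRequest({
      sourceIp: "198.51.100.7",
      headers: { "X-Forwarded-For": "192.168.5.20", "X-Authenticated-User": "admin@example.com" },
    }),
    noHeaders: attributeChainedRequest({ sourceIp: "203.0.113.10", headers: {} }),
  };
}
```

The source-IP check is the whole point: the NAT'd IP registered on the tenant is what turns the two headers from free-form client input into trustworthy attribution data.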
Comparing Traffic Steering Methods
[Table: columns are Managed Devices (On-Premises, Off-Premises) and Unmanaged Devices (On-Premises, Off-Premises); rows are Managed App and Unmanaged Instance or App. Each cell lists the applicable steering methods from Netskope Client, IPSec, GRE, SD-WAN, and Explicit Proxy, with the Recommended Steering Method highlighted.]
Note: SSL Decryption will need to be bypassed for devices without a certificate.
The table on this slide provides a side-by-side comparison of the various methods available for steering traffic to 
the Netskope tenant and when each method can be used. It also indicates the recommended method for a given 
set of circumstances, such as whether the traffic is coming from a managed or unmanaged device, on premises 
or off premises, or from a managed or unmanaged cloud app.
Cloud Confidence Index (CCI)
Welcome to the Cloud Confidence Index chapter in the Netskope Security Cloud Operation and Administration 
Course.
Objectives
• Explain the functionality of the Cloud Confidence Index (CCI)
• Discuss how to use CCI
The objectives of this chapter are to explain the functionality of the Cloud Confidence Index and to discuss how to 
use this index.
Cloud Confidence Index™: Use cases
• Discover cloud applications and application overlap.
• Optimize app license usage.
– Detect apps for which you have more licenses than users.
– Detect apps for which you have more users than licenses.
• Identify non-compliant apps.
– Which apps don’t encrypt my data at rest?
– Which apps have unclear ownership terms?
The Cloud Confidence Index, or CCI, helps you discover cloud applications in your organization and understand 
how these applications are being used. For example, if Netskope discovers that Box is being used in your 
company, it keeps track of such information as top users, session counts, the amounts of data being downloaded 
from and uploaded to Box, and so forth. All of these details are sent to CCI. CCI also helps you identify similar 
cloud applications being used in your environment so that you can consolidate to make administration easier. For 
example, if you discover that 10 cloud storage apps are being used in your organization, CCI can help you identify 
the 5 best cloud storage apps that meet users' needs.
CCI can also help you optimize application license usage by showing you which apps have more licenses than 
users, enabling you to reduce the number of licenses you have and save money. Conversely, CCI can help you 
identify if you have more users than licenses and need to purchase more licenses for your most-used cloud 
applications.
CCI also enables you to identify apps that are not compliant with your organization's security requirements so you 
can find better alternatives. There are many reasons why an application might be non-compliant. For example, if 
you are in a regulated industry that deals with payment card data, a non-compliant cloud app would be one that does 
not encrypt data at rest. If your organization deals with important intellectual property, a non-compliant cloud app 
might be one that has unclear terms about who owns the data once it is stored on the app.
Cloud Confidence Index™: The Database
• Netskope database (70,000+ apps)
• Quickly verify an app’s enterprise readiness
• Find the best apps per category
• Search engine/advanced queries
The Cloud Confidence Index database currently includes more than 70,000 applications, and that number is 
constantly increasing with every platform release. As we mentioned earlier, the CCI database enables you to 
quickly verify the enterprise-readiness of a cloud app and to find the apps with the best security ratings in each 
category. Additionally, you can use the CCI search engine to perform a simple search for a specific app, or you 
can use advanced query capabilities to filter by sets of app properties.
CCI filtering
CCI apps can be filtered by the following attributes (with examples):
• Cloud Confidence Level (CCL) – Excellent, High, Medium, Low, Poor, Discovery Only
• Application category – Application Suite, Cloud Storage, Cloud Backup, Webmail, etc.
• Application range – All, Discovered, Customized
• Pre-defined tags – sanctioned, consumer, departmental, enterprise
• Custom tags – Any customer-created tags
For help on advanced CCI queries, go to docs.netskope.com and search for: Skope IT Query Language
Here are the different categories of app properties or attributes that can be queried using the Advanced Search 
functionality in CCI.
First, you can filter by Cloud Confidence Level. We will talk about these levels in more detail on the next slide.
You can also filter by application category, such as Application Suite, Cloud Storage, Cloud Backup, Webmail, and 
so forth. Note that in the context of the CCI search engine, application category refers to CASB app categories 
only. This differs from the categories you can select in Real-time Protection policies, which encompass both CASB 
and website categories.
Next, you can filter by application range. The available ranges are All, Discovered, and Customized. If you want to 
filter by applications that the Netskope tenant has not yet seen on your network, you should filter by the All 
application range. To filter by apps that have already been seen on your network, use the Discovered range. If you 
want to filter by apps whose attribute risk weights you have adjusted in CCI, you would select the Customized 
range.
Next, you can filter by pre-defined tags that have been applied to apps, such as sanctioned, consumer, 
departmental, or enterprise. Note that pre-defined tags are just text values built into the system for the sake of 
convenience, and they do not hold any particular significance to CCI. You can manually apply pre-defined tags to 
apps as you see fit.
Finally, you can filter by custom tags. You can assign any text to custom tags and then apply the tags to apps in 
the CCI database so you can filter searches by tags that have significance to you.
For more detailed information on writing advanced CCI queries, visit the docs.netskope.com website and search 
for “Skope IT Query Language”.
The Cloud Confidence Level (CCL)
• Based on a score (between 0 and 100) representing the enterprise 
readiness of a cloud app
• Consists of 5 score groups and a “Discovery Only” group:
– Poor = 0 to 49
– Low = 50 to 59
– Medium = 60 to 74
– High = 75 to 89
– Excellent = 90 to 100
– Discovery Only
Each app in the Cloud Confidence Index database is assigned an enterprise-readiness score of 0-100. Based on 
that score, the app is placed into a Cloud Confidence Level. These levels are Poor, Low, Medium, High, and 
Excellent. Each level consists of a specific range of CCI scores and is represented by a color-coded icon in the 
CCI interface. If an app is discovered in your environment but does not yet have an entry in the CCI database, it is 
assigned to the Discovery-Only group.
Cloud Confidence Index™: How does Netskope gather the information?
Netskope has a team of engineers and legal specialists to investigate 
applications.
• Public Non-Technical Information
– Information from App Website
– Business Name
– Physical Address
– Favicon
– App Capability
– Years of Existence
– And more …
• Public Technical Information
– Myip.ms info – IP, Hosting Provider, DNS host, IP range
– DR and Business Continuity features
– Data Retention Policies
– Data Ownership Policies
– Log Policies
– And more …
• Derived Information
– Information from Hosting Provider like AWS or Equinix
– Compliance and DR information from Hosting Providers
– Hosting Provider Locations and Geography
• Private SaaS Provider Information
– Application Specific Information
– Trials and decoding of Application
– Questionnaire with pre-filled answers to SaaS provider introducing Netskope as a Security Broker
Netskope has a dedicated team of engineers and legal specialists who are tasked with keeping up with changes to 
the enterprise-readiness of apps in the CCI database, as well as investigating cloud apps that have not yet been 
added to CCI. The engineers on the team pull apps apart from a technical perspective, seeing how they work and 
how they process data, and verifying vendor claims about product features and functionality. The legal specialists 
verify vendor claims about secure handling of customer data and meeting regulatory compliance requirements.
The team gathers as much information as possible from a variety of sources. As shown on the slide, these sources 
include the following:
• Public non-technical information available on the app vendor's website, such as business name, physical 
address, advertised app capabilities, the length of time the vendor has been in business, and so on.
• Public technical information, such as hosting provider, DNS host, business continuity plans, data retention 
and data ownership policies, and more.
• Derived information, such as compliance and disaster recovery policies of hosting providers and the physical 
locations of hosting provider facilities.
• Private SaaS provider information, which is collected by testing the app in a lab environment to observe its 
behavior and see how it handles data. The team then sends their findings to the app vendor in the form of a 
questionnaire with the answers filled out, presents themselves as a security broker, and asks the vendor to verify 
the accuracy of their findings.
Customizing attribute risk weights
• Organizations might want to change the default risk weights of the app attributes used to determine CCI scores.
• Custom weighting is:
– Performed on a per-attribute basis.
– Accomplished by moving a slider left to a negative value (less important) or right to a positive value (more important).
– Added to the penalties associated with the app to determine the final CCI score.
The CCI score is an objective score determined by examining a wide range of cloud app attributes. Netskope 
assigns a default risk weight to each attribute, but your organization might find that it places a different degree of 
importance on some attributes. For example, you might find it very important for an app vendor to maintain a 
backup of customer data in a different geographic location than their main datacenter, while Netskope assigns a 
medium importance to this consideration by default.
To accommodate the need to adjust risk weights, Netskope enables you to personalize settings on a per-attribute 
basis. The risk weight for each attribute is expressed as an integer. By default, Netskope assigns a risk weight of 0 
to each attribute. You can adjust a weight to a negative value if you consider an attribute to be less important to 
you, or to a positive value if you consider it more important. Netskope adds your customized risk weights to the 
penalties associated with the app to determine the app’s final CCI score.
Viewing application details
To view app details and edit attribute risk weights, search for the app by name and click the app's link in the 
search results.
CCI attribute refresh
• P1 apps = 6 months
• P2 apps = 12 months
• All other = On demand
To request re-evaluation of an existing app in CCI, click Report/Request on the app’s details page.
To request evaluation of an app not currently in CCI, click Request New App on the CCI landing page.
Netskope updates information in the Cloud Confidence Index on a prioritized basis. Priority 1 apps are re-
evaluated at least every 6 months, while Priority 2 apps are re-evaluated every 12 months. All other apps are 
updated on request.
If you want to request re-evaluation of an app because you think that Netskope's information about specific app 
attributes is incorrect, you can click the Report/Request button in the app's detail page. If you want to request a 
new evaluation of an app that is not currently in the Cloud Confidence Index database, you can click Request New 
App on the CCI landing page.
CCI Score and Cloud Confidence Level
ENTERPRISE-READY
• Excellent: 90 – 100
• High: 75 – 89
NOT ENTERPRISE-READY
• Medium: 60 – 74
• Low: 50 – 59
• Poor: 0 – 49
The seven categories of the Cloud Confidence Index and their relative importance
• Disaster Recovery and Business Continuity – How robust is the app vendor’s data infrastructure?
• Auditability – What level of detail/traceability (if any) is provided in the audit logs?
• Attack Surface Management – Is the app susceptible to attacks that could lead to a data breach?
• Data Protection – What data protection capabilities are offered? What data classification, encryption, and security features are employed?
• Legal and Privacy – How does the app handle data ownership and privacy? How is privacy handled in mobile vs. browser environments?
• Certifications and Standards – Does the app comply with data center regulations or compliance certifications?
• Access Control – How does the app manage role-based access or enforce authorization policy?
Cloud Confidence Index: What determines score?
• Uses a system of rewards and penalties to derive a score for every cloud service.
• Rewards and penalties are based on 40+ security attributes within seven categories.
• Only attributes relevant to the cloud service (or category) are used, e.g.:
– Consumer cloud services are not penalized for lacking encryption at rest.
– Finance cloud services are penalized significantly for lacking encryption at rest.
• Scores are normalized to take into account the highest possible score in each category. This is used to calculate each cloud service’s score and provide parity across categories.
The application attributes on which Netskope bases its CCI scores are grouped into the 7 different categories 
shown on the left side of this slide. Note that these categories carry different weights of importance in calculating a 
CCI score, as indicated by the colored bars in the diagram. The “Legal and Privacy” category carries the greatest 
weight of importance, while “Disaster Recovery and Business Continuity” carries the least weight, with the other 5 
categories falling somewhere in between.
When you customize risk weights for various app attributes by moving sliders to a higher or lower value, you are in 
effect increasing or decreasing the weight of importance of these 7 categories. Your changes to the default values 
are fed into the algorithm that is used to calculate the final CCI score.
Once final scores are calculated, apps are assigned to one of the Cloud Confidence Levels, as mentioned earlier. 
You can use these levels in Real-time Protection policies to control users' access to cloud apps. For example, you 
could build a policy for cloud storage applications that only allows users to upload files to those apps if they are at 
a Cloud Confidence Level of “Excellent” or “High”, and to block all access to apps that are at the “Medium”, “Low”, 
or “Poor” level.
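To make the scoring rules, the custom risk weights, the CCL ranges and the upload policy described above concrete, here is an added illustrative model in Python. It is not Netskope's code or algorithm: the attribute names, base penalty values and the normalization formula are constructed assumptions that follow only the rules stated on the slides (penalties for lacking relevant attributes, category-specific relevance, normalization against the category maximum, customer weights added to penalties, and the published CCL ranges).

```python
# Added illustration, not Netskope's code: a simplified model of the scoring
# rules the slides describe (penalties per attribute, category-specific
# relevance, normalization, customer weight offsets, CCL buckets, policy).
# Attribute names and penalty values are constructed for this example.

# Base penalty applied when an app LACKS the attribute, per app category.
# No entry means the attribute is not relevant to that category, so consumer
# apps are not penalized for lacking encryption at rest while finance apps are.
BASE_PENALTIES = {
    "Consumer": {"audit_logs": 10, "data_ownership_clear": 30, "mfa": 10},
    "Finance": {"encryption_at_rest": 40, "audit_logs": 20,
                "data_ownership_clear": 30, "mfa": 20},
}

# Cloud Confidence Level ranges from the slide (lower bound inclusive).
CCL_BOUNDS = [(90, "Excellent"), (75, "High"), (60, "Medium"),
              (50, "Low"), (0, "Poor")]


def cci_score(category, attributes, custom_weights=None):
    """0-100 score: sum the penalties of the relevant attributes the app
    lacks, then normalize against the largest penalty possible in this
    category. A custom weight is added to an attribute's penalty:
    positive = more important, negative = less important."""
    weights = custom_weights or {}
    max_total = total = 0
    for name, base in BASE_PENALTIES[category].items():
        effective = max(0, base + weights.get(name, 0))
        max_total += effective
        if not attributes.get(name, False):
            total += effective
    if max_total == 0:
        return 100
    return round(100 * (1 - total / max_total))


def ccl(score):
    """Map a score to its level; an app with no score yet is Discovery Only."""
    if score is None:
        return "Discovery Only"
    for lower, level in CCL_BOUNDS:
        if score >= lower:
            return level
    return "Poor"


def upload_allowed(score):
    """Policy from the notes above: uploads only to Excellent or High apps
    (assumption: Discovery Only apps therefore fall on the blocked side)."""
    return ccl(score) in ("Excellent", "High")
```

Running the same attribute set through both categories shows the slide's point: a finance app lacking encryption at rest drops to Medium and is blocked, while a consumer app with the identical attributes stays Excellent.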
When you are using policies based on Cloud Confidence Levels, keep in mind that CCI scores are dynamic. For 
example, a cloud app might have a CCI score of 59 today, placing it in the “Low” Cloud Confidence Level. 
However, if the app's vendor significantly improves the enterprise-readiness of their app in the coming months, its 
CCI score might increase to an 80 at a later time, placing it at the “High” level. Consequently, an app that is being 
blocked today by a policy that is based on Cloud Confidence Levels might suddenly
