Netskope Help

Add the Azure Subscription in Netskope API-enabled Protection

After you have created an Azure Active Directory application and assigned the relevant permissions and roles, create an Azure app instance in the Netskope UI.

To create an Azure instance:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Settings > API-enabled Protection > IaaS > Microsoft Azure > SETUP.

    The New Setup window opens.

  3. In the New Setup window, enter the following parameters: 

    1. In the Azure Subscription section, enter the following details:

      1. Azure Subscription Name: Enter a unique name for the Azure subscription.

      2. Admin Email: Enter the email address of the administrator for email notification.

      3. In the Connection Type, select the appropriate connection type:

        Note

        Some of the instance type options may be disabled. Contact your Netskope sales representative for additional information.

        1. DLP: Select this option to scan Azure Blob Storage against DLP policies. On selecting this option, you need to create an API Data Protection policy.

        2. Threat Protection: Select this option to scan Azure Blob Storage for malware.

          Note

          The Threat Protection feature is optional. Select this option if you intend to scan Blob storage for malware. You can view the malware alerts in SkopeIT > Alerts and Incidents > Malware pages.

        3. Security Assessment: Select this option to periodically assess the configuration of the Azure services to monitor risks in your infrastructure. You have the option to run the policy at intervals (30 minutes, 60 minutes, 2 hours, 6 hours, and 24 hours). On selecting this option, you need to create a security assessment policy.

          Note

          Netskope recommends setting the interval to 60 minutes or more.

        4. Forensic: Select this option for Netskope to store forensic-related logs in Blob storage.

          Note

          Once you set up the instance with forensic enabled, you should create a forensic profile in Policies > Profiles > Forensic. Then, enable forensics in Settings > Forensics.

    2. In the Cloud Provider Information section, enter the following details:

      1. Directory ID: Enter the directory ID you noted from "Step-2: Get the Application ID and Directory ID" of configuring an Azure AD application.

      2. Application ID: Enter the application ID you noted from "Step-2: Get the Application ID and Directory ID" of configuring an Azure AD application.

      3. Client Key: Enter the authentication key you noted from "Step-3: Get the Authentication Key" of configuring an Azure AD application.

  4. Click Save, then click Grant Access for the Azure instance you just created.

Refresh your browser, and you should see a green check icon next to the instance name. You can proceed to create a policy based on the instance connection type selected:

  • Blob Storage Scanning (API Data Protection): Navigate to the Policies > API Data Protection page to create an Azure Blob Storage policy.

  • Security Assessment: Navigate to the Policies > Security Assessment page to create a security assessment policy, profile, and rule.

For Blob Storage Scanning (API Data Protection), Netskope carries out DLP scans on your Blob storage. You can view the DLP alerts in the SkopeIT > Alerts and Incidents > DLP pages.

Note

Azure Blob storage scanning does not have a dedicated API Data Protection dashboard. Administrators and select users receive the email alerts specified in the policy, and alerts are also available in SkopeIT and through Incident Management.

For malware, you can view the alerts in the SkopeIT > Alerts and Incidents > Malware pages.

For Security Assessment, Netskope accesses and analyzes the posture of the Azure resources and alerts the administrator to risks and possible remediation. You can view the Azure dashboard page by navigating to the Cloud Infrastructure page.