Netskope Help

Create a Next Generation API Data Protection Policy

To create a Next Generation API Data Protection policy, follow the instructions below:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Policies > API Data Protection.

    The API Data Protection page loads.

  3. Under SAAS, click the Next Gen tab.

  4. Click New Policy.

    The New API Data Protection Policy page loads.

  5. Exposure: Users are individuals or bots associated with an account in the protected application, and with (read or write) access to content in the application. Based on your requirements, select the following options:

    Note

    • You can leave the User field empty (except for Microsoft Yammer). If you do so, all users will be scanned.

    • Workday note: Netskope uses the primary email of the user to calculate the domain exposure.

    • User Profile: A set of users as defined in the user profile. User profiles allow you to upload a CSV file with all the users' email addresses to include or exclude in a scan for policy violations.

      Note

      User profiles must be added before they are listed here. To download a CSV file that contains your user profiles, go to Policies > Profiles > User, and then click New User Profile. Complete the steps in the New User Profile wizard, and then select a user profile here.

    • Internal Domains: A user within the same domain of the organization. To configure an internal domain, navigate to Settings > Administration > Internal Domains. For more information, see Internal Domains.

      Note

      • GitHub note: Since GitHub does not provide email addresses, internal domains refer to users not labeled as external collaborators in GitHub.

      • Citrix ShareFile & Workday note: Currently, Netskope does not use the internal domains setting to calculate the exposure level for Citrix ShareFile and Workday.

    • External Domains & Anonymous Users: A user outside the domain of the organization. External domains and anonymous users refer to users with email addresses not belonging to the internal domains.

      Note

      • GitHub note: Since GitHub does not provide email addresses, external domains and anonymous users are limited to users labeled as external collaborators in GitHub.

      • Microsoft Yammer note: Anonymous users do not exist in Microsoft Yammer. All users are in the Yammer organization.

    • Domain Profiles: You can select a domain profile consisting of a list of custom domains. To create a domain profile, navigate to Policies > PROFILES > Domain.

      Note

      • GitHub note: Since GitHub does not provide email addresses, Netskope does not support domain profiles for GitHub.

      • Citrix ShareFile & Workday note: Currently, Netskope does not use the domain profiles setting to calculate the exposure level for Citrix ShareFile and Workday.

    • Exclusions: You can set an exclusion list of entities that the policy excludes from scanning. You can build the exception list from user profiles, internal & external domains, anonymous users, and domain profiles.

      Note

      GitHub note: Currently, GitHub does not support the exception setting.

    • # Internal Collaborators >: To set thresholds for when content sharing triggers a policy violation, select the More Than or Less Than radio button and enter the number of internal collaborators that need to be detected for a policy violation to occur.

  6. Under Object, based on your requirements, select the following options:

    • All Applications: Apply the policy to all SaaS apps and instances.

    • Applications: Apply the policy to the respective SaaS app(s) you select. When you select this option, all app instances of a specific SaaS app are included for policy scanning.

    • App Instance: Apply this policy to the respective SaaS app instance(s) you select.

    • Categories: Apply the policy based on the type of SaaS app solution. If you select a category, all the corresponding SaaS app and instances are included for policy scanning. Here are the SaaS app categories and corresponding SaaS apps:

      • Development Tools: Atlassian Jira, GitHub

      • Cloud Storage: Microsoft 365 OneDrive GCC High, Citrix ShareFile

      • Collaboration: Atlassian Confluence, Microsoft 365 Teams GCC High, Microsoft 365 SharePoint GCC High, Microsoft 365 Yammer, and Zoom

      • Helpdesk Management: Zendesk

      • HR: Workday

      • Identity & Access Management: Okta

      For Application and Categories, you can also exclude certain SaaS apps and instances from the purview of policy scanning. To do so, select the Application or Categories option from the Object drop-down list and click the Exclusions drop-down list and select the SaaS app/instance.

    • File Type: Apply the policy for a specific file type category. A few file type category examples are audio, image, word processor, presentation, video, etc.

      Note

      • The file type option is available for HR and cloud storage apps only.

      • The file type criterion is matched against files only. Non-file resources ignore this criterion.

  7. Under Profile & Action, select the following options:

    • Profile: You can either select the following options:

    • Action: The action to be taken when a policy violation occurs. When you select Alert and a policy violation occurs, Netskope sends a notification on the Skope IT > Alerts page.

      Note

      Alerts are generated for the last 30 days only.

  8. Under Policy Name, enter the policy name and a short description.

  9. Under Status, based on your requirement, select the following options:

    • Disabled: Keep the policy disabled and enable it later.

    • Enabled: Enable the policy so that it takes effect immediately.

  10. On the top-right, click Save followed by Apply Changes.

    You should see the newly created policy on the policy home page.

    Note

    If you have kept the policy disabled, make sure to enable the policy. You can click the more options icon (...) to the right of the policy entry and click Enable followed by Apply Changes.

Next, you can view the DLP incidents under Incidents > DLP. For more information on DLP incidents, see About DLP.
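
To preview how the user options in step 5 would bucket a real sharing list before you enable a policy, the following added example (not Netskope code and not part of the original page) models internal, external, anonymous and excluded collaborators and the # Internal Collaborators threshold. The class and function names, the exact-match handling of domains, the treatment of a missing email as anonymous, and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ExposureModel:
    internal_domains: set                               # Settings > Administration > Internal Domains
    excluded_users: set = field(default_factory=set)    # Exclusions taken from a user profile
    excluded_domains: set = field(default_factory=set)  # Exclusions taken from a domain profile

    def classify(self, email):
        """Bucket one collaborator as internal, external, anonymous or excluded."""
        if not email:
            return "anonymous"          # assumption: no email means anonymous access
        email = email.strip().lower()   # compare case-insensitively
        domain = email.rpartition("@")[2]
        if email in self.excluded_users or domain in self.excluded_domains:
            return "excluded"
        # Assumption: exact domain match, so a subdomain must be listed separately.
        return "internal" if domain in self.internal_domains else "external"

    def summarize(self, collaborators):
        counts = {"internal": 0, "external": 0, "anonymous": 0, "excluded": 0}
        for email in collaborators:
            counts[self.classify(email)] += 1
        return counts

def threshold_violated(internal_count, operator, limit):
    """Model of the '# Internal Collaborators' More Than / Less Than setting."""
    if operator == "more_than":
        return internal_count > limit
    if operator == "less_than":
        return internal_count < limit
    raise ValueError(f"unknown operator: {operator}")

# Constructed sample: the collaborator list of one shared file.
SAMPLE_COLLABORATORS = [
    "alice@example.com",
    "Bob@Example.com",            # same domain, different case
    "carol@partner.example.net",  # outside the internal domains
    "dave@eu.example.com",        # subdomain that is not listed as internal
    None,                         # anonymous link access
    "svc-bot@example.com",        # excluded service account
]
MODEL = ExposureModel(internal_domains={"example.com"},
                      excluded_users={"svc-bot@example.com"})

if __name__ == "__main__":
    counts = MODEL.summarize(SAMPLE_COLLABORATORS)
    print(counts)
    print("violation:", threshold_violated(counts["internal"], "more_than", 1))
```

Running a model like this over an exported sharing list shows which addresses would count as external under your internal-domain list, which is a quick way to spot a subsidiary or regional domain that still needs to be added.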