
Netskope Help

Create a Next Generation SaaS Security Posture Policy

To create a Next Generation SaaS security posture policy:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Policies > Security Posture. Then, click the Next Gen tab.

    The Security Posture page opens.

  3. Click the New Policy drop-down and select the SaaS app.

    The New Security Posture Policy page opens.

  4. Under Instance, the UI sets the app by default. You can then select the following options:

    • You can leave the Instance field empty. On doing so, all instances will be scanned.

    • You can select a subset of instances.

    • Exceptions: You can set an exception list so that the policy excludes the selected instances from scanning.

  5. Under Rules & Action, select the following options:

    • Rule: Select rules from a set of predefined and custom rules. You can also select compliance standards from a list of predefined compliance standards.


      If you choose a cross-app-suite rule in a policy, ensure that you leave the Instance field (step 4 above) empty.

      A cross-app-suite rule is a rule that can apply to multiple SaaS apps.

    • Action: Select the appropriate policy action when a rule match is found.


      Currently, you can select the Alert action only.

    • Show Rules: Select this checkbox to view the list of rules you have selected for this policy. You can also selectively enable or disable a rule. When a rule is disabled, Netskope does not list or evaluate the resources of the SaaS app in relation to that rule.


      When you disable a rule, it is disabled in that specific policy only. If the same rule exists in a different policy, the rule remains active in that policy.

  6. Under Policy Name, enter the following details:

    • Enter the name of the policy.

    • (Optional) Expand + Policy Description and enter a short description.

    • On expanding + Email Notification, the Email Notification window opens. Enter the following details:

      • Frequency of the notification.

      • You can send the email notification either to the Netskope instance owner or selected user(s).


        The Netskope instance owner is the user that was used to create the app instance in Settings > API-enabled Protection > SaaS.

        An issue is observed where the policy fails to send an email notification to the Netskope instance owner. As a workaround, enter the Netskope instance owner email ID under Selected Users and ensure that you enter any email ID in the From Email text box.

      • Optionally, the sender's email address.

      • Click Done.

  7. Under Status, toggle to enable the policy.

  8. On the top right, click Save to save the policy.

  9. On the Security Posture page, click Apply Changes.

Once you apply changes, Netskope accesses and analyzes the posture of the SaaS app resources, and alerts the administrator to risks and possible remediation.