Netskope Help

Create a Storage Scan Policy

Use this endpoint to create a storage scan policy. After creating a policy, use the Apply Changes endpoint to update your tenant.

Request Endpoint
https://<tenant-name>.goskope.com/api/v1/storage_scan_policies/?token=<token>&op=create

Valid parameters include:

Key

Type

Value

Description

op

string

create

Required. Operation performed.

policy_name

string

Ex: LQ_storage

Required. Must be the name of an existing storage scan policy.

cloud_provider

string

aws | googlecloud

Required. The storage platform provider.

instanceConditional

JSON array of object

AWS

accountID: AWS account ID.

GCP

projectID: GCP Project ID.

folderID: GCP Folder ID.

organisationID: GCP Organisation ID.

Optional. If explicit instances are used, and if DLP profiles are used in the policy, all the instances must have DLP service checked in the Instance setup.

If explicit instances are used, and if Threat Protection profiles are used in the policy, all the instances must have Threat Protection service checked in the Instance setup.

If blocklist is true => won't scan, return here; if allowlist is true => go to next conditional.

objectContainerConditional

JSON array of object

AWS

name: Name of the bucket.

region: Region where the bucket is available.

tags: Tags associated with the AWS bucket.

access: "private", "public". Objects can be public.

GCP

name: Name of the GCP Bucket.

region: Region where the GCP bucket is available.

labels: Labels as key value pair used with GCP Buckets.

storageClass: Valid Storage Class for GCP are: "STANDARD", "NEARLINE", "COLDLINE", and "ARCHIVE"

access: "private", "public"

Optional. If explicit, this will be used to narrow down a scan to file events that match the conditional for object store attributes. The attributes listed here pertain to the container/store of objects. For example, for AWS it would be buckets, for Azure it would be StorageAccount etc.

If blocklist is true => won't scan, return here; if allowlist is true => go to next conditional.

objectConditional

JSON array of object

AWS

name: Name of the object.

key: Path to the object, including the Object name.

owner: Owner name of the AWS object.

contentType: The mimeType as determined by AWS.

storageClass: Valid storage class for AWS are "STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE", "OUTPOSTS"

serverSideEncryption: Server side encryption available in AWS, has to be one of "AES256", "aws:kms".

extension: FileExtension of the object.

tags: Tags associated with objects.

access: "private", "public"

GCP:

name: Name of the object.

key: Path to the object including the Object name.

owner: Owner name of the GCP object.

contentType: The mimeType as determined by GCP.

extension: FileExtension of the object.

access: "private", "public"

Optional. If explicit, it will be used to narrow down a scan to file events that match the conditionals for object attributes. The attributes that are listed here correspond to objects or files.

If blocklist is true => won't scan, return here; if allowlist is true => send for scan.

dlp.profileNames

string

Array of strings

Optional.

Must be an existing DLP profile name.

iaas_storage_dlp_enabled must be enabled. Can be an empty array.

Cannot be used with tss.profileNames.

tts.profileNames

string

Array of strings

Required if dlp.profileNames is not provided.

Must be an existing Threat Protection profile name.

iaas_storage_dlp_enabled must be enabled. Can be an empty array.

Cannot be used with dlp.profileNames.

enabled

boolean

true | false

Required. Use true to enable the policy. User false to disable the policy.

maxScanFrequency

string

3h | 6h | 12h | 24h | 7d |30d

Optional. Determines how frequent to re-scan any resource (e.g. object), which can be used to manage scan costs.

notify

object

interval: Time interval between notifications.

to_users: Groups of users who will get notified.

emails: Email addresses of additional users to notify.

from_user: Email address from which the email will be sent.

Details for email notification.

Example Create Policy Request
POST 'https://<tenant>/api/v1/storage_scan_policies?token=<token>op=create' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "policyName",
    "cloud_provider": "aws",
    "instanceConditional": {
      ...
    },
    "objectContainerConditional": {
      ...
    },
    "objectConditional": {
      ...
    },
    "dlp": {
        "profileNames": [
            "DLP Profile 1",
            "DLP Profile 2"
        ]
    },
    "maxScanFrequency": "3h",
    "action": "Alert",
    "enabled": true,
    "notify": {
      "interval": "30",
      "to_users": [
        "admin"
      ],
      "emails": [
        "abc@netskope.com"
      ],
      "from_user": "abc@netskope.com"
    }
}'