Netskope Help

Create an API Data Protection Policy

To discover existing data residing within your sanctioned cloud services, create an API Data Protection policy with the desired options and actions. The Netskope UI guides you through the process of configuring policies for your cloud app(s) on a single web page.

Once you log in to the Netskope tenant, navigate to Policies > API Data Protection. Then under the SAAS tab, click the New Policy drop-down list and select the appropriate app. Follow the rest of the instructions below.

Application

In this section, select the appropriate SaaS application and respective instance for which the policy will be created.

  1. In the Application section, select the Microsoft 365 OneDrive for Business app. 

  2. In the Instance section, select the appropriate OneDrive app instance.

  3. When finished, click Next.

Users

In this section, specify the users that can trigger a policy violation.

  1. Select all users, a subset of users, or user profiles. You can search for and select specific users or user profiles. A list displays when you search for a subset of users (plus folders of users) or user profiles. If you select All Users or User Profiles, additional options are available to exclude users and/or exclude user profiles.

    The Exclude Users and Exclude User Profiles options are available when you select All Users or User Profiles. The Exclude options prevent the listed users or user profiles from triggering the policy.

    Note

    User profiles must be added before they are listed here. To download a CSV file that contains your user profiles, go to Policies > Profiles > User, and then click New User Profile. Complete the steps in the Create User Profile wizard, and then select a user profile.

    Note

    The User Groups option is not supported currently. It will be supported at a later release.

  2. When finished, click Next.

Content

In this section, specify the file sharing options and types of files to scan that can trigger a policy violation.

FILE SHARING OPTIONS TO SCAN

  • All Sharing Options: Scans all sharing options like private, public, shared externally, and shared internally.

  • Specific Sharing Options: With specific sharing options, you can choose all or specific sharing types, like:

    • Private: A file not shared with anyone.

    • Public: A file that is shared or open to the public.

    • Shared internally: A file shared specifically with users within the same sub-domain of the organization.

    • Shared externally: A file shared specifically with users outside the organization. You can select all or specific external domains if they have been configured for the app. You can create a new domain by selecting the Create New option.

    Note

    The following sharing options are not supported currently. They will be supported at a later release.

    • Cross-geo

    • Enterprise Shared

    • Shared with Group(s)

    • AD group enumeration (e.g. user count/threshold evaluation)

FILE TYPES TO SCAN

  • Select All File Types or Specific File Types to scan.

When finished, click Next.

DLP

In this section, specify the type of DLP profile that can trigger a policy violation.

  1. To use a data loss prevention (DLP) profile, select DLP and click Select Profile. Search for a DLP profile or choose one from the list, which includes both predefined and custom profiles. After selecting a DLP profile, click Save.

  2. When finished, click Next.

Action

In this section, specify the action to be taken when a policy violation occurs.

  1. Select the appropriate action from the drop-down list.

    Table 19. Policy Action List

    • Alert
      Additional Action: none
      Description: An alert is generated on the Skope IT > Alerts page when a policy matches.

    • Delete
      Additional Action: none
      Description: The item is deleted from the SaaS app when a policy matches.

    • Legal Hold
      Additional Action: Select a legal hold profile.

      Note

      Do not select a profile that was created for an instance in the old API Data Protection platform. Select a profile that was created for an instance in the Next Generation API Data Protection platform.

      Description: This action is used to preserve all forms of relevant information when litigation is reasonably anticipated. Users can choose to have a copy of the file saved for legal purposes if it matches the policy criteria.

      When a file is placed in legal hold, an email is sent to the custodian and to the users who created the file with the appropriate coaching messages.

    • Quarantine
      Additional Action: Select a quarantine profile.

      Note

      Do not select a profile that was created for an instance in the old API Data Protection platform. Select a profile that was created for an instance in the Next Generation API Data Protection platform.

      Description: If a file matches the DLP policy criteria, it is moved to the quarantine folder for the administrator to review and take appropriate action (allow the file to be uploaded or block it from being uploaded), and the original file is replaced with tombstone content. Quarantined files are listed in the Netskope UI under Incidents > Quarantine, where the administrator can choose to restore or block the file.

      When a file is sent to the quarantine folder, an email is sent to the approver and another is sent to the user with the appropriate coaching messages.

    • Restrict Access
      Additional Action: Select one of the following.
      • Owner: The policy restricts access to the item to the owner only.
      • Remove Public Links: The policy removes any public sharing link from the item.
      • Remove Individual Users: The policy removes individual users' access to the item.
      • Remove Organization Wide Links: The policy removes any organization-wide sharing link from the item.

    • Restrict Sharing to View
      Additional Action: none
      Description: Permission on the file is restricted to ‘view only’ in the SaaS app when a policy matches.

  2. When finished, click Next.

Notification

In this section, specify whom to notify about a policy violation and how often.

  1. Select None if you do not wish to send any notification.

  2. Select the Notify once every option to specify how often to notify recipients and whom to notify. Click the adjacent toggle to specify an interval, or choose Notify after each event.

  3. To send multiple notifications, select the recipients to notify, and then choose the email template you want to use and enter the email address of the recipient(s). To create custom email templates for each recipient, enable the checkbox for the recipient types, and then select Create New from the drop-down list. Enter the needed info in the Create Email Notification Template window, and then select components to include in the email. When finished, click Save.

  4. Optionally, you can enter your email address so the recipients know who set up this policy. 

  5. When finished, click Next.

Set Policy

In this section, specify the name and description of the policy.

  1. Enter the name of the policy.

  2. Optionally, you can enter a short description of the policy.

When finished, click Save, followed by Apply Changes. The policy that you just created will scan the files and folders specified based on your selections, and the action chosen occurs when there is a policy violation.
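To make the interplay of the sections above concrete, here is an added Python model of how one policy's selections combine at evaluation time. It is an illustration written for this page, not Netskope's code: the ApiPolicy, FileEvent and Notifier names, the field names and the constructed events are all assumptions, and the ordering of checks is only one plausible reading of the documented options.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model of one policy; names are illustrative, not Netskope's. None = no filter ("All ...").
@dataclass
class ApiPolicy:
    name: str
    app_instance: str                        # Application + Instance sections
    users: set | None = None                 # None = All Users
    exclude_users: set = field(default_factory=set)   # Exclude Users option
    sharing_options: set | None = None       # None = All Sharing Options
    file_types: set | None = None            # None = All File Types
    dlp_profile: str | None = None           # None = no DLP profile selected
    action: str = "Alert"                    # one of the Policy Action values
    notify_interval_s: int | None = None     # None = Notify after each event

@dataclass
class FileEvent:
    app_instance: str
    owner: str
    sharing: str          # Private | Public | Shared internally | Shared externally
    file_type: str
    dlp_matches: set      # DLP profiles the content matched (constructed scan result)

def evaluate(policy: ApiPolicy, event: FileEvent) -> str | None:
    """Return the policy action when every configured section matches, else None."""
    if event.app_instance != policy.app_instance:
        return None
    if policy.users is not None and event.owner not in policy.users:
        return None
    if event.owner in policy.exclude_users:          # exclusion wins over All Users
        return None
    if policy.sharing_options is not None and event.sharing not in policy.sharing_options:
        return None
    if policy.file_types is not None and event.file_type not in policy.file_types:
        return None
    if policy.dlp_profile is not None and policy.dlp_profile not in event.dlp_matches:
        return None
    return policy.action

class Notifier:
    """Notification section: notify after each event, or at most once per interval (seconds)."""
    def __init__(self, policy: ApiPolicy) -> None:
        self.policy, self.last_sent = policy, None
    def should_notify(self, now_s: int) -> bool:
        interval = self.policy.notify_interval_s
        if interval is None or self.last_sent is None or now_s - self.last_sent >= interval:
            self.last_sent = now_s
            return True
        return False
```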