Custom Rules using Domain Specific Language
Warning
SaaS Security Posture Management (SSPMv1) will be made EOL (end of life) soon. Customers who are on the SSPMv1 platform should migrate to Next Generation SSPM platform. In addition, the SSPMv1 documentation will be deprecated by June '23. Additional documentation links:
Build custom rules under Policies > Security Posture using Domain Specific Language (DSL) for Security Posture of GitHub, Microsoft 365, Salesforce, ServiceNow, and Zoom resources.
The following syntax describes the general form of a DSL rule statement.

Rule Format: <entity> [where <condition>] should [not] have <condition>
For example,
O365 should have every MalwareFilterPolicies with [ EnableFileFilter eq true ]
O365 should have atleast one AntiPhishPolicies with [ Name eq "O365 AntiPhish Default" ]
Entity
An entity defines what the rule is checking against. It can be used alone or with a condition to further specify the entity.

Here are some examples of using an entity.
Syntax | Example |
---|---|
<entity> should have <condition> | O365 should have every MalwareFilterPolicies with [ EnableFileFilter eq true ] |
<entity> should have <condition> | O365 should have every AcceptedDomains with [ spfRecordPublished eq true ] |
<entity> where <condition> (the "where" condition further defines the entity to narrow down the result) | Repository where private eq true should have fork_count eq 0 |
For a complete list of supported entities and attributes, see:
Condition
A condition is a standard that the rule uses to check against an entity to narrow down the result.

The following table provides examples of using a condition. The formats in this table apply to all property types.
Condition format | Example |
---|---|
<property> | AWS should have CloudTrails |
<property> [func()] <operator> <value> | IAMUser should have Name eq "root" |
<property> [func()] <operator> <value> | IAMUser should have Policies.Managed len() eq 0 |
<property> with/contain <condition> | AWS should have IAMUsers with [ Name eq "root" ] |
<property> in/notin (<value1>, <value2>, <value3>) | IAMUser should have Name in ( "root", "name2" ) |
quantifiers (every, atleast one) for list and sequence properties | IAMUser should have atleast one Password eq "1234" |
and, or, not, ( ) for complex conditions | IAMUser should have (Name eq "root") and (MFAActive eq true) |
Function
Use functions in rules to find specific information about entities. Functions use the following syntax:
<entity> <function>(<argument>)
For example,
S3Bucket should have Tags len ( ) gt 0
Protocol in ("-1", "tcp")
The following table provides a complete list of functions available to use in rules.
Function | Property Types | Arguments | Returns property type | Description |
---|---|---|---|---|
len | list, string | none | number | Returns the length of string or list. |
numhosts | ip | none | number | Number of hosts in subnet. |
isPrivate | ip | none | boolean | Whether IP is private (IPy). |
isPublic | ip | none | boolean | Whether IP is public (IPy). |
divisibleby | number | number | boolean | Whether LHS number is divisible by argument. |
in, notin | string, boolean, ip, number | list | boolean | Whether LHS value is in list (shortcut for long OR). |
has | list | list | boolean | Whether LHS list contains any one of the lists passed in as argument. |
isLaterThan | number (date) | number, units | boolean | Whether LHS number (date) is later than current time +/- number units (arguments). For example, isLaterThan ( -1, "days") means LHS is later than 1 day ago (from scan time). Units must be one of the following: seconds|minutes|hours|days|weeks. "days" is most common. |
isEarlierThan | number (date) | number, units | boolean | Whether LHS number (date) is earlier than current time +/- number units (arguments). For example, Password.LastUsedTime isEarlierThan ( -90, "days") means LHS is earlier than 90 days ago (from scan time). Units must be one of the following: seconds|minutes|hours|days|weeks. "days" is most common. |
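As an added Python illustration of the isLaterThan / isEarlierThan rows above (example code, not Netskope's implementation): dates are represented as epoch seconds, "now" is passed in as a fixed scan time so the results are reproducible, and the unit names are the five the table allows. How a missing date (a credential that was never used) is treated is this example's own assumption, not something the page states.

```python
import time

# Units the table allows, each mapped to seconds (dates are epoch seconds in this example)
UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400, "weeks": 604800}

def reference_time(number, units, now):
    """'current time +/- number units' as epoch seconds; a negative number points into the past."""
    if units not in UNITS:
        raise ValueError(f"units must be one of {'|'.join(UNITS)}, got {units!r}")
    return now + number * UNITS[units]

def is_later_than(lhs, number, units, now=None):
    """isLaterThan(number, units): LHS date is later than the reference time.
    Assumption for this example: a missing date (None) is never 'later'."""
    now = time.time() if now is None else now
    return lhs is not None and lhs > reference_time(number, units, now)

def is_earlier_than(lhs, number, units, now=None):
    """isEarlierThan(number, units): LHS date is earlier than the reference time.
    Assumption for this example: a missing date counts as earlier, so a never-used credential is stale."""
    now = time.time() if now is None else now
    return lhs is None or lhs < reference_time(number, units, now)

def stale_password_users(users, max_idle_days=90, now=None):
    """Users for which Password.LastUsedTime isEarlierThan ( -max_idle_days, "days" ) holds."""
    return [u["Name"] for u in users
            if is_earlier_than(u["Password"].get("LastUsedTime"), -max_idle_days, "days", now)]

def recently_active_users(users, now=None):
    """Users for which Password.LastUsedTime isLaterThan ( -1, "days" ) holds."""
    return [u["Name"] for u in users
            if is_later_than(u["Password"].get("LastUsedTime"), -1, "days", now)]

DAY = 86400
SCAN_TIME = 1_700_000_000          # constructed fixed "scan time" so the results are reproducible
USERS = [                          # constructed sample users, not real data
    {"Name": "alice", "Password": {"LastUsedTime": SCAN_TIME - 3 * DAY}},
    {"Name": "bob", "Password": {"LastUsedTime": SCAN_TIME - 120 * DAY}},
    {"Name": "carol", "Password": {"LastUsedTime": SCAN_TIME - 2 * 3600}},
    {"Name": "svc-backup", "Password": {}},   # password never used
]
```

With the constructed users, `stale_password_users(USERS, 90, SCAN_TIME)` returns bob (120 days idle) and svc-backup (never used), while `recently_active_users(USERS, SCAN_TIME)` returns only carol; a date exactly 89 days old is not "earlier than 90 days ago", which is the boundary to keep in mind when choosing the number argument.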
Property
Property is used to define the condition the rule checks as well as to narrow down the entity the rule checks against. Properties can be nested using "." (for example, MFADevices.Virtual, where the rule checks all the virtual devices).
The following is the syntax format.
<entity> should [not] have <property>...
<entity> where <property>...
The following table provides the list of property types and the functions they support.
Property Type | Operators and Functions | Example |
---|---|---|
list | in, notin, contain, with, len() | IAMUsers with [ Name eq "root" ] |
sequence | in, notin | MFADevices in ( "ID1", "ID2" ) |
string | eq, neq, like, not like, len() | Name eq "root" |
number | eq (=), neq (!=), gt (>), gte (>=), lt (<), lte (<=) | Topic.Subscriptions len() > 0 |
boolean | eq, neq | Password.Enabled eq true |
ip | eq, neq | IPRanges with [ ip eq 0.0.0.0/0 ] |
Compliance Rules
Netskope provides a list of predefined rules to check your SaaS security posture compliance. For a complete list of predefined rules, see:
Common elements used to write a DSL rule
The following elements are commonly used in a DSL rule.
- with: to access the elements in any list.
- where: to restrict the evaluated assets.
- Operators: such as eq, gte, gt, lt, lte, neq.
- Functions: such as like, has, in, len, isEarlierThan, isLaterThan.
- Numeric range syntax: for example, to check for port 137 and port 138, include the following in the syntax.
FromPort lte 138 and ToPort gte 13
Note
Will match any security group or firewall ruleset that has a port range including 137, 138 or both.
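To make the rule format, the "where" filter, the every / atleast one quantifiers and the numeric range syntax concrete, here is an added Python example: a small parser and evaluator for the subset of the DSL shown on this page (`<entity> [where <condition>] should [not] have <condition>`, quantifiers with `with [ ... ]`, eq/neq/gt/gte/lt/lte, in/notin, len(), and/or and parentheses). It is not Netskope's rule engine, and its inventory of O365, Repository, IAMUser and SecurityGroup objects is constructed. Its own assumptions: a list property used with `with` and no quantifier means "atleast one"; "every" over an empty list holds; a quantifier is only supported together with `with [ ... ]`; and the port-range check for ports 137 and 138 is written with those two numbers as its bounds, so it flags any group whose FromPort..ToPort range overlaps them.

```python
import re
# Tokens: quoted string, number, punctuation, dotted name (a property path), anything else
TOKEN_RE = re.compile(r'"[^"]*"|-?\d+(?:\.\d+)?|[()\[\],]|[A-Za-z_][\w.]*|\S')
OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b, "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
       "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b, "in": lambda a, b: a in b, "notin": lambda a, b: a not in b}

class Parser:
    """Recursive descent over: <entity> [where <cond>] should [not] have <cond>  (and binds tighter than or)."""
    def __init__(self, text): self.toks, self.i = TOKEN_RE.findall(text), 0
    def peek(self, k=0): return self.toks[self.i + k] if self.i + k < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def rule(self):
        entity, scope = self.take(), None
        if self.peek() == "where":                   # optional filter that narrows the entity first
            self.take(); scope = self.cond()
        self.take("should")
        negate = self.peek() == "not" and self.take() == "not"
        self.take("have")
        return {"entity": entity, "where": scope, "negate": negate, "check": self.cond()}
    def cond(self):
        node = self.and_expr()
        while self.peek() == "or":
            self.take(); node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.atom()
        while self.peek() == "and":
            self.take(); node = ("and", node, self.atom())
        return node
    def atom(self):
        if self.peek() == "(":                       # parenthesised sub-condition
            self.take(); node = self.cond(); self.take(")"); return node
        quant = None                                 # "every" / "atleast one" quantify over a list property
        if self.peek() == "every":
            quant = "every"; self.take()
        elif self.peek() == "atleast" and self.peek(1) == "one":
            quant = "any"; self.take(); self.take()
        prop = self.take()
        if quant or self.peek() == "with":           # [quantifier] <list property> with [ <condition per element> ]
            self.take("with"); self.take("["); inner = self.cond(); self.take("]")
            return ("with", prop, quant or "any", inner)   # assumption: no quantifier means "atleast one"
        func = None
        if self.peek() == "len" and self.peek(1) == "(":   # len() is the only function implemented here
            func = "len"; self.take(); self.take(); self.take(")")
        if self.peek() in OPS:
            return ("cmp", prop, func, self.take(), self.value())
        return ("exists", prop)                      # bare property, e.g. "AWS should have CloudTrails"
    def value(self):
        tok = self.take()
        if tok == "(":                               # ( v1, v2, ... ) list for in / notin
            values = [self.value()]
            while self.take() != ")": values.append(self.value())
            return values
        if tok.startswith('"'): return tok[1:-1]
        if tok in ("true", "false"): return tok == "true"
        return float(tok) if "." in tok else int(tok)

def lookup(obj, dotted):                             # follow a "." path such as Policies.Managed; missing -> None
    for part in dotted.split("."):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj

def compare(val, func, op, rhs):
    if func == "len": val = len(val or [])
    try: return OPS[op](val, rhs)
    except TypeError: return False                   # missing (None) number against gt/lt etc.: not satisfied

def evaluate(node, obj):
    kind = node[0]
    if kind == "and": return evaluate(node[1], obj) and evaluate(node[2], obj)
    if kind == "or": return evaluate(node[1], obj) or evaluate(node[2], obj)
    if kind == "exists": return bool(lookup(obj, node[1]))
    if kind == "cmp": return compare(lookup(obj, node[1]), *node[2:])
    results = [evaluate(node[3], item) for item in lookup(obj, node[1]) or []]   # "with": one verdict per element
    return all(results) if node[2] == "every" else any(results)   # note: "every" over an empty list is True

def run_rule(rule_text, inventory):
    rule, results = Parser(rule_text).rule(), {}     # results: {object id: passed?}
    for obj in inventory.get(rule["entity"], []):
        if rule["where"] is None or evaluate(rule["where"], obj):   # "where" decides which assets are judged
            passed = evaluate(rule["check"], obj)
            results[obj["id"]] = (not passed) if rule["negate"] else passed
    return results

# Constructed sample inventory; every id and value here is made up for this example.
INVENTORY = {
    "O365": [{"id": "tenant-1", "AntiPhishPolicies": [{"Name": "O365 AntiPhish Default"}],
              "MalwareFilterPolicies": [{"EnableFileFilter": True}, {"EnableFileFilter": False}]}],
    "Repository": [{"id": "repo-a", "private": True, "fork_count": 0}, {"id": "repo-b", "private": True, "fork_count": 3},
                   {"id": "repo-c", "private": False, "fork_count": 9}],
    "IAMUser": [{"id": "root", "Name": "root", "MFAActive": False, "Policies": {"Managed": []}},
                {"id": "alice", "Name": "alice", "MFAActive": True, "Policies": {"Managed": ["ReadOnly"]}}],
    "SecurityGroup": [{"id": "sg-any", "FromPort": 0, "ToPort": 65535}, {"id": "sg-https", "FromPort": 443, "ToPort": 443},
                      {"id": "sg-netbios", "FromPort": 137, "ToPort": 139}, {"id": "sg-below", "FromPort": 100, "ToPort": 136}],
}
```

Running `run_rule('O365 should have every MalwareFilterPolicies with [ EnableFileFilter eq true ]', INVENTORY)` fails the tenant because one policy has the filter off, while the atleast-one AntiPhishPolicies rule passes it; `Repository where private eq true should have fork_count eq 0` reports only the two private repositories, the public one never being judged; and `SecurityGroup should not have FromPort lte 138 and ToPort gte 137` fails the 0-65535 and 137-139 groups but passes 443 and 100-136, which is the overlap behaviour the note above describes.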