Netskope Help

Custom Rules using Domain Specific Language

Build custom rules under Policies > Security Posture using Domain Specific Language (DSL) for Security Posture of GitHub, Microsoft 365, Salesforce, ServiceNow, and Zoom resources. 

The following syntax diagram represents the general rule to write a DSL statement.

rule_should_not.png

Rule Format: <entity> [where <condition>] should [not] have <condition>

For example,

O365 should have every MalwareFilterPolicies with [ EnableFileFilter eq true ]
O365 should have atleast one AntiPhishPolicies with [ Name eq "O365 AntiPhish Default" ]
Entity

An entity defines what the rule is checking against. It can be used alone or with a condition to further specify the entity.

entity.png

Here are some examples of using an entity.

<entity> should have <condition>

O365 should have every MalwareFilterPolicies with [ EnableFileFilter eq true ]

O365 should have every AcceptedDomains with [ spfRecordPublished eq true ]

<entity> where <condition>

The "where" condition further defines the entity to narrow down the result.

Repository where private eq true should have fork_count eq 0

For a complete list of supported entities and attributes, see:

Condition

A condition is a standard that the rule uses to check against an entity to narrow down the result.

condition.png

The following table provides examples of using a condition. The formats in this table are applicable to all properties.

<property>

AWS should have CloudTrails

<property> [func()] <operator> <value>

IAMUser should have Name eq “root”

IAMUser should have Policies.Managed len() eq 0

<property> with/contain <condition>

AWS should have IAMUsers with [ Name eq “root” ]

<property> in/notin (<value1>, <value2>, <value3>)

IAMUser should have Name in ( “root”, “name2” )

use quantifiers for list and sequence properties

IAMUser should have atleast one Password eq “1234”

use and, or, not, ( ) for complex conditions

IAMUser should have (Name eq “root”) and (MFAActive eq true)

Function

Use functions in rules to find specific information about entities. Functions use the following syntax:

<entity> <function>(<argument>)

For example,

S3Bucket should have Tags len ( ) gt 0

Protocol in ("-1", "tcp")

The following table provides a complete list of functions available to use in rules.

Function

Property Types

Arguments

Returns property type

Description

len

list, string

none

number

Returns the length of string or list.

numhosts

ip

none

number

Number of hosts in subnet.

isPrivate

ip

none

boolean

Whether IP is private (IPy).

isPublic

ip

none

boolean

Whether IP is public (IPy).

divisibleby

number

number

boolean

Whether LHS number is divisible by argument.

in, notin

string, boolean, ip, number

list

boolean

Whether LHS value is in list (shortcut for long OR).

has

list

list

boolean

Whether LHS list contains any one of the lists passed in as argument.

isLaterThan

number (date)

number, units

boolean

Whether LHS number (date) is later than current time +/- number units (arguments). For example, isLaterThan ( -1, "days") means LHS is later than 1 day ago (from scan time). Units must be one of the following: seconds|minutes|hours|days|weeks.

"days" is most common.

isEarlierThan

number (date)

number, units

boolean

Whether LHS number (date) is earlier than current time +/- number units (arguments). For example, Password.LastUsedTime isEarlierThan ( -90, "days")). Units must be one of the following: seconds|minutes|hours|days|weeks.

"days" is most common.

Property

Property is used to define the condition the rule is checking as well as to narrow down the entity the rule is checking against. Property can be nested using “.” such as, MFADevices.Virtual where the rule checks for all the virtual devices.

The following is the syntax format.

<entity> should [not] have <property>...

<entity> where <property>...

The following table provides the list of property types and the functions they support.

Property Type

Operators and Functions

Example

list

in, notin, contain, with, len()

IAMUsers with [ Name eq “root” ]

sequence

in, notin

MFADevices in ( “ID1”, “ID2” )

string

eq, neq, like, not like, len()

Name eq “root”

number

eq (=), neq (!=), gt (>), gte (>=), lt (<), lte (<=)

Topic.Subscriptions len() > 0

boolean

eq, neq

Password.Enabled eq true

ip

eq, neq

IPRanges with [ ip eq 0.0.0.0/0 ]

Compliance Rules

Netskope provides a list of predefined rules to check your SaaS security posture compliance. For a complete list of predefined rules, see:

Common elements used to write a DSL rule

The following elements are commonly used in a DSL rule.

  • with - To access the elements in any list.

  • "."

  • where - To restrict evaluated assets.

  • Operators - Such as, eq, gte, gt, lt, lte, neq.

  • Functions - Such as, like, has, in, len, isEarlierThan, isLaterThan, len.

  • Numeric range syntax - For example, to check for port 137 and port 138, include the following in the syntax.

    FromPort lte 138 and ToPort gte 13

    Note

    Will match any security group or firewall ruleset that has a port range including 137, 138 or both.