Skip to main content

Netskope Help

DLP Entity

Starting with release 90, the DLP Rules UI has been updated with a new option called Entities. In Netskope DLP, Entities refer to data identifiers and dictionaries. Data identifiers are common terms used to categorize certain types of identifiable data, and dictionaries are files with keyword and regular expressions. Entities are used in a rule to identify sensitive data.

To open the Entities page, in the Netskope UI go to Policies > Profiles > DLP > Edit Rules and select Data Loss Prevention. Then click on the Entities tab.

dlp_entity.png
Data Identifier

Netskope provides a wide list of predefined data identifiers with meaningful names and descriptions. The full list of predefined data identifiers can be seen in the New DLP Rule workflow.

To view the full list of predefined data identifiers, in the Rules tab of the Data Loss Prevention Rules page, click New Rule. In the New DLP Rule dialog box, all the predefined identifiers are listed under categories.

You can also create your own custom data identifiers.

To create custom data identifiers,

  1. In the Entity tab, click New Entity. The Create Entity dialog box is displayed with the Data Identifiers option selected.

    dlp_create_custom_data_identifier.png
  2. Provide a name for the custom data identifier and choose whether the new identifier is case-sensitive or not.

  3. Add a predefined data identifier in the format {{predefined_data_identifier}}, a keyword, or a regular expression. For example, a predefined identifier such as {{Full Names (US)}}, a keyword such as Name, or a regex such as \d[5,10].

    Click the Validate Regex button to validate the syntax of the regular expression. For more information on the supported operators, quantifiers, and metacharacters for regular expressions, see Building Regular Expressions.

  4. Under Advanced Options, you can set various conditions to narrow down the results when this identifier is used in a DLP rule. For more information, see the Advanced Options section.

Dictionary

A dictionary can be a keyword dictionary or a regular expressions dictionary. Dictionary file is a CSV file that can contain keywords and phrases, or regular expressions you want to find using a DLP rule. Each dictionary file can contain either keywords and phrases, or regular expressions.

To use a dictionary file, create a CSV file with one keyword, phrase, or regular expression per line. A regular expressions dictionary file can contain up to 25 entries. For more information on the supported operators, quantifiers, and metacharacters for regular expressions, see Building Regular Expressions.

Netskope also supports weighted dictionaries where you can specify a weight for each keyword or phrase. The weight of a keyword is the number based on which the violation score is calculated. Violation score of a rule is the sum of weights of the rule count where, a rule count is the number of times a rule is matched. The higher the keyword weight, the higher the violation score. The violation score determines when to trigger a rule in case of a violation. If a weight is not specified, then a default weight of 1 is assigned to the keyword or phrase.

Note

Weight is not assigned to regular expressions.

To define the keyword in the CSV file, use the format [keyword],[weight] where the weight is optional and can be any value between -100 and 100. Use positive values to increase the violation score and negative values to decrease the violation score.

Example 1. Example

For example, if you are creating a DLP policy to identify AWS access keys, your access key dictionary can contain the following keywords and phrases with weights.

access key ID, 50
AWS, 10
AWS access key, 100
AWSAccessKeyId, 100
access keys
access, -20
Public Cloud, -100

If you created a rule such as C0 NEAR D0 where,

  • C0 is a custom identifier (?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]) to identify an AWS access key ID, and

  • D0 is the access key dictionary.

As an example, if a document is found to contain the following statements,

"Generate the access key"

"Enter the AWS access key ID AKIAIVLZMKR5WEXAMPLE"

then, the rule count for "Generate the access key" is zero and the rule count for "Enter the AWS access key ID AKIAIVLZMKR5WZSQO5ZA" is one.

The total violation score for this document will be 100.



To create a new dictionary,

  1. In the Entity tab, click New Entity. The Create Entity dialog box is displayed.

  2. Select Dictionary and then select Keyword Dictionary or RegEx Dictionary.

    dlp_create_dictionary.png
  3. Provide a name for the dictionary and choose whether the new dictionary is case-sensitive or not.

  4. Click Select File. Locate and select your dictionary file, click Open to upload the file.

  5. Under Advanced Options, you can set various conditions to narrow down the results when this dictionary is used in a DLP rule. For more information, see the Advanced Options section.

Advanced Options

The Advanced Options enable you to set conditions that can help you narrow down the search results for the entity when used in a DLP rule. The following are the Advanced Options.

  • Begins with, Ends with, Does not match provides you options to add conditions to include or exclude specific keywords or regexes.

    dlp_new_entity_advop_1.png
  • Use Filters provides two filters, Common-Sense filter, and Unlikely Matches. The common-sense filter rejects match that has repeating or sequential characters. For example, aabbcc, or 22222.

    The unlikely matches filter rejects an unlikely match by examining the characters present before or after the matched data. For example, aabbcc-Augustine.

  • Use Validators For Regex provides three different validation algorithm options, Luhn, Elfproef, and Verhoeff to reject matches that do not pass the validation check for the selected algorithm.