Most users never change their passwords and use the same password in several applications. When unsanctioned apps are hacked, the compromised accounts in these apps can expose accounts in your sanctioned apps. The Netskope Compromised Credentials dashboard informs you about known compromised credentials for the accounts used by your employees.
You can use the Compromised Credentials page to build awareness around the number of compromised credentials in your company. If you have risk officers, they can use this information to assess the need for SSO and 2-factor authentication in sanctioned cloud apps. Using this feature as input, it is possible to set up a workflow to automate remediation actions such as resetting a user’s AD account. Passwords are never checked. To access the Compromised Credentials page, go to Incidents > Compromised Credentials.
Use the Compromised Credentials page to view:
- Total number of users with compromised credentials. Click the link here to view and edit the domains tracked. This number is the total of domain users + non-domain users.
- Total number of domain users.
- Total number of non-domain users. Click the link here to upload a file with user names.
- User – Compromised user’s email address associated with the Netskope account.
- Matched User – email address associated with the breached access method.
A Matched User email may differ from a User email address. For example, firstname.lastname@example.org is the User email associated with the Netskope account. But email@example.com is the same person as firstname.lastname@example.org or email@example.com, the Matched User email associated with the breach.
- Edit Email Notification Template – send email to a specific user, selected admins, or all admins for your account.
You can customize the information shown by clicking +Add Filter and selecting specific types of information, plus switch between all acknowledged compromised credentials or just the unacknowledged ones. Use the filter to view by:
- Access Method – the named user used one of these access methods: Explicit Proxy, Secure Forwarder, Mobile Profile, Client, Reverse Proxy, DPOP inline, TAP, AD Importer, CSV Upload, API Connector, and Log when the breach was detected.
- Source of info.
- Date compromised – choices include: Before this Date, After this Date, On this Date, and Custom Range.
Click a user’s email address to go to the Skope IT page for more details. To export the Compromised Credentials page information to a spreadsheet, click Export and choose the desired options. To remove one or more of the compromised credentials, enable the checkbox next to an item and click Acknowledge, or click Acknowledge All.
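As an added example (not Netskope code), the following script shows one way an exported list could feed the remediation workflow mentioned earlier: it keeps only unacknowledged findings for users in tracked domains after a cutoff date and groups them per User, noting when the Matched User address differs. The CSV column names, the sample rows, and the tracked domain are assumptions constructed for illustration, not the product's documented export format.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumptions, not a documented schema.
SAMPLE_EXPORT = """User,Matched User,Source,Date Compromised,Acknowledged
alice@corp.example,alice@corp.example,Breach A,2023-03-01,false
alice@corp.example,alice.personal@mail.example,Breach B,2023-05-10,false
bob@corp.example,bob@corp.example,Breach A,2022-11-20,true
carol@partner.example,carol@partner.example,Breach C,2023-06-02,false
dave@corp.example,dave@corp.example,Breach A,2021-01-15,false
"""

TRACKED_DOMAINS = {"corp.example"}  # assumption: the domains tracked for this tenant


def build_reset_queue(export_text, tracked_domains, compromised_after):
    """Return {user: [findings]} for unacknowledged domain users whose
    credentials were compromised after the cutoff date."""
    queue = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["User"].strip().lower()
        if row["Acknowledged"].strip().lower() == "true":
            continue  # already acknowledged by an admin
        if user.rpartition("@")[2] not in tracked_domains:
            continue  # non-domain user: handled outside this queue
        when = date.fromisoformat(row["Date Compromised"].strip())
        if when <= compromised_after:
            continue  # older than the cutoff being triaged
        queue.setdefault(user, []).append({
            "matched_user": row["Matched User"].strip().lower(),
            "source": row["Source"].strip(),
            "date": when,
        })
    return queue


def summarize(queue):
    """One line per user, newest finding first, listing matches on other addresses."""
    lines = []
    for user in sorted(queue):
        findings = sorted(queue[user], key=lambda f: f["date"], reverse=True)
        other = sorted({f["matched_user"] for f in findings} - {user})
        lines.append(f"{user}: {len(findings)} finding(s), latest {findings[0]['date']}, "
                     f"other matched addresses: {', '.join(other) or 'none'}")
    return lines


if __name__ == "__main__":
    for line in summarize(build_reset_queue(SAMPLE_EXPORT, TRACKED_DOMAINS, date(2022, 1, 1))):
        print(line)
```

The resulting queue is the input a password-reset or notification step would consume; the reset itself is left to your directory tooling.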
Edit Email Notification Template
Clicking the link on the Compromised Credentials list page opens the template. You can send an email to a specific user, selected admins, or all admins for your account. This allows granular control for admins to explicitly define recipients of this email notification versus an entire admin group.
Select the ‘Selected Admins’ radio button and click in the Admin = text box to view a list of users that are designated as account admins. Select the checkbox next to their emails to add them to your sender’s list.
To send an email notification, navigate to the list page and click the ellipses (#1 in the image below) at the end of the user’s row and click ‘Send an email notification’ (#2 in the image below). The email sends immediately.
If the email is sent successfully, you’ll see the following notification at the top of the Compromised Credentials list page.
In addition, you can check Settings > Administration > Audit Log to view the activity.