Creating a Threat Protection Policy for Real-time Protection

Netskope can scan files stored in your cloud storage applications for malware. Real-time Protection policies scan files for malware by default. For added protection, you can optionally configure allowlist and blocklist file hash lists for malware detection, and integrate Carbon Black for endpoint protection so that you can use remediation profiles when creating a Real-time Protection policy.

To use the optional configurations in a Real-time Protection policy, configure these options before creating the Real-time Protection policy:

  • Create a file hash list: Specify the type of hash lists to detect in a malware scan.
  • Create a detection profile: Specify which hash list file types to allowlist and blocklist.
  • Integrate endpoint detection and remediation: Set up a third-party integration, such as Carbon Black or CrowdStrike, for endpoint protection.
  • Create a remediation profile: Specify the action to take, like Isolate, Alert, or Add to Watchlist/Blocklist.

To configure threat protection for Real-time Protection policies:

  1. In the Netskope tenant UI, go to Policies > Real-time Protection and click New Policy. Select Threat Protection.
  2. Enter the settings in the Real-time Protection policy page for Source (Users) and Destination (Cloud App/Category) first.
  3. Next, in the Profile and Action section, select a Threat Protection Profile.
  4. Select the Action for each severity level. The recommended action for every severity level is Block. This ensures the best protection for users. To apply a remediation profile for each severity level, select a remediation profile from the dropdown list.

    Note

    When the Fallback Action for Advanced File Scanning is set to Alert or Block, some events might not have a policy name if:

    • There’s a TSS or DLP fail reason.
    • There’s no rule hit because you excluded the Threat Protection or DLP rule.
    • You don’t have a catch-all rule at the end of the policy.
  5. Optionally, if you selected File Type constraints and chose a Block action for a severity level, you can see the Block till benign verdict by dynamic threat analysis option. Select this option to block users from uploading or downloading a file until Netskope dynamic threat analysis provides a benign verdict. The analysis can take up to 10 minutes. See Creating a Threat Protection Policy for Patient Zero.
    The Block till benign verdict by dynamic threat analysis option in the Profile and Action section.
  6. Enter a name for the policy and click Save.

Now you are ready to use the malware and malicious sites pages.
