New Features And Enhancements In Release 111.0.0
Here is the list of the new features and enhancements.
API Data Protection
Notification Alert about API Token Expiry
Starting this release, API Data Protection can send a notification to the instance administrator if the API token that is used to grant access has expired.
Netskope will send two types of notification:
- In-product notification: Navigate to API-enabled Protection > SAAS > <app-name>. The UI displays a banner notification about the expired API token.
- Email notification: Netskope sends an email notification to the instance administrator (instance setup page > admin email field) every 24 hours until the administrator re-grants access. Ensure that the administrator email address belongs to an actual user.
For a Salesforce instance, the administrator email is a Salesforce email ID. Salesforce requires an email service to be set up to handle inbound emails to such email addresses. If the email service is not configured, email delivery will fail. Ensure that the email service is set up for the administrator email in Salesforce. To learn more: Email Services.
Call to Action: Once you see the API token expiry notification, navigate to Settings > Configure App Access > Classic > SAAS, and re-grant access to the expired Salesforce or ServiceNow app instances.
Support Slack Canvas in Slack Enterprise
Slack introduced a new feature “Canvas”. Starting this release, API Data Protection for Slack Enterprise can scan for DLP through direct messages, 1:n messages, channels, threads, and replies within a Slack Canvas. However, API Data Protection cannot scan attachments in Slack Canvas. This is due to lack of underlying Slack API support.
Support ServiceNow Vancouver Release
Netskope has now validated support up to the ServiceNow Vancouver release.
Sensitivity Label Integration for Microsoft Information Protection (MIP/Purview Information Protection)
Netskope is now allowing customers to read MIP labels natively with this integration. Customers will be able to define “API Data Protection” policies to read labels and content from MIP encrypted and unencrypted documents.
To learn more: see Digital Rights Management.
Behavior Analytics
Active User Timeline Filter
A new selection on the Incidents > Behavior Analytics page shows active users in the last 48 hours (default), or last 7/30/60 days. This expands the number of active users that can be viewed on the page for the user confidence score (UCI) trend and Behavior Analytics anomalies beyond the users active in the last 48 hours, which was the limit in previous releases.
CASB Real-time Protection
API Support and Control for Open AI
The OpenAI connector now supports the API Post activity. Admins can now get visibility into API traffic generated by tools such as Postman, Visual Studio, and more. With this, admins can apply granular policy actions and restrict enterprise data exfiltration.
GitHub Copilot Support via Real-time Policy
Enhanced the GitHub connector by adding GitHub Copilot intelligence. With this, you can now gain visibility into all Post activities directed to GitHub Copilot and apply granular policy control.
Download Activity for Microsoft Planner Application
Introduced Download detection in Microsoft Office 365 Planner application.
GCP Inline Browser Support
Inline activity coverage for browser/console traffic is now supported for real-time protection for the following GCP services and apps:
- GCP Console (Login Page)
- Compute
- IAM
- Firestore
- Bigtable
- Pub/Sub
- Network Services (Load Balance, Cloud DNS)
- SQL
- BigQuery
- Spanner
- Filestore
The supported browser/console traffic coverage is listed in the Supported GCP Entities for Real-time Protection topic.
Upload Navigation In Azure DevOps
Enhanced the Azure DevOps connector to provide detection coverage for a new upload navigation.
ChatGPT (GPT-4) Additional Activity Support for Upload, Download & Copy
Get visibility into the newly launched activities supported for ChatGPT (GPT-4). The new activities are Upload, Download & Copy. Use these activities in a Real-time Protection policy to support granular access management and to control it at the business unit or user group level.
Support for OpenAI Additional Activities
The dedicated OpenAI connector is now supported with Real-time Protection policies. Activities supported are Login Failed, Login Successful, and Login Attempt.
Sensitivity Label Integration for Microsoft Information Protection (MIP/Purview Information Protection)
Netskope is now allowing customers to read MIP labels natively with this integration. Customers will be able to define “Real time protection” policies to read labels and content from MIP encrypted and unencrypted documents. To learn more: see Digital Rights Management.
Data Protection
Updated French INSEE Entity
Updated “Social Security Numbers (FR; INSEE)” Entity to allow for space-delimited NIR/INSEE numbers.
Updated Document Classification Model
Enhanced the DLP machine learning-based document classifiers to improve their accuracy and reduce false positives.
Enhanced Support for Tax-ID–Related Entities (VAT)
- Added new predefined Entities to support VAT numbers and terms for all 27 member states of the EU, the UK, Northern Ireland, and Switzerland. Added a new aggregate predefined terms-only Entity that detects VAT-number–related terms for all major languages of the EU.
- Updated the Brazilian tax ID terms Entities to remove matches for digital-ID–related terms such as “cpf eletrônico” and “e-cnpj” (the Entities will match on the “cpf” and “cnpj” portions of the strings, and not the entire string), and better match compound terms such as “c.p.f./r.g.”.
- Changed the second-level navigation header under “Company Numbers” (when browsing through Entities to include in Rules) from “Tax ID Numbers” to “Corporate Tax IDs” to better reflect Entities within the hierarchy.
- Removed “Benelux” and “G20” as search terms for all appropriate Entities and not just tax-related ones.
Case-sensitivity in Entity Validators
Enhanced validation functionality for “Spanish DNI numbers” to ensure accurate verification of numbers containing lowercase letters (for example, “00024680r”).
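Both validator changes above (space-delimited NIR/INSEE numbers and lowercase DNI letters) come down to normalising a candidate before its checksum is computed. The sketch below is an added example, not Netskope's implementation: it uses the publicly documented DNI mod-23 letter rule and NIR mod-97 key rule, and the function names and sample text are assumptions made for illustration.

```python
import re

# Spanish DNI: 8 digits plus a check letter selected by (number mod 23).
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"
DNI_CANDIDATE = re.compile(r"\b\d{8}[A-Za-z]\b")
# French NIR/INSEE: 13 characters plus a 2-digit key, optionally grouped
# with single spaces as 1-2-2-2-3-3-2.
NIR_CANDIDATE = re.compile(
    r"\b\d(?: ?\d{2}){2} ?(?:\d{2}|2[ABab]) ?\d{3} ?\d{3} ?\d{2}\b"
)


def valid_dni(candidate: str) -> bool:
    """Check the DNI letter after folding case, so '...r' and '...R' agree."""
    text = candidate.strip().upper()
    if not re.fullmatch(r"\d{8}[A-Z]", text):
        return False
    return DNI_LETTERS[int(text[:8]) % 23] == text[8]


def valid_nir(candidate: str) -> bool:
    """Check the NIR key after removing the optional space delimiters."""
    text = re.sub(r"\s+", "", candidate).upper()
    if not re.fullmatch(r"\d{5}(?:\d{2}|2[AB])\d{8}", text):
        return False
    # Corsican department codes 2A/2B count as 19/18 in the key calculation.
    body = text[:13].replace("2A", "19").replace("2B", "18")
    return 97 - int(body) % 97 == int(text[13:])


def scan(text: str) -> list[tuple[str, str]]:
    """Return (entity, matched text) for candidates that pass validation."""
    hits = [("DNI", m.group()) for m in DNI_CANDIDATE.finditer(text)
            if valid_dni(m.group())]
    hits += [("NIR", m.group()) for m in NIR_CANDIDATE.finditer(text)
             if valid_nir(m.group())]
    return hits


# Constructed sample text. "00024680r" is the value quoted in the release
# note; the NIR value is a sample chosen for this example.
SAMPLE = (
    "DNI 00024680r on file; rejected entry 12345678a; "
    "NIR 2 69 05 49 588 157 80; mistyped NIR 2 69 05 49 588 157 81"
)

if __name__ == "__main__":
    for entity, value in scan(SAMPLE):
        print(entity, value)
```

A validator that compares the check letter without folding case, or that only accepts the compact 15-character NIR form, would miss the first and third values in the sample while still rejecting the two invalid ones.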
Sensitivity Label Integration for Microsoft Information Protection (MIP/Purview Information Protection)
Netskope is now allowing customers to read MIP labels natively with this integration. Customers will be able to define “Real time protection,” “Endpoint DLP,” as well as “API Data Protection” policies to read labels and content from MIP encrypted and unencrypted documents. As part of this release, the following use cases are available to customers:
- Read MIP Labels from unencrypted documents
- Read MIP Labels from encrypted documents
- Read content from encrypted and unencrypted documents
- Detect if there is encrypted content passing through traffic
To learn more, see Digital Rights Management and Adding a File Profile.
Endpoint Data Loss Protection (EPDLP)
WinMagic SecureDoc Encryption
Endpoint DLP now supports WinMagic SecureDoc removable media encryption.
Additional Status Reporting
The Endpoint DLP agent status reporting is now capable of differentiating between workflows like shutdown/restart and the agent being disabled because of process failures. Additionally, when the agent is stopped due to a shutdown or restart, it no longer reports “Device Control Disabled”.
To learn more: Devices.
Sensitivity Label Integration for Microsoft Information Protection (MIP/Purview Information Protection)
Netskope is now allowing customers to read MIP labels natively with this integration. Customers will be able to define “Endpoint DLP” policies to read labels and content from MIP encrypted and unencrypted documents.
To learn more: see Digital Rights Management.
Forensic
Next Gen Forensics
Starting this release, forensics grants are decoupled from the classic API Data Protection grants. The classic API Data Protection grant required administrators to set up and configure forensics using extensive permission scopes from the storage provider. With the Next Gen forensics grant, forensic profiles can now be configured independently with a minimum set of permissions. To learn more: Next Gen Forensics.
The Next Gen forensic grant includes support for Microsoft 365 SharePoint and Azure Blob Storage as forensic destinations. Netskope will roll out support for additional forensic destinations in due course.
Intrusion Prevention System (IPS)
Cloud Firewall & IPS Integration
The IPS signature override view now includes non-web signatures applied in Cloud Firewall. For signatures common to both web and non-web traffic, the default action is set for web traffic scenarios. Custom overrides are only applied to web traffic.
To learn more: About IPS Settings.
Enable IPS by Traffic Type
Intrusion Prevention System can now be enabled independently for web, non-web, and cloud app traffic in IPS Settings.
To learn more: About IPS Settings.
Next Generation API Data Protection
New File Sharing Exposure Options
Starting this release, Next Generation API Data Protection has introduced a new set of file sharing exposure options in the policy wizard page. They are:
- Owner: Not shared with anyone.
- Internal: Shared between users and groups from one single domain defined in Internal Domains or defined as an internal user in the app instance.
- All Internal Users: Shared between all users and groups organization-wide.
- External: Shared with external users and groups.
- Anonymous: Shared with general public. Accessible by anyone.
The new exposure options are currently rolled out for Microsoft OneDrive, SharePoint, and Google Drive apps only. More apps will be supported in due course. To learn more about file sharing options supported by various SaaS apps: Next Generation File Sharing Exposure.
To start using the new file sharing exposure options: Create a Next Generation API Data Protection Policy. For any queries, reach out to support@netskope.com.
DLP Quarantine
Starting this release, Next Generation API Data Protection supports DLP quarantine for Microsoft OneDrive and SharePoint apps. More apps will be supported in due course.
You can define a quarantine action when you create a Next Generation API Data Protection policy. When a policy matches, Netskope isolates the affected file and tombstones it, and the administrator can take appropriate action on the quarantined file. Some of the salient features are:
- Define a quarantine action with or without a DLP profile on the policy wizard page.
- Create a retroactive scan with quarantine action.
- Ability to apply a default or custom tombstone text/file.
- Take action on a quarantined incident like restore, block, contact owner, or download the original file.
- DLP incidents page will now include reporting of quarantine actions.
To learn more:
- View quarantine incidents: Incidents > Quarantine page
AD User Group
Starting this release, Next Generation API Data Protection supports Active Directory (AD) user group as a collaborator option in the policy wizard page. With this enhancement, you can include AD user groups from 3rd-party identity vendors.
User groups are part of the directory importer installation. Go to Settings > Tools > Directory Tools > SCIM Integration to set up your System for Cross-domain Identity Management (SCIM) integration. To learn more: SCIM-Based User Provisioning.
To start using this new option: Create a Next Generation API Data Protection Policy.
Netskope Secure Web Gateway (NG SWG)
Split Source IP Conditions In Real Time and SSL Decryption Policies
This feature allows users to create Real-time Protection and SSL Decryption policies based on the User Source IP and Egress Source IP simultaneously.
To learn more: Real-time Protection Policies and Add a Policy for SSL Decryption
Policy based Dedicated Egress IP (DEIP)
You can selectively route traffic to use DEIP based on a policy. The policy can comprise various source and destination criteria. DEIP will apply to traffic matched to any specified criteria in the policy. If no criteria are specified, dedicated egress IP will apply to all traffic.
Allow Differentiation in SSL Decryption by OS and Access Method
Introduced the ability to restrict SSL Decryption policies to specific Access Methods and OSes.
Netskope Private Access (NPA)
Netskope Traffic Management
As part of improving user experience via Netskope cloud, Private Access Client and Publisher will now find the optimal datacenter for tunnel establishment using Netskope Traffic Management. To learn more: NewEdge Traffic Management.
NPA for China DC
NPA is now also available through NewEdge China PoPs. To learn more: Upgrade a Publisher for PRC (China).
Remote Browser Isolation (RBI)
RBI Support for German Language
RBI has added German language support for all standard messages. RBI users that have their browser configured in German (de-*) will automatically see all RBI standard messages (for example, RBI warning messages, pop-up isolation indicator…) in German. With this addition, RBI now supports 3 languages: English, Spanish and German.
Threat and DLP Integration for RBI
Support for DLP and Threat Protection policies for file upload and download traffic through RBI is now Generally Available for Targeted RBI and Extended RBI customers. With this feature RBI customers can safely enable uploads and downloads in isolated browsing sessions, creating additional real time protection policies to scan the files for Threat Protection and DLP.
The integration of RBI with Netskope Threat Protection and Data Protection services allows NG-SWG to process all traffic generated in isolation and brings additional benefits to RBI customers:
- Configurable File Uploads and Downloads settings in RBI templates
- Full visibility of user activity in isolation, leveraging app inline connectors to detect user activities
- Leverage Threat Protection and DLP profiles for isolated and not-isolated traffic
- Increased visibility over potential threats stopped by RBI
- Localized content in isolation
To learn more: Threat and Data Protection for RBI
SaaS Security Posture Management (SSPM)
New Predefined Rules Added in SSPM
Added 144 new predefined rules. These are for the following categories:
- Apps:
  - Microsoft Entra: 122
  - Microsoft 365: 3
  - Salesforce: 4
  - GoogleWorkspace: 14
  - Microsoft 365: 1
- MITRE ATT&CK:
  - Defense Evasion: 120
  - Initial Access: 10
  - Impact: 2
  - Exfiltration: 6
  - Discovery: 9
- Security Domains:
  - Application: 8
  - Data and File Security: 12
  - Device Security: 118
  - Email Security: 2
  - IAM: 12
Support for Exporting Posture Findings
With this feature, you can export the Findings > Raw Findings details in the CSV file format.
Refer to the View Security Posture Findings document to learn more.
Traffic Steering
Install Date Information for Windows
To help resolve the interop issue with other third-party tools, when users collect a log bundle for Netskope troubleshooting, Netskope also collects software installation date information in nsdebuglog.log to identify recent software changes on the machine. This feature is only applicable on Windows.
OnDemandConnectionsHoldTimeout VPN profile
Optimized the Netskope Client hold time for the iOS App. Added a variable, OnDemandConnectionsHoldTimeout, that defines the wait time used by the App. The default value is ‘0’. You can change this value to let the App wait by defining a Key: Value pair in the MDM VPN Profile.
Windows And macOS Client Enhancement
Introduced a new feature flag, ignoreLoopbackProxy, for Windows and macOS. The default value is set to disabled. When it is enabled, the Netskope Client bypasses local loopback proxy traffic.
CA Installation Client Status Events
With the new option to activate new certificates automatically in Settings > Manage > Certificates, you can now view the certificate change events for each certificate change activity in Devices. The following events are displayed in the event of a certificate update:
- CA Installation Failure: This event is displayed when the CA (Certificate Authority) installation fails. Any consecutive failure events are not posted on the webUI and the status changes only in the event of a successful CA installation.
- CA Installation Success: This event is displayed when the CA installation succeeds after a failed CA installation.
- CA Installation Change: When the CA rotation is detected, Netskope Client posts the CA installation status “CA Installation Change” event for cert rotation monitoring.
To learn more: Devices.
Device Classification Picker
Changed the UI for the Device Classification Picker in Realtime Policy. Merged the Managed and Unmanaged sections into one. If the user selects both Managed and Unmanaged, a warning message appears under the picker stating that it is an invalid selection. If you still click Save, both options are removed.
Device Classification Custom Label
Netskope Client supports custom device classifications that can be leveraged to configure multiple device classification labels and assign rules under them.
A device is validated against the configured classifications in top-to-bottom order, and when it matches a classification policy, the respective label is assigned.
- This feature was previously in Beta (version 110.0.0) and is now in Controlled GA. Contact your Netskope Support or Sales Representative to enable this feature for your tenant.
- Netskope Private Access (NPA) is currently not supported for Custom Device Classification.
To learn more: Device Classification.