New Features And Enhancements In Release 117.0.0
Here is the list of the new features and enhancements.
Behavior Analytics
Compromised Account Detection
A new advanced UEBA policy uses CASB API and Reverse Proxy traffic events and logs to detect compromised accounts accessed from known malicious IPs or from suspicious IPs such as anonymizing proxies.
CASB Real-time Protection
Instance ID Detection
Added Google Gemini to Google App Suite and synthetic support for consistent instance identification.
Microsoft Copilot Upload Activity
The Microsoft Copilot app connector supports the Upload activity. This extends the existing upload capability, which was restricted to image upload.
Cloud Confidence Index (CCI)
URL Domain Addition Request
Added the following domains to their specified applications:
- cloud.google.com to Google Cloud Platform application.
- teams.cloud.microsoft to Microsoft Teams
- outlook.cloud.microsoft to Microsoft Office 365 Outlook.com
Cloud Firewall (CFW)
HTTP Traffic on Non-standard Ports
The HTTP-Auto Detect capability not only identifies HTTP(S) traffic on non-standard ports but also inspects it. CFW can identify web traffic on non-standard ports and send it for complete web inspection. This goes beyond the custom ports that customers configure today for web traffic on non-standard ports.
Cloud TAP
Stitcher Tool Updates
Enhancements in Netskope stitcher tool CLI:
- Added new Geneve option –with-decrypted to indicate that TLS traffic has been decrypted
- Added support for ExtraHop’s high-performance interface
- Updated default options for simplicity
Data Protection
Preview Images in Incidents
For DLP incidents triggered on image and other files embedded in document or archive files, the Incident Details page now lets you preview the images and any extracted text, and download both the image and other sub-files. The ability to download image and other sub-files may optionally be enabled from the Forensics Configuration page under Settings.
Digital Rights Management (DRM)
MIP Labels Support for O365 webmail
The ability to read MIP/Purview Information Protection labels is extended to O365 webmail. Sent emails can be checked for sensitive labels, and the corresponding policy action defined in the CASB Inline policy can be taken.
Endpoint DLP (EPDLP)
Optional Description Field
Endpoint DLP device constraints now have an optional description field for extra information about each entry.
See Constraint Profile for more information.
Forensics
Support Google Drive as a Forensic Destination
Starting this release, as part of Next Gen Forensics, Netskope has rolled out Google Drive as a new forensic destination. To learn more: Next Gen Forensics.
Next Generation API Data Protection
General Availability (GA) of Dropbox
Starting this release, Next Generation API Data Protection has introduced the support for Dropbox. Next Generation API Data Protection for Dropbox can now support policy creation, DLP, threat protection using ongoing scan, alerts and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure Dropbox, see Configure Dropbox for the Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
General Availability (GA) of Microsoft 365 Teams (Commercial)
Starting this release, Next Generation API Data Protection has introduced the support for Microsoft 365 Teams (Commercial). Next Generation API Data Protection for Microsoft 365 Teams (Commercial) can now support policy creation, DLP, threat protection using ongoing scan, alerts and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure Microsoft 365 Teams, see Configure Microsoft 365 Teams for the Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
General Availability (GA) of Salesforce
Starting this release, Next Generation API Data Protection has introduced the support for Salesforce. Next Generation API Data Protection for Salesforce can now support policy creation, DLP, threat protection using ongoing scan, alerts and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure Salesforce, see Configure Salesforce for the Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
Support New Restrict Access Actions
Starting this release, Next Generation API Data Protection has introduced two new restrict access actions:
- Revoke Users Added at the File Level: This action removes access to the file for individually listed users, whether internal or external. This action is currently available for Microsoft 365 OneDrive & SharePoint.
  When the Revoke User Added at File Level action triggers, Netskope removes access of:
  – People (except owner)
  – Office 365 Groups (except Owner, Everyone, and Everyone except external users)
  – Links (except Anyone with a link, People in org with a link)
  The goal of the Revoke User Added at File Level action is to remove access granted to specific users or groups. However, Next Generation API Data Protection does not treat the special Office 365 group “Everyone” as pointing to a specific user or group. As a result, Next Generation API Data Protection does not alter or remove access for the “Everyone” group. This behavior differs from the Classic API Data Protection, which removes the “Everyone” group.
- Revoke Public Sharing: This action removes general access/public links. Only users who have access can open the file. This action is currently available for Google Drive, Microsoft 365 OneDrive & SharePoint.
To learn more: Create a Next Generation API Data Protection Policy.
For a list of SaaS apps that support these actions, see Next Generation API Data Protection Feature Matrix per Cloud App.
Support Legal Hold
Starting this release, Next Generation API Data Protection has introduced legal hold as a policy action. This feature allows organizations to preserve all forms of relevant information when litigation is reasonably anticipated. If a file meets the policy criteria, you can opt to save a copy specifically for legal purposes.
You can define the legal hold profile under Policies > PROFILE > Legal Hold > Next Gen.
Currently, legal hold as a destination is supported for Microsoft 365 OneDrive, SharePoint, and Google Drive. To learn more: Legal Hold Profile.
Severity-based Remediation Actions for Threat Protection
Starting this release, Next Generation API Data Protection has introduced severity-based remediation action for threat protection policy action. This feature allows an administrator to have finer controls over malware remediation actions and quarantined content protection. You can configure a severity-based remediation action – low, medium, and high. For each severity, you can define an action. A threat protection policy defines the severity based action executed in case of a policy match and a password to protect the quarantined content.
Currently, this feature is supported for Dropbox, Google Drive, Microsoft 365 OneDrive, SharePoint, and Salesforce. To learn more: Create a Next Generation API Data Protection Policy.
As part of this feature rollout, Next Generation API Data Protection will not support any 3rd party Endpoint Detection & Response (EDR). When you configure a severity-based remediation action for threat quarantine, there will be no option to select a remediation endpoint. You cannot configure a remediation profile under Policies > Threat Protection. As an alternative, you can leverage and perform the same actions using Netskope Cloud Exchange. For more information, see:
- Carbon Black Plugin for Threat Exchange
- CrowdStrike Plugin for Threat Exchange
Netskope Private Access (NPA)
New Netskope Client UI Indicator For NPA
This feature was previously available as Beta in version 113.0.0 and is now available for all tenants from this release.
Enhanced the Netskope Client for Windows to show Internet Security and Private Access tunnel statuses on:
- The system tray client icon tooltip
- One-click menu
- Netskope Client icon colors
To learn more: Using Netskope Client
SRP Optimization
Improved robustness, sustainability, and capability for the NPA MP service to either survive or quickly recover from traffic spikes. A compacted format was introduced while maintaining backward compatibility with existing Client versions. This change significantly reduces the SRP size and provides a better end-user experience when NPA connections are initiated. This feature is supported with Client version R114.0.11 and above, and no additional changes are required.
Netskope Secure Web Gateway (NG SWG)
Block Partial Content Requests
When advanced file scanning (that is, Large File Scanning) is enabled, Netskope SWG trickles a few bytes of data to the client for large file downloads while content inspection is in progress. If the verdict is block, Netskope SWG terminates the connection. However, because a few bytes were already trickled, some clients initiate retries (partial content requests) for the remaining data. The client may succeed in downloading the remaining data despite a Block policy being configured.
This enhancement handles blocking the retries for partial content initiated by clients.
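A log check for the gap described above, as an added example that is not Netskope code: it flags allowed 206 (partial content) responses that follow a block verdict for the same user and URL. The event field names, the sample events and the 10-minute window are constructed assumptions, not a Netskope log schema.

```python
from datetime import datetime, timedelta

# Constructed proxy events; field names are hypothetical, not a Netskope log schema.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "user": "alice", "url": "https://files.example.com/big.iso",
     "action": "block", "status": 200, "range": None},
    {"ts": "2024-05-01T10:00:02", "user": "alice", "url": "https://files.example.com/big.iso",
     "action": "allow", "status": 206, "range": "bytes=4096-"},
    {"ts": "2024-05-01T10:05:00", "user": "bob", "url": "https://files.example.com/doc.pdf",
     "action": "allow", "status": 206, "range": "bytes=0-1023"},      # no earlier block
    {"ts": "2024-05-01T10:10:00", "user": "carol", "url": "https://files.example.com/tool.zip",
     "action": "block", "status": 200, "range": None},
    {"ts": "2024-05-01T10:10:01", "user": "carol", "url": "https://files.example.com/tool.zip",
     "action": "block", "status": 403, "range": "bytes=512-"},        # retry was blocked
    {"ts": "2024-05-01T11:30:00", "user": "alice", "url": "https://files.example.com/big.iso",
     "action": "allow", "status": 206, "range": "bytes=4096-"},       # outside the window
]


def find_partial_content_bypasses(events, window=timedelta(minutes=10)):
    """Return (user, url, range) for allowed 206 responses that follow a block verdict."""
    last_block = {}   # (user, url) -> time of the most recent block verdict
    findings = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["url"])
        if ev["action"] == "block":
            last_block[key] = ts
            continue
        is_partial = ev["status"] == 206 and ev["range"] is not None
        blocked_at = last_block.get(key)
        if is_partial and blocked_at is not None and ts - blocked_at <= window:
            findings.append((ev["user"], ev["url"], ev["range"]))
    return findings


if __name__ == "__main__":
    for user, url, byte_range in find_partial_content_bypasses(EVENTS):
        print(f"possible bypass: {user} fetched {byte_range} of {url} after a block")
```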
SSL Decryption Support
All the apps now show up in SSL Decryption but if they have overlapping domains, then a warning message is displayed.
Domain Fronting Exceptions
Netskope detects domain fronting when the SNI and the HTTP request Host header are mismatched, allowing admins to either block or bypass this traffic. However, there are cases where the SNI mismatches the Host header, or where research teams use domain fronting for testing purposes. With this feature, Netskope REST APIs are available to configure wildcard domains or full-domain matches to set domain fronting exceptions (a global list across the entire tenant). The Domain Fronting Profile REST APIs comply with the Netskope REST API v2 standard.
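The SNI/Host comparison with an exception list, sketched as an added example (not Netskope code and not its REST API). The function names, the sample domains, the rule that `*.domain` matches subdomains but not the apex, and matching an exception against either name are all assumptions.

```python
def normalize(name):
    """Lower-case a hostname and drop any :port suffix and trailing dot."""
    name = (name or "").strip().lower()
    if name.startswith("[") and "]" in name:      # bracketed IPv6 literal in Host
        return name[1:name.index("]")]
    if name.count(":") == 1:                      # host:port
        name = name.split(":", 1)[0]
    return name.rstrip(".")


def exception_matches(pattern, host):
    """Full-domain match, or wildcard match on subdomains only (assumed semantics)."""
    pattern = normalize(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(sni, host_header, exceptions=()):
    """Return 'consistent', 'exception', 'domain-fronting' or 'no-verdict'."""
    sni_n, host_n = normalize(sni), normalize(host_header)
    if not sni_n or not host_n:
        return "no-verdict"                       # nothing to compare
    if sni_n == host_n:
        return "consistent"
    # Assumption: an exception applies when either observed name matches it.
    if any(exception_matches(p, sni_n) or exception_matches(p, host_n)
           for p in exceptions):
        return "exception"
    return "domain-fronting"


# Constructed exception list and observations (SNI, Host header).
EXCEPTIONS = ["*.lab.example.com", "probe.example.net"]
SAMPLES = [
    ("www.example.com", "WWW.Example.com.:443"),
    ("cdn.example.net", "hidden.example.org"),
    ("edge.lab.example.com", "app.example.org"),
    ("lab.example.com", "app.example.org"),
]

if __name__ == "__main__":
    for sni, host in SAMPLES:
        print(f"{sni:24} {host:24} {classify(sni, host, EXCEPTIONS)}")
```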
Remote Browser Isolation (RBI)
Copy Image and Clipboard Text Option
When text is selected on top of an image and the RBI Context Menu is opened, it shows options to copy the text and to copy the image, since both operations are possible. Previously, only the Copy Image option was available.
Extended RBI Batch R117
RBI has added support for the following 15 categories in the “Extended RBI License”:
- Adult Content
- Auctions & Marketplaces
- Business Process Management
- Collaboration
- Dating
- Development Tools
- Entertainment
- Lifestyle
- Logistics
- Marijuana
- Shopping
- Social & Affiliation Organizations
- Telecommuting
- Trading & Investing
- Web design
Fallback Action for non-isolable Requests
Introduced a new feature that allows RBI customers to modify the action that RBI currently applies, “proxy to next hop”, to requests that match an isolate policy and are deemed non-isolable (that is, not a webpage).
When this feature is enabled, all non-isolable input requests are blocked instead of being proxied to the next hop. This is a tenant-level setting and, when the feature is enabled, it applies to all non-isolable requests.
Browser Source Criteria
RBI isolates traffic corresponding to a user visiting a webpage with a web browser (for example, Chrome or Firefox).
With this new feature, RBI now requires adding the “browser” source criteria to all “isolate” policies, preventing non-browser traffic from matching these RBI policies. The list of browsers is restricted to supported RBI browsers.
Customers can create more effective “isolate” policies and reduce the non-isolable requests sent to RBI, which might affect user experience due to unnecessary traffic processing.
Existing “isolate” policies will keep working as is, with no changes. New and edited “isolate” policies will require the “browser” criteria.
To learn more, visit RBI Best Practices.
Popup Message Isolation Indicators
Support in RBI templates for complete customization of the Pop-up Message isolation indicator is now Generally Available. This feature improves the efficacy of isolation indicators in communicating RBI-related information tailored to RBI end users. To facilitate the adoption of RBI, RBI admins can modify the following in the warning pop-up:
- Pop-up box border color
- Pop-up message position
- Images as corporate logos (jpg, png and so on) with 3 fixed size options: Small, Medium and Large
- Custom text message with HTML tags (for example, hyperlinks like FAQ link, portal) and predefined variables support (URL accessed by user, RBI settings disabled)
No admin action required. This feature will be enabled by default for all RBI customers. Existing RBI templates will continue working.
To learn more, visit RBI templates.
REST API
Token Authentication
The /api/v2 API requests coming from the Web UI Swagger page now require API token authentication. Requests using web session authentication will be rejected. This is a user experience improvement meant to prevent confusion: API requests submitted from the Swagger page with no token appeared to the user to succeed despite being unauthenticated, while they were actually succeeding using the active Web dashboard session cookie.
Risk Insights
Support for On-prem Appliances
Starting from R113, appliances can be remotely diagnosed by Netskope Support in case of issues faced by a customer. This is done by having Netskope Support connect to an Appliance from its tethered Netskope cloud. This capability increases the efficiency at which customer issues can be addressed by Netskope.
This feature is enabled by default and can be disabled through nsshell using “troubleshooting diagnostic-agent stop” command.
SaaS Security Posture Management (SSPM)
APRA CPS 234 Compliance Standard
Added support for new compliance standard `APRA CPS 234`.
Refer to the Prudential Standard CPS 234 article for more information.
Support for Visibility & Risk Profiling of 3rd Party Apps for Okta
SSPM now provides you with visibility and risk profiling of third party apps in your Okta instances.
New Rule Templates Introduced in R117
Added a new predefined template for Workday.
To learn more about how to use the templates, refer to Create Posture Rule using Template.
Threat Protection
Scan and Alert for Phishing
Netskope Threat Protection scans the email body in cloud inboxes with API connectors and generates alerts for malicious links.
Traffic Steering
Antivirus (AV) and OS Check Support
Introduced separate AV and OS checks in Device Classification for macOS devices.
OS Version Check
This feature checks and classifies device compliance for the detected OS version that matches or is above the version information configured by the administrator.
Supported OS: macOS (Beta), Windows (Beta).
Already supported in iOS and Android.
AV check
This feature checks the status of the selected AV running on macOS devices.
- Supported Antivirus products: CrowdStrike, SentinelOne, Carbon Black, Microsoft Defender.
- Supported OS: Windows, macOS
To learn more, view Device Classification for macOS.
Flexible Dynamic Steering
This feature was earlier in Controlled-GA and is now available for all new tenants. The feature still continues with the same enhancements that were made in the Beta release.
Flexible Dynamic Steering is currently in GA and is available to new tenants by default. For existing tenants, contact Netskope Support to enable this feature.
In flexible dynamic steering:
- The On-Prem detection enhancement supports multiple IPs for DNS detection and multiple HTTP hosts for HTTP detection.
- For the steering traffic mode, you can switch traffic mode between On-Prem, Off-Prem and the new mode None. When the traffic mode is None, the client will establish a tunnel but will not steer traffic. Exceptions will not be processed as they are only applicable for steered traffic.
- For the steering exception rules:
  - Firewall app exceptions contain separate sets of rules between On-Prem and Off-Prem in All steering traffic mode.
  - Category exceptions contain a set of rules between On-Prem and Off-Prem in Web or All mode.
  - If the packet matches configured exceptions and needs to be bypassed, you can select new exception bypass options to bypass locally on the client device, or bypass by tunnelling on the backend.
- To learn more, view Dynamic Steering.
Gateway Selection Enhancements
This feature is now available for all new tenants by default.
As part of improving user experience through Netskope cloud, a new service is created that helps Netskope Client in finding the optimal datacenter for tunnel establishment based on machine learning algorithms. To learn more: Netskope Client Network Configuration.
Additional Documentation Updates
- Netskope IPSec with Aruba EdgeConnect SD-WAN: Updated the IPSec VPN tunnel integration guide for Aruba EdgeConnect SD-WAN (formerly Silver Peak EdgeConnect).
- Netskope Client Network Configuration: Enhanced content with some additional details regarding Client and Publisher outbound connectivity requirements along with NewEdge traffic management gateway selection.