Netskope Help

New Features And Enhancements In Release 91.0.0

Here is the list of the new features and enhancements.

Domain Exclusion for Storage Applications

API Data Protection now supports domain exclusion in policy wizards for Box, Dropbox, Google Drive, Microsoft Office 365 OneDrive, and SharePoint applications. This new feature, when enabled, excludes domains from a policy trigger. The All External Domains Except option is available as part of the API Data Protection policy wizard under Content > Specific Sharing Options.

Access Restriction to Internal Users

API Data Protection now restricts access to internal users in the policy wizard for Microsoft Office 365 OneDrive and SharePoint applications. This new feature, when enabled, restricts file-sharing access to internal users only. This action removes any external user who has access to the file and removes any public link on the file. The Internal Users option is available as part of the API Data Protection policy wizard under Action > Restrict Access > Restrict Access Level.

Note

This is a Limited Availability feature. Contact your Netskope sales representative for more information.

Mark as Allowed Action for User and Entity Behavior Analytics (UEBA) Detection

The Mark as Allowed action enables you to:

  • Allow a detected anomalous activity.

  • Remove the impact of the UCI deduction for the detection.

  • Restore the user's UCI score immediately.

It also provides input to Netskope to improve machine learning algorithms with the feedback for that user and activity.

Rename Network Location to Reflect Exclusive vs Inclusive Criterion

The Network Location field in the Behavior Analytics Proximity policy is implemented as an exclusion criterion. In this release, the user interface (UI) is updated to clarify this behavior. The default value is None, and no network locations are excluded by default.

Support for 50 AWS Browser Services

In the past, Netskope supported 50 AWS services across all associated API traffic. With this release, there is parity and support for browser/console traffic across these 50 AWS services.

To learn more: 50 Services and Activities.

Google Forms Activity Detection

With this release, Netskope adds new coverage for the Google Forms browser platform. A POST activity is detected whenever you fill in and submit a form.

Atlassian Confluence Copy Event

In this release, Netskope adds new coverage for Copy activity in the Atlassian Confluence browser platform. This generates an event whenever you use the Copy feature in Confluence.

DLP Support for SurveyMonkey

Netskope now enables DLP support for Edit, Create, and Post activities in the SurveyMonkey browser application. You can now apply DLP policies for your content followed by DLP inspection.

New App Connector Support for Guidewire

The new app connector support for the Guidewire application on the browser platform allows you to detect the following activities:

  • Login Successful

  • Login Attempt

  • Upload

  • Download

  • Logout

Activity Detection in Asana

In this release, Netskope added a new Asana app connector and activity detection on the browser platform for the following activities:

  • Login Successful

  • Logout

  • Login Failed

  • Login Attempt

  • Upload

  • Download

Japan Entities Support

In this release, Netskope includes the following Japan-specific predefined data identifiers in DLP rules:

  • Postal Addresses (JP)

  • Regional Identifiers (JP)

Multiple DLP Profile Matches Report

Netskope introduces an enhancement to the incident details displayed when multiple DLP profiles match in a Real-time Protection policy.

Whenever there are multiple DLP profile matches in a policy, the resulting incident lists all profiles that match along with their corresponding forensic information. The action taken does not change: the most restrictive action continues to be taken and is also reported in the incident details. In addition, each profile match results in a DLP alert.

In the current version of the product, in the event of multiple DLP profile matches, only the profile associated with the most restrictive action is reported in an incident. This enhancement provides a complete view of the types of data involved in an incident along with the corresponding forensic details.

Entity Modifiers in a DLP Rule

You can now modify the entity to narrow down the search results associated with that entity while creating a custom or data entity.

The entity modifier includes the ability to add conditions to include or exclude specific keywords or regexes. You can find this feature under Advanced Options as part of the Create Entity UI for creating custom entities. The options to modify the entity include the following conditions that you can add to the entity:

  • Begins with

  • Does not begin with

  • Ends with

  • Does not end with

  • Does not match

To learn more: DLP Entity.

File Encryption Classification Information to UEBA

In this release, Netskope introduces a new DLP bypass alert that is generated when an unknown file type is detected as encrypted by the ML-based encryption detection module in DLP. DLP does not inspect such files. UEBA uses these bypass alerts to identify new and specific insider risk scenarios.

Payment Card Entities Updates

This release includes numerous payment card entities updates and improvements, including the Payment Card Numbers vendor/brand–specific entities. Some of the updates include:

  • Addition of dot-delimited support to Major Networks (all) and several other cards.

  • A group of cards from obsolete brands was renamed to start with “Defunct”.

  • IIN (Issuer Identification Number) updates for various cards.

In addition, Netskope added the following 15 new payment card entities (including support for the Mir and RuPay networks):

  • Defunct Card Numbers (Diners Club NA)

  • Defunct Card Numbers (Diners Club enRoute)

  • Defunct Card Numbers (all) - Use this entity to match obsolete numbers. This allows a single convenient entity rather than having to OR each of the following seven together manually:

      • Defunct Card Numbers (Bankcard)

      • Defunct Card Numbers (Diners Club NA)

      • Defunct Card Numbers (Diners Club enRoute)

      • Defunct Card Numbers (InstaPayment)

      • Defunct Card Numbers (Laser)

      • Defunct Card Numbers (Solo)

      • Defunct Card Numbers (Switch)

  • Card Numbers (Major Networks; with dots)

  • Card Numbers (Mir)

  • Card Numbers (RuPay)

  • Domestic Card Numbers (all) - Consists of the following new entities:

      • Domestic Card Numbers (AM, ArCa)

      • Domestic Card Numbers (BY, BelKart)

      • Domestic Card Numbers (KG, Elcart)

      • Domestic Card Numbers (RS, DinaCard)

      • Domestic Card Numbers (SE, ICA)

      • Domestic Card Numbers (TR, Troy)

      • Domestic Card Numbers (UA, NSMEP)

      • Domestic Card Numbers (UZ, Humo)

Even though only the entities are updated, the update affects the rules and profiles that use these entities, which can have either fewer or more matches due to overall changes to IIN ranges, formatting, and other support.

Finally, this release also improves all predefined PAN-related Rules (both US and International), and all Finance and PCI–related profiles. Similarly, this also improves custom rules that utilize the predefined Payment Card Numbers entities.

Forensics Capture in AWS and GCP

You can now select AWS S3 or Google Cloud Storage as a destination to store incident forensics. To enable this for your tenant, select the Forensics checkbox on the Instance Settings page. Afterward, you can create a forensics profile using AWS or Google Cloud Storage to make this profile active for the tenant.

Support Granular Policy Controls in AWS (Storage Scan)

You can now set up granular data loss prevention (DLP) policies using the UI to focus scans on critical parts of the cloud infrastructure. Granular policy controls include container-level attributes like bucket name, tags, region, and access. You can also build policies using object-level attributes like name, key, content type, extension, and so on.

Note

This is currently behind a feature flag. Contact Support or your account team to have this enabled for your tenant.

Support Malware Scanning as part of API Data Protection Policy

This feature provides granular controls for malware scanning. Using attributes at the container and object levels, users can set coarse or fine-grained malware policies across their GCP and AWS accounts.

The benefits of using this granular policy feature include:

  • Cost optimization by creating focused scans.

  • Mitigate alert fatigue by reducing false positives on scans.

Note

This feature requires a feature flag to be enabled. Please contact your account team or the support team to enable this feature.

Confluence And Jira Instance ID Enhancements

In this release, Netskope modified the logic for instance_id extraction for the Confluence and Jira applications. Now, instance_ids are based on your Confluence and Jira domains respectively rather than the from_user variable. For example, if your domain is netskope.atlassian.net, then you get Netskope as the instance_id even though the login from_user is "user@netcracker.com".

Correlate Transaction Events with App Events

In this release, a new field x-transaction-id is added to the end of each transaction event. The transaction ID is also included in the application event and can be used to identify the transaction associated with the application event.

Single URL Entry

You can now have a single entry (*.domain.com) instead of two entries (*.domain.com and domain.com) in a URL list to derive a custom category. You can use the custom category in various places such as policy. If you create other configurations where domain names are accepted directly (such as policy), you still need to specify two separate entries to match subdomains as well as the domain itself. Future changes will include other Netskope subsystems in merging *.domain.com and domain.com.

Remote Browser Isolation (RBI) Template Policy in Real-time Protection Policies

Netskope introduces a new RBI template policy in the admin console for Real-time Protection policies. The RBI template assists customers in:

  • RBI policy creation.

  • Pre-filling supported categories and additional criteria.

  • Providing warning messages if policy deviates from supported use cases.

NPA DNS Traffic over UDP and TCP

With this release, the Netskope client steers NPA DNS traffic over both UDP and TCP. This does not require any additional configuration beyond configuring the Publisher DNS capability for the associated private apps.

Qualified CN and SAN Entries

The CN and SAN entries of a certificate must be Fully Qualified Domain Names (FQDNs) or wildcards of an FQDN. The UI verifies the CN and SAN entries and rejects them if they are incorrect.
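
A pre-flight check in the spirit of this rule, as an added example (not Netskope's validation logic): it treats a name as qualified when it has at least two valid DNS labels and allows `*` only as the whole leftmost label. The function names and sample names are constructed, and the exact rules the UI applies are an assumption.

```python
import re

# One DNS label: 1-63 chars of letters, digits or hyphen, with no leading
# or trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_fqdn_or_wildcard(name):
    """True if name is an FQDN or a wildcard of one (e.g. *.apps.example.com)."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if labels[0] == "*":      # wildcard accepted only as the whole leftmost label
        labels = labels[1:]
    if len(labels) < 2:       # assumption: "intranet", "*.com" and "*" are not qualified
        return False
    if labels[-1].isdigit():  # numeric last label means an IP address, not a name
        return False
    # Every remaining label must be a plain DNS label, so "app.*.example.com",
    # "a*.example.com" and names with empty labels all fail here.
    return all(LABEL_RE.fullmatch(label) for label in labels)


def check_cert_names(cn, sans):
    """Return the entries that fail the FQDN rule, CN first."""
    return [n for n in [cn, *sans] if not is_fqdn_or_wildcard(n)]


if __name__ == "__main__":
    # Constructed sample: one valid CN, and SANs of mixed quality.
    bad = check_cert_names(
        "app.corp.example.com",
        ["*.corp.example.com", "intranet", "10.0.0.5", "app.*.example.com"],
    )
    print("entries to fix before upload:", bad)
```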

NPA APIs

NPA now supports APIs for publisher and application management to streamline operations. These APIs enable administrators to automate the process of configuring (publishing) private applications as well as management of publisher instances. The APIs offered have parity to the Netskope UI. In other words, administrators can execute the same operations using the Netskope UI or APIs.

To learn more: Private Access REST APIs

HTTP Header Usernames in Clientless Requests

The authenticated username (email) from the SAML assertion (part of the NPA authentication cookie) is added to browser access requests to private apps. The username is Base64 encoded and is sent in the 'X-Authenticated-User' HTTP header of the HTTP request to the private app.
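
One way a private app could read this header, as an added example (not Netskope code). It assumes standard Base64 of a UTF-8 e-mail address and that the app is reachable only through the publisher, since the same header sent by any other client carries no assurance; the names `authenticated_user` and `HeaderError` and the sample address are constructed.

```python
import base64
import binascii
import re

HEADER = "X-Authenticated-User"  # header name as given in the release note
# Deliberately simple shape check (assumption: usernames are plain e-mail addresses).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class HeaderError(ValueError):
    """The header is missing, duplicated, or not a Base64-encoded e-mail."""


def authenticated_user(headers):
    """Return the lower-cased e-mail from a list of (name, value) header pairs."""
    # Header names are case-insensitive; collect every copy of ours.
    values = [v.strip() for k, v in headers if k.lower() == HEADER.lower()]
    if len(values) != 1:
        # Zero copies: no identity was supplied. Several: refuse to pick one.
        raise HeaderError(f"expected exactly one {HEADER} header, got {len(values)}")
    try:
        # validate=True rejects characters outside the Base64 alphabet
        # instead of silently discarding them.
        email = base64.b64decode(values[0], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise HeaderError(f"{HEADER} is not valid Base64 text") from exc
    # fullmatch also rejects decoded values carrying CR/LF or extra tokens,
    # so the result is safe to write to logs or use as a lookup key.
    if not EMAIL_RE.fullmatch(email):
        raise HeaderError(f"{HEADER} does not decode to an e-mail address")
    return email.lower()


if __name__ == "__main__":
    # Constructed request headers for illustration.
    sample = [
        ("Host", "wiki.corp.example.com"),
        ("X-Authenticated-User", base64.b64encode(b"alice@example.com").decode()),
    ]
    print(authenticated_user(sample))
```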

System-Level Publisher Upgrades

You can apply system-level and publisher image updates under the Upgrade menu, at the same time or separately.

NPA Publisher SNAT

In this release, Netskope enhanced the NPA Publisher to support NAT mode transmission of traffic to private apps. This enhancement reduces port consumption and increases throughput, resulting in an improved private app access experience.

NPA Reconnect

In this release, Netskope enhanced the NPA Cloud to support the dynamic routing of traffic to private apps when publishers reconnect. This enhancement reduces client and app re-connections by dynamically routing traffic to available publishers.

URL Performance Statistics

The new nsdiag command option -r <URL> displays URL performance statistics such as connect time, look-up time, and so on. For example, the command ./nsdiag -r www.google.com displays the following statistics:

  • NameLookupTime: 0.1

  • ConnectTime: 0.2

  • AppConnectTime: 0.0

  • PretransferTime: 0.2

  • StarttransferTime: 0.7

  • TotalTime: 0.9

  • RedirectTime: 0.0

  • DownloadSpeed: 19669 bytes/sec

Netskope Client Logs as Strings

With this release, Netskope improves client log readability by representing log level details in Strings instead of Numbers.

  • 5 is represented as debug.

  • 4 is represented as info.

  • 3 is represented as warning.

  • 2 is represented as error.

  • 1 is represented as critical.

Change Log File Size

The default file size of nsdebuglog.log is 10 MB. Use the command nsdiag -m <File Size> to change the maximum log file size, up to 1 GB. For example, nsdiag -m 5 changes the nsdebuglog.log file size to 5 MB.

Gateway IP displays in Netskope Client Configuration

In earlier releases, you could only see the Gateway IP on the client UI. With this enhancement, the client UI displays the POP name along with the gateway IP. This has no impact on client functionality and improves the current configuration information on the client UI. For example, Gateway IP: xx.xx.xx.xx POP: IN-DEL1.

Dynamic Steering and Cloud Firewall Configurations on Netskope Tenant

Enabling dynamic steering and cloud firewall on the Netskope tenant sets the traffic steering type on the Netskope client to All Traffic. On the other hand, enabling dynamic steering and disabling cloud firewall on the Netskope tenant sets the traffic steering type on the Netskope client to All Web Traffic.

Netskope Client Golden Release

Release 90.2 is the current golden release of the Netskope Client. Release 90.2 binaries are available from the Support page. To learn about supported platforms and deployment instructions: Netskope Client Installation guide.

Clear Browser Access Authentication Information

Use the Skope IT > Users option to clear the user's browser access authentication information. As a result, the user needs to authenticate again to access the private app.

Rename Mark as Safe to Add to File Profile

The Mark as Safe functionality allows you to add specific files to a selected file profile. DLP and Threat Protection use the file profile to allow the inclusion or exclusion of specific files based on the different attributes of a file. With this release, the Mark as Safe option is renamed to Add to File Profile to reflect the functionality more accurately.

To learn more: About Malware.

Rename Reject to Block

In this release, the Reject action is renamed to Block, making it consistent with the signature action on the flow; that is, it results in the blocking of the affected flow.

To learn more: Creating a Signature Override.

Netskope Adapters

The Netskope Adapter (NS Adapter) has been tested to ensure compatibility with the current cloud platform. Its version number has been updated to confirm this compatibility. No other changes have been made to the NS Adapter in this release.

In addition to documenting all new and improved features, here is the list of articles with key documentation updates: