Next Generation API Data Protection Feature Matrix per Cloud App

Next Generation API Data Protection supports the following features for the supported SaaS apps:

  • Policy alerts: Generates alerts on the Skope IT > Alerts page when a policy matches.

  • UEBA alerts: Generates User Entity Behavior Analytics (UEBA) alerts on the Skope IT > Alerts page. To learn more about UEBA, see Behavior Analytics.

  • Audit: The audit action generates audit logs/events such as any change made in the SaaS app (upload, download, delete, and more) that Netskope retrieves using API calls. You can view the audit logs/events on the Skope IT > EVENTS > Application Events page of the Netskope UI.

  • DLP: The DLP profiles that enforce compliance and protect sensitive data consist of DLP rules that specify data identifiers. These data identifiers find content that should not be present in cloud app transactions or public cloud storage.

  • Threat Protection: Scans files stored in your cloud storage applications for malware.

    Currently, Netskope allows the default malware profile only. Custom malware profiles will be introduced in a future release.

  • Retroactive Scan: A retroactive policy scans all the files, folders, repositories, and entities for the app instance right from the inception of the SaaS app.

  • Inventory: SaaS apps that support entities on the Inventory page. The Next Generation API Data Protection Inventory page provides deep insights on various entities supported by the SaaS apps.

  • Email Notification: Next Generation API Data Protection supports email notifications in the policy wizard. You can define an email notification for events in the policy wizard. These notifications, triggered by events like policy violations or alerts, provide administrators and designated user groups with timely information about important activities.

  • Delete: Deletes a file from the cloud app when a policy matches.

  • Legal Hold: Preserves all forms of relevant information when litigation is reasonably anticipated. You can choose to have a copy of the file saved for legal purpose if it matches policy criteria.

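| Cloud Apps | Policy Alert | UEBA Alert | Audit | DLP | Threat Protection | Retroactive Scan | Inventory | Email Notification | Delete | Legal Hold |
|---|---|---|---|---|---|---|---|---|---|---|
| Atlassian Confluence | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Atlassian Jira | No | No | Yes | No | No | No | No | No | No | No |
| Citrix ShareFile | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Dropbox | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| GitHub | Yes | No | Yes | Yes## | Yes## | Yes# | Yes | Yes% | No | No |
| Gmail | Yes | Yes | No | Yes$ | Yes | No | Yes$$ | Yes | No | No |
| Google Drive | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes### |
| Microsoft 365 OneDrive (Commercial/GCC) | Yes | Yes | Yes | Yes~ | Yes~ | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 OneDrive (GCC High) | Yes | Yes | Yes | No | No | No | No | Yes | No | No |
| Microsoft 365 Outlook (Commercial/GCC) | Yes | No | Yes | Yes~~ | Yes | No | Yes** | Yes | No | No |
| Microsoft 365 SharePoint (Commercial/GCC) | Yes | Yes | Yes | Yes~ | Yes~ | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 SharePoint (GCC High) | Yes | Yes | Yes | No | No | No | No | Yes | No | No |
| Microsoft 365 Teams (Commercial) | Yes | Yes | Yes | Yes~ | Yes~ | Yes~~~ | Yes | Yes | No | No |
| Microsoft 365 Teams (GCC High) | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Microsoft 365 Yammer | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No | No |
| Okta | No | Yes | Yes | No | No | No | No | No | No | No |
| Salesforce | Yes | Yes | Yes | Yes | Yes | Yes$$$ | Yes | Yes | Yes%% | No |
| Workday | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Zendesk | No | No | Yes | No | No | No | No | No | No | No |
| Zoom | Yes | No | Yes | Yes* | No | No | Yes | Yes | No | No |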

#You can scan up to the last 10 days for default branch commits only.

##Netskope can scan for DLP and threat protection on plain text source code only. Netskope does not scan binary files such as Microsoft Office docs, PDFs, images, executable files, and the like. Each section of a commit that includes any violations will result in a unique incident with a URL linking to that section of the commit. To view a DLP incident, navigate to Incidents > DLP, look for a GitHub incident, and click it.

###Netskope does not support Google Jamboard and Google Apps Script file types for legal hold.

%The Owner field does not apply to repository when you configure email notification for GitHub.

%%For Salesforce files such as content document, document, and attachment, Netskope supports soft-delete only. This is due to an upstream API limitation. When the delete action is performed, Netskope moves the file to the recycle bin.

~Netskope does not scan any OneNote files for DLP and threat protection on Microsoft 365 OneDrive (Commercial), SharePoint (Commercial), and Teams (Commercial).

~~DLP scan on outgoing emails (sent folder). Netskope can scan the body of the message (including subject) and attachments.

~~~For Microsoft 365 Teams (commercial), files and messages created or updated in the past 90 days will be scanned. Currently, Netskope does not store the objects discovered during this retroactive scan in the database, so these files and messages do not appear on the inventory page. In one-to-one, group, and meeting chats, messages sent by users with a valid Entra ID license will be scanned.

*DLP scan on Zoom “Team Chat” private and channel message content only. No DLP scanning on “in-meeting” chat messages.

**The Inventory page displays emails that have either violated a policy, or contain an attachment that violated a policy.

$DLP scan on outgoing emails (sent folder). Netskope can scan the body of the message (including subject) and attachments.

$$The Inventory page displays emails that have either violated a policy, or contain an attachment that violated a policy.

$$$Salesforce supports retroactive scan for file (content document, document, attachment), message (chatter message), page (feed item), and comment (feed comment). However, for message, page, and comment entity types, Netskope only lists and scans entities that were either created or updated within the past 180 days (current time [minus] 180 days).

Additional feature matrix for the supported SaaS apps:

  • Change owner to specific user: This action changes the owner of the file to a specific user. Designates the administrative owner of files and folders for which the policy is applied.

  • Restrict access to owner: This action restricts the access of the file to the owner only.

  • Restrict access to internal collaborators: This action restricts the access of the file to users within the organization and domains as defined under Settings > Administration > Internal Domains.

  • Restrict access to specific domains and internal collaborators: This action restricts the access of the file to selected domain(s) and internal collaborators as defined in the previous bullet item. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
  • Revoke Users Added at the File Level: This action removes access to the file for individually listed users, whether internal or external. Special behavior applies to Microsoft 365 OneDrive & SharePoint. To learn more, see Policy Action Special Behavior.

  • Revoke organization-wide sharing: This action removes any kind of organization-wide sharing links and access.

  • Revoke Public Sharing: This action removes general access/public links. Only users who have access can open the file.

  • Revoke specific domains: This action removes access for users matching the specified domain profile. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
  • Quarantine: Allows you to quarantine a file if a user uploads a document that has a DLP violation. This moves the file to a quarantine folder for you to review and take appropriate action.

  • Threat Protection Quarantine: This action quarantines a malware-infected file. This moves the file to a quarantine folder for you to review and take appropriate action.

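| Cloud Apps | Change Owner to Specific User | Restrict Access to Owner | Restrict Access to Internal Collaborators | Restrict Access to Specific Domains and Internal Collaborators | Revoke Users Added at the File Level | Revoke Organization-wide Sharing | Revoke Public Sharing | Revoke Specific Domains | Quarantine | Threat Protection Quarantine |
|---|---|---|---|---|---|---|---|---|---|---|
| Atlassian Confluence | No | No | Yes | Yes | No | No | No | Yes | No | No |
| Atlassian Jira | No | No | No | No | No | No | No | No | No | No |
| Citrix ShareFile | No | No | No | No | No | No | No | No | No | No |
| Dropbox | No | No | Yes~~ | Yes~~ | No | Yes~~ | No | Yes~~ | Yes | Yes |
| Microsoft 365 Teams (GCC High) | No | No | No | No | No | No | No | No | No | No |
| GitHub | No | No | Yes~ | No | No | No | No | No | No | No |
| Gmail | No | No | No | No | No | No | No | No | No | No |
| Google Drive** | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 OneDrive (Commercial/GCC)* | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes$ | Yes |
| Microsoft 365 OneDrive (GCC High) | No | No | No | No | No | No | No | No | No | No |
| Microsoft 365 Outlook (Commercial/GCC) | No | No | No | No | No | No | No | No | No | No |
| Microsoft 365 SharePoint (Commercial/GCC)* | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes$ | Yes |
| Microsoft 365 SharePoint (GCC High) | No | No | No | No | No | No | No | No | No | No |
| Microsoft 365 Teams (Commercial) | No | Yes | No | No | No | No | No | No | No | No |
| Microsoft 365 Yammer | No | No | No | No | No | No | No | No | No | No |
| Okta | No | No | No | No | No | No | No | No | No | No |
| Salesforce | No | No | No | No | No | No | No | No | Yes~~~ | Yes |
| Workday | Yes*** | Yes | Yes | Yes | No | Yes | No | Yes | No | No |
| Zendesk | No | No | No | No | No | No | No | No | No | No |
| Zoom | No | No | No | No | No | No | No | No | No | No |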

$If you have any Microsoft Purview Information Protection (formerly Microsoft Information Protection)-encrypted files in Microsoft 365 OneDrive or SharePoint, Netskope cannot tombstone such encrypted files. This is due to a limitation in the Microsoft Graph API.

~Currently, Netskope does not support the Restrict Access to Internal Collaborators remediation action in GitHub from the Incidents page. As a workaround, you can restrict access to internal collaborators either from the policy wizard page or by navigating to API-enabled Protection > CASB API (Next Gen) > Inventory, then clicking the Content Collections drop-down and selecting Repository. Identify the repository name, and take the appropriate action.

~~Dropbox restricts permissions at the file level. Netskope does not restrict permissions that are inherited from the folder because restricting inherited permissions will also impact other files’ permissions.

~~~You cannot specify Salesforce as a quarantine destination. However, an offending file or an object can be quarantined to a different SaaS app as a destination (like Google Drive, Microsoft 365 OneDrive or SharePoint).

*In Microsoft 365 OneDrive & SharePoint, files can inherit sharing links from a parent folder. Such sharing links cannot be deleted or trimmed at the file level, but must be deleted at the folder where they originate. For a given file, when executing remediation actions (either manually from the Inventory page or through policies), the Next Generation API Data Protection automatically deletes inherited sharing links at the parent folder level, if deemed necessary, in order to remove file access from a user in violation of a policy.

**Important points to note on Google Drive:

  • Change owner to a specific user – Since there is no owner in Google shared drive, Netskope cannot change owner on files or folders in a shared drive. This action applies to My Drive only.

  • Restrict access to owner – Since there is no owner in Google shared drive, Netskope cannot restrict access to owner on files or folders in a shared drive. This action applies to My Drive only.

  • Restrict access for inherited permission – Netskope does not delete inherited permissions from files or folders in a shared drive, as removing these inherited permissions would also remove them from any files or folders that have those permissions. Therefore, Netskope retains inherited permissions and does not remove them.

  • Policy action for files and folders in a shared drive – Netskope only applies policy actions to files or folders in a shared drive if there is a user with a Manager/Content Manager/Writer role on the shared drive. Netskope impersonates that user to carry out the policy action. If there are no permissions granted to any user with these roles on the shared drive, Netskope will not perform the policy action, even if there is a policy hit.

  • Quarantine: Netskope does not support Google Jamboard and Google Apps Script file types for quarantine.

***Workday automatically restricts access to the new owner only. All others, including the previous owner, will no longer have access to the file.
