Next Generation API Data Protection Feature Matrix per Cloud App

Next Generation API Data Protection supports the following features for the supported SaaS apps:

  • Policy alerts: Generates alerts on the Skope IT > Alerts page when a policy matches.

  • UEBA alerts: Generates User Entity Behavior Analytics (UEBA) alerts on the Skope IT > Alerts page. To learn more about UEBA, see Behavior Analytics.

  • Audit: The audit action generates audit logs/events such as any change made in the SaaS app (upload, download, delete, and more) that Netskope retrieves using API calls. You can view the audit logs/events on the Skope IT > EVENTS > Application Events page of the Netskope UI.

  • DLP: The DLP profiles that enforce compliance and protect sensitive data consist of DLP rules that specify data identifiers. These data identifiers find content that should not be present in cloud app transactions or public cloud storage.

  • Threat Protection: Scans files stored in your cloud storage applications for malware.

    Currently, Netskope allows the default malware profile only. Custom malware profiles will be introduced in a future release.

  • Retroactive Scan: A retroactive policy scans all the files, folders, repositories, and entities for the app instance right from the inception of the SaaS app.

  • Dashboard: Similar to Classic API Data Protection, Next Generation API Data Protection has a dashboard page. This page provides a high-level overview of total number of files, files with DLP violations, malware-infected files, internal and external users, file exposure, file DLP violations widget categorized by DLP rule or profile, and more.

  • Inventory: SaaS apps that support entities on the Inventory page. The Next Generation API Data Protection Inventory page provides deep insights on various entities supported by the SaaS apps.

  • Email Notification: Next Generation API Data Protection supports email notification in policy wizard. With this enhancement, you can now define an email notification for events in the policy wizard. These notifications, triggered by events like policy violations or alerts, provide administrators and designated user groups with timely information about important activities.

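| Cloud Apps | Policy Alert | UEBA Alert | Audit | DLP | Threat Protection | Retroactive Scan | Dashboard | Inventory | Email Notification |
|---|---|---|---|---|---|---|---|---|---|
| Atlassian Confluence | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Atlassian Jira | No | No | Yes | No | No | No | No | No | No |
| ChatGPT Enterprise | Yes | No | Yes | Yes | Yes | Yes### | Yes | Yes | Yes |
| Box | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco Webex | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Citrix ShareFile | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Dropbox | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Egnyte | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| GitHub | Yes | No | Yes | Yes## | Yes## | Yes# | No | Yes | Yes% |
| Gmail | Yes | Yes | No | Yes$ | Yes | No | Yes | Yes$$ | Yes |
| Google Drive | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 OneDrive (Commercial/GCC) | Yes | Yes | Yes | Yes~ | Yes~ | Yes | Yes | Yes | Yes |
| Microsoft 365 OneDrive (GCC High) | Yes | Yes | Yes | No | No | No | No | No | Yes |
| Microsoft 365 Outlook (Commercial/GCC) | Yes | No | Yes | Yes~~ | Yes | No | Yes | Yes** | Yes |
| Microsoft 365 SharePoint (Commercial/GCC) | Yes | Yes | Yes | Yes~ | Yes~ | Yes | Yes | Yes | Yes |
| Microsoft 365 SharePoint (GCC High) | Yes | Yes | Yes | No | No | No | No | No | Yes |
| Microsoft 365 Teams (Commercial) | Yes | Yes | Yes | Yes~ | Yes~ | No | Yes | Yes | Yes |
| Microsoft 365 Teams (GCC High) | Yes | Yes | Yes | No | No | No | No | No | No |
| Microsoft 365 Yammer | Yes | Yes | Yes | Yes | No | No | No | Yes | Yes |
| Okta | No | Yes | Yes | No | No | No | No | No | No |
| Salesforce | Yes | Yes | Yes | Yes | Yes | Yes$$$ | No | Yes | Yes |
| ServiceNow | Yes | No | No | Yes%% | Yes%%% | Yes | Yes | Yes | Yes |
| Slack Enterprise | Yes | Yes | Yes | Yes | Yes | Yes*** | Yes | Yes | Yes |
| Workday | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Zendesk | No | No | Yes | No | No | No | No | No | No |
| Zoom | Yes | No | Yes | Yes* | No | No | No | Yes | Yes |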

#You can scan up to the last 10 days for default branch commits only.

##Netskope can scan for DLP and threat protection on plain text source code only. Netskope does not scan binary files such as Microsoft Office docs, PDFs, images, executable files, and the like. Each section of a commit that includes any violations will result in a unique incident with a URL linking to that section of the commit. To view a DLP incident, navigate to Incidents > DLP, look for a GitHub incident, and click it.

###You can scan up to the last 90 days from when the retroactive scan is initiated.

%The Owner field does not apply to repository when you configure email notification for GitHub.

%%For ServiceNow, Netskope supports DLP for the record field values and attachment content. However, work notes and comments content are not supported yet.

%%%For ServiceNow, Netskope supports threat protection for attachments only.

~Netskope does not scan any OneNote files for DLP and threat protection on Microsoft 365 OneDrive (Commercial), SharePoint (Commercial), and Teams (Commercial).

~Microsoft 365 Teams (Commercial): Microsoft does not provide any webhook notification for files uploaded through the files and wiki tab of Microsoft 365 Teams. Due to this limitation, Netskope does not support DLP scanning and threat protection for such file uploads. However, Netskope detects files sent as an attachment from a channel’s chat window. For full coverage, you should set up respective API Data Protection instances for Microsoft Office 365 OneDrive and SharePoint.

~~DLP scan and threat protection on outgoing emails (sent folder). Netskope can scan the body of the message (including subject) and attachment.

*DLP scan on Zoom “Team Chat” private and channel message content only. No DLP scanning on “in-meeting” chat messages.

**The Inventory page displays emails that have either violated a policy, or contain an attachment that violated a policy.

***For Slack Enterprise, Netskope provides retroactive scanning of messages and files from the past 90 days.

$DLP scan and threat protection on outgoing emails (sent folder). Netskope can scan the body of the message (including subject) and attachments.

$$The Inventory page displays emails that have either violated a policy, or contain an attachment that violated a policy.

$$$Salesforce supports retroactive scan for file (content document, document, attachment), message (chatter message), page (feed item), and comment (feed comment). However, for message, page, and comment entity types, Netskope only lists and scans entities that were either created or updated within the past 180 days (current time [minus] 180 days).

Additional feature matrix for the supported SaaS apps:

  • Change Owner to Specific User: This action changes the owner of the file to a specific user. Designates the administrative owner of files and folders for which the policy is applied.

  • Restrict Access to Internal Users: This action restricts the access of the file to users within the organization and domains as defined under Settings > Administration > Internal Domains.

  • Restrict Access to Owner: This action restricts the access of the file to the owner only.

  • Restrict Access to Specific Domains and Internal Users: This action restricts the access of the file to selected domain(s) and internal collaborators as defined in the previous bullet item. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
  • Revoke Users Added at the File Level: This action removes individually listed users, whether internal or external, from accessing the file. For special behavior on Microsoft 365 OneDrive & SharePoint, see Policy Action Special Behavior.

  • Revoke Organization-wide Sharing: This action removes any kind of organization-wide sharing links and access.

  • Revoke Public Sharing: This action removes general access/public links. Only users who have access can open the file.

  • Revoke Access from Specific Domains: This action removes access for users matching the specified domain profile. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

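    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.

| Cloud Apps | Change Owner to Specific User | Restrict Access to Internal Users | Restrict Access to Owner | Restrict Access to Specific Domains and Internal Users | Revoke Users Added at the File Level | Revoke Organization-wide Sharing | Revoke Public Sharing | Revoke Access from Specific Domains |
|---|---|---|---|---|---|---|---|---|
| Atlassian Confluence | No | Yes | No | Yes | No | No | No | Yes |
| Atlassian Jira | No | No | No | No | No | No | No | No |
| Box## | Yes# | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ChatGPT Enterprise | No | No | No | No | No | No | No | No |
| Cisco Webex | No | No | No | No | No | No | No | No |
| Citrix ShareFile | No | No | No | No | No | No | No | No |
| Dropbox## | No | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Egnyte | No | Yes | No | Yes | Yes~~~ | Yes | Yes | Yes~~~ |
| GitHub | No | Yes~ | No | No | No | No | No | No |
| Gmail | No | No | No | No | No | No | No | No |
| Google Drive** | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Microsoft 365 OneDrive (Commercial/GCC)* | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 OneDrive (GCC High) | No | No | No | No | No | No | No | No |
| Microsoft 365 Outlook (Commercial/GCC) | No | No | No | No | No | No | No | No |
| Microsoft 365 SharePoint (Commercial/GCC)* | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft 365 SharePoint (GCC High) | No | No | No | No | No | No | No | No |
| Microsoft 365 Teams (Commercial) | No | No | Yes | No | No | No | No | No |
| Microsoft 365 Teams (GCC High) | No | No | No | No | No | No | No | No |
| Microsoft 365 Yammer | No | No | No | No | No | No | No | No |
| Okta | No | No | No | No | No | No | No | No |
| Salesforce | No | No | No | No | No | No | No | No |
| ServiceNow | No | No | No | No | No | No | No | No |
| Slack Enterprise | No | No | No | No | No | No | No | No |
| Workday | Yes*** | Yes | Yes | Yes | No | Yes | No | Yes |
| Zendesk | No | No | No | No | No | No | No | No |
| Zoom | No | No | No | No | No | No | No | No |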

#Box supports changing the owner of the file only, not the folder.

##For the restrict or revoke access remediation actions, the default setting does not restrict or revoke inherited permissions when they match the policy. If you would like to enable this feature for Box and Dropbox, talk to your Netskope sales representative.

~Currently, Netskope does not support Restrict Access to Internal Collaborators remediation action in GitHub from the Incidents page. As a workaround, you can restrict access to internal collaborators either from the policy wizard page or navigate to API-enabled Protection > CASB API (Next Gen) > Inventory, then click the Content Collections drop-down and select Repository. Identify the repository name, and take the appropriate action.

~~~A sharing link with multiple recipients will be deleted even if a single recipient’s access is revoked.

*In Microsoft 365 OneDrive & SharePoint, files can inherit sharing links from a parent folder. Such sharing links cannot be deleted or trimmed at the file level, but must be deleted at the folder where they originate. For a given file, when executing remediation actions (either manually from the Inventory page or through policies), the Next Generation API Data Protection automatically deletes inherited sharing links at the parent folder level, if deemed necessary, in order to remove file access from a user in violation of a policy.

**Important points to note on Google Drive:

  • Change owner to a specific user – Since there is no owner in Google shared drive, Netskope cannot change owner on files or folders in a shared drive. This action applies to My Drive only.

  • Restrict access to owner – Since there is no owner in Google shared drive, Netskope cannot restrict access to owner on files or folders in a shared drive. This action applies to My Drive only.

  • Restrict access for inherited permission – Netskope does not delete inherited permissions from files or folders in a shared drive, as removing these inherited permissions would also remove them from any files or folders that have those permissions. Therefore, Netskope retains inherited permissions and does not remove them.

  • Policy action for files and folders in a shared drive – Netskope only applies policy actions to files or folders in a shared drive if there is a user with a Manager/Content Manager/Writer role on the shared drive. Netskope impersonates that user to carry out the policy action. If there are no permissions granted to any user with these roles on the shared drive, Netskope will not perform the policy action, even if there is a policy hit.

  • Quarantine: Netskope does not support Google Jamboard and Google Apps Script file types for quarantine.

***Workday automatically restricts the access to the new owner only. All other users, including the previous owner, will no longer have access to the file.

Additional feature matrix for the supported SaaS apps:

  • Restrict Access to Owner’s Domain: Restrict access to users within the current domain. Remove file permissions if a user’s email domain differs from the file owner’s. Only users in the current domain will have access.

  • Restrict Access to Specific Domains: Restrict access to users of the domains in the domain profile. Only users matching the specified domain profile will have access.

  • Restrict Access to Specific Users: Restrict access only to the users in the user profile. Only users matching the specified user profile will have access.

  • Revoke Access from Specific Users: Revoke access to all users except the ones in block-list user profiles. Remove access for users matching the specified user profile.

  • Disable Print & Download: Restrict users from printing and downloading files. You can apply this policy action to restrict access to view only.

    This action applies to users who have viewing and commenting permissions only.
  • Set Link Expiration Date: Publicly shared links will expire after ‘x’ days.

  • Restrict Sharing to View: Remove edit and comment permissions from files and folders.

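| Cloud App | Restrict Access to Owner's Domain | Restrict Access to Specific Domains | Restrict Access to Specific Users | Revoke Access from Specific Users | Disable Print & Download | Set Link Expiration Date | Restrict Sharing to View |
|---|---|---|---|---|---|---|---|
| Atlassian Confluence | Yes | Yes | No | No | No | No | No |
| Atlassian Jira | No | No | No | No | No | No | No |
| ChatGPT Enterprise | No | No | No | No | No | No | No |
| Box*** | Yes | Yes | Yes | Yes | Yes* | Yes^^ | Yes** |
| Cisco Webex | No | No | No | No | No | No | No |
| Citrix ShareFile | No | No | No | No | No | No | No |
| Dropbox*** | Yes | Yes | Yes | Yes | Yes^ | No | Yes$$ |
| Egnyte | Yes$ | Yes## | Yes## | Yes## | No | No | Yes |
| GitHub | No | No | No | No | No | No | No |
| Gmail | No | No | No | No | No | No | No |
| Google Drive | Yes | Yes | Yes | No | Yes | No | Yes |
| Microsoft 365 OneDrive (Commercial/GCC) | Yes | Yes | Yes | Yes | No | No | Yes# |
| Microsoft 365 OneDrive (GCC High) | No | No | No | No | No | No | No |
| Microsoft 365 Outlook (Commercial/GCC) | No | No | No | No | No | No | No |
| Microsoft 365 SharePoint (Commercial/GCC) | Yes | Yes | Yes | Yes | No | No | Yes# |
| Microsoft 365 SharePoint (GCC High) | No | No | No | No | No | No | No |
| Microsoft 365 Teams (Commercial) | No | No | No | No | No | No | No |
| Microsoft 365 Teams (GCC High) | No | No | No | No | No | No | No |
| Microsoft 365 Yammer | No | No | No | No | No | No | No |
| Okta | No | No | No | No | No | No | No |
| Salesforce | No | No | No | No | No | No | No |
| ServiceNow | No | No | No | No | No | No | No |
| Slack Enterprise | No | No | No | No | No | No | No |
| Workday | Yes | Yes | Yes | No | No | No | No |
| Zendesk | No | No | No | No | No | No | No |
| Zoom | No | No | No | No | No | No | No |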

^Netskope disables downloads for shared links, but users or groups with file access permissions can still download the file.

^^Log in to Box as an admin, then navigate to Admin Console > Enterprise Settings > Content & Sharing tab. Scroll down to the Auto-Expiration setting and enable Allow item owners and editors to modify the expiration date. This setting is required for this action to work.

*Box does not directly support the disable download action. To support this action, Netskope locks the file so that you cannot download the file.

**Box does not directly support the view only action. To support this action, Netskope locks the file and the permissions of all the collaborators in the Box file/folder are set to viewer access level so that the collaborators cannot unlock the file.

***For the restrict or revoke access remediation actions, the default setting does not restrict or revoke inherited permissions when they match the policy. If you would like to enable this feature for Box and Dropbox, talk to your Netskope sales representative.

#The Restrict Access to View action for Microsoft 365 OneDrive & SharePoint relies on ‘beta’ Microsoft Graph APIs. So the behavior might be inconsistent.

##A sharing link with multiple recipients will be deleted even if a single recipient’s access is revoked.

$Egnyte’s file owner is categorized as follows:

  • File in shared folder: Owner is set to Egnyte instance’s connected OAuth user.

  • File in private folder: Owner is set to the admin/power user who owns the private folder.

A sharing link with multiple recipients will be deleted even if a single recipient’s access is revoked.

$$In Dropbox, a file could either have a shared link with view access or write access. With this action, Netskope removes the write access shared link to make sure the file is read only.

Additional feature matrix for the supported SaaS apps:

  • Delete: Deletes a file from the cloud app when a policy matches.

  • Legal Hold: Preserves all forms of relevant information when litigation is reasonably anticipated. You can choose to have a copy of the file saved for legal purpose if it matches policy criteria.

  • Quarantine: Allows you to quarantine a file if a user uploads a document that has a DLP violation. This moves the file to a quarantine folder for you to review and take appropriate action.

  • Threat Protection Quarantine: This action quarantines a malware-infected file. This moves the file to a quarantine folder for you to review and take appropriate action.

  • DRM (Box Label): Box allows users to classify, label, and protect data as part of its security classification capability. Next Generation API Data Protection has introduced a new policy action – Apply Sensitivity Label. With this action, you can now apply a Box classification label on DLP-sensitive Box files.

  • DRM (Microsoft Purview Information Protection): Microsoft Purview Information Protection (MPIP, formerly Microsoft Information Protection) is a Digital Rights Management (DRM) solution provided by Microsoft to help classify, label, and protect data. Next Generation API Data Protection has introduced a new policy action – Apply Sensitivity Label. With this action, you can apply an MPIP label on DLP-sensitive files.

  • DRM (Google Badged Label): Netskope supports Google’s badged label, a content classification feature. With this new capability, Netskope can read through the badged labels in Google Drive and apply a policy action. For example, if a document matches a badged label value which is deemed sensitive, an alert action can be taken. To learn more: Create a Next Generation API Data Protection Policy

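| Cloud App | Delete | Legal Hold | Quarantine | Threat Protection Quarantine | DRM (Box Label) | DRM (Microsoft Purview Information Protection) | DRM (Google Badged Label) |
|---|---|---|---|---|---|---|---|
| Atlassian Confluence | No | No | No | No | No | No | No |
| Atlassian Jira | No | No | No | No | No | No | No |
| ChatGPT Enterprise | No | No | No | No | No | No | No |
| Box | Yes# | Yes | Yes | Yes | Yes | Yes | No |
| Cisco Webex | Yes | No | No | No | No | No | No |
| Citrix ShareFile | No | No | No | No | No | No | No |
| Dropbox | Yes | Yes | Yes | Yes | No | Yes | No |
| Egnyte | Yes | Yes | Yes | Yes | No | Yes | No |
| GitHub | No | No | No | No | No | No | No |
| Gmail | No | No | No | No | No | No | No |
| Google Drive | Yes | Yes### | Yes | Yes | No | Yes | Yes (read only) |
| Microsoft 365 OneDrive (Commercial/GCC) | Yes | Yes | Yes$ | Yes | No | Yes | No |
| Microsoft 365 OneDrive (GCC High) | No | No | No | No | No | No | No |
| Microsoft 365 Outlook (Commercial/GCC) | No | No | No | No | No | No | No |
| Microsoft 365 SharePoint (Commercial/GCC) | Yes | Yes | Yes$ | Yes | No | Yes | No |
| Microsoft 365 SharePoint (GCC High) | No | No | No | No | No | No | No |
| Microsoft 365 Teams (Commercial) | No | No | No$$ | No | No | No | No |
| Microsoft 365 Teams (GCC High) | No | No | No | No | No | No | No |
| Microsoft 365 Yammer | No | No | No | No | No | No | No |
| Okta | No | No | No | No | No | No | No |
| Salesforce | Yes%% | Yes~~~ | Yes~~~ | Yes | No | No | No |
| ServiceNow | No | No | No | No | No | No | No |
| Slack Enterprise | Yes | Yes | Yes | Yes | No | No | No |
| Workday | No | No | No | No | No | No | No |
| Zendesk | No | No | No | No | No | No | No |
| Zoom | No | No | No | No | No | No | No |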

#The choice between moving files to trash or permanently deleting them in Box is determined in the Box admin console. To configure this setting, go to Admin Console > Enterprise Settings > Content & Sharing > Trash. Customers can make this decision based on their preferences.

###Netskope does not support Google Jamboard and Google Apps Script file types for legal hold.

%%For Salesforce files such as content document, document, and attachment, Netskope supports a soft-delete only. This is due to an upstream API limitation. On performing the delete action, Netskope moves the file to the recycle bin.

$If you have any Microsoft Purview Information Protection (formerly Microsoft Information Protection)-encrypted files in Microsoft 365 OneDrive or SharePoint, Netskope cannot tombstone such encrypted files. This is due to a limitation in the Microsoft Graph API.

$$Files that are uploaded to Microsoft Teams chats or channels are stored in Microsoft 365 OneDrive or SharePoint respectively. For reference, read this Microsoft article. You can create a policy with a quarantine profile in Microsoft 365 OneDrive or SharePoint instances. Hosted contents are currently not supported.

~~~You cannot configure Salesforce as a legal hold or quarantine destination. However, an offending file or an object can be copied or quarantined to a different SaaS app as a destination (like Google Drive, Microsoft 365 OneDrive, SharePoint, or any other app that supports legal hold or quarantine as a destination).
