Risk Exchange Module
The Risk Exchange v1 module replaces the original User Risk Exchange and Application Risk Exchange workflows. This new module is designed to ingest user or device risk scores from one or more plugged-in vendors and create a single view of the individual contributors to the company's overall risk score. Its rules-based engine matches single or multiple vendor scores, or a derived weighted score, to trigger notifications and drive highly focused orchestrated actions that reduce the risk from individual users or devices.
Risk Exchange Global Settings
Only write-access users can change Risk Exchange Global Settings. After the Risk Exchange module is enabled (Settings > General), go to Settings > Risk Exchange. There are four tabs: General, Logs Cleanup, Flap Suppression, and Records Cleanup.
On the General tab, you can enable generating alerts that are shared with the Ticket Orchestrator module. You can also select the maintenance window time interval; during this interval, Risk Exchange actions that are configured to be performed in the maintenance window will be performed.
On the Logs Cleanup tab, you can specify how often to delete logs.
On the Flap Suppression tab, you can prevent an action from being triggered multiple times in a short duration.
On the Records Cleanup tab, enable or disable data purging, and then set how long records may remain inactive. After that duration, the records will be deleted from Cloud Exchange as specified.
Schema Editor
A write-access user can manage Risk Exchange schemas and their fields.
View Risk Exchange Entities
View and edit any of the created entities and their fields.
- Go to Risk Exchange > Schema Editor.
- A list of all the available fields in the selected entity will be displayed.
Create New Fields
A write-access user can create Risk Exchange entity fields. The supported field types are explained in the following sections.
Calculated Field Type
A calculated field can be used to create a single numeric value by using one or more numeric fields in a mathematical expression.
Value Map Field Type
A value map field can be used to convert string values to a numeric value, which can then be used in business rules and action parameters.
Range Map Field Type
A range map field can be used to convert a numerical range into a string value.
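The three field types chain naturally: a value map turns a vendor's string label into a number, a calculated field combines numeric fields into one weighted score, and a range map turns that score back into a label for business rules. The following is an added conceptual sketch, not Cloud Exchange code or its expression syntax; the field names, vendor labels, weights, band edges and the choice to leave unmapped values unscored are all assumptions.

```python
# Conceptual model of the three derived field types (not Cloud Exchange code).
# All names and numbers are constructed; here a higher number means higher risk.
SEVERITY_VALUE_MAP = {"low": 200, "medium": 500, "high": 800, "critical": 1000}
RISK_RANGE_MAP = [(0, 250, "Low"), (251, 500, "Medium"),
                  (501, 750, "High"), (751, 1000, "Critical")]
WEIGHTS = {"edr_numeric": 60, "idp_score": 40}  # integer weights, sum to 100

def value_map(raw, mapping):
    """Value map: vendor string -> number. Unmapped input stays None so it
    is never mistaken for a real score of 0."""
    if raw is None:
        return None
    return mapping.get(str(raw).strip().lower())

def calculated(fields, weights):
    """Calculated field: weighted mean over the numeric fields that are set.
    Re-normalising over the present fields is an assumption of this sketch."""
    present = {k: v for k, v in fields.items() if k in weights and v is not None}
    if not present:
        return None
    total = sum(weights[k] for k in present)
    return round(sum(v * weights[k] for k, v in present.items()) / total)

def range_map(value, ranges):
    """Range map: number -> label, with explicit labels for gaps."""
    if value is None:
        return "Unscored"
    for low, high, label in ranges:
        if low <= value <= high:
            return label
    return "Out of range"

def derive(record):
    """Chain the three field types for one record."""
    edr = value_map(record.get("edr_severity"), SEVERITY_VALUE_MAP)
    score = calculated({"edr_numeric": edr, "idp_score": record.get("idp_score")}, WEIGHTS)
    return {**record, "edr_numeric": edr, "weighted_score": score,
            "risk_band": range_map(score, RISK_RANGE_MAP)}

SAMPLE_RECORDS = [  # constructed input
    {"user": "alice@example.com", "edr_severity": "High", "idp_score": 300},
    {"user": "bob@example.com", "edr_severity": "unrated", "idp_score": 900},
    {"user": "carol@example.com", "edr_severity": None},
]

if __name__ == "__main__":
    for row in SAMPLE_RECORDS:
        print(derive(row))
```

A business rule that filters on the band should also account for the "Unscored" and "Out of range" labels, so that records with missing or unexpected vendor data are reviewed rather than silently skipped.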
Perform Action on an Entity Field
A write-access user can manage Risk Exchange entity fields.
Edit Field
Users can edit any of the created fields.
- Go to Risk Exchange > Schema Editor.
- Select the relevant Entity from the dropdown.
- Click the Edit icon and make modifications.
- Click Save.
Delete Field
Users can delete any of the created fields.
- Navigate to Risk Exchange > Schema Editor.
- Select the relevant Entity from the dropdown.
- Click the Delete icon.
- Click Save.
Manage Risk Exchange Business Rules
A write-access user can manage Risk Exchange Business Rules.
View Risk Exchange Business Rules
View business rules in either list view or grid view. Toggle between the grid and list views using the button beside the Refresh button.
You can expand each folder to see the business rules in that folder, and also delete a whole folder of business rules.
Create Risk Exchange Business Rules
A write-access user can configure Risk Exchange queries that specify which users to take actions on.
- Go to Risk Exchange > Business Rules.
- Click Create New Rule.
- Enter a rule name.
- Select the entity you want to apply the filter on.
- Select or enter a query in the record filter. At least one filter must be selected.
- Enter the name of the folder that you want to add the rule to, or select an existing folder. Folders can be nested up to 3 levels deep.
- Click Save.
Perform an Action on Risk Exchange Business Rules
You can manage all the business rules from a single place on the platform, the Business Rules page. From this page, a write-access user can mute one or multiple business rules, edit the query for a business rule, delete business rules, or test a business rule.
Clone a Risk Exchange Business Rule
You can clone any of the existing business rules.
Mute a Risk Exchange Business Rule
Muting can be used to temporarily ignore any changes to user or host scores that would normally trigger the action workflow.
Delete Risk Exchange Business Rules
To delete a business rule, select the Trash icon on the rule and confirm the action.
View Matching Records of Risk Exchange Business Rules
The View Matching Records action can be used to view all the records that match a created business rule.
Map a Risk Exchange Business Rule to an Action
Users can map business rules with actions so that when a user or host matches a business rule, the configured action will be performed on the user.
- Go to Risk Exchange > Actions.
- Click Add Action Configuration.
- Select a Business Rule, and then a Configuration.
- Based on the selected configuration, a list of Actions will be populated. Select an action that you want to map to the business rule.
- If the action has some required parameters, you will need to fill those out as well. You can use the Source option to dynamically provide any of the fields of the matching record as the value for any action parameters.
- Enable Generate Alert if you would like to receive alerts in the Ticket Orchestrator module whenever an action is performed. Using this feature, you can receive alerts in your ITSM platform or receive notifications when an action is performed on users or hosts. Note that this feature requires that the Ticket Orchestrator module be enabled.
- Enable Require Approval if you do not want the action to be performed automatically when a record matches the business rule. If enabled, when a record matches the business rule, an action log will be added to the Action Logs page that you will have to manually approve in order to perform the action.
- Click Save.
Actions
Configured actions can be managed from Risk Exchange > Actions.
Edit Actions
A write-access user can update an action or the parameters of an existing action.
- Click the Edit icon.
- Update required fields.
- Click Save.
Sync Actions
A write-access user can sync an already configured action. This will trigger a re-evaluation of all the existing records and the selected action will be performed for all the matching records.
- Click the Sync icon.
- Enter the Time Period (in days). Only the records updated during this period will be considered while evaluating the business rule. Checking All Time will evaluate the records from last year.
- Click Fetch. This will display the number of records this action will be performed on. Review this carefully as the next step cannot be undone from Risk Exchange.
- Click Sync.
Delete Actions
A write-access user can delete any of the existing configured actions.
- Click the Delete icon for the action you want to delete.
- Click Delete.
Records
Risk Exchange maintains a list of all the fetched records and their metadata received from various plugins.
- The lists can be viewed from Risk Exchange > Records.
- A list of all the records in the selected entity will be displayed. The list is paginated with a default user display count of 10.
A write-access user can create a negative filter by selecting Not in the upper left-hand corner. To add more than one filter criterion, move the mouse to the upper right of the filter box and select Add Rule. Then select the appropriate comparison operator, And or Or, by moving the mouse over the And button in the upper left; this creates a multi-variable match. Individual rules can be deleted by clicking the red trash icon to the right of the rule. For alternative multi-data criteria, select Add Group, which also appears when you move the mouse to the upper right of the filter box. Rules will be processed from top to bottom.
Click Clear to remove the custom filter.
After selecting the desired filter, click Apply Filter. Users/Hosts matching the filtering criteria will be listed. You can also enter the filter query manually and load the filters from that query.
Action Logs
Action logs are logs of actions performed on users or hosts. A write-access user can view and filter through action logs to view actions taken.
- Go to Risk Exchange > Action Logs.
- The logs indicate the business rule that triggered the action, and the time when this action was performed. Action Logs with status Scheduled indicate that the action is scheduled to be performed within the next few minutes or during the maintenance period if it is configured.
Approve or Decline Pending Actions
A write-access user can approve pending actions.
- Go to Risk Exchange > Action Logs.
- Action logs with status Pending Approval indicate that the action is not executed and requires approval to be completed.
- Action logs can be expanded to see the details of the record as they were at the time when the record matched the specified business rule.
- To approve the pending action, follow these steps:
- Select the action and click Approve to approve the action.
- Click Approve.
- The Action Log status should now change to Scheduled and it will be performed within the next few minutes or the configured maintenance window duration.
- To decline the pending action, follow these steps:
- Select the action and click Decline to decline the action.
- Click Decline.
- The Action Log status should now change to Declined.
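The statuses above, together with muting, Flap Suppression and Require Approval, decide whether a rule match ever becomes an executed action. The following added sketch models that gating; it is not Cloud Exchange code, and the class names, the suppression key (record, rule, action), the window length and the sample events are assumptions.

```python
# Conceptual model of the action-log statuses described above (not Cloud
# Exchange code). The suppression key and window length are assumptions.
from dataclasses import dataclass

@dataclass
class ActionConfig:
    rule: str
    action: str
    require_approval: bool = False
    muted: bool = False  # True when the mapped business rule is muted

class ActionLogs:
    def __init__(self, flap_window_s):
        self.flap_window_s = flap_window_s
        self.entries = []
        self._last_trigger = {}  # (record, rule, action) -> last trigger time

    def on_match(self, ts, record, cfg):
        """Log a rule match, or return None if muted or suppressed."""
        key = (record, cfg.rule, cfg.action)
        last = self._last_trigger.get(key)
        suppressed = last is not None and ts - last < self.flap_window_s
        if cfg.muted or suppressed:
            return None
        self._last_trigger[key] = ts
        status = "Pending Approval" if cfg.require_approval else "Scheduled"
        entry = {"ts": ts, "record": record, "rule": cfg.rule,
                 "action": cfg.action, "status": status}
        self.entries.append(entry)
        return entry

    @staticmethod
    def review(entry, approve):
        """Approve or decline; only Pending Approval entries can be reviewed."""
        if entry["status"] != "Pending Approval":
            raise ValueError("entry is not pending approval")
        entry["status"] = "Scheduled" if approve else "Declined"

def demo():
    """Constructed events: one host's score flaps across a rule threshold."""
    logs = ActionLogs(flap_window_s=3600)
    isolate = ActionConfig("High risk hosts", "isolate host", require_approval=True)
    notify = ActionConfig("Watchlist hosts", "notify", muted=True)
    for ts in (0, 120, 4000):
        logs.on_match(ts, "host-17", isolate)
        logs.on_match(ts, "host-17", notify)
    ActionLogs.review(logs.entries[0], approve=True)
    ActionLogs.review(logs.entries[1], approve=False)
    return [(e["ts"], e["status"]) for e in logs.entries]
```

In the constructed run, the match at 120 seconds is suppressed, the muted rule logs nothing, and the two remaining entries end as Scheduled and Declined after review.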