Netskope Help

Rule-Based Policies

To access the Rule-Based policy page, go to Policies > Behavior Analytics > Rule-Based tab.

Rule_Based_Policies9.png

There are nine default Rule-Based policies:

  1. Bulk Delete: Detect suspicious/harmful user activity. Monitor potential risky users for any malicious activity that would cause data loss.

  2. Bulk Download: Detect anomalous download activity from applications/instances where corporate data is stored. Identifies suspicious activity indicative of risky insider activity.

  3. Bulk Failed Log ins: Identify attempts to breach corporate user accounts.

  4. Bulk Upload: Detect suspicious data movement to authorized or unsanctioned applications/sites. Identifies potential exposure of corporate data.

  5. Proximity: Proximity Detector will detect login activities that are geographically distant that should mark as anomalies.

  6. Rare Event: Detect user activity that is rarely observed e.g. user has never downloaded from a particular app in the past 90 days.

  7. Risky Countries: Identify access/activity on applications/sites hosted in risky countries. Helps detect potential compromised or malware infected devices.

  8. Shared Credentials: Detect unauthorized sharing of user credentials that may violate corporate security policies.

    Note

    The Shared Credentials severity is fixed at Medium.

  9. Suspicious Data Movement: Detect accidental or intentional data exfiltration. Identifies movement of data from corporate sanctioned application instances to personal or non-corporate applications/sites.

Custom Rule-Based Policies

Click the UEBANewCustomPolicy.png dropdown to create a rule-based policy. You can create a new policy or create a policy from the template library.

New Policy From Template

The template library contains the following templates for the new Behavior Analytics custom rule-based policies for potential suspicious activity. You can change any option once you select a template. The right panel edit window opens to enable editing.

  • Download / Delete: Download and Delete, 20 repetitions in one hour on Box.

  • Share / Delete: Share and Delete, 10 repetitions in one hour on Dropbox.

  • Upload / Share: Upload and Share, 10 repetitions in one hour on Google Drive.

Policies are defined using a set of variables. These variables define the criteria for detecting policy violations. Specify the match criteria for the activity sequence that you want to be alerted on. Each sequence is defined based on a single user, app, and object. All match criteria are 'And'ed.

To create a new custom policy:

  1. On the Rule-Based Policies page, select the UEBANewCustomPolicy.png > New. The New Custom Policy right panel window opens.

    UEBANewCustomPolicyWizard.png
  2. Type a name for the new policy.

  3. Optionally, type a policy description.

  4. Select a Scan Type, either Real-time Protection or API-enabled Protection. Real-time Protection will monitor all Inline activities including Client, Reverse Proxy, GRE, and Forward Proxy. API Protection monitors all Introspection traffic which is captured by the APIs.

  5. Select a severity for this new policy.

    UEBASeverity.png

    Note

    The Shared Credentials severity is fixed at Medium.

  6. Define the policy for apps or app instance. Based on your Access Method selection, the list will dynamically generate the available choices for apps or app instance.

    UEBAapp.png

    OR

    UEBAappInstance.png
  7. Select the Sequence of activities that will trigger the policy. You cannot have more than four activities listed in the sequence and actions cannot be the same.

    UEBASequence.png
  8. Max duration time cannot exceed 3600 seconds. This is the max duration of time for the sequence of activities that will trigger the policy.

  9. Number of times the activity was repeated. The number must be greater than zero.

  10. Add an activity. Your choices may include the following or a subset based on your Access Method selection:

    UEBAactivitySelection.png
  11. Select the Rigid text box if you want to enforce the order of activities.

  12. Enable Status to activate the policy. By default this is option is not enabled.

  13. Click Save to create the new policy. The policy name appears in the Rule-Based tab under the Custom Rule-Based Policies section.

    UEBACustomRuleBasedPolicy.png