View Security Posture Findings
SaaS Security Posture Management continuously audits SaaS app resources to identify compliance rule violations. The Findings page provides a status check on all the compliance rules and SaaS app resources. To view the Findings page, log in to your Netskope tenant and navigate to API-enabled Protection > Security Posture SaaS > Findings.
You can refresh the page; the Result As Of label shows the date and local time of the results.
You can toggle between Raw Findings, Rules, and Resources to view the audit results.
Click the Raw Findings tab to view the compliance findings of your rules and resources. This page provides an aggregated list of all the rules and resources that have failed, passed, been remediated, or been muted. You can view data for the last 7, 30, 60, and 90 days.
You can select the check box beside one or more rules and mute or unmute them. Click a rule name to get a detailed view of the rule.
Under the Raw Findings tab, the table displays the following information:
Note: You can sort the table based on a particular field. The default field is set to Status.
- Status: Status of the rule when checked against the resource. If the resource contains rule violations, the rule status shows Failed.
- Policy: Name of the security posture policy.
- Severity: The level of severity of the violation. There are four levels: Critical, High, Medium, and Low.
- App Suite: Name of the SaaS app.
- App: Name of the application of the SaaS app.
- App Category: The category the cloud application belongs to. This could be collaboration, CRM, email, security, etc.
- Netskope Instance Name: Name of the cloud account instance that is used to connect the cloud app with Netskope.
- Region Name & ID: The location name & ID of the account.
- Rule ID: Unique ID of the rule in use.
- Resource Type: The cloud resource type.
- Failing Since: The date since which the rule has been failing.
- Last Evaluation Time: The timestamp of the most recent evaluation.
- Muted: Whether the rule-resource pair is muted.
- Compliance Standard: Gives a brief description of the compliance standard.
- Current Rule Version: Current version of the custom/predefined rule.
You can export the Raw Findings in CSV format. Click the Export button; in the pop-up box, choose the columns, the number of rows, and the name of the report, then click Export to save the report. The filtered data is downloaded to your system as a CSV file. Note that the “Failing Since” column in the table is not included in the CSV file.
Click the Rules tab to view information on rules compliance. The Rules tab gives you an overview of the following:
- Failed Rules: Click the failed rules number to get a filtered view of rules that are non-compliant.
- Passed Rules: Click the passed rules number to get a filtered view of rules that are compliant.
- Total Rules: Combination of failed and passed rules.
- Pass Rate: Pass percentage of compliance rules against a resource. The percentage can be further filtered based on rules or findings. Pass rate is calculated as passed rules divided by total rules.
You can click a rule name to get a detailed view of the rule, such as severity, definition, compliance standard, remediation guidance, etc. Under the Rules tab, the table displays the following information:
Note: You can sort the table based on a particular field. The default field is set to Status.
- Status: A rule can be checked against multiple resources. The status of the rule is defined as follows:
  - If all resources pass, the rule passes.
  - If any resource fails, the rule fails.
  - If all resources are unknown, the rule is unknown.
- Pass Rate: Pass percentage of compliance rules against a resource. Pass rate is calculated as passed resources divided by total resources.
- App Suite: Name of the SaaS app.
- App: Name of the application of the SaaS app.
- App Category: The category the cloud application belongs to. This could be collaboration, CRM, email, security, etc.
- Compliance Standard: Gives a brief description of the compliance standard.
- Rule Name: The compliance rule name.
- Severity: The level of severity of the violation. There are four levels: Critical, High, Medium, and Low.
- Resource Type: The cloud resource type.
- # Failed Resources: Total number of resources that failed the compliance rule.
- # Unknown Resources: Total number of unknown resources.
- # Passed Resources: Total number of resources that passed the compliance rule.
- # Failed Resources Muted: Total number of failed resources that are muted.
- # Total Resources: Total number of resources checked against a compliance rule.
- # Total Instances: Total number of cloud app instances that are impacted by this rule.
- Rule ID: Unique ID of the rule in use.
- Current Rule Version: Current version of the custom/predefined rule.
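The rule-level roll-up described above can be reproduced offline from an exported Raw Findings CSV, which is useful for tracking muted failures separately from open ones. The following is an added example, not Netskope code; the CSV header names and the sample rows are assumptions constructed for illustration, and the "Undetermined" label covers a mix of passed and unknown resources, a case this page does not define.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an exported Raw Findings CSV. Header names are assumed
# to match the UI column labels; adjust them to your actual export.
SAMPLE_CSV = """Rule ID,Rule Name,Severity,Resource Name & ID,Status,Muted
R-1,MFA enforced for admins,Critical,admin-a,Failed,No
R-1,MFA enforced for admins,Critical,admin-b,Passed,No
R-1,MFA enforced for admins,Critical,admin-c,Failed,Yes
R-2,External sharing disabled,High,site-1,Passed,No
R-2,External sharing disabled,High,site-2,Passed,No
R-3,Audit logging enabled,Medium,org-1,Unknown,No
"""

def rule_status(counts):
    """Roll per-resource results up to one rule status, as the Rules tab defines it."""
    total = sum(counts.values())
    if counts["Failed"] > 0:
        return "Failed"          # any resource fails -> rule fails
    if counts["Passed"] == total:
        return "Passed"          # all resources pass -> rule passes
    if counts["Unknown"] == total:
        return "Unknown"         # all resources unknown -> rule unknown
    return "Undetermined"        # mixed Passed/Unknown: not defined on the page

def summarize(csv_text):
    """Return {rule_id: summary} from rows holding one rule-resource pair each."""
    counts = defaultdict(lambda: {"Passed": 0, "Failed": 0, "Unknown": 0})
    muted_failed = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid, status = row["Rule ID"], row["Status"].strip().capitalize()
        if status not in counts[rid]:
            raise ValueError(f"unexpected status {row['Status']!r} for {rid}")
        counts[rid][status] += 1
        if status == "Failed" and row["Muted"].strip().lower() == "yes":
            muted_failed[rid] += 1
    out = {}
    for rid, c in counts.items():
        total = sum(c.values())
        out[rid] = {"status": rule_status(c),
                    # Pass rate = passed resources / total resources
                    "pass_rate": round(100 * c["Passed"] / total, 1),
                    "failed": c["Failed"], "failed_muted": muted_failed[rid],
                    "total": total}
    return out

if __name__ == "__main__":
    for rid, s in summarize(SAMPLE_CSV).items():
        print(rid, s)
```

A rule whose `failed` count equals its `failed_muted` count still reports Failed here, which makes long-muted findings easy to pick out for review.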
Click the Resources tab to view information on the cloud resources. The Resources tab gives you an overview of the following:
- Failed Resources: Click the failed resources number to get a filtered view of cloud resources that are non-compliant.
- Passed Resources: Click the passed resources number to get a filtered view of cloud resources that are compliant.
- Total Resources: Combination of failed and passed resources.
You can click a resource name to get a detailed view of the cloud resource, such as resource type, cloud provider, Netskope instance name, region, compliance data, etc. Under the Resources tab, the table displays the following information:
- Status: Status of the resource when checked for compliance. If the resource contains rule violations, the resource status shows Failed.
- Pass Rate: Pass percentage of the cloud resource against a rule.
- Resource Name & ID: The name and ID of the cloud resource.
- Resource Type: The cloud resource type.
- App Suite: Name of the SaaS app.
- App: Name of the application of the SaaS app.
- App Category: The category the cloud application belongs to. This could be collaboration, CRM, email, security, etc.
- # Failed Rules: The total number of compliance rules that failed against a resource.
- # Unknown Rules: Total number of rules which could not be evaluated for the resource.
- # Passed Rules: The total number of compliance rules that passed against a resource.
- # Total Rules: The total number of compliance rules checked against a resource.
- # Failed Muted Rules: Total number of failed rules that are muted.
- Resource Tags: A user can create a tag for a SaaS resource. This field displays such tags.
- Netskope Instance Name: Name of the cloud account instance that is used to connect the cloud app with Netskope.
Filters
By default, the Raw Findings, Rules, and Resources tabs display the latest audit results. You can choose to view the results for a specific date.
To filter your view by a specific date:
- Click the Time drop-down to select Latest Result or As of Date to select a specific date.
- Specify the date and time in the date picker. Click Apply.
You can filter the result displayed on the page by selecting Resource Type, Tags, and App Suite. To further narrow the result on the page, click Add Filter and select an option from the list.
You can choose to filter based on the following options:
- Status: Select Failed, Passed, or Unknown.
- Muted: Select Yes or No.
- Rule name: Select Rule Name and enter a rule name in the search field.
- Policy: Select security assessment policy from the list.
- Severity: Select a severity level. There are four levels: Critical, High, Medium, and Low.
- Compliance Standard: Select or search for a compliance standard. For example, NIST-CSF-1.1.
- Resource ID: Enter the resource ID of the cloud app. You can find the resource ID in the Resource Name & ID field on the Raw Findings tab.
- Resource Name: Select Resource Name and enter a resource name in the search field.
- App: Select the app of the cloud service provider.
- App Category: Select the category the cloud application belongs to. This could be collaboration, CRM, email, security, etc.
- Instance ID: Unique ID of the SaaS account.
- Instance Name: Select the name of the SaaS account instance that is used to connect the cloud app with Netskope.
- Netskope Instance Name: Name of the Netskope instance associated with the SaaS account under which this resource is listed.
- Region: Select Region and select a region from the list or enter the region in the search field.
To save a filter you have created, click the save button to the right of the filter attributes, give the filter a name, and save it. Saved filters appear under the Filters dropdown > Created By Me tab, where you can reuse them later. Filters that others have shared with you appear in the Shared With Me tab.
Go to the Filters dropdown > Manage Filters to rename, delete, and share the filters you created within the tenant.
Rule Detail
You can click a rule in the rules table on the Rules or Raw Findings page to view detailed information about the rule. The Rule Detail window provides a description of the rule.
The window contains the following three tabs:
- Definition: The rule syntax defining the predefined or custom rule. Custom rules can be defined using Netskope Governance Language.
- Remediation: The remediation action to be performed to remediate the violation. Some rules also provide manual steps to remediate the violation.
- Compliance: The various compliance standards that the rule satisfies. This tab provides the compliance standard, section, control, and description of the rule defined in the compliance standard’s documentation.
- Other: Displays the rule description, the service the resource uses, and the rule type (custom or predefined).
Manage Compliance Findings
You can mute failed assessments to indicate false positives or to allow the DevOps team some time to remediate. The mute feature does the following:
- Automatically acknowledges any alerts generated from an assessment. The alerts are muted indefinitely, until you unmute. This allows you to grant a DevOps team a window of time to remediate the service configurations and become compliant.
- Excludes the failed resources (when muted) in computing the compliance score for a profile.
You can access the mute and unmute capabilities under API-enabled Protection > Security Posture IaaS > Compliance.
To mute a rule-resource pair:
- Click the Raw Findings tab.
- Click the More Options icon (…) to the right of the rule name and click Mute.
- In the Mute window, select how long you want to mute this finding. You can add a short label under Justification Label to justify why you’re muting this finding.
- Click Mute.
Since every finding has a corresponding Skope IT alert, muting a finding automatically acknowledges the corresponding alert. You will stop receiving alerts related to failed rule-resource pairs until you click Unmute.