How to Create a Netskope Profile

Netskope uses profiles with policies. This article covers how to create profiles for Netskope.

Affected Products:

• Netskope Admin Platform

1. In a web browser, go to the Netskope web console:
   • United States Datacenter: https://[TENANT].goskope.com/
   • European Union Datacenter: https://[TENANT].eu.goskope.com/
   • Frankfurt Datacenter: https://[TENANT].de.goskope.com/
   Note: [TENANT] = The tenant name in your environment
2. Log in to the Netskope web console.
   
3. Click Policies.
   
4. From the Policies bar, click the Profile to create. Options may be profiled for:
   • Data Loss Prevention (DLP)
   • Threat Protection
   • Web
   • Intrusion Protection System (IPS)
   • Connected App/Plugin
   • Domain
   • User
   • Constraint
   • Quarantine
   • Legal Hold
   • Forensic
   • Network Location
   
5. Click New Profile in the upper left.
   

For more information about options to be profiled, click the appropriate option.

DLP

6. From the Create Profile menu:
   1. Optionally, click All Regions and then select a region.
   2. Optionally, Search for a keyword.
   3. Select a Rule.
   4. Repeat Steps A, B, & C until all wanted rules are selected.
   5. Click Next.
   
7. Optionally, select any fingerprints that are created. Once finished, click Next.
   
8. Populate a profile name and then click Create Profile.
   

Threat Protection

The default malware scan can be extended by creating a custom malware detection profile. The malware detection profile allows users to add a custom hash list as a blocklist and an allowlist. Known malicious hashes that are sourced from other intelligence sources can be included in the blocklist. Known good files (usually proprietary content specific to the enterprise) can be added to the allowlist so Netskope does not mark them as suspicious. The custom malware detection profiles can be used in the real-time protection policy creation workflow.

6. Optionally, select a different scan and then click Next.
   
7. From the Allowlist menu:
   1. Optionally, click + Create New to create a new file hash and then go to Step 8.
   2. Select a File Hash to allowlist.
   3. Repeat Steps A & B until all wanted file hashes are selected.
   4. Click Next and then go to Step 10.
   
8. From the Add File Hash List menu:
   1. Select either SHA256 or MD5.
   2. Populate the file hash.
   3. Click Next.
   
9. Populate a File Hash List Name and then click Save File Hash List.
   
10. From the Blocklist menu:
    1. Optionally, click + Create New to create a new file hash and then go to Step 11.
    2. Select a File Hash to blocklist.
    3. Repeat steps A & B until all wanted file hashes are selected.
    4. Click Next and then go to Step 13.
    
11. From the Add File Hash List menu:
    1. Select either SHA256 or MD5.
    2. Populate the file hash.
    3. Click Next.
    
12. Populate a File Hash List Name and then click Save File Hash List.
    
13. Populate a Malware Detection Profile Name and then click Save Malware Detection Profile.
    

Web

The custom category feature offers flexibility to supersede the predefined Netskope Uniform Resource Locator (URL) category mapping for a given URL or augment them by defining custom URL categories. This is helpful for situations in which the Netskope predefined URL category does not have a mapping for a URL (uncategorized).

6. From the Categories menu:
   1. Select Categories to block.
   2. Click Next.
   
7. From the Exceptions menu:
   1. Optionally, click + Create New to add custom URLs and the go to Step 8.
   2. Select URLs to Include or Exclude.
   3. Click Next and then go to Step 9.
   
8. Populate any URLs to add to the Inclusion or Exclusion list, and then click Next.
   
9. Populate a URL List Name and then click Save URL List.
   
10. Populate a Custom Category Name, and then click Save Custom Category.
    

IPS

6. From the New IPS Profile menu:
   1. Populate an IPS Profile Name.
   2. Select a Security Level.
   3. Optionally, select Alert Only Mode.
   4. Click Save.
   

Connected App/Plugin

The Connected App/Plugin profile allows you to create a profile consisting of a custom list of Google apps and plugins. Use this profile to detect and prevent users from installing whatever third-party apps they add in Google.

6. Click New Connected App/Plugin Profile.
   
7. Click Select File to upload the .csv file consisting of the list of connected apps/plugins and IDs, and then click Next.
   
   Note:

   • The format of the .csv file should be:
     • connectedApp1,ID
     • connectedApp2,ID
     • connectedApp3,ID
   • Sign in to the Google App Engine website with your Google account's username and password. View the list of App Engine applications on the My Applications page. Each application's App ID is displayed under the Application column.
8. Populate a Profile Name and then click Save Connected App/Plugin Profile.
   

Domain

The domain profile is used to define external domain accounts for email. The domain profile works with application programming interface (API)-enabled protection apps such as Gmail and Microsoft 365 Outlook.com. As part of the policy definition wizard, you can scan email messages that are sent to external domains such as xyz.com or abc.com.

6. Populate Domain(s), and then click Next.
   
7. Populate a Domain Profile Name, and then click Create Domain Profile.
   

User

The user profile is used to select a user profile instead of all users or user groups in an application programming interface (API)-enabled protection policy. User profiles allow you to upload a comma-separated value (CSV) file with all the users' email addresses to include or exclude in a scan for policy violations.

6. From the Upload CSV menu:
   1. Click Select File.
   2. Go to the CSV file of user email addresses and then double-click it.
   3. Click Next.
   
7. Populate a User Profile Name, and then click Create User Profile.
   

Constraint

A constraint profile is used in real-time protection policies. Constraint profiles define what a user can do for a specific activity in an app. In the case of Amazon S3, constraints detect and prevent insider threat activities.

For example:

• Users can share contents only within the organization from Google Drive or bypass inspection if the user is logging into their personal instance of Gmail.
• Users cannot copy or sync data from corporate owned Amazon S3 buckets to personal or non-corporate Amazon S3 buckets.

User and Storage constraint profiles can be applied to specific activities when creating a real-time protection policy for an app. Click the appropriate profile for more information.

User

6. From the Create User Constraint Profile menu:
   1. Populate the Constraint Profile Name.
   2. Select the match type.
   3. Populate the email domain.
   4. Optionally, click + Add Another and then repeat steps B & C until all wanted email addresses are populated.
   5. Click Save Constraint Profile.

Storage

6. Click the Storage tab.
   
7. Click New Storage Constraint Profile.
   
8. From the Create Storage Constraint Profile menu:
   1. Populate the Constraint Profile Name.
   2. Select the Match Type.
   3. Select the Amazon S3 Buckets to be matched.
   4. Click Save Constraint Profile.

Quarantine

A Quarantine profile is used for specifying where the file must be quarantined when there is a policy action of Quarantine. Use tombstone files to replace the content of the original file. The name and extension of the original file are preserved.

6. From the Settings menu:
   1. Select an App.
   2. Select an Instance.
   3. Populate the User Email to own the quarantine folder.
   4. Populate email addresses separated by commas to receive notifications when a file is uploaded to the quarantine folder.
   5. Click Next.
   
7. From the Customize menu:
   1. Select Default or Custom for the Tombstone Text.
   2. If Custom Text was selected, populate custom tombstone text. Otherwise, go to Step C.
   3. Select Default or Custom for the Malware Tombstone Text.
   4. If Custom Text was selected, populate custom malware tombstone text. Otherwise, go to Step E.
   5. Optionally, select Use Uploaded Tombstone File.
   6. Optionally, click Customer Provided Tombstone Files and then go to Step 8.
   7. Click Next and then go to Step 9.
   
   Note: Custom tombstone text does not apply for file extensions .xls(x) and .ppt(x). For these file types, Netskope displays the default tombstone text.
8. From the Customer Provided Tombstone Files menu:
   1. Populate a Tombstone File Extension.
   2. Click Select File to upload a tombstone file.
   3. Click Upload.
   
9. Populate a Quarantine Profile Name and then click Create Quarantine Profile.
   

Legal Hold

Legal hold is a process that an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. A legal hold profile is used for specifying where the files must be held for legal purposes.

6. From the Create Legal Hold Profile Settings menu:
   1. Select the App where you want the files to be uploaded for legal hold purposes.
   2. Select the Instance of the app.
   3. Populate a Custodian Email to own the legal hold folder.
   4. Populate Notification Emails of any administrators that should be notified when a file is uploaded to the legal hold folder.
   5. Click Next.
   
   Note:

   • For more information about creating an instance, reference How to Create Netskope API-Enabled Protection Instances.
   • Before setting up a legal hold profile for Microsoft 365 OneDrive/SharePoint apps, the custodian should log in to the Microsoft 365 account and set up the OneDrive/SharePoint app.
   • For the Slack for Enterprise app, the email address should be the same as that you entered during the Slack for Enterprise instance setup.
7. Populate a Legal Hold Profile Name and then click Create Legal Hold Profile.
   

Forensic

This feature provides the data loss prevention (DLP) forensic details when a policy triggers a violation. Forensic information may contain sensitive content. In order to maintain privacy, you must select a forensic profile to store forensic information.

6. From the Create Forensic Profile menu:
   1. Select the App for which you want to enable incident management.
   2. Select the Instance of the app.
   3. Populate the app-specific information.
   4. Click Next.
   
   Note:

   • Step 6C varies based on the application chosen. This information is used to identify the data to monitor.
   • For more information about creating an instance, reference How to Create Netskope API-Enabled Protection Instances.
   • If using Microsoft Azure, populate the Azure storage account name. To locate the storage account name, log in to portal.azure.com. Go to All services, Storage, then Storage Account. The page displays a list of storage accounts. Enter the Azure container name. Netskope uploads the forensic file in this container. To locate the container name, log in to portal.azure.com. Go to All services, Storage, Storage Account. The page displays a list of storage accounts. Click a storage account name and then go to Blob service and then Blobs. The page displays a list of containers.
   • Before setting up a forensic profile for the Microsoft 365 OneDrive app, the owner should log in to the Microsoft 365 account and set up the OneDrive app.
7. Populate the Forensic Profile Name and then click Create Forensic Profile.
   
8. Click Settings.
   
9. Click Incident Management.
   
10. From the Edit Settings menu:
    1. Click to Enable Forensic.
    2. Select a Forensic Profile.
    3. Click Save.
    

Network Location

You can add a single object or multiple object network location.

6. From the Addresses menu:
   1. Populate either an IP address, IP address range, or a classless inter-domain routing (CIDR) netmask.
   2. Click the + to the right.
   3. Click Next.
   
7. Populate a Network Location Object Name, and then click Save Network Location.