Skip to main content

Netskope Help

API Data Protection Policy Actions per Cloud App

Note

To view the policy actions for Next Generation API Data Protection cloud apps, see Next Generation API Data Protection Feature Matrix per Cloud App.

You can set up various actions to perform once a policy is triggered. Netskope supports the following actions to mitigate risk exposure:

  • Alerts: Generates alerts on the Skope IT > Alerts page when a DLP policy matches.

  • Change owner to specific user: This action changes the owner of the file to a specific user. Designates the administrative owner of files and folders for which the policy is applied.

  • Encrypt: Allows you to encrypt a file if it matches policy criteria. Encryption must be enabled in your tenant instance to use this feature. Please contact support () if you do not see this as an action in the policies.

  • Quarantine: Allows you to quarantine a file if a user uploads a document that has a DLP violation. This moves the file to a quarantine folder for you to review and take appropriate action (allow the file to be uploaded or block the file from being uploaded).

    Note

    This action is available only if you select a DLP profile from the API Data Protection policy workflow.

  • Legal Hold: Preserves all forms of relevant information when litigation is reasonably anticipated. You can choose to have a copy of the file saved for legal purpose if it matches policy criteria.

  • Forensic: Allows you to apply a forensic profile that flags policy violations and then stores the file in a forensic folder.

  • Azure Rights Management: Azure Rights Management Services (RMS) is cloud-based service which uses encryption, identity, and authorization policies to secure Microsoft files like Word, Excel, PowerPoint, and more. The RMS action applies an RMS template to a Microsoft Office file uploaded in OneDrive for Business only.

  • Vera: Netskope integrates with Information Rights Management (IRM) systems such as Vera to protect your sensitive information from being shared with unauthorized users through cloud applications.

  • Microsoft Information Protection (MIP): Netskope integrates with Information Rights Management (IRM) systems such as MIP to protect your sensitive information from being shared with unauthorized users through cloud applications.

  • Expire Externally Shared Links: Sets an expiration in days for files with publicly shared links.

    Here are the possible actions you can take for each supported cloud app:

    Cloud App

    Alerts

    Change Owner to Specific User

    Encrypt$

    Quarantine$$

    Legal Hold

    Forensic

    RMS

    Vera$

    MIP$

    Expire Externally Shared Links*

    Atlassian Confluence (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Atlassian Jira (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Citrix ShareFile (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Gmail

    Yes**

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Google Cloud Platform

    Yes

    No

    No

    No

    No

    Yes

    No

    No

    No

    No

    Amazon S3

    Yes

    No

    No

    No

    No

    Yes

    No

    No

    No

    No

    Box

    Yes

    No

    Yes

    Yes

    Yes

    Yes

    No

    Yes

    Yes

    Yes***

    Cisco Webex Teams

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Dropbox

    Yes

    No

    Yes

    Yes

    No

    No

    No

    Yes

    No

    No

    Egnyte

    Yes

    Yes

    Yes

    No

    No

    Yes

    No

    Yes~

    No

    No

    GitHub

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    GitHub (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Google Drive^^

    Yes

    Yes

    Yes

    Yes

    Yes

    Yes

    No

    Yes~

    Yes

    No

    Google Drive (Next Gen)

    Yes

    Yes%

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft Azure Blob Storage

    Yes

    No

    No

    No

    No

    Yes

    No

    No

    No

    No

    Microsoft OneDrive

    Yes

    No

    Yes

    Yes

    Yes

    No%%

    Yes

    Yes

    Yes

    No

    Microsoft 365 OneDrive GCC High (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft 365 OneDrive Commercial (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft SharePoint

    Yes

    No

    Yes

    Yes

    No

    Yes

    No

    Yes

    Yes

    No

    Microsoft 365 SharePoint GCC High (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft 365 SharePoint Commercial (Next Gen)

    Yes

    No

    No-

    No

    No

    No

    No

    No

    No

    No

    Microsoft Teams

    Yes

    No

    No

    Yes#

    No

    No

    No

    No

    No

    No

    Microsoft 365 Teams GCC High (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft Outlook

    Yes**

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft 365 Yammer (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Okta (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Salesforce unstructured data (files)

    Yes

    No

    No

    No

    Yes

    No

    No

    No

    No

    No

    Salesforce structured data (Chatter messages and posts)

    Yes

    No

    No

    No

    Yes

    No

    No

    No

    No

    No

    Slack Team

    Yes

    No

    No

    No

    Yes^

    No

    No

    No

    No

    No

    Slack Enterprise

    Yes

    No

    No

    Yes$$$

    Yes

    No

    No

    No

    No

    No

    ServiceNow

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Workday (Next Gen)

    Yes

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    Workplace by Facebook

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Zendesk (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    Zoom (Next Gen)

    Yes

    No

    No

    No

    No

    No

    No

    No

    No

    No

    *You can configure the number of days for which you want the link to expire. This is particularly useful for externally shared files and public files.

    **Netskope does not scan emails in deleted/trash folder. Netskope will continue to scan emails in sent folder.

    *** In Box Admin Console > Enterprise Settings > Content > Sharing > Auto-Expiration > Allow item owners and editors to modify the expiration date must be enabled for Expire Externally Shared Links to work.

    $If you use the encrypt policy action, ensure that you have a Netskope real-time deployment i.e., a reverse or forward proxy. The Netskope real-time deployment is required to decrypt the file.

    $$This action is available only if you select a DLP profile from the API Data Protection policy workflow.

    $$$When an external user upload a file on a Slack Connect channel, Netskope cannot perform quarantine action on the file. This is because the file belongs to another organization.

    ~Egnyte and Google Drive apps do not use Vera's partner tags.

    #You cannot create an exclusive quarantine profile for Microsoft Teams. If you have set up an Office 365 OneDrive or SharePoint app, you can leverage the quarantine profile of these apps.

    ^Slack for Team Legal Hold action is applicable to files only.

    ^^Netskope does not get any notification when an internal user edits a file owned by an external user. In a nutshell, externally owned files are not audited by Google. This is a known limitation in Google Drive.

    %Since there is no owner in Google shared drive, Netskope cannot change owner on files or folders in a shared drive. This action applies to My Drive only.

    %%Based on Microsoft's latest Terms of Service, Netskope can no longer support OneDrive as a forensic destination. Due to this, Netskope will not support this feature in any new commercial or federal Netskope DC. Fine prints:

    • For existing customers who are using OneDrive as a forensic destination, the feature will continue to work as expected.

    • For new customers, the instance setup UI for OneDrive will no longer have the forensic checkbox. New forensic OneDrive instances cannot be enabled.

    • For existing customers who have not enabled OneDrive as a forensic destination, cannot enable it going forward.

    • Existing customers using OneDrive as a forensic destination, can disable the forensic checkbox from the UI. However, once disabled, you cannot re-enable it.

      For learn more: Deprecation Notice for OneDrive as a Forensic Destination.

    As an alternative, Netskope recommends to use a public cloud storage (like Azure Blob, AWS S3, or GCP Cloud Storage) as a forensic destination over a SaaS storage app. For more information, see Forensics.

  • Restrict Access: Depending on the app, there are different options available to restrict a publicly or externally shared file. Here are the restriction options for each supported cloud app:

    Cloud App

    Restrict Access to Owner

    Restrict Access to Internal User

    Restrict Access - Remove Individual Users

    Restrict Access to Specific Domain

    Restrict Access - Remove Public Links

    Restrict Access - Remove Organization Wide Link

    Restrict Collaborators to View-only Permission

    Restrict Access - Allowlist External Domains

    Atlassian Confluence (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Atlassian Jira (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Citrix ShareFile (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Gmail

    No

    No

    No

    No

    No

    No

    No

    No

    Google Cloud Platform

    No

    No

    No

    No

    No

    No

    No

    No

    Amazon S3

    No

    No

    No

    No

    No

    No

    No

    No

    Box

    Yes

    Yes

    No

    Yes

    Yes

    No

    Yes~

    Yes

    Cisco Webex Teams

    No

    No

    No

    No

    No

    No

    No

    No

    Dropbox

    Yes

    Yes

    No

    Yes

    Yes

    No

    No

    Yes

    Egnyte

    Yes

    Yes

    No

    Yes

    Yes

    No

    No

    Yes

    GitHub

    No

    No

    No

    No

    No

    No

    No

    No

    GitHub (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Google Drive

    Yes

    Yes

    No

    Yes

    Yes

    No

    Yes

    Yes

    Google Drive (Next Gen)

    Yes%

    Yes

    No

    Yes

    No

    Yes

    No

    No

    Microsoft Azure Blob Storage

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft OneDrive

    Yes

    Yes

    Yes

    No

    Yes

    Yes

    No

    No

    Microsoft 365 OneDrive GCC High (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft 365 OneDrive Commercial (Next Gen)*

    Yes

    Yes

    No

    Yes

    No

    Yes

    No

    No

    Microsoft SharePoint

    Yes

    Yes

    Yes

    No

    Yes

    Yes

    No

    No

    Microsoft 365 SharePoint GCC High (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft 365 SharePoint Commercial (Next Gen)*

    Yes

    Yes

    No

    Yes

    No

    Yes

    No

    No

    Microsoft Teams

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft 365 Teams GCC High (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft Outlook

    No

    No

    No

    No

    No

    No

    No

    No

    Microsoft 365 Yammer (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Okta (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Salesforce unstructured data (files)

    No

    No

    No

    No

    No

    No

    No

    No

    Salesforce structured data (Chatter messages and posts)

    No

    No

    No

    No

    No

    No

    No

    No

    Slack Team

    No

    No

    No

    No

    No

    No

    No

    No

    Slack Enterprise

    No

    No

    No

    No

    No

    No

    No

    No

    ServiceNow

    No

    No

    No

    No

    No

    No

    No

    No

    Workday (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Workplace by Facebook

    No

    No

    No

    No

    No

    No

    No

    No

    Zendesk (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    Zoom (Next Gen)

    No

    No

    No

    No

    No

    No

    No

    No

    ~Box does not directly support the view only action. To support this action, the file is locked and the permissions of all the collaborators in the Box folder are set to Previewer Uploader access level so that the collaborators cannot unlock the file.

    *In Microsoft 365 OneDrive & SharePoint, files can inherit sharing links from a parent folder. Such sharing links cannot be deleted or trimmed at the file level, but must be deleted at the folder where they originate. For a given file, when executing remediation actions (either manually from the Inventory page or through policies), the Next Generation API Data Protection automatically deletes inherited sharing links at the parent folder level, if deemed necessary, in order to remove file access from a user in violation of a policy.

    %Since there is no owner in Google shared drive, Netskope cannot restrict access to owner on files or folders in a shared drive. This action applies to My Drive only.

  • Block Access: Netskope blocks channel messages, direct messages, and attachments that violate a DLP policy. When a message is sent and received as a direct message or in a channel, and if the message is DLP sensitive, the policy applies the block access action. The policy blocks the message for the sender as well as the recipient(s). On the MS Teams chat app, the sender and recipient(s) receive this block message - This message was blocked. What can I do? The sender can click the What can I do? link to report the issue to the administrator.

    Though the policy blocks the message for the sender and recipient(s), the sender can still view and edit the message. Once edited, the message becomes unblocked if it does not violate the DLP policy. However if the edited message is DLP sensitive, the policy applies the block access action again.

    The Netskope tenant administrator can see the message details that has been blocked under Incidents > DLP, but cannot download the message content.

    Important

    • This action can be applied for DLP policies only.

    • This action applies to Microsoft Office 365 Teams only.

  • DLP: The DLP profiles that enforce compliance and protect sensitive data consist of DLP rules that specify data identifiers. These data identifiers find content that should not be present in cloud app transactions or public cloud storage.

  • Threat Protection: Scans files stored in your cloud storage applications for malware.

  • Audit: The audit action generates audit logs/events such as any change made in the SaaS app (upload, download, delete, and more) that Netskope retrieves using API calls. You can view the audit logs/events on the Skope IT > EVENTS > Application Events page of the Netskope UI.

  • Delete: Deletes a file from the cloud app when a policy matches.

    Note

    This action is available only if you select a DLP profile from the API Data Protection policy workflow.

  • Retroactive Scan: A retroactive policy scans all the files and folders for the app instance right from the inception of the SaaS app.

    Note

    Netskope supports one active retroactive scan per application instance. If you intend to scan the same content against multiple policies, you can do so by combining these policies together under a single retroactive scan.

    Cloud App

    Restrict Access - Blocklist External Domains

    Restrict Collaborators - Disable Print and Download

    Block Access***

    DLP

    Threat Protection / Malware

    Audit*

    Delete$

    Retroactive Scan

    Atlassian Confluence (Next Gen)

    No

    No

    No

    No

    No

    Yes

    No

    No

    Atlassian Jira (Next Gen)

    No

    No

    No

    No

    No

    Yes

    No

    No

    Citrix ShareFile (Next Gen)

    No

    No

    No

    Yes

    Yes

    Yes

    No

    Yes

    Gmail

    No

    No

    No

    Yes^

    No

    No

    No

    No

    Google Cloud Platform

    No

    No

    No

    No

    No

    No

    No

    No

    Amazon S3

    No

    No

    No

    Yes

    Yes

    Yes

    No

    Yes

    Box

    Yes

    Yes**

    No

    Yes

    Yes

    Yes

    Yes

    Yes

    Cisco Webex Teams

    No

    No

    No

    Yes

    No

    No

    Yes

    No

    Dropbox

    Yes

    No

    No

    Yes

    Yes

    Yes

    Yes

    Yes

    Egnyte

    Yes

    No

    No

    Yes

    Yes

    Yes

    No

    Yes

    GitHub

    No

    No

    No

    No

    No

    Yes

    No

    No

    GitHub (Next Gen)

    No

    No

    No

    Yes

    No

    Yes

    No

    No

    Google Drive

    Yes

    Yes

    No

    Yes

    Yes

    Yes

    Yes

    Yes

    Google Drive (Next Gen)

    Yes

    No

    No

    Yes

    Yes

    Yes

    No

    Yes

    Microsoft Azure Blob Storage

    No

    No

    No

    Yes

    Yes

    No

    No

    Yes

    Microsoft OneDrive

    No

    No

    No

    Yes

    Yes

    Yes

    Yes

    Yes

    Microsoft 365 OneDrive GCC High (Next Gen)

    No

    No

    No

    No

    No

    Yes

    No

    No

    Microsoft 365 OneDrive Commercial (Next Gen)

    Yes

    No

    No

    Yes^^^

    Yes^^^

    Yes

    No

    Yes

    Microsoft SharePoint

    No

    No

    No

    Yes

    Yes

    Yes

    No

    Yes

    Microsoft 365 SharePoint GCC High (Next Gen)

    No

    No

    No

    No

    No

    Yes

    No

    No

    Microsoft 365 SharePoint Commercial (Next Gen)

    Yes

    No

    No

    Yes^^^

    Yes^^^

    Yes

    No

    Yes

    Microsoft Teams

    No

    No

    Yes

    Yes~

    Yes

    Yes

    No

    No

    Microsoft 365 Teams GCC High (Next Gen)

    No

    No

    No

    No

    No

    Yes

    No

    No

    Microsoft Outlook

    No

    No

    No

    Yes^

    No

    Yes

    No

    No

    Microsoft 365 Yammer (Next Gen)

    No

    No

    No

    Yes

    Yes

    Yes

    No

    No

    Okta (Next Gen)

    No

    No

    No

    No

    No

    Yes

    No

    No

    Salesforce unstructured data (files)

    No

    No

    No

    Yes

    Yes

    Yes

    No

    Yes

    Salesforce structured data (Chatter messages and posts)

    No

    No

    No

    Yes

    Yes

    Yes

    No

    Yes

    Slack Team

    No

    No

    No

    Yes

    No

    No

    No

    No

    Slack Enterprise

    No

    No

    No

    Yes

    Yes^^

    Yes

    Yes$$$

    No

    ServiceNow

    No

    No

    No

    Yes

    Yes$$

    No

    No

    Yes

    Workday (Next Gen)

    No

    No

    No

    Yes

    Yes

    Yes

    No

    Yes

    Workplace by Facebook

    No

    No

    No

    Yes

    No

    Yes

    Yes#

    No

    Zendesk (Next Gen)

    No

    No

    No

    No

    No

    Yes

    No

    No

    Zoom (Next Gen)

    No

    No

    No

    Yes##

    No

    Yes

    No

    No

    *The audit action generates audit logs/events such as any change made in the SaaS app (upload, download, delete, and more) that Netskope retrieves using API calls. You can view the audit logs/events on the Skope IT > EVENTS > Application Events page of the Netskope UI.

    **Box does not directly support the disable download action for certain users. To support this action, the file is locked along with the disable download action enabled.

    ***This action applies to Microsoft Office 365 Teams only.

    $This action is available only if you select a DLP profile from the API Data Protection policy workflow.

    $$Threat protection/malware for ServiceNow applies to files and attachments only.

    $$$When an external user upload a file on a Slack Connect channel, Netskope cannot perform delete (write) action on the file. This is because the file belongs to another organization.

    $$$Once Netskope performs a delete action on a file, the Netskope tenant administrator may still have access to the deleted file from the Incidents > DLP page. This can happen if the Slack enterprise account has a retention policy to preserve the file. Though Netskope deletes the file from the Slack channel, the file may still be available to downloaded from the Netskope tenant. Please check your data retention policy with Slack support.

    ^Netskope does not scan emails in deleted/trash folder. Netskope will continue to scan emails in sent folder. Regular file attachments get scanned for DLP. If you attach a file using Google Drive, note the following behavior:

    • Insert file as a link - DLP policy hit on the body and subject of the sent email.

    • Insert file as an attachment - DLP policy hit on the body and subject of the sent email.

    ^^Threat protection for Slack Enterprise applies to files only. Chat messages are snippets are not supported.

    Note

    The disable download action disables download for collaborators who have the view permission. For collaborators with the edit permission, the download remains enabled.

    ^^^Netskope does not scan any OneNote files for DLP and threat protection on Microsoft 365 OneDrive Commercial (Next Gen) and SharePoint Commercial (Next Gen).

    ~Microsoft does not provide any webhook notification for files uploaded through the files and wiki tab of Microsoft Teams. Due to this limitation, Netskope does not support DLP scanning for such file uploads. However, Netskope detects files sent as an attachment from a channel's chat window. For full DLP coverage, you should set up respective API Data Protection instances for Microsoft Office 365 OneDrive and SharePoint.

    #The delete action for Workplace by Facebook applies to group posts and comments. This action does not apply to chat messages.

    ##DLP scan on Zoom "Team Chat" private and channel message content only. No DLP scanning on "in-meeting" chat messages.

Order of Policy Actions Within a Single App

For multiple policies with different actions, Netskope executes all the actions applicable to the notification in the following order:

  1. Threat Quarantine

  2. Threat Alert

  3. Alert/ DLP Alert

  4. Revoke

  5. Legal Hold

  6. File Classification

  7. Disable Download

  8. Restrict to View

  9. Restrict Access

  10. Expire Link 

  11. Delete

  12. RMS (After this action exit policy processing)

  13. IRM

  14. Quarantine

  15. Encrypt

  16. Change Ownership

  17. Block Access