Release notes for version 71 of Netskope.
Affected Products: Netskope
Affected Operating Systems: Windows, Mac, iOS, Android
Not applicable.
This update of Netskope contains New Features and Enhancements, Hotfix Updates, Fixed Issues, Known Issues, and New Resource Types Supported in Continuous Security Assessment. For more information, click the appropriate topic.

Note: For release notes of other versions of Netskope, reference Netskope Release Notes.

New Features and Enhancements

| Category | Feature | Detailed Description and Benefits |
|---|---|---|
| App Connector | Amazon S3 | Added 'to_storage' and 'from_storage' fields for Copy and Move events. Activities: Changed Edit to Move, so whenever a file is renamed or cut and pasted, a 'Move' activity triggers. |
| App Connector | Microsoft GCC High Coverage | Activities: Login Attempt, Login Successful, Login Failed, Create, Edit, Rename, Upload, Download, Send, Share, Delete, Post. Platform: Browser. DLP: Yes |
| App Connector | GitLab | Activities: Create, Edit, Delete. Platform: Browser. DLP: Create, Edit |
| App Connector | Google Suite | Feature: Creating docs, sheets, slides, forms using the shortcut URL. Activities: Create. Platform: Browser |
| App Connector | Microsoft Azure | Activities: Create, Edit, Delete, Upload, Download. Platform: Browser, CLI. DLP: Yes |
| App Connector | Slack | Activities: Log in Attempt, Log in Successful, Log in Failed, Log out. Platforms: Browser, Windows Native |
| App Connector | Workday Human Capital Management | Added support for Workday Drive. Activities: Upload, Download, Edit. Platform: Browser. DLP: Yes |
| DLP | Improved DLP efficacy on Microsoft PowerPoint documents | When inspecting Microsoft PowerPoint files, we can now extract the headers and footers from the notes and handouts section and apply the DLP rules. |
| DLP | Additional File Type Support | DLP has added support for additional file types including analytics software such as Microsoft Power BI and Tableau. With this change, DLP can now support over 1200 file types. |
| DLP | File Filter for Threat Protection | Additional criteria have been added to the File Filter profile for Threat Protection. Admins can now use the File Filter profile to allowlist or blocklist files for threat protection based on attributes such as file name, extension, size, and Object ID. |
| DLP | DLP Machine Learning Models | In this release we have added new machine learning models for detection of passports, driver licenses, and screenshots. These classifiers allow detection of sensitive information accurately without the need for deep content inspections. |
| DLP-Entity | Brazil LGPD | In this release, the LGPD enhancements include several additional Brazil entities, such as Voter ID, vehicle registration numbers, corresponding rules, and a profile that combines the rules. For information about newly supported entities in this release, see New DLP Entities in version 71. |
| IaaS | New Bulk Setup for AWS | To simplify setup (particularly bulk-setup) and to enable the new Storage Scan architecture (leveraging CloudWatch), the setup process for AWS was redesigned. For details, click Setting Up Multiple AWS Accounts Using the New UI to access the help topic. Contact Dell Data Security ProSupport to enable this feature in your account. |
| Introspection | New Salesforce Retro Functionality | We now support retro V3 functionality for Salesforce. |
| Notifications | Customizable Suppression Interval for Client Notifications | Admins can customize the suppression interval for duplicate pop-ups that are triggered by a block action. The default is set to 60 seconds. To modify the default setting, contact Dell Data Security ProSupport. |
| Notifications | Display Remaining Time to Close in the Notification Pop-up | On the Netskope client notification window, end users see the remaining time left configured by the admin. This helps end users to know the remaining time before the admin configured action is taken. |
| Netskope Private Access (NPA) | New Product Available | NPA provides secure access to private applications that are behind an enterprise firewall in the data center and the public cloud. |
| Netskope for Web | Alcohol Category Addition | The Alcohol category was previously mapped to 'food and drinks'. It is now a separate category. The new mapping for Alcohol includes sites that show alcoholic drinks such as cocktails, beer, and wine. Examples include whiskey, vodka, merlot, ale, and so on. |
| Netskope for Web | Prohibited URL Access | Netskope for Web customers can now prevent access to prohibited sites using translators such as Google and Bing. The available options include blocking the translators using the Translation category or using existing Inline policies that also trigger when a prohibited web page is accessed using the above translators. For CASB only customers, the only way to prevent access is to block the translator apps. Note: Browser-based notifications, user-alert, and MFA actions are not supported due to a limitation of those domains. |
| Netskope for Web | Inline Traffic SSL Decryption | You can now leverage your own certificate for SSL decryption. For details, go to the Signing Certificate section in the Certificates help topic. Online help in your account > Administration > Certificates > Signing Certificate or Knowledge Hub > Manage > Certificates > Signing Certificate |
| Netskope for Web | Auto-download Incomplete Certificate Chain | During the SSL handshake to certain servers, when the Netskope proxy receives no information about the certificate issuer, the SSL connection is torn down. With this release, admins can configure the action by going to the Security Cloud Platform settings to select if the Netskope proxy should automatically fetch the information when the authority information (AIA) is available. By default, it is enabled to allow the proxy to fetch the missing information automatically. |
| Traffic Steering | Netskope Client: IdP-based provisioning for multi-user mode deployment | The IdP-based provisioning feature for the Netskope Client has been enhanced to support multi-user mode. |
| Traffic Steering | Interoperability: Netskope Client on Windows Server 2019 | The Netskope Client release 71 has been validated to interoperate with Windows Server 2019. |
| Traffic Steering | Interoperability: Netskope Client on Microsoft Windows 10 build 1909 | The Netskope Client release 71 has been validated to interoperate with Windows 10 build 1909. |
| Web UI | Refresh button | A refresh button is available for the SkopeIT and Incidents pages that are listed below. If the UI is idle for a time and new events or alerts have been added, click the refresh button to fetch the new data without having to refresh the browser page. SkopeIT: Applications, Sites, Users, Applications Events, Page Events, Network Events, Alerts. Incidents: DLP, Anomalies, Compromised Credentials, Malware, Malicious Sites, Quarantine, Legal Hold |
| Web UI | Configurable Timeout per Tenant | For notification pop-up timeouts, the Netskope proxy has a default value of 60 seconds. With this release, admins can configure a timeout value from the UI that should not exceed 600 seconds. The default timeout is 60 seconds and the timer text is visible in the notification window. You must be an admin to configure this option. |
| Web UI | Disallow Concurrent Logins by an Admin | You can ensure that an admin can log in to a tenant only once, instead of being able to log in to a tenant multiple times concurrently. The default setting allows concurrent logins. To change the default, go to Settings > Administration > Admins. On the top right side, click the Tools icon to open the Configure dialog box. Activate 'Disallow Concurrent Logins by same Admin' and click Save. |

Hotfix Updates

This section provides descriptions for the hotfix updates released for the 70.1.0 release.

| Category | Issue Number | Issue Description |
|---|---|---|
| IaaS | 91655, 91779 | Serverless functions added to the Compute tab in Inventory. This issue is related to issue 91779: On the Accounts and Regions pages, the #Compute column includes only asset_type="Compute Instance". All other places, Compute includes both "Compute Instance" and "Function". |
| IaaS | 91063 | With this fix, admins can export all Raw Findings page data when the table is not sorted by Status. When the table is sorted by Status, a 100K cap still applies. The 100K cap limitation is fixed in the upcoming release. |

Fixed Issues

| Category | Issue Number | Issue Description |
|---|---|---|
| App Connector | 72251, 93592, 90907, 91252 | Instance ID detection improvements for the following: G Suite, WFB, AWS Lambda, Atlassian, Zendesk, Slack |
| IaaS | 92508 | Remediated rules show as failures due to case-sensitive matching. With the fix, the 'LIKE' operator for IaaS DSL is now case insensitive. |
| IaaS | 90204 | Fixed an issue which excluded re-listed deleted* resources from scans. From Netskope's perspective, the resource was deleted but it was not necessarily deleted from the Cloud Service Provider account. |
| IaaS | 78955 | Wrapper Rule results will now show the `account name & id` field on the Compliance > Raw Findings page. Old results that have a blank account name & id continue to remain blank. They remain blank to maintain historical customer data. |
| IaaS | 93347 | There is a new workflow available for multi-account set up capability. Contact Dell Data Security ProSupport to enable the aws_multi_account_setup_enabled feature and upgrade your account. With the multi-account set up, you see the new UI and can use the new workflow which enables multi-account set up with Cross Role Access capability. All existing tenants that are licensed and using Audit Log continue to see the original UI. |
| IaaS | 92336 | In this release where 'aws_multi_account_setup_enabled' is enabled, accounts have limited access for the REST APIs. For create, update, and grant workflows, support only exists for the 'securityscan' option. |
| Introspection | 88566 | Retroscan uses 'UID' instead of 'Domain' which results in a failure of the retroscan. |
| Introspection | 89879 | For O365 OneDrive and SharePoint, the 'Organization Wide Link' option in Introspection Policies > Content > 'File sharing options to scan' has been removed from the UI. |
| Netskope Proxy | 88591, 74550 | Accessing a xxx.com.au or xxx.co.uk website is recorded and listed as a xxx.com website name in SkopeIT. |
| Web UI | 88470 | IaaS API performance is slower than expected. The system now remembers time, filter, tab, page size from your last visit. Subsequent visits to the same view are faster. |
| Web UI | 89695 | Muted rules are appearing in Compliance reports. To fix this issue, Netskope has: added a new filter in Compliance reports: Muted = Yes/No; PDF/CSV download contains only muted rules if Muted = Yes; PDF/CSV download does not contain muted rules if Muted = No. |
| Web UI | 90982 | The Service Monitoring page has been updated with the following: (1) Keep only the global 'Status' metric for each instance in the Service Monitoring section. (2) When an admin clicks Service Monitoring from the General Section of the Settings area, the service monitoring page for the instance appears. Previously, the landing page displayed the aggregate service monitoring across all instances. (3) If there are multiple instances set up, then the admin sees the first instance that was set up for the tenant. The order is the same as the Introspection navigation bar. |

Known Issues

| Category | Issue Number | Issue Description |
|---|---|---|
| App Connector | 77845 | Inconsistent behavior for DLP and user alerts. |
| App Connector | 68407 | AWS log in activities are not properly detected in SkopeIT. |
| App Connector | 70320, 58450 | Encryption is not working correctly for a successful quarantine for BOX. |
| Client | 68975 | Cisco AnyConnect is disconnecting intermittently when the Netskope client is enabled. This is working as designed, and the workaround is to add the VPN server IP address to the Netskope IP Exception list. |
| Client | 68435 | When the Netskope client is disconnected, the system tries to stop the driver module. This is resulting in the system not working properly. |
| Client Services | 79181 | A user is seeing an "Email Invitation Expired" message during the SAML client enforcement flow, when the Netskope client is installed but disabled. |
| DAPII | 90764 | When using the reverse proxy mode and after the idle timeout expires, the logout URL is redirected. However, intermittently the redirect may not happen. |
| DLP | 79419, 79415 | The DLP Forensics capture must have an option to store in AWS S3. |
| DLP | 73085, 79310 | Need DLP sampling or entire file scan. |
| IaaS | 94576, 74864, 78848 | The Overview page filters are not displaying data as expected. |
| IaaS | 94572, 94571, 93767 | The Inventory storage buckets should display a sortable field for the Storage Inventory page and show the total GB in each storage bucket. |
| IaaS | 94558 | Currently, users can create ad-hoc CSV reports, but can only create PDF scheduled reports. Users should be able to select CSV for scheduled reports. |
| IaaS | 93817 | Error messaging must be expanded to include asset listing errors. |
| IaaS | 92123 | AR exception handling through the API is not working as expected. |
| IaaS | 89904 | Storage scan support for Azure files is not working as expected. |
| IaaS | 71692, 89626, 72074, 87724 | Need to properly capture the justification when remediating compliance findings. |
| IaaS | 66748, 89352 | CloudInstance is not correctly categorized as 'Database'. |
| IaaS | 83999 | Provide a script to create a custom role. |
| IaaS | 73198, 79991 | The ability to control by account and by bucket is not working properly. |
| IaaS | 69977, 79768 | Need CSA type detections for Google SaaS services. |
| IaaS | 72076, 77830 | DOM for AWS, listener support for load balancers is not working as expected. |
| IaaS | 69977, 74860 | Netskope for IaaS allows customers to write a custom DSL to include an allowlist of IPs allowed to access key vault in Azure. This DSL may also be used to ensure that all key vault instances have a consistent compliance check to detect configuration drifts. An example of this DSL: `KeyVault should have NetworkACLs . IpRules with [ value eq 192.10.18.0/24 ] and NetworkACLs . IpRules with [ value eq 206.18.32.6/32 ] and NetworkACLs . DefaultAction eq "Deny" and NetworkACLs . ByPass eq "AzureServices"` |
| IaaS | 74866, 71835 | The ability to test custom DSL in a selected AWS/Azure/GCP account is not working as expected. |
| IaaS | 72066, 70778 | Support for an External ID per account: A user has an API to request from us OR, provide to us an External ID per account on demand. Note: This means that the external ID might change at a time much later than the time it was set up. The user would associate the unique external ID per IAM role that would be set up in each of their AWS accounts. |
| IaaS | 66718 | The option for configuring regions is incorrectly required to be enabled from the security scan policy. |
| IaaS | 95343 | If a grant fails due to a misconfiguration on the CSP side, trying to grant again displays a pop-up error in the UI or the return data from the REST API may show an error similar to the following: "Error: Instance not found for tenantid ####, appname aws, instance " The workaround is to edit the account by clicking its name in the Netskope UI. |
| Introspection | 91204 | No files are seen in Incidents > Quarantine, but the SkopeIT event shows Quarantine. |
| Introspection | 70596, 85214 | Validate that Introspection works in O365 GCC environments correctly. |
| Introspection | 84962 | Prevent duplicate DLP alerts when email metadata changes. |
| Introspection | 70320, 74878 | A user uploaded a file, and the policy action executed, but the quarantine action did not. |
| Introspection | 70596, 72236 | The Select All functionality for Introspection file actions is not working properly. |
| iOS VPN Solution | 80510 | This limitation is from Microsoft. Microsoft OneDrive / OneNote does not use the PAC file, so traffic is not getting tunneled. |
| Netskope Proxy | 94088 | Browser-based justification for translating URLs is not supported. |
| REST API | Not applicable | In the online help, the Get Client Data REST API topic is missing. However, it is available in the Knowledge Hub: Get Client Data REST API |
| Reverse Proxy | 94865 | There are some limitations when using Microsoft PowerPoint and Teams through reverse proxy. You cannot perform the following: Upload; Post events from the Chat and Teams tab; Download events from the Chat tab for Microsoft Teams; Download events are seen only while downloading a file in the Team Files tab. |
| SAML Proxy | 72934 | Client certificate validation through the Cert checker option is disabled for Chromebook from release 62 onward. By default, the Chromebook sign in and enrollment is blocked. However, two flags to bypass the sign-in and enrollment flows are available. Contact Dell Data Security ProSupport to enable those flags in your tenant. |
| SAML Proxy | 70385 | Bypass Android and iOS devices with Google MDM on reverse proxy. |
| User Justification | 67146 | If a policy with a user alert is triggered and the user adds a justification, a user Justification event is generated, but it does not have policy details for which the justification was given or the event was generated. |
| Web UI | 67438 | There is not a way to tell if a Client invitation was sent through the UI. |

New Resource Types Supported in Continuous Security Assessment

| Cloud Provider | Entity | Attribute Changes |
|---|---|---|
| Azure | none | User entity has the following new attribute: LastTokenChange |

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.