Create a Forensic Profile


After you configure the IaaS/SaaS app that you want to use for forensics, create a forensic profile.

To create a forensic profile:

  1. In the Netskope tenant UI, go to Policies > Profiles > Forensic.

  2. Click New Forensic Profile.

  3. In Profile Name, enter the name of the forensic profile.

  4. Under App and Instance, select the appropriate SaaS/IaaS app followed by the corresponding instance name.

    Selecting an app may enable additional fields. Enter the appropriate details in these fields. For most apps, you need to enter the email address of the user. The forensic folder is created under the email address of this user.
    For Egnyte, you can select either a Personal Folder or a Team Folder. For more information, see Forensic Folder Support for Egnyte.
    For SharePoint, select the site where you want to store the forensic data.
    For Microsoft Azure, enter the exact name of the Azure storage account and container where the forensic data will be stored. To get these details, log in to your Azure portal.
  5. Optionally, select the encryption checkbox. When it is selected, Netskope encrypts the forensic content before uploading it to the forensic destination SaaS/IaaS app. If you have enabled original file access on the Settings > Forensics > Configuration page, selecting the encryption checkbox encrypts the original file as well.

    Encrypted forensic content can be viewed only through the Netskope tenant UI or the Netskope REST APIs. Netskope decrypts the encrypted forensic content and displays it on the Incidents > DLP page. If original file access is enabled, a copy of the file that generated the incident is also encrypted, and it is decrypted when you download it from the Incidents > DLP page.

    Encryption is a limited availability feature. Contact your Netskope sales representative to enable this feature.
    To view forensic content using the Netskope REST APIs, see REST APIv2. Use the following REST APIs to view forensic content:
    • Download forensic content: /api/v2/incidents/dlpincidents/{id}/forensics
    • Download original file: /api/v2/incidents/dlpincidents/{id}/originalfile
  6. Click Save and Apply Changes.

To enable the forensic profile, see Enable a Forensic Profile.
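
The two REST endpoints listed in step 5 can be called from a script. The following is an added example, not Netskope's own code: it builds the request for one incident and streams the body to a file that only the owner can read. The tenant hostname, the shape of the incident ID, the `Netskope-Api-Token` header and the assumption that the response body is the raw file are all assumptions to confirm against REST APIv2.

```python
import os
import re
import urllib.request

# Endpoint paths as listed on this page; everything else below is an assumption.
ENDPOINTS = {
    "forensics": "/api/v2/incidents/dlpincidents/{id}/forensics",
    "originalfile": "/api/v2/incidents/dlpincidents/{id}/originalfile",
}
_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")          # assumed incident id shape
_HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")  # bare hostname only


def build_request(tenant_host, incident_id, kind, token):
    """Build the GET request for one incident without sending it."""
    if kind not in ENDPOINTS:
        raise ValueError("kind must be 'forensics' or 'originalfile'")
    # Reject anything that could alter the URL path or host (/, .., ?, #, @).
    if not _ID_RE.fullmatch(str(incident_id)):
        raise ValueError("unexpected incident id")
    if not _HOST_RE.fullmatch(tenant_host):
        raise ValueError("tenant_host must be a bare hostname")
    url = "https://" + tenant_host + ENDPOINTS[kind].replace("{id}", str(incident_id))
    # Assumption: the REST API v2 token is sent in the Netskope-Api-Token header.
    return urllib.request.Request(url, headers={"Netskope-Api-Token": token})


def save_download(request, dest_path, opener=urllib.request.urlopen, chunk=65536):
    """Stream the response body to dest_path, created owner-only (0600).

    The local copy is sensitive DLP evidence; O_EXCL refuses to overwrite an
    existing file or to write through a symlink planted at dest_path.
    """
    fd = os.open(dest_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    written = 0
    try:
        with os.fdopen(fd, "wb") as out, opener(request) as resp:
            while True:
                block = resp.read(chunk)
                if not block:
                    break
                out.write(block)
                written += len(block)
    except Exception:
        os.unlink(dest_path)  # do not leave a partial evidence file behind
        raise
    return written
```

The `opener` parameter exists so the download path can be exercised offline; in normal use, leave it at its default.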

Forensic Folder Support for Egnyte

A forensic profile can be created on either team folders or personal folders. If a team folder is selected, the forensic folder is created under the Shared folder (/Shared/Netskope Forensic Folder). If a personal folder is selected, the forensic folder is created under the user's private folder (/Private/User/Netskope Forensic Folder). In the User Email field, enter the email address of the owner of the forensic folder. The email address must belong to either an Egnyte administrator or a power user; a standard user's email address is not supported. When a DLP policy is triggered, a summary of the file content is uploaded to the selected forensic folder.

If a forensic profile is created using a non-admin email address, the instance admin creates the forensic folder under the user's private/team folder on behalf of the non-admin user. The folder is accessible to the non-admin user, but the folder owner remains the instance admin.