Next Gen Forensics

With forensics, you can save a copy of the file and the DLP match highlights in a forensic storage location. This information provides incident remediators with much-needed evidence, alongside the other information available in the DLP incident and the corresponding Skope IT alert.

Next Gen Forensics is built on a new platform that is decoupled from classic API Data Protection. Previously, forensics was tightly coupled with the classic API Data Protection product: the administrator set up and configured forensics using the classic API Data Protection grant flow, which required extensive permission scopes from the SaaS/IaaS provider. With Next Gen, forensics can be configured independently and requires only a minimum set of permissions.

You can refer to the FAQ before proceeding with the configuration.

To set up forensics, you need to:

  1. Configure the storage app(s) in which you want to store forensics data.

    Currently, Netskope supports Microsoft SharePoint and Azure Blob Storage as forensic destinations on the Next Gen platform.

  2. Create a forensic profile.

  3. Enable the forensic profile.

You can either configure Microsoft SharePoint or Azure Blob Storage as a forensic destination.

Configure Microsoft SharePoint as a Forensic Destination

To configure Microsoft SharePoint as a forensic destination, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.

  2. Click the Setup Forensic Instance drop-down and select SharePoint.
    The Setup Forensic Instance page opens.

  3. Under Office 365 Environment, select Commercial or GCC High.

  4. Under Instance Name, enter a name for the SaaS app instance. This step is optional; if left blank, Netskope determines the name of the app instance after the grant.

  5. Click Grant Access.
    The Microsoft Login window opens.

  6. After clicking Grant Access, you will be prompted to log in with your global administrator username and password. Accept the permissions and click Close.

Refresh your browser, and you should see a green check icon next to the instance name.

Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.

Configure Microsoft Azure Blob Storage as a Forensic Destination

To configure Microsoft Azure Blob Storage as a forensic destination, there are two steps involved. Follow the instructions below.

  1. Set up Microsoft Azure Blob Storage Forensic Instance

  2. Create and Assign a Custom Role in Azure Portal

Set up Microsoft Azure Blob Storage Forensic Instance

To configure Microsoft Azure Blob Storage forensic instance, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.

  2. Click the Setup Forensic Instance drop-down and select Azure Blob Storage.
    The Setup Forensic Instance page opens.

  3. Under Instance Name, enter a name for the Azure Blob Storage instance. You can use only alphanumeric characters, underscores (_), and hyphens (-).

  4. Click Grant Access.
    The Microsoft Login window opens.

  5. After clicking Grant Access, you will be prompted to log in with your Azure username and password. Accept the permissions and click Close.

    The logged-in Azure user must have the minimum set of roles/permissions needed to grant consent to applications.

The Netskope – Forensics for Azure Blob Storage app is installed in the Azure portal with additional permissions once you grant access to the Microsoft Azure Blob Storage app.

Refresh your browser, and you should see a green check icon next to the instance name.

Create and Assign a Custom Role in Azure Portal

Once you have granted access, log in to the Azure portal, create a custom role, and assign the role to the storage account or container.

A storage account may include multiple containers. Although you can assign the custom role to a storage account, Netskope recommends a least-access strategy: restrict the custom role assignment to the container level.

  1. Log in to portal.azure.com as an application administrator or a higher role.

  2. Identify the subscription ID where you would like to create a custom role. To do so, navigate to All services > General > Subscriptions. Identify the subscription ID and click it.

  3. On the left navigation of the subscription page, click Access Control (IAM). Then, click + Add > Add custom role.

    The Create a custom role page opens.

  4. Under the Basics tab, enter a name for the custom role. Keep the rest of the fields unchanged.

  5. Click Next.

  6. Under Permissions, click + Add permissions. The Add permissions page opens. In the search bar, enter the following permissions one after the other:

    • Microsoft.Storage/storageAccounts/blobServices/containers/read. Click Microsoft Storage.

      Select Read : Get blob container and click Add.

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. Click Microsoft Storage.

      Click the Data Actions radio button, select Read : Read Blob, and click Add.

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write. Click Microsoft Storage.

      Click the Data Actions radio button, select Write : Write Blob, and click Add.

      Once you have added the 3 permissions, verify that all three are listed on the Permissions tab.

  7. Click Review + create. Review the information displayed on the Review + create tab.

    Note down the role name. This will be required when you assign the role to a container.

  8. Click Create.

    You have successfully created the custom role. Next, you should assign the role to a container.

  9. Navigate to All services > Storage > Storage accounts. Identify the storage account and click it.

  10. On the left navigation of the storage account page, click Containers. Identify the container to which you would like to assign the custom role. Click it.

  11. On the left navigation of the container page, click Access Control (IAM). Then, click + Add > Add role assignment.

    The Add role assignment page opens.

  12. Search by role name, select the role, and click Next.

  13. Under Members, click + Select members.

  14. Under Select Members, type Netskope – Forensics for Azure. Select the Netskope – Forensics for Azure Blob Storage app and click Select.

  15. Click Review + assign. Review the information displayed on the Review + assign tab.

  16. Click Review + assign.

    The role assignment may take a few minutes. Before you proceed to create a forensic profile in the Netskope UI, give it a few minutes for the role assignment to take effect.

    You have successfully assigned the custom role to a container. Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.
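The custom role and container-level assignment described in the steps above can also be expressed as configuration and checked for drift. The following is an added example (not Netskope's or Microsoft's code): it builds the role definition in the JSON shape that `az role definition create --role-definition @role.json` accepts, builds the resource ID of a single container (the scope to assign at, per the least-access recommendation), and audits an exported role definition and an assignment scope against the three permissions the procedure requires. The subscription ID, resource group, storage account and container names are constructed placeholders.

```python
"""Added example (not Netskope's or Microsoft's code): least-privilege custom
role for Netskope Next Gen Forensics on Azure Blob Storage, plus an audit of
role definitions and assignment scopes against it. All IDs and names below are
constructed placeholders."""
import json
import re

# The three permissions the procedure adds: one control-plane action, two data actions.
EXPECTED_ACTIONS = {
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
}
EXPECTED_DATA_ACTIONS = {
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
}

# Resource ID shape of a single blob container; anything shorter is a broader scope.
CONTAINER_SCOPE_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Storage"
    r"/storageAccounts/[^/]+/blobServices/default/containers/[^/]+$"
)


def build_role_definition(role_name, subscription_id):
    """Role definition in the JSON shape accepted by
    `az role definition create --role-definition @role.json`."""
    return {
        "Name": role_name,
        "IsCustom": True,
        "Description": "Read/write blobs in forensic containers (Netskope Next Gen Forensics)",
        "Actions": sorted(EXPECTED_ACTIONS),
        "NotActions": [],
        "DataActions": sorted(EXPECTED_DATA_ACTIONS),
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def container_scope(subscription_id, resource_group, storage_account, container):
    """Resource ID of one container: the scope to assign the role at."""
    return (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Storage/storageAccounts/{storage_account}"
        f"/blobServices/default/containers/{container}"
    )


def audit_role_definition(role):
    """Return findings for any permission beyond the three the procedure requires,
    for any required permission that is missing, and for wildcards."""
    findings = []
    actions = set(role.get("Actions", []))
    data_actions = set(role.get("DataActions", []))
    for extra in sorted(actions - EXPECTED_ACTIONS):
        findings.append(f"unexpected action: {extra}")
    for extra in sorted(data_actions - EXPECTED_DATA_ACTIONS):
        findings.append(f"unexpected data action: {extra}")
    for missing in sorted(EXPECTED_ACTIONS - actions):
        findings.append(f"missing action: {missing}")
    for missing in sorted(EXPECTED_DATA_ACTIONS - data_actions):
        findings.append(f"missing data action: {missing}")
    for perm in sorted(actions | data_actions):
        if "*" in perm:
            findings.append(f"wildcard permission: {perm}")
    return findings


def audit_assignment_scope(scope):
    """Flag assignments made above container level (account, resource group, subscription)."""
    if CONTAINER_SCOPE_RE.match(scope):
        return []
    return [f"assignment scope is broader than a single container: {scope}"]


# Constructed sample: a role that drifted from the procedure (an extra delete data
# action was added later) and an assignment made at storage-account level.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_ROLE = build_role_definition("Netskope Forensics Blob Writer", SAMPLE_SUBSCRIPTION)
SAMPLE_ROLE["DataActions"].append(
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
)
SAMPLE_ACCOUNT_SCOPE = (
    f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/forensics-rg"
    "/providers/Microsoft.Storage/storageAccounts/forensicsacct"
)

if __name__ == "__main__":
    print(json.dumps(build_role_definition("Netskope Forensics Blob Writer", "<subscription-id>"), indent=2))
    print(container_scope("<subscription-id>", "<resource-group>", "<storage-account>", "<container>"))
    for finding in audit_role_definition(SAMPLE_ROLE) + audit_assignment_scope(SAMPLE_ACCOUNT_SCOPE):
        print("FINDING:", finding)
```

To apply the role with the Azure CLI instead of the portal, save the printed JSON as role.json and run `az role definition create --role-definition @role.json`, then `az role assignment create --assignee <object ID of the Netskope – Forensics for Azure Blob Storage enterprise application> --role "<role name>" --scope "<container scope>"`. Running the audit against `az role definition list --custom-role-only true` output and `az role assignment list` scopes catches roles that have been widened since setup and assignments that were made at the storage-account level rather than the container level.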

Create a Forensic Profile

Next, you should create a forensic profile that flags policy violations and stores the files in a forensic folder/container. To create a forensic profile, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Policies > Profiles > Forensic.

  2. Click New Forensic Profile.

  3. Enter the following details:

    • Profile Name: Enter a name for the forensic profile.

    • App: Select either SharePoint (Next Gen Forensics) or Azure Blob Storage (Next Gen Forensics).

      A few storage apps have two options to choose from. Storage apps with ‘Next Gen Forensics’ next to the app name are supported on the Next Gen platform and enable forensic-only instances when you create a new forensic profile.

    • Instance Name: Select the appropriate app instance.

    • For SharePoint (Next Gen Forensics), enter the SharePoint site or sub-site URL in this format: https://<account-name>.sharepoint.com/sites/<site-name>. For example: https://netskope.sharepoint.com/sites/forensic-data-site. If you have selected a GCC High instance, the format will be https://<account-name>.sharepoint.us/sites/<site-name>.

    • For Azure Blob Storage (Next Gen Forensics), enter the Azure Blob storage account and container name. The names are case-sensitive. To identify the storage account and container names, log in to the Azure portal.

      Once you save the configuration, Netskope validates it. After successful validation, Netskope uploads a README.md file to the container in the Azure portal. You can log in to the Azure portal to verify the upload.

  4. Click Save.

You have successfully created a Next Gen forensic profile.
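The profile fields above have format rules that are only checked when Netskope validates the saved configuration: the SharePoint site URL must match `https://<account-name>.sharepoint.com/sites/<site-name>` (or `.sharepoint.us` for a GCC High instance), and an Azure Blob Storage instance name may contain only alphanumeric characters, underscores and hyphens. The following is an added example (not Netskope's code) that checks those inputs locally before they are entered; the sample values are constructed.

```python
"""Added example (not Netskope's code): local format checks for the forensic
profile inputs described above. Sample URLs and names are constructed."""
import re
from urllib.parse import urlparse

# Instance name rule from the Azure Blob Storage instance setup step.
INSTANCE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# SharePoint domain per Office 365 environment selected during instance setup.
SHAREPOINT_DOMAIN = {
    "Commercial": "sharepoint.com",
    "GCC High": "sharepoint.us",
}


def validate_instance_name(name):
    """True when the name uses only alphanumeric, underscore and hyphen characters."""
    return bool(INSTANCE_NAME_RE.match(name))


def validate_sharepoint_site_url(url, environment="Commercial"):
    """Check https://<account-name>.<domain>/sites/<site-name>[/<sub-site>].
    Returns (ok, reason); a Commercial URL entered for a GCC High instance fails."""
    domain = SHAREPOINT_DOMAIN[environment]
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    labels = parts.netloc.lower().split(".")
    if len(labels) != 3 or ".".join(labels[1:]) != domain or not labels[0]:
        return False, f"host must be <account-name>.{domain}"
    path = parts.path.rstrip("/").split("/")
    if len(path) < 3 or path[1] != "sites" or not path[2]:
        return False, "path must be /sites/<site-name>"
    return True, ""


if __name__ == "__main__":
    # Constructed sample inputs: the page's example URL, a GCC High mismatch, and a bad name.
    for url, env in [
        ("https://netskope.sharepoint.com/sites/forensic-data-site", "Commercial"),
        ("https://netskope.sharepoint.com/sites/forensic-data-site", "GCC High"),
        ("https://netskope.sharepoint.us/sites/forensic-data-site/subsite", "GCC High"),
    ]:
        print(env, url, validate_sharepoint_site_url(url, env))
    for name in ["forensics_store-01", "forensics store"]:
        print(name, validate_instance_name(name))
```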

Enable the Forensic Profile

Next, you should enable the forensic profile. To do so, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Settings > Forensics > Configuration.

  2. Under Forensics, click Edit.

  3. Enable the Forensic Status toggle button.

  4. From the drop-down list, select the forensic profile you created earlier.

  5. (optional) Select Enable original file access if you want to download the violating file that caused a DLP incident. To learn more, see About DLP.

    This is a limited availability feature. Contact your Netskope sales representative to enable this feature.

  6. Click Save.

Frequently Asked Questions

  1. I have already configured forensics using the classic API Data Protection for SharePoint. Do I need to switch to Next Gen forensics now?

    If you currently use classic API Data Protection for Microsoft 365 SharePoint and use it as a forensic destination, you can switch to Next Gen forensics at the same time you switch to Next Generation API Data Protection for Microsoft 365 SharePoint. Netskope is rapidly enhancing the Next Generation API Data Protection for Microsoft 365 SharePoint to offer all the features that exist in classic API Data Protection for Microsoft 365 SharePoint. Refer to this link to see if all the features you use for classic API Data Protection for Microsoft 365 SharePoint are available in the Next Generation API Data Protection for Microsoft 365 SharePoint. If they are available, you may consider switching to Next Generation API Data Protection for Microsoft 365 SharePoint and Next Gen Forensics, and using Microsoft 365 SharePoint as a forensic destination.

    If you currently do not use classic API Data Protection for Microsoft 365 SharePoint but have set up a classic API Data Protection SharePoint instance for forensics purposes only, you may consider switching to the Next Gen forensics platform.

  2. If I switch to Next Gen forensics, what will happen to the forensics information that is already stored for previously generated incidents?

    • For new incidents generated after enabling Next-Gen Forensics, all uploads and downloads will happen through the Next-Gen forensics framework.

    • Old incidents will continue to use classic API Data Protection instances to download forensics as long as the old instance is not deleted and the API Data Protection grant is intact. The administrator should not delete the old instance until the retention period for those incidents expires.

  3. Will Next Gen forensics work only with Next Generation API Data Protection application instances? I am currently using API Data Protection and all my app instances are configured on classic API Data Protection.

    Next Gen forensics works across classic API Data Protection apps, Next Generation API Data Protection apps, CASB Inline, and SMTP email.

  4. I am currently using Microsoft SharePoint as my forensic destination. This is configured using the classic API Data Protection. Now, if I switch to Next Gen forensics, what are the steps I should follow? Are there any key issues I should know before making the switch?

    The grant for the classic API Data Protection instances should remain intact until the retention period has expired, to enable downloading forensics for historical incidents. Follow the steps documented in this article to configure Next Gen forensics.

  5. I am currently using Box as the forensics destination. If I switch to Microsoft SharePoint using Next Gen forensics, will I be able to have old incidents continue to refer to the forensics on Box and the new incidents refer to the forensics on Microsoft SharePoint?

    Yes, users should be able to download historical forensics from the Box app as long as the grant for the classic API Data Protection for Box instance is active.
