This feature provides the DLP forensic details when a policy triggers a violation. Forensic information may contain sensitive content. In order to maintain privacy, you must create a forensic profile to store forensic information.
To create a forensic profile:
- In the Netskope tenant UI, go to Policies > Profiles > Forensic.
- Click New Forensic Profile.
- In Profile Name, enter the name of the forensic profile.
- Under App and Instance, select the appropriate SaaS/IaaS app followed by the corresponding instance name.
On selecting an app, additional fields may get enabled. Enter the appropriate details for the additional fields. For most of the apps, you need to enter the email address of the user. The forensic folder will be created under the email address of this user.
For Egnyte, you can either select a Personal Folder or Team Folder. For more information, see Forensic Folder Support for Egnyte.
For SharePoint, select a site where you would like to store the forensic data.
For Microsoft Azure, you should enter the exact name of the Azure storage account and container where the forensic data will be stored. To get these details, log in to your Azure portal.
- Click Save and Apply Changes.
Once you have created a forensic profile, go to Settings > Forensics, click Edit Settings, enable the forensic feature, select the forensic profile, and click Save.
Forensic Folder Support for Egnyte
A forensic profile can either be created on team folders or personal folders. If the team folder is selected, a forensic folder is created under Shared folder(/Shared/Netskope Forensic Folder). If a personal folder is selected, a forensic folder is created under users’ private folder(/Private/User/Netskope Forensic Folder). In the User Email field, enter the email address of the owner of the forensic folder. The email address should be of either the Egnyte administrator or power user. Standard user email address is not supported. If a DLP policy is triggered, based on the forensic folder selected, a summary of file content is uploaded into forensic folder.
If a forensic profile is created using a non-admin email address, on behalf of the non-admin user, a forensic folder is created under the users’ private/team folder by the instance admin. The folder is accessible to the non-admin user but the folder owner remains the instance admin.