Next Gen Forensics

With forensics, you can save a copy of the file and the DLP match highlights in a forensic storage location. This gives incident remediators much-needed evidence alongside the other information available in the DLP incident and the corresponding Skope IT alert.

Next Gen forensics is built on a new platform that decouples it from the classic API Data Protection. Previously, forensics was tightly coupled with the classic API Data Protection product: the administrator set up and configured forensics through the classic API Data Protection grant flow, which required extensive permission scopes from the SaaS/IaaS provider. With Next Gen, forensics can be configured independently and requires a minimum set of permissions.

The forensics feature in DLP incident management is unavailable for tenants located in China data centers.
You can refer to the FAQ before proceeding with the configuration.

To set up forensics, you need to:

  1. Configure the storage app(s) where you want to store forensics data.

    Currently, Netskope supports Amazon S3, Box, Google Drive, Microsoft Azure Blob Storage, and Microsoft SharePoint as forensic destinations on the Next Gen platform.
  2. Create a forensic profile.

  3. Enable the forensic profile.

Configure Storage App(s)

Here is a list of apps that you can configure as a forensic destination.

Configure Amazon S3 Bucket as a Forensic Destination

To configure Amazon S3 bucket as a forensic destination, follow the instructions below.

  • Prerequisite

  • Set up Amazon Web Services (AWS) Forensic Instance

    • Create a CloudFormation Stack

Prerequisite
  • Ensure that you have at least one Amazon S3 bucket configured.

    Netskope recommends having this Amazon S3 bucket exclusively for Netskope forensic data.
  • An AWS administrator user account.

Set up AWS Forensic Instance

To configure AWS forensic instance, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.

  2. Click the Setup Forensic Instance drop-down and select Amazon Web Services.

    The Setup Forensic Instance page opens.

  3. Under AWS Account ID, enter the account ID of your AWS account.

    Once you log in to the AWS portal, you can find the AWS account ID on the top-right.

  4. Under AWS Role Name, enter the name of the Identity & Access Management (IAM) role of your choice.

    Ensure that the role does not exist in your AWS account. Once you grant access, Netskope creates this role automatically. This role allows Netskope to access the Amazon S3 bucket to upload or download forensic data.
  5. Under Instance Name, enter the name of the AWS app instance. This step is optional and if left blank, Netskope will determine the name of the app instance post grant.

  6. Click Grant Access.

    The AWS console window opens in a new tab. If not logged in, log in with administrative privileges.

    The following steps will enable you to create a CloudFormation stack.

  7. Under the Quick create stack page, enter the following details:

    • Stack name: Enter the name of this stack.

    • forensicBucketName: Enter the name of the Amazon S3 bucket.

      This is part of the prerequisite as mentioned at the beginning of this article.
    • Under Capabilities, select the checkbox and click Create stack.

      Keep the rest of the fields unchanged.
      The stack may take a few minutes to create.
  8. Verify that the IAM role is created. To do so, navigate to IAM > Roles and search for the role by the name you entered in step 4.

  9. Go back to the instance setup page, select the Confirm checkbox and click Complete Grant.

Refresh your browser, and you should see a green check icon next to the instance name.

You can regrant, edit, or delete the AWS instance. Under the edit option, you can edit the AWS Role Name only. On doing so, you will be prompted to follow steps 7-9 again.

Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.

Configure Box as a Forensic Destination

To configure Box as a forensic destination, follow the steps below:

  • Prerequisite

  • Authorize Netskope App on Box Admin Console

  • Set up Box Forensic Instance

Prerequisite
  • A Box account with Business, Business Plus, Enterprise, or Enterprise Plus license.

  • A Box admin or co-admin user account.

Authorize Netskope App on Box Admin Console

As an admin/co-admin, you should authorize the Netskope app on Box so that Netskope can make API calls to Box. You can either use a Box admin or a co-admin account to grant access to Netskope.

  1. Log in to your Box account using the admin or co-admin user and click Admin Console.

  2. Navigate to Admin Console > Apps > Custom Apps Manager. Under Server Authentication Apps, click Add App. Under Client ID, enter the following client ID jrnqg3rwthiozrbzhtgtcil3p2lunydd.

  3. Click Next and Authorize.

Set up Box Forensic Instance

To configure Box forensic instance, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.

  2. Click the Setup Forensic Instance drop-down and select Box.

    The Setup Forensic Instance page opens.

  3. Under Instance Name, enter the name of the SaaS app instance. This step is optional and if left blank, Netskope will determine the name of the app instance post grant.

  4. Click Grant Access. When prompted, log in using the Box admin or co-admin account, and then click Authorize. Review the permissions and click Grant access to Box. When the configuration results page opens, click Close.

Refresh your browser, and you should see a green check icon next to the instance name.

Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.

Configure Google Drive as a Forensic Destination

To configure Google Drive as a forensic destination, follow the steps below:

  • Prerequisite

  • Create and Assign Custom Role for Netskope

  • Grant Scopes to the Netskope Service Account

  • Set up Google Drive Forensic Instance

Prerequisite
  • A Google Workspace with Business Standard or Business Plus edition license.

  • A Google super admin account to create a custom role and user for Netskope integration.

  • Ensure that Google Drive is available across all organizational units of your Google account. To check, log in to admin.google.com using your Google super admin account and then navigate to Apps > Google Workspace > Drive and Docs and ensure that Service status is set to ON for everyone.

  • Ensure that Google Drive SDK is turned on. To check, log in to admin.google.com using your Google super admin account and then navigate to Apps > Google Workspace > Drive and Docs > Features and Applications and ensure that Drive SDK is turned on.

Create and Assign Custom Role for Netskope

If you do not plan to use the Google super admin account, you can create a custom role and assign the role to a user to grant access to Next Generation API Data Protection. You can grant privileges / scopes using the default Google super admin role or by creating a custom role exclusively for the Netskope integration. This section describes the steps to create a custom role for Netskope.

  1. Log in to admin.google.com as a super admin.

  2. Click the triple bar on the top-left corner of the home page and navigate to Account > Admin roles.

  3. Click Create new role.

  4. Enter a name and description for the role and click CONTINUE.

  5. Select privilege for the role:

    Netskope does not recommend removing the following privileges. Any removal may result in failure of API calls and policy processing.
    • Admin console privileges:

      The admin console privileges are automatically assigned when a new role is created in Google Workspace. The level of access provided to this role in the admin console depends on what permissions are provided for this role. Here is a list of privileges Netskope requires:

      Privilege | Needed for…
      Services > Drive and Docs > Settings (All 5 privileges) | This privilege is to enable the Google Drive admin setting.
      Domain Settings | This privilege is required to list the domains under the Google Workspace. Netskope uses the domains list to determine if a user is internal or external.
    • Admin API privileges:

      The admin API privileges are required to make any API calls.

      Privileges | Needed for…
      Groups > Read | This privilege is required to get group information.
      Users > Read | This privilege is required to get user information.
      Domain Management | This privilege is required to list the domains under the Google Workspace. Netskope uses the domains list to determine if a user is internal or external.
  6. Click CONTINUE, and then click CREATE ROLE.

Once you have created the custom role, you can assign the role to a user. To assign the role to an account, navigate to Directory > Users, click the user account, navigate to Admin roles and privileges, and assign the role you created above. The user can then authorize Netskope to grant access to your Google Drive instance.

Grant Scopes to the Netskope Service Account

This section describes the steps required to register the Netskope web application and API client with Google to enable access to data in Google Drive.

If you have already set up Google Drive for the Next Generation API Data Protection, skip this procedure.
  1. Log in to admin.google.com as a super admin.

  2. Navigate to Security > Access and data control > API controls.

  3. On the API controls page, under Domain wide delegation, click Manage Domain Wide Delegation.

  4. Click Add new.

    A new pop-up opens.

  5. For Client ID, enter 108196482611215472250.

  6. For OAuth scopes, enter the following scopes:

    Enter one scope per line.
    • https://www.googleapis.com/auth/admin.directory.user.readonly

    • https://www.googleapis.com/auth/admin.directory.domain.readonly

    • https://www.googleapis.com/auth/drive

  7. Click Authorize.

  8. Verify the steps above by checking if the Netskope for Google app appears in the API clients list.

Set up Google Drive Forensic Instance

To configure Google Drive forensic instance, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.

  2. Click the Setup Forensic Instance drop-down and select Google Drive.

    The Setup Forensic Instance page opens.

  3. Under API Admin Email, enter the Google account email of the super admin or a user with a custom role (see Create and Assign Custom Role for Netskope).

  4. Under Instance Name, enter a name of the SaaS app instance. This step is optional and if left blank, Netskope will determine the name of the app instance post grant.

  5. Click Grant Access. You will be prompted to log in using a super admin or a user with a custom role and password, and then click Sign In. When the configuration results page opens, click Close.

Refresh your browser, and you should see a green check icon next to the instance name.

Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.

Configure Microsoft Azure Blob Storage as a Forensic Destination

To configure Microsoft Azure Blob Storage as a forensic destination, follow the instructions below.

  • Prerequisite

  • Set up Microsoft Azure Blob Storage Forensic Instance

  • Create and Assign a Custom Role in Azure Portal

Prerequisite
  • Ensure that you have at least one storage account and container configured.

  • In the Security + Networking section of a storage account, navigate to Networking > Firewalls and virtual networks. Under Public network access, set the option to Enabled for All Networks. If you choose Enabled from selected virtual networks and IP addresses, under the Firewall section, ensure that Netskope IP addresses are in the allow list.

    The Netskope IP address link is accessible only to authorized customer contacts via login. If you do not have access, contact your Netskope sales representative or support team.
Set up Microsoft Azure Blob Storage Forensic Instance

To configure Microsoft Azure Blob Storage forensic instance, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.

  2. Click the Setup Forensic Instance drop-down and select Azure Blob Storage.
    The Setup Forensic Instance page opens.

  3. Under Instance Name, enter a name of the Azure Blob Storage instance. You can enter alphanumeric, underscore (_), hyphen (-) characters only.

  4. Click Grant Access.
    The Microsoft Login window opens.

  5. After clicking Grant Access, log in with your Azure username and password when prompted, accept the permissions, and click Close.

    The logged in Azure user should have a minimum set of roles/permissions to grant consent to applications.

The Netskope – Forensics for Azure Blob Storage app is installed in the Azure portal with additional permissions once you grant access to the Microsoft Azure Blob Storage app.

Refresh your browser, and you should see a green check icon next to the instance name.

Create and Assign a Custom Role in Azure Portal

Once you have granted access, log in to the Azure portal, create a custom role, and assign the role to the storage account or container.

A storage account may include multiple containers. Though you can assign the custom role to a storage account, Netskope recommends a least-access strategy: restrict the custom role assignment to the container level.
  1. Log in to portal.azure.com as an application administrator or a higher role.

  2. Identify the subscription ID where you would like to create a custom role. To do so, navigate to All services > General > Subscriptions. Identify the subscription ID and click it.

  3. On the left navigation of the subscription page, click Access Control (IAM). Then, click + Add > Add custom role.

    The Create a custom role page opens.

  4. Under the Basics tab, enter a name for the custom role. Keep the rest of the fields unchanged.

  5. Click Next.

  6. Under Permissions, click + Add permissions. The Add permissions page opens. On the search bar, enter the following permissions one after the other:

    • Microsoft.Storage/storageAccounts/blobServices/containers/read. Click Microsoft Storage.

      Select Read : Get blob container and click Add.

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. Click Microsoft Storage.

      Click the Data Actions radio button and select Read : Read Blob and click Add.

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write. Click Microsoft Storage.
      Click the Data Actions radio button and select Write: Write Blob and click Add.

      Once you have added the 3 permissions, the Permissions tab should look like this:

  7. Click Review + create. The Review + create tab displays the following information. Review it.

    Note down the role name. This will be required when you assign the role to a container.
  8. Click Create.
    You have successfully created the custom role. Next, you should assign the role to a container.

  9. Navigate to All services > Storage > Storage accounts. Identify the storage account and click it.

  10. On the left navigation of the storage account page, click Data storage > Containers. Identify the container to which you would like to assign the custom role. Click it.

    Do not select the Microsoft internal container $logs as a forensics destination. Microsoft does not permit upload operations to this container type, preventing Netskope from successfully uploading forensic data.
  11. On the left navigation of the container page, click Access Control (IAM). Then, click + Add > Add role assignment.

    The Add role assignment page opens.

  12. Search by role name, select the role, and click Next.

  13. Under Members, click + Select members.

  14. Under Select Members, type Netskope – Forensics for Azure. Select the Netskope – Forensics for Azure Blob Storage app and click Select.

  15. Click Review + assign. The Review + assign tab displays the following information. Review it.

  16. Click Review + assign.

    The role assignment may take a few minutes. Before you proceed to create a forensic profile in the Netskope UI, give it a few minutes for the role assignment to take effect.

    You have successfully assigned the custom role to a container. Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.
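A check you can run after completing the steps above, as an added example that is not Netskope's code: it compares a custom role definition against the three permissions from step 6 and confirms that the role assignment scope is a single container rather than the whole storage account. The JSON layout (`permissions`, `actions`, `dataActions`) follows the shape the Azure CLI prints for role definitions; the role name, resource names, subscription ID, and the ARM scope pattern are constructed or assumed for illustration.

```python
import json
import re
from fnmatch import fnmatchcase

# The three permissions the page lists in step 6 (compared case-insensitively).
REQUIRED_ACTIONS = {
    "microsoft.storage/storageaccounts/blobservices/containers/read",
}
REQUIRED_DATA_ACTIONS = {
    "microsoft.storage/storageaccounts/blobservices/containers/blobs/read",
    "microsoft.storage/storageaccounts/blobservices/containers/blobs/write",
}

# Assumed ARM resource ID shape for a role assignment made on one blob container.
CONTAINER_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Storage"
    r"/storageAccounts/[^/]+/blobServices/default/containers/(?P<container>[^/]+)$",
    re.IGNORECASE,
)


def covered(required: str, granted: set) -> bool:
    """True if any granted entry, wildcards included, matches the required one."""
    return any(fnmatchcase(required, pattern) for pattern in granted)


def audit_role(role: dict) -> list:
    """Return findings for missing or extra permissions (notActions are not evaluated)."""
    actions, data_actions = set(), set()
    for block in role.get("permissions", []):
        actions |= {a.lower() for a in block.get("actions", [])}
        data_actions |= {a.lower() for a in block.get("dataActions", [])}
    findings = []
    for label, required, granted in (
        ("action", REQUIRED_ACTIONS, actions),
        ("data action", REQUIRED_DATA_ACTIONS, data_actions),
    ):
        for perm in sorted(required):
            if not covered(perm, granted):
                findings.append(f"missing {label}: {perm}")
        for perm in sorted(granted - required):
            findings.append(f"extra {label}: {perm}")
    return findings


def audit_assignment_scope(scope: str) -> list:
    """Flag scopes wider than one container, and the $logs container."""
    match = CONTAINER_SCOPE.match(scope)
    if not match:
        return [f"scope is broader than a single container: {scope}"]
    if match.group("container").lower() == "$logs":
        return ["$logs cannot be used as a forensic destination"]
    return []


# Constructed sample data: a role that matches step 6 and one that is too broad.
SAMPLE_ROLE = json.loads("""
{
  "roleName": "example-forensics-role",
  "permissions": [{
    "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    "dataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    ]
  }]
}
""")
BROAD_ROLE = json.loads("""
{
  "roleName": "example-too-broad",
  "permissions": [{
    "actions": [],
    "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"]
  }]
}
""")

SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
ACCOUNT = (f"/subscriptions/{SUB}/resourceGroups/example-rg/providers/"
           "Microsoft.Storage/storageAccounts/exampleacct")
CONTAINER = ACCOUNT + "/blobServices/default/containers/dlp-evidence"
LOGS = ACCOUNT + "/blobServices/default/containers/$logs"

if __name__ == "__main__":
    for role in (SAMPLE_ROLE, BROAD_ROLE):
        print(role["roleName"], audit_role(role) or "OK")
    for scope in (CONTAINER, ACCOUNT, LOGS):
        print(scope.rsplit("/", 1)[-1], audit_assignment_scope(scope) or "OK")
```
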

Configure Microsoft SharePoint as a Forensic Destination

To configure Microsoft SharePoint as a forensic destination, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.

  2. Click the Setup Forensic Instance drop-down and select SharePoint.
    The Setup Forensic Instance page opens.

  3. Under Office 365 Environment, select Commercial or GCC High.

  4. Under Instance Name, enter a name of the SaaS app instance. This step is optional and if left blank, Netskope will determine the name of the app instance post grant.

  5. Click Grant Access.
    The Microsoft Login window opens.

  6. After clicking Grant Access, log in with your global administrator username and password when prompted, accept the permissions, and click Close.

Refresh your browser, and you should see a green check icon next to the instance name.

Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.

Create a Forensic Profile

Next, you should create a forensic profile that flags policy violations and stores the files in a forensic folder/container. To create a forensic profile, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Policies > Profiles > Forensic.

  2. Click New Forensic Profile.

  3. Enter the following details:

    • Profile Name: Enter a name of the forensic profile.

    • App: Select either Amazon Web Services (Next Gen Forensics), Box (Next Gen Forensics), Google Drive (Next Gen Forensics), SharePoint (Next Gen Forensics), or Azure Blob Storage (Next Gen Forensics).

      A few storage apps have two options to choose from. The storage apps with ‘Next Gen Forensics’ next to the storage app name are supported on the Next Gen platform and enable forensic-only instances when creating a new forensic profile.
    • Instance Name: Select the appropriate app instance.

    • For Amazon Web Services (Next Gen Forensics), enter the Amazon S3 bucket name that was used to create the IAM role as part of the CloudFormation stack (forensicBucketName). The name is case-sensitive. To identify the Amazon S3 bucket name, log in to the AWS console.

    • For Box (Next Gen Forensics), enter the email address of the user. Netskope creates a forensic folder under this user's home drive.

    • For Google Drive (Next Gen Forensics), enter the email address of the user. Netskope creates a forensic folder under this user's home drive.

    • For SharePoint (Next Gen Forensics), enter the SharePoint site or sub-site URL in this format: https://<account-name>.sharepoint.com/sites/<site-name>. For example: https://netskope.sharepoint.com/sites/forensic-data-site. If you have selected a GCC High instance, the format will be https://<account-name>.sharepoint.us/sites/<site-name>.

    • For Azure Blob Storage (Next Gen Forensics), enter the Azure Blob storage account and container name. The names are case-sensitive. To identify the storage account and container names, log in to the Azure portal.

  4. Click Save and Apply Changes.

    Note on Amazon S3 & Azure Blob Storage as a forensic destination – Once you save the configuration, Netskope validates it. After successful validation, Netskope uploads a README.md file to the Amazon S3 bucket & container in Azure portal. You can log in to the AWS console or Azure portal to verify the upload.

You have successfully created a Next Gen forensic profile. Next, you should enable the forensic profile.

Enable the Forensic Profile

Next, you should enable the forensic profile. To do so, follow the steps below:

  1. Log in to your Netskope tenant and navigate to Settings > Forensics.

  2. Under Configuration, click Edit.

  3. Enable the Forensic Status toggle button.

  4. (optional) You can select the Encryption checkbox. On doing so, Netskope encrypts the forensic content before uploading it on the forensic destination SaaS/IaaS app. Selecting the encryption checkbox encrypts the original file as well if you have chosen to store original file access on the Edit Forensic Configuration page.

    Encryption is a controlled GA feature. Talk to your Netskope sales representative to learn more.

    This setting was previously under Policies > Profiles > Forensic > New Forensic Profile but has now moved to Edit Forensic Configuration. The change is happening in phases, so if you don’t see it in the new location, check the original page.

    Encrypted forensic content can be viewed only via Netskope tenant UI or Netskope REST APIs. Netskope decrypts the encrypted forensic content and displays it in the Incidents > DLP page. Moreover, if the original file access is enabled, a copy of the incident-generated file will be encrypted and when downloaded from Incidents > DLP page, the file will be decrypted.

    To view forensic content using Netskope REST APIs, see REST APIv2. You should use the following REST APIs to view forensic content:
    • Download forensic content: /api/v2/incidents/dlpincidents/{id}/forensics
    • Download original file: /api/v2/incidents/dlpincidents/{id}/originalfile
    • Download sub-file: /api/v2/incidents/dlpincidents/{id}/subfile
  5. From the drop-down list, select the forensic profile you created earlier.

  6. (optional) Select Store original file to store files associated with DLP incidents in the designated forensic folder. These files will be available for download when viewing the incidents. Enabling this option may require increasing the quota limit for your forensic folder.

  7. (optional) Select Store original file for Endpoint DLP to store files associated with Endpoint DLP incidents in the designated forensic folder. These files will be available for download when viewing the incidents. Enabling this option may require increasing the quota limit for your forensic folder.

    Store original file for Endpoint DLP is a controlled GA feature. Talk to your Netskope sales representative to learn more.
  8. (optional) Select Store sub-file – For DLP incidents involving images and other files embedded within documents or archive files, the Incidents page offers the ability to preview the images, view any extracted text, and download both the images and sub-files. Furthermore, the option to download these images and sub-files can be enabled with this checkbox. Enabling this option may require increasing the quota limit for your forensic folder.

    Store sub-file is a controlled GA feature. Talk to your Netskope sales representative to learn more.
  9. You can either click Save or continue to configure match-criteria forensic profiles.

Match-Criteria Forensic Profiles

A forensic profile allows customers to store an evidence trail for DLP violations. It captures forensic metadata, the original file, and any sub-files, all of which are considered sensitive. To ensure security and compliance, Netskope requires customers to use a self-managed cloud destination for storing this data.

Currently, each tenant can have only one forensic destination, making forensic data collection an all-or-nothing function. Forensic data is recorded for all DLP incidents, without the ability to choose whether to store it or where it is stored.

With match-criteria forensic configuration, you can now:

  • Enable or disable forensic logging, including sub-file and original file storage, based on the associated DLP profile.

  • Select a forensic destination profile based on the DLP profile.

Match-criteria is a controlled GA feature. Talk to your Netskope sales representative to learn more.

To configure match-criteria forensic profiles, follow the steps below:

Forensic profiles based on match criteria take precedence over the default forensic profile mentioned in step 5 under Enable the Forensic Profile.
  1. Enable the match criteria toggle button.

  2. Under the match criteria table, you can add:

    • DLP Profile: Select from a list of pre-defined and custom DLP profiles. You can add multiple DLP profiles.

    • Store Status: You can enable or disable this toggle button.

      • Enable: Store forensic data in a forensic profile.

      • Disable: Do not store forensic data.

    • Forensic Profile: If Store Status is enabled, choose a forensic profile.

      To create a forensic profile, see Create a Forensic Profile.
    • Content Status: If Store Status is enabled, you can choose to store the original file, and sub-file.

      • Store original file: Store original files associated with DLP incidents in the designated forensic folder. These files will be available for download when viewing the incidents. Enabling this option may require increasing the quota limit for your forensic folder.

      • Store sub-file: For DLP incidents involving images and other files embedded within documents or archive files, the Incidents page offers the ability to preview the images, view any extracted text, and download both the images and sub-files. Furthermore, the option to download these images and sub-files can be enabled with this checkbox. Enabling this option may require increasing the quota limit for your forensic folder.

  3. You can add more match criteria rows by clicking Add Match Criteria.

    You can create as many as 25 match-criteria forensic profiles.
  4. You can delete a match criterion row by clicking the ellipsis (…) > Delete.

  5. The match criteria are ranked in an ascending order with 1 taking the highest rank followed by 2, 3, and so on. To change the rank order, you can drag and drop the match criterion row.

  6. Click Save.

Match-Criteria Ranking & Evaluation

You can create multiple match criteria rules, each associated with multiple DLP profiles. These match criteria rules are prioritized using a rank number, where 1 is the highest ranked, followed by 2, 3, and so on.

When a forensic match occurs, Netskope checks the match criteria in order. If a match is found in rank 1, the defined action is taken immediately, and no further match criteria are checked. If there is no match, Netskope moves to the next match criteria in the rank order until it finds one. Once a match is found, the defined action is taken immediately, and no further match criteria are checked.

This ensures that forensic actions are applied based on the highest-ranked match, optimizing the enforcement process.

If no matching rule is found amongst the configured rules, Netskope defaults to the standard forensic configuration as mentioned in step 5 under Enable the Forensic Profile.

Match-Criteria Logic for Container File

When a DLP match occurs on a container file (such as a ZIP file), the original file is stored based on the first match in the forensic policy. For example:

Forensic profile definition:

  • Match Criteria 1: If the file matches PCI, store it in Forensics Profile A.

  • Match Criteria 2: If the file matches PII, store it in Forensics Profile B.

A container file (.zip) contains two files:

  • File 1 matches the PCI DLP profile → Incident 1

  • File 2 matches the PII DLP profile → Incident 2

Since only one copy of the original file is stored per transaction, it is saved based on the first match in the forensic policy. In this case, the original ZIP file is stored in Forensics Profile A (PCI match).

This ensures consistency in forensic storage and prevents duplication.
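The ranking and container-file logic described above, modeled as an added example (not Netskope's implementation). It assumes that "first match in the forensic policy" means the highest-ranked rule matching any DLP profile in the transaction; the `Rule` and `Decision` types, the function names, and the default profile name are hypothetical.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

MAX_RULES = 25  # the page allows as many as 25 match-criteria rows


@dataclass(frozen=True)
class Rule:
    """One match-criteria row; list position is its rank (index 0 is rank 1)."""
    dlp_profiles: frozenset
    store: bool                          # Store Status toggle
    forensic_profile: Optional[str] = None
    store_original: bool = False
    store_subfile: bool = False


@dataclass(frozen=True)
class Decision:
    source: str                          # "rank N" or "default"
    store: bool
    forensic_profile: Optional[str]
    store_original: bool
    store_subfile: bool


def first_match(profiles: set, rules: Sequence[Rule], default: Decision) -> Decision:
    """Walk the rules in rank order and stop at the first one that matches."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} match-criteria rows are allowed")
    for rank, rule in enumerate(rules, start=1):
        if profiles & rule.dlp_profiles:
            if not rule.store:           # Store Status disabled: nothing is stored
                return Decision(f"rank {rank}", False, None, False, False)
            return Decision(f"rank {rank}", True, rule.forensic_profile,
                            rule.store_original, rule.store_subfile)
    return default                       # no rule matched: default forensic profile


def evaluate_incident(dlp_profile: str, rules: Sequence[Rule],
                      default: Decision) -> Decision:
    """Forensic decision for one incident, keyed on its DLP profile."""
    return first_match({dlp_profile}, rules, default)


def evaluate_original_file(incident_profiles: Iterable[str], rules: Sequence[Rule],
                           default: Decision) -> Decision:
    """One copy of a container file per transaction: the highest-ranked rule
    matching any incident's DLP profile decides where it goes (assumed reading)."""
    return first_match(set(incident_profiles), rules, default)


# Constructed policy mirroring the page's example: PCI at rank 1, PII at rank 2.
DEFAULT = Decision("default", True, "Default Forensics Profile", True, False)
PAGE_POLICY = [
    Rule(frozenset({"PCI"}), True, "Forensics Profile A", store_original=True),
    Rule(frozenset({"PII"}), True, "Forensics Profile B", store_original=True),
]
# The same policy with a store-disabled PII rule ranked above it: the earlier
# rule wins, so the later "store PII in Profile B" rule is never reached.
EXCLUDE_FIRST = [Rule(frozenset({"PII"}), store=False)] + PAGE_POLICY

if __name__ == "__main__":
    print(evaluate_incident("PCI", PAGE_POLICY, DEFAULT))
    print(evaluate_incident("PII", PAGE_POLICY, DEFAULT))
    # ZIP with File 1 matching PCI and File 2 matching PII, listed in either order.
    print(evaluate_original_file(["PII", "PCI"], PAGE_POLICY, DEFAULT))
    print(evaluate_incident("PII", EXCLUDE_FIRST, DEFAULT))
```
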

Best Practices for Match-Criteria Forensic Profiles

  • Default storage sufficiency: Most customers do not need to enable this functionality. Storing all data in a single location is sufficient for general use cases.

  • Prioritize exclusions: Rules that prevent specific DLP profile match data from being stored should be placed at the top of the rule set.

  • Restrict file storage: Rules that prevent storing the original file or sub-file should follow next.

  • Define specific storage locations: Rules that require storing data in a designated location should come after exclusion and restriction rules.

  • Fallback to default: Any remaining data that does not meet the above conditions should follow the default forensic profile.

Frequently Asked Questions

  1. I have already configured forensics using the classic API Data Protection for SharePoint. Do I need to switch to Next Gen forensics now?

    If you currently use classic API Data Protection for Microsoft 365 SharePoint and use it as a forensic destination, you can switch to Next Gen forensics at the same time you switch to Next Generation API Data Protection for Microsoft 365 SharePoint. Netskope is rapidly enhancing the Next Generation API Data Protection for Microsoft 365 SharePoint to offer all the features that exist in classic API Data Protection for Microsoft 365 SharePoint. Refer to this link to see if all the features you use for classic API Data Protection for Microsoft 365 SharePoint are available in the Next Generation API Data Protection for Microsoft 365 SharePoint. If they are available, you may consider switching to Next Generation API Data Protection for Microsoft 365 SharePoint and Next Gen Forensics and use Microsoft 365 SharePoint as a forensic destination.

    If you currently do not use classic API Data Protection for Microsoft 365 SharePoint but have set up a classic API Data Protection SharePoint instance for forensics purposes only, you may consider switching to the Next Gen forensics platform.

  2. If I switch to Next Gen forensics, what will happen to the forensics information that is already stored for previously generated incidents?

    • For new incidents generated after enabling Next-Gen Forensics, all uploads and downloads will happen through the Next-Gen forensics framework.

    • Old incidents will continue to use classic API Data Protection instances to download forensics as long as the old instance is not deleted and the API Data Protection grant is intact. The administrator should not delete the old instance until the retention period for those incidents expires.

  3. Will Next Gen forensics work only with Next Generation API Data Protection application instances? I am currently using API Data Protection and all my app instances are configured on classic API Data Protection.

    Next Gen forensics works across classic API Data Protection apps, Next Generation API Data Protection apps, CASB Inline, and SMTP email.

  4. I am currently using Microsoft SharePoint as my forensic destination. This is configured using the classic API Data Protection. Now, if I switch to Next Gen forensics, what are the steps I should follow? Are there any key issues I should know before making the switch?

    The grant for the classic API Data Protection instances should remain intact until the retention period has expired to enable downloading forensics for historical incidents. Follow the steps documented in this article to configure Next Gen forensics.

  5. I am currently using Box as the forensics destination. If I switch to Microsoft SharePoint using Next Gen forensics, will I be able to have old incidents continue to refer to the forensics on Box and the new incidents refer to the forensics on Microsoft SharePoint?

    Yes, users should be able to download historical forensics from the Box app as long as the grant for the classic API Data Protection for Box instance is active.
