Next Gen Forensics
With forensics, you can save a copy of the file and the DLP match highlights in a forensic storage location. This gives incident remediators the evidence they need, alongside the other information available in the DLP incident and the corresponding Skope IT alert.
Next Gen forensics is built on a new platform that is decoupled from classic API Data Protection. Previously, forensics was tightly coupled with the classic API Data Protection product: the administrator set up and configured forensics through the classic API Data Protection grant flow, which required extensive permission scopes from the SaaS/IaaS provider. With Next Gen, forensics can be configured independently and requires only a minimum set of permissions.
To set up forensics, you need to:
- Configure the storage app(s) in which you want to store forensic data.
Currently, Netskope supports Box, Google Drive, Microsoft Azure Blob Storage, and Microsoft SharePoint as forensic destinations on the Next Gen platform.
Configure Storage App(s)
Here is a list of apps that you can configure as a forensic destination.
Configure Box as a Forensic Destination
To configure Box as a forensic destination, follow the steps below:
- Prerequisites
- Authorize Netskope App on Box Admin Console
- Set up Box Forensic Instance
Prerequisites
- A Box account with a Business, Business Plus, Enterprise, or Enterprise Plus license.
- A Box admin or co-admin user account.
Authorize Netskope App on Box Admin Console
As a Box admin or co-admin, authorize the Netskope app on Box so that Netskope can make API calls to Box. Either an admin or a co-admin account can be used to grant access to Netskope.
- Log in to your Box account using the admin or co-admin user and click Admin Console.
- Navigate to Admin Console > Apps > Custom Apps Manager. Under Server Authentication Apps, click Add App. Under Client ID, enter the following client ID: jrnqg3rwthiozrbzhtgtcil3p2lunydd
- Click Next and Authorize.
Set up Box Forensic Instance
To configure a Box forensic instance, follow the steps below:
- Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.
- Click the Setup Forensic Instance drop-down and select Box. The Setup Forensic Instance page opens.
- Under Instance Name, enter the name of the SaaS app instance. This step is optional; if left blank, Netskope determines the name of the app instance after the grant.
- Click Grant Access. You will be prompted to log in using the Box admin or co-admin account; click Authorize, review the permissions, and click Grant access to Box. When the configuration results page opens, click Close.
Refresh your browser, and you should see a green check icon next to the instance name.
Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.
Configure Google Drive as a Forensic Destination
To configure Google Drive as a forensic destination, follow the steps below:
- Prerequisites
- Grant Scopes to the Netskope Service Account
- Set up Google Drive Forensic Instance
Prerequisites
- A Google Workspace with a Business Standard or Business Plus edition license.
- A Google super admin account to create a custom role and user for the Netskope integration.
- Ensure that Google Drive is available across all organizational units of your Google account. To check, log in to admin.google.com using your Google super admin account, navigate to Apps > Google Workspace > Drive and Docs, and ensure that Service status is set to ON for everyone.
- Ensure that the Google Drive SDK is turned on. To check, log in to admin.google.com using your Google super admin account, navigate to Apps > Google Workspace > Drive and Docs > Features and Applications, and ensure that Drive SDK is turned on.
Create and Assign Custom Role for Netskope
If you do not plan to use the Google super admin account, you can create a custom role and assign it to a user to grant access to Next Generation API Data Protection. You can grant privileges/scopes using the default Google super admin role or by creating a custom role exclusively for the Netskope integration. This section describes the steps to create a custom role for Netskope.
- Log in to admin.google.com as a super admin.
- Click the triple bar in the top-left corner of the home page and navigate to Account > Admin roles.
- Click Create new role.
- Enter a name and description for the role and click CONTINUE.
- Select the privileges for the role. Netskope does not recommend removing any of the following privileges; removing them may cause API calls and policy processing to fail.
  - Admin console privileges: these are assigned automatically when a new role is created in Google Workspace. The level of access this role has in the admin console depends on the permissions granted to it. Netskope requires the following privileges:
    Privilege | Needed for…
    Services > Drive and Docs > Settings (all 5 privileges) | Enables the Google Drive admin setting.
    Domain Settings | Lists the domains under the Google Workspace. Netskope uses the domain list to determine whether a user is internal or external.
  - Admin API privileges: these are required to make any API calls.
    Privilege | Needed for…
    Groups > Read | Gets group information.
    Users > Read | Gets user information.
    Domain Management | Lists the domains under the Google Workspace. Netskope uses the domain list to determine whether a user is internal or external.
- Click CONTINUE, and then click CREATE ROLE.
Once you have created the custom role, you can assign it to a user. To do so, navigate to Directory > Users, click the user account, navigate to Admin roles and privileges, and assign the role you created above. That user can then authorize Netskope and grant access to your Google Drive instance.
Grant Scopes to the Netskope Service Account
This section describes the steps required to register the Netskope web application and API client with Google to enable access to data in Google Drive.
- Log in to admin.google.com as a super admin.
- Navigate to Security > Access and data control > API controls.
- On the API controls page, under Domain wide delegation, click Manage Domain Wide Delegation.
- Click Add new. A new pop-up opens.
- For Client ID, enter the following client ID: 108196482611215472250
- For OAuth scopes, enter the following scopes, one scope per line:
  - https://www.googleapis.com/auth/admin.directory.user.readonly
  - https://www.googleapis.com/auth/admin.directory.domain.readonly
  - https://www.googleapis.com/auth/drive
- Click Authorize.
- Verify the steps above by checking that the Netskope for Google app appears in the API clients list.
Set up Google Drive Forensic Instance
To configure a Google Drive forensic instance, follow the steps below:
- Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.
- Click the Setup Forensic Instance drop-down and select Google Drive. The Setup Forensic Instance page opens.
- Under API Admin Email, enter the Google account email of the super admin or of a user with the custom role (see Create and Assign Custom Role for Netskope).
- Under Instance Name, enter a name for the SaaS app instance. This step is optional; if left blank, Netskope determines the name of the app instance after the grant.
- Click Grant Access. You will be prompted to log in with the super admin account (or the user with the custom role) and password; click Sign In. When the configuration results page opens, click Close.
Refresh your browser, and you should see a green check icon next to the instance name.
Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.
Configure Microsoft Azure Blob Storage as a Forensic Destination
To configure Microsoft Azure Blob Storage as a forensic destination, two steps are involved. Follow the instructions below.
- Prerequisites
- Create and Assign a Custom Role in Azure Portal
Prerequisites
- Ensure that you have at least one storage account and container configured.
- In the Security + Networking section of the storage account, navigate to Networking > Firewalls and virtual networks. Under Public network access, set the option to Enabled for All Networks. If you instead choose Enabled from selected virtual networks and IP addresses, ensure under the Firewall section that the Netskope IP addresses are in the allow list.
The Netskope IP address link is accessible only to authorized customer contacts via login. If you do not have access, contact your Netskope sales representative or support team.
Set up Microsoft Azure Blob Storage Forensic Instance
To configure a Microsoft Azure Blob Storage forensic instance, follow the steps below:
- Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.
- Click the Setup Forensic Instance drop-down and select Azure Blob Storage. The Setup Forensic Instance page opens.
- Under Instance Name, enter a name for the Azure Blob Storage instance. Only alphanumeric, underscore (_), and hyphen (-) characters are allowed.
- Click Grant Access. The Microsoft Login window opens.
- You will be prompted to log in with your Azure username and password; then Accept the permissions and click Close. The logged-in Azure user must have the minimum set of roles/permissions required to grant consent to applications.
The Netskope – Forensics for Azure Blob Storage app is installed in the Azure portal with additional permissions once you grant access to the Microsoft Azure Blob Storage app.
Refresh your browser, and you should see a green check icon next to the instance name.
Create and Assign a Custom Role in Azure Portal
Once you have granted access, log in to the Azure portal, create a custom role, and assign the role to the storage account or container.
- Log in to portal.azure.com as an application administrator or a higher role.
- Identify the subscription ID where you would like to create the custom role. To do so, navigate to All services > General > Subscriptions, identify the subscription ID, and click it.
- On the left navigation of the subscription page, click Access Control (IAM). Then, click + Add > Add custom role. The Create a custom role page opens.
- Under the Basics tab, enter a name for the custom role. Keep the rest of the fields unchanged.
- Click Next.
- Under Permissions, click + Add permissions. The Add permissions page opens. In the search bar, enter the following permissions one after the other:
  - Microsoft.Storage/storageAccounts/blobServices/containers/read: click Microsoft Storage, select Read : Get blob container, and click Add.
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read: click Microsoft Storage, click the Data Actions radio button, select Read : Read Blob, and click Add.
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write: click Microsoft Storage, click the Data Actions radio button, select Write : Write Blob, and click Add.
  Once you have added the 3 permissions, all three should appear on the Permissions tab.
- Click Review + create. Review the information displayed on the Review + create tab. Note down the role name; you will need it when you assign the role to a container.
- Click Create. You have successfully created the custom role. Next, assign the role to a container.
- Navigate to All services > Storage > Storage accounts. Identify the storage account and click it.
- On the left navigation of the storage account page, click Data storage > Containers. Identify the container to which you would like to assign the custom role and click it.
- On the left navigation of the container page, click Access Control (IAM). Then, click + Add > Add role assignment. The Add role assignment page opens.
- Search by role name, select the role, and click Next.
- Under Members, click + Select members.
- Under Select Members, type Netskope – Forensics for Azure. Select the Netskope – Forensics for Azure Blob Storage app and click Select.
- Click Review + assign. Review the information displayed on the Review + assign tab.
- Click Review + assign.
The role assignment may take a few minutes. Before you proceed to create a forensic profile in the Netskope UI, give it a few minutes for the role assignment to take effect. You have successfully assigned the custom role to a container. Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.
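The custom role above is easy to get subtly wrong: the container permission is a management-plane Action, while the two blob permissions only take effect when they sit under Data Actions. The following Python is an added example (not Netskope's or Microsoft's code) that writes the same three permissions into the role-definition JSON layout accepted by the Azure portal and CLI, and reviews an existing definition against that documented minimum. The subscription ID and role name are placeholders to replace with your own values.

```python
"""Build and review the Azure custom role used for Next Gen forensics on
Blob Storage. Added example; the subscription ID and role name below are
placeholders (assumptions), not values from the page."""
import json

# The three permissions from the procedure. Only the container read is a
# management-plane Action; the two blob permissions are DataActions, which
# is why the procedure has you click the Data Actions radio button for them.
CONTAINER_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/read"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"

REQUIRED_ACTIONS = {CONTAINER_READ}
REQUIRED_DATA_ACTIONS = {BLOB_READ, BLOB_WRITE}


def build_role_definition(role_name, subscription_id):
    """Return the role definition in the JSON layout used by
    'az role definition create --role-definition <file>'."""
    return {
        "Name": role_name,
        "IsCustom": True,
        "Description": "Least-privilege role for Netskope Next Gen forensics uploads",
        "Actions": sorted(REQUIRED_ACTIONS),
        "NotActions": [],
        "DataActions": sorted(REQUIRED_DATA_ACTIONS),
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def check_role_definition(role):
    """Review a role definition dict (for example one exported from the portal)
    against the documented minimum. Returns a list of findings; an empty list
    means the role matches exactly."""
    findings = []
    actions = set(role.get("Actions", []))
    data_actions = set(role.get("DataActions", []))
    for p in REQUIRED_ACTIONS - actions:
        findings.append(f"missing Action: {p}")
    for p in REQUIRED_DATA_ACTIONS - data_actions:
        findings.append(f"missing DataAction: {p}")
    # Blob permissions only work at the data plane when listed under
    # DataActions; under Actions the upload will fail even though the
    # role "contains" the permission string.
    for p in actions & REQUIRED_DATA_ACTIONS:
        findings.append(f"blob permission listed under Actions instead of DataActions: {p}")
    for p in actions - REQUIRED_ACTIONS - REQUIRED_DATA_ACTIONS:
        findings.append(f"extra Action beyond the documented minimum: {p}")
    for p in data_actions - REQUIRED_DATA_ACTIONS:
        findings.append(f"extra DataAction beyond the documented minimum: {p}")
    if role.get("NotActions") or role.get("NotDataActions"):
        findings.append("unexpected NotActions/NotDataActions entries")
    return findings


if __name__ == "__main__":
    # Placeholder subscription ID and role name (assumptions).
    role = build_role_definition("netskope-forensics-blob",
                                 "00000000-0000-0000-0000-000000000000")
    print(json.dumps(role, indent=2))
    # A common mistake: all three strings placed under Actions.
    wrong = dict(role, Actions=[CONTAINER_READ, BLOB_READ, BLOB_WRITE], DataActions=[])
    for finding in check_role_definition(wrong):
        print("finding:", finding)
```

Running the script prints the role JSON followed by four findings for the mis-filed variant (two missing DataActions and two blob permissions under Actions), which is the shape of error a "role created but uploads fail" ticket usually turns out to be.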
Configure Microsoft SharePoint as a Forensic Destination
To configure Microsoft SharePoint as a forensic destination, follow the steps below:
- Log in to your Netskope tenant and navigate to Settings > Forensics > Instances.
- Click the Setup Forensic Instance drop-down and select SharePoint. The Setup Forensic Instance page opens.
- Under Office 365 Environment, select Commercial or GCC High.
- Under Instance Name, enter a name for the SaaS app instance. This step is optional; if left blank, Netskope determines the name of the app instance after the grant.
- Click Grant Access. The Microsoft Login window opens.
- You will be prompted to log in with your global administrator username and password; then Accept the permissions and click Close.
Refresh your browser, and you should see a green check icon next to the instance name.
Next, you should create a forensic profile. To do so, follow the steps in Create a Forensic Profile.
Create a Forensic Profile
Next, you should create a forensic profile that flags policy violations and stores the files in a forensic folder/container. To create a forensic profile, follow the steps below:
- Log in to your Netskope tenant and navigate to Policies > Profiles > Forensic.
- Click New Forensic Profile.
- Enter the following details:
  - Profile Name: Enter a name for the forensic profile.
  - App: Select Box (Next Gen Forensics), Google Drive (Next Gen Forensics), SharePoint (Next Gen Forensics), or Azure Blob Storage (Next Gen Forensics). A few storage apps have two options to choose from. The storage apps with ‘Next Gen Forensics’ next to the name are supported on the Next Gen platform and enable forensic-only instances when creating a new forensic profile.
  - Instance Name: Select the appropriate app instance.
  - For Box (Next Gen Forensics), enter the email address of the user. Netskope creates a forensic folder under this user’s home drive.
  - For Google Drive (Next Gen Forensics), enter the email address of the user. Netskope creates a forensic folder under this user’s home drive.
  - For SharePoint (Next Gen Forensics), enter the SharePoint site or sub-site URL in the format https://<account-name>.sharepoint.com/sites/<site-name>, for example https://netskope.sharepoint.com/sites/forensic-data-site. If you have selected a GCC High instance, the format is https://<account-name>.sharepoint.us/sites/<site-name>.
  - For Azure Blob Storage (Next Gen Forensics), enter the Azure Blob storage account and container name. The names are case-sensitive. To identify the storage account and container names, log in to the Azure portal.
  - (optional) Select the encryption checkbox. When it is selected, Netskope encrypts the forensic content before uploading it to the forensic destination SaaS/IaaS app. Selecting the encryption checkbox also encrypts the original file if you have enabled original file access on the Settings > Forensics > Configuration page.
    Encryption is a limited availability feature. Talk to your Netskope sales representative to learn more. Encrypted forensic content can be viewed only via the Netskope tenant UI or Netskope REST APIs. Netskope decrypts the encrypted forensic content and displays it on the Incidents > DLP page. Moreover, if original file access is enabled, a copy of the incident-generated file is stored encrypted and is decrypted when downloaded from the Incidents > DLP page.
    To view forensic content using Netskope REST APIs, see REST APIv2. Use the following REST APIs to view forensic content:
    - Download forensic content: /api/v2/incidents/dlpincidents/{id}/forensics
    - Download original file: /api/v2/incidents/dlpincidents/{id}/originalfile
- Click Save.
Note on Azure Blob Storage as a forensic destination: once you save the configuration, Netskope validates it. Once validated successfully, Netskope uploads a README.md file to the container in the Azure portal. You can log in to the Azure portal to verify the upload.
You have successfully created a Next Gen forensic profile. Next, you should enable the forensic profile.
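A forensic profile points DLP evidence at whatever site URL is typed in, so it is worth checking that value before saving, especially when it is pasted from a ticket. The Python below is an added example (not Netskope code) that encodes the two formats stated above: <account-name>.sharepoint.com/sites/<site-name> for Commercial and <account-name>.sharepoint.us/sites/<site-name> for GCC High. Accepting a further path segment for a sub-site, and the character sets allowed in the account and site names, are my assumptions, not rules taken from the page.

```python
"""Validate a SharePoint site or sub-site URL for a Next Gen forensic
profile. Added example; the sub-site handling and the allowed character
sets are assumptions."""
import re
from urllib.parse import urlsplit

# Host suffix per Office 365 environment, as stated in the profile steps.
SHAREPOINT_SUFFIX = {
    "Commercial": "sharepoint.com",
    "GCC High": "sharepoint.us",
}

# Assumed character sets: tenant names are letters/digits/hyphens;
# site path segments also allow underscores. Segments must be non-empty.
_ACCOUNT = re.compile(r"^[a-z0-9][a-z0-9-]*$", re.IGNORECASE)
_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_site_url(url, environment="Commercial"):
    """Return the normalised site URL, or raise ValueError explaining why the
    value is not a usable SharePoint site/sub-site URL for that environment."""
    if environment not in SHAREPOINT_SUFFIX:
        raise ValueError(f"unknown Office 365 environment: {environment!r}")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("site URL must use https")
    if parts.query or parts.fragment or parts.username or parts.port:
        raise ValueError("site URL must not contain a query, fragment, credentials or port")
    host = parts.hostname or ""  # urlsplit lower-cases the host for us
    suffix = SHAREPOINT_SUFFIX[environment]
    # endswith("." + suffix) rejects look-alikes such as
    # tenant.sharepoint.com.example.net, which a plain substring check passes.
    if not host.endswith("." + suffix):
        raise ValueError(f"{environment} sites must be under *.{suffix}, got {host!r}")
    account = host[: -len(suffix) - 1]
    if not _ACCOUNT.match(account):
        raise ValueError(f"invalid account name {account!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or segments[0].lower() != "sites":
        raise ValueError("path must be /sites/<site-name>[/<sub-site>]")
    for seg in segments[1:]:
        if not _SEGMENT.match(seg):
            raise ValueError(f"invalid site path segment {seg!r}")
    return f"https://{host}/" + "/".join(segments)


def is_valid_site_url(url, environment="Commercial"):
    """Boolean convenience wrapper around validate_site_url."""
    try:
        validate_site_url(url, environment)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The page's own example, plus constructed inputs that must be rejected.
    print(validate_site_url("https://netskope.sharepoint.com/sites/forensic-data-site"))
    for bad in ("http://netskope.sharepoint.com/sites/x",
                "https://netskope.sharepoint.com.example.net/sites/x",
                "https://netskope.sharepoint.us/sites/x"):
        print(bad, "->", is_valid_site_url(bad))
```

The last constructed input is a GCC High host checked against the default Commercial environment; it is rejected because the environment selected on the instance and the URL entered in the profile must agree.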
Enable the Forensic Profile
Next, you should enable the forensic profile. To do so, follow the steps below:
- Log in to your Netskope tenant and navigate to Settings > Forensics > Configuration.
- Under Forensics, click Edit.
- Enable the Forensic Status toggle button.
- From the drop-down list, select the forensic profile you created earlier.
- (optional) Select Enable original file access if you want to download the violating file that caused a DLP incident. To learn more, see About DLP.
- (optional) Select Enable sub-file access. For DLP incidents involving images and other files embedded within documents or archive files, the Incidents page offers the ability to preview the images, view any extracted text, and download both the images and sub-files. This checkbox enables the option to download those images and sub-files.
  Enable original file access and Enable sub-file access are limited availability features. Talk to your Netskope sales representative to learn more.
- Click Save.
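Once the profile is enabled, the two REST APIv2 endpoints listed under Create a Forensic Profile are how forensic content and (with original file access enabled) the original file are retrieved outside the UI. The Python below is an added example, not Netskope's SDK or tooling. Its assumptions are labelled: the tenant host example.goskope.com, the environment variable NETSKOPE_API_TOKEN, the incident id values, that REST APIv2 authenticates with a Netskope-Api-Token header, and that the endpoints return the file bytes in the response body. The incident id is validated before it is placed in the path so that a value copied from a ticket cannot change which resource is requested.

```python
"""Fetch forensic content or the original file for a DLP incident through the
REST APIv2 endpoints named on the page. Added example; tenant host, token
source, header name and sample ids are assumptions."""
import io
import os
import re
from urllib.request import Request, urlopen

# Endpoints exactly as given on the page; {id} is the DLP incident id.
ENDPOINTS = {
    "forensics": "/api/v2/incidents/dlpincidents/{id}/forensics",
    "originalfile": "/api/v2/incidents/dlpincidents/{id}/originalfile",
}

# Only a conservative character set is allowed in the id, so an input such
# as "123/../456" is refused instead of altering the request path.
_INCIDENT_ID = re.compile(r"^[A-Za-z0-9_-]+$")


def build_request(tenant_host, incident_id, token, kind="forensics"):
    """Return (url, headers) for the chosen content kind."""
    if kind not in ENDPOINTS:
        raise ValueError(f"unknown content kind: {kind!r}")
    incident_id = str(incident_id)
    if not _INCIDENT_ID.match(incident_id):
        raise ValueError(f"refusing incident id {incident_id!r}: unexpected characters")
    if not token:
        raise ValueError("API token is empty")
    url = f"https://{tenant_host}{ENDPOINTS[kind].format(id=incident_id)}"
    headers = {"Netskope-Api-Token": token}  # assumed REST APIv2 header name
    return url, headers


def fetch(tenant_host, incident_id, token, kind="forensics", opener=urlopen):
    """Return the content bytes. 'opener' is injectable so the function can be
    exercised offline with fake_opener() below."""
    url, headers = build_request(tenant_host, incident_id, token, kind)
    req = Request(url, headers=headers, method="GET")
    chunks = []
    with opener(req) as resp:
        while True:
            chunk = resp.read(64 * 1024)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def save(tenant_host, incident_id, token, dest_path, kind="forensics", opener=urlopen):
    """Write the content to dest_path and return the number of bytes written."""
    data = fetch(tenant_host, incident_id, token, kind, opener)
    with open(dest_path, "wb") as out:
        out.write(data)
    return len(data)


def fake_opener(payload):
    """Stand-in for urlopen that serves a constructed payload (offline use)."""
    return lambda req: io.BytesIO(payload)


if __name__ == "__main__":
    # Constructed values; replace with your tenant, incident id and token.
    token = os.environ.get("NETSKOPE_API_TOKEN", "placeholder-token")
    offline = fake_opener(b"constructed forensic content\n")
    data = fetch("example.goskope.com", "12345", token, "forensics", opener=offline)
    print(f"fetched {len(data)} bytes")
```

For a real run, drop the opener argument so urlopen is used, and keep the token in the environment rather than in the script; the `originalfile` kind only returns content when original file access is enabled in the configuration above.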
Frequently Asked Questions
- I have already configured forensics using classic API Data Protection for SharePoint. Do I need to switch to Next Gen forensics now?
  If you currently use classic API Data Protection for Microsoft 365 SharePoint and use it as a forensic destination, you can switch to Next Gen forensics at the same time you switch to Next Generation API Data Protection for Microsoft 365 SharePoint. Netskope is rapidly enhancing Next Generation API Data Protection for Microsoft 365 SharePoint to offer all the features that exist in classic API Data Protection for Microsoft 365 SharePoint. Refer to this link to see whether all the features you use in classic API Data Protection for Microsoft 365 SharePoint are available in Next Generation API Data Protection for Microsoft 365 SharePoint. If they are, you may consider switching to Next Generation API Data Protection for Microsoft 365 SharePoint and Next Gen Forensics and using Microsoft 365 SharePoint as a forensic destination.
  If you currently do not use classic API Data Protection for Microsoft 365 SharePoint but have set up a classic API Data Protection SharePoint instance for forensics purposes only, you may consider switching to the Next Gen forensics platform.
- If I switch to Next Gen forensics, what happens to the forensics information already stored for previously generated incidents?
  - For new incidents generated after enabling Next Gen Forensics, all uploads and downloads happen through the Next Gen forensics framework.
  - Old incidents continue to use the classic API Data Protection instances to download forensics as long as the old instance is not deleted and the API Data Protection grant is intact. The administrator should not delete the old instance until the retention period for those incidents expires.
- Will Next Gen forensics work only with Next Generation API Data Protection application instances? I am currently using API Data Protection and all my app instances are configured on classic API Data Protection.
  Next Gen forensics works across classic API Data Protection apps, Next Generation API Data Protection apps, CASB Inline, and SMTP email.
- I am currently using Microsoft SharePoint as my forensic destination, configured using classic API Data Protection. If I switch to Next Gen forensics, what steps should I follow? Are there any key issues I should know about before making the switch?
  The grant for the classic API Data Protection instances should remain intact until the retention period has expired, so that forensics for historical incidents can still be downloaded. Follow the steps documented in this article to configure Next Gen forensics.
- I am currently using Box as the forensics destination. If I switch to Microsoft SharePoint using Next Gen forensics, will old incidents continue to refer to the forensics on Box while new incidents refer to the forensics on Microsoft SharePoint?
  Yes, users can download historical forensics from the Box app as long as the grant for the classic API Data Protection for Box instance is active.