Create a Forensic Profile
After you have configured the IaaS/SaaS app for which your want to use forensics, next you need to create a forensic profile.
To create a forensic profile:
In the Netskope tenant UI, go to Policies > Profiles > Forensic.
Click New Forensic Profile.
In Profile Name, enter the name of the forensic profile.
Under App and Instance, select the appropriate SaaS/IaaS app followed by the corresponding instance name.
Note
On selecting an app, additional fields may get enabled. Enter the appropriate details for the additional fields. For most of the apps, you need to enter the email address of the user. The forensic folder will be created under the email address of this user.
For Egnyte, you can either select a Personal Folder or Team Folder. For more information, see Forensic Folder Support for Egnyte.
For SharePoint, select a site where you would like to store the forensic data.
For Microsoft Azure, you should enter the exact name of the Azure storage account and container where the forensic data will be stored. To get these details, log in to your Azure portal.
Click Save and Apply Changes.
Once you have created a forensic profile, go to Settings > Forensics, click Edit Settings, enable the forensic feature, select the forensic profile, and click Save.
Note
Forensic data cannot be migrated between profiles. If you modify the profile destination, you will need to maintain the old profile until the forensic data for older incidents is not needed.
Forensic Folder Support for Egnyte
A forensic profile can either be created on team folders or personal folders. If the team folder is selected, a forensic folder is created under Shared folder(/Shared/Netskope Forensic Folder). If a personal folder is selected, a forensic folder is created under users' private folder(/Private/User/Netskope Forensic Folder). In the User Email field, enter the email address of the owner of the forensic folder. The email address should be of either the Egnyte administrator or power user. Standard user email address is not supported. If a DLP policy is triggered, based on the forensic folder selected, a summary of file content is uploaded into forensic folder.
Note
If a forensic profile is created using a non-admin email address, on behalf of the non-admin user, a forensic folder is created under the users' private/team folder by the instance admin. The folder is accessible to the non-admin user but the folder owner remains the instance admin.