
Netskope Global Technical Success (GTS)

Next Gen Forensics - Netskope
Configure Cloud Storage with Netskope Next Gen Forensics


Netskope Cloud Version - 128

Objective
This article provides a detailed overview of Netskope Data Loss Prevention (DLP) Forensics, outlining its core objectives, applicable use cases, and the types of forensic data captured. It is intended to help security teams leverage forensic artifacts for faster incident response, investigation, and policy refinement.

Reference: Next Gen Forensics


Use Cases & Scenarios

  • Investigating DLP Violations: Captures files, email content, text, and metadata to reconstruct incidents and verify whether sensitive content was actually leaked.
  • Cloud Storage Audits & Compliance: Routes forensic artifacts to secure cloud storage (e.g., AWS S3, Azure Blob, Google Drive, Box, SharePoint) for regulatory reporting and audit trails.
  • Threat Hunting & API-based Incidents: Unifies DLP events and forensic content via API Monitoring for deeper threat detection and investigation.
  • Forensic Data Retention & Storage: Stores forensic outputs in tenant-specified destinations, configurable per forensic profile.


Supported Forensics Types
Netskope provides a robust set of forensic capabilities to enhance visibility and investigative depth during DLP policy violations. Below is a breakdown of the forensic evidence types supported across inline and API-based enforcement models:

1. File & Object Forensics

  • Captures the original file or object (e.g., documents, spreadsheets, images, archives) that triggered a DLP violation.
  • Enables detailed examination of the actual content involved, supporting incident validation and compliance audits.
  • Artifacts are securely offloaded to external repositories such as Amazon S3, Azure Blob Storage, Google Drive, Box, or SharePoint, depending on the configured forensic profile.
  • Supported across both inline (SWG) and API-based protection, contingent on forensic profile assignment and policy configuration.

2. Email Forensics

  • Captures complete MIME content of email messages—including headers, body, and attachments—where a DLP violation is detected.
  • Applicable for supported SaaS platforms such as Microsoft 365 and Google Workspace via API protection.
  • Forensic data is routed to designated cloud storage as defined in the associated forensic profile, ensuring secure evidence retention.

3. Text / Web-form Forensics

  • Extracts textual inputs entered into web forms, chat fields, or other text submission areas that violate DLP rules.
  • This includes sensitive data typed or pasted into browser-based interfaces (e.g., webmail, upload portals, collaboration apps).
  • Available only in inline deployments with SSL decryption enabled, as this visibility requires inspection of encrypted traffic.
  • Text artifacts are collected and stored according to the configured forensic profile.

4. Metadata & Contextual Forensics

  • Captures comprehensive metadata associated with the violation, including:
    • User identity
    • Device information
    • Application or service name
    • Activity type (e.g., upload, download)
    • File name and size
    • URL and timestamp
  • This metadata is universally available across inline, API, and Private Access deployments and is critical for correlating user actions with data movement.
  • Serves as the foundation for event investigation, behavioral analysis, and audit reporting.
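The metadata fields listed above are what an analyst joins against the captured artifacts when reconstructing an incident. The following is an added example, not Netskope code: the record layouts are constructed for illustration and do not reproduce Netskope's export schema. It attaches artifacts to the incidents that produced them, builds a per-user timeline from the timestamps, sums bytes moved per user by activity type, and flags incidents that have no captured artifact at all (the situation the article describes when no forensic profile is assigned to the matching policy).

```python
"""Correlate DLP incident metadata with captured forensic artifacts.

Added example, not Netskope code. All records below are constructed
sample data; field names are assumptions, not Netskope's export schema.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed incident metadata using the fields named in the article:
# user, device, app, activity type, file name/size, URL, timestamp.
INCIDENTS = [
    {"incident_id": "INC-2", "user": "alice@example.com", "device": "LAPTOP-01",
     "app": "Gmail", "activity": "upload", "file_name": None, "file_size": 0,
     "url": "https://mail.google.com/", "timestamp": "2024-05-01T09:40:00Z"},
    {"incident_id": "INC-1", "user": "alice@example.com", "device": "LAPTOP-01",
     "app": "Box", "activity": "upload", "file_name": "q3-forecast.xlsx",
     "file_size": 248_000, "url": "https://app.box.com/upload",
     "timestamp": "2024-05-01T09:12:00Z"},
    {"incident_id": "INC-3", "user": "bob@example.com", "device": "DESKTOP-07",
     "app": "SharePoint", "activity": "download", "file_name": "payroll.csv",
     "file_size": 1_500_000, "url": "https://example.sharepoint.com/sites/hr",
     "timestamp": "2024-05-01T08:05:00Z"},
    {"incident_id": "INC-4", "user": "bob@example.com", "device": "DESKTOP-07",
     "app": "Google Drive", "activity": "upload", "file_name": "payroll.csv",
     "file_size": 512_000, "url": "https://drive.google.com/",
     "timestamp": "2024-05-01T10:30:00Z"},
]

# Constructed artifact index: what was offloaded and where. INC-3 has no
# artifact, modelling a policy with no forensic profile assigned.
ARTIFACTS = [
    {"artifact_id": "ART-1", "incident_id": "INC-1", "type": "file",
     "destination": "s3://forensics-bucket/INC-1/q3-forecast.xlsx"},
    {"artifact_id": "ART-2", "incident_id": "INC-2", "type": "text",
     "destination": "s3://forensics-bucket/INC-2/webform.txt"},
    {"artifact_id": "ART-3", "incident_id": "INC-4", "type": "file",
     "destination": "s3://forensics-bucket/INC-4/payroll.csv"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def attach_artifacts(incidents, artifacts):
    """Return incidents with an 'artifacts' list joined on incident_id."""
    by_incident = defaultdict(list)
    for art in artifacts:
        by_incident[art["incident_id"]].append(art)
    return [{**inc, "artifacts": by_incident.get(inc["incident_id"], [])}
            for inc in incidents]


def user_timeline(incidents, user):
    """Chronological (timestamp, activity, app, file_name) tuples for one user."""
    rows = [inc for inc in incidents if inc["user"] == user]
    rows.sort(key=lambda inc: parse_ts(inc["timestamp"]))
    return [(inc["timestamp"], inc["activity"], inc["app"], inc["file_name"])
            for inc in rows]


def bytes_moved_by_user(incidents, activity="upload"):
    """Total file_size per user for a given activity type (e.g. upload)."""
    totals = defaultdict(int)
    for inc in incidents:
        if inc["activity"] == activity:
            totals[inc["user"]] += inc["file_size"]
    return dict(totals)


def incidents_without_artifacts(incidents, artifacts):
    """Incident ids that have metadata but no captured artifact: a coverage
    gap to check against forensic profile assignment on the matching policy."""
    covered = {art["incident_id"] for art in artifacts}
    return [inc["incident_id"] for inc in incidents
            if inc["incident_id"] not in covered]


if __name__ == "__main__":
    for inc in attach_artifacts(INCIDENTS, ARTIFACTS):
        dests = [a["destination"] for a in inc["artifacts"]] or ["<none>"]
        print(inc["incident_id"], inc["user"], inc["activity"], dests)
    print("alice timeline:", user_timeline(INCIDENTS, "alice@example.com"))
    print("bytes uploaded:", bytes_moved_by_user(INCIDENTS))
    print("no artifact:", incidents_without_artifacts(INCIDENTS, ARTIFACTS))
```

The coverage check is the part worth running routinely: an incident with metadata but no artifact means the original content cannot be recovered later, so the list it returns should be compared against the policies and forensic profiles in the tenant.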

Data Captured in Forensics

A DLP rule violation gives visibility into the matched entities and words that triggered the DLP incident.

You can preview the content matched within the file.

You can download the original file that triggered the DLP incident.


Configuration & Operational Flow

Forensic destinations and their configuration guides:

  • Microsoft SharePoint: Link
  • Microsoft Azure Blob Storage: Link
  • Google Drive: Link
  • Box: Link
  • Amazon S3: Link


Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, if any such platform changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.
  • You can follow the same approach to create instances for other applications.