
Hi

I have the RTP shortened URL category with coaching.

When a user accesses the shortened URL, a coaching page is shown and the user is required to click ACCEPT to proceed to the actual webpage.

By clicking ACCEPT, how can I correlate the actual URL with the shortened URL?

You can use https://tinyurl.com/4trp238r for testing.

Thanks

Hi Munster,

Could you please try the steps below and let me know if they help? I'm also reaching out to other community members for their input.

To approach this, you can:

  • Configure Netskope to log both the shortened URL and the resolved destination URL when users interact with a coaching page.
  • Implement custom logging or integrate with a SIEM solution to correlate these URLs for better tracking.
  • Leverage Netskope's advanced threat protection features to analyze the content of both the shortened and actual URLs.

Configuration Considerations:

  • Ensure SSL inspection is correctly configured to inspect encrypted traffic and capture relevant details.
  • Verify that your policies are set up to log and manage interactions with URL shorteners effectively.

User Access Context:

  • Correlate URL data with user identity information to track and maintain context around who accessed specific content.

In Netskope I don’t think this is possible unless a feature request is created and implemented for Netskope to log what true URL the shortened URL redirects to.

How I would do it as a POC:

  1. Download event logs from the data export alerts API with a script.
  2. For each event where a user accessed a shortened URL: using curl or Selenium, access that short URL and record the full URL post-redirection.
  3. Using the data from the initial Netskope alert, send a SYSLOG message to a SIEM with information from the Netskope alert (user, Netskope alert ID, short URL, etc.) and also include the redirection URL discovered with the custom script.

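A sketch of steps 2 and 3 of the POC above, added here as an example and not taken from the thread or from Netskope: it resolves a short URL with HEAD requests only (no page body is fetched), caps the redirect chain, stops on loops and non-web schemes, and builds the enriched record for the SIEM. The alert field names `_id`, `user` and `url`, the `shorturl_resolved` tag and `MAX_HOPS` are assumptions; downloading the export and sending the syslog message are left out.

```python
import http.client
import json
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumed cap on redirect chain length

def head_location(url, timeout=5):
    """One HEAD request without auto-follow: returns (status, Location or None)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def resolve_chain(url, fetch=head_location):
    """Follow redirects hop by hop and return every URL visited, in order."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https") or nxt in chain:
            break  # do not follow non-web schemes; stop on a loop
        chain.append(nxt)
    return chain

def enrich(event, fetch=head_location):
    """Build the SIEM record for one alert (input field names are assumed)."""
    chain = resolve_chain(event["url"], fetch)
    return {"alert_id": event["_id"], "user": event["user"],
            "short_url": event["url"], "final_url": chain[-1],
            "redirect_chain": chain}

def to_syslog_payload(record):
    return "shorturl_resolved " + json.dumps(record, sort_keys=True)

# Constructed sample data (fake redirect map and fake alert) so this runs offline.
FAKE_REDIRECTS = {
    "https://short.example/abc": (301, "https://mid.example/r?id=1"),
    "https://mid.example/r?id=1": (302, "/landing"),
    "https://mid.example/landing": (200, None),
}
SAMPLE_EVENT = {"_id": "constructed-0001", "user": "user@example.com",
                "url": "https://short.example/abc"}
if __name__ == "__main__":
    print(to_syslog_payload(enrich(SAMPLE_EVENT, FAKE_REDIRECTS.get)))
```

A destination that only redirects through JavaScript or a meta refresh returns 200 to a HEAD request, so the chain ends there; that is the case where the thread's Selenium option would be needed.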