Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products

What Are Netskope Incidents?

Summary: Netskope incidents may be reviewed by following these instructions.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

A Netskope incident is any action that falls outside of normal operations as outlined by a Netskope administrator, either using custom or prebuilt profiles. Netskope breaks these incidents out as data loss prevention (DLP) incidents, anomalies, compromised credentials, or files that have been quarantined or placed in a legal hold status.


Affected Products:

Netskope


Cause

Not applicable.

Resolution

To access the Incidents pages:

  1. In a web browser, go to the Netskope web console:
    • United States Datacenter: https://[TENANT].goskope.com/
    • European Union Datacenter: https://[TENANT].eu.goskope.com/
    • Frankfurt Datacenter: https://[TENANT].de.goskope.com/
Note: [TENANT] = The tenant name in your environment
  1. Log in to the Netskope web console.

Netskope web console

  1. Click Incidents.

Incidents

  1. Click the appropriate Incidents page.

Selecting an incidents page

For more information about incidents, click the appropriate option.

The DLP page contains information regarding DLP incidents in your environment.

DLP page

The DLP page provides this information about each DLP incident:

  • Object: Shows the file or object that triggered the violation. Clicking the object opens a page with more details where you can change status, assign incidents, change severity, and take actions.
  • Application: Shows the application that triggered the violation.
  • Exposure: Shows files that are categorized by exposure, such as Public - Indexed, Public - Unlisted, Public, Private, Externally Shared, Internally Shared, and Enterprise Shared.
  • Violation: Shows the number of violations within the file.
  • Last Action: Shows the action that was most recently taken.
  • Status: Shows the state of the event. There are three status categories: New, In Progress, and Resolved.
  • Assignee: Shows who is tasked with monitoring the event.
  • Severity: Shows the level of severity. There are four levels: Low, Medium, High, and Critical.
  • Timestamp: Shows the date and time of the violation.

The Anomalies page provides information about the various types of detected anomalies.

Anomalies page

There are three Anomalies page categories. For more information, click the appropriate category.

The Summary page shows total anomalies, anomalies by risk level, and anomalous dimensions (percentage per category). There are also tables that show anomalies per profiles and users. A query field may be used to search for specific anomalies. The Summary page also contains filters for anomalies by risk level, all or new, or based on a specific profile.

Click By Profile to view the number of anomalies detected for each type, along with the latest timestamp. Only the profiles for anomalies that are detected are shown.

Summary page by profile

Click By User to view how many anomalies each user has, along with the risk level distribution. Click an item to open the details page for specific information about profiles or users.

Summary page by user

The Details page shows more specifics about anomalies. All or specific anomalies may be acknowledged from this page. A query field may be used to search for specific anomalies. The Details page also contains filters for anomalies by risk level, all or new anomalies, or anomalies based on a specific profile.

Details page

The information that is found on the Details page includes:

  • Risk level
  • User email address
  • Profile type
  • Description
  • Dimension
  • Timestamp

Click an item to view detailed risk, application, and user information. To remove one or more of the anomalies, enable the checkbox next to an item and click Acknowledge, or click Acknowledge All.

The Configure page allows you to enable or disable the tracking of anomaly profiles and configure how anomalies are monitored.

Configure page

To configure a profile, click the pencil icon in the Configuration column. To configure the applications, click Select Applications. Click Apply Changes to save your configurations.

Available profiles:

Profiles Usage
Applications Configure the applications that you want to perform anomaly detection.
Proximity Event Configure the distance (in miles) between two locations, or time (in hours), for when the location change happens. In addition, you can allowlist trusted network locations, allowing you to identify your trusted networks and fine-tune the proximity anomaly detection.
Rare Event Configure a time period for a rare event in number of days.
Failed Logins Configure count of failed login and the time interval.
Bulk Download of Files Configure count of files that are downloaded and the time interval.
Bulk Upload of Files Configure count of files that are uploaded and the time interval.
Bulk Files Deleted Configure count of files that are deleted and the time interval.
Data Exfiltration Enable or disable transfer or retrieval of data from a computer or server.
Shared Credentials Configure allowing or disallowing shared credentials using time intervals.

The Compromised Credentials dashboard informs you about known compromised credentials for the accounts that are used by your employees.

Compromised Credentials page

The Compromised Credentials dashboard includes:

  • Total number of users with compromised credentials.
  • Identified and detected users.
  • Media references of data breaches in both table and graph format.
  • A compromised user's email address.
  • Data source status.
  • The source of info.
  • The date credentials were compromised.

To remove one or more of the compromised credentials, enable the checkbox next to an item and click either Acknowledge or Acknowledge All.

The Malware page provides information about malware that is found in the environment.

Malware page

The Malware page includes:

  • Malware: The number of malware attacks detected by the scan.
  • Users Affected: The number of users that have files that are affected by a specific malware attack.
  • Files Affected: The number of files quarantined or that triggered an alert.
  • Malware Name: The name of the malware detected.
  • Malware Type: The type of malware detected.
  • Severity: The severity that is assigned to the malware.
  • Last Action Date: The date the first file was detected by the scan and an action was taken based on the quarantine profile selected.

Click an item on the page to see more comprehensive details or to quarantine, restore, or mark the file as safe.

The Malicious Sites page allows you to see what potentially malicious sites endpoints are going to.

Malicious sites page

The information that is shown on this page includes:

  • Sites Allowed: Sites that your users visited and were not blocked.
  • Total Malicious Sites: The total number of malicious sites that have been visited.
  • Users Allowed: The number of users who are not blocked from visiting a malicious site.
  • Site: The malicious site's IP address or URL.
  • Severity: The severity rating for the malicious site.
  • Category: The type of malicious site detected.
  • Site Destination: The location from where the malware was downloaded.

The Quarantine page shows a list of quarantined files.

Quarantine page

The Quarantine page has the below information about the quarantined file:

  • Date: The date the file was quarantined.
  • File Name: The file name of the file at the time of quarantine.
  • Original File Name: The original name of the quarantined file.
  • Policy Name: The enforced policy name causing the file to be quarantined.
  • Violation: The policy violation causing the file to be quarantined.
  • File Owner: The owner of the quarantined file.
  • Detection Method: The method used to detect the violation.

You can take actions on each of the quarantined files. Select the checkbox beside a quarantined file, and on the bottom-right, click:

  • Contact Owners: You can contact the owner of the quarantined file.
  • Download Files: You can download the tombstone file.
  • Take Action: You can either restore or block the tombstone file.

The Legal Hold page contains a list of files that are placed in legal hold.

Legal hold page

The Legal Hold page has the below information about the file that is placed in legal hold:

  • Date: The date the file was put in legal hold.
  • File Name: The name of the file at the time it was put in legal hold.
  • Original File Name: The original name of the file put in legal hold.
  • Policy Name: The enforced policy name causing the file to be put in legal hold.
  • Violation: The policy violation causing the file to be put in legal hold.
  • File Owner: The owner of the file in legal hold.
  • Detection Method: The method used to detect the violation.

You can take actions on each of the legal hold files. Select the checkbox beside a legal hold file, and on the bottom-right, click either:

  • Contact Owners: This contacts the owner of the file.
  • Download Files: This downloads the file.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Additional Information

 

Videos

 

Affected Products

Netskope
Article Properties
Article Number: 000126829
Article Type: Solution
Last Modified: 20 dec 2022
Version:  11
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.