What Are Netskope Incidents?
Resumen: Netskope incidents may be reviewed by following these instructions.
Síntomas
A Netskope incident is any action that falls outside of normal operations as outlined by a Netskope administrator, either using custom or prebuilt profiles. Netskope breaks these incidents out as data loss prevention (DLP) incidents, anomalies, compromised credentials, or files that have been quarantined or placed in a legal hold status.
Affected Products:
Netskope
Causa
Not applicable.
Resolución
To access the Incidents pages:
- In a web browser, go to the Netskope web console:
- United States Datacenter: https://[TENANT].goskope.com/
- European Union Datacenter: https://[TENANT].eu.goskope.com/
- Frankfurt Datacenter: https://[TENANT].de.goskope.com/
- Log in to the Netskope web console.
- Click Incidents.
- Click the appropriate Incidents page.
For more information about incidents, click the appropriate option.
The DLP page contains information regarding DLP incidents in your environment.
The DLP page provides this information about each DLP incident:
- Object: Shows the file or object that triggered the violation. Clicking the object opens a page with more details where you can change status, assign incidents, change severity, and take actions.
- Application: Shows the application that triggered the violation.
- Exposure: Shows files that are categorized by exposure, such as Public - Indexed, Public - Unlisted, Public, Private, Externally Shared, Internally Shared, and Enterprise Shared.
- Violation: Shows the number of violations within the file.
- Last Action: Shows the action that was most recently taken.
- Status: Shows the state of the event. There are three status categories: New, In Progress, and Resolved.
- Assignee: Shows who is tasked with monitoring the event.
- Severity: Shows the level of severity. There are four levels: Low, Medium, High, and Critical.
- Timestamp: Shows the date and time of the violation.
The Anomalies page provides information about the various types of detected anomalies.
There are three Anomalies page categories. For more information, click the appropriate category.
The Summary page shows total anomalies, anomalies by risk level, and anomalous dimensions (percentage per category). There are also tables that show anomalies per profiles and users. A query field may be used to search for specific anomalies. The Summary page also contains filters for anomalies by risk level, all or new, or based on a specific profile.
Click By Profile to view the number of anomalies detected for each type, along with the latest timestamp. Only the profiles for anomalies that are detected are shown.
Click By User to view how many anomalies each user has, along with the risk level distribution. Click an item to open the details page for specific information about profiles or users.
The Details page shows more specifics about anomalies. All or specific anomalies may be acknowledged from this page. A query field may be used to search for specific anomalies. The Details page also contains filters for anomalies by risk level, all or new anomalies, or anomalies based on a specific profile.
The information that is found on the Details page includes:
- Risk level
- User email address
- Profile type
- Description
- Dimension
- Timestamp
Click an item to view detailed risk, application, and user information. To remove one or more of the anomalies, enable the checkbox next to an item and click Acknowledge, or click Acknowledge All.
The Configure page allows you to enable or disable the tracking of anomaly profiles and configure how anomalies are monitored.
To configure a profile, click the pencil icon in the Configuration column. To configure the applications, click Select Applications. Click Apply Changes to save your configurations.
Available profiles:
| Profiles | Usage |
|---|---|
| Applications | Configure the applications that you want to perform anomaly detection. |
| Proximity Event | Configure the distance (in miles) between two locations, or time (in hours), for when the location change happens. In addition, you can allowlist trusted network locations, allowing you to identify your trusted networks and fine-tune the proximity anomaly detection. |
| Rare Event | Configure a time period for a rare event in number of days. |
| Failed Logins | Configure count of failed login and the time interval. |
| Bulk Download of Files | Configure count of files that are downloaded and the time interval. |
| Bulk Upload of Files | Configure count of files that are uploaded and the time interval. |
| Bulk Files Deleted | Configure count of files that are deleted and the time interval. |
| Data Exfiltration | Enable or disable transfer or retrieval of data from a computer or server. |
| Shared Credentials | Configure allowing or disallowing shared credentials using time intervals. |
The Compromised Credentials dashboard informs you about known compromised credentials for the accounts that are used by your employees.
The Compromised Credentials dashboard includes:
- Total number of users with compromised credentials.
- Identified and detected users.
- Media references of data breaches in both table and graph format.
- A compromised user's email address.
- Data source status.
- The source of info.
- The date credentials were compromised.
To remove one or more of the compromised credentials, enable the checkbox next to an item and click either Acknowledge or Acknowledge All.
The Malware page provides information about malware that is found in the environment.
The Malware page includes:
- Malware: The number of malware attacks detected by the scan.
- Users Affected: The number of users that have files that are affected by a specific malware attack.
- Files Affected: The number of files quarantined or that triggered an alert.
- Malware Name: The name of the malware detected.
- Malware Type: The type of malware detected.
- Severity: The severity that is assigned to the malware.
- Last Action Date: The date the first file was detected by the scan and an action was taken based on the quarantine profile selected.
Click an item on the page to see more comprehensive details or to quarantine, restore, or mark the file as safe.
The Malicious Sites page allows you to see what potentially malicious sites endpoints are going to.
The information that is shown on this page includes:
- Sites Allowed: Sites that your users visited and were not blocked.
- Total Malicious Sites: The total number of malicious sites that have been visited.
- Users Allowed: The number of users who are not blocked from visiting a malicious site.
- Site: The malicious site's IP address or URL.
- Severity: The severity rating for the malicious site.
- Category: The type of malicious site detected.
- Site Destination: The location from where the malware was downloaded.
The Quarantine page shows a list of quarantined files.
The Quarantine page has the below information about the quarantined file:
- Date: The date the file was quarantined.
- File Name: The file name of the file at the time of quarantine.
- Original File Name: The original name of the quarantined file.
- Policy Name: The enforced policy name causing the file to be quarantined.
- Violation: The policy violation causing the file to be quarantined.
- File Owner: The owner of the quarantined file.
- Detection Method: The method used to detect the violation.
You can take actions on each of the quarantined files. Select the checkbox beside a quarantined file, and on the bottom-right, click:
- Contact Owners: You can contact the owner of the quarantined file.
- Download Files: You can download the tombstone file.
- Take Action: You can either restore or block the tombstone file.
The Legal Hold page contains a list of files that are placed in legal hold.
The Legal Hold page has the below information about the file that is placed in legal hold:
- Date: The date the file was put in legal hold.
- File Name: The name of the file at the time it was put in legal hold.
- Original File Name: The original name of the file put in legal hold.
- Policy Name: The enforced policy name causing the file to be put in legal hold.
- Violation: The policy violation causing the file to be put in legal hold.
- File Owner: The owner of the file in legal hold.
- Detection Method: The method used to detect the violation.
You can take actions on each of the legal hold files. Select the checkbox beside a legal hold file, and on the bottom-right, click either:
- Contact Owners: This contacts the owner of the file.
- Download Files: This downloads the file.
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.