Netskope Logs

Panther supports pulling logs directly from Netskope

Overview

Panther has the ability to fetch Netskope logs by querying the Netskope REST API v2.

How to onboard Netskope logs to Panther

You'll start creating the Netskope source in Panther, generate an API token in Netskope, then return to Panther to finish log source creation.

Step 1: Start creating a Netskope source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Netskope," then click its tile.
In the slide-out panel, click Start Setup.
Enter a descriptive Name for the source, e.g., "My Netskope logs."
Click Setup.

Step 2: Create an API token in Netskope

In a separate web browser tab, open the Netskope Admin Console.
In the left-side navigation bar, click Settings.
In the left-side navigation bar of the Settings page, click Tools > REST API v2.
Click New Token.
In the popup modal, configure the following fields:
- Token Name: Enter a descriptive name.
- Expire In: Set an appropriate expiration period.
- Scope: Click Add Endpoint and select the /api/v2/events/dataexport/events/audit scope.
Click Save.
In the confirmation modal, click Copy Token and store the value in a secure location, as you will need it in the next step.

Step 3: Finish creating the Netskope source in Panther

Navigate back to the Panther Console, to the Set Credentials page where you left off after completing Step 1.
In the Netskope Domain field, enter the domain name of your Netskope tenant (e.g., corp.goskope.com).
In the API Key field, paste the API token value you copied from the Netskope Admin console in Step 2.
Click Setup. You will be directed to a success screen:
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.\

Panther-managed detections

See Panther-managed rules for Netskope in the panther-analysis GitHub repository.

Supported log types

Netskope.Alert.CompromisedCredential

Breach and credential exposure alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.CompromisedCredential schema

schema: Netskope.Alert.CompromisedCredential
description: Breach and credential exposure alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: appcategory
    description: Application category (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (used for classification)
    type: string
  - name: app
    description: The application associated with the alert
    type: string
  - name: breach_date
    description: The date of the breach (unix timestamp)
    type: bigint
  - name: breach_description
    description: Description of the breach
    type: string
  - name: breach_id
    required: true
    description: Unique identifier for the breach
    type: string
  - name: breach_media_references
    description: Media references for the breach
    type: string
  - name: breach_score
    description: Score indicating breach severity
    type: string
  - name: breach_target_references
    description: Target references for the breach
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: count
    description: Count of events
    type: bigint
  - name: department
    description: User department
    type: string
  - name: distinguishedName
    description: Active Directory distinguished name
    type: string
  - name: division
    description: User division
    type: string
  - name: email_source
    description: Source of email
    type: string
  - name: employeeType
    description: Type of employee
    type: string
  - name: external_email
    description: External email indicator
    type: bigint
  - name: mail
    description: Email address
    type: string
    indicators:
      - email
  - name: matched_username
    description: Username that matched in the breach
    type: string
    indicators:
      - username
  - name: organization_unit
    description: Organization unit
    type: string
  - name: password_type
    description: Type of password (e.g., plaintext, hashed)
    type: string
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sAMAccountType
    description: Active Directory account type
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
    indicators:
      - email
      - username
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: userkey
    description: Unique user key
    type: string

Netskope.Alert.Content

Content inspection alerts from Netskope Endpoint DLP Service. For more information, see Netskope's documentation.

Netskope.Alert.Content schema

schema: Netskope.Alert.Content
description: Content inspection alerts from Netskope Endpoint DLP Service
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    required: true
    description: Unique identifier for the alert
    type: string
  - name: access_method
    description: Method of access (e.g., Endpoint)
    type: string
  - name: action
    description: Action taken (e.g., alert, block)
    type: string
  - name: activity
    description: Activity type (e.g., Create, Upload)
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (Content, used for classification)
    type: string
  - name: app
    description: Application name (e.g., explorer.exe)
    type: string
  - name: computer_name
    description: Name of the computer
    type: string
    indicators:
      - hostname
  - name: count
    description: Count of events
    type: bigint
  - name: destination_file_directory
    description: Destination file directory path
    type: string
  - name: destination_file_name
    description: Destination file name
    type: string
  - name: destination_file_path
    description: Full destination file path
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification (e.g., managed, unmanaged)
    type: string
  - name: dlp_incident_id
    required: true
    description: DLP incident identifier
    type: bigint
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type description
    type: string
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_details
    description: Detailed OS information
    type: string
  - name: os_user_name
    description: OS username
    type: string
    indicators:
      - username
  - name: pid
    description: Process ID
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_action
    description: Action defined by policy
    type: string
  - name: policy_name_enforced
    description: Name of the enforced policy
    type: string
  - name: process_cert_subject
    description: Certificate subject of the process
    type: string
  - name: process_name
    description: Name of the process
    type: string
  - name: process_path
    description: Full path to the process
    type: string
  - name: sha256
    description: SHA256 hash of the file
    type: string
    indicators:
      - sha256
  - name: site
    description: Site or application name
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
    indicators:
      - email
      - username
  - name: usb_device_type
    description: Type of USB device
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - email
      - username
  - name: userkey
    description: Unique user key
    type: string

Netskope.Alert.CTEP

Client Threat Endpoint Protection (IPS/C2) alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.CTEP

schema: Netskope.Alert.CTEP
description: Client Threat Endpoint Protection (IPS/C2) alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: appcategory
    description: Application category (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: device
    description: Device identifier (not officially supported)
    type: string
  - name: dstport
    description: Destination port (not officially supported)
    type: bigint
  - name: ip_protocol
    description: IP protocol (e.g., TCP, UDP) (not officially supported)
    type: string
  - name: netskope_pop
    description: Netskope point of presence (not officially supported)
    type: string
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: srcport
    description: Source port (not officially supported)
    type: bigint
  - name: traffic_type
    description: Type of traffic (not officially supported)
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (ctep, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: company
    description: Company name
    type: string
  - name: count
    description: Count of events
    type: bigint
  - name: department
    description: User department
    type: string
  - name: deviceClassification
    description: Device classification
    type: array
    element:
      type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: gid
    description: Group ID for signature
    type: bigint
  - name: home_pop
    description: Home point of presence
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: http_method
    description: HTTP method
    type: string
  - name: http_port
    description: HTTP port
    type: bigint
  - name: manager
    description: Manager name
    type: string
  - name: metadata
    description: Additional metadata
    type: json
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: other_categories
    description: Other categories
    type: array
    element:
      type: string
  - name: profile_id
    description: Profile identifier
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: signature
    required: true
    description: IPS signature name
    type: string
  - name: signature_id
    description: IPS signature identifier
    type: bigint
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: tunnel_id
    description: Tunnel identifier
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
    indicators:
      - email
      - username
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string

Netskope.Alert.Device

Device alerts from Netskope Endpoint DLP Service. For more information, see Netskope's documentation.

Netskope.Alert.Device schema

schema: Netskope.Alert.Device
description: Device alerts from Netskope Endpoint DLP Service
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    required: true
    description: Unique identifier for the alert
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: access_method
    description: Method of access (e.g., Endpoint)
    type: string
  - name: action
    description: Action taken (e.g., block, allow)
    type: string
  - name: activity
    description: Activity type (e.g., Insert, Remove)
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (Device, used for classification)
    type: string
  - name: computer_name
    description: Name of the computer
    type: string
  - name: connection_type
    description: Type of connection (e.g., local, network)
    type: string
  - name: count
    description: Count of events
    type: bigint
  - name: device_classification
    description: Device classification (e.g., managed, unmanaged)
    type: string
  - name: driver
    description: Device driver name
    type: string
  - name: location
    description: Geographic location
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_details
    description: Detailed OS information
    type: string
  - name: os_user_name
    description: OS username
    type: string
    indicators:
      - username
  - name: policy
    description: Policy name
    type: string
  - name: policy_action
    description: Action defined by policy
    type: string
  - name: policy_name_enforced
    description: Name of the enforced policy
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
    indicators:
      - email
      - username
  - name: usb_device_id
    description: USB device identifier
    type: string
  - name: usb_device_name
    description: USB device name
    type: string
  - name: usb_device_sn
    description: USB device serial number
    type: string
  - name: usb_device_type
    description: Type of USB device (e.g., usb mass storage)
    type: string
  - name: usb_is_encrypted
    required: true
    description: Whether the USB device is encrypted
    type: boolean
  - name: usb_product_id
    description: USB product identifier
    type: string
  - name: usb_vendor_id
    description: USB vendor identifier
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - email
      - username
  - name: userkey
    description: Unique user key
    type: string

Netskope.Alert.DLP

Data Loss Prevention alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.DLP schema

schema: Netskope.Alert.DLP
description: Data Loss Prevention alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: user_confidence_index
    description: User confidence index score (not officially supported)
    type: bigint
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: act_user
    description: Act User
    type: string
    indicators:
      - username
      - email
  - name: action
    description: Action taken (e.g., block, allow, alert)
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (DLP, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_activity
    description: App Activity
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: bcc
    description: Bcc
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: channel
    description: Channel
    type: string
  - name: classification_name
    description: Classification Name
    type: string
  - name: collaborated
    description: Collaborated
    type: string
  - name: connection_id
    description: Connection Id
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: data_type
    description: Data Type
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: displayName
    description: Displayname
    type: string
  - name: dlp_file
    description: DLP file identifier
    type: string
  - name: dlp_fingerprint_classification
    description: Dlp Fingerprint Classification
    type: string
  - name: dlp_fingerprint_match
    description: Dlp Fingerprint Match
    type: string
  - name: dlp_fingerprint_score
    description: Dlp Fingerprint Score
    type: bigint
  - name: dlp_incident_id
    description: DLP incident identifier
    type: bigint
  - name: dlp_is_unique_count
    description: Whether DLP unique count is calculated
    type: string
  - name: dlp_mail_parent_id
    description: Parent mail ID for DLP
    type: string
  - name: dlp_parent_id
    description: Parent DLP incident identifier
    type: bigint
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: dlp_rule
    description: DLP rule name
    type: string
  - name: dlp_rule_count
    description: Number of DLP rules matched
    type: bigint
  - name: dlp_rule_score
    required: true
    description: Dlp Rule Score
    type: bigint
  - name: dlp_rule_severity
    description: Severity of the DLP rule
    type: string
  - name: dlp_unique_count
    description: Unique count of DLP matches
    type: bigint
  - name: dst_country
    description: Dst Country
    type: string
  - name: dst_geoip_src
    description: Dst Geoip Src
    type: bigint
  - name: dst_latitude
    description: Dst Latitude
    type: float
  - name: dst_location
    description: Dst Location
    type: string
  - name: dst_longitude
    description: Dst Longitude
    type: float
  - name: dst_region
    description: Dst Region
    type: string
  - name: dst_timezone
    description: Dst Timezone
    type: string
  - name: dst_zipcode
    description: Dst Zipcode
    type: string
  - name: dstip
    description: Dstip
    type: string
    indicators:
      - ip
  - name: dynamic_classification
    description: Dynamic Classification
    type: string
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: external_collaborator_count
    description: Number of external collaborators
    type: bigint
  - name: file_category
    description: File Category
    type: string
  - name: file_cls_encrypted
    description: File Cls Encrypted
    type: boolean
  - name: file_lang
    description: File language
    type: string
  - name: file_password_protected
    description: Whether the file is password protected (yes/no string)
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_storage
    description: From Storage
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: group
    description: Group
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident Id
    type: bigint
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: internal_collaborator_count
    description: Number of internal collaborators
    type: bigint
  - name: local_sha256
    description: Local Sha256
    type: string
    indicators:
      - sha256
  - name: mail
    description: Mail
    type: string
    indicators:
      - email
  - name: managed_app
    description: Managed App
    type: string
  - name: managementID
    description: Managementid
    type: string
  - name: manager
    description: Manager
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: message_id
    description: Message Id
    type: string
  - name: message_size
    description: Message Size
    type: bigint
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: modified
    description: Modified
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: orignal_file_path
    description: Orignal File Path
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: Os Version
    type: string
  - name: outer_doc_type
    description: Outer Doc Type
    type: bigint
  - name: owner
    description: Owner of the resource
    type: string
  - name: owner_pdl
    description: Owner Pdl
    type: string
  - name: page
    description: Page
    type: string
  - name: page_site
    description: Page Site
    type: string
  - name: parent_id
    description: Parent Id
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Protocol
    type: string
  - name: referer
    description: Referer
    type: string
  - name: request_id
    description: Request Id
    type: bigint
  - name: retro_scan_name
    description: Retro Scan Name
    type: string
  - name: sAMAccountName
    description: Samaccountname
    type: string
  - name: sanctioned_instance
    description: Sanctioned Instance
    type: string
  - name: scan_type
    description: Scan Type
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: sha256
    description: Sha256
    type: string
    indicators:
      - sha256
  - name: shared_domains
    description: Domains the file was shared with
    type: string
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: smtp_to
    description: Smtp To
    type: array
    element:
      type: string
  - name: src_country
    description: Src Country
    type: string
  - name: src_geoip_src
    description: Src Geoip Src
    type: bigint
  - name: src_latitude
    description: Src Latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Src Longitude
    type: float
  - name: src_region
    description: Src Region
    type: string
  - name: src_time
    description: Src Time
    type: string
  - name: src_timezone
    description: Src Timezone
    type: string
  - name: src_zipcode
    description: Src Zipcode
    type: string
  - name: srcip
    description: Srcip
    type: string
    indicators:
      - ip
  - name: sub_type
    description: Sub Type
    type: string
  - name: suppression_key
    description: Suppression Key
    type: string
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: title
    description: Title
    type: string
  - name: to_storage
    description: To Storage
    type: string
  - name: to_user
    description: To User
    type: string
    indicators:
      - username
      - email
  - name: total_collaborator_count
    description: Total number of collaborators
    type: bigint
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction Id
    type: bigint
  - name: true_filetype
    description: True Filetype
    type: string
  - name: true_obj_category
    description: True Obj Category
    type: string
  - name: true_obj_type
    description: True Obj Type
    type: string
  - name: true_type_id
    description: True Type Id
    type: bigint
  - name: tss_mode
    description: Tss Mode
    type: string
  - name: type
    description: Event type
    type: string
  - name: universal_connector
    description: Universal Connector
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userCountry
    description: Usercountry
    type: string
  - name: userPrincipalName
    description: Userprincipalname
    type: string
  - name: user_id
    description: User Id
    type: string
    indicators:
      - username
  - name: userip
    description: Userip
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
  - name: violating_user
    description: Violating User
    type: string
    indicators:
      - username
      - email
  - name: violating_user_type
    description: Violating User Type
    type: string
  - name: web_universal_connector
    description: Web Universal Connector
    type: string

Netskope.Alert.Malsite

Malicious site detection alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.Malsite schema

schema: Netskope.Alert.Malsite
description: Malicious site detection alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: retro_scan_name
    description: Name of the retrospective scan (not officially supported)
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: aggregated_user
    description: Aggregated user information
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (malsite, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: client_bytes
    description: Bytes sent by client
    type: bigint
  - name: co
    description: Country code
    type: string
  - name: conn_duration
    description: Connection duration in seconds
    type: bigint
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: department
    description: User department
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: division
    description: User division
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dsthost
    description: Destination hostname
    type: string
    indicators:
      - hostname
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: dstport
    description: Destination port
    type: bigint
  - name: from_user
    description: User who initiated
    type: string
    indicators:
      - username
      - email
  - name: fromlogs
    description: Source logs
    type: string
  - name: gateway
    description: Gateway information
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: ja3
    description: JA3 fingerprint
    type: string
  - name: ja3s
    description: JA3S fingerprint
    type: string
  - name: log_file_name
    description: Log file name
    type: string
  - name: malicious
    description: Whether the site is malicious
    type: string
  - name: malsite_active
    description: Whether the malicious site is active
    type: string
  - name: malsite_category
    required: true
    description: Categories of malicious site
    type: array
    element:
      type: string
  - name: malsite_confidence
    description: Confidence score of malsite detection
    type: bigint
  - name: malsite_consecutive
    description: Consecutive malsite detections
    type: string
  - name: malsite_country
    description: Country of malicious site
    type: string
  - name: malsite_first_seen
    description: First seen timestamp of malsite
    type: bigint
  - name: malsite_hostility
    description: Hostility level of malsite
    type: string
  - name: malsite_id
    description: Malsite identifier
    type: string
  - name: malsite_ip_host
    description: IP or host of malsite
    type: string
    indicators:
      - ip
      - hostname
  - name: malsite_last_seen
    description: Last seen timestamp of malsite
    type: bigint
  - name: malsite_latitude
    description: Latitude of malsite
    type: float
  - name: malsite_longitude
    description: Longitude of malsite
    type: float
  - name: malsite_region
    description: Region of malsite
    type: string
  - name: malsite_reputation
    description: Reputation score of malsite
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: notify_template
    description: Notification template
    type: string
  - name: numbytes
    description: Number of bytes transferred
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: org
    description: Organization
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: other_categories
    description: Other categories
    type: array
    element:
      type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: req_cnt
    description: Request count
    type: bigint
  - name: request_id
    description: Request identifier
    type: bigint
  - name: resp_cnt
    description: Response count
    type: bigint
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: serial
    description: Serial number
    type: string
  - name: server_bytes
    description: Bytes sent by server
    type: bigint
  - name: severity
    description: Severity level
    type: string
  - name: severity_level
    description: Severity level description
    type: string
  - name: severity_level_id
    description: Severity level identifier
    type: bigint
  - name: sfwder
    description: Forwarder information
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: suppression_end_time
    description: Suppression end time
    type: bigint
  - name: suppression_start_time
    description: Suppression start time
    type: bigint
  - name: telemetry_app
    description: Telemetry application
    type: string
  - name: threat_match_field
    description: Field that matched the threat
    type: string
  - name: threat_match_value
    description: Value that matched the threat
    type: string
  - name: threat_source_id
    description: Threat source identifier
    type: bigint
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: type
    description: Event type
    type: string
  - name: universal_connector
    description: Universal connector indicator
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip

Netskope.Alert.Malware

Malware detection alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.Malware schema

schema: Netskope.Alert.Malware
description: Malware detection alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: TSS-scan
    description: TSS scan indicator
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (malware, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_name
    description: Application name (alternate field)
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: company
    description: Company name
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: created_date
    description: Creation date timestamp
    type: bigint
  - name: department
    description: User department
    type: string
  - name: detection_engine
    description: Detection engine that identified the malware
    type: string
  - name: detection_type
    description: Type of detection
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: fastscan_results
    description: Fast scan results
    type: string
  - name: file_category
    description: File category
    type: string
  - name: file_id
    description: File identifier
    type: string
  - name: file_name
    description: File name
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: filename
    description: Filename (alternate field)
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: local_md5
    description: Local MD5 hash
    type: string
    indicators:
      - md5
  - name: local_sha256
    description: Local SHA256 hash
    type: string
    indicators:
      - sha256
  - name: malware_id
    description: Malware identifier
    type: string
  - name: malware_name
    description: Name of the malware
    type: string
  - name: malware_profile
    description: Malware profile name
    type: string
  - name: malware_severity
    description: Severity of the malware
    type: string
  - name: malware_type
    description: Type of malware
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: manager
    description: Manager name
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: ml_detection
    description: Machine learning detection indicator
    type: string
  - name: modified_date
    description: Modification date timestamp
    type: bigint
  - name: nsdeviceuid
    description: Netskope device UID
    type: string
  - name: object
    description: Object name
    type: string
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: parent_id
    description: Parent event identifier
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: request_id
    description: Request identifier
    type: bigint
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: scan_time
    description: Scan time timestamp
    type: bigint
  - name: scan_type
    description: Type of scan
    type: string
  - name: scanner_result
    description: Result from scanner
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: severity_id
    description: Severity identifier
    type: bigint
  - name: sha1
    description: SHA1 hash of the file
    type: string
    indicators:
      - sha1
  - name: sha256
    description: SHA256 hash of the file (not officially supported)
    type: string
    indicators:
      - sha256
  - name: shared_type
    description: Type of sharing
    type: string
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: title
    description: Alert title
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: true_filetype
    required: true
    description: True file type
    type: string
  - name: tss_license
    description: TSS license information
    type: string
  - name: tss_mode
    description: TSS mode
    type: string
  - name: tss_fail_reason
    description: TSS scan failure reason (not officially supported)
    type: string
  - name: tss_scan_failed
    description: Whether TSS scan failed (not officially supported)
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: user_confidence_index
    description: User confidence index score (not officially supported)
    type: bigint
  - name: userCountry
    description: User country
    type: string
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: usr_display_name
    description: User display name
    type: string
  - name: usr_status
    description: User status
    type: string
  - name: usr_title
    description: User title
    type: string
  - name: usr_udf_businesssegmentlevel1
    description: User-defined business segment level 1
    type: string
  - name: usr_udf_businesssegmentlevel2
    description: User-defined business segment level 2
    type: string
  - name: usr_udf_businesssegmentlevel3
    description: User-defined business segment level 3
    type: string
  - name: usr_udf_businesssegmentlevel4
    description: User-defined business segment level 4
    type: string
  - name: usr_udf_companyname
    description: User-defined company name
    type: string
  - name: usr_udf_employeeid
    description: User-defined employee ID
    type: string
  - name: usr_udf_primarydomain
    description: User-defined primary domain
    type: string
  - name: usr_udf_supervisorid
    description: User-defined supervisor ID
    type: string
  - name: usr_udf_supervisorname
    description: User-defined supervisor name
    type: string

Netskope.Alert.Policy

Policy violation alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.Policy schema

schema: Netskope.Alert.Policy
description: Policy violation alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken (e.g., block, allow, alert)
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (policy, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_location
    description: Destination location
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: page
    description: Page URL
    type: string
  - name: policy
    required: true
    description: Policy name
    type: string
  - name: policy_actions
    description: Actions defined by the policy
    type: array
    element:
      type: string
  - name: policy_id
    required: true
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_location
    description: Source location
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string

Netskope.Alert.Quarantine

Quarantine action alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.Quarantine schema

schema: Netskope.Alert.Quarantine
description: Quarantine action alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (quarantine, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: appcategory
    description: Application category
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: count
    description: Count of events
    type: bigint
  - name: department
    description: User department
    type: string
  - name: departmentNumber
    description: Department number
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: file_id
    description: File identifier
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: instance_id
    description: Instance identifier
    type: string
  - name: manager
    description: Manager name
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: modified
    description: Modification timestamp
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: orignal_file_path
    description: "Original file path (note: typo in API)"
    type: string
  - name: os
    description: Operating system
    type: string
  - name: other_categories
    description: Other categories
    type: array
    element:
      type: string
  - name: owner
    description: Owner of the resource
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: profile_emails
    description: Profile email addresses
    type: array
    element:
      type: string
  - name: q_admin
    description: Quarantine admin
    type: string
  - name: q_app
    description: Quarantine app
    type: string
  - name: q_instance
    description: Quarantine instance
    type: string
  - name: q_original_filename
    description: Quarantine original filename
    type: string
  - name: q_original_filepath
    description: Quarantine original filepath
    type: string
  - name: q_original_shared
    description: Quarantine original shared status
    type: string
  - name: q_original_version
    description: Quarantine original version
    type: string
  - name: quarantine_file_id
    description: Quarantine file identifier
    type: string
  - name: quarantine_file_name
    description: Quarantine file name
    type: string
  - name: quarantine_profile
    description: Quarantine profile name
    type: string
  - name: quarantine_profile_id
    required: true
    description: Quarantine profile identifier
    type: string
  - name: scan_type
    description: Type of scan
    type: string
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: suppression_key
    description: Suppression key for deduplication
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: userkey
    description: Unique user key
    type: string

Netskope.Alert.Remediation

Remediation action alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.Remediation schema

schema: Netskope.Alert.Remediation
description: Remediation action alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: actions_taken
    description: Detailed actions taken during remediation
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (remediation, used for classification)
    type: string
  - name: all_policy_matches
    description: All policies that matched
    type: array
    element:
      type: string
  - name: app
    description: Application name
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: edr_app
    description: EDR application name
    type: string
  - name: endpoint_count
    description: Number of endpoints affected
    type: bigint
  - name: endpoints
    description: List of affected endpoints
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who initiated
    type: string
    indicators:
      - username
      - email
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: instance_id
    description: Instance identifier
    type: string
  - name: malware_id
    description: Malware identifier
    type: string
  - name: malware_name
    description: Name of the malware
    type: string
  - name: malware_severity
    description: Severity of the malware
    type: string
  - name: malware_type
    description: Type of malware
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: notify_template
    description: Notification template
    type: string
  - name: nsdeviceuid
    description: Netskope device UID
    type: string
  - name: object
    description: Object name
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: profile_hits
    description: Profile hits
    type: array
    element:
      type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: remediation_profile
    required: true
    description: Remediation profile name
    type: string
  - name: request_id
    description: Request identifier
    type: bigint
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: tss_mode
    description: TSS mode
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip

Netskope.Alert.SecurityAssessment

Security assessment findings from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.SecurityAssessment schema

schema: Netskope.Alert.SecurityAssessment
description: Security assessment findings from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: access_method
    description: Method of access
    type: string
  - name: account_id
    description: Cloud account identifier
    type: string
  - name: account_name
    description: Cloud account name
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (security assessment, used for classification)
    type: string
  - name: app
    description: The application associated with the alert
    type: string
  - name: appcategory
    description: Application category
    type: string
  - name: asset_id
    description: Cloud asset identifier
    type: string
  - name: asset_object_id
    description: Cloud asset object identifier
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: compliance_standards
    description: List of compliance standards
    type: array
    element:
      type: string
  - name: count
    description: Count of events
    type: bigint
  - name: device
    description: Device identifier
    type: string
  - name: iaas_asset_tags
    description: IaaS asset tags
    type: array
    element:
      type: string
  - name: iaas_remediated
    description: Whether the IaaS issue was remediated
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: object
    description: Object name
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: bigint
  - name: region_id
    description: Cloud region identifier
    type: string
  - name: region_name
    description: Cloud region name
    type: string
  - name: resource_category
    description: Resource category
    type: string
  - name: resource_group
    description: Resource group name
    type: string
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sa_profile_id
    description: Security assessment profile ID
    type: bigint
  - name: sa_profile_name
    description: Security assessment profile name
    type: string
  - name: sa_rule_id
    required: true
    description: Security assessment rule ID
    type: string
  - name: sa_rule_name
    description: Security assessment rule name
    type: string
  - name: sa_rule_severity
    description: Security assessment rule severity
    type: string
  - name: site
    description: Site name
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userkey
    description: Unique user key
    type: string

Netskope.Alert.UBA

User Behavior Analytics alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.UBA schema

schema: Netskope.Alert.UBA
description: User Behavior Analytics alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: sha256
    description: SHA256 hash of the file (not officially supported)
    type: string
    indicators:
      - sha256
  - name: user_confidence_index
    description: User confidence index score (not officially supported)
    type: bigint
  - name: AccountType
    description: Account type
    type: string
  - name: TSS-scan
    description: TSS scan indicator
    type: string
  - name: User_SPACE_Id
    description: User ID (with space in name)
    type: string
  - name: User_SPACE_Name
    description: User name (with space in name)
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: act_user
    description: Acting user
    type: string
    indicators:
      - username
      - email
  - name: action
    description: Action taken
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: activity_status
    description: Status of the activity
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_id
    description: Alert identifier
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (UBA, used for classification)
    type: string
  - name: all_policy_matches
    description: All policies that matched
    type: array
    element:
      type: string
  - name: anomalyData
    description: Anomaly detection data
    type: json
  - name: anomaly_type
    required: true
    description: Type of anomaly detected
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_activity
    description: Application-specific activity
    type: string
  - name: app_category
    description: Application category
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category (alternate field)
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: audit_category
    description: Audit category
    type: string
  - name: audit_type
    description: Audit type
    type: string
  - name: bin_timestamp
    description: Binned timestamp
    type: bigint
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: createdTime
    description: Creation time
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: displayName
    description: Display name
    type: string
  - name: distinguishedName
    description: Active Directory distinguished name
    type: string
  - name: division
    description: User division
    type: string
  - name: download_app
    description: Download application
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: employeeType
    description: Type of employee
    type: string
  - name: event_type
    description: Event type
    type: string
  - name: evt_src_chnl
    description: Event source channel
    type: string
  - name: file_category
    description: File category
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: from_user_category
    description: Category of the from user
    type: string
  - name: group
    description: Group name
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: instance_id
    description: Instance identifier
    type: string
  - name: last_app
    description: Last application used
    type: string
  - name: last_country
    description: Last country
    type: string
  - name: last_device
    description: Last device
    type: string
  - name: last_location
    description: Last location
    type: string
  - name: last_region
    description: Last region
    type: string
  - name: last_timestamp
    description: Last timestamp
    type: bigint
  - name: logintype
    description: Login type
    type: string
  - name: loginurl
    description: Login URL
    type: string
  - name: mail
    description: Email address
    type: string
    indicators:
      - email
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: manager
    description: Manager name
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: netskope_activity
    description: Netskope activity classification
    type: string
  - name: object
    description: Object name
    type: string
  - name: object_count
    description: Count of objects
    type: bigint
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: parent_id
    description: Parent event identifier
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_actions
    description: Actions defined by the policy
    type: array
    element:
      type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: policy_name
    description: Policy name (alternate field)
    type: string
  - name: profile_id
    description: Profile identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: request_id
    description: Request identifier
    type: bigint
  - name: request_type
    description: Type of request
    type: string
  - name: risk_level
    description: Risk level
    type: string
  - name: risk_level_id
    description: Risk level identifier
    type: bigint
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: scopes
    description: Permission scopes
    type: array
    element:
      type: string
  - name: score
    description: Anomaly score
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: shared_credential_user
    description: User with shared credentials
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: suppression_end_time
    description: Suppression end time
    type: bigint
  - name: suppression_start_time
    description: Suppression start time
    type: bigint
  - name: surhn
    description: SURHN field
    type: string
  - name: telemetry_app
    description: Telemetry application
    type: string
  - name: threshold
    description: Threshold value
    type: bigint
  - name: threshold_time
    description: Threshold time
    type: bigint
  - name: to_object
    description: Destination object
    type: string
  - name: to_user
    description: Recipient user
    type: string
    indicators:
      - username
      - email
  - name: to_user_category
    description: Category of the to user
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: tss_fail_reason
    description: TSS failure reason
    type: string
  - name: tss_mode
    description: TSS mode
    type: string
  - name: tss_scan_failed
    description: Whether TSS scan failed
    type: string
  - name: two_factor_auth
    description: Two-factor authentication status
    type: string
  - name: type
    description: Event type
    type: string
  - name: uba_ap1
    description: UBA application 1
    type: string
  - name: uba_ap2
    description: UBA application 2
    type: string
  - name: uba_inst1
    description: UBA instance 1
    type: string
  - name: uba_inst2
    description: UBA instance 2
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: user_category
    description: User category
    type: string
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: user_name
    description: User name
    type: string
    indicators:
      - username
  - name: user_role
    description: User role
    type: string
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
  - name: web_universal_connector
    description: Web universal connector indicator
    type: string
  - name: windowId
    description: Window identifier (millisecond epoch timestamp)
    type: bigint

Netskope.Alert.Watchlist

Watchlist match alerts from Netskope. For more information, see Netskope's documentation.

Netskope.Alert.Watchlist schema

schema: Netskope.Alert.Watchlist
description: Watchlist match alerts from Netskope with comprehensive DLP, malware, file, and network fields
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: TSS-scan
    description: TSS scan indicator
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: act_user
    description: Acting user
    type: string
    indicators:
      - username
      - email
  - name: activity
    description: Activity type
    type: string
  - name: aggregated_user
    description: Aggregated user information
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (watchlist, used for classification)
    type: string
  - name: all_policy_matches
    description: All policies that matched
    type: array
    element:
      type: string
  - name: app
    description: Application name
    type: string
  - name: app_activity
    description: Application-specific activity
    type: string
  - name: app_name
    description: Application name (alternate field)
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: audit_category
    description: Audit category
    type: string
  - name: audit_type
    description: Audit type
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: client_bytes
    description: Bytes sent by client
    type: bigint
  - name: conn_duration
    description: Connection duration in seconds
    type: bigint
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: data_type
    description: Type of data
    type: string
  - name: detection_engine
    description: Detection engine that identified the threat
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dlp_fail_reason
    description: DLP failure reason
    type: string
  - name: dlp_file
    description: DLP file identifier
    type: string
  - name: dlp_incident_id
    description: DLP incident identifier
    type: bigint
  - name: dlp_is_unique_count
    description: Whether DLP unique count is calculated
    type: string
  - name: dlp_parent_id
    description: Parent DLP incident identifier
    type: bigint
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: dlp_rule
    description: DLP rule name
    type: string
  - name: dlp_rule_count
    description: Number of DLP rules matched
    type: bigint
  - name: dlp_rule_severity
    description: Severity of the DLP rule
    type: string
  - name: dlp_scan_failed
    description: Whether DLP scan failed
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dsthost
    description: Destination hostname
    type: string
    indicators:
      - hostname
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: dstport
    description: Destination port
    type: bigint
  - name: enterprise
    description: Enterprise name
    type: string
  - name: enterprise_id
    description: Enterprise identifier
    type: string
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: external_collaborator_count
    description: Number of external collaborators
    type: bigint
  - name: file_category
    description: File category
    type: string
  - name: file_id
    description: File identifier
    type: string
  - name: file_lang
    description: File language
    type: string
  - name: file_name
    description: File name
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_object
    description: Source object
    type: string
  - name: from_storage
    description: Source storage
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: from_user_category
    description: Category of the from user
    type: string
  - name: fromlogs
    description: Source logs
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: internal_collaborator_count
    description: Number of internal collaborators
    type: bigint
  - name: justification_reason
    description: Justification reason
    type: string
  - name: justification_type
    description: Justification type
    type: string
  - name: local_md5
    description: Local MD5 hash
    type: string
    indicators:
      - md5
  - name: local_sha256
    description: Local SHA256 hash
    type: string
    indicators:
      - sha256
  - name: log_file_name
    description: Log file name
    type: string
  - name: malware_id
    description: Malware identifier
    type: string
  - name: malware_name
    description: Name of the malware
    type: string
  - name: malware_profile
    description: Malware profile name
    type: string
  - name: malware_severity
    description: Severity of the malware
    type: string
  - name: malware_type
    description: Type of malware
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: manager
    description: Manager name
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: ml_detection
    description: Machine learning detection indicator
    type: string
  - name: modified
    description: Modification timestamp
    type: bigint
  - name: netskope_activity
    description: Netskope activity classification
    type: string
  - name: network
    description: Network name
    type: string
  - name: notify_template
    description: Notification template
    type: string
  - name: nsdeviceuid
    description: Netskope device UID
    type: string
  - name: numbytes
    description: Number of bytes transferred
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_count
    description: Count of objects
    type: bigint
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: org
    description: Organization
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: owner
    description: Owner of the resource
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: parent_id
    description: Parent event identifier
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: req_cnt
    description: Request count
    type: bigint
  - name: request_id
    description: Request identifier
    type: bigint
  - name: resp_cnt
    description: Response count
    type: bigint
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: scan_type
    description: Type of scan
    type: string
  - name: scanner_result
    description: Result from scanner
    type: string
  - name: serial
    description: Serial number
    type: string
  - name: server_bytes
    description: Bytes sent by server
    type: bigint
  - name: severity
    description: Severity level
    type: string
  - name: severity_id
    description: Severity identifier
    type: bigint
  - name: sfwder
    description: Forwarder information
    type: string
  - name: shared_domains
    description: Domains the file was shared with
    type: string
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: suppression_end_time
    description: Suppression end time
    type: bigint
  - name: suppression_key
    description: Suppression key for deduplication
    type: string
  - name: suppression_start_time
    description: Suppression start time
    type: bigint
  - name: telemetry_app
    description: Telemetry application
    type: string
  - name: title
    description: Alert title
    type: string
  - name: to_object
    description: Destination object
    type: string
  - name: to_storage
    description: Destination storage
    type: string
  - name: to_user
    description: Recipient user
    type: string
    indicators:
      - username
      - email
  - name: to_user_category
    description: Category of the to user
    type: string
  - name: total_collaborator_count
    description: Total number of collaborators
    type: bigint
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: true_obj_category
    description: True object category
    type: string
  - name: true_obj_type
    description: True object type
    type: string
  - name: true_type_id
    description: True type identifier
    type: bigint
  - name: tss_fail_reason
    description: TSS failure reason
    type: string
  - name: tss_mode
    description: TSS mode
    type: string
  - name: tss_scan_failed
    description: Whether TSS scan failed
    type: string
  - name: two_factor_auth
    description: Two-factor authentication status
    type: string
  - name: type
    description: Event type
    type: string
  - name: universal_connector
    description: Universal connector indicator
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: user_category
    description: User category
    type: string
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
  - name: web_universal_connector
    description: Web universal connector indicator
    type: string
  - name: web_url
    description: Web URL
    type: string
  - name: workspace
    description: Workspace name
    type: string
  - name: workspace_id
    required: true
    description: Workspace identifier
    type: string

Netskope.Application

User application activity events from Netskope. For more information, see Netskope's documentation.

Netskope.Application schema

schema: Netskope.Application
description: User application activity events from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the event
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: CononicalName
    description: Canonical name
    type: string
  - name: _id
    required: true
    description: Unique identifier for the event
    type: string
  - name: app-cci-apphosting-provider
    description: Application hosting provider CCI (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: dlp_fail_reason
    description: DLP scan failure reason (not officially supported)
    type: string
  - name: dlp_scan_failed
    description: Whether DLP scan failed (not officially supported)
    type: string
  - name: dom
    description: Domain information (not officially supported)
    type: string
  - name: justification_reason
    description: Justification reason (not officially supported)
    type: string
  - name: justification_type
    description: Justification type (not officially supported)
    type: string
  - name: legal_hold_profile_name
    description: Legal hold profile name (not officially supported)
    type: string
  - name: lh_custodian_email
    description: Legal hold custodian email (not officially supported)
    type: string
    indicators:
      - email
  - name: lh_custodian_name
    description: Legal hold custodian name (not officially supported)
    type: string
  - name: lh_dest_app
    description: Legal hold destination app (not officially supported)
    type: string
  - name: lh_dest_instance
    description: Legal hold destination instance (not officially supported)
    type: string
  - name: lh_fileid
    description: Legal hold file ID (not officially supported)
    type: string
  - name: lh_filename
    description: Legal hold filename (not officially supported)
    type: string
  - name: lh_filepath
    description: Legal hold file path (not officially supported)
    type: string
  - name: lh_original_filename
    description: Legal hold original filename (not officially supported)
    type: string
  - name: lh_shared
    description: Legal hold shared status (not officially supported)
    type: string
  - name: lh_shared_with
    description: Legal hold shared with (not officially supported)
    type: string
  - name: lh_version
    description: Legal hold version (not officially supported)
    type: string
  - name: ns_activity
    description: Netskope activity (not officially supported)
    type: string
  - name: oauth
    description: OAuth information (not officially supported)
    type: string
  - name: os_family
    description: Operating system family (not officially supported)
    type: string
  - name: q_shared_with
    description: Quarantine shared with (not officially supported)
    type: string
  - name: record_type
    description: Record type (typically 'event') (not officially supported)
    type: string
  - name: retro_scan_name
    description: Retrospective scan name (not officially supported)
    type: string
  - name: tss_fail_reason
    description: TSS scan failure reason (not officially supported)
    type: string
  - name: tss_scan_failed
    description: Whether TSS scan failed (not officially supported)
    type: string
  - name: user_confidence_index
    description: User confidence index score (not officially supported)
    type: bigint
  - name: user_confidence_level
    description: User confidence level (not officially supported)
    type: string
  - name: zip_password
    description: ZIP file password (not officially supported)
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: action
    description: Action performed
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_type
    description: Type of alert if present
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_activity
    description: Application-specific activity
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: audit_category
    description: Audit category
    type: string
  - name: audit_type
    description: Audit type
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: channel_id
    description: Channel identifier
    type: string
  - name: client_bytes
    description: Bytes sent by client
    type: bigint
  - name: conn_duration
    description: Connection duration in seconds
    type: bigint
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: custom_connector
    description: Custom connector name
    type: string
  - name: data_center
    description: Data center location
    type: string
  - name: data_type
    description: Type of data
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dlp_file
    description: DLP file identifier
    type: string
  - name: dlp_incident_id
    description: DLP incident identifier
    type: bigint
  - name: dlp_is_unique_count
    description: Whether DLP unique count is calculated
    type: string
  - name: dlp_mail_parent_id
    description: Parent mail ID for DLP
    type: string
  - name: dlp_parent_id
    description: Parent DLP incident identifier
    type: bigint
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: dlp_rule
    description: DLP rule name
    type: string
  - name: dlp_rule_count
    description: Number of DLP rules matched
    type: bigint
  - name: dlp_rule_severity
    description: Severity of the DLP rule
    type: string
  - name: dlp_unique_count
    description: Unique count of DLP matches
    type: bigint
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dsthost
    description: Destination hostname
    type: string
    indicators:
      - hostname
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: dstport
    description: Destination port
    type: bigint
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: file_lang
    description: File language
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: from_user_category
    description: Category of the from user
    type: string
  - name: fromlogs
    description: Source logs
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: internal_collaborator_count
    description: Number of internal collaborators
    type: bigint
  - name: ja3
    description: JA3 fingerprint
    type: string
  - name: ja3s
    description: JA3S fingerprint
    type: string
  - name: log_file_name
    description: Log file name
    type: string
  - name: logintype
    description: Login type
    type: string
  - name: loginurl
    description: Login URL
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: modified
    description: Modification timestamp
    type: bigint
  - name: netskope_activity
    description: Netskope activity classification
    type: string
  - name: netskope_pop
    description: Netskope point of presence
    type: string
  - name: notify_template
    description: Notification template
    type: string
  - name: nsdeviceuid
    description: Netskope device UID
    type: string
  - name: numbytes
    description: Number of bytes transferred
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: org
    description: Organization
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: orignal_file_path
    description: "Original file path (note: typo in API)"
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: other_categories
    description: Other categories
    type: array
    element:
      type: string
  - name: outer_doc_type
    description: Outer document type
    type: bigint
  - name: owner
    description: Owner of the resource
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: parent_id
    description: Parent event identifier
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: req_cnt
    description: Request count
    type: bigint
  - name: request_id
    description: Request identifier
    type: bigint
  - name: resp_cnt
    description: Response count
    type: bigint
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: scan_type
    description: Type of scan
    type: string
  - name: serial
    description: Serial number
    type: string
  - name: server_bytes
    description: Bytes sent by server
    type: bigint
  - name: sessionid
    description: Session identifier
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: sfwder
    description: Forwarder information
    type: string
  - name: sha256
    description: SHA256 hash of the file
    type: string
    indicators:
      - sha256
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: smtp_to
    description: SMTP recipients
    type: array
    element:
      type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: suppression_end_time
    description: Suppression end time
    type: bigint
  - name: suppression_key
    description: Suppression key for deduplication
    type: string
  - name: suppression_start_time
    description: Suppression start time
    type: bigint
  - name: telemetry_app
    description: Telemetry application
    type: string
  - name: title
    description: Event title
    type: string
  - name: to_user
    description: Recipient user
    type: string
    indicators:
      - username
      - email
  - name: total_collaborator_count
    description: Total number of collaborators
    type: bigint
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: true_obj_category
    description: True object category
    type: string
  - name: true_obj_type
    description: True object type
    type: string
  - name: tss_mode
    description: TSS mode
    type: string
  - name: type
    description: Event type
    type: string
  - name: universal_connector
    description: Universal connector indicator
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the event
    type: string
  - name: user
    required: true
    description: The user associated with the event
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: user_category
    description: User category
    type: string
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
  - name: web_universal_connector
    description: Web universal connector indicator
    type: string
  - name: workspace
    description: Workspace name
    type: string
  - name: workspace_id
    description: Workspace identifier
    type: string

Netskope.Audit

Audit logs from the Netskope Audit API. For more information, see Netskope's documentation.

Netskope.Audit schema

schema: Netskope.Audit
description: Audit logs from the Netskope Audit API
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the audit log.
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: type
    required: true
    description: The type of the audit log.
    type: string
  - name: user
    required: true
    description: The user associated with the audit log.
    type: string
    indicators:
      - email
      - username
  - name: is_netskope_personnel
    description: Indicates whether the user is Netskope personnel.
    type: boolean
  - name: severity_level
    description: The severity level of the audit log.
    type: int
  - name: audit_log_event
    required: true
    description: The event description of the audit log.
    type: string
  - name: supporting_data
    required: true
    description: Supporting data associated with the audit log.
    type: json
  - name: organization_unit
    description: The organization unit associated with the audit log.
    type: string
  - name: ur_normalized
    description: The normalized user identifier.
    type: string
  - name: count
    description: The count of the audit log.
    type: int
  - name: _insertion_epoch_timestamp
    description: The timestamp of the log insertion.
    type: int
  - name: _id
    required: true
    description: The ID of the audit log.
    type: string
  - name: record_type
    description: Record type (typically 'audit') (not officially supported)
    type: string
  - name: details
    description: The audit log details.
    type: json
  - name: ccl
    description: The Cloud confidence level of the audit log.
    type: string
  - name: sAMAccountName
    description: Active Directory sAMAccountName for the audit log.
    type: string
  - name: userPrincipalName
    description: Active Directory userPrincipalName for the audit log.
    type: string

Netskope.Incident

DLP incidents with forensic detail from Netskope. For more information, see Netskope's documentation.

Netskope.Incident schema

schema: Netskope.Incident
description: DLP incidents with forensic detail from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the incident
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    required: true
    description: Unique identifier for the incident (used for classification)
    type: string
  - name: created
    description: Creation timestamp (not officially supported)
    type: bigint
  - name: destination_site
    description: Destination site (not officially supported)
    type: string
  - name: device
    description: Device identifier (not officially supported)
    type: string
  - name: endpoint_policy_match
    description: Endpoint policy matches (not officially supported)
    type: array
    element:
      type: string
  - name: ext_labels
    description: External labels array (not officially supported)
    type: json
  - name: justification
    description: Justification text (not officially supported)
    type: string
  - name: modified
    description: Modification timestamp (not officially supported)
    type: bigint
  - name: object_id
    description: Object identifier (not officially supported)
    type: string
  - name: record_type
    description: Record type (typically 'incident') (not officially supported)
    type: string
  - name: shared_with
    description: Users/groups shared with (not officially supported)
    type: string
  - name: usb_device
    description: USB device identifier (not officially supported)
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acting_user
    description: User performing the action
    type: string
    indicators:
      - username
      - email
  - name: activity
    description: Activity type
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: assignee
    description: Person assigned to the incident
    type: string
  - name: bcc
    description: BCC recipients
    type: string
  - name: cc
    description: CC recipients
    type: string
  - name: channel
    description: Communication channel
    type: string
  - name: classification
    description: Incident classification (e.g., fingerprint, ML-based)
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: destination_app
    description: Destination application
    type: string
  - name: destination_instance_id
    description: Destination instance identifier
    type: string
  - name: dlp_file
    description: DLP file identifier
    type: string
  - name: dlp_incident_id
    description: DLP incident identifier
    type: bigint
  - name: dlp_match_info
    description: Detailed DLP match information
    type: array
    element:
      type: object
      fields:
        - name: dlp_action
          description: DLP action taken
          type: string
        - name: dlp_forensic_id
          description: Forensic identifier
          type: bigint
        - name: dlp_policy
          description: DLP policy name
          type: string
        - name: dlp_policy_hash
          description: Policy hash
          type: string
        - name: dlp_profile_name
          description: DLP profile name
          type: string
        - name: dlp_scan_type
          description: Type of DLP scan
          type: string
        - name: action_threshold_met
          description: Whether action threshold was met
          type: boolean
        - name: dlp_rules
          description: DLP rules that matched
          type: array
          element:
            type: object
            fields:
              - name: dlp_incident_rule_count
                description: Number of rule incidents
                type: bigint
              - name: dlp_match_type
                description: Type of match
                type: string
              - name: dlp_rule_name
                description: Rule name
                type: string
              - name: dlp_rule_severity
                description: Rule severity
                type: string
  - name: dlp_parent_id
    description: Parent DLP incident identifier
    type: bigint
  - name: dst_location
    description: Destination location
    type: string
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: file_lang
    description: File language
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: inline_dlp_match_info
    description: Inline DLP match information
    type: array
    element:
      type: object
      fields:
        - name: dlp_action
          description: DLP action taken
          type: string
        - name: dlp_forensic_id
          description: Forensic identifier
          type: bigint
        - name: dlp_policy
          description: DLP policy name
          type: string
        - name: dlp_policy_hash
          description: Policy hash
          type: string
        - name: dlp_profile_name
          description: DLP profile name
          type: string
        - name: dlp_scan_type
          description: Type of DLP scan
          type: string
        - name: action_threshold_met
          description: Whether action threshold was met
          type: boolean
        - name: dlp_rules
          description: DLP rules that matched
          type: array
          element:
            type: object
            fields:
              - name: dlp_incident_rule_count
                description: Number of rule incidents
                type: bigint
              - name: dlp_match_type
                description: Type of match
                type: string
              - name: dlp_rule_name
                description: Rule name
                type: string
              - name: dlp_rule_severity
                description: Rule severity
                type: string
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: latest_incident_id
    description: Latest incident identifier
    type: bigint
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: object
    description: Object name
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: original_file_snapshot_id
    description: Original file snapshot identifier
    type: string
  - name: owner
    description: Owner of the resource
    type: string
  - name: owner_pdl
    description: Owner PDL (public distribution list)
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_location
    description: Source location
    type: string
  - name: status
    required: true
    description: Incident status
    type: string
  - name: title
    description: Incident title
    type: string
  - name: to_user
    description: Recipient user
    type: string
    indicators:
      - username
      - email
  - name: true_obj_category
    description: True object category
    type: string
  - name: true_obj_type
    description: True object type
    type: string
  - name: url
    description: URL associated with the incident
    type: string
  - name: user
    required: true
    description: The user associated with the incident
    type: string
    indicators:
      - username
      - email
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: zip_file_id
    description: ZIP file identifier
    type: string

PreviousMongoDB Atlas Logs NextNginx Logs

Last updated 29 days ago

Was this helpful?

hashtagOverview

hashtagHow to onboard Netskope logs to Panther

hashtagStep 1: Start creating a Netskope source in Panther

hashtagStep 2: Create an API token in Netskope

hashtagStep 3: Finish creating the Netskope source in Panther

hashtagPanther-managed detections

hashtagSupported log types

hashtagNetskope.Alert.CompromisedCredential

hashtagNetskope.Alert.Content

hashtagNetskope.Alert.CTEP

hashtagNetskope.Alert.Device

hashtagNetskope.Alert.DLP

hashtagNetskope.Alert.Malsite

hashtagNetskope.Alert.Malware

hashtagNetskope.Alert.Policy

hashtagNetskope.Alert.Quarantine

hashtagNetskope.Alert.Remediation

hashtagNetskope.Alert.SecurityAssessment

hashtagNetskope.Alert.UBA

hashtagNetskope.Alert.Watchlist

hashtagNetskope.Application

hashtagNetskope.Audit

hashtagNetskope.Incident

Overview

How to onboard Netskope logs to Panther

Step 1: Start creating a Netskope source in Panther

Step 2: Create an API token in Netskope

Step 3: Finish creating the Netskope source in Panther

Panther-managed detections

Supported log types

Netskope.Alert.CompromisedCredential

Netskope.Alert.Content

Netskope.Alert.CTEP

Netskope.Alert.Device

Netskope.Alert.DLP

Netskope.Alert.Malsite

Netskope.Alert.Malware

Netskope.Alert.Policy

Netskope.Alert.Quarantine

Netskope.Alert.Remediation

Netskope.Alert.SecurityAssessment

Netskope.Alert.UBA

Netskope.Alert.Watchlist

Netskope.Application

Netskope.Audit

Netskope.Incident