# Netskope Logs

## Overview

Panther can fetch Netskope logs by querying the [Netskope REST API v2](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

## How to onboard Netskope logs to Panther

You'll start creating the Netskope source in Panther, generate an API token in Netskope, then return to Panther to finish log source creation.

### Step 1: Start creating a Netskope source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "Netskope," then click its tile.
4. In the slide-out panel, click **Start Setup**.
5. Enter a descriptive **Name** for the source, e.g., "My Netskope logs."
6. Click **Setup**.

### Step 2: Create an API token in Netskope

1. In a separate web browser tab, open the [Netskope Admin Console](https://docs.netskope.com/en/admin-console.html).
2. In the left-side navigation bar, click **Settings**.
3. In the left-side navigation bar of the **Settings** page, click **Tools** > **REST API v2**.
4. Click **New Token**.
5. In the popup modal, configure the following fields:
   * **Token Name**: Enter a descriptive name.
   * **Expire In**: Set an appropriate expiration period.
   * **Scope**: Click **Add Endpoint** and select the `/api/v2/events/dataexport/events/audit` scope.
6. Click **Save**.
7. In the confirmation modal, click **Copy Token** and store the value in a secure location, as you will need it in the next step.

### Step 3: Finish creating the Netskope source in Panther

1. Navigate back to the Panther Console, to the **Set Credentials** page where you left off after completing [Step 1](#step-1-start-creating-a-netskope-source-in-panther).
2. In the **Netskope Domain** field, enter the domain name of your Netskope tenant (e.g., `corp.goskope.com`).
3. In the **API Key** field, paste the API token value you copied from the Netskope Admin console in [Step 2](#step-2-create-an-api-token-in-netskope).
4. Click **Setup**. You will be directed to a success screen:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e55cedf82c6a6adc66ec5c14ebdcb164c3b1dcca%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c48119abd559990173004bde99ff4907fdd2ded2%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Netskope in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/netskope_rules).

## Supported log types

### Netskope.Alert.CompromisedCredential

Breach and credential exposure alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.CompromisedCredential schema</summary>

```yaml
schema: Netskope.Alert.CompromisedCredential
description: Breach and credential exposure alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: appcategory
    description: Application category (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (used for classification)
    type: string
  - name: app
    description: The application associated with the alert
    type: string
  - name: breach_date
    description: The date of the breach (unix timestamp)
    type: bigint
  - name: breach_description
    description: Description of the breach
    type: string
  - name: breach_id
    required: true
    description: Unique identifier for the breach
    type: string
  - name: breach_media_references
    description: Media references for the breach
    type: string
  - name: breach_score
    description: Score indicating breach severity
    type: string
  - name: breach_target_references
    description: Target references for the breach
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: count
    description: Count of events
    type: bigint
  - name: department
    description: User department
    type: string
  - name: distinguishedName
    description: Active Directory distinguished name
    type: string
  - name: division
    description: User division
    type: string
  - name: email_source
    description: Source of email
    type: string
  - name: employeeType
    description: Type of employee
    type: string
  - name: external_email
    description: External email indicator
    type: bigint
  - name: mail
    description: Email address
    type: string
    indicators:
      - email
  - name: matched_username
    description: Username that matched in the breach
    type: string
    indicators:
      - username
  - name: organization_unit
    description: Organization unit
    type: string
  - name: password_type
    description: Type of password (e.g., plaintext, hashed)
    type: string
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sAMAccountType
    description: Active Directory account type
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
    indicators:
      - email
      - username
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: userkey
    description: Unique user key
    type: string
```

</details>
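
The following is an added example, not code from Panther or Netskope: it triages raw `Netskope.Alert.CompromisedCredential` events using the field names from the schema above. The 90-day recency window, the severity labels, and the sample events are assumptions constructed for illustration.

```python
# Added example: triage raw Netskope.Alert.CompromisedCredential events.
# Field names come from the schema above; thresholds and labels are assumptions.

REQUIRED_FIELDS = ("timestamp", "alert_type", "breach_id", "user")  # "required: true" in the schema
IDENTITY_FIELDS = ("user", "mail", "matched_username", "userPrincipalName", "ur_normalized")
SECONDS_PER_DAY = 86400


def _epoch(value):
    """Return a unix timestamp as int, or None if the field is absent or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def triage(event, recent_days=90):
    """Score one raw event. `recent_days` is an assumed cut-off, not a Netskope setting."""
    missing = [f for f in REQUIRED_FIELDS if event.get(f) in (None, "")]
    alert_ts = _epoch(event.get("timestamp"))
    if missing or alert_ts is None:
        # An event without the required fields would not match this schema at all.
        return {"severity": "INVALID", "missing": missing,
                "identities": [], "breach_age_days": None}

    # breach_date is optional (bigint, unix seconds); age is measured at alert time.
    breach_ts = _epoch(event.get("breach_date"))
    age_days = None
    if breach_ts is not None:
        age_days = max(0, (alert_ts - breach_ts) // SECONDS_PER_DAY)

    plaintext = str(event.get("password_type") or "").strip().lower() == "plaintext"
    recent = age_days is not None and age_days <= recent_days
    if plaintext and recent:
        severity = "HIGH"      # usable password from a fresh breach
    elif plaintext or recent:
        severity = "MEDIUM"
    else:
        severity = "LOW"

    # Collect every identity the alert names so each account can be reset.
    identities = sorted({str(event[f]).strip().lower()
                         for f in IDENTITY_FIELDS if event.get(f)})
    return {"severity": severity, "missing": [],
            "identities": identities, "breach_age_days": age_days}


# Constructed sample events (not real Netskope output).
SAMPLE_EVENTS = [
    {"timestamp": 1700000000, "alert_type": "Compromised Credential",
     "breach_id": "constructed-breach-001", "user": "alice@example.com",
     "matched_username": "alice", "password_type": "plaintext",
     "breach_date": 1699136000},
    {"timestamp": 1700000000, "alert_type": "Compromised Credential",
     "breach_id": "constructed-breach-002", "user": "bob@example.com",
     "password_type": "hashed", "breach_date": 1500000000},
    {"timestamp": 1700000000, "alert_type": "Compromised Credential",
     "user": "carol@example.com", "password_type": "plaintext"},  # breach_id missing
    {"timestamp": "1700000000", "alert_type": "Compromised Credential",
     "breach_id": "constructed-breach-004", "user": "dave@example.com",
     "password_type": "Plaintext"},  # no breach_date, so recency is unknown
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(sample.get("user"), triage(sample))
```
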

### Netskope.Alert.Content

Content inspection alerts from Netskope Endpoint DLP Service. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.Content schema</summary>

```yaml
schema: Netskope.Alert.Content
description: Content inspection alerts from Netskope Endpoint DLP Service
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    required: true
    description: Unique identifier for the alert
    type: string
  - name: access_method
    description: Method of access (e.g., Endpoint)
    type: string
  - name: action
    description: Action taken (e.g., alert, block)
    type: string
  - name: activity
    description: Activity type (e.g., Create, Upload)
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (Content, used for classification)
    type: string
  - name: app
    description: Application name (e.g., explorer.exe)
    type: string
  - name: computer_name
    description: Name of the computer
    type: string
    indicators:
      - hostname
  - name: count
    description: Count of events
    type: bigint
  - name: destination_file_directory
    description: Destination file directory path
    type: string
  - name: destination_file_name
    description: Destination file name
    type: string
  - name: destination_file_path
    description: Full destination file path
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification (e.g., managed, unmanaged)
    type: string
  - name: dlp_incident_id
    required: true
    description: DLP incident identifier
    type: bigint
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type description
    type: string
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_details
    description: Detailed OS information
    type: string
  - name: os_user_name
    description: OS username
    type: string
    indicators:
      - username
  - name: pid
    description: Process ID
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_action
    description: Action defined by policy
    type: string
  - name: policy_name_enforced
    description: Name of the enforced policy
    type: string
  - name: process_cert_subject
    description: Certificate subject of the process
    type: string
  - name: process_name
    description: Name of the process
    type: string
  - name: process_path
    description: Full path to the process
    type: string
  - name: sha256
    description: SHA256 hash of the file
    type: string
    indicators:
      - sha256
  - name: site
    description: Site or application name
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
    indicators:
      - email
      - username
  - name: usb_device_type
    description: Type of USB device
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - email
      - username
  - name: userkey
    description: Unique user key
    type: string
```

</details>

### Netskope.Alert.CTEP

Client Threat Endpoint Protection (IPS/C2) alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.CTEP schema</summary>

```yaml
schema: Netskope.Alert.CTEP
description: Client Threat Endpoint Protection (IPS/C2) alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: appcategory
    description: Application category (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: device
    description: Device identifier (not officially supported)
    type: string
  - name: dstport
    description: Destination port (not officially supported)
    type: bigint
  - name: ip_protocol
    description: IP protocol (e.g., TCP, UDP) (not officially supported)
    type: string
  - name: netskope_pop
    description: Netskope point of presence (not officially supported)
    type: string
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: srcport
    description: Source port (not officially supported)
    type: bigint
  - name: traffic_type
    description: Type of traffic (not officially supported)
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (ctep, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: company
    description: Company name
    type: string
  - name: count
    description: Count of events
    type: bigint
  - name: department
    description: User department
    type: string
  - name: deviceClassification
    description: Device classification
    type: array
    element:
      type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: gid
    description: Group ID for signature
    type: bigint
  - name: home_pop
    description: Home point of presence
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: http_method
    description: HTTP method
    type: string
  - name: http_port
    description: HTTP port
    type: bigint
  - name: manager
    description: Manager name
    type: string
  - name: metadata
    description: Additional metadata
    type: json
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: other_categories
    description: Other categories
    type: array
    element:
      type: string
  - name: profile_id
    description: Profile identifier
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: signature
    required: true
    description: IPS signature name
    type: string
  - name: signature_id
    description: IPS signature identifier
    type: bigint
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: tunnel_id
    description: Tunnel identifier
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
    indicators:
      - email
      - username
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
```

</details>

### Netskope.Alert.Device

Device alerts from Netskope Endpoint DLP Service. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.Device schema</summary>

```yaml
schema: Netskope.Alert.Device
description: Device alerts from Netskope Endpoint DLP Service
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    required: true
    description: Unique identifier for the alert
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: access_method
    description: Method of access (e.g., Endpoint)
    type: string
  - name: action
    description: Action taken (e.g., block, allow)
    type: string
  - name: activity
    description: Activity type (e.g., Insert, Remove)
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (Device, used for classification)
    type: string
  - name: computer_name
    description: Name of the computer
    type: string
  - name: connection_type
    description: Type of connection (e.g., local, network)
    type: string
  - name: count
    description: Count of events
    type: bigint
  - name: device_classification
    description: Device classification (e.g., managed, unmanaged)
    type: string
  - name: driver
    description: Device driver name
    type: string
  - name: location
    description: Geographic location
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_details
    description: Detailed OS information
    type: string
  - name: os_user_name
    description: OS username
    type: string
    indicators:
      - username
  - name: policy
    description: Policy name
    type: string
  - name: policy_action
    description: Action defined by policy
    type: string
  - name: policy_name_enforced
    description: Name of the enforced policy
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
    indicators:
      - email
      - username
  - name: usb_device_id
    description: USB device identifier
    type: string
  - name: usb_device_name
    description: USB device name
    type: string
  - name: usb_device_sn
    description: USB device serial number
    type: string
  - name: usb_device_type
    description: Type of USB device (e.g., usb mass storage)
    type: string
  - name: usb_is_encrypted
    required: true
    description: Whether the USB device is encrypted
    type: boolean
  - name: usb_product_id
    description: USB product identifier
    type: string
  - name: usb_vendor_id
    description: USB vendor identifier
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - email
      - username
  - name: userkey
    description: Unique user key
    type: string
```

</details>
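
The following is an added example, not a Panther-managed rule: it uses the `Netskope.Alert.Device` fields above to find users who connected unencrypted USB mass storage that the policy did not block, grouped by distinct device. The field values it matches (`usb mass storage`, `block`) are the examples given in the schema descriptions; the threshold and the sample events are constructed assumptions.

```python
# Added example: summarize unencrypted, unblocked USB storage per user
# from raw Netskope.Alert.Device events. Thresholds are assumptions.
from collections import defaultdict


def is_unblocked_unencrypted_storage(event):
    """True when an unencrypted USB mass-storage device was seen and not blocked."""
    # usb_is_encrypted is a required boolean; anything other than False is skipped.
    if event.get("usb_is_encrypted") is not False:
        return False
    device_type = str(event.get("usb_device_type") or "").lower()
    if "mass storage" not in device_type:
        return False
    return str(event.get("action") or "").strip().lower() != "block"


def device_key(event):
    """Prefer the serial number; fall back to the device id when it is absent."""
    return event.get("usb_device_sn") or event.get("usb_device_id") or "unknown"


def summarize(events, min_devices=2):
    """Map user -> sorted distinct devices, for users at or above min_devices."""
    per_user = defaultdict(set)
    for event in events:
        if not is_unblocked_unencrypted_storage(event):
            continue
        user = str(event.get("ur_normalized") or event.get("user") or "").lower()
        if user:
            per_user[user].add(device_key(event))
    return {user: sorted(devices)
            for user, devices in per_user.items()
            if len(devices) >= min_devices}


def _event(user, action, encrypted, **extra):
    """Build one constructed sample event with the fields the schema requires."""
    event = {"timestamp": 1700000000, "_id": "constructed-" + user,
             "alert_type": "Device", "user": user, "action": action,
             "usb_is_encrypted": encrypted, "usb_device_type": "usb mass storage",
             "activity": "Insert"}
    event.update(extra)
    return event


# Constructed sample events (not real Netskope output).
SAMPLE_EVENTS = [
    _event("alice@example.com", "allow", False, usb_device_sn="A1"),
    _event("alice@example.com", "allow", False, usb_device_sn="A2"),
    _event("Alice@example.com", "allow", False, usb_device_sn="A1"),   # repeat insert
    _event("bob@example.com", "block", False, usb_device_sn="B1"),     # blocked by policy
    _event("carol@example.com", "allow", True, usb_device_sn="C1"),    # encrypted device
    _event("dave@example.com", "allow", False, usb_device_id="constructed-usb-id-01"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```
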

### Netskope.Alert.DLP

Data Loss Prevention alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.DLP schema</summary>

```yaml
schema: Netskope.Alert.DLP
description: Data Loss Prevention alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: user_confidence_index
    description: User confidence index score (not officially supported)
    type: bigint
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: act_user
    description: Act User
    type: string
    indicators:
      - username
      - email
  - name: action
    description: Action taken (e.g., block, allow, alert)
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (DLP, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_activity
    description: App Activity
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: bcc
    description: Bcc
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: channel
    description: Channel
    type: string
  - name: classification_name
    description: Classification Name
    type: string
  - name: collaborated
    description: Collaborated
    type: string
  - name: connection_id
    description: Connection Id
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: data_type
    description: Data Type
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: displayName
    description: Displayname
    type: string
  - name: dlp_file
    description: DLP file identifier
    type: string
  - name: dlp_fingerprint_classification
    description: Dlp Fingerprint Classification
    type: string
  - name: dlp_fingerprint_match
    description: Dlp Fingerprint Match
    type: string
  - name: dlp_fingerprint_score
    description: Dlp Fingerprint Score
    type: bigint
  - name: dlp_incident_id
    description: DLP incident identifier
    type: bigint
  - name: dlp_is_unique_count
    description: Whether DLP unique count is calculated
    type: string
  - name: dlp_mail_parent_id
    description: Parent mail ID for DLP
    type: string
  - name: dlp_parent_id
    description: Parent DLP incident identifier
    type: bigint
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: dlp_rule
    description: DLP rule name
    type: string
  - name: dlp_rule_count
    description: Number of DLP rules matched
    type: bigint
  - name: dlp_rule_score
    required: true
    description: Dlp Rule Score
    type: bigint
  - name: dlp_rule_severity
    description: Severity of the DLP rule
    type: string
  - name: dlp_unique_count
    description: Unique count of DLP matches
    type: bigint
  - name: dst_country
    description: Dst Country
    type: string
  - name: dst_geoip_src
    description: Dst Geoip Src
    type: bigint
  - name: dst_latitude
    description: Dst Latitude
    type: float
  - name: dst_location
    description: Dst Location
    type: string
  - name: dst_longitude
    description: Dst Longitude
    type: float
  - name: dst_region
    description: Dst Region
    type: string
  - name: dst_timezone
    description: Dst Timezone
    type: string
  - name: dst_zipcode
    description: Dst Zipcode
    type: string
  - name: dstip
    description: Dstip
    type: string
    indicators:
      - ip
  - name: dynamic_classification
    description: Dynamic Classification
    type: string
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: external_collaborator_count
    description: Number of external collaborators
    type: bigint
  - name: file_category
    description: File Category
    type: string
  - name: file_cls_encrypted
    description: File Cls Encrypted
    type: boolean
  - name: file_lang
    description: File language
    type: string
  - name: file_password_protected
    description: Whether the file is password protected (yes/no string)
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_storage
    description: From Storage
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: group
    description: Group
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident Id
    type: bigint
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: internal_collaborator_count
    description: Number of internal collaborators
    type: bigint
  - name: local_sha256
    description: Local Sha256
    type: string
    indicators:
      - sha256
  - name: mail
    description: Mail
    type: string
    indicators:
      - email
  - name: managed_app
    description: Managed App
    type: string
  - name: managementID
    description: Managementid
    type: string
  - name: manager
    description: Manager
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: message_id
    description: Message Id
    type: string
  - name: message_size
    description: Message Size
    type: bigint
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: modified
    description: Modified
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: orignal_file_path
    description: Orignal File Path
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: Os Version
    type: string
  - name: outer_doc_type
    description: Outer Doc Type
    type: bigint
  - name: owner
    description: Owner of the resource
    type: string
  - name: owner_pdl
    description: Owner Pdl
    type: string
  - name: page
    description: Page
    type: string
  - name: page_site
    description: Page Site
    type: string
  - name: parent_id
    description: Parent Id
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Protocol
    type: string
  - name: referer
    description: Referer
    type: string
  - name: request_id
    description: Request Id
    type: bigint
  - name: retro_scan_name
    description: Retro Scan Name
    type: string
  - name: sAMAccountName
    description: Samaccountname
    type: string
  - name: sanctioned_instance
    description: Sanctioned Instance
    type: string
  - name: scan_type
    description: Scan Type
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: sha256
    description: Sha256
    type: string
    indicators:
      - sha256
  - name: shared_domains
    description: Domains the file was shared with
    type: string
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: smtp_to
    description: Smtp To
    type: array
    element:
      type: string
  - name: src_country
    description: Src Country
    type: string
  - name: src_geoip_src
    description: Src Geoip Src
    type: bigint
  - name: src_latitude
    description: Src Latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Src Longitude
    type: float
  - name: src_region
    description: Src Region
    type: string
  - name: src_time
    description: Src Time
    type: string
  - name: src_timezone
    description: Src Timezone
    type: string
  - name: src_zipcode
    description: Src Zipcode
    type: string
  - name: srcip
    description: Srcip
    type: string
    indicators:
      - ip
  - name: sub_type
    description: Sub Type
    type: string
  - name: suppression_key
    description: Suppression Key
    type: string
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: title
    description: Title
    type: string
  - name: to_storage
    description: To Storage
    type: string
  - name: to_user
    description: To User
    type: string
    indicators:
      - username
      - email
  - name: total_collaborator_count
    description: Total number of collaborators
    type: bigint
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction Id
    type: bigint
  - name: true_filetype
    description: True Filetype
    type: string
  - name: true_obj_category
    description: True Obj Category
    type: string
  - name: true_obj_type
    description: True Obj Type
    type: string
  - name: true_type_id
    description: True Type Id
    type: bigint
  - name: tss_mode
    description: Tss Mode
    type: string
  - name: type
    description: Event type
    type: string
  - name: universal_connector
    description: Universal Connector
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userCountry
    description: Usercountry
    type: string
  - name: userPrincipalName
    description: Userprincipalname
    type: string
  - name: user_id
    description: User Id
    type: string
    indicators:
      - username
  - name: userip
    description: Userip
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
  - name: violating_user
    description: Violating User
    type: string
    indicators:
      - username
      - email
  - name: violating_user_type
    description: Violating User Type
    type: string
  - name: web_universal_connector
    description: Web Universal Connector
    type: string
```

</details>

### Netskope.Alert.Malsite

Malicious site detection alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.Malsite schema</summary>

```yaml
schema: Netskope.Alert.Malsite
description: Malicious site detection alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: retro_scan_name
    description: Name of the retrospective scan (not officially supported)
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: aggregated_user
    description: Aggregated user information
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (malsite, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: client_bytes
    description: Bytes sent by client
    type: bigint
  - name: co
    description: Country code
    type: string
  - name: conn_duration
    description: Connection duration in seconds
    type: bigint
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: department
    description: User department
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: division
    description: User division
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dsthost
    description: Destination hostname
    type: string
    indicators:
      - hostname
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: dstport
    description: Destination port
    type: bigint
  - name: from_user
    description: User who initiated
    type: string
    indicators:
      - username
      - email
  - name: fromlogs
    description: Source logs
    type: string
  - name: gateway
    description: Gateway information
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: ja3
    description: JA3 fingerprint
    type: string
  - name: ja3s
    description: JA3S fingerprint
    type: string
  - name: log_file_name
    description: Log file name
    type: string
  - name: malicious
    description: Whether the site is malicious
    type: string
  - name: malsite_active
    description: Whether the malicious site is active
    type: string
  - name: malsite_category
    required: true
    description: Categories of malicious site
    type: array
    element:
      type: string
  - name: malsite_confidence
    description: Confidence score of malsite detection
    type: bigint
  - name: malsite_consecutive
    description: Consecutive malsite detections
    type: string
  - name: malsite_country
    description: Country of malicious site
    type: string
  - name: malsite_first_seen
    description: First seen timestamp of malsite
    type: bigint
  - name: malsite_hostility
    description: Hostility level of malsite
    type: string
  - name: malsite_id
    description: Malsite identifier
    type: string
  - name: malsite_ip_host
    description: IP or host of malsite
    type: string
    indicators:
      - ip
      - hostname
  - name: malsite_last_seen
    description: Last seen timestamp of malsite
    type: bigint
  - name: malsite_latitude
    description: Latitude of malsite
    type: float
  - name: malsite_longitude
    description: Longitude of malsite
    type: float
  - name: malsite_region
    description: Region of malsite
    type: string
  - name: malsite_reputation
    description: Reputation score of malsite
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: notify_template
    description: Notification template
    type: string
  - name: numbytes
    description: Number of bytes transferred
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: org
    description: Organization
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: other_categories
    description: Other categories
    type: array
    element:
      type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: req_cnt
    description: Request count
    type: bigint
  - name: request_id
    description: Request identifier
    type: bigint
  - name: resp_cnt
    description: Response count
    type: bigint
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: serial
    description: Serial number
    type: string
  - name: server_bytes
    description: Bytes sent by server
    type: bigint
  - name: severity
    description: Severity level
    type: string
  - name: severity_level
    description: Severity level description
    type: string
  - name: severity_level_id
    description: Severity level identifier
    type: bigint
  - name: sfwder
    description: Forwarder information
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: suppression_end_time
    description: Suppression end time
    type: bigint
  - name: suppression_start_time
    description: Suppression start time
    type: bigint
  - name: telemetry_app
    description: Telemetry application
    type: string
  - name: threat_match_field
    description: Field that matched the threat
    type: string
  - name: threat_match_value
    description: Value that matched the threat
    type: string
  - name: threat_source_id
    description: Threat source identifier
    type: bigint
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: type
    description: Event type
    type: string
  - name: universal_connector
    description: Universal connector indicator
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
```

</details>
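A consumer-side check of what the `Netskope.Alert.Malsite` schema above requires, as an added example (not Panther's or Netskope's code): it verifies the `required` fields, the `unix` timestamp format and the array type of `malsite_category`, then collects the fields that carry `indicators` by kind. The sample events are constructed, and the rule for fields tagged with two indicator kinds (a parseable IP is an `ip`, a value containing `@` is an `email`) is an assumption of this example.

```python
import ipaddress
import math
from datetime import datetime, timezone

# Taken from the Netskope.Alert.Malsite schema: fields marked `required: true`
# and fields that declare an `indicators` list.
REQUIRED = ("timestamp", "alert_type", "malsite_category", "user")
INDICATORS = {
    "dsthost": ("hostname",),
    "dstip": ("ip",),
    "from_user": ("username", "email"),
    "hostname": ("hostname",),
    "malsite_ip_host": ("ip", "hostname"),
    "srcip": ("ip",),
    "user": ("username", "email"),
    "userip": ("ip",),
}

# Constructed sample events (not real Netskope output).
SAMPLE = {
    "timestamp": 1700000000, "alert_type": "malsite",
    "malsite_category": ["Phishing"], "user": "alice@example.com",
    "srcip": "10.0.0.5", "userip": "10.0.0.5", "dstip": "203.0.113.7",
    "dsthost": "bad.example.net", "malsite_ip_host": "203.0.113.7",
}
MALFORMED = {
    "timestamp": "2023-11-14T22:13:20Z", "alert_type": "malsite",
    "malsite_category": "Phishing", "malsite_ip_host": "bad.example.net",
    "srcip": "not-an-ip",
}


def is_unix(value):
    """True if value is a finite number (or numeric string) of epoch seconds."""
    if isinstance(value, bool):
        return False
    try:
        return math.isfinite(float(value))
    except (TypeError, ValueError):
        return False


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify(value, kinds):
    """Pick one indicator kind for value (assumed rule, see lead-in)."""
    if "ip" in kinds and is_ip(value):
        return "ip"
    if "email" in kinds and "@" in value:
        return "email"
    for kind in kinds:
        if kind in ("hostname", "username"):
            return kind
    return None  # e.g. an ip-only field holding a non-IP value


def validate(event):
    """Return a list of schema problems; an empty list means the event fits."""
    problems = [f"missing required field: {name}" for name in REQUIRED
                if event.get(name) in (None, "", [])]
    ts = event.get("timestamp")
    if ts is not None and not is_unix(ts):
        problems.append("timestamp is not unix epoch seconds")
    cats = event.get("malsite_category")
    if cats is not None and not (
            isinstance(cats, list) and all(isinstance(c, str) for c in cats)):
        problems.append("malsite_category is not an array of strings")
    return problems


def event_time(event):
    """Event time as an aware UTC datetime (timeFormats: unix)."""
    return datetime.fromtimestamp(float(event["timestamp"]), tz=timezone.utc)


def extract_indicators(event):
    """Group indicator field values by kind, de-duplicated and sorted."""
    found = {}
    for field, kinds in INDICATORS.items():
        value = event.get(field)
        if isinstance(value, str) and value:
            kind = classify(value, kinds)
            if kind:
                found.setdefault(kind, set()).add(value)
    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == "__main__":
    for name, ev in (("SAMPLE", SAMPLE), ("MALFORMED", MALFORMED)):
        print(name, validate(ev), extract_indicators(ev))
```

The malformed sample shows why `malsite_ip_host` needs a per-value decision: the same field holds an IP in one event and a hostname in the other.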

### Netskope.Alert.Malware

Malware detection alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.Malware schema</summary>

```yaml
schema: Netskope.Alert.Malware
description: Malware detection alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: TSS-scan
    description: TSS scan indicator
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (malware, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_name
    description: Application name (alternate field)
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: company
    description: Company name
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: created_date
    description: Creation date timestamp
    type: bigint
  - name: department
    description: User department
    type: string
  - name: detection_engine
    description: Detection engine that identified the malware
    type: string
  - name: detection_type
    description: Type of detection
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: fastscan_results
    description: Fast scan results
    type: string
  - name: file_category
    description: File category
    type: string
  - name: file_id
    description: File identifier
    type: string
  - name: file_name
    description: File name
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: filename
    description: Filename (alternate field)
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: local_md5
    description: Local MD5 hash
    type: string
    indicators:
      - md5
  - name: local_sha256
    description: Local SHA256 hash
    type: string
    indicators:
      - sha256
  - name: malware_id
    description: Malware identifier
    type: string
  - name: malware_name
    description: Name of the malware
    type: string
  - name: malware_profile
    description: Malware profile name
    type: string
  - name: malware_severity
    description: Severity of the malware
    type: string
  - name: malware_type
    description: Type of malware
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: manager
    description: Manager name
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: ml_detection
    description: Machine learning detection indicator
    type: string
  - name: modified_date
    description: Modification date timestamp
    type: bigint
  - name: nsdeviceuid
    description: Netskope device UID
    type: string
  - name: object
    description: Object name
    type: string
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: parent_id
    description: Parent event identifier
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: request_id
    description: Request identifier
    type: bigint
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: scan_time
    description: Scan time timestamp
    type: bigint
  - name: scan_type
    description: Type of scan
    type: string
  - name: scanner_result
    description: Result from scanner
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: severity_id
    description: Severity identifier
    type: bigint
  - name: sha1
    description: SHA1 hash of the file
    type: string
    indicators:
      - sha1
  - name: sha256
    description: SHA256 hash of the file (not officially supported)
    type: string
    indicators:
      - sha256
  - name: shared_type
    description: Type of sharing
    type: string
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: title
    description: Alert title
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: true_filetype
    required: true
    description: True file type
    type: string
  - name: tss_license
    description: TSS license information
    type: string
  - name: tss_mode
    description: TSS mode
    type: string
  - name: tss_fail_reason
    description: TSS scan failure reason (not officially supported)
    type: string
  - name: tss_scan_failed
    description: Whether TSS scan failed (not officially supported)
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: user_confidence_index
    description: User confidence index score (not officially supported)
    type: bigint
  - name: userCountry
    description: User country
    type: string
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: usr_display_name
    description: User display name
    type: string
  - name: usr_status
    description: User status
    type: string
  - name: usr_title
    description: User title
    type: string
  - name: usr_udf_businesssegmentlevel1
    description: User-defined business segment level 1
    type: string
  - name: usr_udf_businesssegmentlevel2
    description: User-defined business segment level 2
    type: string
  - name: usr_udf_businesssegmentlevel3
    description: User-defined business segment level 3
    type: string
  - name: usr_udf_businesssegmentlevel4
    description: User-defined business segment level 4
    type: string
  - name: usr_udf_companyname
    description: User-defined company name
    type: string
  - name: usr_udf_employeeid
    description: User-defined employee ID
    type: string
  - name: usr_udf_primarydomain
    description: User-defined primary domain
    type: string
  - name: usr_udf_supervisorid
    description: User-defined supervisor ID
    type: string
  - name: usr_udf_supervisorname
    description: User-defined supervisor name
    type: string
```

</details>

### Netskope.Alert.Policy

Policy violation alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.Policy schema</summary>

```yaml
schema: Netskope.Alert.Policy
description: Policy violation alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken (e.g., block, allow, alert)
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (policy, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_location
    description: Destination location
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: page
    description: Page URL
    type: string
  - name: policy
    required: true
    description: Policy name
    type: string
  - name: policy_actions
    description: Actions defined by the policy
    type: array
    element:
      type: string
  - name: policy_id
    required: true
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_location
    description: Source location
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
```

</details>

### Netskope.Alert.Quarantine

Quarantine action alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.Quarantine schema</summary>

```yaml
schema: Netskope.Alert.Quarantine
description: Quarantine action alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (quarantine, used for classification)
    type: string
  - name: app
    description: Application name
    type: string
  - name: appcategory
    description: Application category
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: count
    description: Count of events
    type: bigint
  - name: department
    description: User department
    type: string
  - name: departmentNumber
    description: Department number
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: file_id
    description: File identifier
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: instance_id
    description: Instance identifier
    type: string
  - name: manager
    description: Manager name
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: modified
    description: Modification timestamp
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: orignal_file_path
    description: "Original file path (note: typo in API)"
    type: string
  - name: os
    description: Operating system
    type: string
  - name: other_categories
    description: Other categories
    type: array
    element:
      type: string
  - name: owner
    description: Owner of the resource
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: profile_emails
    description: Profile email addresses
    type: array
    element:
      type: string
  - name: q_admin
    description: Quarantine admin
    type: string
  - name: q_app
    description: Quarantine app
    type: string
  - name: q_instance
    description: Quarantine instance
    type: string
  - name: q_original_filename
    description: Quarantine original filename
    type: string
  - name: q_original_filepath
    description: Quarantine original filepath
    type: string
  - name: q_original_shared
    description: Quarantine original shared status
    type: string
  - name: q_original_version
    description: Quarantine original version
    type: string
  - name: quarantine_file_id
    description: Quarantine file identifier
    type: string
  - name: quarantine_file_name
    description: Quarantine file name
    type: string
  - name: quarantine_profile
    description: Quarantine profile name
    type: string
  - name: quarantine_profile_id
    required: true
    description: Quarantine profile identifier
    type: string
  - name: scan_type
    description: Type of scan
    type: string
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: suppression_key
    description: Suppression key for deduplication
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: userkey
    description: Unique user key
    type: string
```

</details>

### Netskope.Alert.Remediation

Remediation action alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.Remediation schema</summary>

```yaml
schema: Netskope.Alert.Remediation
description: Remediation action alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: actions_taken
    description: Detailed actions taken during remediation
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (remediation, used for classification)
    type: string
  - name: all_policy_matches
    description: All policies that matched
    type: array
    element:
      type: string
  - name: app
    description: Application name
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: edr_app
    description: EDR application name
    type: string
  - name: endpoint_count
    description: Number of endpoints affected
    type: bigint
  - name: endpoints
    description: List of affected endpoints
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who initiated
    type: string
    indicators:
      - username
      - email
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: instance_id
    description: Instance identifier
    type: string
  - name: malware_id
    description: Malware identifier
    type: string
  - name: malware_name
    description: Name of the malware
    type: string
  - name: malware_severity
    description: Severity of the malware
    type: string
  - name: malware_type
    description: Type of malware
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: notify_template
    description: Notification template
    type: string
  - name: nsdeviceuid
    description: Netskope device UID
    type: string
  - name: object
    description: Object name
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: profile_hits
    description: Profile hits
    type: array
    element:
      type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: remediation_profile
    required: true
    description: Remediation profile name
    type: string
  - name: request_id
    description: Request identifier
    type: bigint
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: tss_mode
    description: TSS mode
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
```

</details>

### Netskope.Alert.SecurityAssessment

Security assessment findings from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.SecurityAssessment schema</summary>

```yaml
schema: Netskope.Alert.SecurityAssessment
description: Security assessment findings from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: access_method
    description: Method of access
    type: string
  - name: account_id
    description: Cloud account identifier
    type: string
  - name: account_name
    description: Cloud account name
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: action
    description: Action taken
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (security assessment, used for classification)
    type: string
  - name: app
    description: The application associated with the alert
    type: string
  - name: appcategory
    description: Application category
    type: string
  - name: asset_id
    description: Cloud asset identifier
    type: string
  - name: asset_object_id
    description: Cloud asset object identifier
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: category
    description: Category of the application
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: compliance_standards
    description: List of compliance standards
    type: array
    element:
      type: string
  - name: count
    description: Count of events
    type: bigint
  - name: device
    description: Device identifier
    type: string
  - name: iaas_asset_tags
    description: IaaS asset tags
    type: array
    element:
      type: string
  - name: iaas_remediated
    description: Whether the IaaS issue was remediated
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: object
    description: Object name
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: bigint
  - name: region_id
    description: Cloud region identifier
    type: string
  - name: region_name
    description: Cloud region name
    type: string
  - name: resource_category
    description: Resource category
    type: string
  - name: resource_group
    description: Resource group name
    type: string
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sa_profile_id
    description: Security assessment profile ID
    type: bigint
  - name: sa_profile_name
    description: Security assessment profile name
    type: string
  - name: sa_rule_id
    required: true
    description: Security assessment rule ID
    type: string
  - name: sa_rule_name
    description: Security assessment rule name
    type: string
  - name: sa_rule_severity
    description: Security assessment rule severity
    type: string
  - name: site
    description: Site name
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: type
    description: Event type
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userkey
    description: Unique user key
    type: string
```

</details>

### Netskope.Alert.UBA

User Behavior Analytics alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.UBA schema</summary>

```yaml
schema: Netskope.Alert.UBA
description: User Behavior Analytics alerts from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    description: Unique identifier for the alert (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: record_type
    description: Record type (typically 'alert') (not officially supported)
    type: string
  - name: sha256
    description: SHA256 hash of the file (not officially supported)
    type: string
    indicators:
      - sha256
  - name: user_confidence_index
    description: User confidence index score (not officially supported)
    type: bigint
  - name: AccountType
    description: Account type
    type: string
  - name: TSS-scan
    description: TSS scan indicator
    type: string
  - name: User_SPACE_Id
    description: User ID (with space in name)
    type: string
  - name: User_SPACE_Name
    description: User name (with space in name)
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: act_user
    description: Acting user
    type: string
    indicators:
      - username
      - email
  - name: action
    description: Action taken
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: activity_status
    description: Status of the activity
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_id
    description: Alert identifier
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (UBA, used for classification)
    type: string
  - name: all_policy_matches
    description: All policies that matched
    type: array
    element:
      type: string
  - name: anomalyData
    description: Anomaly detection data
    type: json
  - name: anomaly_type
    required: true
    description: Type of anomaly detected
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_activity
    description: Application-specific activity
    type: string
  - name: app_category
    description: Application category
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category (alternate field)
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: audit_category
    description: Audit category
    type: string
  - name: audit_type
    description: Audit type
    type: string
  - name: bin_timestamp
    description: Binned timestamp
    type: bigint
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: createdTime
    description: Creation time
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: displayName
    description: Display name
    type: string
  - name: distinguishedName
    description: Active Directory distinguished name
    type: string
  - name: division
    description: User division
    type: string
  - name: download_app
    description: Download application
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: employeeType
    description: Type of employee
    type: string
  - name: event_type
    description: Event type
    type: string
  - name: evt_src_chnl
    description: Event source channel
    type: string
  - name: file_category
    description: File category
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: from_user_category
    description: Category of the from user
    type: string
  - name: group
    description: Group name
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: instance_id
    description: Instance identifier
    type: string
  - name: last_app
    description: Last application used
    type: string
  - name: last_country
    description: Last country
    type: string
  - name: last_device
    description: Last device
    type: string
  - name: last_location
    description: Last location
    type: string
  - name: last_region
    description: Last region
    type: string
  - name: last_timestamp
    description: Last timestamp
    type: bigint
  - name: logintype
    description: Login type
    type: string
  - name: loginurl
    description: Login URL
    type: string
  - name: mail
    description: Email address
    type: string
    indicators:
      - email
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: manager
    description: Manager name
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: netskope_activity
    description: Netskope activity classification
    type: string
  - name: object
    description: Object name
    type: string
  - name: object_count
    description: Count of objects
    type: bigint
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: parent_id
    description: Parent event identifier
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_actions
    description: Actions defined by the policy
    type: array
    element:
      type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: policy_name
    description: Policy name (alternate field)
    type: string
  - name: profile_id
    description: Profile identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: request_id
    description: Request identifier
    type: bigint
  - name: request_type
    description: Type of request
    type: string
  - name: risk_level
    description: Risk level
    type: string
  - name: risk_level_id
    description: Risk level identifier
    type: bigint
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: scopes
    description: Permission scopes
    type: array
    element:
      type: string
  - name: score
    description: Anomaly score
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: shared_credential_user
    description: User with shared credentials
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: suppression_end_time
    description: Suppression end time
    type: bigint
  - name: suppression_start_time
    description: Suppression start time
    type: bigint
  - name: surhn
    description: SURHN field
    type: string
  - name: telemetry_app
    description: Telemetry application
    type: string
  - name: threshold
    description: Threshold value
    type: bigint
  - name: threshold_time
    description: Threshold time
    type: bigint
  - name: to_object
    description: Destination object
    type: string
  - name: to_user
    description: Recipient user
    type: string
    indicators:
      - username
      - email
  - name: to_user_category
    description: Category of the to user
    type: string
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: tss_fail_reason
    description: TSS failure reason
    type: string
  - name: tss_mode
    description: TSS mode
    type: string
  - name: tss_scan_failed
    description: Whether TSS scan failed
    type: string
  - name: two_factor_auth
    description: Two-factor authentication status
    type: string
  - name: type
    description: Event type
    type: string
  - name: uba_ap1
    description: UBA application 1
    type: string
  - name: uba_ap2
    description: UBA application 2
    type: string
  - name: uba_inst1
    description: UBA instance 1
    type: string
  - name: uba_inst2
    description: UBA instance 2
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: user_category
    description: User category
    type: string
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: user_name
    description: User name
    type: string
    indicators:
      - username
  - name: user_role
    description: User role
    type: string
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
  - name: web_universal_connector
    description: Web universal connector indicator
    type: string
  - name: windowId
    description: Window identifier (millisecond epoch timestamp)
    type: bigint
```

</details>
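
The `required`, `timeFormats: unix` and `indicators` attributes in the Netskope.Alert.UBA schema above decide whether an event classifies and which values become searchable indicators. The following added example (not Panther's or Netskope's code) checks a raw event against a subset of that schema before it is sent for ingestion. The function names, the sample events and the simplified indicator validation are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Subset of the Netskope.Alert.UBA schema, copied from the field list above:
# field name -> (type, required, indicators)
UBA_FIELDS = {
    "timestamp": ("timestamp", True, []),
    "alert_type": ("string", True, []),
    "anomaly_type": ("string", True, []),
    "user": ("string", True, ["username", "email"]),
    "from_user": ("string", False, ["username", "email"]),
    "srcip": ("string", False, ["ip"]),
    "dstip": ("string", False, ["ip"]),
    "userip": ("string", False, ["ip"]),
    "hostname": ("string", False, ["hostname"]),
    "md5": ("string", False, ["md5"]),
    "sha256": ("string", False, ["sha256"]),
    "file_size": ("bigint", False, []),
    "windowId": ("bigint", False, []),
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HEX_LEN = {"md5": 32, "sha256": 64}
HEX_CHARS = set("0123456789abcdefABCDEF")


def _indicator_ok(kind, value):
    """Assumed, simplified validation of one indicator value."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "email":
        return bool(EMAIL_RE.match(value))
    if kind in HEX_LEN:
        return len(value) == HEX_LEN[kind] and set(value) <= HEX_CHARS
    return True  # username, hostname: any non-empty string


def check_uba_event(event):
    """Return (errors, event_time, indicators) for one raw UBA event dict."""
    errors, indicators, event_time = [], {}, None
    for name, (ftype, required, kinds) in UBA_FIELDS.items():
        value = event.get(name)
        if value is None or value == "":
            if required:
                errors.append(f"missing required field: {name}")
            continue
        if ftype == "timestamp":
            # timeFormats: unix means seconds since the epoch
            try:
                event_time = datetime.fromtimestamp(float(value), tz=timezone.utc)
            except (TypeError, ValueError, OverflowError, OSError):
                errors.append(f"{name} is not a unix timestamp: {value!r}")
            continue
        if ftype == "bigint":
            if isinstance(value, bool) or not isinstance(value, int):
                errors.append(f"{name} must be an integer: {value!r}")
            continue
        if not isinstance(value, str):
            errors.append(f"{name} must be a string: {value!r}")
            continue
        for kind in kinds:
            if _indicator_ok(kind, value):
                indicators.setdefault(kind, set()).add(value)
    return errors, event_time, indicators


# Constructed sample events (all values are made up for this example).
SAMPLE_OK = {
    "timestamp": 1700000000,
    "alert_type": "uba",
    "anomaly_type": "constructed-example",
    "user": "alice@example.com",
    "srcip": "203.0.113.10",
    "userip": "not-an-ip",  # fails IP validation, so it is not an indicator
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "windowId": 1700000000000,
}
SAMPLE_BAD = {
    "timestamp": "yesterday",  # not a unix time
    "alert_type": "uba",       # anomaly_type is missing entirely
    "user": "bob",             # plain username, not an email
    "file_size": "12",         # bigint sent as a string
}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        errs, when, found = check_uba_event(sample)
        print(when, errs, found)
```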

### Netskope.Alert.Watchlist

Watchlist match alerts from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Alert.Watchlist schema</summary>

```yaml
schema: Netskope.Alert.Watchlist
description: Watchlist match alerts from Netskope with comprehensive DLP, malware, file, and network fields
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the alert
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: TSS-scan
    description: TSS scan indicator
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acked
    description: Whether the alert has been acknowledged
    type: string
  - name: act_user
    description: Acting user
    type: string
    indicators:
      - username
      - email
  - name: activity
    description: Activity type
    type: string
  - name: aggregated_user
    description: Aggregated user information
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_name
    description: The name of the alert
    type: string
  - name: alert_type
    required: true
    description: The type of alert (watchlist, used for classification)
    type: string
  - name: all_policy_matches
    description: All policies that matched
    type: array
    element:
      type: string
  - name: app
    description: Application name
    type: string
  - name: app_activity
    description: Application-specific activity
    type: string
  - name: app_name
    description: Application name (alternate field)
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: audit_category
    description: Audit category
    type: string
  - name: audit_type
    description: Audit type
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: client_bytes
    description: Bytes sent by client
    type: bigint
  - name: conn_duration
    description: Connection duration in seconds
    type: bigint
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: data_type
    description: Type of data
    type: string
  - name: detection_engine
    description: Detection engine that identified the threat
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dlp_fail_reason
    description: DLP failure reason
    type: string
  - name: dlp_file
    description: DLP file identifier
    type: string
  - name: dlp_incident_id
    description: DLP incident identifier
    type: bigint
  - name: dlp_is_unique_count
    description: Whether DLP unique count is calculated
    type: string
  - name: dlp_parent_id
    description: Parent DLP incident identifier
    type: bigint
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: dlp_rule
    description: DLP rule name
    type: string
  - name: dlp_rule_count
    description: Number of DLP rules matched
    type: bigint
  - name: dlp_rule_severity
    description: Severity of the DLP rule
    type: string
  - name: dlp_scan_failed
    description: Whether DLP scan failed
    type: string
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dsthost
    description: Destination hostname
    type: string
    indicators:
      - hostname
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: dstport
    description: Destination port
    type: bigint
  - name: enterprise
    description: Enterprise name
    type: string
  - name: enterprise_id
    description: Enterprise identifier
    type: string
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: external_collaborator_count
    description: Number of external collaborators
    type: bigint
  - name: file_category
    description: File category
    type: string
  - name: file_id
    description: File identifier
    type: string
  - name: file_lang
    description: File language
    type: string
  - name: file_name
    description: File name
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_object
    description: Source object
    type: string
  - name: from_storage
    description: Source storage
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: from_user_category
    description: Category of the from user
    type: string
  - name: fromlogs
    description: Source logs
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: incident_id
    description: Incident identifier
    type: bigint
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: internal_collaborator_count
    description: Number of internal collaborators
    type: bigint
  - name: justification_reason
    description: Justification reason
    type: string
  - name: justification_type
    description: Justification type
    type: string
  - name: local_md5
    description: Local MD5 hash
    type: string
    indicators:
      - md5
  - name: local_sha256
    description: Local SHA256 hash
    type: string
    indicators:
      - sha256
  - name: log_file_name
    description: Log file name
    type: string
  - name: malware_id
    description: Malware identifier
    type: string
  - name: malware_name
    description: Name of the malware
    type: string
  - name: malware_profile
    description: Malware profile name
    type: string
  - name: malware_severity
    description: Severity of the malware
    type: string
  - name: malware_type
    description: Type of malware
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: manager
    description: Manager name
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: ml_detection
    description: Machine learning detection indicator
    type: string
  - name: modified
    description: Modification timestamp
    type: bigint
  - name: netskope_activity
    description: Netskope activity classification
    type: string
  - name: network
    description: Network name
    type: string
  - name: notify_template
    description: Notification template
    type: string
  - name: nsdeviceuid
    description: Netskope device UID
    type: string
  - name: numbytes
    description: Number of bytes transferred
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_count
    description: Count of objects
    type: bigint
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: org
    description: Organization
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: owner
    description: Owner of the resource
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: parent_id
    description: Parent event identifier
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: req_cnt
    description: Request count
    type: bigint
  - name: request_id
    description: Request identifier
    type: bigint
  - name: resp_cnt
    description: Response count
    type: bigint
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: scan_type
    description: Type of scan
    type: string
  - name: scanner_result
    description: Result from scanner
    type: string
  - name: serial
    description: Serial number
    type: string
  - name: server_bytes
    description: Bytes sent by server
    type: bigint
  - name: severity
    description: Severity level
    type: string
  - name: severity_id
    description: Severity identifier
    type: bigint
  - name: sfwder
    description: Forwarder information
    type: string
  - name: shared_domains
    description: Domains the file was shared with
    type: string
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: suppression_end_time
    description: Suppression end time
    type: bigint
  - name: suppression_key
    description: Suppression key for deduplication
    type: string
  - name: suppression_start_time
    description: Suppression start time
    type: bigint
  - name: telemetry_app
    description: Telemetry application
    type: string
  - name: title
    description: Alert title
    type: string
  - name: to_object
    description: Destination object
    type: string
  - name: to_storage
    description: Destination storage
    type: string
  - name: to_user
    description: Recipient user
    type: string
    indicators:
      - username
      - email
  - name: to_user_category
    description: Category of the to user
    type: string
  - name: total_collaborator_count
    description: Total number of collaborators
    type: bigint
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: true_obj_category
    description: True object category
    type: string
  - name: true_obj_type
    description: True object type
    type: string
  - name: true_type_id
    description: True type identifier
    type: bigint
  - name: tss_fail_reason
    description: TSS failure reason
    type: string
  - name: tss_mode
    description: TSS mode
    type: string
  - name: tss_scan_failed
    description: Whether TSS scan failed
    type: string
  - name: two_factor_auth
    description: Two-factor authentication status
    type: string
  - name: type
    description: Event type
    type: string
  - name: universal_connector
    description: Universal connector indicator
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the alert
    type: string
  - name: user
    required: true
    description: The user associated with the alert
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: user_category
    description: User category
    type: string
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
  - name: web_universal_connector
    description: Web universal connector indicator
    type: string
  - name: web_url
    description: Web URL
    type: string
  - name: workspace
    description: Workspace name
    type: string
  - name: workspace_id
    required: true
    description: Workspace identifier
    type: string
```

</details>

### Netskope.Application

User application activity events from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Application schema</summary>

```yaml
schema: Netskope.Application
description: User application activity events from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the event
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: CononicalName
    description: Canonical name
    type: string
  - name: _id
    required: true
    description: Unique identifier for the event
    type: string
  - name: app-cci-apphosting-provider
    description: Application hosting provider CCI (not officially supported)
    type: string
  - name: custom_attr
    description: Custom attributes object (not officially supported)
    type: json
  - name: dlp_fail_reason
    description: DLP scan failure reason (not officially supported)
    type: string
  - name: dlp_scan_failed
    description: Whether DLP scan failed (not officially supported)
    type: string
  - name: dom
    description: Domain information (not officially supported)
    type: string
  - name: justification_reason
    description: Justification reason (not officially supported)
    type: string
  - name: justification_type
    description: Justification type (not officially supported)
    type: string
  - name: legal_hold_profile_name
    description: Legal hold profile name (not officially supported)
    type: string
  - name: lh_custodian_email
    description: Legal hold custodian email (not officially supported)
    type: string
    indicators:
      - email
  - name: lh_custodian_name
    description: Legal hold custodian name (not officially supported)
    type: string
  - name: lh_dest_app
    description: Legal hold destination app (not officially supported)
    type: string
  - name: lh_dest_instance
    description: Legal hold destination instance (not officially supported)
    type: string
  - name: lh_fileid
    description: Legal hold file ID (not officially supported)
    type: string
  - name: lh_filename
    description: Legal hold filename (not officially supported)
    type: string
  - name: lh_filepath
    description: Legal hold file path (not officially supported)
    type: string
  - name: lh_original_filename
    description: Legal hold original filename (not officially supported)
    type: string
  - name: lh_shared
    description: Legal hold shared status (not officially supported)
    type: string
  - name: lh_shared_with
    description: Legal hold shared with (not officially supported)
    type: string
  - name: lh_version
    description: Legal hold version (not officially supported)
    type: string
  - name: ns_activity
    description: Netskope activity (not officially supported)
    type: string
  - name: oauth
    description: OAuth information (not officially supported)
    type: string
  - name: os_family
    description: Operating system family (not officially supported)
    type: string
  - name: q_shared_with
    description: Quarantine shared with (not officially supported)
    type: string
  - name: record_type
    description: Record type (typically 'event') (not officially supported)
    type: string
  - name: retro_scan_name
    description: Retrospective scan name (not officially supported)
    type: string
  - name: tss_fail_reason
    description: TSS scan failure reason (not officially supported)
    type: string
  - name: tss_scan_failed
    description: Whether TSS scan failed (not officially supported)
    type: string
  - name: user_confidence_index
    description: User confidence index score (not officially supported)
    type: bigint
  - name: user_confidence_level
    description: User confidence level (not officially supported)
    type: string
  - name: zip_password
    description: ZIP file password (not officially supported)
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: action
    description: Action performed
    type: string
  - name: activity
    description: Activity type
    type: string
  - name: alert
    description: Alert indicator (yes/no)
    type: string
  - name: alert_type
    description: Type of alert if present
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_activity
    description: Application-specific activity
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: appcategory
    description: Application category
    type: string
  - name: appsuite
    description: Application suite
    type: string
  - name: audit_category
    description: Audit category
    type: string
  - name: audit_type
    description: Audit type
    type: string
  - name: browser
    description: Browser name
    type: string
  - name: browser_session_id
    description: Browser session identifier
    type: bigint
  - name: browser_version
    description: Browser version
    type: string
  - name: category
    description: Category
    type: string
  - name: cci
    description: Cloud Confidence Index
    type: bigint
  - name: ccl
    description: Cloud Confidence Level
    type: string
  - name: channel_id
    description: Channel identifier
    type: string
  - name: client_bytes
    description: Bytes sent by client
    type: bigint
  - name: conn_duration
    description: Connection duration in seconds
    type: bigint
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: count
    description: Count of events
    type: bigint
  - name: custom_connector
    description: Custom connector name
    type: string
  - name: data_center
    description: Data center location
    type: string
  - name: data_type
    description: Type of data
    type: string
  - name: device
    description: Device identifier
    type: string
  - name: device_classification
    description: Device classification
    type: string
  - name: dlp_file
    description: DLP file identifier
    type: string
  - name: dlp_incident_id
    description: DLP incident identifier
    type: bigint
  - name: dlp_is_unique_count
    description: Whether DLP unique count is calculated
    type: string
  - name: dlp_mail_parent_id
    description: Parent mail ID for DLP
    type: string
  - name: dlp_parent_id
    description: Parent DLP incident identifier
    type: bigint
  - name: dlp_profile
    description: DLP profile name
    type: string
  - name: dlp_rule
    description: DLP rule name
    type: string
  - name: dlp_rule_count
    description: Number of DLP rules matched
    type: bigint
  - name: dlp_rule_severity
    description: Severity of the DLP rule
    type: string
  - name: dlp_unique_count
    description: Unique count of DLP matches
    type: bigint
  - name: dst_country
    description: Destination country
    type: string
  - name: dst_geoip_src
    description: Destination GeoIP source
    type: bigint
  - name: dst_latitude
    description: Destination latitude
    type: float
  - name: dst_location
    description: Destination location
    type: string
  - name: dst_longitude
    description: Destination longitude
    type: float
  - name: dst_region
    description: Destination region
    type: string
  - name: dst_timezone
    description: Destination timezone
    type: string
  - name: dst_zipcode
    description: Destination ZIP code
    type: string
  - name: dsthost
    description: Destination hostname
    type: string
    indicators:
      - hostname
  - name: dstip
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: dstport
    description: Destination port
    type: bigint
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: file_lang
    description: File language
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: from_user_category
    description: Category of the from user
    type: string
  - name: fromlogs
    description: Source logs
    type: string
  - name: hostname
    description: Hostname
    type: string
    indicators:
      - hostname
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: internal_collaborator_count
    description: Number of internal collaborators
    type: bigint
  - name: ja3
    description: JA3 fingerprint
    type: string
  - name: ja3s
    description: JA3S fingerprint
    type: string
  - name: log_file_name
    description: Log file name
    type: string
  - name: logintype
    description: Login type
    type: string
  - name: loginurl
    description: Login URL
    type: string
  - name: managed_app
    description: Managed application indicator
    type: string
  - name: managementID
    description: Management identifier
    type: string
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: mime_type
    description: MIME type of the file
    type: string
  - name: modified
    description: Modification timestamp
    type: bigint
  - name: netskope_activity
    description: Netskope activity classification
    type: string
  - name: netskope_pop
    description: Netskope point of presence
    type: string
  - name: notify_template
    description: Notification template
    type: string
  - name: nsdeviceuid
    description: Netskope device UID
    type: string
  - name: numbytes
    description: Number of bytes transferred
    type: bigint
  - name: object
    description: Object name
    type: string
  - name: object_id
    description: Object identifier
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: org
    description: Organization
    type: string
  - name: organization_unit
    description: Organization unit
    type: string
  - name: orignal_file_path
    description: "Original file path (note: typo in API)"
    type: string
  - name: os
    description: Operating system
    type: string
  - name: os_version
    description: OS version
    type: string
  - name: other_categories
    description: Other categories
    type: array
    element:
      type: string
  - name: outer_doc_type
    description: Outer document type
    type: bigint
  - name: owner
    description: Owner of the resource
    type: string
  - name: page
    description: Page URL
    type: string
  - name: page_site
    description: Page site
    type: string
  - name: parent_id
    description: Parent event identifier
    type: string
  - name: policy
    description: Policy name
    type: string
  - name: policy_id
    description: Policy identifier
    type: string
  - name: protocol
    description: Network protocol
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: req_cnt
    description: Request count
    type: bigint
  - name: request_id
    description: Request identifier
    type: bigint
  - name: resp_cnt
    description: Response count
    type: bigint
  - name: sAMAccountName
    description: Active Directory sAMAccountName
    type: string
  - name: sanctioned_instance
    description: Sanctioned instance indicator
    type: string
  - name: scan_type
    description: Type of scan
    type: string
  - name: serial
    description: Serial number
    type: string
  - name: server_bytes
    description: Bytes sent by server
    type: bigint
  - name: sessionid
    description: Session identifier
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: sfwder
    description: Forwarder information
    type: string
  - name: sha256
    description: SHA256 hash of the file
    type: string
    indicators:
      - sha256
  - name: shared_with
    description: Users/groups the file was shared with
    type: string
  - name: site
    description: Site name
    type: string
  - name: smtp_to
    description: SMTP recipients
    type: array
    element:
      type: string
  - name: src_country
    description: Source country
    type: string
  - name: src_geoip_src
    description: Source GeoIP source
    type: bigint
  - name: src_latitude
    description: Source latitude
    type: float
  - name: src_location
    description: Source location
    type: string
  - name: src_longitude
    description: Source longitude
    type: float
  - name: src_region
    description: Source region
    type: string
  - name: src_time
    description: Source time
    type: string
  - name: src_timezone
    description: Source timezone
    type: string
  - name: src_zipcode
    description: Source ZIP code
    type: string
  - name: srcip
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: suppression_end_time
    description: Suppression end time
    type: bigint
  - name: suppression_key
    description: Suppression key for deduplication
    type: string
  - name: suppression_start_time
    description: Suppression start time
    type: bigint
  - name: telemetry_app
    description: Telemetry application
    type: string
  - name: title
    description: Event title
    type: string
  - name: to_user
    description: Recipient user
    type: string
    indicators:
      - username
      - email
  - name: total_collaborator_count
    description: Total number of collaborators
    type: bigint
  - name: traffic_type
    description: Type of traffic
    type: string
  - name: transaction_id
    description: Transaction identifier
    type: bigint
  - name: true_obj_category
    description: True object category
    type: string
  - name: true_obj_type
    description: True object type
    type: string
  - name: tss_mode
    description: TSS mode
    type: string
  - name: type
    description: Event type
    type: string
  - name: universal_connector
    description: Universal connector indicator
    type: string
  - name: ur_normalized
    description: Normalized user identifier
    type: string
  - name: url
    description: URL associated with the event
    type: string
  - name: user
    required: true
    description: The user associated with the event
    type: string
    indicators:
      - username
      - email
  - name: userPrincipalName
    description: Active Directory userPrincipalName
    type: string
    indicators:
      - username
  - name: user_category
    description: User category
    type: string
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: useragent
    description: User agent string
    type: string
  - name: userip
    description: User IP address
    type: string
    indicators:
      - ip
  - name: userkey
    description: Unique user key
    type: string
  - name: web_universal_connector
    description: Web universal connector indicator
    type: string
  - name: workspace
    description: Workspace name
    type: string
  - name: workspace_id
    description: Workspace identifier
    type: string
```

</details>

### Netskope.Audit

Audit logs from the Netskope Audit API. For more information, see [Netskope's documentation](https://docs.netskope.com/en/logging.html).

<details>

<summary>Netskope.Audit schema</summary>

```yaml
schema: Netskope.Audit
description: Audit logs from the Netskope Audit API
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the audit log.
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: type
    required: true
    description: The type of the audit log.
    type: string
  - name: user
    required: true
    description: The user associated with the audit log.
    type: string
    indicators:
      - email
      - username
  - name: is_netskope_personnel
    description: Indicates whether the user is Netskope personnel.
    type: boolean
  - name: severity_level
    description: The severity level of the audit log.
    type: int
  - name: audit_log_event
    required: true
    description: The event description of the audit log.
    type: string
  - name: supporting_data
    required: true
    description: Supporting data associated with the audit log.
    type: json
  - name: organization_unit
    description: The organization unit associated with the audit log.
    type: string
  - name: ur_normalized
    description: The normalized user identifier.
    type: string
  - name: count
    description: The count of the audit log.
    type: int
  - name: _insertion_epoch_timestamp
    description: The timestamp of the log insertion.
    type: int
  - name: _id
    required: true
    description: The ID of the audit log.
    type: string
  - name: record_type
    description: Record type (typically 'audit') (not officially supported)
    type: string
  - name: details
    description: The audit log details.
    type: json
  - name: ccl
    description: The Cloud confidence level of the audit log.
    type: string
  - name: sAMAccountName
    description: Active Directory sAMAccountName for the audit log.
    type: string
  - name: userPrincipalName
    description: Active Directory userPrincipalName for the audit log.
    type: string
```

</details>

### Netskope.Incident

DLP incidents with forensic detail from Netskope. For more information, see [Netskope's documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207.html).

<details>

<summary>Netskope.Incident schema</summary>

```yaml
schema: Netskope.Incident
description: DLP incidents with forensic detail from Netskope
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
  - name: timestamp
    required: true
    description: The timestamp of the incident
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: _id
    required: true
    description: Unique identifier for the incident (used for classification)
    type: string
  - name: created
    description: Creation timestamp (not officially supported)
    type: bigint
  - name: destination_site
    description: Destination site (not officially supported)
    type: string
  - name: device
    description: Device identifier (not officially supported)
    type: string
  - name: endpoint_policy_match
    description: Endpoint policy matches (not officially supported)
    type: array
    element:
      type: string
  - name: ext_labels
    description: External labels array (not officially supported)
    type: json
  - name: justification
    description: Justification text (not officially supported)
    type: string
  - name: modified
    description: Modification timestamp (not officially supported)
    type: bigint
  - name: object_id
    description: Object identifier (not officially supported)
    type: string
  - name: record_type
    description: Record type (typically 'incident') (not officially supported)
    type: string
  - name: shared_with
    description: Users/groups shared with (not officially supported)
    type: string
  - name: usb_device
    description: USB device identifier (not officially supported)
    type: string
  - name: access_method
    description: Method of access
    type: string
  - name: acting_user
    description: User performing the action
    type: string
    indicators:
      - username
      - email
  - name: activity
    description: Activity type
    type: string
  - name: app
    description: Application name
    type: string
  - name: app_session_id
    description: Application session identifier
    type: bigint
  - name: assignee
    description: Person assigned to the incident
    type: string
  - name: bcc
    description: BCC recipients
    type: string
  - name: cc
    description: CC recipients
    type: string
  - name: channel
    description: Communication channel
    type: string
  - name: classification
    description: Incident classification (e.g., fingerprint, ML-based)
    type: string
  - name: connection_id
    description: Connection identifier
    type: bigint
  - name: destination_app
    description: Destination application
    type: string
  - name: destination_instance_id
    description: Destination instance identifier
    type: string
  - name: dlp_file
    description: DLP file identifier
    type: string
  - name: dlp_incident_id
    description: DLP incident identifier
    type: bigint
  - name: dlp_match_info
    description: Detailed DLP match information
    type: array
    element:
      type: object
      fields:
        - name: dlp_action
          description: DLP action taken
          type: string
        - name: dlp_forensic_id
          description: Forensic identifier
          type: bigint
        - name: dlp_policy
          description: DLP policy name
          type: string
        - name: dlp_policy_hash
          description: Policy hash
          type: string
        - name: dlp_profile_name
          description: DLP profile name
          type: string
        - name: dlp_scan_type
          description: Type of DLP scan
          type: string
        - name: action_threshold_met
          description: Whether action threshold was met
          type: boolean
        - name: dlp_rules
          description: DLP rules that matched
          type: array
          element:
            type: object
            fields:
              - name: dlp_incident_rule_count
                description: Number of rule incidents
                type: bigint
              - name: dlp_match_type
                description: Type of match
                type: string
              - name: dlp_rule_name
                description: Rule name
                type: string
              - name: dlp_rule_severity
                description: Rule severity
                type: string
  - name: dlp_parent_id
    description: Parent DLP incident identifier
    type: bigint
  - name: dst_location
    description: Destination location
    type: string
  - name: exposure
    description: Exposure level of the data
    type: string
  - name: file_lang
    description: File language
    type: string
  - name: file_path
    description: File path
    type: string
  - name: file_size
    description: File size in bytes
    type: bigint
  - name: file_type
    description: File type
    type: string
  - name: from_user
    description: User who sent/shared
    type: string
    indicators:
      - username
      - email
  - name: inline_dlp_match_info
    description: Inline DLP match information
    type: array
    element:
      type: object
      fields:
        - name: dlp_action
          description: DLP action taken
          type: string
        - name: dlp_forensic_id
          description: Forensic identifier
          type: bigint
        - name: dlp_policy
          description: DLP policy name
          type: string
        - name: dlp_policy_hash
          description: Policy hash
          type: string
        - name: dlp_profile_name
          description: DLP profile name
          type: string
        - name: dlp_scan_type
          description: Type of DLP scan
          type: string
        - name: action_threshold_met
          description: Whether action threshold was met
          type: boolean
        - name: dlp_rules
          description: DLP rules that matched
          type: array
          element:
            type: object
            fields:
              - name: dlp_incident_rule_count
                description: Number of rule incidents
                type: bigint
              - name: dlp_match_type
                description: Type of match
                type: string
              - name: dlp_rule_name
                description: Rule name
                type: string
              - name: dlp_rule_severity
                description: Rule severity
                type: string
  - name: instance
    description: Instance name
    type: string
  - name: instance_id
    description: Instance identifier
    type: string
  - name: latest_incident_id
    description: Latest incident identifier
    type: bigint
  - name: md5
    description: MD5 hash of the file
    type: string
    indicators:
      - md5
  - name: object
    description: Object name
    type: string
  - name: object_type
    description: Type of object
    type: string
  - name: original_file_snapshot_id
    description: Original file snapshot identifier
    type: string
  - name: owner
    description: Owner of the resource
    type: string
  - name: owner_pdl
    description: Owner PDL (public distribution list)
    type: string
  - name: referer
    description: HTTP referer
    type: string
  - name: severity
    description: Severity level
    type: string
  - name: site
    description: Site name
    type: string
  - name: src_location
    description: Source location
    type: string
  - name: status
    required: true
    description: Incident status
    type: string
  - name: title
    description: Incident title
    type: string
  - name: to_user
    description: Recipient user
    type: string
    indicators:
      - username
      - email
  - name: true_obj_category
    description: True object category
    type: string
  - name: true_obj_type
    description: True object type
    type: string
  - name: url
    description: URL associated with the incident
    type: string
  - name: user
    required: true
    description: The user associated with the incident
    type: string
    indicators:
      - username
      - email
  - name: user_id
    description: User identifier
    type: string
    indicators:
      - username
  - name: zip_file_id
    description: ZIP file identifier
    type: string
```

</details>


