Updated on January 29, 2024

Endpoint Events

About Endpoint Events

With Endpoint Data Loss Protection (DLP), Netskope monitors your users and USB storage devices for policy violations. You can view all user and device activities that haven’t violated a policy in Skope IT > Endpoint Events.

When events violate your Device or Content Control policies, Netskope generates an alert for the event, which you can view in Skope IT Alerts (Skope IT > Alerts). Events that violate your Content Control policies also trigger a DLP incident (Incidents > DLP).

Viewing Device Events

To view events triggered by Device Control policies in your organization, go to Skope IT > Endpoint Events > Device.

You can select from a wide range of filter options. Your most recent filter selection will be displayed when you revisit the page.

On the Device Events page, you can:

  1. Refresh the device results.
  2. Filter device events by a specific time frame. You can use a predefined time frame or choose Date Range to use the calendar and time menus to customize your own.
  3. Search and filter the device events by user. Click + Add Filter to add other filters to narrow your search results. You also can click The Save Filter icon. to save the filter combination for future searches.
  4. View a list of device events. For each event, you can see the following information:
    • Time (Default)
    • Activity (Default)
    • USB Device Name (Default)
    • User (Default)
    • Computer Name (Default)
    • Event Type
    • Offline Event
    • USB Device ID
    • USB Device SN
    • USB Device Type
    • Model
    • Manufacturer
    • OS User Name
    • OS
    • OS Details
    • Policy Name
    • Policy Name Enforced
    • Policy Version
    • Policy Action
    • Policy Action Enforced
  5. Click The Preview icon. to view more information on the device event. Following are some helpful fields for investigating the event:
    • Manufacturer: The manufacturer of the USB device, as stored on the device. This may be a text name or the USB-IF-issued vendor ID.
    • Device ID: The instance ID for the device.
    • Device SN: The serial number of the device.
    • Device Type: The device class.
    • Model: The model of the USB device. This may be a text name or a numeric product ID.
    • Device: The name of the device.
    Endpoint Device Event Details window in Skope IT
  6. Sort the table by the time the device events occurred.
  7. Export all device events (up to 500,000 rows) to a CSV file.
  8. Click The Settings icon. to customize table columns or restore the default ones.
  9. View up to 100 device events per page.
  10. View multiple pages of the table.
The Device tab in Endpoint Events.

Viewing Content Events

To view events triggered by Content Control policies in your organization, go to Skope IT > Endpoint Events > Content.

On the Content Events page, you can:

  1. Refresh the content results.
  2. Filter content events by a specific time frame. You can use a predefined time frame or choose Date Range to use the calendar and time menus to customize your own.
  3. Search and filter the content events by user. Click + Add Filter to add other filters to narrow your search results. You also can click The Save Filter icon. to save the filter combination for future searches.
  4. View a list of content events. For each event, you can see the following information:
    • Time (Default)
    • File Name (Default)
    • Activity (Default)
    • USB Device Name (Default)
    • User (Default)
    • Computer Name (Default)
    • File Directory
    • File Path
    • Executable Hash
    • Executable Signed
    • File MD5
    • File SHA256
    • File Origin
    • File Size
    • File Type
    • Event Type
    • Offline Event
    • USB Device ID
    • USB Device SN
    • USB Device Type
    • Model
    • Manufacturer
    • OS User Name
    • DLP Profile Name
    • DLP Rule
    • OS
    • OS Details
    • PID
    • Process Cert Subject
    • Process Name
    • Process Path
    • Policy Name
    • Policy Name Enforced
    • Policy Version
    • Policy Action
    • Policy Action Enforced
  5. Click The Preview icon. to view more information on the content event. Following are some helpful fields for investigating the event:
    • File Type: The type of file.
    • Size (Bytes): The file size in bytes.
    • File Directory: The directory where the file is stored.
    • File Name: The name of the file.
    • File Path: The full file path.
    • Process ID: The process ID for the process that performs the file operation.
    • Process Name: The name of the process that performs the file operation.
    • Process Path: The full path of the executable for the process that performs the file operation.
    • MD5: The MD5 hash of the file. You can use this hash value to filter Skope IT events and view other activity associated with the file.
    • SHA256: The SHA-256 hash of the file. You can use this hash value to filter Skope IT events and view other activity associated with the file.
    The Endpoint Content Event Details window in Skope IT.
  6. Sort the table by the time the content events occurred.
  7. Export all content events (up to 500,000 rows) to a CSV file.
  8. Click The Settings icon. to customize table columns or restore the default ones.
  9. View up to 100 content events per page.
  10. View multiple pages of the table.
The Content tab in Endpoint Events.
Share this Doc

Endpoint Events

Or copy link

In this topic ...