Advanced Analytics Incidents Event Fields
The following table lists the Netskope Advanced Analytics Incidents event field names. This list is dynamic and may not contain each available field.
AA Incident Name | Description | Category | Field Group |
---|---|---|---|
Assignee | Assignee name | Dimension | DLP |
Assignee Last Update | Timestamp of when the assignee was last updated | Dimension | DLP |
Attachment | Name of the attachment being sent through mail | Dimension | File |
BCC | Field to search events based on users in the bcc field | Dimension | General |
CC | Field to search events based on users in the cc field | Dimension | General |
DLP Action | Search events based on a specific DLP profile action | Dimension | DLP |
DLP Fingerprint Classification | Search events for the DLP fingerprint classification within the profile that matches the content | Dimension | File |
DLP Fingerprint Match | Search events for the DLP fingerprint file within the profile that matches the content | Dimension | File |
DLP Fingerprint Score | Search events for the DLP fingerprint score within the profile that matches the content | Dimension | File |
DLP Incident Status | Status of the DLP incident (e.g. New, In Progress, Closed) | Dimension | DLP |
DLP Incident Status Last Update | DLP incident status last updated timestamp | Dimension | DLP |
DLP Severity Status | Status of DLP incident severity | Dimension | DLP |
DLP Severity Status Last Update | DLP incident severity last updated timestamp | Dimension | DLP |
Email Subject | Search events based on the email subject | Dimension | General |
Incident ID | Incident Unique Identifier | Dimension | General |
Incident Type | Type of incident: DLP, UEBA, Compromised Credentials, Malware, or Malsite | Dimension | General |
Malsite Destination Country | Destination country of the malicious site | Dimension | Malsite |
Malsite Destination Region | Destination region of the malicious site | Dimension | Malsite |
Malsite First Seen | Malsite first seen date | Dimension | Malsite |
Malsite Last Seen | Malsite last seen date | Dimension | Malsite |
Transaction ID | Type of log message | Dimension | General |
Tip
To see specific alerts associated with each incident, use the ‘Merged Query’ feature and merge with the alerts table using the ‘Incident ID’ or ‘DLP Incident ID’ (DLP alerts only) fields.
Enriched Fields
The data fields below are enriched from the data in the Alerts data collection. Use these enriched fields together with the ‘Merged Query’ feature to view targeted details of your DLP incident.
- Access Method
- Activity
- Application
- Application Activity
- Attachment
- Browser
- CCL
- Connection ID
- Destination Country
- Destination IP
- Destination Location
- Destination Region
- Destination Timezone
- Destination Zipcode
- Device Classification
- Device Type
- DLP File Name
- DLP Fingerprint Classification
- DLP Fingerprint Match
- DLP Fingerprint Score
- DLP Incident ID
- DLP is Unique Count
- DLP Parent ID
- DLP Profile
- DLP Rule
- DLP Rule Count
- DLP Rule Severity
- Event Timestamp
- Exposure
- External Collaborator Count
- File ID
- File Language
- File Owner
- File Path
- File Size
- File Type
- From User
- Hostname
- Instance ID
- Internal Collaborator Count
- MD5
- MIME Type
- Object
- Object ID
- Object Type
- Original File Path
- OS
- OS Version
- Referrer
- Request ID
- Session ID
- Shared With
- Shared With Domains
- Site
- Source Country
- Source IP
- Source Location
- Source Region
- Source Zipcode
- Telemetry App
- To User
- Total Collaborator Count
- Transaction ID
- URL
- User
- User IP