Netskope Help

Alerts

To view SkopeIT™ Alerts monitored by the Netskope analytics engine, go to SkopeIT > Events > Alerts.

The default Alerts page table information includes:

  • Time: The day and hour the alert occurred.

  • Name: The policy that triggered the alert.

  • Type: What triggered the alert, like policy, DLP, malware, anomaly, etc.

  • Action: Type of remediation taken, like alert, block, and detection.

  • Activity: What the user was doing when the violation occurred.

  • Username: Email address of the user who caused the violation.

  • Application: App used when the violation occurred.

  • Site: Site where the violation occurred.

  • Object: Actual file name, folder name, etc., that caused the alert. For example, a download activity shows an object value of CreditReportAAA111.pdf. Corresponds with the following column.

  • Object Type: Files, folders, messages (chat message), email, etc. The variable will change based on the type of activity. Corresponds to the objects in the previous column.

  • Account Name: Name of the account.

This Alerts page has these components:

  • Alerts table: Displays specified alerts information. To change the information displayed, use the Customize Columns dialog box. Use the Sort By list in the table header row to arrange the listings in the table. Time is when the alert occurred in the cloud platform.

  • Refresh Page button: To update the page with the most current information, click the Refresh icon next to the page title.

  • Customize Columns dialog box: To customize the columns shown for each alert, click the gear icon located at the far right of the table column header row, and then select the columns you want to see. For more details, refer to Customize Columns below.

  • Date Range list: In the top right corner of the page is a date range filter. Click the toggle and select a date range.

  • Application search filter: This search field helps you find applications and then filter results. Enter a name and then select from the list.

  • Acknowledge setting: To remove an alert from this page, enable the check boxes beside one or more alerts, click Acknowledge, and then choose Acknowledge Selected or Acknowledge All.

    Note

    If you have a query or filter, selecting the Acknowledge All option acknowledges all the alerts from the current query or filter.

  • Add Filter lists: To create a filter, click + Add Filter, select what to include in the search, and then click Apply.


    Tip

    You can choose multiple items for some options. Options that show a search icon let you search within them.

  • Save Filter button: After adding a filter, you can save it for future searches by clicking Save Filter.

  • Add to Watchlist button: To add filter values or query strings to a watchlist, click Add to Watchlist.

  • Query Mode button: Optionally, switch to query mode and enter a query in the search field. For example, to specify which app to search for, the instance ID (domain), and the user's email address, enter the following query.

    app eq 'Google Drive' and instance_id eq '<yourcompany.com>' and user eq '<user@yourcompany.com>'

    You can pin the query by clicking the pin icon to keep the query across the Application Events, Page Events, and Alerts pages.

    To change back to the filter view, click Filter Mode.

  • Export button: Click Export to get the entire list of application events. First select the columns to export (those displayed, or specify which columns), and the number of rows, then click Export again. Your column and row selections are retained for future exports.

    You will be sent an email with a link that allows you to download the list in CSV format.

  • Alert Details panel: Click the magnifying glass icon beside any listing to view more details about the alert. The default view shows the alerts for the last 7 days unless you change the date range setting.

  • Rows per page list: At the bottom right corner of the page, the Rows per page list allows you to display 10, 20, 30, 50, or 100 rows per page.
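As an added example (not part of the Netskope documentation), the following Python script parses an Alerts CSV export whose headers match the default table columns listed above, counts alerts by Type and Action, and builds a query-mode string in the form shown under Query Mode for a user who needs follow-up. The header names, sample rows, and the rejection of values containing a single quote are assumptions; check the header of a real export before using it.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Header names are assumed to match the default
# Alerts table columns on this page; a real export may differ.
SAMPLE_EXPORT = """\
Time,Name,Type,Action,Activity,Username,Application,Site,Object,Object Type,Account Name
2024-05-01 09:12,Block PII uploads,dlp,block,Upload,alice@example.com,Google Drive,drive.google.com,CreditReportAAA111.pdf,File,corp-drive
2024-05-01 09:30,Malware download,malware,alert,Download,bob@example.com,Box,box.com,invoice.exe,File,corp-box
2024-05-01 10:02,Block PII uploads,dlp,alert,Upload,alice@example.com,Google Drive,drive.google.com,notes.txt,File,corp-drive
2024-05-01 10:45,Unusual location,anomaly,alert,Login,carol@example.com,Salesforce,salesforce.com,,,corp-sf
"""


def parse_alerts(csv_text):
    """Parse an export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize(alerts):
    """Count alerts per (Type, Action) and list users whose DLP activity was
    actually blocked, as opposed to only alerted on."""
    by_type_action = Counter((a["Type"], a["Action"]) for a in alerts)
    blocked_users = sorted({a["Username"] for a in alerts
                            if a["Type"] == "dlp" and a["Action"] == "block"})
    return by_type_action, blocked_users


def build_query(app=None, instance_id=None, user=None):
    """Build a query string in the form shown on this page: field eq 'value'
    clauses joined with 'and'. Only the three fields from the page's example
    are supported. Values containing a single quote are rejected rather than
    escaped, because the escaping rule is not documented here (assumption)."""
    clauses = []
    for field, value in (("app", app), ("instance_id", instance_id),
                         ("user", user)):
        if value is None:
            continue
        if "'" in value:
            raise ValueError(f"unsupported quote in {field} value")
        clauses.append(f"{field} eq '{value}'")
    if not clauses:
        raise ValueError("at least one field is required")
    return " and ".join(clauses)


if __name__ == "__main__":
    counts, blocked = summarize(parse_alerts(SAMPLE_EXPORT))
    for (kind, action), n in sorted(counts.items()):
        print(f"{kind:<8} {action:<6} {n}")
    for u in blocked:
        print("follow-up query:", build_query(app="Google Drive", user=u))
```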

Customize Columns

Use the Customize Columns dialog box to specify the information you want to see.

  • Alert: Includes Name, Type, Action, Activity, and Acknowledged information.

  • Rule: Includes Policy Name, DLP Profile Name, DLP Rule Name, SA Profile Name, SA Rule Name, and SA Rule Severity information.

  • User: Includes Username, IP Address, Host Name, OS, Device Type, Device Classification, User Group, and OU information.

  • Application: Includes Application, Category, Site, CCL, Instance ID, URL, Account Name, and Region information.

  • Object: Includes Object, Object Type, and Resource Category information.

  • General: Includes Traffic Type, Access Method, Managed Application, and Browser information.

  • Source: Includes Source IP Address, Source Location, Source Region, Source Zip Code, and Source Country information.

  • Destination: Includes Destination IP Address, Destination Port, Destination Location, Destination Region, and Destination Country information.

Click Restore Defaults to restore column-related default settings.