Custom Report Queries
Custom Report Queries
You are viewing classic reports documentation. When Reports (New Experience) is no longer in BETA, the classic reports documentation will be replaced with “Reports” documentation, aka Reports (New Experience).
These are the custom query options for reports as of the Sprint 61 release. Currently, custom reports do not support all the queries that Skope IT supports. Use these query fields to generate reports of Skope IT events.
Note
In prior versions, Event type Page used to be listed as Connection.
| Event Type | Summarizable Query Field | Description |
|---|---|---|
| Alert | app-cci-contacts-data | Search events for apps with ‘Does this application access contacts, calendar data and messages?’ |
| Alert | app-cci-data-per-tenant | Search events for apps with ‘Data segregated by tenant’ |
| Alert | total_collaborator_count | Number of Total Collaborators |
| Alert | dlp_profile | Search events for a specific dlp profile applied to the content (e.g., dlp_profile = dlp-pci) |
| Alert | count | Search for activities with event count greater than 1 to search for events that are suppressed (e.g count gt 1) |
| Alert | dst_latitude | Search events for a specific destination latitude (e.g. dst_latitude > 0) |
| Alert | timestamp | the time the event is generated |
| Alert | src_region | Search events from a specific source state or region (e.g. src_region eq CA) |
| Alert | traffic_type | Search for specific traffic type |
| Alert | app-cci-sso | Search events for apps with ‘SSO/AD hooks’ |
| Alert | instance_id | Search events based on the instance of the app (e.g. for Salesforce, instance_id = production) |
| Alert | activity | Search for events or alerts for a specific user activity (e.g. activity eq Create) |
| Alert | malware_type | This variable holds value for malware type. |
| Alert | app-cci-encrypt-tenant-managed-key | Search events for apps with ‘Does the app allow customer-managed encryption keys?’ |
| Alert | malsite_id | This variable holds hash of malsite url. |
| Alert | app-cci-is-weak-cipher | Search events for apps with ‘Does the app increase the risk of data exposure by supporting weak cipher suites?’ |
| Alert | category | Search events for category (e.g. category = ‘Cloud Storage’) |
| Alert | app-cci-compliance-cert | Search events for apps with ‘What compliance certifications does the app have?’ |
| Alert | app-cci-file-sharing | Search events for apps with ‘Does the app enable file sharing? Â ‘ |
| Alert | app-cci-spf | Search events for apps with ‘Does the app vendor use a Sender Policy Framework to protect customers from spam and phishing emails?’ |
| Alert | app-cci-erase-cust-data | Search events for apps with ‘Is all customer data erased upon cancellation of service? If so, when?’ |
| Alert | app-cci-cc-signup | Search events for apps with ‘Does the app allow signup without a credit card?’ |
| Alert | app_session_id | Search for events with specific application session id (e.g app_session_id eq <app-session-id-number>) |
| Alert | app-gdpr-level | GDPR Readiness level of an application |
| Alert | app-cci-system-operations | Search events for apps with ‘Does this application perform system operations?’ |
| Alert | app-cci-device-based-access | Search events for apps with ‘Does the app support the following device types?’ |
| Alert | app-cci-app-tag | Search events for apps with ‘App Type’ |
| Alert | app-cci-action-based-auth | Search events for apps with ‘Does the app enforce authorization policies on user activities?’ |
| Alert | organization_unit | Search for events from a specific organization unit. Organization name is derived from user id(e.g. org eq ‘netskope.com’) |
| Alert | app-cci-vuln-exploit | Search events for apps with ‘Vulnerabilities & Exploits’ |
| Alert | dst_longitude | Search events for a specific destination longitude (e.g. dst_longitude > 0) |
| Alert | app-cci-securityheaders | Search events for apps with ‘Which HTTP security headers does the app use?’ |
| Alert | app-cci-business-risk | The business risk level of apps (low,medium,high) |
| Alert | app-cci-allow-classify-data | Search events for apps with ‘Does the app allow data classification (e.g., public, confidential, proprietary)?’ |
| Alert | org | Search for events from a specific organization. Organization name is derived from user id(e.g. org eq ‘netskope.com’) |
| Alert | src_country | Search events from a specific source country (e.g. src_country eq IN) |
| Alert | to_user | Search events based on the destination user ids (e.g. to_user like Adam) |
| Alert | app-cci-audit-logs | Search events for apps with ‘Does the app provide admin audit logs?’ |
| Alert | app-cci-app-type | The type of the app – Consumer, Departmental, or Enterprise |
| Alert | app-cci-allow-proxy | Search events for apps with ‘The list of platforms through which the app traffic can be proxied:’ |
| Alert | app-cci-allow-download-data | Search events for apps with ‘Is the customer data available for download upon cancellation of service?’ |
| Alert | action | Search for action taken by the user (e.g. Block, Bypass, Alert) |
| Alert | os | Search for events from a specific operating system (e.g. os = Windows) |
| Alert | dst_region | Search events for a specific destination state (e.g. dst_region eq GA) |
| Alert | dstip | Search events for a specific destination IP address (e.g. dstip eq 2.2.2.2) |
| Alert | email_source | The source of the email used in finding compromised credentials. |
| Alert | app | Search events for a specific cloud app (e.g. app = Dropbox) |
| Alert | app-cci-data-center-cert | Search events for apps with ‘To what data center standards does the app adhere?’ |
| Alert | srcip | Search events from a specific source-ip address (e.g. srcip eq 1.1.1.1) |
| Alert | usergroup | when a user group is searched, it includes every user within the group. |
| Alert | first_accessed | Search for first seen time of app |
| Alert | app-cci-app-hosting-location | Search events for apps with ‘From which countries does this app serve data?’ |
| Alert | access_method | Search for events generated from specific access methods such as Client, Secure Forwarder, Logs, Mobile profile etc. (e.g. access_method eq ‘Client’) |
| Alert | app-cci-secure-pass-policy | Search events for apps with ‘Does the app enforce password best practices as policy?’ |
| Alert | app-cci-anonymous-sharing | Search events for apps with ‘Does the app allow anonymous sharing of data?’ |
| Alert | app-cci-upgrade-notification | Search events for apps with ‘Does the app vendor provide notifications to customers about upgrades and changes (e.g., scheduled maintenance, new releases, software/hardware changes)?’ |
| Alert | dlp_rule | Search events for a dlp rule within the profile that matches the content (e.g., dlp_rule = cc_num) |
| Alert | external_collaborator_count | Number of External Collaborators |
| Alert | app-cci-published-dr-plan | Search events for apps with ‘Does the app vendor provide disaster recovery services?’ |
| Alert | from_user | Search events for activities based on login ids for cloud apps (e.g. from_user like john) |
| Alert | src_location | Search events from a specific source city (e.g. src_location eq ‘San Francisco’) |
| Alert | app-cci-access-other-apps | Search events for apps with ‘Does this application access other apps on the device?’ |
| Alert | app-cci-cookies-3rd-party | Search events for apps with ‘Does this application use third-party cookies?’ |
| Alert | app-cci-apphosting-provider | Search events for apps with ‘Which infrastructure or hosting provider is the app hosted on?’ |
| Alert | app-cci-weak-algorithm-keysize | Search events for apps with ‘Does the app increase the risk of data exposure by supporting weak signature algorithm or key size ?’ |
| Alert | browser | Search for events from a specific browser (e.g. browser eq Chrome) |
| Alert | alert_type | Search for alerts triggered by policy action, watchlist, quarantine or dlp (e.g. alert_type eq policy) |
| Alert | app-cci-recent-breach | Search events for apps with ‘Has this application been recently breached (in the past year)?’ |
| Alert | dst_location | Search events for a specific destination location (e.g. dst_location = ‘San Jose’) |
| Alert | app-cci-encrypt-in-transit | Search events for apps with ‘Does the app encrypt data-in-transit?’ |
| Alert | site | Search for specific site |
| Alert | app-cci-who-owns-data | Search events for apps with ‘Who owns the data/content uploaded to the application site? Does the customer own the data or does the application vendor own the data?’ |
| Alert | app-cci-src-ip-enforcement | Search events for apps with ‘Does the app support access control by IP address or range?’ |
| Alert | device_classification | How the device has been classified |
| Alert | hostname | Search for events from a specific device hostname |
| Alert | object_id | Search events for a specific object id such as activity specific value etc. (e.g. object_id = f_12787234) |
| Alert | dlp_rule_count | Search events that number of rules matches the content (e.g., dlp_rule_count = 10) |
| Alert | app-cci-file-capacity | Search events for apps with ‘File Sharing Capacity’ |
| Alert | dst_country | Search events for a specific destination country (e.g. dst_country = US) |
| Alert | src_zipcode | Search for events from a specific source zipcode (e.g. src_zipcode eq 94043) |
| Alert | dstport | Search events for a specific destination port (e.g. dstport = 443) |
| Alert | app-cci-dispersed-data-center | Search events for apps with ‘Does the application vendor utilize geographically dispersed data centers to serve customers?’ |
| Alert | app-cci-backup-user-data | Search events for apps with ‘Does the app vendor back up customer data in a separate location from the main data center?’ |
| Alert | app-cci-sharing-personal-info-3rd-party | Search events for apps with ‘Does this app share users’ personal information (e.g., name, email, address) with third parties?’ |
| Alert | http_transaction_count | Search for http transaction count |
| Alert | object | Search events for a specific object name. Object name displays the actual filename, folder name, report name, document name etc. (e.g. object like xls) |
| Alert | app-cci-multi-fact-auth | Search events for apps with ‘Does the app support multi-factor authentication?’ |
| Alert | app-cci-user-audit-logs | Search events for apps with ‘Does the app provide user audit logs?’ |
| Alert | user | Search events from a specific user e.g user eq john@abc.com |
| Alert | internal_collaborator_count | Number of Internal Collaborators |
| Alert | device | Search for events from a specific device (e.g. device = Windows) |
| Alert | app-cci-status-report | Search events for apps with ‘Does the app vendor provide infrastructure status reports?’ |
| Alert | acked | Search for alerts that have been acknowledged or not (e.g. acked eq true/false) |
| Alert | dst_zipcode | Search events for a specific zip code (e.g. dst_zipcode eq 94043) |
| Alert | url | Search URL accessed by user |
| Alert | ccl | cloud confidence level of an application |
| Alert | alert_name | Search for alerts triggered by specific policy, watchlist or dlp (e.g. alert_name eq ‘Cloud storage Policy’) |
| Alert | app-cci-encrypt-at-rest | Search events for apps with ‘Does the app encrypt data-at-rest?’ |
| Alert | cci | Search for CCI score |
| Alert | workspace | Workspace Name |
| Alert | enterprise | Enterprise Name |
| Alert | app-cci-treat-classify-data | Search events for apps with ‘If yes, does the app allow admins to take action on classified data (e.g., encrypt, control access)?’ |
| Alert | app-cci-role-based-access | Search events for apps with ‘Does the app support role-based authorization?’ |
| Alert | app-cci-access-logs | Search events for apps with ‘Does the app provide data access audit logs?’ |
| Application | app-cci-contacts-data | Search events for apps with ‘Does this application access contacts, calendar data and messages?’ |
| Application | app-cci-data-per-tenant | Search events for apps with ‘Data segregated by tenant’ |
| Application | total_collaborator_count | Number of Total Collaborators |
| Application | dlp_profile | Search events for a specific dlp profile applied to the content (e.g., dlp_profile = dlp-pci) |
| Application | dst_latitude | Search events for a specific destination latitude (e.g. dst_latitude > 0) |
| Application | timestamp | the time the event is generated |
| Application | src_region | Search events from a specific source state or region (e.g. src_region eq CA) |
| Application | traffic_type | Search for specific traffic type |
| Application | app-cci-sso | Search events for apps with ‘SSO/AD hooks’ |
| Application | instance_id | Search events based on the instance of the app (e.g. for Salesforce, instance_id = production) |
| Application | app-cci-encrypt-tenant-managed-key | Search events for apps with ‘Does the app allow customer-managed encryption keys?’ |
| Application | app-cci-is-weak-cipher | Search events for apps with ‘Does the app increase the risk of data exposure by supporting weak cipher suites?’ |
| Application | category | Search events for category (e.g. category = ‘Cloud Storage’) |
| Application | app-cci-compliance-cert | Search events for apps with ‘What compliance certifications does the app have?’ |
| Application | app-cci-file-sharing | Search events for apps with ‘Does the app enable file sharing? Â ‘ |
| Application | app-cci-spf | Search events for apps with ‘Does the app vendor use a Sender Policy Framework to protect customers from spam and phishing emails?’ |
| Application | app-cci-erase-cust-data | Search events for apps with ‘Is all customer data erased upon cancellation of service? If so, when?’ |
| Application | app-cci-cc-signup | Search events for apps with ‘Does the app allow signup without a credit card?’ |
| Application | app_session_id | Search for events with specific application session id (e.g app_session_id eq <app-session-id-number>) |
| Application | app-gdpr-level | GDPR Readiness level of an application |
| Application | app-cci-system-operations | Search events for apps with ‘Does this application perform system operations?’ |
| Application | app-cci-device-based-access | Search events for apps with ‘Does the app support the following device types?’ |
| Application | audit_type | Search audit events for a specific audit type. audit_type displays the actual audit event name we get from SaaS app |
| Application | app-cci-app-tag | Search events for apps with ‘App Type’ |
| Application | app-cci-action-based-auth | Search events for apps with ‘Does the app enforce authorization policies on user activities?’ |
| Application | organization_unit | Search for events from a specific organization unit. Organization name is derived from user id(e.g. org eq ‘netskope.com’) |
| Application | app-cci-vuln-exploit | Search events for apps with ‘Vulnerabilities & Exploits’ |
| Application | dst_longitude | Search events for a specific destination longitude (e.g. dst_longitude > 0) |
| Application | app-cci-securityheaders | Search events for apps with ‘Which HTTP security headers does the app use?’ |
| Application | app-cci-business-risk | The business risk level of apps (low,medium,high) |
| Application | app-cci-allow-classify-data | Search events for apps with ‘Does the app allow data classification (e.g., public, confidential, proprietary)?’ |
| Application | userkey | Search events from a specific user/email e.g userkey eq john@abc.com |
| Application | org | Search for events from a specific organization. Organization name is derived from user id(e.g. org eq ‘netskope.com’) |
| Application | src_country | Search events from a specific source country (e.g. src_country eq IN) |
| Application | to_user | Search events based on the destination user ids (e.g. to_user like Adam) |
| Application | app-cci-audit-logs | Search events for apps with ‘Does the app provide admin audit logs?’ |
| Application | app-cci-app-type | The type of the app – Consumer, Departmental, or Enterprise |
| Application | app-cci-allow-proxy | Search events for apps with ‘The list of platforms through which the app traffic can be proxied:’ |
| Application | app-cci-allow-download-data | Search events for apps with ‘Is the customer data available for download upon cancellation of service?’ |
| Application | action | Search for action taken by the user (e.g. Block, Bypass, Alert) |
| Application | os | Search for events from a specific operating system (e.g. os = Windows) |
| Application | dst_region | Search events for a specific destination state (e.g. dst_region eq GA) |
| Application | dstip | Search events for a specific destination IP address (e.g. dstip eq 2.2.2.2) |
| Application | app | Search events for a specific cloud app (e.g. app = Dropbox) |
| Application | app-cci-data-center-cert | Search events for apps with ‘To what data center standards does the app adhere?’ |
| Application | srcip | Search events from a specific source-ip address (e.g. srcip eq 1.1.1.1) |
| Application | usergroup | When a user group is searched, it includes every user within the group. |
| Application | app-cci-app-hosting-location | Search events for apps with ‘From which countries does this app serve data?’ |
| Application | access_method | Search for events generated from specific access methods such as Client, Secure Forwarder, Logs, Mobile profile etc. (e.g. access_method eq ‘Client’) |
| Application | app-cci-secure-pass-policy | Search events for apps with ‘Does the app enforce password best practices as policy?’ |
| Application | app-cci-anonymous-sharing | Search events for apps with ‘Does the app allow anonymous sharing of data?’ |
| Application | app-cci-upgrade-notification | Search events for apps with ‘Does the app vendor provide notifications to customers about upgrades and changes (e.g., scheduled maintenance, new releases, software/hardware changes)?’ |
| Application | dlp_rule | Search events for a dlp rule within the profile that matches the content (e.g., dlp_rule = cc_num) |
| Application | external_collaborator_count | Number of External Collaborators |
| Application | app-cci-published-dr-plan | Search events for apps with ‘Does the app vendor provide disaster recovery services?’ |
| Application | from_user | Search events for activities based on login ids for cloud apps (e.g. from_user like john) |
| Application | src_location | Search events from a specific source city (e.g. src_location eq ‘San Francisco’) |
| Application | app-cci-access-other-apps | Search events for apps with ‘Does this application access other apps on the device?’ |
| Application | count | Search for activities with event count greater than 1 to search for events that are suppressed (e.g count gt 1) |
| Application | app-cci-cookies-3rd-party | Search events for apps with ‘Does this application use third-party cookies?’ |
| Application | app-cci-apphosting-provider | Search events for apps with ‘Which infrastructure or hosting provider is the app hosted on?’ |
| Application | app-cci-weak-algorithm-keysize | Search events for apps with ‘Does the app increase the risk of data exposure by supporting weak signature algorithm or key size ?’ |
| Application | browser | Search for events from a specific browser (e.g. browser eq Chrome) |
| Application | app-cci-recent-breach | Search events for apps with ‘Has this application been recently breached (in the past year)?’ |
| Application | dst_location | Search events for a specific destination location (e.g. dst_location = ‘San Jose’) |
| Application | app-cci-encrypt-in-transit | Search events for apps with ‘Does the app encrypt data-in-transit?’ |
| Application | app-cci-who-owns-data | Search events for apps with ‘Who owns the data/content uploaded to the application site? Does the customer own the data or does the application vendor own the data?’ |
| Application | app-cci-src-ip-enforcement | Search events for apps with ‘Does the app support access control by IP address or range?’ |
| Application | activity | Search for events or alerts for a specific user activity (e.g. activity eq Create) |
| Application | device_classification | How the device has been classified |
| Application | hostname | Search for events from a specific device hostname |
| Application | dlp_rule_count | Search events that number of rules matches the content (e.g., dlp_rule_count = 10) |
| Application | app-cci-file-capacity | Search events for apps with ‘File Sharing Capacity’ |
| Application | dst_country | Search events for a specific destination country (e.g. dst_country = US) |
| Application | src_zipcode | Search for events from a specific source zipcode (e.g. src_zipcode eq 94043) |
| Application | dstport | Search events for a specific destination port (e.g. dstport = 443) |
| Application | app-cci-dispersed-data-center | Search events for apps with ‘Does the application vendor utilize geographically dispersed data centers to serve customers?’ |
| Application | app-cci-backup-user-data | Search events for apps with ‘Does the app vendor back up customer data in a separate location from the main data center?’ |
| Application | app-cci-sharing-personal-info-3rd-party | Search events for apps with ‘Does this app share users’ personal information (e.g., name, email, address) with third parties?’ |
| Application | object | Search events for a specific object name. Object name displays the actual filename, folder name, report name, document name etc. (e.g. object like xls) |
| Application | app-cci-multi-fact-auth | Search events for apps with ‘Does the app support multi-factor authentication?’ |
| Application | app-cci-user-audit-logs | Search events for apps with ‘Does the app provide user audit logs?’ |
| Application | user | Search events from a specific user e.g user eq john@abc.com |
| Application | internal_collaborator_count | Number of Internal Collaborators |
| Application | device | Search for events from a specific device (e.g. device = Windows) |
| Application | app-cci-status-report | Search events for apps with ‘Does the app vendor provide infrastructure status reports?’ |
| Application | first_accessed | Search for first seen time of app |
| Application | dst_zipcode | Search events for a specific zip code (e.g. dst_zipcode eq 94043) |
| Application | ccl | cloud confidence level of an application |
| Application | app-cci-encrypt-at-rest | Search events for apps with ‘Does the app encrypt data-at-rest?’ |
| Application | cci | Search for CCI score |
| Application | workspace | Workspace Name |
| Application | enterprise | Enterprise Name |
| Application | app-cci-treat-classify-data | Search events for apps with ‘If yes, does the app allow admins to take action on classified data (e.g., encrypt, control access)?’ |
| Application | app-cci-role-based-access | Search events for apps with ‘Does the app support role-based authorization?’ |
| Application | app-cci-access-logs | Search events for apps with ‘Does the app provide data access audit logs?’ |
| Network | action | Search events for a specific action (e.g. action = block) |
| Network | app | Search events for a specific cloud app (e.g. app = Dropbox) |
| Network | dstip | Search events for a specific destination IP address (e.g. dstip eq 2.2.2.2) |
| Network | usergroup | When a user group is searched, it includes every user within the group. |
| Network | ip_protocol | Search events based on IP protocol. |
| Network | os | Search for events from a specific operating system (e.g. os = Windows) |
| Network | os_version | Search for a specific OS version. |
| Network | organization_unit | Search for events from a specific organization unit. Organization name is derived from user id (e.g. organization_unit eq ‘netskope.com’) |
| Network | port | Search events based on port (e.g. port = 443) |
| Network | src_country | Search events from a specific source country (e.g. src_country eq IN) |
| Network | srcip | Search events from a specific source IP address (e.g. srcip eq 1.1.1.1) |
| Network | src_location | Search events from a specific source city (e.g. src_location eq ‘San Francisco’) |
| Network | timestamp | Search events based on the time the event is generated |
| Network | user | Search events from a specific user (e.g user eq john@abc.com) |
| Page | app-cci-contacts-data | Search events for apps with ‘Does this application access contacts, calendar data and messages?’ |
| Page | app-cci-data-per-tenant | Search events for apps with ‘Data segregated by tenant’ |
| Page | count | Search for activities with event count greater than 1 to search for events that are suppressed (e.g count gt 1) |
| Page | dst_latitude | Search events for a specific destination latitude (e.g. dst_latitude > 0) |
| Page | timestamp | Search events based on the time the event is generated |
| Page | src_region | Search events from a specific source state or region (e.g. src_region eq CA) |
| Page | app-cci-sso | Search events for apps with ‘SSO/AD hooks’ |
| Page | domain | Search for specific domain |
| Page | app-cci-encrypt-tenant-managed-key | Search events for apps with ‘Does the app allow customer-managed encryption keys?’ |
| Page | aggregated_user | Search events where the user field is a network location (e.g. aggregated_user eq True) |
| Page | app-cci-is-weak-cipher | Search events for apps with ‘Does the app increase the risk of data exposure by supporting weak cipher suites?’ |
| Page | category | Search events for category (e.g. category = ‘Cloud Storage’) |
| Page | app-cci-compliance-cert | Search events for apps with ‘What compliance certifications does the app have?’ |
| Page | app-cci-file-sharing | Search events for apps with ‘Does the app enable file sharing? Â ‘ |
| Page | app-cci-spf | Search events for apps with ‘Does the app vendor use a Sender Policy Framework to protect customers from spam and phishing emails?’ |
| Page | network | Search events from a network (e.g. network eq NET24:172.16.168.0) |
| Page | user_generated | Search for events for user generated page events |
| Page | app-cci-erase-cust-data | Search events for apps with ‘Is all customer data erased upon cancellation of service? If so, when?’ |
| Page | app-cci-cc-signup | Search events for apps with ‘Does the app allow signup without a credit card?’ |
| Page | app-gdpr-level | GDPR Readiness level of an application |
| Page | traffic_type | Search for specific traffic type |
| Page | app-cci-system-operations | Search events for apps with ‘Does this application perform system operations?’ |
| Page | app-cci-device-based-access | Search events for apps with ‘Does the app support the following device types?’ |
| Page | app-cci-app-tag | Search events for apps with ‘App Type’ |
| Page | app-cci-action-based-auth | Search events for apps with ‘Does the app enforce authorization policies on user activities?’ |
| Page | organization_unit | Search for events from a specific organization unit. Organization name is derived from user id(e.g. org eq ‘netskope.com’) |
| Page | app-cci-vuln-exploit | Search events for apps with ‘Vulnerabilities & Exploits’ |
| Page | dst_longitude | Search events for a specific destination longitude (e.g. dst_longitude > 0) |
| Page | app-cci-securityheaders | Search events for apps with ‘Which HTTP security headers does the app use?’ |
| Page | app-cci-business-risk | The business risk level of apps (low,medium,high) |
| Page | app-cci-allow-classify-data | Search events for apps with ‘Does the app allow data classification (e.g., public, confidential, proprietary)?’ |
| Page | org | Search for events from a specific organization. Organization name is derived from user id (e.g. org eq ‘netskope.com’) |
| Page | src_country | Search events from a specific source country (e.g. src_country eq IN) |
| Page | app-cci-audit-logs | Search events for apps with ‘Does the app provide admin audit logs?’ |
| Page | app-cci-app-type | The type of the app – Consumer, Departmental, or Enterprise |
| Page | app-cci-allow-proxy | Search events for apps with ‘The list of platforms through which the app traffic can be proxied:’ |
| Page | app-cci-allow-download-data | Search events for apps with ‘Is the customer data available for download upon cancellation of service?’ |
| Page | os | Search for events from a specific operating system (e.g. os = Windows) |
| Page | dst_region | Search events for a specific destination state (e.g. dst_region eq GA) |
| Page | dstip | Search events for a specific destination IP address (e.g. dstip eq 2.2.2.2) |
| Page | app | Search events for a specific cloud app (e.g. app = Dropbox) |
| Page | app-cci-data-center-cert | Search events for apps with ‘To what data center standards does the app adhere?’ |
| Page | srcip | Search events from a specific source-ip address (e.g. srcip eq 1.1.1.1) |
| Page | usergroup | When a user group is searched, it includes every user within the group. |
| Page | app-cci-app-hosting-location | Search events for apps with ‘From which countries does this app serve data?’ |
| Page | conn_duration | Search events based on how long the connection was established in seconds (e.g conn_duration > 10000) |
| Page | access_method | Search for events generated from specific access methods such as Client, Secure Forwarder, Logs, Mobile profile etc. (e.g. access_method eq ‘Client’) |
| Page | app-cci-secure-pass-policy | Search events for apps with ‘Does the app enforce password best practices as policy?’ |
| Page | app-cci-anonymous-sharing | Search events for apps with ‘Does the app allow anonymous sharing of data?’ |
| Page | app-cci-upgrade-notification | Search events for apps with ‘Does the app vendor provide notifications to customers about upgrades and changes (e.g., scheduled maintenance, new releases, software/hardware changes)?’ |
| Page | app-cci-published-dr-plan | Search events for apps with ‘Does the app vendor provide disaster recovery services?’ |
| Page | src_location | Search events from a specific source city (e.g. src_location eq ‘San Francisco’) |
| Page | app-cci-access-other-apps | Search events for apps with ‘Does this application access other apps on the device?’ |
| Page | latency_min | Search events based on the min latency values from proxy to app in ms (e.g. latency_min > 200) |
| Page | app-cci-cookies-3rd-party | Search events for apps with ‘Does this application use third-party cookies?’ |
| Page | app-cci-apphosting-provider | Search events for apps with ‘Which infrastructure or hosting provider is the app hosted on?’ |
| Page | latency_max | Search events based on the max latency values from proxy to app in ms (e.g. latency_max > 200) |
| Page | app-cci-weak-algorithm-keysize | Search events for apps with ‘Does the app increase the risk of data exposure by supporting weak signature algorithm or key size ?’ |
| Page | userkey | Search events from a specific user/email e.g userkey eq john@abc.com |
| Page | browser | Search for events from a specific browser (e.g. browser eq Chrome) |
| Page | app-cci-recent-breach | Search events for apps with ‘Has this application been recently breached (in the past year)?’ |
| Page | dst_location | Search events for a specific destination location (e.g. dst_location = ‘San Jose’) |
| Page | app-cci-encrypt-in-transit | Search events for apps with ‘Does the app encrypt data-in-transit?’ |
| Page | latency_total | Search events based on the total latency values from proxy to app in ms (e.g. latency_total gt 200) |
| Page | site | Search for specific site |
| Page | app-cci-who-owns-data | Search events for apps with ‘Who owns the data/content uploaded to the application site? Does the customer own the data or does the application vendor own the data?’ |
| Page | app-cci-src-ip-enforcement | Search events for apps with ‘Does the app support access control by IP address or range?’ |
| Page | hostname | Search for events from a specific device hostname |
| Page | app-cci-file-capacity | Search events for apps with ‘File Sharing Capacity’ |
| Page | dst_country | Search events for a specific destination country (e.g. dst_country = US) |
| Page | src_zipcode | Search for events from a specific source zipcode (e.g. src_zipcode eq 94043) |
| Page | dstport | Search events for a specific destination port (e.g. dstport = 443) |
| Page | app-cci-dispersed-data-center | Search events for apps with ‘Does the application vendor utilize geographically dispersed data centers to serve customers?’ |
| Page | app-cci-backup-user-data | Search events for apps with ‘Does the app vendor back up customer data in a separate location from the main data center?’ |
| Page | app-cci-sharing-personal-info-3rd-party | Search events for apps with ‘Does this app share users’ personal information (e.g., name, email, address) with third parties?’ |
| Page | http_transaction_count | Search for http transaction count |
| Page | app-cci-multi-fact-auth | Search events for apps with ‘Does the app support multi-factor authentication?’ |
| Page | app-cci-user-audit-logs | Search events for apps with ‘Does the app provide user audit logs?’ |
| Page | user | Search events from a specific user e.g user eq john@abc.com |
| Page | device | Search for events from a specific device (e.g. device = Windows) |
| Page | app-cci-status-report | Search events for apps with ‘Does the app vendor provide infrastructure status reports?’ |
| Page | first_accessed | Search for first seen time of app |
| Page | dst_zipcode | Search events for a specific zip code (e.g. dst_zipcode eq 94043) |
| Page | ccl | cloud confidence level of an application |
| Page | app-cci-encrypt-at-rest | Search events for apps with ‘Does the app encrypt data-at-rest?’ |
| Page | cci | Search for CCI score |
| Page | app-cci-treat-classify-data | Search events for apps with ‘If yes, does the app allow admins to take action on classified data (e.g., encrypt, control access)?’ |
| Page | app-cci-role-based-access | Search events for apps with ‘Does the app support role-based authorization?’ |
| Page | app-cci-access-logs | Search events for apps with ‘Does the app provide data access audit logs?’ |
