Endpoint Events Data Collection and Dashboard
Endpoint Events Data Collection and Dashboard
This feature may require additional licensing. Contact your Netskope Sales and Support team to enable this in your account.
The Endpoint Events data collection and dashboard are available in the Netskope Library. Navigate to Advanced Analytics > Explore > Data Collection > Endpoint Events to access the dashboard.
Admins can gain insight from endpoint events in Netskope Advanced Analytics (NAA) through out-of-the-box reports / dashboards, and customizable reporting options using 70+ data attributes.
Benefits include:
- Comprehensive insight into user actions and behaviors
- Flexibility to create reports that meet specific business needs
Prerequisites
- Your account must have Endpoint DLP enabled in order to generate / populate data for your dashboard.
- You account must have NAA enabled (trial or license) to access the data collection and dashboard.
Endpoint Events Dashboard
This dashboard shows general information and trends over time for endpoint alerts and files transferred by file size. In addition you can quickly see the number of users, devices, and triggered alerts. The default event date time is the last seven days.
User Insights
The Users dashboard tracks top users triggering alerts, including DLP profiles, and actions taken.
Data Analysis
This dashboard monitors DLP profiles and rules triggered, along with file types, file size, and actions taken.
Device Breakdown
This dashboard provides a detailed analysis by device type (USB, printer, network share), including file types, sizes, and actions.
Endpoint Event Data Fields
| FIELD NAME | CATEGORY | DESCRIPTION | TYPE |
|---|---|---|---|
| Access Method | Dimension | This field shows the actual access method that triggered the event. | String |
| Action | Dimension | Action that triggered the event. | String |
| Activity | Dimension | Activity performed by the user, e.g. copy, move, save. | String |
| Alert (Yes / No) | Dimension | Indicates whether alert is generated or not. Populated as yes for all alerts. | Yes/No |
| Alert Name | Dimension | Name of the alert / action that is triggered. | String |
| Content Process ID | Dimension | String | |
| Content Process Name | Dimension | String | |
| Content Process path | Dimension | String | |
| DLP Incident ID | Dimension | Incident ID associated with sub file. For example a zip file, this is the incident ID for files within the zip file. | String |
| DLP Profile | Dimension | DLP profile that triggered the event (Alerts page). | String |
| DLP Rule | Dimension | DLP rule name. | String |
| Destination File Directory | Dimension | Content file directory details. | String |
| Destination File Name | Dimension | Content file name. | String |
| Destination File Path | Dimension | Content file path details. | String |
| Device ID | Dimension | USB device ID. | String |
| Device Name | Dimension | Device name for the USB. | String |
| Driver | Dimension | Printer driver provided by printer manufacture. | String |
| Enforced Policy Name | Dimension | Policy that triggered the event. | String |
| Event Date | Dimension | Timestamp when the event/alert occured. | Date date |
| Event Day of Month | Dimension | Timestamp when the event/alert occurred. | Date day of month |
| Event Day of Week | Dimension | Timestamp when the event/alert occurred. | Date day of week |
| Event Day of Week Index | Dimension | Timestamp when the event/alert occurred. | Date day of week index |
| Event Day of Year | Dimension | Timestamp when the event/alert occurred. | Date day of year |
| Event Hour | Dimension | Timestamp when the event/alert occurred. | Date hour |
| Event Hour of Day | Dimension | Timestamp when the event/alert occurred. | Date hour of day |
| Event Minute5 | Dimension | Timestamp when the event/alert occurred. | Date minute5 |
| Event Month | Dimension | Timestamp when the event/alert occurred. | Date month |
| Event Month Name | Dimension | Timestamp when the event/alert occurred. | Date month name |
| Event Month Num | Dimension | Timestamp when the event/alert occurred. | Date month num |
| Event Month of Quarter | Dimension | Timestamp when the event/alert occurred. | String |
| Event Quarter | Dimension | Timestamp when the event/alert occurred. | Date quarter |
| Event Timestamp | Dimension | Timestamp when the event/alert occurred. | Date time |
| Event Type | Dimension | Lists the device control events or content control events. | String |
| Event Week | Dimension | Timestamp when the event/alert occurred. | Date week |
| Event Week of Year | Dimension | Timestamp when the event/alert occurred. | Date week of year |
| Event Year | Dimension | Timestamp when the event/alert occurred. | Date year |
| Executable Hash | Dimension | Executable hash. | String |
| Executable Signed (Y/N) (Yes / No) | Dimension | Executable Signed (Y/N). | Yes/No |
| File Origin | Dimension | Content file origin details. | String |
| File SHA256 | Dimension | Content sha256 for the file. | String |
| File Size | Dimension | Size of the file in bytes. | Number |
| File Type | Dimension | True file type. | String |
| Hardware Device Type | Dimension | USB device type. | String |
| Hostname | Dimension | Hostname. | String |
| Location | Dimension | IP address, URL, or human-readable address. | String |
| MD5 | Dimension | Content MD5 hash of the file. | String |
| OS | Dimension | Endpoint host Operating System. | String |
| OS Details | Dimension | Endpoint host Operating System details. | String |
| OS Username | Dimension | Name of the user being used on the OS. | String |
| Organization Unit | Dimension | String | |
| Policy Name | Dimension | Name of the policy configured by admin. This is the policy that should have triggered. | String |
| Port | Dimension | Name of printer config port on windows. | String |
| Printer Type | Dimension | Type of printer (i.e. Network Printer, Local Printer). | String |
| Process Certificate Subject | Dimension | Subject from certificate, identifying what app triggered event. | String |
| Product ID | Dimension | USB product ID. | String |
| Serial Number | Dimension | Serial number of the USB. | String |
| UNC Path | Dimension | Identifier for printer, printer address. | String |
| User Group | Dimension | User group for which the event correlates. This ties to user information extracted from Active Directory using the AD Importer / Connector application. | String |
| Username | Dimension | User email. | String |
| Vendor ID | Dimension | USB Vendor ID . | String |
| Alerts | Measure | Count | |
| Devices | Measure | The unique count of devices by USB device ID. | Count distinct |
| Events | Measure | Sum | |
| Files | Measure | Unique count of files transferred that hit a policy. | Count distinct |
| Policy | Measure | Unique count of policy name. | Count distinct |
| Users | Measure | Unique count of users by user email. | Count distinct |
| Event Date | Measure | Date time | |
| Event Date | Measure | Date time | |
| File Size | Measure | Sum | |
| Measures Sum - File Size (GB) | Measure | Sum | |
| Measures Sum - File Size (KB) | Measure | Sum | |
| Measures Sum - File Size (MB) | Measure | Sum |
