Mappings Field Descriptions
Note: The OCSF schema version these mappings target is updated together with the plugin; the metadata.version value in the tables below (1.1.0) records the OCSF schema version the plugin emits.
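The tables below are the contract a consumer builds against. As an added example (not code from the Netskope CE plugin), the following Python reproduces the Alerts mapping for the anomaly and Compromised Credential sub types from a raw alert dictionary, applies the Default value column whenever a field is absent, and checks the OCSF type_uid derivation (class_uid * 100 + activity_id = 200199). The sample alert is constructed, and the sub type is passed in by the caller rather than read from the alert, since the tables do not say which raw field selects it.

```python
"""Added example (not Netskope CE plugin code): build an OCSF 1.1.0 Security
Finding from a raw Netskope alert by following the Alerts mapping table.
Only the 'anomaly' and 'Compromised Credential' sub types are transcribed."""
from __future__ import annotations

import json
from typing import Any

OCSF_SCHEMA_VERSION = "1.1.0"  # metadata.version in the table
CLASS_UID, CATEGORY_UID, ACTIVITY_ID = 2001, 2, 99  # Security Finding / Findings / Other
OTHER = 99  # severity_id, state_id and the observable type_id "Other"
TITLES = {"anomaly": "Anomaly", "Compromised Credential": "Compromised Credential"}

# observables[i] per sub type, in table order: (netskope_field, type_id, type, name)
OBSERVABLES = {
    "anomaly": [
        ("srcip", 2, "IP Address", "Source IP"),
        ("dstip", 2, "IP Address", "Destination IP"),
        ("user", 21, "User", "User"),
        ("site", OTHER, "Other", "Site Name"),
        ("url", 6, "URL String", "URL"),
    ],
    "Compromised Credential": [
        ("matched_username", 21, "User", "Matched Username"),
        ("userkey", OTHER, "Other", "User Key"),
    ],
}
# enrichments[i] groups: (name, netskope field for .value, {data key: netskope field})
JUSTIFICATION = ("Justification", "justification_type", {"description": "justification_reason"})
APP = ("App Name", "app", {k: k for k in ("appcategory", "app_session_id", "ccl", "cci")})
DEVICE = ("Device Name", "device_name", {k: k for k in (
    "device_classification", "nsdeviceuid", "browser", "os", "os_version")})
BREACH = ("Breach ID", "breach_id", {k: k for k in (
    "breach_media_references", "breach_score", "breach_date", "breach_target_references")})
ENRICHMENTS = {
    "anomaly": [JUSTIFICATION, APP, DEVICE],
    "Compromised Credential": [JUSTIFICATION, BREACH, DEVICE],
}


def to_ocsf(sub_type: str, alert: dict[str, Any]) -> dict[str, Any]:
    """Map one raw alert of the given sub type to a Security Finding dict.
    Defaults follow the table's Default value column: observable values and
    enrichment data fall back to None; an enrichment .value falls back to the
    "'<field>' value not available" string (straight quotes used here)."""
    observables = [
        {"name": name, "type": type_, "type_id": type_id, "value": alert.get(field)}
        for field, type_id, type_, name in OBSERVABLES[sub_type]
    ]
    enrichments = [
        {"name": name,
         "value": alert.get(value_field, f"'{value_field}' value not available"),
         "data": {key: alert.get(src) for key, src in data.items()}}
        for name, value_field, data in ENRICHMENTS[sub_type]
    ]
    return {
        "activity_id": ACTIVITY_ID,
        "category_uid": CATEGORY_UID,
        "class_uid": CLASS_UID,
        "type_uid": CLASS_UID * 100 + ACTIVITY_ID,  # OCSF rule; gives 200199
        "severity_id": OTHER,
        "state_id": OTHER,
        "time": alert.get("timestamp"),
        "finding": {"uid": alert.get("_id"), "title": f"Alerts – {TITLES[sub_type]}"},
        "metadata": {"version": OCSF_SCHEMA_VERSION,
                     "product": {"name": "Netskope CE", "vendor_name": "Netskope"}},
        "observables": observables,
        "enrichments": enrichments,
    }


def check_type_uid(finding: dict[str, Any]) -> bool:
    """Consumer-side check: type_uid must equal class_uid * 100 + activity_id."""
    return finding["type_uid"] == finding["class_uid"] * 100 + finding["activity_id"]


def observable(finding: dict[str, Any], name: str) -> Any:
    """Look an observable up by its table name instead of by array position."""
    return next((o["value"] for o in finding["observables"] if o["name"] == name), None)


# Constructed sample alert; justification_* and app_session_id are deliberately absent.
SAMPLE_ANOMALY = {
    "_id": "6500a1b2c3d4e5f601234567", "timestamp": 1700000000,
    "srcip": "203.0.113.10", "dstip": "198.51.100.25", "user": "alice@example.com",
    "site": "Example Drive", "url": "https://drive.example.com/file/abc",
    "app": "Example Drive", "appcategory": "Cloud Storage", "ccl": "high", "cci": 85,
    "device_name": "ALICE-LAPTOP", "os": "Windows", "os_version": "11",
}

if __name__ == "__main__":
    print(json.dumps(to_ocsf("anomaly", SAMPLE_ANOMALY), indent=2))
```

Observables keep their table positions (observables[i]) with value None where the source field is absent, exactly as the Default value column states, so a consumer should match on observables[].name rather than assume every position carries a value. The observable type_id values are emitted as the tables list them; verify them against the observable type enum of the OCSF schema version you ingest before writing detections that key on type_id.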
Alerts
Data Type | Sub Type | Netskope Field | OCSF Field | Default Value |
--- | --- | --- | --- | --- |
Alerts | anomaly | None | activity_id | 99 |
Alerts | anomaly | None | category_uid | 2 |
Alerts | anomaly | None | class_uid | 2001 |
Alerts | anomaly | _id | finding.uid | None |
Alerts | anomaly | None | finding.title | Alerts – Anomaly |
Alerts | anomaly | None | metadata.product.name | Netskope CE |
Alerts | anomaly | None | metadata.product.vendor_name | Netskope |
Alerts | anomaly | None | metadata.version | 1.1.0 |
Alerts | anomaly | None | severity_id | 99 |
Alerts | anomaly | None | state_id | 99 |
Alerts | anomaly | None | type_uid | 200199 |
Alerts | anomaly | timestamp | time | None |
Alerts | anomaly | srcip | observables[0].value | None |
Alerts | anomaly | None | observables[0].type_id | 2 |
Alerts | anomaly | None | observables[0].type | IP Address |
Alerts | anomaly | None | observables[0].name | Source IP |
Alerts | anomaly | dstip | observables[1].value | None |
Alerts | anomaly | None | observables[1].type_id | 2 |
Alerts | anomaly | None | observables[1].type | IP Address |
Alerts | anomaly | None | observables[1].name | Destination IP |
Alerts | anomaly | user | observables[2].value | None |
Alerts | anomaly | None | observables[2].type_id | 21 |
Alerts | anomaly | None | observables[2].type | User |
Alerts | anomaly | None | observables[2].name | User |
Alerts | anomaly | site | observables[3].value | None |
Alerts | anomaly | None | observables[3].type_id | 99 |
Alerts | anomaly | None | observables[3].type | Other |
Alerts | anomaly | None | observables[3].name | Site Name |
Alerts | anomaly | url | observables[4].value | None |
Alerts | anomaly | None | observables[4].type_id | 6 |
Alerts | anomaly | None | observables[4].type | URL String |
Alerts | anomaly | None | observables[4].name | URL |
Alerts | anomaly | None | enrichments[0].name | Justification |
Alerts | anomaly | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | anomaly | justification_reason | enrichments[0].data.description | None |
Alerts | anomaly | None | enrichments[1].name | App Name |
Alerts | anomaly | app | enrichments[1].value | ‘app’ value not available |
Alerts | anomaly | appcategory | enrichments[1].data.appcategory | None |
Alerts | anomaly | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | anomaly | ccl | enrichments[1].data.ccl | None |
Alerts | anomaly | cci | enrichments[1].data.cci | None |
Alerts | anomaly | None | enrichments[2].name | Device Name |
Alerts | anomaly | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | anomaly | device_classification | enrichments[2].data.device_classification | None |
Alerts | anomaly | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | anomaly | browser | enrichments[2].data.browser | None |
Alerts | anomaly | os | enrichments[2].data.os | None |
Alerts | anomaly | os_version | enrichments[2].data.os_version | None |
Alerts | Compromised Credential | None | activity_id | 99 |
Alerts | Compromised Credential | None | category_uid | 2 |
Alerts | Compromised Credential | None | class_uid | 2001 |
Alerts | Compromised Credential | _id | finding.uid | None |
Alerts | Compromised Credential | None | finding.title | Alerts – Compromised Credential |
Alerts | Compromised Credential | None | metadata.product.name | Netskope CE |
Alerts | Compromised Credential | None | metadata.product.vendor_name | Netskope |
Alerts | Compromised Credential | None | metadata.version | 1.1.0 |
Alerts | Compromised Credential | None | severity_id | 99 |
Alerts | Compromised Credential | None | state_id | 99 |
Alerts | Compromised Credential | None | type_uid | 200199 |
Alerts | Compromised Credential | timestamp | time | None |
Alerts | Compromised Credential | matched_username | observables[0].value | None |
Alerts | Compromised Credential | None | observables[0].type_id | 21 |
Alerts | Compromised Credential | None | observables[0].type | User |
Alerts | Compromised Credential | None | observables[0].name | Matched Username |
Alerts | Compromised Credential | userkey | observables[1].value | None |
Alerts | Compromised Credential | None | observables[1].type_id | 99 |
Alerts | Compromised Credential | None | observables[1].type | Other |
Alerts | Compromised Credential | None | observables[1].name | User Key |
Alerts | Compromised Credential | None | enrichments[0].name | Justification |
Alerts | Compromised Credential | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | Compromised Credential | justification_reason | enrichments[0].data.description | None |
Alerts | Compromised Credential | None | enrichments[1].name | Breach ID |
Alerts | Compromised Credential | breach_id | enrichments[1].value | ‘breach_id’ value not available |
Alerts | Compromised Credential | breach_media_references | enrichments[1].data.breach_media_references | None |
Alerts | Compromised Credential | breach_score | enrichments[1].data.breach_score | None |
Alerts | Compromised Credential | breach_date | enrichments[1].data.breach_date | None |
Alerts | Compromised Credential | breach_target_references | enrichments[1].data.breach_target_references | None |
Alerts | Compromised Credential | None | enrichments[2].name | Device Name |
Alerts | Compromised Credential | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | Compromised Credential | device_classification | enrichments[2].data.device_classification | None |
Alerts | Compromised Credential | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | Compromised Credential | browser | enrichments[2].data.browser | None |
Alerts | Compromised Credential | os | enrichments[2].data.os | None |
Alerts | Compromised Credential | os_version | enrichments[2].data.os_version | None |
Alerts | policy | None | activity_id | 99 |
Alerts | policy | None | category_uid | 2 |
Alerts | policy | None | class_uid | 2001 |
Alerts | policy | _id | finding.uid | None |
Alerts | policy | None | finding.title | Alerts – Policy |
Alerts | policy | None | metadata.product.name | Netskope CE |
Alerts | policy | None | metadata.product.vendor_name | Netskope |
Alerts | policy | None | metadata.version | 1.1.0 |
Alerts | policy | None | severity_id | 99 |
Alerts | policy | None | state_id | 99 |
Alerts | policy | None | type_uid | 200199 |
Alerts | policy | timestamp | time | None |
Alerts | policy | hostname | observables[0].value | None |
Alerts | policy | None | observables[0].type_id | 1 |
Alerts | policy | None | observables[0].type | Hostname |
Alerts | policy | None | observables[0].name | Host Name |
Alerts | policy | srcip | observables[1].value | None |
Alerts | policy | None | observables[1].type_id | 2 |
Alerts | policy | None | observables[1].type | IP Address |
Alerts | policy | None | observables[1].name | Source IP |
Alerts | policy | dstip | observables[2].value | None |
Alerts | policy | None | observables[2].type_id | 2 |
Alerts | policy | None | observables[2].type | IP Address |
Alerts | policy | None | observables[2].name | Destination IP |
Alerts | policy | site | observables[3].value | None |
Alerts | policy | None | observables[3].type_id | 99 |
Alerts | policy | None | observables[3].type | Other |
Alerts | policy | None | observables[3].name | Site Name |
Alerts | policy | user | observables[4].value | None |
Alerts | policy | None | observables[4].type_id | 21 |
Alerts | policy | None | observables[4].type | User |
Alerts | policy | None | observables[4].name | User |
Alerts | policy | referer | observables[5].value | None |
Alerts | policy | None | observables[5].type_id | 6 |
Alerts | policy | None | observables[5].type | URL String |
Alerts | policy | None | observables[5].name | Referer URL |
Alerts | policy | url | observables[6].value | None |
Alerts | policy | None | observables[6].type_id | 6 |
Alerts | policy | None | observables[6].type | URL String |
Alerts | policy | None | observables[6].name | URL |
Alerts | policy | None | enrichments[0].name | Justification |
Alerts | policy | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | policy | justification_reason | enrichments[0].data.description | None |
Alerts | policy | None | enrichments[1].name | App Name |
Alerts | policy | app | enrichments[1].value | ‘app’ value not available |
Alerts | policy | appcategory | enrichments[1].data.appcategory | None |
Alerts | policy | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | policy | ccl | enrichments[1].data.ccl | None |
Alerts | policy | cci | enrichments[1].data.cci | None |
Alerts | policy | None | enrichments[2].name | Device Name |
Alerts | policy | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | policy | device_classification | enrichments[2].data.device_classification | None |
Alerts | policy | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | policy | browser | enrichments[2].data.browser | None |
Alerts | policy | os | enrichments[2].data.os | None |
Alerts | policy | os_version | enrichments[2].data.os_version | None |
Alerts | Legal Hold | None | activity_id | 99 |
Alerts | Legal Hold | None | category_uid | 2 |
Alerts | Legal Hold | None | class_uid | 2001 |
Alerts | Legal Hold | _id | finding.uid | None |
Alerts | Legal Hold | None | finding.title | Alerts – Legal Hold |
Alerts | Legal Hold | None | metadata.product.name | Netskope CE |
Alerts | Legal Hold | None | metadata.product.vendor_name | Netskope |
Alerts | Legal Hold | None | metadata.version | 1.1.0 |
Alerts | Legal Hold | None | severity_id | 99 |
Alerts | Legal Hold | None | state_id | 99 |
Alerts | Legal Hold | None | type_uid | 200199 |
Alerts | Legal Hold | timestamp | time | None |
Alerts | Legal Hold | hostname | observables[0].value | None |
Alerts | Legal Hold | None | observables[0].type_id | 1 |
Alerts | Legal Hold | None | observables[0].type | Hostname |
Alerts | Legal Hold | None | observables[0].name | Host Name |
Alerts | Legal Hold | srcip | observables[1].value | None |
Alerts | Legal Hold | None | observables[1].type_id | 2 |
Alerts | Legal Hold | None | observables[1].type | IP Address |
Alerts | Legal Hold | None | observables[1].name | Source IP |
Alerts | Legal Hold | dstip | observables[2].value | None |
Alerts | Legal Hold | None | observables[2].type_id | 2 |
Alerts | Legal Hold | None | observables[2].type | IP Address |
Alerts | Legal Hold | None | observables[2].name | Destination IP |
Alerts | Legal Hold | site | observables[3].value | None |
Alerts | Legal Hold | None | observables[3].type_id | 99 |
Alerts | Legal Hold | None | observables[3].type | Other |
Alerts | Legal Hold | None | observables[3].name | Site Name |
Alerts | Legal Hold | user | observables[4].value | None |
Alerts | Legal Hold | None | observables[4].type_id | 21 |
Alerts | Legal Hold | None | observables[4].type | User |
Alerts | Legal Hold | None | observables[4].name | User |
Alerts | Legal Hold | md5 | observables[5].value | None |
Alerts | Legal Hold | None | observables[5].type_id | 8 |
Alerts | Legal Hold | None | observables[5].type | File Hash |
Alerts | Legal Hold | None | observables[5].name | MD5 |
Alerts | Legal Hold | sha256 | observables[6].value | None |
Alerts | Legal Hold | None | observables[6].type_id | 8 |
Alerts | Legal Hold | None | observables[6].type | File Hash |
Alerts | Legal Hold | None | observables[6].name | SHA256 |
Alerts | Legal Hold | object | observables[7].value | None |
Alerts | Legal Hold | None | observables[7].type_id | 24 |
Alerts | Legal Hold | None | observables[7].type | File |
Alerts | Legal Hold | None | observables[7].name | Object |
Alerts | Legal Hold | None | enrichments[0].name | Justification |
Alerts | Legal Hold | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | Legal Hold | justification_reason | enrichments[0].data.description | None |
Alerts | Legal Hold | None | enrichments[1].name | App Name |
Alerts | Legal Hold | app | enrichments[1].value | ‘app’ value not available |
Alerts | Legal Hold | appcategory | enrichments[1].data.appcategory | None |
Alerts | Legal Hold | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | Legal Hold | ccl | enrichments[1].data.ccl | None |
Alerts | Legal Hold | cci | enrichments[1].data.cci | None |
Alerts | Legal Hold | None | enrichments[2].name | Device Name |
Alerts | Legal Hold | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | Legal Hold | device_classification | enrichments[2].data.device_classification | None |
Alerts | Legal Hold | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | Legal Hold | browser | enrichments[2].data.browser | None |
Alerts | Legal Hold | os | enrichments[2].data.os | None |
Alerts | Legal Hold | os_version | enrichments[2].data.os_version | None |
Alerts | Legal Hold | None | enrichments[3].name | Legal Hold Profile Name |
Alerts | Legal Hold | legal_hold_profile_name | enrichments[3].value | ‘legal_hold_profile_name’ value not available |
Alerts | Legal Hold | lh_custodian_email | enrichments[3].data.lh_custodian_email | None |
Alerts | Legal Hold | lh_custodian_name | enrichments[3].data.lh_custodian_name | None |
Alerts | Legal Hold | lh_dest_app | enrichments[3].data.lh_dest_app | None |
Alerts | Legal Hold | lh_dest_instance | enrichments[3].data.lh_dest_instance | None |
Alerts | Legal Hold | lh_shared | enrichments[3].data.lh_shared | None |
Alerts | Legal Hold | lh_original_filename | enrichments[3].data.lh_original_filename | None |
Alerts | Malsite | None | activity_id | 99 |
Alerts | Malsite | None | category_uid | 2 |
Alerts | Malsite | None | class_uid | 2001 |
Alerts | Malsite | _id | finding.uid | None |
Alerts | Malsite | None | finding.title | Alerts – Malsite |
Alerts | Malsite | None | metadata.product.name | Netskope CE |
Alerts | Malsite | None | metadata.product.vendor_name | Netskope |
Alerts | Malsite | None | metadata.version | 1.1.0 |
Alerts | Malsite | None | severity_id | 99 |
Alerts | Malsite | None | state_id | 99 |
Alerts | Malsite | None | type_uid | 200199 |
Alerts | Malsite | timestamp | time | None |
Alerts | Malsite | hostname | observables[0].value | None |
Alerts | Malsite | None | observables[0].type_id | 1 |
Alerts | Malsite | None | observables[0].type | Hostname |
Alerts | Malsite | None | observables[0].name | Host Name |
Alerts | Malsite | srcip | observables[1].value | None |
Alerts | Malsite | None | observables[1].type_id | 2 |
Alerts | Malsite | None | observables[1].type | IP Address |
Alerts | Malsite | None | observables[1].name | Source IP |
Alerts | Malsite | dstip | observables[2].value | None |
Alerts | Malsite | None | observables[2].type_id | 2 |
Alerts | Malsite | None | observables[2].type | IP Address |
Alerts | Malsite | None | observables[2].name | Destination IP |
Alerts | Malsite | site | observables[3].value | None |
Alerts | Malsite | None | observables[3].type_id | 99 |
Alerts | Malsite | None | observables[3].type | Other |
Alerts | Malsite | None | observables[3].name | Site Name |
Alerts | Malsite | user | observables[4].value | None |
Alerts | Malsite | None | observables[4].type_id | 21 |
Alerts | Malsite | None | observables[4].type | User |
Alerts | Malsite | None | observables[4].name | User |
Alerts | Malsite | referer | observables[5].value | None |
Alerts | Malsite | None | observables[5].type_id | 6 |
Alerts | Malsite | None | observables[5].type | URL String |
Alerts | Malsite | None | observables[5].name | Referer URL |
Alerts | Malsite | url | observables[6].value | None |
Alerts | Malsite | None | observables[6].type_id | 6 |
Alerts | Malsite | None | observables[6].type | URL String |
Alerts | Malsite | None | observables[6].name | URL |
Alerts | Malsite | None | enrichments[0].name | Justification |
Alerts | Malsite | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | Malsite | justification_reason | enrichments[0].data.description | None |
Alerts | Malsite | None | enrichments[1].name | App Name |
Alerts | Malsite | app | enrichments[1].value | ‘app’ value not available |
Alerts | Malsite | appcategory | enrichments[1].data.appcategory | None |
Alerts | Malsite | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | Malsite | ccl | enrichments[1].data.ccl | None |
Alerts | Malsite | cci | enrichments[1].data.cci | None |
Alerts | Malsite | None | enrichments[2].name | Device Name |
Alerts | Malsite | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | Malsite | device_classification | enrichments[2].data.device_classification | None |
Alerts | Malsite | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | Malsite | browser | enrichments[2].data.browser | None |
Alerts | Malsite | os | enrichments[2].data.os | None |
Alerts | Malsite | os_version | enrichments[2].data.os_version | None |
Alerts | malware | None | activity_id | 99 |
Alerts | malware | None | category_uid | 2 |
Alerts | malware | None | class_uid | 2001 |
Alerts | malware | _id | finding.uid | None |
Alerts | malware | None | finding.title | Alerts – Malware |
Alerts | malware | None | metadata.product.name | Netskope CE |
Alerts | malware | None | metadata.product.vendor_name | Netskope |
Alerts | malware | None | metadata.version | 1.1.0 |
Alerts | malware | None | severity_id | 99 |
Alerts | malware | None | state_id | 99 |
Alerts | malware | None | type_uid | 200199 |
Alerts | malware | timestamp | time | None |
Alerts | malware | local_md5 | observables[0].value | None |
Alerts | malware | None | observables[0].type_id | 8 |
Alerts | malware | None | observables[0].type | File Hash |
Alerts | malware | None | observables[0].name | MD5 |
Alerts | malware | local_sha256 | observables[1].value | None |
Alerts | malware | None | observables[1].type_id | 8 |
Alerts | malware | None | observables[1].type | File Hash |
Alerts | malware | None | observables[1].name | SHA256 |
Alerts | malware | local_sha1 | observables[2].value | None |
Alerts | malware | None | observables[2].type_id | 8 |
Alerts | malware | None | observables[2].type | File Hash |
Alerts | malware | None | observables[2].name | SHA1 |
Alerts | malware | srcip | observables[3].value | None |
Alerts | malware | None | observables[3].type_id | 2 |
Alerts | malware | None | observables[3].type | IP Address |
Alerts | malware | None | observables[3].name | Source IP |
Alerts | malware | dstip | observables[4].value | None |
Alerts | malware | None | observables[4].type_id | 2 |
Alerts | malware | None | observables[4].type | IP Address |
Alerts | malware | None | observables[4].name | Destination IP |
Alerts | malware | user | observables[5].value | None |
Alerts | malware | None | observables[5].type_id | 21 |
Alerts | malware | None | observables[5].type | User |
Alerts | malware | None | observables[5].name | User |
Alerts | malware | object | observables[6].value | None |
Alerts | malware | None | observables[6].type_id | 24 |
Alerts | malware | None | observables[6].type | File |
Alerts | malware | None | observables[6].name | Object |
Alerts | malware | referer | observables[7].value | None |
Alerts | malware | None | observables[7].type_id | 6 |
Alerts | malware | None | observables[7].type | URL String |
Alerts | malware | None | observables[7].name | Referer URL |
Alerts | malware | site | observables[8].value | None |
Alerts | malware | None | observables[8].type_id | 99 |
Alerts | malware | None | observables[8].type | Other |
Alerts | malware | None | observables[8].name | Site Name |
Alerts | malware | hostname | observables[9].value | None |
Alerts | malware | None | observables[9].type_id | 1 |
Alerts | malware | None | observables[9].type | Hostname |
Alerts | malware | None | observables[9].name | Host Name |
Alerts | malware | url | observables[10].value | None |
Alerts | malware | None | observables[10].type_id | 6 |
Alerts | malware | None | observables[10].type | URL String |
Alerts | malware | None | observables[10].name | URL |
Alerts | malware | None | enrichments[0].name | Justification |
Alerts | malware | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | malware | justification_reason | enrichments[0].data.description | None |
Alerts | malware | None | enrichments[1].name | App Name |
Alerts | malware | app | enrichments[1].value | ‘app’ value not available |
Alerts | malware | appcategory | enrichments[1].data.appcategory | None |
Alerts | malware | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | malware | ccl | enrichments[1].data.ccl | None |
Alerts | malware | cci | enrichments[1].data.cci | None |
Alerts | malware | None | enrichments[2].name | Device Name |
Alerts | malware | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | malware | device_classification | enrichments[2].data.device_classification | None |
Alerts | malware | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | malware | browser | enrichments[2].data.browser | None |
Alerts | malware | os | enrichments[2].data.os | None |
Alerts | malware | os_version | enrichments[2].data.os_version | None |
Alerts | malware | None | enrichments[3].name | Malware ID |
Alerts | malware | malware_id | enrichments[3].value | ‘malware_id’ value not available |
Alerts | malware | malware_name | enrichments[3].data.malware_name | None |
Alerts | malware | malware_scanner_result | enrichments[3].data.malware_scanner_result | None |
Alerts | malware | malware_type | enrichments[3].data.malware_type | None |
Alerts | malware | malware_profile | enrichments[3].data.malware_profile | None |
Alerts | malware | malware_severity | enrichments[3].data.malware_severity | None |
Alerts | dlp | None | activity_id | 99 |
Alerts | dlp | None | category_uid | 2 |
Alerts | dlp | None | class_uid | 2001 |
Alerts | dlp | _id | finding.uid | None |
Alerts | dlp | None | finding.title | Alerts – DLP |
Alerts | dlp | None | metadata.product.name | Netskope CE |
Alerts | dlp | None | metadata.product.vendor_name | Netskope |
Alerts | dlp | None | metadata.version | 1.1.0 |
Alerts | dlp | None | severity_id | 99 |
Alerts | dlp | None | state_id | 99 |
Alerts | dlp | None | type_uid | 200199 |
Alerts | dlp | timestamp | time | None |
Alerts | dlp | srcip | observables[0].value | None |
Alerts | dlp | None | observables[0].type_id | 2 |
Alerts | dlp | None | observables[0].type | IP Address |
Alerts | dlp | None | observables[0].name | Source IP |
Alerts | dlp | dstip | observables[1].value | None |
Alerts | dlp | None | observables[1].type_id | 2 |
Alerts | dlp | None | observables[1].type | IP Address |
Alerts | dlp | None | observables[1].name | Destination IP |
Alerts | dlp | site | observables[2].value | None |
Alerts | dlp | None | observables[2].type_id | 99 |
Alerts | dlp | None | observables[2].type | Other |
Alerts | dlp | None | observables[2].name | Site Name |
Alerts | dlp | user | observables[3].value | None |
Alerts | dlp | None | observables[3].type_id | 21 |
Alerts | dlp | None | observables[3].type | User |
Alerts | dlp | None | observables[3].name | User |
Alerts | dlp | hostname | observables[4].value | None |
Alerts | dlp | None | observables[4].type_id | 1 |
Alerts | dlp | None | observables[4].type | Hostname |
Alerts | dlp | None | observables[4].name | Host Name |
Alerts | dlp | md5 | observables[5].value | None |
Alerts | dlp | None | observables[5].type_id | 8 |
Alerts | dlp | None | observables[5].type | File Hash |
Alerts | dlp | None | observables[5].name | MD5 |
Alerts | dlp | sha256 | observables[6].value | None |
Alerts | dlp | None | observables[6].type_id | 8 |
Alerts | dlp | None | observables[6].type | File Hash |
Alerts | dlp | None | observables[6].name | SHA256 |
Alerts | dlp | object | observables[7].value | None |
Alerts | dlp | None | observables[7].type_id | 24 |
Alerts | dlp | None | observables[7].type | File |
Alerts | dlp | None | observables[7].name | Object |
Alerts | dlp | url | observables[8].value | None |
Alerts | dlp | None | observables[8].type_id | 6 |
Alerts | dlp | None | observables[8].type | URL String |
Alerts | dlp | None | observables[8].name | URL |
Alerts | dlp | act_user | observables[9].value | None |
Alerts | dlp | None | observables[9].type_id | 21 |
Alerts | dlp | None | observables[9].type | User |
Alerts | dlp | None | observables[9].name | Activity User |
Alerts | dlp | None | enrichments[0].name | Justification |
Alerts | dlp | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | dlp | justification_reason | enrichments[0].data.description | None |
Alerts | dlp | None | enrichments[1].name | App Name |
Alerts | dlp | app | enrichments[1].value | ‘app’ value not available |
Alerts | dlp | appcategory | enrichments[1].data.appcategory | None |
Alerts | dlp | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | dlp | ccl | enrichments[1].data.ccl | None |
Alerts | dlp | cci | enrichments[1].data.cci | None |
Alerts | dlp | None | enrichments[2].name | Device Name |
Alerts | dlp | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | dlp | device_classification | enrichments[2].data.device_classification | None |
Alerts | dlp | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | dlp | browser | enrichments[2].data.browser | None |
Alerts | dlp | os | enrichments[2].data.os | None |
Alerts | dlp | os_version | enrichments[2].data.os_version | None |
Alerts | dlp | None | enrichments[3].name | DLP Incident ID |
Alerts | dlp | dlp_incident_id | enrichments[3].value | ‘dlp_incident_id’ value not available |
Alerts | dlp | dlp_profile | enrichments[3].data.dlp_profile | None |
Alerts | dlp | dlp_file | enrichments[3].data.dlp_file | None |
Alerts | dlp | dlp_rule | enrichments[3].data.dlp_rule | None |
Alerts | dlp | dlp_rule_count | enrichments[3].data.dlp_rule_count | None |
Alerts | dlp | dlp_rule_severity | enrichments[3].data.dlp_rule_severity | None |
Alerts | Security Assessment | None | activity_id | 99 |
Alerts | Security Assessment | None | category_uid | 2 |
Alerts | Security Assessment | None | class_uid | 2001 |
Alerts | Security Assessment | _id | finding.uid | None |
Alerts | Security Assessment | None | finding.title | Alerts – Security Assessment |
Alerts | Security Assessment | None | metadata.product.name | Netskope CE |
Alerts | Security Assessment | None | metadata.product.vendor_name | Netskope |
Alerts | Security Assessment | None | metadata.version | 1.1.0 |
Alerts | Security Assessment | None | severity_id | 99 |
Alerts | Security Assessment | None | state_id | 99 |
Alerts | Security Assessment | None | type_uid | 200199 |
Alerts | Security Assessment | timestamp | time | None |
Alerts | Security Assessment | site | observables[0].value | None |
Alerts | Security Assessment | None | observables[0].type_id | 99 |
Alerts | Security Assessment | None | observables[0].type | Other |
Alerts | Security Assessment | None | observables[0].name | Site Name |
Alerts | Security Assessment | user | observables[1].value | None |
Alerts | Security Assessment | None | observables[1].type_id | 21 |
Alerts | Security Assessment | None | observables[1].type | User |
Alerts | Security Assessment | None | observables[1].name | User |
Alerts | Security Assessment | object | observables[2].value | None |
Alerts | Security Assessment | None | observables[2].type_id | 24 |
Alerts | Security Assessment | None | observables[2].type | File |
Alerts | Security Assessment | None | observables[2].name | Object |
Alerts | Security Assessment | None | enrichments[0].name | Justification |
Alerts | Security Assessment | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | Security Assessment | justification_reason | enrichments[0].data.description | None |
Alerts | Security Assessment | None | enrichments[1].name | App Name |
Alerts | Security Assessment | app | enrichments[1].value | ‘app’ value not available |
Alerts | Security Assessment | appcategory | enrichments[1].data.appcategory | None |
Alerts | Security Assessment | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | Security Assessment | ccl | enrichments[1].data.ccl | None |
Alerts | Security Assessment | cci | enrichments[1].data.cci | None |
Alerts | Security Assessment | None | enrichments[2].name | Device Name |
Alerts | Security Assessment | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | Security Assessment | device_classification | enrichments[2].data.device_classification | None |
Alerts | Security Assessment | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | Security Assessment | browser | enrichments[2].data.browser | None |
Alerts | Security Assessment | os | enrichments[2].data.os | None |
Alerts | Security Assessment | os_version | enrichments[2].data.os_version | None |
Alerts | Security Assessment | None | enrichments[3].name | Security Assessment Profile ID |
Alerts | Security Assessment | sa_profile_id | enrichments[3].value | ‘sa_profile_id’ value not available |
Alerts | Security Assessment | sa_profile_name | enrichments[3].data.sa_profile_name | None |
Alerts | Security Assessment | sa_rule_name | enrichments[3].data.sa_rule_name | None |
Alerts | Security Assessment | sa_rule_remediation | enrichments[3].data.sa_rule_remediation | None |
Alerts | Security Assessment | sa_rule_severity | enrichments[3].data.sa_rule_severity | None |
Alerts | Watchlist | None | activity_id | 99 |
Alerts | Watchlist | None | category_uid | 2 |
Alerts | Watchlist | None | class_uid | 2001 |
Alerts | Watchlist | _id | finding.uid | None |
Alerts | Watchlist | None | finding.title | Alerts – Watchlist |
Alerts | Watchlist | None | metadata.product.name | Netskope CE |
Alerts | Watchlist | None | metadata.product.vendor_name | Netskope |
Alerts | Watchlist | None | metadata.version | 1.1.0 |
Alerts | Watchlist | None | severity_id | 99 |
Alerts | Watchlist | None | state_id | 99 |
Alerts | Watchlist | None | type_uid | 200199 |
Alerts | Watchlist | timestamp | time | None |
Alerts | Watchlist | hostname | observables[0].value | None |
Alerts | Watchlist | None | observables[0].type_id | 1 |
Alerts | Watchlist | None | observables[0].type | Hostname |
Alerts | Watchlist | None | observables[0].name | Host Name |
Alerts | Watchlist | srcip | observables[1].value | None |
Alerts | Watchlist | None | observables[1].type_id | 2 |
Alerts | Watchlist | None | observables[1].type | IP Address |
Alerts | Watchlist | None | observables[1].name | Source IP |
Alerts | Watchlist | dstip | observables[2].value | None |
Alerts | Watchlist | None | observables[2].type_id | 2 |
Alerts | Watchlist | None | observables[2].type | IP Address |
Alerts | Watchlist | None | observables[2].name | Destination IP |
Alerts | Watchlist | site | observables[3].value | None |
Alerts | Watchlist | None | observables[3].type_id | 99 |
Alerts | Watchlist | None | observables[3].type | Other |
Alerts | Watchlist | None | observables[3].name | Site Name |
Alerts | Watchlist | user | observables[4].value | None |
Alerts | Watchlist | None | observables[4].type_id | 21 |
Alerts | Watchlist | None | observables[4].type | User |
Alerts | Watchlist | None | observables[4].name | User |
Alerts | Watchlist | url | observables[5].value | None |
Alerts | Watchlist | None | observables[5].type_id | 6 |
Alerts | Watchlist | None | observables[5].type | URL String |
Alerts | Watchlist | None | observables[5].name | URL |
Alerts | Watchlist | None | enrichments[0].name | Justification |
Alerts | Watchlist | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | Watchlist | justification_reason | enrichments[0].data.description | None |
Alerts | Watchlist | None | enrichments[1].name | App Name |
Alerts | Watchlist | app | enrichments[1].value | ‘app’ value not available |
Alerts | Watchlist | appcategory | enrichments[1].data.appcategory | None |
Alerts | Watchlist | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | Watchlist | ccl | enrichments[1].data.ccl | None |
Alerts | Watchlist | cci | enrichments[1].data.cci | None |
Alerts | Watchlist | None | enrichments[2].name | Device Name |
Alerts | Watchlist | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | Watchlist | device_classification | enrichments[2].data.device_classification | None |
Alerts | Watchlist | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | Watchlist | browser | enrichments[2].data.browser | None |
Alerts | Watchlist | os | enrichments[2].data.os | None |
Alerts | Watchlist | os_version | enrichments[2].data.os_version | None |
Alerts | Quarantine | None | activity_id | 99 |
Alerts | Quarantine | None | category_uid | 2 |
Alerts | Quarantine | None | class_uid | 2001 |
Alerts | Quarantine | _id | finding.uid | None |
Alerts | Quarantine | None | finding.title | Alerts – Quarantine |
Alerts | Quarantine | None | metadata.product.name | Netskope CE |
Alerts | Quarantine | None | metadata.product.vendor_name | Netskope |
Alerts | Quarantine | None | metadata.version | 1.1.0 |
Alerts | Quarantine | None | severity_id | 99 |
Alerts | Quarantine | None | state_id | 99 |
Alerts | Quarantine | None | type_uid | 200199 |
Alerts | Quarantine | timestamp | time | None |
Alerts | Quarantine | hostname | observables[0].value | None |
Alerts | Quarantine | None | observables[0].type_id | 1 |
Alerts | Quarantine | None | observables[0].type | Hostname |
Alerts | Quarantine | None | observables[0].name | Host Name |
Alerts | Quarantine | srcip | observables[1].value | None |
Alerts | Quarantine | None | observables[1].type_id | 2 |
Alerts | Quarantine | None | observables[1].type | IP Address |
Alerts | Quarantine | None | observables[1].name | Source IP |
Alerts | Quarantine | dstip | observables[2].value | None |
Alerts | Quarantine | None | observables[2].type_id | 2 |
Alerts | Quarantine | None | observables[2].type | IP Address |
Alerts | Quarantine | None | observables[2].name | Destination IP |
Alerts | Quarantine | site | observables[3].value | None |
Alerts | Quarantine | None | observables[3].type_id | 99 |
Alerts | Quarantine | None | observables[3].type | Other |
Alerts | Quarantine | None | observables[3].name | Site Name |
Alerts | Quarantine | user | observables[4].value | None |
Alerts | Quarantine | None | observables[4].type_id | 21 |
Alerts | Quarantine | None | observables[4].type | User |
Alerts | Quarantine | None | observables[4].name | User |
Alerts | Quarantine | md5 | observables[5].value | None |
Alerts | Quarantine | None | observables[5].type_id | 8 |
Alerts | Quarantine | None | observables[5].type | File Hash |
Alerts | Quarantine | None | observables[5].name | MD5 |
Alerts | Quarantine | object | observables[6].value | None |
Alerts | Quarantine | None | observables[6].type_id | 24 |
Alerts | Quarantine | None | observables[6].type | File |
Alerts | Quarantine | None | observables[6].name | Object |
Alerts | Quarantine | None | enrichments[0].name | Justification |
Alerts | Quarantine | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | Quarantine | justification_reason | enrichments[0].data.description | None |
Alerts | Quarantine | None | enrichments[1].name | App Name |
Alerts | Quarantine | app | enrichments[1].value | ‘app’ value not available |
Alerts | Quarantine | appcategory | enrichments[1].data.appcategory | None |
Alerts | Quarantine | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | Quarantine | ccl | enrichments[1].data.ccl | None |
Alerts | Quarantine | cci | enrichments[1].data.cci | None |
Alerts | Quarantine | None | enrichments[2].name | Device Name |
Alerts | Quarantine | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | Quarantine | device_classification | enrichments[2].data.device_classification | None |
Alerts | Quarantine | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | Quarantine | browser | enrichments[2].data.browser | None |
Alerts | Quarantine | os | enrichments[2].data.os | None |
Alerts | Quarantine | os_version | enrichments[2].data.os_version | None |
Alerts | Quarantine | None | enrichments[3].name | Transaction ID |
Alerts | Quarantine | transaction_id | enrichments[3].value | ‘transaction_id’ value not available |
Alerts | Quarantine | client_bytes | enrichments[3].data.client_bytes | None |
Alerts | Quarantine | server_bytes | enrichments[3].data.server_bytes | None |
Alerts | Quarantine | client_packets | enrichments[3].data.client_packets | None |
Alerts | Quarantine | server_packets | enrichments[3].data.server_packets | None |
Alerts | Quarantine | protocol | enrichments[3].data.protocol | None |
Alerts | Quarantine | None | enrichments[4].name | Quarantine File ID |
Alerts | Quarantine | quarantine_file_id | enrichments[4].value | ‘quarantine_file_id’ value not available |
Alerts | Quarantine | q_original_filename | enrichments[4].data.q_original_filename | None |
Alerts | Quarantine | q_app | enrichments[4].data.q_app | None |
Alerts | Quarantine | quarantine_profile | enrichments[4].data.quarantine_profile | None |
Alerts | Quarantine | quarantine_file_name | enrichments[4].data.quarantine_file_name | None |
Alerts | Quarantine | q_admin | enrichments[4].data.q_admin | None |
Alerts | Quarantine | q_instance | enrichments[4].data.q_instance | None |
Alerts | Remediation | None | activity_id | 99 |
Alerts | Remediation | None | category_uid | 2 |
Alerts | Remediation | None | class_uid | 2001 |
Alerts | Remediation | _id | finding.uid | None |
Alerts | Remediation | None | finding.title | Alerts – Remediation |
Alerts | Remediation | None | metadata.product.name | Netskope CE |
Alerts | Remediation | None | metadata.product.vendor_name | Netskope |
Alerts | Remediation | None | metadata.version | 1.1.0 |
Alerts | Remediation | None | severity_id | 99 |
Alerts | Remediation | None | state_id | 99 |
Alerts | Remediation | None | type_uid | 200199 |
Alerts | Remediation | timestamp | time | None |
Alerts | Remediation | hostname | observables[0].value | None |
Alerts | Remediation | None | observables[0].type_id | 1 |
Alerts | Remediation | None | observables[0].type | Hostname |
Alerts | Remediation | None | observables[0].name | Host Name |
Alerts | Remediation | srcip | observables[1].value | None |
Alerts | Remediation | None | observables[1].type_id | 2 |
Alerts | Remediation | None | observables[1].type | IP Address |
Alerts | Remediation | None | observables[1].name | Source IP |
Alerts | Remediation | dstip | observables[2].value | None |
Alerts | Remediation | None | observables[2].type_id | 2 |
Alerts | Remediation | None | observables[2].type | IP Address |
Alerts | Remediation | None | observables[2].name | Destination IP |
Alerts | Remediation | site | observables[3].value | None |
Alerts | Remediation | None | observables[3].type_id | 99 |
Alerts | Remediation | None | observables[3].type | Other |
Alerts | Remediation | None | observables[3].name | Site Name |
Alerts | Remediation | user | observables[4].value | None |
Alerts | Remediation | None | observables[4].type_id | 21 |
Alerts | Remediation | None | observables[4].type | User |
Alerts | Remediation | None | observables[4].name | User |
Alerts | Remediation | md5 | observables[5].value | None |
Alerts | Remediation | None | observables[5].type_id | 8 |
Alerts | Remediation | None | observables[5].type | File Hash |
Alerts | Remediation | None | observables[5].name | MD5 |
Alerts | Remediation | object | observables[6].value | None |
Alerts | Remediation | None | observables[6].type_id | 24 |
Alerts | Remediation | None | observables[6].type | File |
Alerts | Remediation | None | observables[6].name | Object |
Alerts | Remediation | url | observables[7].value | None |
Alerts | Remediation | None | observables[7].type_id | 6 |
Alerts | Remediation | None | observables[7].type | URL String |
Alerts | Remediation | None | observables[7].name | URL |
Alerts | Remediation | None | enrichments[0].name | Justification |
Alerts | Remediation | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | Remediation | justification_reason | enrichments[0].data.description | None |
Alerts | Remediation | None | enrichments[1].name | App Name |
Alerts | Remediation | app | enrichments[1].value | ‘app’ value not available |
Alerts | Remediation | appcategory | enrichments[1].data.appcategory | None |
Alerts | Remediation | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | Remediation | ccl | enrichments[1].data.ccl | None |
Alerts | Remediation | cci | enrichments[1].data.cci | None |
Alerts | Remediation | None | enrichments[2].name | Device Name |
Alerts | Remediation | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | Remediation | device_classification | enrichments[2].data.device_classification | None |
Alerts | Remediation | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | Remediation | browser | enrichments[2].data.browser | None |
Alerts | Remediation | os | enrichments[2].data.os | None |
Alerts | Remediation | os_version | enrichments[2].data.os_version | None |
Alerts | uba | None | activity_id | 99 |
Alerts | uba | None | category_uid | 2 |
Alerts | uba | None | class_uid | 2001 |
Alerts | uba | _id | finding.uid | None |
Alerts | uba | None | finding.title | Alerts – UBA |
Alerts | uba | None | metadata.product.name | Netskope CE |
Alerts | uba | None | metadata.product.vendor_name | Netskope |
Alerts | uba | None | metadata.version | 1.1.0 |
Alerts | uba | None | severity_id | 99 |
Alerts | uba | None | state_id | 99 |
Alerts | uba | None | type_uid | 200199 |
Alerts | uba | timestamp | time | None |
Alerts | uba | hostname | observables[0].value | None |
Alerts | uba | None | observables[0].type_id | 1 |
Alerts | uba | None | observables[0].type | Hostname |
Alerts | uba | None | observables[0].name | Host name |
Alerts | uba | srcip | observables[1].value | None |
Alerts | uba | None | observables[1].type_id | 2 |
Alerts | uba | None | observables[1].type | IP Address |
Alerts | uba | None | observables[1].name | Source IP |
Alerts | uba | dstip | observables[2].value | None |
Alerts | uba | None | observables[2].type_id | 2 |
Alerts | uba | None | observables[2].type | IP Address |
Alerts | uba | None | observables[2].name | Destination IP |
Alerts | uba | site | observables[3].value | None |
Alerts | uba | None | observables[3].type_id | 99 |
Alerts | uba | None | observables[3].type | Other |
Alerts | uba | None | observables[3].name | Site Name |
Alerts | uba | user | observables[4].value | None |
Alerts | uba | None | observables[4].type_id | 21 |
Alerts | uba | None | observables[4].type | User |
Alerts | uba | None | observables[4].name | User |
Alerts | uba | url | observables[5].value | None |
Alerts | uba | None | observables[5].type_id | 6 |
Alerts | uba | None | observables[5].type | URL String |
Alerts | uba | None | observables[5].name | URL |
Alerts | uba | object | observables[6].value | None |
Alerts | uba | None | observables[6].type_id | 24 |
Alerts | uba | None | observables[6].type | File |
Alerts | uba | None | observables[6].name | Object |
Alerts | uba | None | enrichments[0].name | Justification |
Alerts | uba | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Alerts | uba | justification_reason | enrichments[0].data.description | None |
Alerts | uba | None | enrichments[1].name | App Name |
Alerts | uba | app | enrichments[1].value | ‘app’ value not available |
Alerts | uba | appcategory | enrichments[1].data.appcategory | None |
Alerts | uba | app_session_id | enrichments[1].data.app_session_id | None |
Alerts | uba | ccl | enrichments[1].data.ccl | None |
Alerts | uba | cci | enrichments[1].data.cci | None |
Alerts | uba | None | enrichments[2].name | Device Name |
Alerts | uba | device_name | enrichments[2].value | ‘device_name’ value not available |
Alerts | uba | device_classification | enrichments[2].data.device_classification | None |
Alerts | uba | nsdeviceuid | enrichments[2].data.nsdeviceuid | None |
Alerts | uba | browser | enrichments[2].data.browser | None |
Alerts | uba | os | enrichments[2].data.os | None |
Alerts | uba | os_version | enrichments[2].data.os_version | None |
Events
Data Type | Sub Type | Netskope Field | OCSF Field | Default value |
Events | infrastructure | None | activity_id | 99 |
Events | infrastructure | None | category_uid | 2 |
Events | infrastructure | None | class_uid | 2001 |
Events | infrastructure | _id | finding.uid | None |
Events | infrastructure | None | finding.title | Events – Infrastructure |
Events | infrastructure | None | metadata.product.name | Netskope CE |
Events | infrastructure | None | metadata.product.vendor_name | Netskope |
Events | infrastructure | None | metadata.version | 1.1.0 |
Events | infrastructure | None | severity_id | 99 |
Events | infrastructure | None | state_id | 99 |
Events | infrastructure | None | type_uid | 200199 |
Events | infrastructure | timestamp | time | None |
Events | infrastructure | None | enrichments[0].name | Justification |
Events | infrastructure | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Events | infrastructure | justification_reason | enrichments[0].data.description | None |
Events | infrastructure | None | enrichments[1].name | Alarm |
Events | infrastructure | alarm_name | enrichments[1].value | ‘alarm_name’ value not available |
Events | infrastructure | alarm_description | enrichments[1].data.description | None |
Events | infrastructure | None | enrichments[2].name | Transaction ID |
Events | infrastructure | transaction_id | enrichments[2].value | ‘transaction_id’ value not available |
Events | infrastructure | client_bytes | enrichments[2].data.client_bytes | None |
Events | infrastructure | server_bytes | enrichments[2].data.server_bytes | None |
Events | infrastructure | client_packets | enrichments[2].data.client_packets | None |
Events | infrastructure | server_packets | enrichments[2].data.server_packets | None |
Events | infrastructure | protocol | enrichments[2].data.protocol | None |
Events | infrastructure | None | enrichments[3].name | Device Name |
Events | infrastructure | device_name | enrichments[3].value | ‘device_name’ value not available |
Events | infrastructure | device_classification | enrichments[3].data.device_classification | None |
Events | infrastructure | nsdeviceuid | enrichments[3].data.nsdeviceuid | None |
Events | infrastructure | browser | enrichments[3].data.browser | None |
Events | infrastructure | os | enrichments[3].data.os | None |
Events | infrastructure | os_version | enrichments[3].data.os_version | None |
Events | page | None | activity_id | 99 |
Events | page | None | category_uid | 2 |
Events | page | None | class_uid | 2001 |
Events | page | _id | finding.uid | None |
Events | page | None | finding.title | Events – Page |
Events | page | None | metadata.product.name | Netskope CE |
Events | page | None | metadata.product.vendor_name | Netskope |
Events | page | None | metadata.version | 1.1.0 |
Events | page | None | severity_id | 99 |
Events | page | None | state_id | 99 |
Events | page | None | type_uid | 200199 |
Events | page | timestamp | time | None |
Events | page | page_starttime | start_time | None |
Events | page | page_endtime | end_time | None |
Events | page | srcip | observables[0].value | None |
Events | page | None | observables[0].type_id | 2 |
Events | page | None | observables[0].type | IP Address |
Events | page | None | observables[0].name | Source IP |
Events | page | dstip | observables[1].value | None |
Events | page | None | observables[1].type_id | 2 |
Events | page | None | observables[1].type | IP Address |
Events | page | None | observables[1].name | Destination IP |
Events | page | url | observables[2].value | None |
Events | page | None | observables[2].type_id | 6 |
Events | page | None | observables[2].type | URL String |
Events | page | None | observables[2].name | URL |
Events | page | user | observables[3].value | None |
Events | page | None | observables[3].type_id | 21 |
Events | page | None | observables[3].type | User |
Events | page | None | observables[3].name | User |
Events | page | site | observables[4].value | None |
Events | page | None | observables[4].type_id | 99 |
Events | page | None | observables[4].type | Other |
Events | page | None | observables[4].name | Site name |
Events | page | None | enrichments[0].name | App Name |
Events | page | app | enrichments[0].value | ‘app’ value not available |
Events | page | appcategory | enrichments[0].data.appcategory | None |
Events | page | ccl | enrichments[0].data.ccl | None |
Events | page | cci | enrichments[0].data.cci | None |
Events | page | app_session_id | enrichments[0].data.app_session_id | None |
Events | page | None | enrichments[1].name | Justification |
Events | page | justification_type | enrichments[1].value | ‘justification_type’ value not available |
Events | page | justification_reason | enrichments[1].data.description | None |
Events | page | None | enrichments[2].name | Transaction ID |
Events | page | transaction_id | enrichments[2].value | ‘transaction_id’ value not available |
Events | page | client_bytes | enrichments[2].data.client_bytes | None |
Events | page | server_bytes | enrichments[2].data.server_bytes | None |
Events | page | client_packets | enrichments[2].data.client_packets | None |
Events | page | server_packets | enrichments[2].data.server_packets | None |
Events | page | protocol | enrichments[2].data.protocol | None |
Events | page | None | enrichments[3].name | Device Name |
Events | page | device_name | enrichments[3].value | ‘device_name’ value not available |
Events | page | device_classification | enrichments[3].data.device_classification | None |
Events | page | nsdeviceuid | enrichments[3].data.nsdeviceuid | None |
Events | page | browser | enrichments[3].data.browser | None |
Events | page | os | enrichments[3].data.os | None |
Events | page | os_version | enrichments[3].data.os_version | None |
Events | application | None | activity_id | 99 |
Events | application | None | category_uid | 2 |
Events | application | None | class_uid | 2001 |
Events | application | _id | finding.uid | None |
Events | application | None | finding.title | Events – Application |
Events | application | None | metadata.product.name | Netskope CE |
Events | application | None | metadata.product.vendor_name | Netskope |
Events | application | None | metadata.version | 1.1.0 |
Events | application | None | severity_id | 99 |
Events | application | None | state_id | 99 |
Events | application | None | type_uid | 200199 |
Events | application | timestamp | time | None |
Events | application | user | observables[0].value | None |
Events | application | None | observables[0].type_id | 21 |
Events | application | None | observables[0].type | User |
Events | application | None | observables[0].name | User |
Events | application | url | observables[1].value | None |
Events | application | None | observables[1].type_id | 6 |
Events | application | None | observables[1].type | URL String |
Events | application | None | observables[1].name | URL |
Events | application | srcip | observables[2].value | None |
Events | application | None | observables[2].type_id | 2 |
Events | application | None | observables[2].type | IP Address |
Events | application | None | observables[2].name | Source IP |
Events | application | dstip | observables[3].value | None |
Events | application | None | observables[3].type_id | 2 |
Events | application | None | observables[3].type | IP Address |
Events | application | None | observables[3].name | Destination IP |
Events | application | site | observables[4].value | None |
Events | application | None | observables[4].type_id | 99 |
Events | application | None | observables[4].type | Other |
Events | application | None | observables[4].name | Site name |
Events | application | None | enrichments[0].name | App Name |
Events | application | app | enrichments[0].value | ‘app’ value not available |
Events | application | appcategory | enrichments[0].data.appcategory | None |
Events | application | ccl | enrichments[0].data.ccl | None |
Events | application | cci | enrichments[0].data.cci | None |
Events | application | app_session_id | enrichments[0].data.app_session_id | None |
Events | application | None | enrichments[1].name | Device Name |
Events | application | device | enrichments[1].value | ‘device’ value not available |
Events | application | device_classification | enrichments[1].data.device_classification | None |
Events | application | os | enrichments[1].data.os | None |
Events | application | os_version | enrichments[1].data.os_version | None |
Events | application | browser | enrichments[1].data.browser | None |
Events | application | nsdeviceuid | enrichments[1].data.nsdeviceuid | None |
Events | application | None | enrichments[2].name | Justification |
Events | application | justification_type | enrichments[2].value | ‘justification_type’ value not available |
Events | application | justification_reason | enrichments[2].data.description | None |
Events | application | None | enrichments[3].name | Transaction ID |
Events | application | transaction_id | enrichments[3].value | ‘transaction_id’ value not available |
Events | application | client_bytes | enrichments[3].data.client_bytes | None |
Events | application | server_bytes | enrichments[3].data.server_bytes | None |
Events | application | client_packets | enrichments[3].data.client_packets | None |
Events | application | server_packets | enrichments[3].data.server_packets | None |
Events | application | protocol | enrichments[3].data.protocol | None |
Events | audit | None | activity_id | 99 |
Events | audit | None | category_uid | 2 |
Events | audit | None | class_uid | 2001 |
Events | audit | _id | finding.uid | None |
Events | audit | None | finding.title | Events – Audit |
Events | audit | None | metadata.product.name | Netskope CE |
Events | audit | None | metadata.product.vendor_name | Netskope |
Events | audit | None | metadata.version | 1.1.0 |
Events | audit | None | severity_id | 99 |
Events | audit | None | state_id | 99 |
Events | audit | None | type_uid | 200199 |
Events | audit | timestamp | time | None |
Events | audit | user | observables[0].value | None |
Events | audit | None | observables[0].type_id | 21 |
Events | audit | None | observables[0].type | User |
Events | audit | None | observables[0].name | User |
Events | audit | None | enrichments[0].name | Justification |
Events | audit | justification_type | enrichments[0].value | ‘justification_type’ value not available |
Events | audit | justification_reason | enrichments[0].data.description | None |
Events | audit | None | enrichments[1].name | Transaction |
Events | audit | transaction_id | enrichments[1].value | ‘transaction_id’ value not available |
Events | audit | client_bytes | enrichments[1].data.client_bytes | None |
Events | audit | server_bytes | enrichments[1].data.server_bytes | None |
Events | audit | client_packets | enrichments[1].data.client_packets | None |
Events | audit | server_packets | enrichments[1].data.server_packets | None |
Events | audit | protocol | enrichments[1].data.protocol | None |
Events | network | None | activity_id | 99 |
Events | network | None | category_uid | 2 |
Events | network | None | class_uid | 2001 |
Events | network | _id | finding.uid | None |
Events | network | None | finding.title | Events – Network |
Events | network | None | metadata.product.name | Netskope CE |
Events | network | None | metadata.product.vendor_name | Netskope |
Events | network | None | metadata.version | 1.1.0 |
Events | network | None | severity_id | 99 |
Events | network | None | state_id | 99 |
Events | network | None | type_uid | 200199 |
Events | network | timestamp | time | None |
Events | network | session_duration | duration | None |
Events | network | user | observables[0].value | None |
Events | network | None | observables[0].type_id | 21 |
Events | network | None | observables[0].type | User |
Events | network | None | observables[0].name | User |
Events | network | domain | observables[1].value | None |
Events | network | None | observables[1].type_id | 99 |
Events | network | None | observables[1].type | Other |
Events | network | None | observables[1].name | Domain Name |
Events | network | srcip | observables[2].value | None |
Events | network | None | observables[2].type_id | 2 |
Events | network | None | observables[2].type | IP Address |
Events | network | None | observables[2].name | Source IP |
Events | network | dstip | observables[3].value | None |
Events | network | None | observables[3].type_id | 2 |
Events | network | None | observables[3].type | IP Address |
Events | network | None | observables[3].name | Destination IP |
Events | network | site | observables[4].value | None |
Events | network | None | observables[4].type_id | 99 |
Events | network | None | observables[4].type | Other |
Events | network | None | observables[4].name | Site name |
Events | network | None | enrichments[0].name | App Name |
Events | network | app | enrichments[0].value | ‘app’ value not available |
Events | network | appcategory | enrichments[0].data.appcategory | None |
Events | network | ccl | enrichments[0].data.ccl | None |
Events | network | cci | enrichments[0].data.cci | None |
Events | network | app_session_id | enrichments[0].data.app_session_id | None |
Events | network | None | enrichments[1].name | Device Name |
Events | network | device | enrichments[1].value | ‘device’ value not available |
Events | network | device_classification | enrichments[1].data.device_classification | None |
Events | network | os | enrichments[1].data.os | None |
Events | network | os_version | enrichments[1].data.os_version | None |
Events | network | browser | enrichments[1].data.browser | None |
Events | network | nsdeviceuid | enrichments[1].data.nsdeviceuid | None |
Events | network | None | enrichments[2].name | Transaction |
Events | network | transaction_id | enrichments[2].value | ‘transaction_id’ value not available |
Events | network | client_bytes | enrichments[2].data.client_bytes | None |
Events | network | server_bytes | enrichments[2].data.server_bytes | None |
Events | network | client_packets | enrichments[2].data.client_packets | None |
Events | network | server_packets | enrichments[2].data.server_packets | None |
Events | network | protocol | enrichments[2].data.protocol | None |
Events | network | None | enrichments[3].name | Justification |
Events | network | justification_type | enrichments[3].value | ‘justification_type’ value not available |
Events | network | justification_reason | enrichments[3].data.description | None |
Events | network | None | enrichments[4].name | Tunnel ID |
Events | network | tunnel_id | enrichments[4].value | ‘tunnel_id’ value not available |
Events | network | tunnel_type | enrichments[4].data.tunnel_type | None |
Events | network | tunnel_uptime | enrichments[4].data.tunnel_uptime | None |
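The Alerts and Events tables above share one shape: fixed header constants, a few top-level scalars, a positional list of observables and a list of enrichments whose value falls back to the literal string ‘<field>’ value not available when the source field is missing. Because activity_id, severity_id and state_id are all fixed at 99 (Other in OCSF), a consumer cannot rank these findings by severity; the Netskope severity does not appear in these rows at all. The Python below is an added example, not the plugin's own code: a table-driven mapper that applies the Alerts/Quarantine rows to a constructed quarantine alert and the Events/page rows (including page_starttime/page_endtime to start_time/end_time) to a constructed page event, and checks that type_uid equals class_uid * 100 + activity_id. The sample records, the decision to drop an observable whose source field is absent (the table gives observables no default), and the helper names are assumptions of this example.

```python
"""Added example (not the plugin's code): table-driven mapping of a raw Netskope
alert or event dict onto the OCSF Security Finding layout the Alerts and Events
tables describe.  Names and constants come from the table rows; the sample
records are constructed, not real Netskope output."""
import copy

# Constants every row group sets.  99 is OCSF's "Other" for activity, severity
# and state, so the Netskope severity does not survive the mapping; type_uid is
# class_uid * 100 + activity_id.
FIXED = {"activity_id": 99, "category_uid": 2, "class_uid": 2001, "severity_id": 99,
         "state_id": 99, "type_uid": 200199,
         "metadata": {"product": {"name": "Netskope CE", "vendor_name": "Netskope"},
                      "version": "1.1.0"}}

# Top-level scalar rows: Alerts map timestamp -> time; Events/page also map
# page_starttime/page_endtime -> start_time/end_time.
ALERT_TOP = {"timestamp": "time"}
PAGE_EVENT_TOP = {"timestamp": "time", "page_starttime": "start_time", "page_endtime": "end_time"}

# Observables as (Netskope field, type_id, type, name), in the table's index order.
QUARANTINE_OBSERVABLES = [("hostname", 1, "Hostname", "Host Name"),
                          ("srcip", 2, "IP Address", "Source IP"),
                          ("dstip", 2, "IP Address", "Destination IP"),
                          ("site", 99, "Other", "Site Name"), ("user", 21, "User", "User"),
                          ("md5", 8, "File Hash", "MD5"), ("object", 24, "File", "Object")]
PAGE_EVENT_OBSERVABLES = [("srcip", 2, "IP Address", "Source IP"),
                          ("dstip", 2, "IP Address", "Destination IP"),
                          ("url", 6, "URL String", "URL"), ("user", 21, "User", "User"),
                          ("site", 99, "Other", "Site name")]

# Enrichments as (name, field supplying the value, {data key: Netskope field}).
_APP = {k: k for k in ("appcategory", "app_session_id", "ccl", "cci")}
_DEVICE = {k: k for k in ("device_classification", "nsdeviceuid", "browser", "os", "os_version")}
_TXN = {k: k for k in ("client_bytes", "server_bytes", "client_packets", "server_packets", "protocol")}
_JUST = ("Justification", "justification_type", {"description": "justification_reason"})
QUARANTINE_ENRICHMENTS = [
    _JUST, ("App Name", "app", _APP), ("Device Name", "device_name", _DEVICE),
    ("Transaction ID", "transaction_id", _TXN),
    ("Quarantine File ID", "quarantine_file_id",
     {k: k for k in ("q_original_filename", "q_app", "quarantine_profile",
                     "quarantine_file_name", "q_admin", "q_instance")}),
]
PAGE_EVENT_ENRICHMENTS = [("App Name", "app", _APP), _JUST,
                          ("Transaction ID", "transaction_id", _TXN),
                          ("Device Name", "device_name", _DEVICE)]


def to_ocsf(record, title, top_level, observables, enrichments):
    """Lay one raw record out according to the given table rows."""
    out = copy.deepcopy(FIXED)
    out["finding"] = {"uid": record.get("_id"), "title": title}
    for src, dst in top_level.items():
        out[dst] = record.get(src)
    # The tables give observables no default, so one whose source field is
    # absent is dropped here (this example's choice, not something the table says).
    out["observables"] = [{"name": name, "type": typ, "type_id": tid, "value": record[field]}
                          for field, tid, typ, name in observables
                          if record.get(field) not in (None, "")]
    out["enrichments"] = []
    for name, value_field, data_map in enrichments:
        # A missing value becomes the table's "'<field>' value not available"
        # string (straight quotes here); missing data keys are dropped.
        value = record.get(value_field, f"'{value_field}' value not available")
        data = {key: record[src] for key, src in data_map.items() if src in record}
        out["enrichments"].append({"name": name, "value": value, "data": data})
    return out


def type_uid_consistent(rec):
    """OCSF derives type_uid as class_uid * 100 + activity_id; check one record."""
    return rec["type_uid"] == rec["class_uid"] * 100 + rec["activity_id"]


# Constructed samples; the alert has no justification fields on purpose.
SAMPLE_ALERT = {
    "_id": "65f1c0ffee000000000000a1", "timestamp": 1700000000, "alert_type": "quarantine",
    "hostname": "LAPTOP-01", "srcip": "10.1.2.3", "dstip": "203.0.113.7", "site": "Dropbox",
    "user": "alice@example.com", "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "object": "payroll.xlsx", "app": "Dropbox", "appcategory": "Cloud Storage",
    "device_name": "LAPTOP-01", "os": "Windows", "quarantine_file_id": "qf-0001",
    "quarantine_profile": "DLP-Quarantine"}
SAMPLE_PAGE_EVENT = {
    "_id": "65f1c0ffee000000000000b2", "timestamp": 1700000100, "page_starttime": 1700000090,
    "page_endtime": 1700000100, "srcip": "10.1.2.3", "url": "https://www.dropbox.com/upload",
    "user": "alice@example.com", "app": "Dropbox", "transaction_id": "7f3a9c",
    "client_bytes": "1130", "server_bytes": "4820"}


def map_samples():
    """Map both constructed samples (alert first, page event second)."""
    return (to_ocsf(SAMPLE_ALERT, "Alerts – Quarantine", ALERT_TOP,
                    QUARANTINE_OBSERVABLES, QUARANTINE_ENRICHMENTS),
            to_ocsf(SAMPLE_PAGE_EVENT, "Events – Page", PAGE_EVENT_TOP,
                    PAGE_EVENT_OBSERVABLES, PAGE_EVENT_ENRICHMENTS))


if __name__ == "__main__":
    import json; print(json.dumps(map_samples(), indent=2))
```

Switching to another row group (Watchlist, Remediation, network, audit) only changes the spec lists; the mapper stays the same. One consequence of dropping absent observables is that the numeric index of, say, the MD5 observable is no longer fixed at 5, so a consumer should look observables up by name or type_id rather than by position.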
WebTx
Data Type | Sub Type | Netskope Field | OCSF Field | Default value |
Webtx | v2 | None | activity_id | 99 |
Webtx | v2 | None | category_uid | 2 |
Webtx | v2 | None | class_uid | 2001 |
Webtx | v2 | _id | finding.uid | None |
Webtx | v2 | None | finding.title | WebTx – v2 |
Webtx | v2 | None | metadata.product.name | Netskope CE |
Webtx | v2 | None | metadata.product.vendor_name | Netskope |
Webtx | v2 | None | metadata.version | 1.1.0 |
Webtx | v2 | None | severity_id | 99 |
Webtx | v2 | None | state_id | 99 |
Webtx | v2 | None | type_uid | 200199 |
Webtx | v2 | date:time | time | None |
Webtx | v2 | time-taken | duration | None |
Webtx | v2 | cs-username | observables[0].value | None |
Webtx | v2 | None | observables[0].type_id | 21 |
Webtx | v2 | None | observables[0].type | User |
Webtx | v2 | None | observables[0].name | cs-username |
Webtx | v2 | c-ip | observables[1].value | None |
Webtx | v2 | None | observables[1].type_id | 2 |
Webtx | v2 | None | observables[1].type | IP Address |
Webtx | v2 | None | observables[1].name | Client IP |
Webtx | v2 | s-ip | observables[2].value | None |
Webtx | v2 | None | observables[2].type_id | 2 |
Webtx | v2 | None | observables[2].type | IP Address |
Webtx | v2 | None | observables[2].name | Server IP |
Webtx | v2 | None | enrichments[0].name | Cloud Application |
Webtx | v2 | x-cs-app | enrichments[0].value | ‘x-cs-app’ value not available |
Webtx | v2 | x-category | enrichments[0].data.x-category | None |
Webtx | v2 | x-other-category | enrichments[0].data.x-other-category | None |
Webtx | v2 | None | enrichments[1].name | Server Transaction details |
Webtx | v2 | sc-bytes | enrichments[1].value | ‘sc-bytes’ value not available |
Webtx | v2 | x-type | enrichments[1].data.x-type | None |
Webtx | v2 | x-server-ssl-err | enrichments[1].data.x-server-ssl-err | None |
Webtx | v2 | x-client-ssl-err | enrichments[1].data.x-client-ssl-err | None |
Webtx | v2 | None | enrichments[2].name | HTTP Transaction ID |
Webtx | v2 | x-transaction-id | enrichments[2].value | ‘x-transaction-id’ value not available |
Webtx | v2 | cs-method | enrichments[2].data.cs-method | None |
Webtx | v2 | cs-uri-scheme | enrichments[2].data.cs-uri-scheme | None |
Webtx | v2 | cs-uri-query | enrichments[2].data.cs-uri-query | None |
Webtx | v2 | cs-user-agent | enrichments[2].data.cs-user-agent | None |
Webtx | v2 | cs-content-type | enrichments[2].data.cs-content-type | None |
Webtx | v2 | sc-status | enrichments[2].data.sc-status | None |
Webtx | v2 | sc-content-type | enrichments[2].data.sc-content-type | None |
Webtx | v2 | cs-dns | enrichments[2].data.cs-dns | None |
Webtx | v2 | cs-host | enrichments[2].data.cs-host | None |
Webtx | v2 | cs-uri | enrichments[2].data.cs-uri | None |
Webtx | v2 | cs-uri-port | enrichments[2].data.cs-uri-port | None |
Webtx | v2 | cs-referer | enrichments[2].data.cs-referer | None |
Webtx | v2 | x-cs-session-id | enrichments[2].data.x-cs-session-id | None |
Webtx | v2 | None | enrichments[3].name | Geolocation Transaction |
Webtx | v2 | None | enrichments[3].value | Location |
Webtx | v2 | x-c-country | enrichments[3].data.x-c-country | None |
Webtx | v2 | x-c-zipcode | enrichments[3].data.x-c-zipcode | None |
Webtx | v2 | x-c-latitude | enrichments[3].data.x-c-latitude | None |
Webtx | v2 | x-c-longitude | enrichments[3].data.x-c-longitude | None |
Webtx | v2 | None | enrichments[4].name | Client Connector Device Information |
Webtx | v2 | x-c-device | enrichments[4].value | ‘x-c-device’ value not available |
Webtx | v2 | x-cs-page-id | enrichments[4].data.x-cs-page-id | None |
Webtx | v2 | None | enrichments[5].name | Client Transaction |
Webtx | v2 | None | enrichments[5].value | Client Transaction details |
Webtx | v2 | cs-bytes | enrichments[5].data.cs-bytes | None |
Webtx | v2 | bytes | enrichments[5].data.bytes | None |
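WebTx v2 differs from the Alerts and Events rows in four ways: the source is W3C-style extended-log text rather than JSON, the field names are hyphenated, `time` is assembled from the separate `date` and `time` columns (the `date:time` row above), and two enrichments ("Geolocation Transaction", "Client Transaction") carry a fixed value instead of a field. The Python below is an added example, not the plugin's code: it parses a constructed record and applies the WebTx v2 rows to it. The `#Fields:` header, space-separated values, `-` for an empty value and double quotes around values containing spaces are the extended-log conventions assumed here; the sample line is not real traffic; the timestamp is read as UTC and scaled to the milliseconds OCSF's timestamp_t is defined in, which the table does not say anything about; and `time-taken` is carried into `duration` unscaled because the table states no unit.

```python
"""Added example, not the plugin's code: parse WebTx v2 extended-log text and
lay one record out as the WebTx table describes.  The sample is constructed in
W3C extended-log shape ('#Fields:' header, space-separated values, '-' for an
empty value, double quotes around values with spaces) and is not real traffic.
Timestamps are treated as UTC, an assumption of this example."""
import copy
import shlex
from datetime import datetime, timezone

# Header constants the table fixes for every WebTx v2 record.
FIXED = {"activity_id": 99, "category_uid": 2, "class_uid": 2001, "severity_id": 99,
         "state_id": 99, "type_uid": 200199,
         "metadata": {"product": {"name": "Netskope CE", "vendor_name": "Netskope"},
                      "version": "1.1.0"}}

# (WebTx field, observable type_id, type, name) from the table.
OBSERVABLES = [("cs-username", 21, "User", "cs-username"),
               ("c-ip", 2, "IP Address", "Client IP"),
               ("s-ip", 2, "IP Address", "Server IP")]

# (name, field supplying the value or None, fixed value or None, data fields).
# Two enrichments carry a fixed value; the others fall back to the table's
# "'<field>' value not available" string (straight quotes here).
ENRICHMENTS = [
    ("Cloud Application", "x-cs-app", None, ["x-category", "x-other-category"]),
    ("Server Transaction details", "sc-bytes", None,
     ["x-type", "x-server-ssl-err", "x-client-ssl-err"]),
    ("HTTP Transaction ID", "x-transaction-id", None,
     ["cs-method", "cs-uri-scheme", "cs-uri-query", "cs-user-agent", "cs-content-type",
      "sc-status", "sc-content-type", "cs-dns", "cs-host", "cs-uri", "cs-uri-port",
      "cs-referer", "x-cs-session-id"]),
    ("Geolocation Transaction", None, "Location",
     ["x-c-country", "x-c-zipcode", "x-c-latitude", "x-c-longitude"]),
    ("Client Connector Device Information", "x-c-device", None, ["x-cs-page-id"]),
    ("Client Transaction", None, "Client Transaction details", ["cs-bytes", "bytes"]),
]


def parse_webtx(text):
    """Yield one dict per data line, keyed by the names in the last '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, or data before any header
        else:
            values = shlex.split(line)  # honours double-quoted values with spaces
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} values, got {len(values)}: {line!r}")
            yield {f: (None if v == "-" else v) for f, v in zip(fields, values)}


def to_ocsf(rec):
    """Apply the WebTx v2 rows of the table to one parsed record."""
    out = copy.deepcopy(FIXED)
    # The table maps _id (assigned by the plugin, absent from the raw log) to finding.uid.
    out["finding"] = {"uid": rec.get("_id"), "title": "WebTx – v2"}
    # date:time -> time.  OCSF timestamp_t is milliseconds since the epoch; the
    # log is read as UTC and scaled here, a choice of this example.
    stamp = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    out["time"] = int(stamp.replace(tzinfo=timezone.utc).timestamp()) * 1000
    # time-taken -> duration, carried through unscaled; the table states no unit.
    out["duration"] = int(rec["time-taken"]) if rec.get("time-taken") else None
    out["observables"] = [{"name": name, "type": typ, "type_id": tid, "value": rec[field]}
                          for field, tid, typ, name in OBSERVABLES
                          if rec.get(field) is not None]
    out["enrichments"] = []
    for name, value_field, fixed, data_fields in ENRICHMENTS:
        value = fixed if fixed is not None else (
            rec.get(value_field) or f"'{value_field}' value not available")
        data = {f: rec[f] for f in data_fields if rec.get(f) is not None}
        out["enrichments"].append({"name": name, "value": value, "data": data})
    return out


# Constructed sample carrying only the columns the table references.
SAMPLE_WEBTX = """\
#Fields: date time time-taken cs-username c-ip s-ip x-cs-app x-category x-other-category sc-bytes x-type x-server-ssl-err x-client-ssl-err x-transaction-id cs-method cs-uri-scheme cs-host cs-uri cs-uri-port sc-status cs-user-agent x-cs-session-id x-c-country x-c-zipcode x-c-latitude x-c-longitude x-c-device x-cs-page-id cs-bytes bytes
2024-03-14 09:26:53 211 alice@example.com 10.1.2.3 203.0.113.7 Dropbox "Cloud Storage" - 4820 http_transaction - - 7f3a9c GET https www.dropbox.com /upload 443 200 "Mozilla/5.0" 8b2e1d US 94016 37.5 -122.4 Windows 42 1130 5950
"""


def sample_record():
    """Parse the constructed sample and map its single record."""
    return [to_ocsf(r) for r in parse_webtx(SAMPLE_WEBTX)][0]


if __name__ == "__main__":
    import json; print(json.dumps(sample_record(), indent=2))
```

The parser raises on a line whose value count does not match the `#Fields:` header rather than silently shifting columns; with positional formats that is the failure mode to guard against, since a shifted column would put, for example, the server IP into the client IP observable without any error.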