Mapping Field Descriptions

Mapping Field Descriptions

Note: The OCSF version used by these mappings is kept up to date with each update of the plugin.

Alerts

Data Type

Sub Type

Netskope Field

OCSF Field

Default Value

Alerts

anomaly

None

activity_id

99

Alerts

anomaly

None

category_uid

2

Alerts

anomaly

None

class_uid

2001

Alerts

anomaly

_id

finding.uid

None

Alerts

anomaly

None

finding.title

Alerts – Anomaly

Alerts

anomaly

None

metadata.product.name

Netskope CE

Alerts

anomaly

None

metadata.product.vendor_name

Netskope

Alerts

anomaly

None

metadata.version

1.1.0

Alerts

anomaly

None

severity_id

99

Alerts

anomaly

None

state_id

99

Alerts

anomaly

None

type_uid

200199

Alerts

anomaly

timestamp

time

None

Alerts

anomaly

srcip

observables[0].value

None

Alerts

anomaly

None

observables[0].type_id

2

Alerts

anomaly

None

observables[0].type

IP Address

Alerts

anomaly

None

observables[0].name

Source IP

Alerts

anomaly

dstip

observables[1].value

None

Alerts

anomaly

None

observables[1].type_id

2

Alerts

anomaly

None

observables[1].type

IP Address

Alerts

anomaly

None

observables[1].name

Destination IP

Alerts

anomaly

user

observables[2].value

None

Alerts

anomaly

None

observables[2].type_id

21

Alerts

anomaly

None

observables[2].type

User

Alerts

anomaly

None

observables[2].name

User

Alerts

anomaly

site

observables[3].value

None

Alerts

anomaly

None

observables[3].type_id

99

Alerts

anomaly

None

observables[3].type

Other

Alerts

anomaly

None

observables[3].name

Site Name

Alerts

anomaly

url

observables[4].value

None

Alerts

anomaly

None

observables[4].type_id

6

Alerts

anomaly

None

observables[4].type

URL String

Alerts

anomaly

None

observables[4].name

URL

Alerts

anomaly

None

enrichments[0].name

Justification

Alerts

anomaly

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

anomaly

justification_reason

enrichments[0].data.description

None

Alerts

anomaly

None

enrichments[1].name

App Name

Alerts

anomaly

app

enrichments[1].value

‘app’ value not available

Alerts

anomaly

appcategory

enrichments[1].data.appcategory

None

Alerts

anomaly

app_session_id

enrichments[1].data.app_session_id

None

Alerts

anomaly

ccl

enrichments[1].data.ccl

None

Alerts

anomaly

cci

enrichments[1].data.cci

None

Alerts

anomaly

None

enrichments[2].name

Device Name

Alerts

anomaly

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

anomaly

device_classification

enrichments[2].data.device_classification

None

Alerts

anomaly

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

anomaly

browser

enrichments[2].data.browser

None

Alerts

anomaly

os

enrichments[2].data.os

None

Alerts

anomaly

os_version

enrichments[2].data.os_version

None

Alerts

Compromised Credential

None

activity_id

99

Alerts

Compromised Credential

None

category_uid

2

Alerts

Compromised Credential

None

class_uid

2001

Alerts

Compromised Credential

_id

finding.uid

None

Alerts

Compromised Credential

None

finding.title

Alerts – Compromised Credential

Alerts

Compromised Credential

None

metadata.product.name

Netskope CE

Alerts

Compromised Credential

None

metadata.product.vendor_name

Netskope

Alerts

Compromised Credential

None

metadata.version

1.1.0

Alerts

Compromised Credential

None

severity_id

99

Alerts

Compromised Credential

None

state_id

99

Alerts

Compromised Credential

None

type_uid

200199

Alerts

Compromised Credential

timestamp

time

None

Alerts

Compromised Credential

matched_username

observables[0].value

None

Alerts

Compromised Credential

None

observables[0].type_id

21

Alerts

Compromised Credential

None

observables[0].type

User

Alerts

Compromised Credential

None

observables[0].name

Matched Username

Alerts

Compromised Credential

userkey

observables[1].value

None

Alerts

Compromised Credential

None

observables[1].type_id

99

Alerts

Compromised Credential

None

observables[1].type

Other

Alerts

Compromised Credential

None

observables[1].name

User Key

Alerts

Compromised Credential

None

enrichments[0].name

Justification

Alerts

Compromised Credential

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

Compromised Credential

justification_reason

enrichments[0].data.description

None

Alerts

Compromised Credential

None

enrichments[1].name

Breach ID

Alerts

Compromised Credential

breach_id

enrichments[1].value

‘breach_id’ value not available

Alerts

Compromised Credential

breach_media_references

enrichments[1].data.breach_media_references

None

Alerts

Compromised Credential

breach_score

enrichments[1].data.breach_score

None

Alerts

Compromised Credential

breach_date

enrichments[1].data.breach_date

None

Alerts

Compromised Credential

breach_target_references

enrichments[1].data.breach_target_references

None

Alerts

Compromised Credential

None

enrichments[2].name

Device Name

Alerts

Compromised Credential

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

Compromised Credential

device_classification

enrichments[2].data.device_classification

None

Alerts

Compromised Credential

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

Compromised Credential

browser

enrichments[2].data.browser

None

Alerts

Compromised Credential

os

enrichments[2].data.os

None

Alerts

Compromised Credential

os_version

enrichments[2].data.os_version

None

Alerts

policy

None

activity_id

99

Alerts

policy

None

category_uid

2

Alerts

policy

None

class_uid

2001

Alerts

policy

_id

finding.uid

None

Alerts

policy

None

finding.title

Alerts – Policy

Alerts

policy

None

metadata.product.name

Netskope CE

Alerts

policy

None

metadata.product.vendor_name

Netskope

Alerts

policy

None

metadata.version

1.1.0

Alerts

policy

None

severity_id

99

Alerts

policy

None

state_id

99

Alerts

policy

None

type_uid

200199

Alerts

policy

timestamp

time

None

Alerts

policy

hostname

observables[0].value

None

Alerts

policy

None

observables[0].type_id

1

Alerts

policy

None

observables[0].type

Hostname

Alerts

policy

None

observables[0].name

Host Name

Alerts

policy

srcip

observables[1].value

None

Alerts

policy

None

observables[1].type_id

2

Alerts

policy

None

observables[1].type

IP Address

Alerts

policy

None

observables[1].name

Source IP

Alerts

policy

dstip

observables[2].value

None

Alerts

policy

None

observables[2].type_id

2

Alerts

policy

None

observables[2].type

IP Address

Alerts

policy

None

observables[2].name

Destination IP

Alerts

policy

site

observables[3].value

None

Alerts

policy

None

observables[3].type_id

99

Alerts

policy

None

observables[3].type

Other

Alerts

policy

None

observables[3].name

Site Name

Alerts

policy

user

observables[4].value

None

Alerts

policy

None

observables[4].type_id

21

Alerts

policy

None

observables[4].type

User

Alerts

policy

None

observables[4].name

User

Alerts

policy

referer

observables[5].value

None

Alerts

policy

None

observables[5].type_id

6

Alerts

policy

None

observables[5].type

URL String

Alerts

policy

None

observables[5].name

Referer URL

Alerts

policy

url

observables[6].value

None

Alerts

policy

None

observables[6].type_id

6

Alerts

policy

None

observables[6].type

URL String

Alerts

policy

None

observables[6].name

URL

Alerts

policy

None

enrichments[0].name

Justification

Alerts

policy

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

policy

justification_reason

enrichments[0].data.description

None

Alerts

policy

None

enrichments[1].name

App Name

Alerts

policy

app

enrichments[1].value

‘app’ value not available

Alerts

policy

appcategory

enrichments[1].data.appcategory

None

Alerts

policy

app_session_id

enrichments[1].data.app_session_id

None

Alerts

policy

ccl

enrichments[1].data.ccl

None

Alerts

policy

cci

enrichments[1].data.cci

None

Alerts

policy

None

enrichments[2].name

Device Name

Alerts

policy

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

policy

device_classification

enrichments[2].data.device_classification

None

Alerts

policy

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

policy

browser

enrichments[2].data.browser

None

Alerts

policy

os

enrichments[2].data.os

None

Alerts

policy

os_version

enrichments[2].data.os_version

None

Alerts

Legal Hold

None

activity_id

99

Alerts

Legal Hold

None

category_uid

2

Alerts

Legal Hold

None

class_uid

2001

Alerts

Legal Hold

_id

finding.uid

None

Alerts

Legal Hold

None

finding.title

Alerts – Legal Hold

Alerts

Legal Hold

None

metadata.product.name

Netskope CE

Alerts

Legal Hold

None

metadata.product.vendor_name

Netskope

Alerts

Legal Hold

None

metadata.version

1.1.0

Alerts

Legal Hold

None

severity_id

99

Alerts

Legal Hold

None

state_id

99

Alerts

Legal Hold

None

type_uid

200199

Alerts

Legal Hold

timestamp

time

None

Alerts

Legal Hold

hostname

observables[0].value

None

Alerts

Legal Hold

None

observables[0].type_id

1

Alerts

Legal Hold

None

observables[0].type

Hostname

Alerts

Legal Hold

None

observables[0].name

Host Name

Alerts

Legal Hold

srcip

observables[1].value

None

Alerts

Legal Hold

None

observables[1].type_id

2

Alerts

Legal Hold

None

observables[1].type

IP Address

Alerts

Legal Hold

None

observables[1].name

Source IP

Alerts

Legal Hold

dstip

observables[2].value

None

Alerts

Legal Hold

None

observables[2].type_id

2

Alerts

Legal Hold

None

observables[2].type

IP Address

Alerts

Legal Hold

None

observables[2].name

Destination IP

Alerts

Legal Hold

site

observables[3].value

None

Alerts

Legal Hold

None

observables[3].type_id

99

Alerts

Legal Hold

None

observables[3].type

Other

Alerts

Legal Hold

None

observables[3].name

Site Name

Alerts

Legal Hold

user

observables[4].value

None

Alerts

Legal Hold

None

observables[4].type_id

21

Alerts

Legal Hold

None

observables[4].type

User

Alerts

Legal Hold

None

observables[4].name

User

Alerts

Legal Hold

md5

observables[5].value

None

Alerts

Legal Hold

None

observables[5].type_id

8

Alerts

Legal Hold

None

observables[5].type

File Hash

Alerts

Legal Hold

None

observables[5].name

MD5

Alerts

Legal Hold

sha256

observables[6].value

None

Alerts

Legal Hold

None

observables[6].type_id

8

Alerts

Legal Hold

None

observables[6].type

File Hash

Alerts

Legal Hold

None

observables[6].name

SHA256

Alerts

Legal Hold

object

observables[7].value

None

Alerts

Legal Hold

None

observables[7].type_id

24

Alerts

Legal Hold

None

observables[7].type

File

Alerts

Legal Hold

None

observables[7].name

Object

Alerts

Legal Hold

None

enrichments[0].name

Justification

Alerts

Legal Hold

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

Legal Hold

justification_reason

enrichments[0].data.description

None

Alerts

Legal Hold

None

enrichments[1].name

App Name

Alerts

Legal Hold

app

enrichments[1].value

‘app’ value not available

Alerts

Legal Hold

appcategory

enrichments[1].data.appcategory

None

Alerts

Legal Hold

app_session_id

enrichments[1].data.app_session_id

None

Alerts

Legal Hold

ccl

enrichments[1].data.ccl

None

Alerts

Legal Hold

cci

enrichments[1].data.cci

None

Alerts

Legal Hold

None

enrichments[2].name

Device Name

Alerts

Legal Hold

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

Legal Hold

device_classification

enrichments[2].data.device_classification

None

Alerts

Legal Hold

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

Legal Hold

browser

enrichments[2].data.browser

None

Alerts

Legal Hold

os

enrichments[2].data.os

None

Alerts

Legal Hold

os_version

enrichments[2].data.os_version

None

Alerts

Legal Hold

None

enrichments[3].name

Legal Hold Profile Name

Alerts

Legal Hold

legal_hold_profile_name

enrichments[3].value

‘legal_hold_profile_name’ value not available

Alerts

Legal Hold

lh_custodian_email

enrichments[3].data.lh_custodian_email

None

Alerts

Legal Hold

lh_custodian_name

enrichments[3].data.lh_custodian_name

None

Alerts

Legal Hold

lh_dest_app

enrichments[3].data.lh_dest_app

None

Alerts

Legal Hold

lh_dest_instance

enrichments[3].data.lh_dest_instance

None

Alerts

Legal Hold

lh_shared

enrichments[3].data.lh_shared

None

Alerts

Legal Hold

lh_original_filename

enrichments[3].data.lh_original_filename

None

Alerts

Malsite

None

activity_id

99

Alerts

Malsite

None

category_uid

2

Alerts

Malsite

None

class_uid

2001

Alerts

Malsite

_id

finding.uid

None

Alerts

Malsite

None

finding.title

Alerts – Malsite

Alerts

Malsite

None

metadata.product.name

Netskope CE

Alerts

Malsite

None

metadata.product.vendor_name

Netskope

Alerts

Malsite

None

metadata.version

1.1.0

Alerts

Malsite

None

severity_id

99

Alerts

Malsite

None

state_id

99

Alerts

Malsite

None

type_uid

200199

Alerts

Malsite

timestamp

time

None

Alerts

Malsite

hostname

observables[0].value

None

Alerts

Malsite

None

observables[0].type_id

1

Alerts

Malsite

None

observables[0].type

Hostname

Alerts

Malsite

None

observables[0].name

Host Name

Alerts

Malsite

srcip

observables[1].value

None

Alerts

Malsite

None

observables[1].type_id

2

Alerts

Malsite

None

observables[1].type

IP Address

Alerts

Malsite

None

observables[1].name

Source IP

Alerts

Malsite

dstip

observables[2].value

None

Alerts

Malsite

None

observables[2].type_id

2

Alerts

Malsite

None

observables[2].type

IP Address

Alerts

Malsite

None

observables[2].name

Destination IP

Alerts

Malsite

site

observables[3].value

None

Alerts

Malsite

None

observables[3].type_id

99

Alerts

Malsite

None

observables[3].type

Other

Alerts

Malsite

None

observables[3].name

Site Name

Alerts

Malsite

user

observables[4].value

None

Alerts

Malsite

None

observables[4].type_id

21

Alerts

Malsite

None

observables[4].type

User

Alerts

Malsite

None

observables[4].name

User

Alerts

Malsite

referer

observables[5].value

None

Alerts

Malsite

None

observables[5].type_id

6

Alerts

Malsite

None

observables[5].type

URL String

Alerts

Malsite

None

observables[5].name

Referer URL

Alerts

Malsite

url

observables[6].value

None

Alerts

Malsite

None

observables[6].type_id

6

Alerts

Malsite

None

observables[6].type

URL String

Alerts

Malsite

None

observables[6].name

URL

Alerts

Malsite

None

enrichments[0].name

Justification

Alerts

Malsite

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

Malsite

justification_reason

enrichments[0].data.description

None

Alerts

Malsite

None

enrichments[1].name

App Name

Alerts

Malsite

app

enrichments[1].value

‘app’ value not available

Alerts

Malsite

appcategory

enrichments[1].data.appcategory

None

Alerts

Malsite

app_session_id

enrichments[1].data.app_session_id

None

Alerts

Malsite

ccl

enrichments[1].data.ccl

None

Alerts

Malsite

cci

enrichments[1].data.cci

None

Alerts

Malsite

None

enrichments[2].name

Device Name

Alerts

Malsite

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

Malsite

device_classification

enrichments[2].data.device_classification

None

Alerts

Malsite

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

Malsite

browser

enrichments[2].data.browser

None

Alerts

Malsite

os

enrichments[2].data.os

None

Alerts

Malsite

os_version

enrichments[2].data.os_version

None

Alerts

malware

None

activity_id

99

Alerts

malware

None

category_uid

2

Alerts

malware

None

class_uid

2001

Alerts

malware

_id

finding.uid

None

Alerts

malware

None

finding.title

Alerts – Malware

Alerts

malware

None

metadata.product.name

Netskope CE

Alerts

malware

None

metadata.product.vendor_name

Netskope

Alerts

malware

None

metadata.version

1.1.0

Alerts

malware

None

severity_id

99

Alerts

malware

None

state_id

99

Alerts

malware

None

type_uid

200199

Alerts

malware

timestamp

time

None

Alerts

malware

local_md5

observables[0].value

None

Alerts

malware

None

observables[0].type_id

8

Alerts

malware

None

observables[0].type

File Hash

Alerts

malware

None

observables[0].name

MD5

Alerts

malware

local_sha256

observables[1].value

None

Alerts

malware

None

observables[1].type_id

8

Alerts

malware

None

observables[1].type

File Hash

Alerts

malware

None

observables[1].name

SHA256

Alerts

malware

local_sha1

observables[2].value

None

Alerts

malware

None

observables[2].type_id

8

Alerts

malware

None

observables[2].type

File Hash

Alerts

malware

None

observables[2].name

SHA1

Alerts

malware

srcip

observables[3].value

None

Alerts

malware

None

observables[3].type_id

2

Alerts

malware

None

observables[3].type

IP Address

Alerts

malware

None

observables[3].name

Source IP

Alerts

malware

dstip

observables[4].value

None

Alerts

malware

None

observables[4].type_id

2

Alerts

malware

None

observables[4].type

IP Address

Alerts

malware

None

observables[4].name

Destination IP

Alerts

malware

user

observables[5].value

None

Alerts

malware

None

observables[5].type_id

21

Alerts

malware

None

observables[5].type

User

Alerts

malware

None

observables[5].name

User

Alerts

malware

object

observables[6].value

None

Alerts

malware

None

observables[6].type_id

24

Alerts

malware

None

observables[6].type

File

Alerts

malware

None

observables[6].name

Object

Alerts

malware

referer

observables[7].value

None

Alerts

malware

None

observables[7].type_id

6

Alerts

malware

None

observables[7].type

URL String

Alerts

malware

None

observables[7].name

Referer URL

Alerts

malware

site

observables[8].value

None

Alerts

malware

None

observables[8].type_id

99

Alerts

malware

None

observables[8].type

Other

Alerts

malware

None

observables[8].name

Site Name

Alerts

malware

hostname

observables[9].value

None

Alerts

malware

None

observables[9].type_id

1

Alerts

malware

None

observables[9].type

Hostname

Alerts

malware

None

observables[9].name

Host Name

Alerts

malware

url

observables[10].value

None

Alerts

malware

None

observables[10].type_id

6

Alerts

malware

None

observables[10].type

URL String

Alerts

malware

None

observables[10].name

URL

Alerts

malware

None

enrichments[0].name

Justification

Alerts

malware

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

malware

justification_reason

enrichments[0].data.description

None

Alerts

malware

None

enrichments[1].name

App Name

Alerts

malware

app

enrichments[1].value

‘app’ value not available

Alerts

malware

appcategory

enrichments[1].data.appcategory

None

Alerts

malware

app_session_id

enrichments[1].data.app_session_id

None

Alerts

malware

ccl

enrichments[1].data.ccl

None

Alerts

malware

cci

enrichments[1].data.cci

None

Alerts

malware

None

enrichments[2].name

Device Name

Alerts

malware

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

malware

device_classification

enrichments[2].data.device_classification

None

Alerts

malware

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

malware

browser

enrichments[2].data.browser

None

Alerts

malware

os

enrichments[2].data.os

None

Alerts

malware

os_version

enrichments[2].data.os_version

None

Alerts

malware

None

enrichments[3].name

Malware ID

Alerts

malware

malware_id

enrichments[3].value

‘malware_id’ value not available

Alerts

malware

malware_name

enrichments[3].data.malware_name

None

Alerts

malware

malware_scanner_result

enrichments[3].data.malware_scanner_result

None

Alerts

malware

malware_type

enrichments[3].data.malware_type

None

Alerts

malware

malware_profile

enrichments[3].data.malware_profile

None

Alerts

malware

malware_severity

enrichments[3].data.malware_severity

None

Alerts

dlp

None

activity_id

99

Alerts

dlp

None

category_uid

2

Alerts

dlp

None

class_uid

2001

Alerts

dlp

_id

finding.uid

None

Alerts

dlp

None

finding.title

Alerts – DLP

Alerts

dlp

None

metadata.product.name

Netskope CE

Alerts

dlp

None

metadata.product.vendor_name

Netskope

Alerts

dlp

None

metadata.version

1.1.0

Alerts

dlp

None

severity_id

99

Alerts

dlp

None

state_id

99

Alerts

dlp

None

type_uid

200199

Alerts

dlp

timestamp

time

None

Alerts

dlp

srcip

observables[0].value

None

Alerts

dlp

None

observables[0].type_id

2

Alerts

dlp

None

observables[0].type

IP Address

Alerts

dlp

None

observables[0].name

Source IP

Alerts

dlp

dstip

observables[1].value

None

Alerts

dlp

None

observables[1].type_id

2

Alerts

dlp

None

observables[1].type

IP Address

Alerts

dlp

None

observables[1].name

Destination IP

Alerts

dlp

site

observables[2].value

None

Alerts

dlp

None

observables[2].type_id

99

Alerts

dlp

None

observables[2].type

Other

Alerts

dlp

None

observables[2].name

Site Name

Alerts

dlp

user

observables[3].value

None

Alerts

dlp

None

observables[3].type_id

21

Alerts

dlp

None

observables[3].type

User

Alerts

dlp

None

observables[3].name

User

Alerts

dlp

hostname

observables[4].value

None

Alerts

dlp

None

observables[4].type_id

1

Alerts

dlp

None

observables[4].type

Hostname

Alerts

dlp

None

observables[4].name

Host Name

Alerts

dlp

md5

observables[5].value

None

Alerts

dlp

None

observables[5].type_id

8

Alerts

dlp

None

observables[5].type

File Hash

Alerts

dlp

None

observables[5].name

MD5

Alerts

dlp

sha256

observables[6].value

None

Alerts

dlp

None

observables[6].type_id

8

Alerts

dlp

None

observables[6].type

File Hash

Alerts

dlp

None

observables[6].name

SHA256

Alerts

dlp

object

observables[7].value

None

Alerts

dlp

None

observables[7].type_id

24

Alerts

dlp

None

observables[7].type

File

Alerts

dlp

None

observables[7].name

Object

Alerts

dlp

url

observables[8].value

None

Alerts

dlp

None

observables[8].type_id

6

Alerts

dlp

None

observables[8].type

URL String

Alerts

dlp

None

observables[8].name

URL

Alerts

dlp

act_user

observables[9].value

None

Alerts

dlp

None

observables[9].type_id

21

Alerts

dlp

None

observables[9].type

User

Alerts

dlp

None

observables[9].name

Activity User

Alerts

dlp

None

enrichments[0].name

Justification

Alerts

dlp

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

dlp

justification_reason

enrichments[0].data.description

None

Alerts

dlp

None

enrichments[1].name

App Name

Alerts

dlp

app

enrichments[1].value

‘app’ value not available

Alerts

dlp

appcategory

enrichments[1].data.appcategory

None

Alerts

dlp

app_session_id

enrichments[1].data.app_session_id

None

Alerts

dlp

ccl

enrichments[1].data.ccl

None

Alerts

dlp

cci

enrichments[1].data.cci

None

Alerts

dlp

None

enrichments[2].name

Device Name

Alerts

dlp

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

dlp

device_classification

enrichments[2].data.device_classification

None

Alerts

dlp

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

dlp

browser

enrichments[2].data.browser

None

Alerts

dlp

os

enrichments[2].data.os

None

Alerts

dlp

os_version

enrichments[2].data.os_version

None

Alerts

dlp

None

enrichments[3].name

DLP Incident ID

Alerts

dlp

dlp_incident_id

enrichments[3].value

‘dlp_incident_id’ value not available

Alerts

dlp

dlp_profile

enrichments[3].data.dlp_profile

None

Alerts

dlp

dlp_file

enrichments[3].data.dlp_file

None

Alerts

dlp

dlp_rule

enrichments[3].data.dlp_rule

None

Alerts

dlp

dlp_rule_count

enrichments[3].data.dlp_rule_count

None

Alerts

dlp

dlp_rule_severity

enrichments[3].data.dlp_rule_severity

None

Alerts

Security Assessment

None

activity_id

99

Alerts

Security Assessment

None

category_uid

2

Alerts

Security Assessment

None

class_uid

2001

Alerts

Security Assessment

_id

finding.uid

None

Alerts

Security Assessment

None

finding.title

Alerts – Security Assessment

Alerts

Security Assessment

None

metadata.product.name

Netskope CE

Alerts

Security Assessment

None

metadata.product.vendor_name

Netskope

Alerts

Security Assessment

None

metadata.version

1.1.0

Alerts

Security Assessment

None

severity_id

99

Alerts

Security Assessment

None

state_id

99

Alerts

Security Assessment

None

type_uid

200199

Alerts

Security Assessment

timestamp

time

None

Alerts

Security Assessment

site

observables[0].value

None

Alerts

Security Assessment

None

observables[0].type_id

99

Alerts

Security Assessment

None

observables[0].type

Other

Alerts

Security Assessment

None

observables[0].name

Site Name

Alerts

Security Assessment

user

observables[1].value

None

Alerts

Security Assessment

None

observables[1].type_id

21

Alerts

Security Assessment

None

observables[1].type

User

Alerts

Security Assessment

None

observables[1].name

User

Alerts

Security Assessment

object

observables[2].value

None

Alerts

Security Assessment

None

observables[2].type_id

24

Alerts

Security Assessment

None

observables[2].type

File

Alerts

Security Assessment

None

observables[2].name

Object

Alerts

Security Assessment

None

enrichments[0].name

Justification

Alerts

Security Assessment

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

Security Assessment

justification_reason

enrichments[0].data.description

None

Alerts

Security Assessment

None

enrichments[1].name

App Name

Alerts

Security Assessment

app

enrichments[1].value

‘app’ value not available

Alerts

Security Assessment

appcategory

enrichments[1].data.appcategory

None

Alerts

Security Assessment

app_session_id

enrichments[1].data.app_session_id

None

Alerts

Security Assessment

ccl

enrichments[1].data.ccl

None

Alerts

Security Assessment

cci

enrichments[1].data.cci

None

Alerts

Security Assessment

None

enrichments[2].name

Device Name

Alerts

Security Assessment

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

Security Assessment

device_classification

enrichments[2].data.device_classification

None

Alerts

Security Assessment

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

Security Assessment

browser

enrichments[2].data.browser

None

Alerts

Security Assessment

os

enrichments[2].data.os

None

Alerts

Security Assessment

os_version

enrichments[2].data.os_version

None

Alerts

Security Assessment

None

enrichments[3].name

Security Assessment Profile ID

Alerts

Security Assessment

sa_profile_id

enrichments[3].value

‘sa_profile_id’ value not available

Alerts

Security Assessment

sa_profile_name

enrichments[3].data.sa_profile_name

None

Alerts

Security Assessment

sa_rule_name

enrichments[3].data.sa_rule_name

None

Alerts

Security Assessment

sa_rule_remediation

enrichments[3].data.sa_rule_remediation

None

Alerts

Security Assessment

sa_rule_severity

enrichments[3].data.sa_rule_severity

None

Alerts

Watchlist

None

activity_id

99

Alerts

Watchlist

None

category_uid

2

Alerts

Watchlist

None

class_uid

2001

Alerts

Watchlist

_id

finding.uid

None

Alerts

Watchlist

None

finding.title

Alerts – Watchlist

Alerts

Watchlist

None

metadata.product.name

Netskope CE

Alerts

Watchlist

None

metadata.product.vendor_name

Netskope

Alerts

Watchlist

None

metadata.version

1.1.0

Alerts

Watchlist

None

severity_id

99

Alerts

Watchlist

None

state_id

99

Alerts

Watchlist

None

type_uid

200199

Alerts

Watchlist

timestamp

time

None

Alerts

Watchlist

hostname

observables[0].value

None

Alerts

Watchlist

None

observables[0].type_id

1

Alerts

Watchlist

None

observables[0].type

Hostname

Alerts

Watchlist

None

observables[0].name

Host Name

Alerts

Watchlist

srcip

observables[1].value

None

Alerts

Watchlist

None

observables[1].type_id

2

Alerts

Watchlist

None

observables[1].type

IP Address

Alerts

Watchlist

None

observables[1].name

Source IP

Alerts

Watchlist

dstip

observables[2].value

None

Alerts

Watchlist

None

observables[2].type_id

2

Alerts

Watchlist

None

observables[2].type

IP Address

Alerts

Watchlist

None

observables[2].name

Destination IP

Alerts

Watchlist

site

observables[3].value

None

Alerts

Watchlist

None

observables[3].type_id

99

Alerts

Watchlist

None

observables[3].type

Other

Alerts

Watchlist

None

observables[3].name

Site Name

Alerts

Watchlist

user

observables[4].value

None

Alerts

Watchlist

None

observables[4].type_id

21

Alerts

Watchlist

None

observables[4].type

User

Alerts

Watchlist

None

observables[4].name

User

Alerts

Watchlist

url

observables[5].value

None

Alerts

Watchlist

None

observables[5].type_id

6

Alerts

Watchlist

None

observables[5].type

URL String

Alerts

Watchlist

None

observables[5].name

URL

Alerts

Watchlist

None

enrichments[0].name

Justification

Alerts

Watchlist

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

Watchlist

justification_reason

enrichments[0].data.description

None

Alerts

Watchlist

None

enrichments[1].name

App Name

Alerts

Watchlist

app

enrichments[1].value

‘app’ value not available

Alerts

Watchlist

appcategory

enrichments[1].data.appcategory

None

Alerts

Watchlist

app_session_id

enrichments[1].data.app_session_id

None

Alerts

Watchlist

ccl

enrichments[1].data.ccl

None

Alerts

Watchlist

cci

enrichments[1].data.cci

None

Alerts

Watchlist

None

enrichments[2].name

Device Name

Alerts

Watchlist

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

Watchlist

device_classification

enrichments[2].data.device_classification

None

Alerts

Watchlist

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

Watchlist

browser

enrichments[2].data.browser

None

Alerts

Watchlist

os

enrichments[2].data.os

None

Alerts

Watchlist

os_version

enrichments[2].data.os_version

None

Alerts

Qurantine

None

activity_id

99

Alerts

Qurantine

None

category_uid

2

Alerts

Qurantine

None

class_uid

2001

Alerts

Qurantine

_id

finding.uid

None

Alerts

Qurantine

None

finding.title

Alerts – Qurantine

Alerts

Qurantine

None

metadata.product.name

Netskope CE

Alerts

Qurantine

None

metadata.product.vendor_name

Netskope

Alerts

Qurantine

None

metadata.version

1.1.0

Alerts

Qurantine

None

severity_id

99

Alerts

Qurantine

None

state_id

99

Alerts

Qurantine

None

type_uid

200199

Alerts

Qurantine

timestamp

time

None

Alerts

Qurantine

hostname

observables[0].value

None

Alerts

Qurantine

None

observables[0].type_id

1

Alerts

Qurantine

None

observables[0].type

Hostname

Alerts

Qurantine

None

observables[0].name

Host Name

Alerts

Qurantine

srcip

observables[1].value

None

Alerts

Qurantine

None

observables[1].type_id

2

Alerts

Qurantine

None

observables[1].type

IP Address

Alerts

Qurantine

None

observables[1].name

Source IP

Alerts

Qurantine

dstip

observables[2].value

None

Alerts

Qurantine

None

observables[2].type_id

2

Alerts

Qurantine

None

observables[2].type

IP Address

Alerts

Qurantine

None

observables[2].name

Destination IP

Alerts

Qurantine

site

observables[3].value

None

Alerts

Qurantine

None

observables[3].type_id

99

Alerts

Qurantine

None

observables[3].type

Other

Alerts

Qurantine

None

observables[3].name

Site Name

Alerts

Qurantine

user

observables[4].value

None

Alerts

Qurantine

None

observables[4].type_id

21

Alerts

Qurantine

None

observables[4].type

User

Alerts

Qurantine

None

observables[4].name

User

Alerts

Qurantine

md5

observables[5].value

None

Alerts

Qurantine

None

observables[5].type_id

8

Alerts

Qurantine

None

observables[5].type

File Hash

Alerts

Qurantine

None

observables[5].name

MD5

Alerts

Qurantine

object

observables[6].value

None

Alerts

Qurantine

None

observables[6].type_id

24

Alerts

Qurantine

None

observables[6].type

File

Alerts

Qurantine

None

observables[6].name

Object

Alerts

Qurantine

None

enrichments[0].name

Justification

Alerts

Qurantine

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

Qurantine

justification_reason

enrichments[0].data.description

None

Alerts

Qurantine

None

enrichments[1].name

App Name

Alerts

Qurantine

app

enrichments[1].value

‘app’ value not available

Alerts

Qurantine

appcategory

enrichments[1].data.appcategory

None

Alerts

Qurantine

app_session_id

enrichments[1].data.app_session_id

None

Alerts

Qurantine

ccl

enrichments[1].data.ccl

None

Alerts

Qurantine

cci

enrichments[1].data.cci

None

Alerts

Qurantine

None

enrichments[2].name

Device Name

Alerts

Qurantine

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

Qurantine

device_classification

enrichments[2].data.device_classification

None

Alerts

Qurantine

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

Qurantine

browser

enrichments[2].data.browser

None

Alerts

Qurantine

os

enrichments[2].data.os

None

Alerts

Qurantine

os_version

enrichments[2].data.os_version

None

Alerts

Qurantine

None

enrichments[3].name

Transaction ID

Alerts

Qurantine

transaction_id

enrichments[3].value

‘transaction_id’ value not available

Alerts

Qurantine

client_bytes

enrichments[3].data.client_bytes

None

Alerts

Qurantine

server_bytes

enrichments[3].data.server_bytes

None

Alerts

Qurantine

client_packets

enrichments[3].data.client_packets

None

Alerts

Qurantine

server_packets

enrichments[3].data.server_packets

None

Alerts

Qurantine

protocol

enrichments[3].data.protocol

None

Alerts

Qurantine

None

enrichments[4].name

Qurantine File ID

Alerts

Qurantine

quarantine_file_id

enrichments[4].value

‘quarantine_file_id’ value not available

Alerts

Qurantine

q_original_filename

enrichments[4].data.q_original_filename

None

Alerts

Qurantine

q_app

enrichments[4].data.q_app

None

Alerts

Qurantine

quarantine_profile

enrichments[4].data.quarantine_profile

None

Alerts

Qurantine

quarantine_file_name

enrichments[4].data.quarantine_file_name

None

Alerts

Qurantine

q_admin

enrichments[4].data.q_admin

None

Alerts

Qurantine

q_instance

enrichments[4].data.q_instance

None

Alerts

Remediation

None

activity_id

99

Alerts

Remediation

None

category_uid

2

Alerts

Remediation

None

class_uid

2001

Alerts

Remediation

_id

finding.uid

None

Alerts

Remediation

None

finding.title

Alerts – Remediation

Alerts

Remediation

None

metadata.product.name

Netskope CE

Alerts

Remediation

None

metadata.product.vendor_name

Netskope

Alerts

Remediation

None

metadata.version

1.1.0

Alerts

Remediation

None

severity_id

99

Alerts

Remediation

None

state_id

99

Alerts

Remediation

None

type_uid

200199

Alerts

Remediation

timestamp

time

None

Alerts

Remediation

hostname

observables[0].value

None

Alerts

Remediation

None

observables[0].type_id

1

Alerts

Remediation

None

observables[0].type

Hostname

Alerts

Remediation

None

observables[0].name

Host Name

Alerts

Remediation

srcip

observables[1].value

None

Alerts

Remediation

None

observables[1].type_id

2

Alerts

Remediation

None

observables[1].type

IP Address

Alerts

Remediation

None

observables[1].name

Source IP

Alerts

Remediation

dstip

observables[2].value

None

Alerts

Remediation

None

observables[2].type_id

2

Alerts

Remediation

None

observables[2].type

IP Address

Alerts

Remediation

None

observables[2].name

Destination IP

Alerts

Remediation

site

observables[3].value

None

Alerts

Remediation

None

observables[3].type_id

99

Alerts

Remediation

None

observables[3].type

Other

Alerts

Remediation

None

observables[3].name

Site Name

Alerts

Remediation

user

observables[4].value

None

Alerts

Remediation

None

observables[4].type_id

21

Alerts

Remediation

None

observables[4].type

User

Alerts

Remediation

None

observables[4].name

User

Alerts

Remediation

md5

observables[5].value

None

Alerts

Remediation

None

observables[5].type_id

8

Alerts

Remediation

None

observables[5].type

File Hash

Alerts

Remediation

None

observables[5].name

MD5

Alerts

Remediation

object

observables[6].value

None

Alerts

Remediation

None

observables[6].type_id

24

Alerts

Remediation

None

observables[6].type

File

Alerts

Remediation

None

observables[6].name

Object

Alerts

Remediation

url

observables[7].value

None

Alerts

Remediation

None

observables[7].type_id

6

Alerts

Remediation

None

observables[7].type

URL String

Alerts

Remediation

None

observables[7].name

URL

Alerts

Remediation

None

enrichments[0].name

Justification

Alerts

Remediation

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

Remediation

justification_reason

enrichments[0].data.description

None

Alerts

Remediation

None

enrichments[1].name

App Name

Alerts

Remediation

app

enrichments[1].value

‘app’ value not available

Alerts

Remediation

appcategory

enrichments[1].data.appcategory

None

Alerts

Remediation

app_session_id

enrichments[1].data.app_session_id

None

Alerts

Remediation

ccl

enrichments[1].data.ccl

None

Alerts

Remediation

cci

enrichments[1].data.cci

None

Alerts

Remediation

None

enrichments[2].name

Device Name

Alerts

Remediation

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

Remediation

device_classification

enrichments[2].data.device_classification

None

Alerts

Remediation

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

Remediation

browser

enrichments[2].data.browser

None

Alerts

Remediation

os

enrichments[2].data.os

None

Alerts

Remediation

os_version

enrichments[2].data.os_version

None

Alerts

uba

None

activity_id

99

Alerts

uba

None

category_uid

2

Alerts

uba

None

class_uid

2001

Alerts

uba

_id

finding.uid

None

Alerts

uba

None

finding.title

Alerts – UBA

Alerts

uba

None

metadata.product.name

Netskope CE

Alerts

uba

None

metadata.product.vendor_name

Netskope

Alerts

uba

None

metadata.version

1.1.0

Alerts

uba

None

severity_id

99

Alerts

uba

None

state_id

99

Alerts

uba

None

type_uid

200199

Alerts

uba

timestamp

time

None

Alerts

uba

hostname

observables[0].value

None

Alerts

uba

None

observables[0].type_id

1

Alerts

uba

None

observables[0].type

Hostname

Alerts

uba

None

observables[0].name

Host name

Alerts

uba

srcip

observables[1].value

None

Alerts

uba

None

observables[1].type_id

2

Alerts

uba

None

observables[1].type

IP Address

Alerts

uba

None

observables[1].name

Source IP

Alerts

uba

dstip

observables[2].value

None

Alerts

uba

None

observables[2].type_id

2

Alerts

uba

None

observables[2].type

IP Address

Alerts

uba

None

observables[2].name

Destination IP

Alerts

uba

site

observables[3].value

None

Alerts

uba

None

observables[3].type_id

99

Alerts

uba

None

observables[3].type

Other

Alerts

uba

None

observables[3].name

Site Name

Alerts

uba

user

observables[4].value

None

Alerts

uba

None

observables[4].type_id

21

Alerts

uba

None

observables[4].type

User

Alerts

uba

None

observables[4].name

User

Alerts

uba

url

observables[5].value

None

Alerts

uba

None

observables[5].type_id

6

Alerts

uba

None

observables[5].type

URL String

Alerts

uba

None

observables[5].name

URL

Alerts

uba

object

observables[6].value

None

Alerts

uba

None

observables[6].type_id

24

Alerts

uba

None

observables[6].type

File

Alerts

uba

None

observables[6].name

Object

Alerts

uba

None

enrichments[0].name

Justification

Alerts

uba

justification_type

enrichments[0].value

‘justification_type’ value not available

Alerts

uba

justification_reason

enrichments[0].data.description

None

Alerts

uba

None

enrichments[1].name

App Name

Alerts

uba

app

enrichments[1].value

‘app’ value not available

Alerts

uba

appcategory

enrichments[1].data.appcategory

None

Alerts

uba

app_session_id

enrichments[1].data.app_session_id

None

Alerts

uba

ccl

enrichments[1].data.ccl

None

Alerts

uba

cci

enrichments[1].data.cci

None

Alerts

uba

None

enrichments[2].name

Device Name

Alerts

uba

device_name

enrichments[2].value

‘device_name’ value not available

Alerts

uba

device_classification

enrichments[2].data.device_classification

None

Alerts

uba

nsdeviceuid

enrichments[2].data.nsdeviceuid

None

Alerts

uba

browser

enrichments[2].data.browser

None

Alerts

uba

os

enrichments[2].data.os

None

Alerts

uba

os_version

enrichments[2].data.os_version

None

Events

Data Type

Sub Type

Netskope Field

OCSF Field

Default value

Events

infrastructure

None

activity_id

99

Events

infrastructure

None

category_uid

2

Events

infrastructure

None

class_uid

2001

Events

infrastructure

_id

finding.uid

None

Events

infrastructure

None

finding.title

Events – Infrastructure

Events

infrastructure

None

metadata.product.name

Netskope CE

Events

infrastructure

None

metadata.product.vendor_name

Netskope

Events

infrastructure

None

metadata.version

1.1.0

Events

infrastructure

None

severity_id

99

Events

infrastructure

None

state_id

99

Events

infrastructure

None

type_uid

200199

Events

infrastructure

timestamp

time

None

Events

infrastructure

None

enrichments[0].name

Justification

Events

infrastructure

justification_type

enrichments[0].value

‘justification_type’ value not available

Events

infrastructure

justification_reason

enrichments[0].data.description

None

Events

infrastructure

None

enrichments[1].name

Alarm

Events

infrastructure

alarm_name

enrichments[1].value

‘alarm_name’ value not available

Events

infrastructure

alarm_description

enrichments[1].data.description

None

Events

infrastructure

None

enrichments[2].name

Transaction ID

Events

infrastructure

transaction_id

enrichments[2].value

‘transaction_id’ value not available

Events

infrastructure

client_bytes

enrichments[2].data.client_bytes

None

Events

infrastructure

server_bytes

enrichments[2].data.server_bytes

None

Events

infrastructure

client_packets

enrichments[2].data.client_packets

None

Events

infrastructure

server_packets

enrichments[2].data.server_packets

None

Events

infrastructure

protocol

enrichments[2].data.protocol

None

Events

infrastructure

None

enrichments[3].name

Device Name

Events

infrastructure

device_name

enrichments[3].value

‘device_name’ value not available

Events

infrastructure

device_classification

enrichments[3].data.device_classification

None

Events

infrastructure

nsdeviceuid

enrichments[3].data.nsdeviceuid

None

Events

infrastructure

browser

enrichments[3].data.browser

None

Events

infrastructure

os

enrichments[3].data.os

None

Events

infrastructure

os_version

enrichments[3].data.os_version

None

Events

page

None

activity_id

99

Events

page

None

category_uid

2

Events

page

None

class_uid

2001

Events

page

_id

finding.uid

None

Events

page

None

finding.title

Events – Page

Events

page

None

metadata.product.name

Netskope CE

Events

page

None

metadata.product.vendor_name

Netskope

Events

page

None

metadata.version

1.1.0

Events

page

None

severity_id

99

Events

page

None

state_id

99

Events

page

None

type_uid

200199

Events

page

timestamp

time

None

Events

page

page_starttime

start_time

None

Events

page

page_endtime

end_time

None

Events

page

srcip

observables[0].value

None

Events

page

None

observables[0].type_id

2

Events

page

None

observables[0].type

IP Address

Events

page

None

observables[0].name

Source IP

Events

page

dstip

observables[1].value

None

Events

page

None

observables[1].type_id

2

Events

page

None

observables[1].type

IP Address

Events

page

None

observables[1].name

Destination IP

Events

page

url

observables[2].value

None

Events

page

None

observables[2].type_id

6

Events

page

None

observables[2].type

URL String

Events

page

None

observables[2].name

URL

Events

page

user

observables[3].value

None

Events

page

None

observables[3].type_id

21

Events

page

None

observables[3].type

User

Events

page

None

observables[3].name

User

Events

page

site

observables[4].value

None

Events

page

None

observables[4].type_id

99

Events

page

None

observables[4].type

Other

Events

page

None

observables[4].name

Site name

Events

page

None

enrichments[0].name

App Name

Events

page

app

enrichments[0].value

‘app’ value not available

Events

page

appcategory

enrichments[0].data.appcategory

None

Events

page

ccl

enrichments[0].data.ccl

None

Events

page

cci

enrichments[0].data.cci

None

Events

page

app_session_id

enrichments[0].data.app_session_id

None

Events

page

None

enrichments[1].name

Justification

Events

page

justification_type

enrichments[1].value

‘justification_type’ value not available

Events

page

justification_reason

enrichments[1].data.description

None

Events

page

None

enrichments[2].name

Transaction ID

Events

page

transaction_id

enrichments[2].value

‘transaction_id’ value not available

Events

page

client_bytes

enrichments[2].data.client_bytes

None

Events

page

server_bytes

enrichments[2].data.server_bytes

None

Events

page

client_packets

enrichments[2].data.client_packets

None

Events

page

server_packets

enrichments[2].data.server_packets

None

Events

page

protocol

enrichments[2].data.protocol

None

Events

page

None

enrichments[3].name

Device Name

Events

page

device_name

enrichments[3].value

‘device_name’ value not available

Events

page

device_classification

enrichments[3].data.device_classification

None

Events

page

nsdeviceuid

enrichments[3].data.nsdeviceuid

None

Events

page

browser

enrichments[3].data.browser

None

Events

page

os

enrichments[3].data.os

None

Events

page

os_version

enrichments[3].data.os_version

None

Events

application

None

activity_id

99

Events

application

None

category_uid

2

Events

application

None

class_uid

2001

Events

application

_id

finding.uid

None

Events

application

None

finding.title

Events – Application

Events

application

None

metadata.product.name

Netskope CE

Events

application

None

metadata.product.vendor_name

Netskope

Events

application

None

metadata.version

1.1.0

Events

application

None

severity_id

99

Events

application

None

state_id

99

Events

application

None

type_uid

200199

Events

application

timestamp

time

None

Events

application

user

observables[0].value

None

Events

application

None

observables[0].type_id

21

Events

application

None

observables[0].type

User

Events

application

None

observables[0].name

User

Events

application

url

observables[1].value

None

Events

application

None

observables[1].type_id

6

Events

application

None

observables[1].type

URL String

Events

application

None

observables[1].name

URL

Events

application

srcip

observables[2].value

None

Events

application

None

observables[2].type_id

2

Events

application

None

observables[2].type

IP Address

Events

application

None

observables[2].name

Source IP

Events

application

dstip

observables[3].value

None

Events

application

None

observables[3].type_id

2

Events

application

None

observables[3].type

IP Address

Events

application

None

observables[3].name

Destination IP

Events

application

site

observables[4].value

None

Events

application

None

observables[4].type_id

99

Events

application

None

observables[4].type

Other

Events

application

None

observables[4].name

Site name

Events

application

None

enrichments[0].name

App Name

Events

application

app

enrichments[0].value

‘app’ value not available

Events

application

appcategory

enrichments[0].data.appcategory

None

Events

application

ccl

enrichments[0].data.ccl

None

Events

application

cci

enrichments[0].data.cci

None

Events

application

app_session_id

enrichments[0].data.app_session_id

None

Events

application

None

enrichments[1].name

Device Name

Events

application

device

enrichments[1].value

‘device’ value not available

Events

application

device_classification

enrichments[1].data.device_classification

None

Events

application

os

enrichments[1].data.os

None

Events

application

os_version

enrichments[1].data.os_version

None

Events

application

browser

enrichments[1].data.browser

None

Events

application

nsdeviceuid

enrichments[1].data.nsdeviceuid

None

Events

application

None

enrichments[2].name

Justification

Events

application

justification_type

enrichments[2].value

‘justification_type’ value not available

Events

application

justification_reason

enrichments[2].data.description

None

Events

application

None

enrichments[3].name

Transaction ID

Events

application

transaction_id

enrichments[3].value

‘transaction_id’ value not available

Events

application

client_bytes

enrichments[3].data.client_bytes

None

Events

application

server_bytes

enrichments[3].data.server_bytes

None

Events

application

client_packets

enrichments[3].data.client_packets

None

Events

application

server_packets

enrichments[3].data.server_packets

None

Events

application

protocol

enrichments[3].data.protocol

None

Events

audit

None

activity_id

99

Events

audit

None

category_uid

2

Events

audit

None

class_uid

2001

Events

audit

_id

finding.uid

None

Events

audit

None

finding.title

Events – Audit

Events

audit

None

metadata.product.name

Netskope CE

Events

audit

None

metadata.product.vendor_name

Netskope

Events

audit

None

metadata.version

1.1.0

Events

audit

None

severity_id

99

Events

audit

None

state_id

99

Events

audit

None

type_uid

200199

Events

audit

timestamp

time

None

Events

audit

user

observables[0].value

None

Events

audit

None

observables[0].type_id

21

Events

audit

None

observables[0].type

User

Events

audit

None

observables[0].name

User

Events

audit

None

enrichments[0].name

Justification

Events

audit

justification_type

enrichments[0].value

‘justification_type’ value not available

Events

audit

justification_reason

enrichments[0].data.description

None

Events

audit

None

enrichments[1].name

Transaction

Events

audit

transaction_id

enrichments[1].value

‘transaction_id’ value not available

Events

audit

client_bytes

enrichments[1].data.client_bytes

None

Events

audit

server_bytes

enrichments[1].data.server_bytes

None

Events

audit

client_packets

enrichments[1].data.client_packets

None

Events

audit

server_packets

enrichments[1].data.server_packets

None

Events

audit

protocol

enrichments[1].data.protocol

None

Events

network

None

activity_id

99

Events

network

None

category_uid

2

Events

network

None

class_uid

2001

Events

network

_id

finding.uid

None

Events

network

None

finding.title

Events – Network

Events

network

None

metadata.product.name

Netskope CE

Events

network

None

metadata.product.vendor_name

Netskope

Events

network

None

metadata.version

1.1.0

Events

network

None

severity_id

99

Events

network

None

state_id

99

Events

network

None

type_uid

200199

Events

network

timestamp

time

None

Events

network

session_duration

duration

None

Events

network

user

observables[0].value

None

Events

network

None

observables[0].type_id

21

Events

network

None

observables[0].type

User

Events

network

None

observables[0].name

User

Events

network

domain

observables[1].value

None

Events

network

None

observables[1].type_id

99

Events

network

None

observables[1].type

Other

Events

network

None

observables[1].name

Domain Name

Events

network

srcip

observables[2].value

None

Events

network

None

observables[2].type_id

2

Events

network

None

observables[2].type

IP Address

Events

network

None

observables[2].name

Source IP

Events

network

dstip

observables[3].value

None

Events

network

None

observables[3].type_id

2

Events

network

None

observables[3].type

IP Address

Events

network

None

observables[3].name

Destination IP

Events

network

site

observables[4].value

None

Events

network

None

observables[4].type_id

99

Events

network

None

observables[4].type

Other

Events

network

None

observables[4].name

Site name

Events

network

None

enrichments[0].name

App Name

Events

network

app

enrichments[0].value

‘app’ value not available

Events

network

appcategory

enrichments[0].data.appcategory

None

Events

network

ccl

enrichments[0].data.ccl

None

Events

network

cci

enrichments[0].data.cci

None

Events

network

app_session_id

enrichments[0].data.app_session_id

None

Events

network

None

enrichments[1].name

Device Name

Events

network

device

enrichments[1].value

‘device’ value not available

Events

network

device_classification

enrichments[1].data.device_classification

None

Events

network

os

enrichments[1].data.os

None

Events

network

os_version

enrichments[1].data.os_version

None

Events

network

browser

enrichments[1].data.browser

None

Events

network

nsdeviceuid

enrichments[1].data.nsdeviceuid

None

Events

network

None

enrichments[2].name

Transaction

Events

network

transaction_id

enrichments[2].value

‘transaction_id’ value not available

Events

network

client_bytes

enrichments[2].data.client_bytes

None

Events

network

server_bytes

enrichments[2].data.server_bytes

None

Events

network

client_packets

enrichments[2].data.client_packets

None

Events

network

server_packets

enrichments[2].data.server_packets

None

Events

network

protocol

enrichments[2].data.protocol

None

Events

network

None

enrichments[3].name

Justification

Events

network

justification_type

enrichments[3].value

‘justification_type’ value not available

Events

network

justification_reason

enrichments[3].data.description

None

Events

network

None

enrichments[4].name

Tunnel ID

Events

network

tunnel_id

enrichments[4].value

‘tunnel_id’ value not available

Events

network

tunnel_type

enrichments[4].data.tunnel_type

None

Events

network

tunnel_uptime

enrichments[4].data.tunnel_uptime

None

WebTx

Data Type

Sub Type

Netskope Field

OCSF Field

Default value

Webtx

v2

None

activity_id

99

Webtx

v2

None

category_uid

2

Webtx

v2

None

class_uid

2001

Webtx

v2

_id

finding.uid

None

Webtx

v2

None

finding.title

WebTx – v2

Webtx

v2

None

metadata.product.name

Netskope CE

Webtx

v2

None

metadata.product.vendor_name

Netskope

Webtx

v2

None

metadata.version

1.1.0

Webtx

v2

None

severity_id

99

Webtx

v2

None

state_id

99

Webtx

v2

None

type_uid

200199

Webtx

v2

date:time

time

None

Webtx

v2

time-taken

duration

None

Webtx

v2

cs-username

observables[0].value

None

Webtx

v2

None

observables[0].type_id

21

Webtx

v2

None

observables[0].type

User

Webtx

v2

None

observables[0].name

cs-username

Webtx

v2

c-ip

observables[1].value

None

Webtx

v2

None

observables[1].type_id

2

Webtx

v2

None

observables[1].type

IP Address

Webtx

v2

None

observables[1].name

Client IP

Webtx

v2

s-ip

observables[2].value

None

Webtx

v2

None

observables[2].type_id

2

Webtx

v2

None

observables[2].type

IP Address

Webtx

v2

None

observables[2].name

Server IP

Webtx

v2

None

enrichments[0].name

Cloud Application

Webtx

v2

x-cs-app

enrichments[0].value

‘x-cs-app’ value not available

Webtx

v2

x-category

enrichments[0].data.x-category

None

Webtx

v2

x-other-category

enrichments[0].data.x-other-category

None

Webtx

v2

None

enrichments[1].name

Server Transaction details

Webtx

v2

sc-bytes

enrichments[1].value

‘sc-bytes’ value not available

Webtx

v2

x-type

enrichments[1].data.x-type

None

Webtx

v2

x-server-ssl-err

enrichments[1].data.x-server-ssl-err

None

Webtx

v2

x-client-ssl-err

enrichments[1].data.x-client-ssl-err

None

Webtx

v2

None

enrichments[2].name

HTTP Transaction ID

Webtx

v2

x-transaction-id

enrichments[2].value

‘x-transaction-id’ value not available

Webtx

v2

cs-method

enrichments[2].data.cs-method

None

Webtx

v2

cs-uri-scheme

enrichments[2].data.cs-uri-scheme

None

Webtx

v2

cs-uri-query

enrichments[2].data.cs-uri-query

None

Webtx

v2

cs-user-agent

enrichments[2].data.cs-user-agent

None

Webtx

v2

cs-content-type

enrichments[2].data.cs-content-type

None

Webtx

v2

sc-status

enrichments[2].data.sc-status

None

Webtx

v2

sc-content-type

enrichments[2].data.sc-content-type

None

Webtx

v2

cs-dns

enrichments[2].data.cs-dns

None

Webtx

v2

cs-host

enrichments[2].data.cs-host

None

Webtx

v2

cs-uri

enrichments[2].data.cs-uri

None

Webtx

v2

cs-uri-port

enrichments[2].data.cs-uri-port

None

Webtx

v2

cs-referer

enrichments[2].data.cs-referer

None

Webtx

v2

x-cs-session-id

enrichments[2].data.x-cs-session-id

None

Webtx

v2

None

enrichments[3].name

Geolocation Transaction

Webtx

v2

None

enrichments[3].value

Location

Webtx

v2

x-c-country

enrichments[3].data.x-c-country

None

Webtx

v2

x-c-zipcode

enrichments[3].data.x-c-zipcode

None

Webtx

v2

x-c-latitude

enrichments[3].data.x-c-latitude

None

Webtx

v2

x-c-longitude

enrichments[3].data.x-c-longitude

None

Webtx

v2

None

enrichments[4].name

Client Connector Device Information

Webtx

v2

x-c-device

enrichments[4].value

‘x-c-device’ value not available

Webtx

v2

x-cs-page-id

enrichments[4].data.x-cs-page-id

None

Webtx

v2

None

enrichments[5].name

Client Transaction

Webtx

v2

None

enrichments[5].value

Client Transaction details

Webtx

v2

cs-bytes

enrichments[5].data.cs-bytes

None

Webtx

v2

bytes

enrichments[5].data.bytes

None
