REST API Reports
You can also use REST APIs to analyze the data captured by Netskope for the following scenarios:
REST API responses can return up to 10000 results in a single response. You can use pagination to retrieve more results.
- Identify sensitive customer or employee information:
  - Alert the administrator through email when an enterprise worker downloads PHI or PCI data onto an unmanaged device from sanctioned cloud storage apps.
  - Alert the administrator when an enterprise worker uploads PHI, PCI, or PII data into cloud storage apps.
  - Alert the administrator through email when a user shares PHI content with an email@example.com user on a cloud storage application.
  - Alert the administrator and the employee's manager when a user downloads a large number (>75k) of PHI records from any device from cloud storage. Notify the centralized governing body through email.
The table below shows the REST API queries used for these scenarios.

Purpose: Pull all the DLP alerts for API Data Protection
Description: https://<tenant hostname>.goskope.com/api/v1/alerts?token=<REST API token>&type=dlp&query=access_method%20eq%20%27API%20Connector%27&timeperiod=604800
This pulls the DLP alerts for API Data Protection (access_method = API Connector) for a time period of 7 days. You can set the time period to the last 1 hour, last 7 days, last 30 days, and so on.

Purpose: Pull all the DLP alerts for a specific policy (this covers the use case where the admin is looking for a specific PHI or PCI violation; the admin queries based on the policy name configured for DLP inspection)
Description: https://<tenant hostname>.goskope.com/api/v1/alerts?token=<token-no>&type=dlp&query=alert_name%20eq%20%27Custom-PHI%27&timeperiod=604800
In this example, the policy name queried was

Purpose: Pull events when a user downloads a PHI file
Description: https://<tenant hostname>.goskope.com/api/v1/alerts?token=<token>&type=dlp&query=activity%20eq%20Download%20and%20alert_name%20eq%20%27Custom-PHI%27&timeperiod=2592000
In this example, the query is activity eq download and alert_name eq 'Custom-PHI'. This can be further filtered by device type to identify downloads from a mobile device.
- Identify and Protect Intellectual Property
  Alert the administrator when an employee uploads intellectual property data to the cloud. This involves using the DLP Fingerprinting feature to fingerprint all key design documents, looking for keywords such as confidential, sensitive, and so on, or using DLP Precise Data Matching.
  You can query for DLP alerts based on a specific DLP policy name, a fingerprint classification, or an action. To query for DLP alerts matching a specific DLP Fingerprint profile:
  https://<tenant hostname>.goskope.com/api/v1/alerts?token=<token-no>&type=dlp&query=dlp_fingerprint_classification%20eq%20intellectual&timeperiod=2592000
  In the above example you are fetching all the DLP alerts that matched the fingerprint classification intellectual.
- Audit all activities of the users
  - Create a report to see the top activities performed by users
  - Create a report to understand top application usage
  - Query for risky apps
  - Query for risky users
  - Create a second-level summary report to identify DLP violations per app
  - Check for files that are shared outside of the organization
- Policy Governance
  - Identify allowed apps vs blocked apps
  - Identify the list of files that are quarantined
  - Identify the list of files that are encrypted by policy
Purpose: Query events with action of encrypt
Description: https://<tenant hostname>.goskope.com/api/v1/events?token=<rest api token>&type=application&query=action%20eq%20encrypt&timeperiod=604800

Purpose: Block vs Allow Apps
Description: Create a report with the following:
  - Event type: Alert
  - Query: Action (block)
  - Summarize by apps
  - Second-level summary by users
This report shows the list of apps and the list of users blocked per app.

Purpose: Query events with action of quarantine
Description: https://<tenant hostname>.goskope.com/api/v1/events?token=<rest api token>&type=application&query=action%20eq%20quarantine&timeperiod=604800

Purpose: Find the Top 10 applications for the last 24 hours
Description: https://<tenant hostname>.goskope.com/api/v1/report?token=<rest api token>&type=page&groupby=application&timeperiod=86400&limit=10
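The alert queries in the tables above, the 10000-results-per-response ceiling with pagination, and the "summarize by apps, second-level summary by users" report, as one added Python example that is not Netskope's code and is not from this page. It builds /api/v1/alerts URLs with the same percent-encoding the page shows (spaces as %20, quotes as %27), pages through results, and counts alerts per app and per user. Two things are assumptions not stated on this page: that the v1 alerts endpoint accepts limit and skip parameters for pagination, and that responses are JSON objects shaped {"status": "success", "data": [...]}. The tenant name, the token, and the alerts served by the fake HTTP function are constructed placeholders.

```python
"""Added example (not Netskope's own code): build Netskope v1 REST API alert
queries with correct percent-encoding, page through results, and summarise them.

Assumptions, labelled here because the page does not state them:
  * /api/v1/alerts accepts `limit` and `skip` for pagination;
  * responses are JSON objects shaped {"status": "success", "data": [...]}.
Tenant name, token and the sample alerts below are constructed placeholders.
"""
from collections import Counter
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

MAX_PAGE = 10000  # ceiling on results in a single response (from the page)


def query_expr(*terms):
    """Join (field, value) pairs into 'field eq value and ...'. Values that are
    not purely alphanumeric get single quotes, matching the page's examples:
    activity eq Download, alert_name eq 'Custom-PHI', access_method eq 'API Connector'."""
    parts = []
    for field, value in terms:
        value = str(value)
        if not value.isalnum():
            value = f"'{value}'"
        parts.append(f"{field} eq {value}")
    return " and ".join(parts)


def build_url(tenant, path, token, params):
    """https://<tenant>.goskope.com<path>?token=...&...; `quote` (not quote_plus)
    encodes spaces as %20 and quotes as %27, exactly as the page's URLs do."""
    query = urlencode([("token", token), *params], quote_via=quote)
    return urlunsplit(("https", f"{tenant}.goskope.com", path, query, ""))


def redact_token(url):
    """The token travels in the query string, so the full URL ends up in proxy,
    browser and web-server logs; strip it before logging or raising."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "token" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(pairs, quote_via=quote)))


def fetch_all_alerts(tenant, token, params, http_get, page_size=MAX_PAGE):
    """Walk /api/v1/alerts with skip/limit (assumed parameters) until a page
    shorter than page_size arrives. http_get(url) must return the parsed JSON
    body; inject urllib/requests in production or fake_netskope_get offline."""
    if not 0 < page_size <= MAX_PAGE:
        raise ValueError("page_size must be between 1 and 10000")
    alerts, skip = [], 0
    while True:
        url = build_url(tenant, "/api/v1/alerts", token,
                        [*params, ("limit", page_size), ("skip", skip)])
        body = http_get(url)
        if body.get("status") != "success":
            raise RuntimeError(f"query failed for {redact_token(url)}: {body.get('msg')}")
        page = body.get("data", [])
        alerts.extend(page)
        if len(page) < page_size:
            return alerts
        skip += page_size


def summarize(alerts, key, second_level=None):
    """'Summarize by apps, second-level summary by users': count alerts per
    `key`, and optionally per `second_level` value within each `key`."""
    top = Counter(a.get(key) for a in alerts)
    if second_level is None:
        return dict(top)
    return {k: dict(Counter(a.get(second_level) for a in alerts if a.get(key) == k))
            for k in top}


# --- constructed sample data and a fake HTTP layer so this runs offline ------
SAMPLE_ALERTS = [  # constructed records, not real Netskope output
    {"alert_name": "Custom-PHI", "activity": "Download", "app": app, "user": user}
    for app, user in [("Box", "alice"), ("Box", "bob"), ("Dropbox", "alice")] * 5
]  # 15 alerts in total
CALL_LOG = []  # one redacted URL per request, to show how many pages were fetched


def fake_netskope_get(url):
    """Serve SAMPLE_ALERTS honouring skip/limit, in the assumed response shape."""
    CALL_LOG.append(redact_token(url))
    q = dict(parse_qsl(urlsplit(url).query))
    if q.get("token") != "EXAMPLE-TOKEN":
        return {"status": "error", "msg": "invalid token"}
    skip, limit = int(q.get("skip", 0)), int(q.get("limit", MAX_PAGE))
    return {"status": "success", "data": SAMPLE_ALERTS[skip:skip + limit]}


if __name__ == "__main__":
    params = [("type", "dlp"),
              ("query", query_expr(("activity", "Download"), ("alert_name", "Custom-PHI"))),
              ("timeperiod", 2592000)]
    got = fetch_all_alerts("example", "EXAMPLE-TOKEN", params, fake_netskope_get, page_size=4)
    print(len(got), "alerts over", len(CALL_LOG), "requests")
    print(summarize(got, "app", "user"))
```

Keep page_size at the documented 10000 ceiling against a real tenant; the tiny page size in the `__main__` block only exists to exercise the pagination loop against the 15 constructed alerts. Because http_get is injected, the same loop works with urllib or requests, and the redacted URL is what should reach any log line.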