REST API Events and Alerts Response Descriptions

These are the response descriptions for the Get Events Data and Get Alerts Data endpoints.

| Parameter Grouping | Parameter Name | Description | Data Type | Example Responses | App Events | Page Events | Alerts |
|---|---|---|---|---|---|---|---|
| General | timestamp | Timestamp when the event/alert happened. Event timestamp in Unix epoch format. | Integer | 1443811033 | Y | Y | Y |
| General | _insertion_epoch_timestamp | Insertion timestamp | Integer | 1485025255 | Y | Y | Y |
| General | src_timezone | Source timezone. Shows the long-format timezone designation. | String | America/Los_Angeles | Y | Y | Y |
| General | dst_timezone | Destination timezone | String | America/New_York | Y | Y | Y |
| General | type | Shows whether it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events show the actual HTTP connection. | String | Value for Application Events: nspolicy; Value for Page Events: connection; Values for Alerts: nspolicy, connection, breach, anomaly, malsite | | | |
| General | access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder, etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type, such as PAN, Websense, etc. | String | Client, Secure Forwarder, API Connector, Proxy Chaining, Reverse Proxy | Y | Y | Y |
| General | traffic_type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and Web indicates HTTP traffic. Web traffic is only captured for the inline access method. It is currently not captured for Risk Insights. | String | CloudApp, Web | Y | Y | Y |
| General | action | Action taken on the event for the policy | String | useralert, Detection, bypass, block, alert, restrictToView, disableDownload, legalHold, expireLink, restrictAccess, delete, quarantine | Y | Y | Y |
| General | fromlogs | Shows if the event was generated from the Risk Insights log. | String | yes | Y | Y | Y |
| General | user_generated | Tells whether it is a user-generated page event | Boolean | yes, no | N | Y | Y |
| General | tunnel_id | Shows the Client installation ID. Only available for the Client steering configuration. | String | c5b07447-e86e-4722-b59e-81144 | Y | Y | Y |
| General | request_id | Unique request ID for the event | Integer | 1,590 | Y | N | Y |
| General | transaction_id | Unique ID for a given request/response | String | 1843244978932892112 | Y | Y | Y |
| General | connection_id | Each connection has a unique ID. Shows the ID for the connection event. | LongInt | 117073088998365 | Y | Y | Y |
| General | conn_duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | Integer | 59000 | Y | Y | Y |
| General | conn_starttime | Connection start time | Float | 1480330369 | N | Y | Y |
| General | conn_endtime | Connection end time | Float | 1480330428 | N | Y | Y |
| General | latency_min | Minimum latency for a connection in milliseconds | Integer | 47 | N | Y | Y |
| General | latency_max | Maximum latency for a connection in milliseconds | Integer | 651 | N | Y | Y |
| General | latency_total | Total latency from proxy to app in milliseconds | Integer | 3797 | N | Y | Y |
| General | req_cnt | Total number of HTTP requests (equal to the number of transaction events for this page event) sent from client to server over one underlying TCP connection. | Integer | 21 | Y | Y | Y |
| General | resp_cnt | Total number of HTTP responses (equal to the number of transaction events for this page event) from server to client | Integer | 21 | Y | Y | Y |
| General | http_transaction_count | HTTP transaction count | Integer | 300 | N | Y | Y |
| General | numbytes | Total number of bytes that were transmitted for the connection: numbytes = client_bytes + server_bytes | Integer | 18177 | Y | Y | Y |
| General | client_bytes | Total number of bytes uploaded from client to server | Integer | 1093 | Y | Y | Y |
| General | server_bytes | Total number of bytes downloaded from server to client. | Integer | 17084 | Y | Y | Y |
| General | suppression_key | Used to limit the number of events. Example: suppress the block event for browse | String | 2019-01-07_1135.zip | Y | N | Y |
| General | suppression_start_time | When events are suppressed (as for collaboration apps), the suppression end time is set and only one event is sent, carrying the suppression start time, end time and count of occurrences. | Integer | 1443811033 | Y | Y | Y |
| General | suppression_end_time | When events are suppressed (as for collaboration apps), the suppression end time is set and only one event is sent, carrying the suppression start time, end time and count of occurrences. | Integer | 1443811078 | Y | Y | Y |
| General | count | Number of raw log lines/events sessionized or suppressed during the suppressed interval. | Integer | 1 | Y | Y | Y |
| General | bypass_traffic | Tells if traffic is bypassed by Netskope | Boolean | yes, no | N | Y | Y |
| General | ssl_decrypt_policy | Applicable only to bypass events. There are two ways to create rules for bypass: bypass due to Exception Configuration, and bypass due to SSL Decrypt Policy. The existing flag bypass_traffic only tells that a flow has been bypassed, not which policy was responsible for it. The ssl_decrypt_policy field provides this extra information. In addition, the policy field is also set for every Bypass event. | String | yes, no | N | Y | Y |
| General | dynamic_classification | Whether or not URLs were categorized by the NSURLC machine | String | yes, no | N | N | Y |
| General | dst_geoip_src | Source from which the location of the destination IP was derived | Integer | 1 | Y | Y | Y |
| General | src_geoip_src | Source from which the location of the source IP was derived | Integer | 2 | Y | Y | Y |
| General | modified | Timestamp corresponding to the modification time of the entity (file, etc.) | DateTime | 2017-01-17T08:56:05 | Y | Y | Y |
| Alert | alert | Indicates whether an alert is generated or not. Populated as yes for all alerts. | String | yes, no | Y | Y | Y |
| Alert | alert_name | Name of the alert | String | proximity, rare_event, risky_country, user_shared_credentials, data_exfiltration, mlad | | | |
| Alert | alert_type | Type of the alert | String | Values for Alerts: watchlist, policy, DLP, Legal Hold, quarantine, Malware, malsite, anomaly, Compromised Credential, Security Assessment; Values for App Events: policy, DLP, quarantine, Legal Hold, Malware, Security Assessment, Remediation | | | |
| Alert | acked | Whether the user acknowledged the alert or not | Boolean | false, true | Y | Y | Y |
| Alert | severity | Severity used by watchlist and malware alerts | String | low, medium, high, unknown, null | Y | Y | Y |
| Alert | severity_id | Severity ID used by watchlist and malware alerts | Integer | 1, 2, 3, null | Y | N | Y |
| Alert | policy_id | The Netskope internal ID for the policy created by an admin | Integer | 1, 8 | Y | N | Y |
| Alert | policy | Name of the policy configured by an admin | String | PCI Files in OneDrive | Y | Y | Y |
| Alert | profile_emails | List of profile emails per policy | String | [“”] | Y | N | Y |
| Alert | justification_reason | Justification reason provided by the user. Justification events are raised for the following policies; the user is shown a notification popup, enters a justification and can choose to proceed or block: 1. useralert policy; 2. dlp block policy; 3. block policy with a custom template that contains a justification text box | String | Provided reason | Y | N | Y |
| Alert | justification_type | Type of justification provided by the user when the user bypasses the policy block | String | falsePositive, justification | Y | N | Y |
| Application | app | Specific cloud application used by the user (e.g. app = Dropbox). | String | Google Drive | Y | Y | Y |
| Application | appcategory | Application category as designated by Netskope | String | Collaboration, Customer Relationship Management, Cloud Storage, IaaS/PaaS | Y | Y | Y |
| Application | ccl | Cloud Confidence Level. CCL measures the enterprise readiness of cloud apps, taking into consideration those apps' security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying whether users are accessing a cloud app with a lower CCL. | String | excellent, high, medium, low, poor, unknown, not_defined | Y | Y | Y |
| Application | site | For traffic_type = CloudApp, site = app; for traffic_type = Web, it is the second-level domain name + top-level domain name. For example, in “”, it is “”. | String | cnn.com | Y | Y | Y |
| Application | url | URL of the application that the user visited as provided by the log or data plane | | 31/notestore | Y | Y | Y |
| Application | page | The URL of the originating | | | | | |
| Application | domain | Domain value. This will hold the host header value or SNI or extracted from absolute | | | | | |
| Application | sessionid | Populated by Risk Insights | Integer | 34014529 | Y | Y | Y |
| Application | app_session_id | Unique app/site session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site and ends once they have been inactive for a certain period of time (15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | | | | | |
| Application | referer | Referer URL of the application (with http) that the user visited as provided by the log or data plane traffic | String | nPortal/Home | Y | Y | Y |
| Application | managed_app | Whether or not the app in question is managed | Boolean | yes, no | Y | N | Y |
| Application | telemetry_app | SaaS app web sites typically use web analytics code within their pages to gather analytic data. When a SaaS app action or page is shown, subsequent traffic is generated to tracking apps such as Optimizely, etc. These tracking apps are listed, if applicable, in the Telemetry App field. | String | doubleclick, Amazon S3, google, Microsoft Office 365 Suite, Adswizz, fbcdn | Y | N | Y |
| Application | instance_id | Unique ID associated with an organization application instance | String | nammazone.com | Y | N | Y |
| Application | instance | Instance associated with an organization application instance | String | nammazone.com | Y | Y | Y |
| Application | instance_name | Instance name associated with an organization application instance | String | netskope.com | Y | N | Y |
| Application | instance_type | Instance type | String | VirtualPrivateCloud, Server, Image, Document, Managed Instance, LoadBalancer | | | |
| Application | object | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | String | Resume.doc | Y | Y | Y |
| Application | object_id | Unique ID associated with an object | String | 3214 | Y | N | Y |
| Application | object_type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | String | File, User, Note | Y | N | Y |
| Application | from_object | Initial name of an object that has been renamed, copied or moved | String | test1 | Y | N | Y |
| Application | to_object | Changed name of an object that has been renamed, copied, or moved | String | test2 | Y | N | Y |
| Application | object_count | Displayed when the activity is Delete. Shows the number of objects being deleted | Integer | 3 | Y | N | Y |
| Application Specific | enterprise_id | Enterprise ID in the case of Slack for Enterprise | String | E8D23NJ1H | Y | N | Y |
| Application Specific | enterprise | Enterprise name in the case of Slack for Enterprise | String | Netskope enterprise | Y | N | Y |
| Application Specific | workspace_id | Workspace ID in the case of Slack for Enterprise | String | TDFHG3CLF | Y | N | Y |
| Application Specific | workspace | Workspace name in the case of Slack for Enterprise | String | Netskope workspace | Y | N | Y |
| Application Specific | team | Slack team name | String | Netskope team | Y | N | Y |
| Application Specific | channel | Channel of the user for Slack and Slack Enterprise apps | String | channel1 | Y | N | Y |
| Application Specific | sub_type | Workplace by Facebook post sub-category (files, comments, status etc.) | String | file, comment, post | Y | N | Y |
| Application Specific | violating_user | User who caused a violation. Populated for Workplace by Facebook | String | example@netskope.com | Y | N | Y |
| Application Specific | violating_user_type | Category of the user who caused a violation. Populated for Workplace by Facebook. | String | Internal, External | Y | N | Y |
| Application Specific | logintype | Salesforce login type | String | Remote Access 2.0, Other Apex API, Remote Access Client | Y | N | Y |
| Application Specific | loginurl | Salesforce login URL | String | my.salesforce.com | Y | N | Y |
| Application Specific | new_value | New value for a given file for salesforce.com | String | 2019-01-18 3:33:58 | Y | N | Y |
| Application Specific | old_value | Old value for a given file for salesforce.com | String | 2019-01-17 3:33:58 | Y | N | Y |
| Application Specific | scopes | List of permissions for Google apps | String | [“ /auth/cloud-platform”, “ auth/”] | | | |
| Application Specific | session_id | Session ID for the Dropbox application | Integer | 1.77573E+14 | Y | N | Y |
| Application Specific | user_role | Roles such as admin, owner, etc. for Box | String | Admin, coadmin, user | Y | N | Y |
| Application Specific | role | Roles for Box | String | Editor, Previewer, Previewer Uploader, Uploader, Viewer, Viewer Uploader, Owner, Co-owner | Y | N | Y |
| Activity | activity | Description of the activity performed by the user | String | Download, Invite, Issue, Join, Login Attempt, Login Failed, Login Successful, Logout, Mark, Markup, Move, Upload, View, View All | Y | Y | Y |
| Activity | activity_type | Displayed when only admins can perform the activity in question | String | Admin | Y | N | Y |
| Activity | act_user | User performing an activity | String | user@netskope.com | Y | N | Y |
| Activity | activity_status | Displayed when the user is denied access while performing some activity | String | Access Denied | Y | N | Y |
| Activity | Url2Activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. | String | Yes | Y | N | Y |
| Activity | ns_activity | Maps app activity to the Netskope standard activity. | String | Download, Upload, view, unlock | Y | N | Y |
| Activity | audit_category | The subcategories in an application, such as IAM, EC in AWS, or login, token, file, etc. in the case of Google. | String | IAM, Lambda, S3, access, Compute Engine, Elasticloadbalancing, EC2, event_change, acl_change | Y | N | Y |
| Activity | audit_type | The sub-category in audit according to SaaS / IaaS apps | String | download, edit, create, view, HeadBucket | Y | N | Y |
| User | userkey | User ID or email | String | user@netskope.com | Y | Y | Y |
| User | user_id | User email | String | user@netskope.com | Y | N | Y |
| User | user | User email | String | user@netskope.com | Y | Y | Y |
| User | user_name | Name of user | String | TestUser | Y | N | Y |
| User | ur_normalized | All-lower-case user email | String | user@netskope.com | Y | Y | Y |
| User | user_normalized | All-lower-case user email | String | user@netskope.com | N | N | Y |
| User | userip | IP address of | | | | | |
| User | useragent | Browser HTTP User-Agent header | String | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) | | | |
| User | user_category | Type of user in an enterprise: external / internal | String | Internal | Y | N | Y |
| User | organization_unit | Org Units to which the event correlates. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | String | Maximum of 5 levels: “OU1/OU2/OU3/OU4/OU5” | Y | Y | Y |
| User | org | Search for events from a specific organization. The organization name is derived from the user ID. | String | sampleorganization.org | Y | Y | Y |
| User | os | Operating system of the host that generated the event. | String | Yosemite | Y | Y | Y |
| User | os_version | OS version of the host | String | Windows 7 | Y | Y | Y |
| User | browser | Shows the actual browser from which the cloud app was accessed. | String | BlackBerry, Chrome, Firefox, iCab, Mobile, MSIE, Native, Opera, RockMelt, Safari, Skyfire, Tencent, Thunderbird | Y | Y | Y |
| User | browser_version | Browser version | String | 50 | Y | Y | Y |
| User | browser_session_id | Browser session ID. An idle timeout of 15 minutes will time out the session. | LongInt | 75256867583232 | Y | Y | Y |
| User | device | Device type from which the user accessed the cloud app. It could be a Macintosh, Windows device, iPad, etc. | String | Android Device, iOS Device, iPad, iPhone, Linux Device, Mac Device, Windows Device, Other Device | Y | Y | Y |
| User | device_classification | Designation of the device, as determined by the Netskope Client, as to whether the device is managed or not. | String | managed, not configured, unknown, unmanaged | Y | N | Y |
| User | hostname | Host name | String | example’s Macbook Pro | Y | Y | Y |
| User | nsdeviceuid | Device identifiers on macOS and Windows | String | zndbgI= | Y | N | Y |
| User | managementID | Management ID | String | FFD2E8A | Y | N | Y |
| Source | srcip | IP address of source/ | | | | | |
| Source | src_location | User’s city as determined by the Maxmind or IP2Location geodatabase | String | San Jose | Y | Y | Y |
| Source | src_region | Source state or region as determined by the Maxmind or IP2Location geodatabase | String | California | Y | Y | Y |
| Source | src_latitude | Latitude of the user as determined by the Maxmind or IP2Location geodatabase | Integer | [xx.xxxx] | Y | Y | Y |
| Source | src_longitude | Longitude of the user as determined by the Maxmind or IP2Location geodatabase | Integer | [] | N | Y | N |
| Source | src_country | User’s two-letter country code as determined by the Maxmind or IP2Location geodatabase | String | US | Y | Y | Y |
| Source | src_zipcode | Source zip code as determined by the Maxmind or IP2Location geodatabase | String | 95134 | Y | Y | Y |
| Destination | dstip | IP address where the destination app is | | | | | |
| Destination | dst_location | Application’s city as determined by the Maxmind or IP2Location geodatabase | String | Mountain View | Y | Y | Y |
| Destination | dst_region | Application’s state or region as determined by the Maxmind or IP2Location geodatabase | String | California | Y | Y | Y |
| Destination | dst_latitude | Latitude of the application as determined by the Maxmind or IP2Location geodatabase | Integer | [xx.xxxx] | Y | Y | Y |
| Destination | dst_longitude | Longitude of the application as determined by the Maxmind or IP2Location geodatabase | Integer | [] | N | Y | N |
| Destination | dst_country | Application’s two-letter country code as determined by the Maxmind or IP2Location geodatabase | String | US | Y | Y | Y |
| Destination | dst_zipcode | Application’s zip code as determined by the Maxmind or IP2Location geodatabase | String | 94043 | Y | Y | Y |
| Destination | dstport | Destination port | Integer | 443, 80 (1-65535) | Y | Y | Y |
| Introspection | retro_scan_name | Retro scan name | String | Retro_Scan_box_netskope.com_20181213_1616 | Y | Y | Y |
| Introspection | scan_type | Generated during a retroactive scan or new ongoing activity | String | Ongoing, ongoing, retroactive, Retroactive | Y | N | Y |
| File | file_id | Unique identifier of the file | String | 0B3jELp0mSNw2dTZDNUhpUGpjUGgxQUY5OUZI | Y | N | Y |
| File | filename | Name of the file | String | PandasDFTests.py | Y | N | Y |
| File | title | Title of the file | String | PandasDFTests.py | Y | Y | Y |
| File | mime_type | MIME type of the file | String | application/pdf | Y | N | Y |
| File | data_type | Content type of upload/download | String | application/xml | Y | Y | Y |
| File | md5 | MD5 of the file | String | 295a6f156624f73c31a9a670 | | | |
| File | file_size | Size of the file in bytes | Integer | 22854 | Y | N | Y |
| File | file_type | File type | String | text/plain, application/pdf, etc. | Y | Y | Y |
| File | file_lang | Language of the file | String | SWEDISH | Y | Y | Y |
| File | path_id | Path ID of the file in the application | Integer | 3.94218E+11 | Y | N | Y |
| File | file_path | Path of the file in the application | String | /sample/file.pdf | Y | N | Y |
| File | owner | Owner of the file | String | example@netskope.com | Y | N | Y |
| File | original_file_path | If the file is moved, the original path of the file is kept in this field | String | 29208ee0-021e-4cb2-87b4-c9303880 | Y | N | Y |
| File | from_user | Email address used to log in to the SaaS app | String | example@netskope.com | Y | N | Y |
| File | from_user_category | Type of from_user | String | Internal, External | Y | N | Y |
| File | to_user | Used when a file is moved from user A to user B. Shows the email address of user B | String | example@netskope.com | Y | N | Y |
| File | to_user_category | Type of the user to whom the move is done | String | Internal, External | Y | N | Y |
| File | shared_with | Array of emails with which a document is shared | String | [,,] | Y | Y | Y |
| File | shared | Whether the file is shared or not | Boolean | true, false | Y | N | Y |
| File | shared_type | Shared type | String | internal, external, private, enterprise | Y | N | Y |
| File | shared_domains | List of domains of users the document is shared with | String | [,] | Y | N | Y |
| File | exposure | Exposure of a document | String | private, public, public_on_web, enterprise, external, internal, anyone_with_link | Y | Y | Y |
| File | attachment | File name | String | image001.png | Y | N | Y |
| File | encrypt_failure | Reason for failure while encrypting | String | Failed getting encryption Key | Y | N | Y |
| File | log_file_name | Log file name for Risk Insights | String | 20190205T0917_0.csv.gz | Y | Y | Y |
| File | file_passwd_protected | Tells if the file is password protected | Boolean | TRUE | Y | N | Y |
| File | web_url | File preview URL | String | | | | |
| File | external_collaborator_count | Count of external collaborators on a file/folder. Supported for some apps. | Integer | 4 | Y | Y | Y |
| File | internal_collaborator_count | Count of internal collaborators on a file/folder. Supported for some apps. | Integer | 3 | Y | N | Y |
| File | total_collaborator_count | Count of collaborators on a file/folder. Supported for some apps. | Integer | 7 | Y | N | Y |
| DLP | dlp_incident_id | Incident ID associated with a sub-file. In the case of the main file, this is the same as the parent incident ID. | LongInt | 146831431522000 | Y | Y | Y |
| DLP | dlp_parent_id | Incident ID associated with the main container (or non-container) file that was scanned | LongInt | 146831431522000 | Y | Y | Y |
| DLP | dlp_file | File/object name extracted from the file/object | String | Credit Report.pdf | Y | N | Y |
| DLP | dlp_profile | DLP profile name | String | DLP-PCI | Y | Y | Y |
| DLP | dlp_rule | DLP rule that triggered | String | Name-Credit Card (CC) | Y | Y | Y |
| DLP | dlp_rule_count | Count of rule hits | Integer | 5 | Y | Y | Y |
| DLP | dlp_rule_severity | Severity of the rule | String | Low, Medium, High, Critical | Y | Y | Y |
| DLP | dlp_fingerprint_classification | Fingerprint classification | String | Sensitive Customer Information, PII | Y | N | Y |
| DLP | dlp_fingerprint_match | Fingerprint classification match file name | String | Top_100_Existing_Accounts_11_1_18.xlsx | Y | N | Y |
| DLP | dlp_fingerprint_score | Fingerprint classification score | Integer | 0-100 | Y | N | Y |
| DLP | dlp_rule_score | DLP rule score for weighted dictionaries | Integer | 13 | Y | N | Y |
| DLP | dlp_is_unique_count | True or false depending on whether the rule is unique-counted per rule data | Boolean | true, false | Y | Y | Y |
| DLP | dlp_unique_count | Integer value of the number of unique matches seen per rule data. Only present if the rule is uniquely counted. | Integer | 10 | Y | N | Y |
| Quarantine | quarantine_file_id | File ID of the quarantined file | String | 435bd35a-e021-4a2c-bc41-ba281f91 | Y | N | Y |
| Quarantine | quarantine_profile_id | Quarantine profile ID | Integer | 2 | Y | N | Y |
| Quarantine | quarantine_profile | Quarantine profile name of the policy for the quarantine action | String | Quarantine Data – OneDrive | Y | N | Y |
| Quarantine | quarantine_failure | Reason for failure | String | Quarantine failed; file transfer failure | Y | N | Y |
| Quarantine | quarantine_action_reason | Reason for the action taken for quarantine | String | Previously quarantined file still blocked because admin decision is pending | Y | N | Y |
| Quarantine | q_admin | Quarantine profile custodian email/name | String | example@netskope.com | Y | N | Y |
| Quarantine | q_app | Quarantine app name | String | Box | Y | N | Y |
| Quarantine | q_instance | Quarantine instance name | String | Box Production | Y | N | Y |
| Quarantine | q_original_filename | Original name of the file that was quarantined | String | Sensitive File | Y | N | Y |
| Quarantine | q_original_filepath | Original path of the file that was quarantined | String | All/Folder1/Folder2 | Y | N | Y |
| Quarantine | q_original_shared | Original file shared-user details | String | Private | Y | N | Y |
| Quarantine | q_original_version | Original version of the file that was quarantined | String | 1 | Y | N | Y |
| Quarantine | quarantine_file_name | File name of the quarantined file | String | sensitivefile.txt | Y | N | Y |
| Legal Hold | legal_hold_profile_name | Legal hold profile name | String | Legal hold Test Profile | Y | N | Y |
| Legal Hold | lh_custodian_email | Custodian email of the legal hold profile | String | example@netskope.com | Y | N | Y |
| Legal Hold | lh_custodian_name | Custodian name of the legal hold profile | String | Kelly Oar | Y | N | Y |
| Legal Hold | lh_dest_app | Destination app name of the legal hold action | String | Box | Y | N | Y |
| Legal Hold | lh_dest_instance | Destination instance of the legal hold action | String | Box Production | Y | N | Y |
| Legal Hold | lh_fileid | File ID of the legal hold file | String | 3.97035E+11 | Y | N | Y |
| Legal Hold | lh_filename | File name of the legal hold file | String | Sensitive file_v1_2016-04-2707-00-15(UTC) | Y | N | Y |
| Legal Hold | lh_filepath | File path of the legal hold file | String | All/Folder1/Folder2 | Y | N | Y |
| Legal Hold | lh_original_filename | Original filename of the legal hold file | String | Sensitive File | Y | N | Y |
| Legal Hold | lh_shared | Shared type of the legal hold file | String | Internal | Y | N | Y |
| Legal Hold | lh_shared_with | Users the legal hold file is shared with | String | [“”, “”] | Y | N | Y |
| Legal Hold | lh_version | File version of the original file | String | 1 | Y | N | Y |
| Anomaly | orig_ty | Event type of the original event | String | nspolicy, connection | N | Y | Y |
| Anomaly | last_timestamp | Last timestamp (timestamp in the first/older event). Applies only to the proximity anomaly alert. | LongInt | 1549296669 | N | Y | Y |
| Anomaly | last_app | Last application (app in the first/older event). Applies only to the proximity anomaly alert. | String | Facebook | N | Y | Y |
| Anomaly | last_device | Last device name (device name in the first/older event). Applies only to the proximity anomaly alert. | String | Windows Device | N | Y | Y |
| Anomaly | last_country | Last location (country). Applies only to the proximity anomaly alert. | String | US | N | Y | Y |
| Anomaly | last_location | Last location (city). Applies only to the proximity anomaly alert. | String | Chicago | N | Y | Y |
| Anomaly | last_region | Last location (region). Applies only to the proximity anomaly alert. | String | Pennsylvania | N | Y | Y |
| Anomaly | download_app | Applicable only to data exfiltration. Download app (app in the download event). | String | Google Gmail | N | N | Y |
| Anomaly | shared_credential_user | Applicable only to shared credentials. User with whom the credentials are shared. | String | Michael Sam | N | N | Y |
| Anomaly | threshold_time | Threshold time. Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types (Bulk Upload/Download/Delete) and the Failed Login Anomaly type. | LongInt | Default time (86400 seconds) | N | N | Y |
| Anomaly | bin_timestamp | Bin timestamp (a window used for certain types of anomalies, for breaking them into several windows per day/hour). Applicable only to: Shared Credentials, Data Exfiltration, Bulk Anomaly types (Bulk Upload/Download/Delete) and the Failed Login Anomaly type. | | | | | |
| Anomaly | threshold | Threshold (count at which the anomaly should trigger). Applicable to Bulk Anomaly types (Bulk Upload/Download/Delete) and the Failed Login Anomaly type | Integer | 205 | N | Y | Y |
| Anomaly, MLAD | event_type | Anomaly type | String | App Events: Info, error; Alerts: proximity, rare_event, risky_country, user_shared_credentials, data_exfiltration, bulk_upload, bulk_download, mlad | Y | Y | Y |
| Anomaly, MLAD | profile_id | Anomaly profile ID | String | NS_101 (which means proximity alert), NS_103, NS_102, NS_307, NS_306, NS_304, NS_303, NS_305, NS_301, NS_403, NS_401 | | | |
| Anomaly, MLAD | risk_level_id | This field is set by both role-based access (RBA) and MLAD | Integer | 1, 2, 0 | N | Y | Y |
| Anomaly, MLAD | risk_level | Name corresponding to risk_level_id. | String | low, med, high | Y | Y | Y |
| Malsite | malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | Boolean | TRUE | Y | Y | Y |
| Malsite | malsite_active | For how many days the malsite has been active | Integer | 2 | N | N | Y |
| Malsite | malsite_as_number | Malsite ASN number | String | AS35838 CCANet Limited | N | N | Y |
| Malsite | malsite_confidence | Malsite confidence score | Integer | 100 | N | N | Y |
| Malsite | malsite_consecutive | How many times that malsite has been seen | Integer | 1 | N | N | Y |
| Malsite | malsite_category | Category of the malsite [Phishing / Botnet / Malicious URL, etc.] | String | [“Malicious Site”] | Y | N | Y |
| Malsite | malsite_country | Malsite country | String | US | N | N | Y |
| Malsite | malsite_region | Region of the malsite URL/IP/domain | String | Texas | N | N | Y |
| Malsite | malsite_city | Malsite city | String | Los Angeles | N | N | Y |
| Malsite | malsite_dns_server | DNS server of the malsite URL/Domain/ | | | | | |
| Malsite | malsite_first_seen | Malsite first-seen timestamp | Integer | 1485302400 | N | N | Y |
| Malsite | malsite_hostility | Malsite hostility score | Integer | 5 | N | N | Y |
| Malsite | malsite_isp | Malsite ISP info | String | CCANET Limited | N | N | Y |
| Malsite | malsite_longitude | Longitude plot of the malsite URL/IP/domain | Float | x.xxxx | N | N | Y |
| Malsite | malsite_latitude | Latitude plot of the malsite URL/IP/domain | Float | xx.xxx | N | N | Y |
| Malsite | malsite_last_seen | Malsite last-seen timestamp | Integer | 1486339200 | N | N | Y |
| Malsite | malsite_reputation | Reputation score of the malsite IP/domain/URL | Float | 7.4 | N | N | Y |
| Malsite | malsite_id | Malicious site ID: hash of the threat match value | String | 9228edb31a922c392ba3746 | N | N | Y |
| Malsite | severity_level_id | If the Severity Level ID is 1, the URL/IP/domain was detected from the internal threat feed; if it is 2, the detection happened based on the OEM DB malsite category. | Integer | 0, 1, 2, 3 | N | N | Y |
| Malsite | severity_level | Severity level of the malsite (High / Med / Low) | String | low, medium, high | N | N | Y |
| Malsite | threat_match_field | Threat match field: domain, URL or IP. | String | domain, url, ip | Y | N | Y |
| Malsite | threat_source_id | Threat source ID: 1 = NetskopeThreatIntel, 2 = OEM DB | Integer | 1, 2 | Y | N | Y |
| Malware | scan_time | Time when the scan was done | LongInt | 1474308875 | Y | N | Y |
| Malware | malware_id | MD5 hash of the malware name as provided by the scan engine | String | Any MD5 hash string (as a hexadecimal string) | Y | N | Y |
| Malware | malware_type | What type of threat this is (virus, etc.) | String | Adware, Dialer, Malicious App, Spam, Phishing, Spyware, Virus, Heuristic, No Detection, Encrypted/Unscannable, Trojan, Error, Misleading Application | Y | N | Y |
| Malware | detection_type | Same as malware_type. Duplicate. | String | virus, trojan | Y | N | Y |
| Malware | malware_severity | How severe the threat posed by this malware is | String | high, medium, low | Y | N | Y |
| Malware | malware_name | The detection name for this threat | String | Gen.Ransom.Encrypted.File.ns | Y | N | Y |
| Malware | detection_engine | Customer-exposed detection engine name | String | Netskope AV, Netskope Threat Intel, Netskope Advanced Heuristics, Netskope Advanced Sandbox | Y | N | Y |
| Malware | tss_mode | Malware scanning mode; specifies whether it is Real-time Protection or API Data Protection | String | Introspection, Inline | Y | N | Y |
| Malware | malware_profile | tss_profile: the profile the user has selected. Data comes from the WebUI. It is a JSON structure. | String | Default Malware Scan | Y | N | Y |
| Malware | zip_password | Password of the zip archive in which the malicious file is packaged and sent back to the caller | String | netskope | Y | N | Y |
| Malware | local_md5 | MD5 hash of the file generated by the malware engine | String | 3b30d5c68bfe | Y | N | Y |
| Malware | local_sha256 | SHA-256 hash of the file generated by the malware engine | String | 3b30d5c68bfe | Y | N | Y |
| Malware | local_sha1 | SHA-1 hash of the file generated by the malware engine | String | 3b30d5c68bfe | Y | N | Y |
| Compromised Credentials | breach_id | Breach ID for compromised credentials | String | 95e2e98ac17cf08de4b82f94 356dc51e | N | N | Y |
| Compromised Credentials | breach_date | Breach date for compromised credentials | Integer | 1524700800 | N | N | Y |
| Compromised Credentials | breach_score | Breach score for compromised credentials | Integer | 30, 100 | N | N | Y |
| Compromised Credentials | breach_target_references | Breach target references for compromised credentials | String | forbes.com | N | N | Y |
| Compromised Credentials | breach_media_references | Media references of the breach | String | 1009_3-57618945-83/syrian- electronic-army-hacks-forbes-steals-user-data/ | N | N | Y |
| IaaS CSA | sa_profile_name | CSA profile name | String | PCI-DSS v3.2.1 (Azure) | Y | N | Y |
| IaaS CSA | sa_profile_id | CSA profile ID | Integer | -2002000 | Y | N | Y |
| IaaS CSA | sa_rule_id | CSA rule ID | Integer | -2002041 | Y | N | Y |
| IaaS CSA | sa_rule_name | CSA rule name | String | PCI-AZR \| 5.1 Ensure that the endpoint protection for all Virtual Machines is installed | Y | N | Y |
| IaaS CSA | sa_rule_severity | Rule severity | String | Critical, High, Medium, Low | Y | N | Y |
| IaaS CSA | account_id | Account ID (usually the account number as provided by the cloud provider) | String | a776ab3b-0d9d-401e-a31d-2f478a4c | Y | N | Y |
| IaaS CSA | account_name | Account name. In the case of AWS this is the instance name set by the user; for others, the account name is provided by the cloud provider. | String | iaas-azure-dev | Y | N | Y |
| IaaS CSA | iaas_asset_tags | List of tags associated with the asset for which the alert is raised. Each tag is a key/value pair | Array of dictionary objects (name/value pairs) | [{“name”: “major environment”, “value”: “test”}, {“name”: “owner”, “value”: “abc” }] | Y | N | Y |
| IaaS CSA | run_id | Run ID | Integer | 15 | Y | N | N |
| IaaS CSA | region_id | Region ID (as provided by the cloud provider) | String | eastus2 | Y | N | Y |
| IaaS CSA | region_name | Region name (as provided by the cloud provider) | String | East US 2 | Y | N | Y |
| IaaS CSA | resource_category | Category of the resource as defined in DOM | String | Compute | Y | N | Y |
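The reference above leaves several relationships between fields to the reader: timestamps are epoch seconds, numbytes should equal client_bytes + server_bytes, a suppressed burst arrives as one record spanning suppression_start_time to suppression_end_time with a count, bypass_traffic says only that a flow was bypassed while ssl_decrypt_policy says which rule source was responsible, and the Malsite severity_level_id and threat_source_id values encode the detection source. The following Python is an added example, not Netskope's own code or an official client: it normalizes a few constructed records (the values are made up; only the field names come from the reference) into the shape a SIEM correlation rule would key on and flags records that violate the documented invariants. Two readings are this example's assumptions rather than statements from the reference: that ssl_decrypt_policy = "yes" means the SSL Decrypt Policy (rather than the Exception Configuration) caused the bypass, and that severity_level_id values 0 and 3, which the reference lists but does not describe, should be reported as unspecified.

```python
"""Normalize Netskope Get Events / Get Alerts records and check documented invariants.
Added example; not Netskope code. Sample records are constructed."""
from datetime import datetime, timezone

# Documented meanings of the Malsite detection-source fields.  Values 0 and 3 of
# severity_level_id are listed but not described in the reference (assumption:
# report them as "unspecified").
SEVERITY_LEVEL_SOURCE = {1: "internal threat feed", 2: "OEM DB malsite category"}
THREAT_SOURCE = {1: "NetskopeThreatIntel", 2: "OEM DB"}
ALERT_TYPE_VALUES = {"nspolicy", "connection", "breach", "anomaly", "malsite"}

# Constructed sample records (not real API output).
SAMPLE_EVENTS = [
    {   # page event whose duplicates were suppressed into one record
        "type": "connection", "timestamp": 1443811033, "src_timezone": "America/Los_Angeles",
        "access_method": "Client", "traffic_type": "CloudApp", "app": "Google Drive",
        "user": "user@netskope.com", "numbytes": 18177, "client_bytes": 1093,
        "server_bytes": 17084, "conn_duration": 59000, "bypass_traffic": "no",
        "suppression_start_time": 1443811033, "suppression_end_time": 1443811078, "count": 3,
    },
    {   # bypassed web flow; byte counters deliberately inconsistent
        "type": "connection", "timestamp": 1480330369, "src_timezone": "America/New_York",
        "access_method": "Client", "traffic_type": "Web", "site": "cnn.com",
        "user": "user@netskope.com", "numbytes": 5000, "client_bytes": 1000, "server_bytes": 3000,
        "bypass_traffic": "yes", "ssl_decrypt_policy": "yes", "policy": "constructed-bypass-policy",
    },
    {   # malsite alert
        "type": "malsite", "timestamp": 1485302400, "src_timezone": "America/Chicago",
        "alert": "yes", "alert_type": "malsite", "user": "user@netskope.com",
        "severity_level_id": 2, "threat_source_id": 2, "threat_match_field": "domain",
        "malsite_category": ["Malicious Site"], "malsite_confidence": 100,
    },
]


def epoch_to_iso(epoch):
    """timestamp is documented as Unix epoch seconds; render it as ISO-8601 UTC."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def byte_accounting_ok(rec):
    """numbytes = client_bytes + server_bytes per the reference.
    Returns None when any of the three fields is absent."""
    try:
        return rec["numbytes"] == rec["client_bytes"] + rec["server_bytes"]
    except KeyError:
        return None


def bypass_reason(rec):
    """bypass_traffic only says *that* a flow was bypassed; ssl_decrypt_policy tells
    which of the two rule sources did it (assumption: 'yes' = SSL Decrypt Policy)."""
    if rec.get("bypass_traffic") != "yes":
        return None
    return "SSL Decrypt Policy" if rec.get("ssl_decrypt_policy") == "yes" else "Exception Configuration"


def suppression_window(rec):
    """A suppressed burst arrives as one record: start, end and count of occurrences."""
    if "suppression_start_time" not in rec or "suppression_end_time" not in rec:
        return None
    seconds = rec["suppression_end_time"] - rec["suppression_start_time"]
    return {"seconds": seconds, "count": rec.get("count", 1)}


def malsite_context(rec):
    """Decode the numeric malsite detection-source fields to their documented names."""
    if rec.get("alert_type") != "malsite":
        return None
    return {
        "detected_by": SEVERITY_LEVEL_SOURCE.get(rec.get("severity_level_id"), "unspecified"),
        "threat_source": THREAT_SOURCE.get(rec.get("threat_source_id"), "unspecified"),
        "matched_on": rec.get("threat_match_field"),
    }


def normalize(rec):
    """Flatten one record into SIEM-friendly keys plus a list of consistency issues."""
    issues = []
    if byte_accounting_ok(rec) is False:
        issues.append("numbytes != client_bytes + server_bytes")
    if rec.get("conn_duration", 0) < 0:
        issues.append("negative conn_duration")
    if rec.get("alert") == "yes" and rec.get("type") not in ALERT_TYPE_VALUES:
        issues.append("unexpected type value for an alert: %r" % rec.get("type"))
    return {
        "time_utc": epoch_to_iso(rec["timestamp"]),
        "src_timezone": rec.get("src_timezone"),
        "user": rec.get("user"),
        "target": rec.get("app") or rec.get("site"),
        "bypass_reason": bypass_reason(rec),
        "suppression": suppression_window(rec),
        "malsite": malsite_context(rec),
        "issues": issues,
    }


def normalize_all(records):
    return [normalize(r) for r in records]


if __name__ == "__main__":
    for row in normalize_all(SAMPLE_EVENTS):
        print(row)
```

The byte-accounting check is deliberately tri-state (True, False, None) so that records from access methods that never populate client_bytes/server_bytes, such as some log uploads, are not reported as inconsistent; only a record that carries all three fields and still disagrees with the documented identity is flagged.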