Skope IT Query Language Search Examples
To help you find specific events, here’s a list of helpful search queries:
|Are my users sharing content with a competitor?
activity eq Share and to_user like @competitor.com
|Are my users sharing outside the organization?
activity eq Share and to_user notlike @mycompany.com and to_user neq ''
|Do I have Non-Sanctioned Google Apps usage?
app like google and instance_id notlike mycompany and from_user notlike mycompany.com
|Do I have high risk applications outside of the US?
app-risk eq high and dst_country neq US and dst_country neq ''
|Are my users sending email messages to competitors?
activity eq 'Send' and to_user like '@competitor.com'
|Is anyone outside of HR (or finance, or support) downloading from an HR (or finance, or CRM) app?
organization_unit neq [NAME] and activity eq Download and category eq [CAT NAME]
|Is anyone uploading to apps whose terms don’t specify that the customer owns the data?
activity eq Upload and app-cci-who-owns-data eq 'Vendor owns the data'
|Is anyone uploading to business intelligence apps whose terms don’t specify that the customer owns the data?
category eq 'Business Intelligence' and app-cci-who-owns-data eq 'Vendor owns the data' and activity eq Upload
|Show downloads from vulnerable apps
activity eq Download and app-cci-vuln-exploit neq None
|Show any shares from an app that ISN’T Cloud Storage
category neq 'Cloud Storage' and activity eq Share
|Show any failed logins to any Finance/Accounting app
activity eq 'Login Failed' and category eq Finance/Accounting
|Show logins to any Finance/Accounting app by people outside of Finance, except for Expensify (replace Expensify with your expense management app)
organization_unit neq [NAME] and category eq 'Finance/Accounting' and activity eq Login and app neq Expensify
|Show any data modifications in Finance/Accounting apps
category eq 'Finance/Accounting' and (activity eq Edit or activity eq Delete)
|What happened to that document after someone downloaded it?
object like '[partial name]' or user eq [name] and object like '[partial name]'
|Show upload events to Social Media larger than 10 MB
category eq Social and client_bytes > 10000000
|Show downloads larger than 1 GB
server_bytes > 1000000000
|Show Box Sync client activity
useragent like 'Box Sync'
|Show HR apps that offer encryption at rest with tenant-managed keys
category eq HR and app-cci-encrypt-tenant-managed-key eq Yes
|Show Mozy backup agent usage
app eq Mozy and useragent like kalypso
|Show events that don’t have user binding
user like '10.' or user like '172.16.' or user like '172.17.' or user like '172.18.' or user like '172.19.' or user like '172.20.' or user like '172.21.' or user like '172.22.' or user like '172.23.' or user like '172.24.' or user like '172.25.' or user like '172.26.' or user like '172.27.' or user like '172.28.' or user like '172.29.' or user like '172.30.' or user like '172.31.' or user like '192.168.'
|Show events that DO have user binding
user notlike '10.' and user notlike '172.16.' and user notlike '172.17.' and user notlike '172.18.' and user notlike '172.19.' and user notlike '172.20.' and user notlike '172.21.' and user notlike '172.22.' and user notlike '172.23.' and user notlike '172.24.' and user notlike '172.25.' and user notlike '172.26.' and user notlike '172.27.' and user notlike '172.28.' and user notlike '172.29.' and user notlike '172.30.' and user notlike '172.31.' and user notlike '192.168.'
|Field IS empty
organization_unit eq ''
|Field is NOT empty
organization_unit neq ''
|Case-insensitive search for the string netskope in the object field
object ~ 'netskope(?i)'
|Show events from various OS endpoints
os like NT or os like 7 or os like XP or os like 8.1 or os like 2000 or os like 8 or os like 'Windows Vista' or os eq unknown or os eq 'Mac OS' or os eq Linux or os eq Android or os eq 'Snow Leopard' or os eq BlackBerry
|Show events that involved Powerpoint files
object ~ '.pptx(?i)'
|Show high risk app usage
app-risk eq high
|Show high risk user usage
user-risk eq high
|Show mobile agent activity
access_method eq 'Mobile Profile'
|Show non-blocked app traffic (useful for log-based Risk Insights)
action neq block
|Show non-blocked application activities (useful for log-based Risk Insights)
Url2Activity eq yes
|Show users searching for Jobs on LinkedIn
app eq 'Linkedin' and object_type eq 'Job'
|Get a DLP report
alert_type eq DLP
|Show which apps leverage AWS
app-cci-apphosting-provider eq 'Amazon Web Services'
|Show upload/send/transfer/post activity to Cloud Storage, Cloud Backup or Consumer: Content Sharing apps whose terms and conditions give the vendor ownership of your data
app-cci-who-owns-data eq 'Vendor owns the data' and (activity eq Upload or activity eq Send or activity eq Transfer or activity eq Post) and (category eq 'Cloud Storage' or category eq 'Cloud Backup' or category eq 'Consumer: Content Sharing')
|Show high risk apps, excluding some noisy categories
app-risk eq high and (category neq 'Data & Analysis' and category neq Marketing and category neq 'Web Analytics' and category neq Security and category neq eCommerce)
|Show app usage that could be violating German Data Sovereignty Laws (using Social as the example category; replace with HR, Finance, or other appropriate app category)
src_country eq DE and dst_country neq DE and category eq Social
|Investigate if someone has downloaded from sanctioned and uploaded to unsanctioned
user eq email@example.com and ((activity eq 'Download' and app-cci-app-tag eq Sanctioned) or ( activity eq 'Upload' and app-cci-app-tag eq Unsanctioned))
|Are users uploading to apps that will own my data?
app-cci-who-owns-data eq 'Vendor owns the data' and activity eq Upload
|What are the critical PCI incidents in the last 30 days?
dlp_profile eq 'DLP-PCI' and dlp_rule_severity eq Critical
|Which apps used by my workforce can be source-IP restricted?
app-cci-src-ip-enforcement eq Yes
|Which of the apps used by my workforce can use SAML SSO?
app-cci-sso eq SAML
|Show an example of sessionization, a differentiator of Netskope log parsing. This reports on human usage (which is useful), not on each individual HTTP session (which is not useful)
req_cnt > 1
|Show sharing detected from log parsing
Url2Activity eq yes and activity eq Share
|Show posting detected from log parsing
Url2Activity eq yes and activity eq Post
|Show alerts for high risk users
user-risk eq high and alert eq yes
|Show all file sharing outside the organization
activity eq Share and to_user notlike @netskope.com and object_type eq 'File' and object neq ''
|Show all destination countries outside EU
dst_country neq BE and dst_country neq BG and dst_country neq DK and dst_country neq DE and dst_country neq EE and dst_country neq FI and dst_country neq FR and dst_country neq GR and dst_country neq IE and dst_country neq IT and dst_country neq HR and dst_country neq LV and dst_country neq LT and dst_country neq LU and dst_country neq MT and dst_country neq NL and dst_country neq AT and dst_country neq PL and dst_country neq PT and dst_country neq RO and dst_country neq SE and dst_country neq SK and dst_country neq SI and dst_country neq ES and dst_country neq CZ and dst_country neq HU and dst_country neq GB and dst_country neq CY and dst_country neq EU
|Search for all user logins for a period of time
activity eq 'Login Successful' and user from firstname.lastname@example.org to email@example.com
|Categories commonly excluded from Shadow IT analysis:
(category neq 'Data & Analysis' and category neq eCommerce and category neq Marketing and category neq Security and category neq Social and category neq 'Tracking apps' and category neq 'Web Analytics' and category neq 'Web Proxies/Anonymizers')
|Show patient zero
(alert_name eq 'Patient Zero')
|Show alerts associated with this malicious file hash
(md5 eq '<MD5>')
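The queries above combine `and`, `or` and parentheses, and several of them (data modifications in Finance/Accounting apps, uploads to apps whose vendor owns the data, the user-binding checks) only return what their headings promise if the `or` branches are grouped correctly. The evaluator below is an added example written for this page, not Netskope code, and every semantic it implements is an assumption: `and` binds tighter than `or`, `eq`/`neq` compare the whole value exactly, `like`/`notlike` are case-sensitive substring tests, `~` is a regular-expression search, `>`/`<` compare numerically, and a field missing from an event reads as the empty string. The sample events are constructed. It lets you check offline what a grouping change does before running the query in Skope IT.

```python
import re

# Constructed sample events (not real Netskope data); field names follow the
# page's examples, values are invented for illustration.
SAMPLE_EVENTS = [
    {"activity": "Share", "user": "alice@mycompany.com",
     "to_user": "bob@competitor.com", "category": "Cloud Storage",
     "object": "Roadmap.PPTX"},
    {"activity": "Edit", "user": "10.0.0.7", "to_user": "",          # no user binding
     "category": "Finance/Accounting", "object": "ledger.xlsx"},
    {"activity": "Delete", "user": "carol@mycompany.com", "to_user": "",
     "category": "Cloud Storage", "object": "notes.txt"},
    {"activity": "Download", "user": "dave@mycompany.com", "to_user": "",
     "category": "Finance/Accounting", "object": "q3-report.pptx"},
]

# One token per match: "(", ")", a single-quoted string, or a bare word.
_TOKEN = re.compile(r"\s*(?:(\()|(\))|'([^']*)'|([^\s()']+))")


def tokenize(query):
    """Split a query string into (kind, text) tokens."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize at offset {pos}: {query[pos:]!r}")
        pos = m.end()
        lp, rp, quoted, bare = m.groups()
        if lp or rp:
            tokens.append(("paren", lp or rp))
        elif quoted is not None:
            tokens.append(("str", quoted))
        else:
            tokens.append(("word", bare))
    return tokens


class _Parser:
    """Recursive-descent parser: expr := term ('or' term)*, term := cond ('and' cond)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def keyword(self, name):
        kind, text = self.peek()
        return kind == "word" and text.lower() == name

    def parse(self):
        node = self.expr()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.peek()[1]!r}")
        return node

    def expr(self):
        node = self.term()
        while self.keyword("or"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):  # 'and' binds tighter than 'or' (assumed, as in most query languages)
        node = self.cond()
        while self.keyword("and"):
            self.take()
            node = ("and", node, self.cond())
        return node

    def cond(self):  # cond := '(' expr ')' | field operator value
        kind, text = self.take()
        if kind == "paren" and text == "(":
            node = self.expr()
            if self.take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return node
        if kind != "word":
            raise ValueError(f"expected a field name, got {text!r}")
        op_kind, op = self.take()
        val_kind, value = self.take()
        if op_kind != "word" or val_kind is None:
            raise ValueError(f"malformed condition near {text!r}")
        return ("cond", text, op.lower(), value)


def _match(op, actual, wanted):
    """Apply one operator; semantics are assumptions, not Netskope's documented rules."""
    if op == "eq":
        return actual == wanted
    if op == "neq":
        return actual != wanted
    if op == "like":
        return wanted in actual
    if op == "notlike":
        return wanted not in actual
    if op == "~":
        flags = 0
        if wanted.endswith("(?i)"):  # the page writes the flag last; Python requires it first
            wanted, flags = wanted[:-4], re.IGNORECASE
        return re.search(wanted, actual, flags) is not None
    if op in (">", "<"):
        try:
            a, w = float(actual), float(wanted)
        except ValueError:
            return False
        return a > w if op == ">" else a < w
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(node, event):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    _, field, op, value = node
    return _match(op, str(event.get(field, "")), value)


def filter_events(query, events=SAMPLE_EVENTS):
    """Return the object names of the events a query selects."""
    tree = _Parser(tokenize(query)).parse()
    return [e["object"] for e in events if evaluate(tree, e)]


if __name__ == "__main__":
    for q in ("category eq 'Finance/Accounting' and activity eq Edit or activity eq Delete",
              "category eq 'Finance/Accounting' and (activity eq Edit or activity eq Delete)"):
        print(q, "->", filter_events(q))
```

Run as a script, the two "data modifications" variants show why the parentheses matter: the ungrouped form also returns the Cloud Storage delete because the trailing `or activity eq Delete` applies to every category. The `(?i)` handling is only a Python detail (recent versions reject inline flags that are not at the start of the pattern); Skope IT accepts the trailing form shown on the page. Treat every result from this evaluator as a sanity check on query structure and confirm the real behaviour in the Skope IT UI.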
For users with special characters, such as an organizational unit containing a backslash (netskope.com\johnd), escape the backslash with a second backslash. For example:
user eq netskope.com\\johnd
This returns all the Page events generated for the user johnd. Go to the Application Events type in Skope IT to see the application events generated for this user.
You can filter the data source by navigating to Settings > General > Data Source > EDIT SOURCE and then choosing the data source to look for events specifically generated from these sources. For more details, refer to Filter Data Sources.