|Are my users sharing content with a competitor?|
activity eq Share and to_user like @competitor.com
|Are my user sharing outside the organization?|
activity eq Share and to_user notlike @mycompany.com and to_user neq ''
|Do I have Non-Sanctioned Google Apps usage?|
app like google and instance_id notlike mycompany and from_user notlike mycompany.com
|Do I have high risk applications outside of the US?|
app-risk eq high and dst_country neq US and dst_country neq ''
|Are my users sending email messages to competitors?|
activity eq 'Send' and to_user like '@competitor.com'
|Is anyone outside of HR (or finance, or support) downloading from an HR (or finance, or CRM) app?|
organization_unit neq [NAME] and activity eq Download and category eq [CAT NAME]
|Is anyone uploading to apps whose terms don’t specify that the customer owns the data?|
activity eq Upload and app-cci-who-owns-data eq 'Vendor owns the data'
|Is anyone uploading to business intelligence apps whose terms don’t specify that the customer owns the data?|
category eq 'Business Intelligence' and app-cci-who-owns-data eq 'Vendor owns the data' and activity eq Upload
|Show downloads from vulnerable apps|
activity eq Download and app-cci-vuln-exploit neq None
|Show any shares from an app that ISN’T Cloud Storage|
category neq 'Cloud Storage' and activity eq Share
|Show any failed logins to any Finance/Accounting app|
activity eq 'Login Failed' and category eq Finance/Accounting
|Show logins to any Finance/Accounting app by people outside of Finance, except for Expensify <insert expense mgmt app here>|
organization_unit neq [NAME] and activity eq Login and app neq Expensify
|Show any data modifications in Finance/Accounting apps|
category eq 'Finance/Accounting' and activity eq Edit or category eq Finance/Accounting and activity eq Delete
|What happened to that document after someone downloaded it?|
object like '[partial name]' OR user eq [name] and object like '[partial name]'
|Show uploads events to Social Media > 10MB|
category eq Social and client_bytes > 10000000
|Show downloads >1GB|
server_bytes > 1000000000
|Show Box Sync client activity|
useragent like 'Box Sync'
|Show HR apps that offer Encryption@Rest withTenant managed keys|
category eq HR and app-cci-encrypt-tenant-managed-key eq Yes
|Show Mozy backup agent usage|
app eq Mozy and useragent like kalypso
|Show events that don’t have user binding|
user like '10.' or user like '172.16.' or user like '172.17.' or user like '172.18.' or user like '172.19.' or user like '172.20.' or user like '172.21.' or user like '172.22.' or user like '172.23.' or user like '172.24.' or user like '172.25.' or user like '172.26.' or user like '172.27.' or user like '172.28.' or user like '172.29.' or user like '172.30.' or user like '172.31.' or user like '192.168.'
|Show events that DO have user binding|
user notlike '10.' and user notlike '172.16.' and user notlike '172.17.' and user notlike '172.18.' and user notlike '172.19.' and user notlike '172.20.' and user notlike '172.21.' and user notlike '172.22.' and user notlike '172.23.' and user notlike '172.24.' and user notlike '172.25.' and user notlike '172.26.' and user notlike '172.27.' and user notlike '172.28.' and user notlike '172.29.' and user notlike '172.30.' and user notlike '172.31.' and user notlike '192.168.'
|Field IS empty|
organization_unit eq ''
|Field is NOT empty|
organization_unit neq ''
|Case insensitive search of string |
netskope in the object field
object ~ 'netskope(?i)'
|Show events from various OS endpoints|
os like NT or os like 7 or os like XP or os like 8.1 or os like 2000 or os like 8 or os like 'Windows Vista' or os eq unknown or os eq 'Mac OS' or os eq Linux or os eq Android or os eq 'Snow Leopard' or os eq BlackBerry
|Show events that involved Powerpoint files|
object ~ '.pptx(?i)'
|Show high risk app usage|
app-risk eq high
|Show high risk user usage|
user-risk eq high
|Show mobile agent activity|
access_method eq 'Mobile Profile'
|Show non-blocked app traffic (useful for log Risk Insights)|
action neq block
|Show non-blocked application activities (useful for log Risk Insights)|
Url2Activity eq yes
|Show users searching for Jobs on LinkedIn|
app eq 'Linkedin' and object_type eq 'Job'
|Get a DLP report|
alert_type eq DLP
|Show which apps leverage AWS|
app-cci-apphosting-provider eq 'Amazon Web Services'
|Show upload/send/transfer/post to Cloud Storage / Cloud Backup / Consumer: Content sharing where you have given away the rights to your own data due to poor terms and conditions.|
app-cci-who-owns-data eq 'Vendor owns the data' and ( activity eq Upload or activity eq Send or activity eq Transfer or activity eq Post) and category = 'Cloud Storage' or category = 'Cloud Backup' or category = 'Consumer: Content Sharing'
|Show high risk apps but takes away some noisy ones|
app-risk = high and (category neq 'Data & Analysis' and category neq Marketing and category neq 'Web Analytics' and category neq Security and category neq eCommerce )
|Show app usage that could be violating German Data Sovereignty Laws (using Social as the example category; replace with HR, Finance, or other appropriate app category)|
src_country eq DE and dst_country neq DE and category eq Social
|Investigate if someone has downloaded from sanctioned and uploaded to unsanctioned|
user eq email@example.com and ((activity eq 'Download' and app-cci-app-tag eq Sanctioned) or ( activity eq 'Upload' and app-cci-app-tag eq Unsanctioned))
|Are users uploading to apps that will own my data?|
app-cci-who-owns-data eq 'Vendor owns the data' and activity eq Upload
|What are the critical PCI incidents in the last 30 days?|
dlp_profile eq 'DLP-PCI' and dlp_rule_severity eq Critical
|Which apps used by my workforce can be source-IP restricted?|
app-cci-src-ip-enforcement eq Yes
|Which of the apps used by my workforce can use SAML SSO?|
app-cci-sso eq SAML
|Show example of sessionization – Netskope log parsing differentiation. This reports on human usage (which is useful), not each individual http session (which is not useful)|
req_cnt > 1
|Show sharing detected from log parsing|
Url2Activity eq yes and activity eq Share
|Show posting detected from log parsing|
Url2Activity eq yes and activity eq Post
|Show alerts for high risk users|
user-risk eq high and alert eq yes
|Show all file sharing outside the organization|
activity eq Share and to_user notlike @netskope.com and object_type eq 'File' and object neq ''
|Show all destination countries outside EU|
dst_country neq BE and dst_country neq BG and dst_country neq DK and dst_country neq DE and dst_country neq EE and dst_country neq FI and dst_country neq FR and dst_country neq GR and dst_country neq IE and dst_country neq IT and dst_country neq HR and dst_country neq LV and dst_country neq LT and dst_country neq LU and dst_country neq MT and dst_country neq NL and dst_country neq AT and dst_country neq PL and dst_country neq PT and dst_country neq RO and dst_country neq SE and dst_country neq SK and dst_country neq SI and dst_country neq ES and dst_country neq CZ and dst_country neq HU and dst_country neq GB and dst_country neq CY and dst_country neq EU
|Search for all user logins for a period of time|
activity eq 'Login Successful' and user from firstname.lastname@example.org to email@example.com
|Categories commonly excluded from ShadowIT analysis:|
- Data & Analysis: often noisy; automated sessions.
- eCommerce: often noisy; personal use.
- Marketing: can be noisy; varies by firm/some apps may be valid Security – often Noisy; imposed, so not shadow IT.
- Social: can be noisy; varies by firm/some apps may be valid.
- Tracking apps: often noisy; automated sessions.
- Web Analytics: often noisy; automated sessions.
- Web Proxies/Anonymizers: can be noisy; varies by firm.
(category neq 'Data & Analysis' and category neq eCommerce and category neq Marketing and category neq Security and category neq Social and category neq 'Tracking apps' and category neq 'Web Analytics' and category neq 'Web Proxies/Anonymizers')
|Show patient zero|
(alert_name eq 'Patient Zero')
|Show alerts associated with this malicious file hash|
(md5 eq '<MD5>')