REST API Events and Alerts Response Descriptions
These are the response descriptions for the Get Events Data and Get Alerts Data endpoints.
Parameter Grouping | Parameter Name | Descriptions | Data Type | Example Responses | App Events | Page Events | Alerts |
---|---|---|---|---|---|---|---|
General | timestamp | Timestamp when the event/alert happened. Event timestamp in Unix epoch format. | Integer | 1443811033 | Y | Y | Y |
General | _insertion_epoch_timestamp | Insertion timestamp | Integer | 1485025255 | Y | Y | Y |
General | src_timezone | Source timezone. Shows the long format timezone designation. | String | America/Los_Angeles | Y | Y | Y |
General | dst_timezone | Destination timezone | String | America/New_York | Y | Y | Y |
General | type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events show the actual HTTP connection. | String | Application Events: nspolicy; Page Events: connection; Alerts: nspolicy, connection, breach, anomaly, malsite | Y | Y | Y |
General | access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder, etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. | String | Client, Secure Forwarder, API Connector, Proxy Chaining, Reverse Proxy | Y | Y | Y |
General | traffic_type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and Web indicates HTTP traffic. Web traffic is only captured for the inline access method. It is currently not captured for Risk Insights. | String | CloudApp, Web | Y | Y | Y |
General | action | Action taken on the event for the policy | String | useralert, Detection, bypass, block, alert, restrictToView, disableDownload, legalHold, expireLink, restrictAccess, delete, quarantine | Y | Y | Y |
General | fromlogs | Shows if the event was generated from the Risk Insights log. | String | yes | Y | Y | Y |
General | user_generated | Tells whether it is a user-generated page event | Boolean | yes, no | N | Y | Y |
General | tunnel_id | Shows the Client installation ID. Only available for the Client steering configuration. | String | c5b07447-e86e-4722-b59e-81144 | Y | Y | Y |
General | request_id | Unique request ID for the event | Integer | 1,590 | Y | N | Y |
General | transaction_id | Unique ID for a given request/response | String | 1843244978932892112 | Y | Y | Y |
General | connection_id | Each connection has a unique ID. Shows the ID for the connection event. | LongInt | 117073088998365 | Y | Y | Y |
General | conn_duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | Integer | 59000 | Y | Y | Y |
General | conn_starttime | Connection start time | Float | 1480330369 | N | Y | Y |
General | conn_endtime | Connection end time | Float | 1480330428 | N | Y | Y |
General | latency_min | Min latency for a connection in milliseconds | Integer | 47 | N | Y | Y |
General | latency_max | Max latency for a connection in milliseconds | Integer | 651 | N | Y | Y |
General | latency_total | Total latency from proxy to app in milliseconds | Integer | 3797 | N | Y | Y |
General | req_cnt | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | Integer | 21 | Y | Y | Y |
General | resp_cnt | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client | Integer | 21 | Y | Y | Y |
General | http_transaction_count | HTTP transaction count | Integer | 300 | N | Y | Y |
General | numbytes | Total number of bytes that were transmitted for the connection (numbytes = client_bytes + server_bytes) | Integer | 18177 | Y | Y | Y |
General | client_bytes | Total number of bytes uploaded from client to server | Integer | 1093 | Y | Y | Y |
General | server_bytes | Total number of bytes downloaded from server to client. | Integer | 17084 | Y | Y | Y |
General | suppression_key | To limit the number of events. Example: Suppress block event for browse | String | 2019-01-07_1135.zip | Y | N | Y |
General | suppression_start_time | When events are suppressed (like collaboration apps), the suppression end time will be set and only one event will be sent with suppression start time and end time and count of occurrence. | Integer | 1443811033 | Y | Y | Y |
General | suppression_end_time | When events are suppressed (like collaboration apps), the suppression end time will be set and only one event will be sent with suppression start time and end time and count of occurrence. | Integer | 1443811078 | Y | Y | Y |
General | count | Number of raw log lines/events sessionized or suppressed during the suppressed interval. | Integer | 1 | Y | Y | Y |
General | bypass_traffic | Tells if traffic is bypassed by Netskope | Boolean | yes, no | N | Y | Y |
General | ssl_decrypt_policy | Applicable to only bypass events. There are 2 ways to create rules for bypass: The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. | String | yes, no | N | Y | Y |
General | dynamic_classification | Whether or not URLs were categorized by the NSURLC machine | String | yes, no | N | N | Y |
General | dst_geoip_src | Source from where the location of Destination IP was derived | Integer | 1 | Y | Y | Y |
General | src_geoip_src | Source from where the location of Source IP was derived | Integer | 2 | Y | Y | Y |
General | modified | Timestamp corresponding to the modification time of the entity (file, etc.) | DateTime | 2017-01-17T08:56:05 | Y | Y | Y |
Alert | alert | Indicates whether alert is generated or not. Populated as | String | yes, no | Y | Y | Y |
Alert | alert_name | Name of the alert | String | proximity, rare_event, risky_country, user_shared_credentials, data_exfiltration, mlad | Y | Y | Y |
Alert | alert_type | Type of the alert | String | Alerts: watchlist, policy, DLP, Legal Hold, quarantine, Malware, malsite, anomaly, Compromised Credential, Security Assessment; App Events: policy, DLP, quarantine, Legal Hold, Malware, Security Assessment, Remediation | Y | Y | Y |
Alert | acked | Whether user acknowledged the alert or not | Boolean | false, true | Y | Y | Y |
Alert | severity | Severity used by watchlist and malware alerts | String | low, medium, high, unknown, null | Y | Y | Y |
Alert | severity_id | Severity ID used by watchlist and malware alerts | Integer | 1, 2, 3, null | Y | N | Y |
Alert | policy_id | The Netskope internal ID for the policy created by an admin | Integer | 1, 8 | Y | N | Y |
Alert | policy | Name of the policy configured by an admin | String | PCI Files in OneDrive | Y | Y | Y |
Alert | profile_emails | List of profile emails per policy | String | [“dlp_policy@netskope.com”] | Y | N | Y |
Alert | justification_reason | Justification reason provided by the user. For the following policies, justification events are raised. The user is shown a notification popup, enters a justification and can select to proceed or block: | String | Provided reason | Y | N | Y |
Alert | justification_type | Type of justification provided by user when user bypasses the policy block | String | falsePositive, justification | Y | N | Y |
Application | app | Specific cloud application used by the user (e.g. app = Dropbox). | String | Google Drive | Y | Y | Y |
Application | appcategory | Application Category as designated by Netskope | String | Collaboration, Customer Relationship Management, Cloud Storage, IaaS/PaaS | Y | Y | Y |
Application | ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. | String | excellent, high, medium, low, poor, unknown, not_defined | Y | Y | Y |
Application | site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in “www.cnn.com”, it is “cnn.com”. | String | cnn.com | Y | Y | Y |
Application | url | URL of the application that the user visited as provided by the log or data plane traffic | String | www.evernote.com/shard/s231/notestore | Y | Y | Y |
Application | page | The URL of the originating page | String | www.google.co.in/search?q=railway | Y | Y | Y |
Application | domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | String | google.co.in | Y | Y | Y |
Application | sessionid | Populated by Risk Insights | Integer | 34014529 | Y | Y | Y |
Application | app_session_id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site and ends once they have been inactive for a certain period of time (15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | String | 1.42333E+14 | Y | Y | Y |
Application | referer | Referer URL of the application (with http) that the user visited as provided by the log or data plane traffic | String | https://portal.office.com/AdminPortal/Home | Y | Y | Y |
Application | managed_app | Whether or not the app in question is managed | Boolean | yes, no | Y | N | Y |
Application | telemetry_app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. | String | doubleclick, Amazon S3, google, Microsoft Office 365 Suite, Adswizz, fbcdn | Y | N | Y |
Application | instance_id | Unique ID associated with an organization application instance | String | nammazone.com | Y | N | Y |
Application | instance | Instance associated with an organization application instance | String | nammazone.com | Y | Y | Y |
Application | instance_name | Instance name associated with an organization application instance | String | netskope.com | Y | N | Y |
Application | instance_type | Instance type | String | VirtualPrivateCloud, Server, Image, Document, Managed Instance, LoadBalancer | Y | N | Y |
Application | object | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | String | Resume.doc | Y | Y | Y |
Application | object_id | Unique ID associated with an object | String | 3214 | Y | N | Y |
Application | object_type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | String | File, User, Note | Y | N | Y |
Application | from_object | Initial name of an object that has been renamed, copied or moved | String | test1 | Y | N | Y |
Application | to_object | Changed name of an object that has been renamed, copied, or moved | String | test2 | Y | N | Y |
Application | object_count | Displayed when the activity is Delete. Shows the number of objects being deleted | Integer | 3 | Y | N | Y |
Application Specific | enterprise_id | EnterpriseID in case of Slack for Enterprise | String | E8D23NJ1H | Y | N | Y |
Application Specific | enterprise | Enterprise name in case of Slack for Enterprise | String | Netskope enterprise | Y | N | Y |
Application Specific | workspace_id | Workspace ID in case of Slack for Enterprise | String | TDFHG3CLF | Y | N | Y |
Application Specific | workspace | Workspace name in case of Slack for Enterprise | String | Netskope workspace | Y | N | Y |
Application Specific | team | Slack team name | String | Netskope team | Y | N | Y |
Application Specific | channel | Channel of the user for slack and slack enterprise apps | String | channel1 | Y | N | Y |
Application Specific | sub_type | Workplace by Facebook post sub category (files, comments, status etc) | String | file, comment, post | Y | N | Y |
Application Specific | violating_user | User who caused a violation. Populated for Workplace by Facebook | String | example@netskope.com | Y | N | Y |
Application Specific | violating_user_type | Category of the user who caused a violation. Populated for Workplace by Facebook. | String | Internal, External | Y | N | Y |
Application Specific | logintype | Salesforce login type | String | Remote Access 2.0, Other Apex API, Remote Access Client | Y | N | Y |
Application Specific | loginurl | Salesforce login URL | String | my.salesforce.com | Y | N | Y |
Application Specific | new_value | New value for a given file for salesforce.com | String | 2019-01-18 3:33:58 | Y | N | Y |
Application Specific | old_value | Old value for a given file for salesforce.com | String | 2019-01-17 3:33:58 | Y | N | Y |
Application Specific | scopes | List of permissions for google apps | String | [“https://www.googleapis.com/auth/cloud-platform”, “https://www.googleapis.com/auth/userinfo.email”] | Y | N | Y |
Application Specific | session_id | Session ID for Dropbox application | Integer | 1.77573E+14 | Y | N | Y |
Application Specific | user_role | Roles such as admin, owner etc for Box | String | Admin, coadmin, user | Y | N | Y |
Application Specific | role | Roles for Box | String | Editor, Previewer, Previewer Uploader, Uploader, Viewer, Viewer Uploader, Owner, Co- owner | Y | N | Y |
Activity | activity | Description of the user performed activity | String | Download, Invite, Issue, Join, Login Attempt, Login Failed, Login Successful, Logout, Mark, Markup, Move, Upload, View, View All | Y | Y | Y |
Activity | activity_type | Displayed when only admins can perform the activity in question | String | Admin | Y | N | Y |
Activity | act_user | User doing an activity | String | user@netskope.com | Y | N | Y |
Activity | activity_status | Displayed when the user is denied access while performing some activity | String | Access Denied | Y | N | Y |
Activity | Url2Activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. | String | Yes | Y | N | Y |
Activity | ns_activity | Maps app activity to Netskope standard activity. | String | Download, Upload, view, unlock | Y | N | Y |
Activity | audit_category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | String | IAM, Lambda, S3, access, Compute Engine, Elasticloadbalancing, EC2, event_change, acl_change | Y | N | Y |
Activity | audit_type | The sub category in audit according to SaaS / IaaS apps | String | download, edit, create, view, HeadBucket | Y | N | Y |
User | userkey | User ID or email | String | user@netskope.com | Y | Y | Y |
User | user_id | User email | String | user@netskope.com | Y | N | Y |
User | user | User email | String | user@netskope.com | Y | Y | Y |
User | user_name | Name of user | String | TestUser | Y | N | Y |
User | ur_normalized | All lower case user email | String | user@netskope.com | Y | Y | Y |
User | user_normalized | All lower case user email | String | user@netskope.com | N | N | Y |
User | userip | IP address of User | String | xxx.xxx.xxx.xx | Y | Y | Y |
User | useragent | Browser HTTP user agent header | String | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 | Y | Y | Y |
User | user_category | Type of user in an enterprise – external / internal | String | Internal | Y | N | Y |
User | organization_unit | Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | String | Maximum of 5 levels: “OU1/OU2/OU3/OU4/OU5” | Y | Y | Y |
User | org | Search for events from a specific organization. Organization name is derived from the user ID. | String | sampleorganization.org | Y | Y | Y |
User | os | Operating system of the host who generated the event. | String | Yosemite | Y | Y | Y |
User | os_version | OS version of the host | String | Windows 7 | Y | Y | Y |
User | browser | Shows the actual browser from where the cloud app was accessed. | String | BlackBerry, Chrome, Firefox, iCab, Mobile, MSIE, Native, Opera, RockMelt, Safari, Skyfire, Tencent, Thunderbird | Y | Y | Y |
User | browser_version | Browser version | String | 50 | Y | Y | Y |
User | browser_session_id | Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. | LongInt | 75256867583232 | Y | Y | Y |
User | device | Device type from where the user accessed the cloud app. It could be a Macintosh, Windows device, iPad, etc. | String | Android Device, iOS Device, iPad, iPhone, Linux Device, Mac Device, Windows Device, Other Device | Y | Y | Y |
User | device_classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | String | managed, not configured, unknown, unmanaged | Y | N | Y |
User | hostname | Host name | String | example’s Macbook Pro | Y | Y | Y |
User | nsdeviceuid | Device identifiers on macOS and Windows | String | zndbgI= | Y | N | Y |
User | managementID | Management ID | String | FFD2E8A | Y | N | Y |
Source | srcip | IP address of source/user | String | xxx.xxx.xxx.xx | Y | Y | Y |
Source | src_location | User’s city as determined by the Maxmind or IP2Location Geodatabase | String | San Jose | Y | Y | Y |
Source | src_region | Source state or region as determined by the Maxmind or IP2Location Geodatabase | String | California | Y | Y | Y |
Source | src_latitude | Latitude of the user as determined by the Maxmind or IP2Location Geodatabase | Integer | [xx.xxxx] | Y | Y | Y |
Source | src_longitude | Longitude of the user as determined by the Maxmind or IP2Location Geodatabase | Integer | [-xxx.xxx] | N | Y | N |
Source | src_country | User’s country’s two-letter Country Code as determined by the Maxmind or IP2Location Geodatabase | String | US | Y | Y | Y |
Source | src_zipcode | Source zip code as determined by the Maxmind or IP2Location Geodatabase | String | 95134 | Y | Y | Y |
Destination | dstip | IP address where the destination app is hosted | String | xxx.xxx.xxx.xx | Y | Y | Y |
Destination | dst_location | Application’s city as determined by the Maxmind or IP2Location Geodatabase | String | Mountain View | Y | Y | Y |
Destination | dst_region | Application’s state or region as determined by the Maxmind or IP2Location Geodatabase | String | California | Y | Y | Y |
Destination | dst_latitude | Latitude of the Application as determined by the Maxmind or IP2Location Geodatabase | Integer | [xx.xxxx] | Y | Y | Y |
Destination | dst_longitude | Longitude of the Application as determined by the Maxmind or IP2Location Geodatabase | Integer | [-xxx.xxx] | N | Y | N |
Destination | dst_country | Application’s two-letter country code as determined by the Maxmind or IP2Location Geodatabase | String | US | Y | Y | Y |
Destination | dst_zipcode | Application’s zip code as determined by the Maxmind or IP2Location Geodatabase | String | 94043 | Y | Y | Y |
Destination | dstport | Destination port | Integer | 443, 80 (1-65535) | Y | Y | Y |
Destination | dsthost | Destination host | String | mail.yahoo.com | Y | Y | Y |
Introspection | retro_scan_name | Retro scan name | String | Retro_Scan_box_netskope.com_20181213_1616 | Y | Y | Y |
Introspection | scan_type | Generated during retroactive scan or new ongoing activity | String | Ongoing, ongoing, retroactive, Retroactive | Y | N | Y |
File | file_id | Unique identifier of the file | String | 0B3jELp0mSNw2dTZDNUhpUGpjUGgxQUY5OUZI | Y | N | Y |
File | filename | Name of the file | String | PandasDFTests.py | Y | N | Y |
File | title | Title of the file | String | PandasDFTests.py | Y | Y | Y |
File | mime_type | MIME type of the file | String | application/pdf | Y | N | Y |
File | data_type | Content type of upload/download | String | application/xml | Y | Y | Y |
File | md5 | md5 of the file | String | 295a6f156624f73c31a9a670d9a41914 | Y | Y | Y |
File | file_size | Size of the file in bytes | Integer | 22854 | Y | N | Y |
File | file_type | File type | String | text/plain, application/pdf, etc. | Y | Y | Y |
File | file_lang | Language of the file | String | SWEDISH | Y | Y | Y |
File | path_id | Path ID of the file in the application | Integer | 3.94218E+11 | Y | N | Y |
File | file_path | Path of the file in the application | String | /sample/file.pdf | Y | N | Y |
File | owner | Owner of the file | String | example@netskope.com | Y | N | Y |
File | original_file_path | If the file is moved, the original path of the file is kept in this field | String | 29208ee0-021e-4cb2-87b4-c9303880 | Y | N | Y |
File | from_user | Email address used to login to the SAAS app | String | example@netskope.com | Y | N | Y |
File | from_user_category | Type of from_user | String | Internal, External | Y | N | Y |
File | to_user | Used when a file is moved from user A to user B. Shows the email address of user B | String | example@netskope.com | Y | N | Y |
File | to_user_category | Type of user to which move is done | String | Internal, External | Y | N | Y |
File | shared_with | Array of emails with whom a document is shared with | String | [aaaa@netskope.com,nnnn@netskope.com,dddd@netskope.com] | Y | Y | Y |
File | shared | If the file is shared or not | Boolean | true, false | Y | N | Y |
File | shared_type | Shared Type | String | internal, external, private, enterprise | Y | N | Y |
File | shared_domains | List of domains of users the document is shared with | String | [netskope.com, yahoo.com] | Y | N | Y |
File | exposure | Exposure of a document | String | private, public, public_on_web, enterprise, external, internal, anyone_with_link | Y | Y | Y |
File | attachment | File name | String | image001.png | Y | N | Y |
File | encrypt_failure | Reason of failure while encrypting | String | Failed getting encryption Key | Y | N | Y |
File | log_file_name | Log file name for Risk Insights | String | 20190205T0917_0.csv.gz | Y | Y | Y |
File | file_passwd_protected | Tells if the file is password protected | Boolean | TRUE | Y | N | Y |
File | web_url | File preview URL | String | https://drive.google.com/open?id=1234 | Y | N | Y |
File | external_collaborator_count | Count of external collaborators on a file/folder. Supported for some apps. | Integer | 4 | Y | Y | Y |
File | internal_collaborator_count | Count of internal collaborators on a file/folder. Supported for some apps. | Integer | 3 | Y | N | Y |
File | total_collaborator_count | Count of collaborators on a file/folder. Supported for some apps. | Integer | 7 | Y | N | Y |
DLP | dlp_incident_id | Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. | LongInt | 146831431522000 | Y | Y | Y |
DLP | dlp_parent_id | Incident ID associated with main container (or non-container) file that was scanned | LongInt | 146831431522000 | Y | Y | Y |
DLP | dlp_file | File/Object name extracted from the file/object | String | Credit Report.pdf | Y | N | Y |
DLP | dlp_profile | DLP profile name | String | DLP-PCI | Y | Y | Y |
DLP | dlp_rule | DLP rule that triggered | String | Name-Credit Card (CC) | Y | Y | Y |
DLP | dlp_rule_count | Count of rule hits | Integer | 5 | Y | Y | Y |
DLP | dlp_rule_severity | Severity of rule | String | Low, Medium, High, Critical | Y | Y | Y |
DLP | dlp_fingerprint_classification | Fingerprint classification | String | Sensitive Customer Information, PII | Y | N | Y |
DLP | dlp_fingerprint_match | Fingerprint classification match file name | String | Top_100_Existing_Accounts_11_1_18.xlsx | Y | N | Y |
DLP | dlp_fingerprint_score | Fingerprint classification score | Integer | 0-100 | Y | N | Y |
DLP | dlp_rule_score | DLP rule score for weighted dictionaries | Integer | 13 | Y | N | Y |
DLP | dlp_is_unique_count | True or false depending upon if rule is unique counted per rule data | Boolean | true, false | Y | Y | Y |
DLP | dlp_unique_count | Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. | Integer | 10 | Y | N | Y |
Quarantine | quarantine_file_id | File ID of the quarantined file | String | 435bd35a-e021-4a2c-bc41-ba281f91 | Y | N | Y |
Quarantine | quarantine_profile_id | Quarantine profile ID | Integer | 2 | Y | N | Y |
Quarantine | quarantine_profile | Quarantine profile name of policy for quarantine action | String | Quarantine Data – OneDrive | Y | N | Y |
Quarantine | quarantine_failure | Reason of failure | String | Quarantine failed; file transfer failure | Y | N | Y |
Quarantine | quarantine_action_reason | Reason for the action taken for quarantine | String | Previously quarantined file still blocked because admin decision is pending | Y | N | Y |
Quarantine | q_admin | Quarantine profile custodian email/name | String | example@netskope.com | Y | N | Y |
Quarantine | q_app | Quarantine app name | String | Box | Y | N | Y |
Quarantine | q_instance | Quarantine instance name | String | Box Production | Y | N | Y |
Quarantine | q_original_filename | Original file name which got quarantined | String | Sensitive File | Y | N | Y |
Quarantine | q_original_filepath | Original file path which got quarantined | String | All/Folder1/Folder2 | Y | N | Y |
Quarantine | q_original_shared | Original file shared user details | String | Private | Y | N | Y |
Quarantine | q_original_version | Original version of file which got quarantined | String | 1 | Y | N | Y |
Quarantine | quarantine_file_name | File name of the quarantine file | String | sensitivefile.txt | Y | N | Y |
Legal Hold | legal_hold_profile_name | Legal hold profile name | String | Legal hold Test Profile | Y | N | Y |
Legal Hold | lh_custodian_email | Custodian email of legal hold profile | String | example@netskope.com | Y | N | Y |
Legal Hold | lh_custodian_name | Custodian name of legal hold profile | String | Kelly Oar | Y | N | Y |
Legal Hold | lh_dest_app | Destination appname of legalhold action | String | Box | Y | N | Y |
Legal Hold | lh_dest_instance | Destination instance of legal hold action | String | Box Production | Y | N | Y |
Legal Hold | lh_fileid | File ID of legal hold file | String | 3.97035E+11 | Y | N | Y |
Legal Hold | lh_filename | File name of legal hold file | String | Sensitive file_v1_2016-04-2707-00-15(UTC) | Y | N | Y |
Legal Hold | lh_filepath | File path of legal hold file | String | All/Folder1/Folder2 | Y | N | Y |
Legal Hold | lh_original_filename | Original filename of legal hold file | String | Sensitive File | Y | N | Y |
Legal Hold | lh_shared | Shared type of legal hold file | String | Internal | Y | N | Y |
Legal Hold | lh_shared_with | User shared with the legal hold file | String | [“example1@netskope.com”, “example2@netskope.com”] | Y | N | Y |
Legal Hold | lh_version | File version of original file | String | 1 | Y | N | Y |
Anomaly | orig_ty | Event Type of original event | String | nspolicy, connection | N | Y | Y |
Anomaly | last_timestamp | Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. | LongInt | 1549296669 | N | Y | Y |
Anomaly | last_app | Last application (app in the first/older event). Applies to only proximity anomaly alert. | String | | N | Y | Y |
Anomaly | last_device | Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. | String | Windows Device | N | Y | Y |
Anomaly | last_country | Last location (Country). Applies to only proximity anomaly alert. | String | US | N | Y | Y |
Anomaly | last_location | Last location (City). Applies to only proximity anomaly alert. | String | Chicago | N | Y | Y |
Anomaly | last_region | Applies to only proximity anomaly alert. | String | Pennsylvania | N | Y | Y |
Anomaly | download_app | Applicable to only data exfiltration. Download App (App in the download event). | String | Google Gmail | N | N | Y |
Anomaly | shared_credential_user | Applicable to only shared credentials. User with whom the credentials are shared with. | String | Michael Sam | N | N | Y |
Anomaly | threshold_time | Threshold time. Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types (Bulk Upload/Download/Delete) and Failed Login Anomaly type. | LongInt | Default time (86400 Seconds) | N | N | Y |
Anomaly | bin_timestamp | Bin timestamp (a window used for certain types of anomalies, for breaking the day/hour into several windows). Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types (Bulk Upload/Download/Delete) and Failed Login Anomaly type. | LongInt | 1549411200 | N | N | Y |
Anomaly | threshold | Threshold (count at which the anomaly should trigger). Applicable to Bulk Anomaly types (Bulk Upload/Download/Delete) and Failed Login Anomaly type | Integer | 205 | N | Y | Y |
Anomaly, MLAD | event_type | Anomaly type | String | App Events: Info, error; Alerts: proximity, rare_event, risky_country, user_shared_credentials, data_exfiltration, bulk_upload, bulk_download, mlad | Y | Y | Y |
Anomaly, MLAD | profile_id | Anomaly profile ID | String | NS_101 (proximity alert), NS_103, NS_102, NS_307, NS_306, NS_304, NS_303, NS_305, NS_301, NS_403, NS_401 | Y | Y | Y |
Anomaly, MLAD | risk_level_id | This field is set by both role-based access (RBA) and MLAD | Integer | 1,2,0 | N | Y | Y |
Anomaly, MLAD | risk_level | Name corresponding to risk_level_id | String | low, med, high | Y | Y | Y |
Malsite | malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | Boolean | TRUE | Y | Y | Y |
Malsite | malsite_active | Number of days the malsite has been active | Integer | 2 | N | N | Y |
Malsite | malsite_as_number | Malsite ASN Number | String | AS35838 CCANet Limited | N | N | Y |
Malsite | malsite_confidence | Malsite confidence score | Integer | 100 | N | N | Y |
Malsite | malsite_consecutive | How many times that malsite is seen | Integer | 1 | N | N | Y |
Malsite | malsite_category | Category of malsite [ Phishing / Botnet / Malicious URL, etc. ] | String | [“Malicious Site”] | Y | N | Y |
Malsite | malsite_country | Malsite country | String | US | N | N | Y |
Malsite | malsite_region | Region of the malsite URL/IP/Domain | String | Texas | N | N | Y |
Malsite | malsite_city | Malsite city | String | Los Angeles | N | N | Y |
Malsite | malsite_dns_server | DNS server of the malsite URL/Domain/IP | String | xxx.xxx.com | N | N | Y |
Malsite | malsite_first_seen | Malsite first seen timestamp | Integer | 1485302400 | N | N | Y |
Malsite | malsite_hostility | Malsite hostility score | Integer | 5 | N | N | Y |
Malsite | malsite_ip_host | Malsite IP | String | xxx.xxx.x.xxx | N | N | Y |
Malsite | malsite_isp | Malsite ISP info | String | CCANET Limited | N | N | Y |
Malsite | malsite_longitude | Longitude plot of the Malsite URL/IP/Domain | Float | x.xxxx | N | N | Y |
Malsite | malsite_latitude | Latitude plot of the Malsite URL/IP/Domain | Float | xx.xxx | N | N | Y |
Malsite | malsite_last_seen | Malsite last seen timestamp | Integer | 1486339200 | N | N | Y |
Malsite | malsite_reputation | Reputation score of Malsite IP/Domain/URL | Float | 7.4 | N | N | Y |
Malsite | malsite_id | Malicious Site ID – Hash of threat match value | String | 9228edb31a922c392ba3746 | N | N | Y |
Malsite | severity_level_id | Severity level ID. A value of 1 means the URL/IP/Domain was detected from the internal threat feed; a value of 2 means the detection was based on the OEM DB malsite category. | Integer | 0, 1, 2, 3 | N | N | Y |
Malsite | severity_level | Severity level of the malsite (high / medium / low) | String | low, medium, high | N | N | Y |
Malsite | threat_match_field | Threat match field, either from domain or URL or IP. | String | domain, url, ip | Y | N | Y |
Malsite | threat_source_id | Threat source ID: 1 – NetskopeThreatIntel, 2 – OEM DB | Integer | 1,2 | Y | N | Y |
Malware | scan_time | Time when the scan is done | LongInt | 1474308875 | Y | N | Y |
Malware | malware_id | md5 hash of the malware name as provided by the scan engine | String | Any md5 hash string (as hexadecimal string) | Y | N | Y |
Malware | malware_type | Type of threat (virus, etc.) | String | Adware, Dialer, Malicious App, Spam, Phishing, Spyware, Virus, Heuristic, No Detection, Encrypted/Unscannable, Trojan, Error, Misleading Application | Y | N | Y |
Malware | detection_type | Same as malware_type (duplicate field). | String | virus, trojan | Y | N | Y |
Malware | malware_severity | Severity of the threat posed by this malware | String | high, medium, low | Y | N | Y |
Malware | malware_name | Detection name for this threat | String | Gen.Ransom.Encrypted.File.ns | Y | N | Y |
Malware | detection_engine | Customer-facing detection engine name | String | Netskope AV, Netskope Threat Intel, Netskope Advanced Heuristics, Netskope Advanced Sandbox | Y | N | Y |
Malware | tss_mode | Malware scanning mode; specifies whether the scan was Real-time Protection (Inline) or API Data Protection (Introspection) | String | Introspection, Inline | Y | N | Y |
Malware | malware_profile | tss_profile: the malware scan profile selected by the user. The data comes from the web UI as a JSON structure. | String | Default Malware Scan | Y | N | Y |
Malware | zip_password | Password of the zip archive into which the malicious file is packed before being sent back to the caller | String | netskope | Y | N | Y |
Malware | local_md5 | MD5 hash of the file, generated by the malware engine | String | 3b30d5c68bfe | Y | N | Y |
Malware | local_sha256 | SHA-256 hash of the file, generated by the malware engine | String | 3b30d5c68bfe | Y | N | Y |
Malware | local_sha1 | SHA-1 hash of the file, generated by the malware engine | String | 3b30d5c68bfe | Y | N | Y |
Compromised Credentials | breach_id | Breach ID for compromised credentials | String | 95e2e98ac17cf08de4b82f94356dc51e | N | N | Y |
Compromised Credentials | breach_date | Breach date for compromised credentials | Integer | 1524700800 | N | N | Y |
Compromised Credentials | breach_score | Breach score for compromised credentials | Integer | 30, 100 | N | N | Y |
Compromised Credentials | breach_target_references | Breach target references for compromised credentials | String | forbes.com | N | N | Y |
Compromised Credentials | breach_media_references | Media references of the breach | String | http://news.something.com/8301-1009_3-57618945-83/syrian-electronic-army-hacks-forbes-steals-user-data/ | N | N | Y |
IaaS CSA | sa_profile_name | CSA profile name | String | PCI-DSS v3.2.1 (Azure) | Y | N | Y |
IaaS CSA | sa_profile_id | CSA profile ID | Integer | -2002000 | Y | N | Y |
IaaS CSA | sa_rule_id | CSA rule ID | Integer | -2002041 | Y | N | Y |
IaaS CSA | sa_rule_name | CSA rule name | String | PCI-AZR \| 5.1 Ensure that the endpoint protection for all Virtual Machines is installed | Y | N | Y |
IaaS CSA | sa_rule_severity | Rule severity | String | Critical, High, Medium, Low | Y | N | Y |
IaaS CSA | account_id | Account ID (usually the account number provided by the cloud provider) | String | a776ab3b-0d9d-401e-a31d-2f478a4c | Y | N | Y |
IaaS CSA | account_name | Account name. For AWS this is the instance name set by the user; for other providers the account name is provided by the cloud provider. | String | iaas-azure-dev | Y | N | Y |
IaaS CSA | iaas_asset_tags | List of tags associated with the asset for which the alert is raised. Each tag is a name/value pair. | Array of dictionary objects (name/value pairs) | [{"name": "major environment", "value": "test"}, {"name": "owner", "value": "abc"}] | Y | N | Y |
IaaS CSA | run_id | Run ID | Integer | 15 | Y | N | N |
IaaS CSA | region_id | Region ID (as provided by the cloud provider) | String | eastus2 | Y | N | Y |
IaaS CSA | region_name | Region Name (as provided by the cloud provider) | String | East US 2 | Y | N | Y |
IaaS CSA | resource_category | Category of resource as defined in DOM | String | Compute | Y | N | Y |