REST API Reports

You are viewing classic reports documentation. When Reports (New Experience) is no longer in BETA, the classic reports documentation will be replaced with “Reports” documentation, aka Reports (New Experience).

You can also use REST APIs to analyze the data captured by Netskope for the following scenarios:

Note

REST API responses can return up to 10000 results in a single response. You can use pagination to retrieve more results.

Identify sensitive customer or employee information:

Alert administrator through email when Enterprise worker downloads PHI or PCI data onto an unmanaged device from Sanctioned cloud storage apps.
Alert administrator when Enterprise worker uploads PHI, PCI or PII data into cloud storage apps.
Alert administrator through email when user shares PHI content with non-@company.com user on cloud storage application.

Alert Administrator and employee’s manager when user downloads large amount ( >75k) PHI records from any device from Cloud storage. Notify centralize governing body through email.

The table below shows the REST API queries that are used

Purpose Description

Pull all the DLP alerts for API Data Protection

Purpose	Description
Pull all the DLP alerts for API Data Protection	https://<tenant hostname>.goskope.com/ api/v1/alerts?token=<REST API token>&type=dlp&query=access_ method%20eq%20%27API%20 Connector%27&timeperiod=604800 This will pull the DLP alerts for API Data Protection (`access_method = API Connector`) for a time period of 7 days. You can set the time period for last 1 hour, last 7 days, last 30 days, etc.
Pull all the DLP alerts for a specific policy (This is to cover use-case where admin is looking for specific PHI or PCI violation). Admin would query based on the policy name configured for the DLP inspection	https://<tenant hostname>.goskope.com/ api/v1/alerts?token=<token-no> &type=dlp&query=alert_name%20eq%20% 27Custom-PHI%27&timeperiod=604800 In this example, the policy name queried was `Custom-PHI`.
Pull events when a user downloads a PHI file	https://<tenant hostname>.goskope.com/ api/v1/alerts?token=<token>&type= dlp&query=activity%20eq%20Download %20and%20 alert_name%20eq%20% 27Custom-PHI%27&timeperiod= 2592000 In this example, query for `activity eq download and alert_name eq 'Custom-PHI'` This can be further filtered with device type to identify the downloads from a mobile device.

https://<tenant hostname>.goskope.com/ api/v1/alerts?token=<REST API token>&type=dlp&query=access_ method%20eq%20%27API%20 Connector%27&timeperiod=604800

This will pull the DLP alerts for API Data Protection (access_method = API Connector) for a time period of 7 days.

You can set the time period for last 1 hour, last 7 days, last 30 days, etc.

Pull all the DLP alerts for a specific policy

(This is to cover use-case where admin is looking for specific PHI or PCI violation). Admin would query based on the policy name configured for the DLP inspection

https://<tenant hostname>.goskope.com/ api/v1/alerts?token=<token-no> &type=dlp&query=alert_name%20eq%20% 27Custom-PHI%27&timeperiod=604800

In this example, the policy name queried was Custom-PHI.

Pull events when a user downloads a PHI file

https://<tenant hostname>.goskope.com/ api/v1/alerts?token=<token>&type= dlp&query=activity%20eq%20Download %20and%20 alert_name%20eq%20% 27Custom-PHI%27&timeperiod= 2592000

In this example, query for activity eq download and alert_name eq 'Custom-PHI'

This can be further filtered with device type to identify the downloads from a mobile device.

Identify and Protect Intellectual Property
Alerts the administrator when an employee uploads intellectual property data to the cloud. This involves using DLP Fingerprinting feature to fingerprint all the key design documents, looking for keywords such as confidential, sensitive, and so on, or using DLP Precise data matching.
You can query for DLP alerts based on specific DLP policy name, fingerprint classification or based on actions. To query for DLP alerts matching a specific DLP Fingerprint profile:
```
https://<tenant hostname>.goskope.com/api/v1/alerts?token=
<token-no>&type=dlp&query=dlp_fingerprint_classification
%20eq%20intellectual&timeperiod=2592000
```
In the above example you are fetching all the DLP alerts that matched the fingerprint classification of intellectual
Audit all activities of the users
- Create a report to see all the top activities performed by the users
- Create a report to understand the top applications usage
- Query for risky apps
- Query for risky users
- Create a second level summary report to identify DLP violation per app,
- Administrator can check for files that are shared outside of the organization

Policy Governance

Identify allowed apps vs blocked apps
Identify list of files that are quarantined

Identify list of files that are encrypted by policy

Purpose	Description
Query events with action of encrypt	`https://<tenant hostname>.goskope.com/api/v1/events?token=<rest api token>&type=application&query=action%20eq%20encrypt&timeperiod=604800`
Block vs Allow Apps	Create a report with the following: Event type: Alert Query: Action (block) Summarize by apps Second level summary by users This report would show list of apps and list of users blocked per app.
Query events with action of quarantine	`https://<tenant hostname>` `.goskope.com/api/v1/events?token=<rest api token>&type=application&query=action%20eq%20quarantine&timeperiod =604800`
Find the Top 10 applications for the last 24 hours	https://<tenant hostname>.goskope.com/api/v1/report?token=<rest api token>&type=page&groupby=application&timeperiod=86400&limit=10

REST API Reports

REST API Reports

REST API Reports

In this topic ...