Netskope Help

REST API Reports

You can also use REST APIs to analyze the data captured by Netskope for the following scenarios:

Note

REST API responses can return up to 10000 results in a single response. You can use pagination to retrieve more results.

  1. Identify sensitive customer or employee information:

    • Alert the administrator through email when an enterprise worker downloads PHI or PCI data onto an unmanaged device from sanctioned cloud storage apps.

    • Alert the administrator when an enterprise worker uploads PHI, PCI, or PII data into cloud storage apps.

    • Alert the administrator through email when a user shares PHI content with a non-@company.com user on a cloud storage application.

    • Alert the administrator and the employee's manager when a user downloads a large number (>75k) of PHI records from cloud storage on any device. Notify the centralized governing body through email.

      The REST API queries used for these scenarios are listed below, each with its purpose and description.

      Purpose: Pull all the DLP alerts for API Data Protection

      Description:

      https://<tenant hostname>.goskope.com/api/v1/alerts?token=<REST API token>&type=dlp&query=access_method%20eq%20%27API%20Connector%27&timeperiod=604800

      This pulls the DLP alerts for API Data Protection (access_method = API Connector) for a time period of 7 days. You can set the time period to the last 1 hour, last 7 days, last 30 days, and so on.

      Purpose: Pull all the DLP alerts for a specific policy. This covers the use case where the admin is looking for a specific PHI or PCI violation; the admin queries by the policy name configured for the DLP inspection.

      Description:

      https://<tenant hostname>.goskope.com/api/v1/alerts?token=<token-no>&type=dlp&query=alert_name%20eq%20%27Custom-PHI%27&timeperiod=604800

      In this example, the policy name queried is Custom-PHI.

      Purpose: Pull events when a user downloads a PHI file

      Description:

      https://<tenant hostname>.goskope.com/api/v1/alerts?token=<token>&type=dlp&query=activity%20eq%20Download%20and%20alert_name%20eq%20%27Custom-PHI%27&timeperiod=2592000

      In this example, the query is activity eq Download and alert_name eq 'Custom-PHI'. It can be further filtered by device type to identify downloads from a mobile device.

  2. Identify and Protect Intellectual Property

    Alert the administrator when an employee uploads intellectual property data to the cloud. This involves using the DLP Fingerprinting feature to fingerprint all the key design documents, looking for keywords such as confidential, sensitive, and so on, or using DLP precise data matching.

    You can query for DLP alerts based on a specific DLP policy name, a fingerprint classification, or actions. To query for DLP alerts matching a specific DLP Fingerprint profile:

    https://<tenant hostname>.goskope.com/api/v1/alerts?token=<token-no>&type=dlp&query=dlp_fingerprint_classification%20eq%20intellectual&timeperiod=2592000

    The example above fetches all the DLP alerts that matched the fingerprint classification "intellectual".

  3. Audit all activities of the users

    • Create a report to see all the top activities performed by the users

    • Create a report to understand the usage of the top applications

    • Query for risky apps

    • Query for risky users

    • Create a second level summary report to identify DLP violations per app

    • Check for files that are shared outside of the organization

  4. Policy Governance

    • Identify allowed apps vs blocked apps

    • Identify the list of files that are quarantined

    • Identify the list of files that are encrypted by policy

      Purpose: Query events with action of encrypt

      Description:

      https://<tenant hostname>.goskope.com/api/v1/events?token=<rest api token>&type=application&query=action%20eq%20encrypt&timeperiod=604800

      Purpose: Block vs Allow Apps

      Description: Create a report with the following:

      • Event type: Alert

      • Query: Action (block)

      • Summarize by apps

      • Second level summary by users

      This report shows the list of apps and the list of users blocked per app.

      Purpose: Query events with action of quarantine

      Description:

      https://<tenant hostname>.goskope.com/api/v1/events?token=<rest api token>&type=application&query=action%20eq%20quarantine&timeperiod=604800

      Purpose: Find the Top 10 applications for the last 24 hours

      Description:

      https://<tenant hostname>.goskope.com/api/v1/report?token=<rest api token>&type=page&groupby=application&timeperiod=86400&limit=10
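
The Python below is an added example, not Netskope code. It builds the query URLs shown on this page with the same percent-encoding, masks the token before a URL is logged (the token travels in the query string, which proxies and shells commonly record), and pages past the 10000-result limit. Assumptions: the tenant name and token are placeholders, `fetch_page` is a caller-supplied function, and paging uses `limit` (shown on this page only for the report query) with a `skip` offset parameter.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Time periods in seconds, matching the values used in the queries on this page.
LAST_HOUR, LAST_DAY, LAST_7_DAYS, LAST_30_DAYS = 3600, 86400, 604800, 2592000


def build_url(tenant, endpoint, token, **params):
    """Build a v1 URL; quote() encodes spaces as %20 and single quotes as %27."""
    query = urlencode({"token": token, **params}, quote_via=quote, safe="")
    return f"https://{tenant}.goskope.com/api/v1/{endpoint}?{query}"


def redact(url):
    """Mask the token value so the URL can be written to logs or tickets."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, quote_via=quote, safe="")))


def fetch_all(fetch_page, page_size=10000):
    """Collect all records by advancing an offset until a short page is returned.

    fetch_page(limit, skip) is a caller-supplied function (assumption) that
    sends one request with those paging parameters and returns a list.
    """
    records, skip = [], 0
    while True:
        page = fetch_page(limit=page_size, skip=skip)
        records.extend(page)
        if len(page) < page_size:
            return records
        skip += len(page)


if __name__ == "__main__":
    # Constructed placeholders: tenant name and token are not real values.
    url = build_url("tenant-placeholder", "alerts", "PLACEHOLDER_TOKEN", type="dlp",
                    query="activity eq Download and alert_name eq 'Custom-PHI'",
                    timeperiod=LAST_30_DAYS)
    print(redact(url))
    # Constructed stand-in for the API: 25 fake records served 10 at a time.
    fake = [{"id": i} for i in range(25)]
    print(len(fetch_all(lambda limit, skip: fake[skip:skip + limit], page_size=10)))
```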