REST API Reports

REST API Reports

You are viewing classic reports documentation. When Reports (New Experience) is no longer in BETA, the classic reports documentation will be replaced with “Reports” documentation, aka Reports (New Experience).

You can also use REST APIs to analyze the data captured by Netskope for the following scenarios:


REST API responses can return up to 10000 results in a single response. You can use pagination to retrieve more results.

  1. Identify sensitive customer or employee information:
    • Alert administrator through email when Enterprise worker downloads PHI or PCI data onto an unmanaged device from Sanctioned cloud storage apps.
    • Alert administrator when Enterprise worker uploads PHI, PCI or PII data into cloud storage apps.
    • Alert administrator through email when user shares PHI content with user on cloud storage application.
    • Alert Administrator and employee’s manager when user downloads large amount ( >75k) PHI records from any device from Cloud storage. Notify centralize governing body through email.

      The table below shows the REST API queries that are used

      Pull all the DLP alerts for API Data Protection
      https://<tenant hostname> api/v1/alerts?token=<REST API token>&type=dlp&query=access_ method%20eq%20%27API%20 Connector%27&timeperiod=604800 
      This will pull the DLP alerts for API Data Protection (access_method = API Connector) for a time period of 7 days.

      You can set the time period for last 1 hour, last 7 days, last 30 days, etc.

      Pull all the DLP alerts for a specific policy

      (This is to cover use-case where admin is looking for specific PHI or PCI violation). Admin would query based on the policy name configured for the DLP inspection

      https://<tenant hostname> api/v1/alerts?token=<token-no> &type=dlp&query=alert_name%20eq%20% 27Custom-PHI%27&timeperiod=604800
      In this example, the policy name queried was Custom-PHI.
      Pull events when a user downloads a PHI file
      https://<tenant hostname> api/v1/alerts?token=<token>&type= dlp&query=activity%20eq%20Download %20and%20 alert_name%20eq%20% 27Custom-PHI%27&timeperiod= 2592000
      In this example, query for activity eq download and alert_name eq 'Custom-PHI'

      This can be further filtered with device type to identify the downloads from a mobile device.

  2. Identify and Protect Intellectual Property

    Alerts the administrator when an employee uploads intellectual property data to the cloud. This involves using DLP Fingerprinting feature to fingerprint all the key design documents, looking for keywords such as confidential, sensitive, and so on, or using DLP Precise data matching.

    You can query for DLP alerts based on specific DLP policy name, fingerprint classification or based on actions. To query for DLP alerts matching a specific DLP Fingerprint profile:

    https://<tenant hostname>

    In the above example you are fetching all the DLP alerts that matched the fingerprint classification of intellectual

  3. Audit all activities of the users
    • Create a report to see all the top activities performed by the users
    • Create a report to understand the top applications usage
    • Query for risky apps
    • Query for risky users
    • Create a second level summary report to identify DLP violation per app,
    • Administrator can check for files that are shared outside of the organization
  4. Policy Governance
    • Identify allowed apps vs blocked apps
    • Identify list of files that are quarantined
    • Identify list of files that are encrypted by policy
      Query events with action of encrypt
      https://<tenant hostname><rest api token>&type=application&query=action%20eq%20encrypt&timeperiod=604800
      Block vs Allow AppsCreate a report with the following:
      • Event type: Alert
      • Query: Action (block)
      • Summarize by apps
      • Second level summary by users

      This report would show list of apps and list of users blocked per app.

      Query events with action of quarantine
      https://<tenant hostname><rest api token>&type=application&query=action%20eq%20quarantine&timeperiod =604800
      Find the Top 10 applications for the last 24 hours
      https://<tenant hostname><rest api token>&type=page&groupby=application&timeperiod=86400&limit=10
Share this Doc

REST API Reports

Or copy link

In this topic ...