Skip to main content

Netskope Help

Skope IT Queries Library

This section provides the query name, description, format, and operators for Skope IT query language searches. Click on a letter to expand and see the queries.

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network, Page

access_method

Search for events generated from specific access methods such as Client, Secure Forwarder, Logs, and Mobile profile.

Search events where the access method is either Add On or Secure Forwarder:

access_method eq 'Add On' or access_method eq 'Secure Forwarder'

For log uploads from Proxy or firewall, provide the name of the parser to search for events generated from log uploads:

access_method eq proxysg-http-main

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in"

access_method eq 'Client'

Alerts

account_id

Search IaaS collections and alerts for the given account ID.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in"

a776ab3b-0d9d-401e-a31d-2f478a4cd2cb

Alerts

account_name

Search IaasS collections and alert for the given account name.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in"

iaas-azure-dev

Alerts

acked

Search for alerts that have been acknowledged or not.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

acked eq true/false

Alerts, Application, Network, Page

act_user

Search for the user who performed an activity.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

jamesgreen@netskope.com

Alerts, Application, Network, Page

action

Search for an action taken by the user, like Block, Bypass, Alert. Isolate is unique to Page Events. This query is only available if RBI is deployed.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

alert eq yes and action eq block

Alerts, Application, Network

activity

Search for events or alerts for a specific user activity. Values specified for this query field is one of the activities that can occur within the cloud app and analyzed by the Netskope analytics engine.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in"

activity eq Create,activity eq Download or activity eq Upload,activity eq Download and object_type eq Reports and app eq Expensify

Alerts, Application, Network

activity_status

Search for events or alerts for a specific app activity status.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

activity_status eq Access Denied

Alerts, Application, Network

activity_type

Search events about activity type of app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Admin

Alerts, Application, Network, Page

aggregated_user

Search events where the user field is a network location.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

aggregated_user eq True

Alerts, Application, Network

alert

Search for events that triggered an alert due to a policy match, watchlist, or event that did not trigger an alert. Alerts are only generated when a policy or watchlist is matched. In all other scenarios, a regular event is generated.

string

"eq", "=", "==", "neq", "!="

alert eq yes

Alerts

alert_category

Search for alerts triggered by watchlist.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

alert_category eq Suspicious Access

Alerts

alert_detection_stage

Search for alerts triggered by watchlist.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

alert_detection_stage eq Access

Alerts

alert_id

The alert ID of the alert data.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

alert_name

Search for alerts triggered by specific policy, watchlist, or DLP.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

alert_name eq 'Cloud storage Policy',

alert_type eq policy and alert_name eq 'block uploads policy',

alert_type eq watchlist and alert_name eq 'Creating file on Google drive'

Alerts

alert_query

Search for alerts triggered by watchlist.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

alert_query eq query string

Alerts

alert_stage

Search for alerts triggered by watchlist.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

alert_stage eq Access

Alerts

alert_status

Search for alerts triggered by watchlist.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

alert_status eq open

Alerts, Application, Network

alert_type

Search for alerts triggered by policy action, watchlist, quarantine, or DLP.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

alert_type eq policy

Search for alerts generated by DLP violations:

alert_type eq DLP

Search for alerts not generated by watchlist:

alert_type neq watchlist

Alerts

alert_window

Search for alerts triggered by watchlist.

integer

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

alert_window eq 86400000

Alerts, Application, Page

app

Search events for a specific cloud app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

app = Dropbox

Search events for all apps except Box:

app neq Box

Search events for Box or Dropbox apps:

app = Box or app = Dropbox

Search events from user abc@xyz.com for the Dropbox, Box, Facebook, or Salesforce.com apps:

user eq abc@xyz.com and (app eq Dropbox or app eq Box or app eq Facebook or app eq Salesforce.com)

Alerts, Application, Network, Page

app_activity

Search events based on app search for application activity.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

SearchQueryPerformed, FileDeleted, FileAccessedExtended,GroupAdded, FileSyncUploadedFull, UserLoginFailed, FileAccessed

Alerts, Application, Page

app_session_id

Search for events with specific application session ID. An app session starts when a user starts using acloud app and ends once they have been inactive for a certain period of time. Each application session hasa unique application session ID. Use app_session_id to check all the user activities in a single app session.

integer

"eq", "=", "==", "neq", "!="

app_session_id eq <session ID number>

Alerts, Application, Network, Page

app-cci-access-logs

Search events for apps with 'Does the app provide data access audit logs?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-access-other-apps

Search events for apps with 'Does this application access other apps on the device?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-action-based-auth

Search events for apps with 'Does the app enforce authorization policies on user activities?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-allow-classify-data

Search events for apps with 'Does the app allow data classification, like public, confidential, and proprietary.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-allow-download-data

Search events for apps with 'Is the customer data available for download upon cancellation of service?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-allow-proxy

Search events for apps with 'Can the App Traffic be Proxied'.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-anonymous-sharing

Search events for apps with 'Does the app allow anonymous sharing of data?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-app-hosting-location

Search events about the locations from which the hosting provider serves app data.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-app-tag

Search events for apps with 'App Type'.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-app-type

The type of the app - Consumer, Departmental, or Enterprise.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-apphosting-provider

Search events for apps with 'Which infrastructure or hosting provider is the app hosted on?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-audit-logs

Search events for apps with 'Does the app provide admin audit logs?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-backup-user-data

Search events for apps with 'Does the app vendor back up customer data in a separate location from the main data center?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-backup-user-data

Search for apps with 'Does the app vendor back up customer data in a separate location from the main data center?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-cc-signup

Search events about the locations from which the hosting provider serve app data.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-compliance-cert

Search events for apps with 'What compliance certifications does the app have?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-contacts-data

Search events for apps with 'Does this application access contacts, calendar data and messages?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-cookies-3rd-party

Search events for apps with 'Does this application use third-party cookies?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-data-center-cert

Search for events f apps with 'To what data center standards does the app adhere?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-data-per-tenant

Search events for apps with 'Data segregated by tenant'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-device-based-access

Search events for apps with 'Does the app support the following device types?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-dispersed-data-center

Search events for apps with 'Does the application vendor utilize geographically dispersed data centers to serve customers?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-encrypt-at-rest

Search events for apps with 'Does the app encrypt data- at-rest?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-encrypt-in-transit

Search events for apps with 'Does the app encrypt data- in-transit?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-encrypt-tenant-managed-key

Search events for apps with 'Does the app allow customer-managed encryption keys?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-erase-cust-data

Search events for apps with 'Is all customer data erased upon cancellation of service? If so, when?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-file-capacity

Search events for apps with 'File Sharing Capacity'.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-file-sharing

Search events for apps with 'Does the app enable file sharing? '

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-is-weak-cipher

Search events for apps with 'Does the app increase the risk of data exposure by supporting weak cipher suites?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-multi-fact-auth

Search events for apps with 'Does the app support multi- factor authentication?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-published-dr-plan

Search events for apps with 'Does the app vendor provide disaster recovery services?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-recent-breach

Search events for apps with 'Has this application been recently breached (in the past year)?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-role-based-access

Search events for apps with 'Does the app support role- based authorization?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-secure-pass-policy

Search events for apps with 'Does the app enforce password best practices as policy?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-securityheaders

Search events for apps with 'Which HTTP security headers does the app use?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-sharing-personal-info-3rd-party

Search events for apps with 'Does this app share users' personal information.'

Ex: name, email, address)

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-spf

Search events for apps with 'Does the app vendor use a Sender Policy Framework to protect customers from spam and phishing emails?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-src-ip-enforcement

Search events for apps with 'Does the app support access control by IP address or range?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-sso

Search events for apps with 'SSO/AD hooks.'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-status-report

Search events for apps with 'Does the app vendor provide infrastructure status reports?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-system-operations

Search events for apps with 'Does this application perform system operations?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-treat-classify-data

Search events for apps with 'If yes, does the app allow admins to take action on classified data.

Ex: , encrypt, control access?

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-upgrade-notification

Search events for apps with 'Does the app vendor provide notifications to customers about upgrades and changes

Ex: scheduled maintenance, new releases, software/hardware changes

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-user-audit-logs

Search events for apps with 'Does the app provide user audit logs?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-vuln-exploit

Search events for apps with 'Vulnerabilities & Exploits'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-weak-algorithm-keysize

Search events for apps with 'Does the app increase the risk of data exposure by supporting weak signature algorithm or key size ?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-cci-who-owns-data

Search events for apps with 'Who owns the data/content uploaded to the application site? Does the customer own the data or does the application vendor own the data?'

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

app-gdpr-level

Search based on the General Data Protection Regulation (GDPR) readiness level of the apps. The readiness levels are low, medium, and high.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

app-gdpr-level eq high

Alerts, Application, Network, Page

app-risk

The risk level of apps (low,medium,high).

string

"eq", "="

Alerts, Application

appsuite

Search appsuite field in application and alerts.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

attachment

This variable will hold the name of attachments that are being sent with the mail.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

audit_category

Search audit events for a specific audit category. audit_category displays the category to which the audit event belongs to.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

audit_type

Search audit events for a specific audit type. audit_type displays the actual audit event name from the SaaS app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

audit_type eq internal

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network

bcc

Search events based on the user ids in bcc

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

browser

Search for events from a specific browser.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

browser eq Chrome

Search for events from any browser other than Chrome, Safari, and Firefox:

not (browser eq Chrome or browser eq Safari or browser eq Firefox)

Alerts, Page

browser_session_id

Search for browser session ID.

When there is an idle timeout of 15 minutes, the browser session ID is triggered and will timeout the session.

integer

"eq", "=", "==", "neq", "!=", "gt", "&gt;", "gte", "&gt;=", "lt", "&lt;", "lte", "&lt;="

Alerts, Page

browser_version

Search for specific browser version.

string

"eq", "=", "==", "neq", "!="

Page

bypass_traffic

Search for traffic bypassed by Netskope.

string

"eq", "=", "==", "neq", "!="

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network, Page

category

Search events for category.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

category = 'Cloud Storage'

Alerts, Application, Network

cc

Search events based on the user in cc.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

cci

Search for Cloud Confidence Index (CCI) score.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<;", "lte", "<="

cci gt 40

Alerts, Application, Network, Page

ccl

Search for Cloud confidence level of an application.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

ccl eq poor

Alerts, Application, Network, Page

channel

Search for events specific to a channel in slack.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Page

client_bytes

Search events based on bytes transferred from client to server.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

client_bytes > 800

Alerts

compliance_standards.control

The compliance standards control value.

string

"eq", "=", "==", "neq", "!=", "in", "not_in"

Alerts

compliance_standards.id

The compliance standards ID for use in sort.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<=", "in", "not_in"

Alerts

compliance_standards.section

The compliance standards section value.

string

"eq", "=", "==", "neq", "!=", "in", "not_in"

Alerts

compliance_standards.standard

The compliance standards 'standard' value.

string

"eq", "=", "==", "neq", "!=", "in", "not_in"

Page

conn_duration

Search events based on how long the connection was established in seconds.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

conn_duration > 10000

Alerts, Application, Network, Page

connection_id

Search events for a specific connection ID.

integer

"eq", "=", "==", "neq", "!="

connection_id eq <connection ID number>

Alerts, Application, Network, Page

count

Search for activities with event count greater than 1 to search for events that are suppressed. Netskope log watcher ensures that minimum numbers of events are generated for events that occur multiple times within a short interval of time. It will report the total number of events under count.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

count gt 1and app eq 'Google Drive'

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network

data_type

Search events about content-type for Upload and Download triggers.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

detection_engine

Search alerts for the given detection engine.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

device

Search for events from a specific device.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

device eq WindowsSearch for users using Dropbox from iOS device:device eq iOS and app eq DropboxSearch for events to verify if MacOS traffic is redirected through Secure Forwarder:device eq Macintosh and access_method eq 'Secure Forwarder'

Alerts, Application, Network

device_classification

How the device has been classified.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

device_classification eq managed

Alerts, Application, Network

dlp_file

Search events for DLP violation file that matches the content.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dlp_file = credit_card_data.doc

Alerts, Application, Network

dlp_fingerprint_classification

Search events for DLP fingerprint classification within the profile that matches the content.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dlp_fingerprint_classification = Finance

Alerts, Application, Network

dlp_fingerprint_match

Search events for DLP fingerprint file within the profile that matches the content.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dlp_fingerprint_match = finance_report.doc

Alerts, Application, Network

dlp_fingerprint_score

Search events for DLP fingerprint score within the profile that matches the content.

integer

"eq", "neq", "gt", ">", "gte", ">;=", "lt", "<", "lte", "<="

dlp_fingerprint_match > 10

Alerts, Application, Network

dlp_incident_id

Search events for a specific dlp incident ID.

integer

"eq", "=", "==", "neq", "!="

dlp_incident_id eq <incident-id-number>

Alerts

dlp_match_info

DLP match identifier details.

dictionary

"eq", "neq", "in", "notin"

Alerts, Application, Network

dlp_parent_id

Search events for a specific DLP parent incident ID.

integer

"eq", "=", "==", "neq", "!="

dlp_parent_id eq <parent ID number>

Alerts, Application, Network

dlp_profile

Search events for a specific DLP profile applied to the content.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dlp_profile = dlp-pci

Alerts, Application, Network

dlp_profile_name

Search events for a specific DLP profile.

string

"eq", "neq", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

dlp_profile_name = dlp-pci

Alerts, Application, Network

dlp_rule

Search events for a dlp rule within the profile that matches the content.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dlp_rule = cc_num

Alerts, Application, Network

dlp_rule_count

Search events that number of rules matches the content.

integer

"eq", "neq", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

dlp_rule_count = 10

Alerts, Application

dlp_rule_name

Search events for a dlp rule within the profile that matches the content.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dlp_rule = cc_num

Alerts, Application, Network

dlp_rule_severity

Search events for a DLP rule that matches the severity level.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dlp_rule_severity = high

Application

dlp_scan_failed

Search dlp_scan_failed field in application

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Page

domain

Search for specific domain.

string

"eq", "=", "==", "neq", "!="

Alerts

download_app

Search events where data was downloaded from a specific cloud app.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

dst_country

Search events for a specific destination country.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dst_country = US

Alerts, Application, Network, Page

dst_latitude

Search events for a specific destination latitude.

float

"eq", "=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

dst_latitude > 0

Alerts, Application, Network, Page

dst_location

Search events for a specific destination location.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dst_location = 'San Jose

Alerts, Application, Network, Page

dst_longitude

Search events for a specific destination longitude.

float

"eq", "=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

dst_longitude > 0

Alerts, Application, Network, Page

dst_region

Search events for a specific destination state.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dst_region eq GA

Alerts, Application, Network, Page

dst_zipcode

Search events for a specific zip code.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dst_zipcode eq 94043

Network, Page

dsthost

Destination host name.

 

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

dstip

Search events for a specific destination IP address.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

dstip eq 192.0.2.1

Alerts, Application, Network, Page

dstport

Search events for a specific destination port.

integer

"eq", "=", "==", "neq", "!="

dstport = 443

Event Type

Query

Description

Format

Operators

Sample Values

Alerts

email_source

The source of the email used in finding compromised credentials.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network

encrypt_failure

Failure while encrypting a file.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

enterprise

The name of an enterprise.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

exposure

Search for a file with exposure.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

external

Alerts, Application, Network

external_collaborator_count

Number of external collaborators.

integer

"eq", "=", "gt", "gte", "lt", "lte"

Alerts

external_email

Search the external_email in alerts.

integer

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Event Type

Query

Description

Format

Operators

Sample Values

Alerts

false_positive

Search for alerts that have been acknowledged or not.

TRUE

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

acked eq true/false

Alerts, Application, Network

file_lang

File language attribute of relevant object.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

file_password_protected

Search for events that have file_password_protected attribute set to yes.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network

file_path

File path attribute of relevant object.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

file_size

File size attribute of relevant object.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

Alerts, Application, Network

file_type

File type attribute of relevant object.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

first_accessed

Search for first seen time of app.

integer

"gte", "lte", "from", "to"

Alerts, Application, Network

from_object

Search events for activities where the user is performing activities between two objects, like moving files between folders.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

from_object eq Folder1

Alerts, Application, Network

from_user

Search events for activities based on login IDs for cloud apps.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

from_user like john,

from_user = john and activity eq Download

Alerts, Application, Network, Page

from_user_category

Search whether user who is inviting is external or internal.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

from_user_category like Internal

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network, Page

gateway

Search events from a specific gateway name or address.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network, Page

hostname

Search for events from a specific device hostname.

string

eq,=,==,neq,!=,like,~,notlike,!~

Alerts, Page

http_transaction_count

Search for http transaction count.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

http_transaction_count gt 4

Event Type

Query

Description

Format

Operators

Sample Values

Alerts

iaas_asset_tags.name

Search alert for the given iaas_asset_tags.name.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

iaas_asset_tags.value

Search alert for the given iaas_asset_tags.value.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

iaas_remediated

Search alert for iaas_remediated field existence.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network

instance_id

Search events based on the instance of the app. Some cloud apps have multiple instances of the app active at the same time. For example, enterprise Salesforce.com instance for an organization. This query field is to query events for a specific instance ID.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Salesforce: app eq Salesforce.com and instance_id eq <instance-id>

Alerts, Application, Network

instance_name

Search events based on the name of instance of the app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

instance_type

Search events based on the instance type of the app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Example for creating a server: instance_type= Server

Alerts, Application, Network

internal_collaborator_count

Number of internal collaborators.

integer

"eq", "=", "gt", "gte", "lt", "lte"

Network

ip_protocol

Search events from a specific ip_protocol.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network

justification_reason

Search user justification reason for policy violation action.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

justification_type

Search user justification for policy violation action.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Event Type

Query

Description

Format

Operators

Sample Values

Alerts

last_app

The last app seen used by this user for this anomaly type prior to the generation of this anomaly.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

last_country

The last country this user was seen in prior to the generation of this anomaly.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

last_device

The last device used prior to the generation of this anomaly.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

last_location

The last location this user was seen in prior to the generation of this anomaly.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

last_region

The last region this user was seen in prior to the generation of this anomaly.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

last_timestamp

The timestamp corresponding to the user's last non- anomalous activity prior to the generation of this anomaly.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Page

latency_max

Search events based on the max latency values from proxy to app in milliseconds.

Event Type: Page.

Ex: latency_max > 200,

app = 'Salesforce.com' and src_country != US and latency_max gt 500

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

latency_max > 200

Page

latency_min

Search events based on the min latency values from proxy to app in milliseconds.

Event Type: Page

Ex: latency_min > 200

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt"

latency_min > 200

Page

latency_total

Search events based on the total latency values from proxy to app in milliseconds.

Event Type: Page.

Ex: latency_total gt 200

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt"

latency_total gt 200

Alerts, Application, Network

lh_fileid

Search events for a specific file identified by a unique ID assigned by the app chosen for copying the file for legalhold.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

local_md5

MD5 checksum of relevant object.

string

"eq", "=", "==", "neq", "!="

Alerts

local_sha256

The sha256 of relevant object.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

log_file_name

The file name of the log.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Event Type

Query

Description

Format

Operators

Sample Values

Alerts

malsite_id

This variable holds hash of malsite URL.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

malware_id

This variable holds value for malware ID.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

malware_name

This variable holds value for malware name.

TRUE

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

malware_severity

This variable holds value for malware severity.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

malware_type

This variable holds value for malware type.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

managed_app

App managed by Netskope.

sting

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

managementID

Search events for a specific device management ID.

string

"eq", "=", "==", "neq", "!="

Alerts

matched_username

The email address that was compromised.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

md5

MD5 checksum of relevant object.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network

message_id

Search events based on the message_id.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

mime_type

Mimetype attribute of relevant object.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

modified

Modification time of relevant object.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network, Page

netskope_pop

Search events with the netskope pop details.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

network

Search events based on network.

string

eq,=,==,neq,!=,like,~,notlike,!~

network eq NET24:172.16.168.0

Alerts, Application, Network

nsdeviceuid

Search events for a specific nsdeviceuid.

string

"eq", "=", "==", "neq", "!="

Page

numbytes

Search for total number of bytes that transmitted for the connection.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt"

numbytes > 100

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network

oauth

Search events where a login has been performed by 3rd party app using OAuth tool provided by the cloud app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

object

Search events for a specific object name. Object name displays the actual filename, folder name, report name, document name, etc.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

object like xls

Search for users sharing excel files and this will display the individual file names under this object:

activity eq Share and object_type eq File and object ~ xls

Search for users downloading medical records:

activity eq Download and object ~ 'Medical Record'

Alerts, Application, Network

object_count

This variable holds the value of number of objects on which operation is performed.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

object_id

Search events for a specific object id such as activity specific value, etc.

Event Type: Alert.

Ex: object_id = f_12787234

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

object_id = f_12787234

Alerts, Application, Network

object_type

Search events for a specific object type such as file, folder, report, document, message, etc.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

object_type eq file

Search for all the files that are shared by users and also the file names of the file:

activity eq share and object_type eq File

Search for all the downloads from Salesforce.com of type file. This will also show the file names:

app eq Salesforce.com and activity eq Download and object_type eq File

Search for users who accessed file on GitHub. This will also show the file names:

app eq GitHub and activity eq View and object_type eq File

Alerts, Application, Network

offending_entry

Contains offending snippet from traffic.

Ex: email that matches a constraints profile

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

An email that matches a constraints profile.

Alerts, Application, Network

offending_ip

Contains offending IP that matches a network location object.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

An IP that matches a network location object.

Alerts, Application, Network

openid

Search events where a login has been performed by 3rd-party app using OpenID tool provide by the cloud app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

org

Search for events from a specific organization. Organization name is derived from user ID.

Event Type: Application, Page, Alert.

Ex: org eq 'netskope.com'

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

org eq 'netskope.com'

Alerts, Application, Network, Page

organization_unit

Search for events from a specific organization unit.

Organization name is derived from user ID.

Ex: organization_unit eq 'netskope.com'

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "startswith"

org eq 'netskope.com'

Page

origin

Search for events from specific log sources for log uploads. Administrators can upload the firewall logs and proxy logs to the Netskope tenant instance for passive monitoring of the traffic. Netskope log watcher can monitor the logs to detect the cloud apps that users are using.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

origin like Gateway,

origin like firewall,

origin like proxy

Alerts, Application, Network, Page

os

Search for events from a specific Operating System (OS).

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

os = Windows,

os eq Mavericks or os eq iOS

Search for events from Macintosh not running enterprise approved OS:

device eq Macintosh and os neq Maverick

Alerts, Page

os_version

Search for a specific OS version.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network

owner

User who owns this object.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Application, Page

other_categories

The secondary category assigned to an application or website, it also includes any user designated categories.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

Security Risk Malware Distribution Point, All Categories, Prohibited Websites

Event Type

Query

Description

Format

Operators

Sample Values

Page

page

Search for specific page.

string

"eq", "=", "==", "neq", "!="

Page

page_duration

Search for page duration.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

Page

page_endtime

Search for page end time.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

Page

page_id

Search for page ID.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

Page

page_starttime

Search for page start time.

integer

"eq", "=", "==", "neq", "!=", "gt", ">, "gte", ">=", "lt", <, "lte", "<="

Alerts, Application, Network

parent_id

Search event for folder ID to which file has been moved or copied.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

policy

Search for policies triggered by specific policy.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

policy eq 'Cloud storage Policy'

Alerts, Application, Network

privilege

Search event for user account privilege details.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Network

protocol_port

Search events for combination of ip_protocol and destination port.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

protocol_port eq TCP:80

Network

publisher_cn

Search events for a specific publisher_cn.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

publisher_cn eq test_npa_publisher_cn

Network

publisher_name

Search events for a specific publisher_name.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

publisher_name eq test_npa_publisher

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network

quarantine_action_reason

Search events for a specific action (allow/block) applied to the content based on quarantine approver (admin) decision.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

quarantine_failure

Search events for a quarantine failure during transferring the content to the app chosen for quarantining.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

quarantine_file_id

Search events for a specific file identified by a unique ID assigned by the app chosen for quarantining the file.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

quarantine_profile

Search events for a specific quarantine profile applied to the content.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

quarantine_profile = quarantine-pf1

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network

redirect_url

Search event for the URLs to which a cloud app has redirected after login when used with tools such as OAuth.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

referer

Search referer URL associated with an activity in a cloud app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

region_name

Search IaaS assets for the given region_name.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Page

req_cnt

Search events based on number of http requests over one underlying tcp connection.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

req_cnt >10

Alerts

resource_category

Search events based on the resource_category like user, IAM, etc.

string

eq,=,==,neq,!=,like,~,notlike,!~

"Compute"

Page

resp_cnt

Search events based on the number of HTTP responses over one underlying TCP connection.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

resp_cnt > 10

Alerts, Application, Network, Page

retro_scan_name

Filter by retro scan name.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

retro_scan_name = 'Retro_Scan_onedrive_sumoskope_20180827',

retro_scan_name eq

Retro_Scan_onedrive_sumoskope_20180827' or'Retro_Scan_box_ENG51457TEST_20180827'

Alerts, Application, Network, Page

role

Search for user roles like owner, editor, etc.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

role eq Editor

Event Type

Query

Description

Format

Operators

Sample Values

Alerts

sa_profile_name

Search alerts based on the sa_profile_name value.

integer

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

Alerts

sa_rule_name

Search alerts based on the sa_rule_name value.

integer

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

Alerts

sa_rule_severity

Search for alerts triggered by specific policy, watchlist, or DLP.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in"

sa_rule_severity eq 'Low'

Alerts, Application, Network, Page

sanctioned

Checks whether the returned events are generated from applications tagged as Sanctioned.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Application, Alerts

sanctioned_instance

Search sanctioned_instance field in application and alerts.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

scan_type

Generated during retroactive scan or new ongoing activity.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network

security_issue

Search events about any security issues associated with the SAAS app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Page

serial

The device serial number from which the metric came.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Page

server_bytes

Search events based on bytes transferred from server to client.

integer

"eq", "=", "==", "neq", "!=", "gt", ">", "gte", ">=", "lt", "<", "lte", "<="

server_bytes > 800

Alerts, Application, Network

severity

Search incident severity.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

shared

File sharing attributes of relevant object.

string

"eq", "=", "==", "neq", "!="

Alerts

shared_credential_user

Search the shared_credential_user events.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

Alerts, Application, Network

shared_domains

Comma-seperated shared domains of a file.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

shared_user_hostname

Search for shared credential alert from a specific shared user hostname.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

Alerts, Application, Network

shared_with

Comma-seperated shared users of a file.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

site

Search for specific site.

string

"eq", "=", "==", "neq", "!=", "in", "not_in"

site eq NY

Alerts, Application, Network

smtp_status

Search events based on the smtp_status.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

smtp_to

Search events based on the smtp_to user.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

src_ip_country

Search events from a specific source country.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

src_ip_country eq IN

Alerts, Application, Network, Page

srcip

Search events based on source IP.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

src_country

Search events based on source IP country.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

src_country eq IN,

src_country eq US and dst_country eq US

Alerts, Application, Network, Page

src_location

Search events from a specific source city.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

src_location eq 'San Francisco'

Alerts, Application, Network, Page

src_region

Search events based on source IP region.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

src_country eq US and src_region eq CA

Alerts, Application, Network, Page

src_zipcode

Search events based on source IP zipcode.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

src_zipcode eq 94043

Alerts, Application, Network, Page

src_location

Search events from a specific source city.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

src_location eq 'San Francisco'

Alerts, Application, Network, Page

src_region

Search events from a specific source state or region.

string

eq,=,==,neq,!=,like,~,notlike,!~

src_region eq CA

Alerts, Application, Network, Page

src_timezone

Search events for a specific timezone.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

src_zipcode

Search for events from a specific source zipcode.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

src_zipcode eq 94043

Alerts, Application, Network, Page

srcip

Search events from a specific source IP address.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

srcip eq 192.0.2.1

Page

ssl_decrypt_policy

Search for traffic bypassed by Netskope due to a SSL Decrypt Policy hit.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Page

subject

Search events based on the email subject.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network

tag

Search events based on video related keywords.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

team

Search for events specific to a team in slack.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

telemetry_app

Search telemetry app associated with an activity in a cloud app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts

threat_match_value

Search for threat match value (URL or domain) in malicious sites.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

domain, url, ip

Alerts, Application, Network, Page

timestamp

The time the event is generated. Timestamp is in Epoch Time format.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

timestamp gt 1597449600

Alerts, Application, Network

to_object

Search events for activities where the user is performing activities between two objects, like moving files between folders. This field is visible only for events which involves a user activity between two objects.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

to_object like Folder1

activity eq Edit and to_object like Folder1

Alerts, Application, Network

to_user

Search events based on the destination user IDs. This field is visible only for events where a user is transacting with another user such as sharing a file, sharing a folder, etc.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Ex: to_user like Adam

Search for all the user names inside the organization with who the file was shared:

app eq Dropbox and activity eq Share and to_user ~ netskope

Alerts, Application, Network, Page

to_user_category

search whether invited user is internal or external.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Internal, External

Alerts, Application, Network

total_collaborator_count

Total number of collaborators.

integer

"eq", "=", "gt", "gte", "lt", "lte"

Alerts, Application, Network, Page

traffic_type

Search for specific traffic type. There are two types of traffic: Web and CloudApp.

string

eq,=,==,neq,!=

traffic_type eq Web

Alerts, Application, Network

transaction_id

Search for events with specific transaction ID.

integer

"eq", "=", "==", "neq", "!="

transaction_id eq <ID>

Alerts, Application, Network

trigger

Search for events for specific activity, like Upload.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

trigger_val

Search for events for specific activity value, like File Name.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

trigger_var

Search for events for specific activity name, like File.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

trust_computer_checked

Search events where trust computer option is checked along with two factor authentication for logging into a cloud app.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network

tss_scan_failed

Search dlp_scan_failed field in application.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

tunnel_id

Search events for a specific connection ID.

string

"eq", "=", "=="

Alerts, Application, Network

two_factor_auth

Search events where a login has been performed using two factor authentication.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

type

Search for a connection type event or an application event. Application events are triggered for user actions inside the cloud app. Application events are of type nspolicy. You can also switch between page and application events from the dropdown displayed on the Skope IT page.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

type eq connection,

type eq page,

type eq nspolicy

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network

universal_connector

Search events about detection source.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

App Connector or Universal Connector.

Application, Network, Page

ur_normalized

Search events from a specific ur_normalized.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

ur_normalized eq john@abc.com

Alerts, Application, Network, Page

url

Search URL accessed by a user.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

url eq http://www.example.com

Alerts, Application, Network

Url2Activity

Search specific Skope IT events for uploaded logs.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

user

Search events for a specific user.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

user eq john@abc.com

Search for user with IP address 192.0.2.1:

user eq 192.0.2.1

Search for events from username that contains john for the Dropbox app:

user ~ john and app eq Dropbox

Search for events from user john@abc.com for the Dropbox app:

user eq john@abc.com and app eq Dropbox

Search for events for all users from adam to john:

user from adam to john

Alerts, Application, Network, Page

user_category

search whether user is internal or external

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

user_category eq Internal

Page

user_generated

Search for events for user generated page events.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

user_password_breached

The user whose credential is compromised. Possible values are 'yes' or 'no'.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network, Page

user_role

Search for user role like admin, coadmin, etc.

Ex: user_role eq Admin

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

user-risk

The risk level of users (low, medium, high).

string

"eq", "="

Alerts, Page

useragent

The user agent field in HTTP request.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

usergroup

When a user group is searched, this includes every user within the group.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~", "in", "not_in"

usergroup eq student2.support-lab.com/Test

Alerts, Application, Network, Page

userip

When a user is behind a proxy, this indicates the internal IP of the user at that time.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

Alerts, Application, Network, Page

userkey

Search events from a specific user/email.

string

"eq", "=", "==", "neq", "!=", "like", "~", "notlike", "!~"

userkey eq john@abc.com

Query

Description

Format

Operators

vpc

Search events based on vpc.

string

eq,=,==,neq,!=,like,~,notlike,!~

Event Type

Query

Description

Format

Operators

Sample Values

Alerts, Application, Network

web_url

The URL for a file which will open the file in an app.

string

"eq", "=", "==", "neq", "!="

Alerts, Application, Network

workspace

Workspace name specific to Slack Enterprise.

string

"eq", "=", "==", "neq", "!="

This a custom name provided by the admin. For example:

Netskope Corp