Skope IT Queries Library
Skope IT Queries Library
This section provides the query name, description, format, and operators for Skope IT query language searches. Click on a letter to expand and see the queries.
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network, Page | access_method | Search for events generated from specific access methods such as Client, Secure Forwarder, Logs, and Mobile profile. Search events where the access method is either Add On or Secure Forwarder: access_method eq ‘Add On’ or access_method eq ‘Secure Forwarder’ For log uploads from Proxy or firewall, provide the name of the parser to search for events generated from log uploads: access_method eq proxysg-http-main | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in” | access_method eq ‘Client’ |
| Alerts | account_id | Search IaaS collections and alerts for the given account ID. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in” | a776ab3b-0d9d-401e-a31d-2f478a4cd2cb |
| Alerts | account_name | Search IaasS collections and alert for the given account name. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in” | iaas-azure-dev |
| Alerts | acked | Search for alerts that have been acknowledged or not. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | acked eq true/false |
| Alerts, Application, Network, Page | act_user | Search for the user who performed an activity. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | jamesgreen@netskope.com |
| Alerts, Application, Network, Page | action | Search for an action taken by the user, like Block, Bypass, Alert. Isolate is unique to Page Events. This query is only available if RBI is deployed. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | alert eq yes and action eq block |
| Alerts, Application, Network | activity | Search for events or alerts for a specific user activity. Values specified for this query field is one of the activities that can occur within the cloud app and analyzed by the Netskope analytics engine. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in” | activity eq Create,activity eq Download or activity eq Upload,activity eq Download and object_type eq Reports and app eq Expensify |
| Alerts, Application, Network | activity_status | Search for events or alerts for a specific app activity status. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | activity_status eq Access Denied |
| Alerts, Application, Network | activity_type | Search events about activity type of app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | Admin |
| Alerts, Application, Network, Page | aggregated_user | Search events where the user field is a network location. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | aggregated_user eq True |
| Alerts, Application, Network | alert | Search for events that triggered an alert due to a policy match, watchlist, or event that did not trigger an alert. Alerts are only generated when a policy or watchlist is matched. In all other scenarios, a regular event is generated. | string | “eq”, “=”, “==”, “neq”, “!=” | alert eq yes |
| Alerts | alert_category | Search for alerts triggered by watchlist. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | alert_category eq Suspicious Access |
| Alerts | alert_detection_stage | Search for alerts triggered by watchlist. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | alert_detection_stage eq Access |
| Alerts | alert_id | The alert ID of the alert data. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | alert_name | Search for alerts triggered by specific policy, watchlist, or DLP. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | alert_name eq ‘Cloud storage Policy’, alert_type eq policy and alert_name eq ‘block uploads policy’, alert_type eq watchlist and alert_name eq ‘Creating file on Google drive’ |
| Alerts | alert_query | Search for alerts triggered by watchlist. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | alert_query eq query string |
| Alerts | alert_stage | Search for alerts triggered by watchlist. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | alert_stage eq Access |
| Alerts | alert_status | Search for alerts triggered by watchlist. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | alert_status eq open |
| Alerts, Application, Network | alert_type | Search for alerts triggered by policy action, watchlist, quarantine, or DLP. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | alert_type eq policy Search for alerts generated by DLP violations: alert_type eq DLP Search for alerts not generated by watchlist: alert_type neq watchlist alert_type eq Compromised Credential alert_type in [‘Tombstone Failed’] |
| Alerts | alert_window | Search for alerts triggered by watchlist. | integer | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | alert_window eq 86400000 |
| Alerts, Application, Page | app | Search events for a specific cloud app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | app = Dropbox Search events for all apps except Box: app neq Box Search events for Box or Dropbox apps: app = Box or app = Dropbox Search events from user abc@xyz.com for the Dropbox, Box, Facebook, or Salesforce.com apps: user eq abc@xyz.com and (app eq Dropbox or app eq Box or app eq Facebook or app eq Salesforce.com) |
| Alerts, Application, Network, Page | app_activity | Search events based on app search for application activity. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | SearchQueryPerformed, FileDeleted, FileAccessedExtended,GroupAdded, FileSyncUploadedFull, UserLoginFailed, FileAccessed |
| Alerts, Application, Page | app_session_id | Search for events with specific application session ID. An app session starts when a user starts using acloud app and ends once they have been inactive for a certain period of time. Each application session hasa unique application session ID. Use app_session_id to check all the user activities in a single app session. | integer | “eq”, “=”, “==”, “neq”, “!=” | app_session_id eq <session ID number> |
| Alerts, Application, Network, Page | app-cci-access-logs | Search events for apps with ‘Does the app provide data access audit logs?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-access-other-apps | Search events for apps with ‘Does this application access other apps on the device?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-action-based-auth | Search events for apps with ‘Does the app enforce authorization policies on user activities?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-allow-classify-data | Search events for apps with ‘Does the app allow data classification, like public, confidential, and proprietary. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-allow-download-data | Search events for apps with ‘Is the customer data available for download upon cancellation of service?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-allow-proxy | Search events for apps with ‘Can the App Traffic be Proxied’. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-anonymous-sharing | Search events for apps with ‘Does the app allow anonymous sharing of data?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-app-hosting-location | Search events about the locations from which the hosting provider serves app data. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-app-tag | Search events for apps with ‘App Type’. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-app-type | The type of the app – Consumer, Departmental, or Enterprise. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-apphosting-provider | Search events for apps with ‘Which infrastructure or hosting provider is the app hosted on?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-audit-logs | Search events for apps with ‘Does the app provide admin audit logs?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-backup-user-data | Search events for apps with ‘Does the app vendor back up customer data in a separate location from the main data center?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-backup-user-data | Search for apps with ‘Does the app vendor back up customer data in a separate location from the main data center?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-cc-signup | Search events about the locations from which the hosting provider serve app data. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-compliance-cert | Search events for apps with ‘What compliance certifications does the app have?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-contacts-data | Search events for apps with ‘Does this application access contacts, calendar data and messages?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-cookies-3rd-party | Search events for apps with ‘Does this application use third-party cookies?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-data-center-cert | Search for events f apps with ‘To what data center standards does the app adhere?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-data-per-tenant | Search events for apps with ‘Data segregated by tenant’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-device-based-access | Search events for apps with ‘Does the app support the following device types?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-dispersed-data-center | Search events for apps with ‘Does the application vendor utilize geographically dispersed data centers to serve customers?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-encrypt-at-rest | Search events for apps with ‘Does the app encrypt data- at-rest?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-encrypt-in-transit | Search events for apps with ‘Does the app encrypt data- in-transit?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-encrypt-tenant-managed-key | Search events for apps with ‘Does the app allow customer-managed encryption keys?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-erase-cust-data | Search events for apps with ‘Is all customer data erased upon cancellation of service? If so, when?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-file-capacity | Search events for apps with ‘File Sharing Capacity’. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-file-sharing | Search events for apps with ‘Does the app enable file sharing? ‘ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-is-weak-cipher | Search events for apps with ‘Does the app increase the risk of data exposure by supporting weak cipher suites?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-multi-fact-auth | Search events for apps with ‘Does the app support multi- factor authentication?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-published-dr-plan | Search events for apps with ‘Does the app vendor provide disaster recovery services?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-recent-breach | Search events for apps with ‘Has this application been recently breached (in the past year)?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-role-based-access | Search events for apps with ‘Does the app support role- based authorization?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-secure-pass-policy | Search events for apps with ‘Does the app enforce password best practices as policy?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-securityheaders | Search events for apps with ‘Which HTTP security headers does the app use?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-sharing-personal-info-3rd-party | Search events for apps with ‘Does this app share users’ personal information.’ Ex: name, email, address) | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-spf | Search events for apps with ‘Does the app vendor use a Sender Policy Framework to protect customers from spam and phishing emails?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-src-ip-enforcement | Search events for apps with ‘Does the app support access control by IP address or range?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-sso | Search events for apps with ‘SSO/AD hooks.’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-status-report | Search events for apps with ‘Does the app vendor provide infrastructure status reports?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-system-operations | Search events for apps with ‘Does this application perform system operations?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-treat-classify-data | Search events for apps with ‘If yes, does the app allow admins to take action on classified data. Ex: , encrypt, control access? | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-upgrade-notification | Search events for apps with ‘Does the app vendor provide notifications to customers about upgrades and changes Ex: scheduled maintenance, new releases, software/hardware changes | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-user-audit-logs | Search events for apps with ‘Does the app provide user audit logs?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-vuln-exploit | Search events for apps with ‘Vulnerabilities & Exploits’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-weak-algorithm-keysize | Search events for apps with ‘Does the app increase the risk of data exposure by supporting weak signature algorithm or key size ?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-cci-who-owns-data | Search events for apps with ‘Who owns the data/content uploaded to the application site? Does the customer own the data or does the application vendor own the data?’ | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | app-gdpr-level | Search based on the General Data Protection Regulation (GDPR) readiness level of the apps. The readiness levels are low, medium, and high. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | app-gdpr-level eq high |
| Alerts, Application, Network, Page | app-risk | The risk level of apps (low,medium,high). | string | “eq”, “=” | |
| Alerts, Application | appsuite | Search appsuite field in application and alerts. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | attachment | This variable will hold the name of attachments that are being sent with the mail. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | audit_category | Search audit events for a specific audit category. audit_category displays the category to which the audit event belongs to. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | audit_type | Search audit events for a specific audit type. audit_type displays the actual audit event name from the SaaS app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | audit_type eq internal |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | bcc | Search events based on the user ids in bcc | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | browser | Search for events from a specific browser. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | browser eq Chrome Search for events from any browser other than Chrome, Safari, and Firefox: not (browser eq Chrome or browser eq Safari or browser eq Firefox) |
| Alerts, Page | browser_session_id | Search for browser session ID. When there is an idle timeout of 15 minutes, the browser session ID is triggered and will timeout the session. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<”, “lte”, “<=” | |
| Alerts, Page | browser_version | Search for specific browser version. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Page | bypass_traffic | Search for traffic bypassed by Netskope. | string | “eq”, “=”, “==”, “neq”, “!=” |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network, Page | category | Search events for category. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | category = ‘Cloud Storage’ |
| Alerts, Application, Network | cc | Search events based on the user in cc. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | cci | Search for Cloud Confidence Index (CCI) score. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<;”, “lte”, “<=” | cci gt 40 |
| Alerts, Application, Network, Page | ccl | Search for Cloud confidence level of an application. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | ccl eq poor |
| Alerts, Application, Network, Page | channel | Search for events specific to a channel in slack. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Page | client_bytes | Search events based on bytes transferred from client to server. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | client_bytes > 800 |
| Alerts | compliance_standards.control | The compliance standards control value. | string | “eq”, “=”, “==”, “neq”, “!=”, “in”, “not_in” | |
| Alerts | compliance_standards.id | The compliance standards ID for use in sort. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=”, “in”, “not_in” | |
| Alerts | compliance_standards.section | The compliance standards section value. | string | “eq”, “=”, “==”, “neq”, “!=”, “in”, “not_in” | |
| Alerts | compliance_standards.standard | The compliance standards ‘standard’ value. | string | “eq”, “=”, “==”, “neq”, “!=”, “in”, “not_in” | |
| Page | conn_duration | Search events based on how long the connection was established in seconds. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | conn_duration > 10000 |
| Alerts, Application, Network, Page | connection_id | Search events for a specific connection ID. | integer | “eq”, “=”, “==”, “neq”, “!=” | connection_id eq <connection ID number> |
| Alerts, Application, Network, Page | count | Search for activities with event count greater than 1 to search for events that are suppressed. Netskope log watcher ensures that minimum numbers of events are generated for events that occur multiple times within a short interval of time. It will report the total number of events under count. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | count gt 1and app eq ‘Google Drive’ |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | data_type | Search events about content-type for Upload and Download triggers. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | detection_engine | Search alerts for the given detection engine. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | device | Search for events from a specific device. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | device eq WindowsSearch for users using Dropbox from iOS device:device eq iOS and app eq DropboxSearch for events to verify if MacOS traffic is redirected through Secure Forwarder:device eq Macintosh and access_method eq ‘Secure Forwarder’ |
| Alerts, Application, Network | device_classification | How the device has been classified. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | device_classification eq managed |
| Alerts, Application, Network | dlp_file | Search events for DLP violation file that matches the content. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dlp_file = credit_card_data.doc |
| Alerts, Application, Network | dlp_fingerprint_classification | Search events for DLP fingerprint classification within the profile that matches the content. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dlp_fingerprint_classification = Finance |
| Alerts, Application, Network | dlp_fingerprint_match | Search events for DLP fingerprint file within the profile that matches the content. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dlp_fingerprint_match = finance_report.doc |
| Alerts, Application, Network | dlp_fingerprint_score | Search events for DLP fingerprint score within the profile that matches the content. | integer | “eq”, “neq”, “gt”, “>”, “gte”, “>;=”, “lt”, “<“, “lte”, “<=” | dlp_fingerprint_match > 10 |
| Alerts, Application, Network | dlp_incident_id | Search events for a specific dlp incident ID. | integer | “eq”, “=”, “==”, “neq”, “!=” | dlp_incident_id eq <incident-id-number> |
| Alerts | dlp_match_info | DLP match identifier details. | dictionary | “eq”, “neq”, “in”, “notin” | |
| Alerts, Application, Network | dlp_parent_id | Search events for a specific DLP parent incident ID. | integer | “eq”, “=”, “==”, “neq”, “!=” | dlp_parent_id eq <parent ID number> |
| Alerts, Application, Network | dlp_profile | Search events for a specific DLP profile applied to the content. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dlp_profile = dlp-pci |
| Alerts, Application, Network | dlp_profile_name | Search events for a specific DLP profile. | string | “eq”, “neq”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | dlp_profile_name = dlp-pci |
| Alerts, Application, Network | dlp_rule | Search events for a dlp rule within the profile that matches the content. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dlp_rule = cc_num |
| Alerts, Application, Network | dlp_rule_count | Search events that number of rules matches the content. | integer | “eq”, “neq”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | dlp_rule_count = 10 |
| Alerts, Application | dlp_rule_name | Search events for a dlp rule within the profile that matches the content. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dlp_rule = cc_num |
| Alerts, Application, Network | dlp_rule_severity | Search events for a DLP rule that matches the severity level. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dlp_rule_severity = high |
| Application | dlp_scan_failed | Search dlp_scan_failed field in application | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Page | domain | Search for specific domain. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts | download_app | Search events where data was downloaded from a specific cloud app. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | dst_country | Search events for a specific destination country. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dst_country = US |
| Alerts, Application, Network, Page | dst_latitude | Search events for a specific destination latitude. | float | “eq”, “=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | dst_latitude > 0 |
| Alerts, Application, Network, Page | dst_location | Search events for a specific destination location. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dst_location = ‘San Jose |
| Alerts, Application, Network, Page | dst_longitude | Search events for a specific destination longitude. | float | “eq”, “=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | dst_longitude > 0 |
| Alerts, Application, Network, Page | dst_region | Search events for a specific destination state. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dst_region eq GA |
| Alerts, Application, Network, Page | dst_zipcode | Search events for a specific zip code. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dst_zipcode eq 94043 |
| Network, Page | dsthost | Destination host name.
| string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | dstip | Search events for a specific destination IP address. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | dstip eq 192.0.2.1 |
| Alerts, Application, Network, Page | dstport | Search events for a specific destination port. | integer | “eq”, “=”, “==”, “neq”, “!=” | dstport = 443 |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts | email_source | The source of the email used in finding compromised credentials. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network | encrypt_failure | Failure while encrypting a file. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | enterprise | The name of an enterprise. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | exposure | Search for a file with exposure. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | external |
| Alerts, Application, Network | external_collaborator_count | Number of external collaborators. | integer | “eq”, “=”, “gt”, “gte”, “lt”, “lte” | |
| Alerts | external_email | Search the external_email in alerts. | integer | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts | false_positive | Search for alerts that have been acknowledged or not. | TRUE | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | acked eq true/false |
| Alerts, Application, Network | file_lang | File language attribute of relevant object. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | file_password_protected | Search for events that have file_password_protected attribute set to yes. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network | file_path | File path attribute of relevant object. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | file_size | File size attribute of relevant object. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | |
| Alerts, Application, Network | file_type | File type attribute of relevant object. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | first_accessed | Search for first seen time of app. | integer | “gte”, “lte”, “from”, “to” | |
| Alerts, Application, Network | from_object | Search events for activities where the user is performing activities between two objects, like moving files between folders. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | from_object eq Folder1 |
| Alerts, Application, Network | from_user | Search events for activities based on login IDs for cloud apps. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | from_user like john, from_user = john and activity eq Download |
| Alerts, Application, Network, Page | from_user_category | Search whether user who is inviting is external or internal. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | from_user_category like Internal |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network, Page | gateway | Search events from a specific gateway name or address. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network, Page | hostname | Search for events from a specific device hostname. | string | eq,=,==,neq,!=,like,~,notlike,!~ | |
| Alerts, Page | http_transaction_count | Search for http transaction count. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | http_transaction_count gt 4 |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts | iaas_asset_tags.name | Search alert for the given iaas_asset_tags.name. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | iaas_asset_tags.value | Search alert for the given iaas_asset_tags.value. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | iaas_remediated | Search alert for iaas_remediated field existence. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts | incident_id | Search file for a specific incident id. | int | “eq”, “=”, “==”, “neq”, “!=” | incident_id eq <incident-id-number> |
| Alerts, Application, Network | instance_id | Search events based on the instance of the app. Some cloud apps have multiple instances of the app active at the same time. For example, enterprise Salesforce.com instance for an organization. This query field is to query events for a specific instance ID. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | Salesforce: app eq Salesforce.com and instance_id eq <instance-id> |
| Alerts, Application, Network | instance_name | Search events based on the name of instance of the app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | instance_type | Search events based on the instance type of the app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | Example for creating a server: instance_type= Server |
| Alerts, Application, Network | internal_collaborator_count | Number of internal collaborators. | integer | “eq”, “=”, “gt”, “gte”, “lt”, “lte” | |
| Network | ip_protocol | Search events from a specific ip_protocol. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | justification_reason | Search user justification reason for policy violation action. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | justification_type | Search user justification for policy violation action. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts | last_app | The last app seen used by this user for this anomaly type prior to the generation of this anomaly. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | last_country | The last country this user was seen in prior to the generation of this anomaly. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | last_device | The last device used prior to the generation of this anomaly. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | last_location | The last location this user was seen in prior to the generation of this anomaly. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | last_region | The last region this user was seen in prior to the generation of this anomaly. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | last_timestamp | The timestamp corresponding to the user’s last non- anomalous activity prior to the generation of this anomaly. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Page | latency_max | Search events based on the max latency values from proxy to app in milliseconds. Event Type: Page. Ex: latency_max > 200, app = ‘Salesforce.com’ and src_country != US and latency_max gt 500 | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | latency_max > 200 |
| Page | latency_min | Search events based on the min latency values from proxy to app in milliseconds. Event Type: Page Ex: latency_min > 200 | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt” | latency_min > 200 |
| Page | latency_total | Search events based on the total latency values from proxy to app in milliseconds. Event Type: Page. Ex: latency_total gt 200 | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt” | latency_total gt 200 |
| Alerts, Application, Network | lh_fileid | Search events for a specific file identified by a unique ID assigned by the app chosen for copying the file for legalhold. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | local_md5 | MD5 checksum of relevant object. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts | local_sha256 | The sha256 of relevant object. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | log_file_name | The file name of the log. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts | malsite_id | This variable holds hash of malsite URL. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | malware_id | This variable holds value for malware ID. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | malware_name | This variable holds value for malware name. | TRUE | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | malware_severity | This variable holds value for malware severity. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | malware_type | This variable holds value for malware type. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | managed_app | App managed by Netskope. | sting | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | managementID | Search events for a specific device management ID. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts | matched_username | The email address that was compromised. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | md5 | MD5 checksum of relevant object. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network | message_id | Search events based on the message_id. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | mime_type | Mimetype attribute of relevant object. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | modified | Modification time of relevant object. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network, Page | netskope_pop | Search events with the netskope pop details. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | network | Search events based on network. | string | eq,=,==,neq,!=,like,~,notlike,!~ | network eq NET24:172.16.168.0 |
| Alerts, Application, Network | nsdeviceuid | Search events for a specific nsdeviceuid. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Page | numbytes | Search for total number of bytes that transmitted for the connection. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt” | numbytes > 100 |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | oauth | Search events where a login has been performed by 3rd party app using OAuth tool provided by the cloud app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | object | Search events for a specific object name. Object name displays the actual filename, folder name, report name, document name, etc. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | object like xls Search for users sharing excel files and this will display the individual file names under this object: activity eq Share and object_type eq File and object ~ xls Search for users downloading medical records: activity eq Download and object ~ ‘Medical Record’ |
| Alerts, Application, Network | object_count | This variable holds the value of number of objects on which operation is performed. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | object_id | Search events for a specific object id such as activity specific value, etc. Event Type: Alert. Ex: object_id = f_12787234 | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | object_id = f_12787234 |
| Alerts, Application, Network | object_type | Search events for a specific object type such as file, folder, report, document, message, etc. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | object_type eq file Search for all the files that are shared by users and also the file names of the file: activity eq share and object_type eq File Search for all the downloads from Salesforce.com of type file. This will also show the file names: app eq Salesforce.com and activity eq Download and object_type eq File Search for users who accessed file on GitHub. This will also show the file names: app eq GitHub and activity eq View and object_type eq File |
| Alerts, Application, Network | offending_entry | Contains offending snippet from traffic. Ex: email that matches a constraints profile | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | An email that matches a constraints profile. |
| Alerts, Application, Network | offending_ip | Contains offending IP that matches a network location object. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | An IP that matches a network location object. |
| Alerts, Application, Network | openid | Search events where a login has been performed by 3rd-party app using OpenID tool provide by the cloud app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | org | Search for events from a specific organization. Organization name is derived from user ID. Event Type: Application, Page, Alert. Ex: org eq ‘netskope.com’ | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | org eq ‘netskope.com’ |
| Alerts, Application, Network, Page | organization_unit | Search for events from a specific organization unit. Organization name is derived from user ID. Ex: organization_unit eq ‘netskope.com’ | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “startswith” | org eq ‘netskope.com’ |
| Page | origin | Search for events from specific log sources for log uploads. Administrators can upload the firewall logs and proxy logs to the Netskope tenant instance for passive monitoring of the traffic. Netskope log watcher can monitor the logs to detect the cloud apps that users are using. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | origin like Gateway, origin like firewall, origin like proxy |
| Alerts, Application, Network, Page | os | Search for events from a specific Operating System (OS). | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | os = Windows, os eq Mavericks or os eq iOS Search for events from Macintosh not running enterprise approved OS: device eq Macintosh and os neq Maverick |
| Alerts, Page | os_version | Search for a specific OS version. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network | owner | User who owns this object. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Application, Page | other_categories | The secondary category assigned to an application or website, it also includes any user designated categories. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | Security Risk Malware Distribution Point, All Categories, Prohibited Websites |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Page | page | Search for specific page. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Page | page_duration | Search for page duration. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | |
| Page | page_endtime | Search for page end time. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | |
| Page | page_id | Search for page ID. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | |
| Page | page_starttime | Search for page start time. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>, “gte”, “>=”, “lt”, <, “lte”, “<=” | |
| Alerts, Application, Network | parent_id | Search event for folder ID to which file has been moved or copied. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | policy | Search for policies triggered by specific policy. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | policy eq ‘Cloud storage Policy’ |
| Network | private_app_tags | Search for network events with the private app tags. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | |
| Alerts, Application, Network | privilege | Search event for user account privilege details. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Network | protocol_port | Search events for combination of ip_protocol and destination port. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | protocol_port eq TCP:80 |
| Network | publisher_cn | Search events for a specific publisher_cn. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | publisher_cn eq test_npa_publisher_cn |
| Network | publisher_name | Search events for a specific publisher_name. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | publisher_name eq test_npa_publisher |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Application, Network, Page | qos_class_name | Search for event based on qos class name. | String | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | |
| Application, Network, Page | qos_link_name | Search for event based on qos link name. | String | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | |
| Alerts, Application, Network | quarantine_action_reason | Search events for a specific action (allow/block) applied to the content based on quarantine approver (admin) decision. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | quarantine_failure | Search events for a quarantine failure during transferring the content to the app chosen for quarantining. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | quarantine_file_id | Search events for a specific file identified by a unique ID assigned by the app chosen for quarantining the file. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | quarantine_profile | Search events for a specific quarantine profile applied to the content. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | quarantine_profile = quarantine-pf1 |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | redirect_url | Search event for the URLs to which a cloud app has redirected after login when used with tools such as OAuth. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | referer | Search referer URL associated with an activity in a cloud app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | region_name | Search IaaS assets for the given region_name. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Page | req_cnt | Search events based on number of http requests over one underlying tcp connection. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | req_cnt >10 |
| Alerts | resource_category | Search events based on the resource_category like user, IAM, etc. | string | eq,=,==,neq,!=,like,~,notlike,!~ | “Compute” |
| Page | resp_cnt | Search events based on the number of HTTP responses over one underlying TCP connection. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | resp_cnt > 10 |
| Alerts, Application, Network, Page | retro_scan_name | Filter by retro scan name. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | retro_scan_name = ‘Retro_Scan_onedrive_sumoskope_20180827’, retro_scan_name eq Retro_Scan_onedrive_sumoskope_20180827′ or’Retro_Scan_box_ENG51457TEST_20180827′ |
| Alerts, Application, Network, Page | role | Search for user roles like owner, editor, etc. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | role eq Editor |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts | sa_profile_name | Search alerts based on the sa_profile_name value. | integer | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | |
| Alerts | sa_rule_name | Search alerts based on the sa_rule_name value. | integer | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | |
| Alerts | sa_rule_severity | Search for alerts triggered by specific policy, watchlist, or DLP. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in” | sa_rule_severity eq ‘Low’ |
| Alerts, Application, Network, Page | sanctioned | Checks whether the returned events are generated from applications tagged as Sanctioned. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Application, Alerts | sanctioned_instance | Search sanctioned_instance field in application and alerts. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | scan_type | Generated during retroactive scan or new ongoing activity. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network | security_issue | Search events about any security issues associated with the SAAS app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Page | serial | The device serial number from which the metric came. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Page | server_bytes | Search events based on bytes transferred from server to client. | integer | “eq”, “=”, “==”, “neq”, “!=”, “gt”, “>”, “gte”, “>=”, “lt”, “<“, “lte”, “<=” | server_bytes > 800 |
| Alerts, Application, Network | severity | Search incident severity. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | shared | File sharing attributes of relevant object. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts | shared_credential_user | Search the shared_credential_user events. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | |
| Alerts, Application, Network | shared_domains | Comma-seperated shared domains of a file. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | shared_user_hostname | Search for shared credential alert from a specific shared user hostname. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | |
| Alerts, Application, Network | shared_with | Comma-seperated shared users of a file. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | site | Search for specific site. | string | “eq”, “=”, “==”, “neq”, “!=”, “in”, “not_in” | site eq NY |
| Alerts, Application, Network | smtp_status | Search events based on the smtp_status. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | smtp_to | Search events based on the smtp_to user. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | src_ip_country | Search events from a specific source country. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | src_ip_country eq IN |
| Alerts, Application, Network, Page | srcip | Search events based on source IP. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | src_country | Search events based on source IP country. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | src_country eq IN, src_country eq US and dst_country eq US |
| Alerts, Application, Network, Page | src_location | Search events from a specific source city. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | src_location eq ‘San Francisco’ |
| Alerts, Application, Network, Page | src_region | Search events based on source IP region. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | src_country eq US and src_region eq CA |
| Alerts, Application, Network, Page | src_zipcode | Search events based on source IP zipcode. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | src_zipcode eq 94043 |
| Alerts, Application, Network, Page | src_location | Search events from a specific source city. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | src_location eq ‘San Francisco’ |
| Alerts, Application, Network, Page | src_region | Search events from a specific source state or region. | string | eq,=,==,neq,!=,like,~,notlike,!~ | src_region eq CA |
| Alerts, Application, Network, Page | src_timezone | Search events for a specific timezone. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | src_zipcode | Search for events from a specific source zipcode. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | src_zipcode eq 94043 |
| Alerts, Application, Network, Page | srcip | Search events from a specific source IP address. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | srcip eq 192.0.2.1 |
| Page | ssl_decrypt_policy | Search for traffic bypassed by Netskope due to a SSL Decrypt Policy hit. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Page | subject | Search events based on the email subject. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | tag | Search events based on video related keywords. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | team | Search for events specific to a team in slack. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | telemetry_app | Search telemetry app associated with an activity in a cloud app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts | threat_match_value | Search for threat match value (URL or domain) in malicious sites. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | domain, url, ip |
| Alerts, Application, Network, Page | timestamp | The time the event is generated. Timestamp is in Epoch Time format. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt | timestamp gt 1597449600 |
| Alerts, Application, Network | to_object | Search events for activities where the user is performing activities between two objects, like moving files between folders. This field is visible only for events which involves a user activity between two objects. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | to_object like Folder1 activity eq Edit and to_object like Folder1 |
| Alerts, Application, Network | to_user | Search events based on the destination user IDs. This field is visible only for events where a user is transacting with another user such as sharing a file, sharing a folder, etc. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | Ex: to_user like Adam Search for all the user names inside the organization with who the file was shared: app eq Dropbox and activity eq Share and to_user ~ netskope |
| Alerts, Application, Network, Page | to_user_category | search whether invited user is internal or external. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | Internal, External |
| Alerts, Application, Network | total_collaborator_count | Total number of collaborators. | integer | “eq”, “=”, “gt”, “gte”, “lt”, “lte” | |
| Alerts, Application, Network, Page | traffic_type | Search for specific traffic type. There are two types of traffic: Web and CloudApp. | string | eq,=,==,neq,!= | traffic_type eq Web |
| Alerts, Application, Network | transaction_id | Search for events with specific transaction ID. | integer | “eq”, “=”, “==”, “neq”, “!=” | transaction_id eq <ID> |
| Alerts, Application, Network | trigger | Search for events for specific activity, like Upload. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | trigger_val | Search for events for specific activity value, like File Name. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | trigger_var | Search for events for specific activity name, like File. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | trust_computer_checked | Search events where trust computer option is checked along with two factor authentication for logging into a cloud app. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network | tss_scan_failed | Search dlp_scan_failed field in application. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | tunnel_id | Search events for a specific connection ID. | string | “eq”, “=”, “==” | |
| Alerts, Application, Network | two_factor_auth | Search events where a login has been performed using two factor authentication. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | type | Search for a connection type event or an application event. Application events are triggered for user actions inside the cloud app. Application events are of type nspolicy. You can also switch between page and application events from the dropdown displayed on the Skope IT page. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | type eq connection, type eq page, type eq nspolicy |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | universal_connector | Search events about detection source. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | App Connector or Universal Connector. |
| Application, Network, Page | ur_normalized | Search events from a specific ur_normalized. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | ur_normalized eq john@abc.com |
| Alerts, Application, Network, Page | url | Search URL accessed by a user. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | url eq http://www.example.com |
| Alerts, Application, Network | Url2Activity | Search specific Skope IT events for uploaded logs. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | user | Search events for a specific user. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | user eq john@abc.com Search for user with IP address 192.0.2.1: user eq 192.0.2.1 Search for events from username that contains john for the Dropbox app: user ~ john and app eq Dropbox Search for events from user john@abc.com for the Dropbox app: user eq john@abc.com and app eq Dropbox Search for events for all users from adam to john: user from adam to john |
| Alerts, Application, Network, Page | user_category | search whether user is internal or external | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | user_category eq Internal |
| Page | user_generated | Search for events for user generated page events. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | user_password_breached | The user whose credential is compromised. Possible values are ‘yes’ or ‘no’. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network, Page | user_role | Search for user role like admin, coadmin, etc. Ex: user_role eq Admin | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | user-risk | The risk level of users (low, medium, high). | string | “eq”, “=” | |
| Alerts, Application, Page | useragent | The user agent field in HTTP request. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | usergroup | When a user group is searched, this includes every user within the group. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~”, “in”, “not_in” | usergroup eq student2.support-lab.com/Test |
| Alerts, Application, Network, Page | userip | When a user is behind a proxy, this indicates the internal IP of the user at that time. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | |
| Alerts, Application, Network, Page | userkey | Search events from a specific user/email. | string | “eq”, “=”, “==”, “neq”, “!=”, “like”, “~”, “notlike”, “!~” | userkey eq john@abc.com |
| Query | Description | Format | Operators |
|---|---|---|---|
| vpc | Search events based on vpc. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | web_url | The URL for a file which will open the file in an app. | string | “eq”, “=”, “==”, “neq”, “!=” | |
| Alerts, Application, Network | workspace | Workspace name specific to Slack Enterprise. | string | “eq”, “=”, “==”, “neq”, “!=” | This a custom name provided by the admin. For example: Netskope Corp |
