Skope IT Queries Library
This section provides the query name, description, format, and operators for Skope IT query language searches.
Query | Description | Format | Operators |
---|---|---|---|
access_method | Search for events generated from specific access methods such as Client, Secure Forwarder, Logs, Mobile profile, etc. Event Type: Application, Page, Alert Ex: access_method eq 'Client' Search events where the access method is either Add On or Secure Forwarder: access_method eq 'Add On' or access_method eq 'Secure Forwarder' For log uploads from a proxy or firewall, provide the name of the parser to search for events generated from log uploads: access_method eq proxysg-http-main | string | eq,=,==,neq,!=,like,~,notlike,!~,in |
account_id | Search IaaS collections and alerts for the given account ID. | string | eq,=,==,neq,!=,like,~,notlike,!~,in |
account_name | Search IaaS collections and alerts for the given account name. | string | eq,=,==,neq,!=,like,~,notlike,!~,in |
acked | Search for alerts that have been acknowledged or not. Ex: acked eq true/false | string | eq,=,==,neq,!=,like,~,notlike,!~ |
acl_assocation | Search events based on ACL association. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
acl_grantee | Search events based on ACL grantee. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
acl_grantee_type | Search events based on ACL grantee type. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
acl_permission | Search events based on ACL permission. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
act_user | Search for user who performed the activity, like naman@netskope.com. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
acting_role | Search events based on acting role. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
acting_user | Search incident from a specific user. Ex: acting_user eq john@abc.com | string | eq,=,==,neq,!=,like,~,notlike,!~ |
acting_user | Search events based on acting user. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
action | Search for an action taken by the user, like Block, Bypass, Alert. Event Type: Application, Alert Ex: alert eq yes and action eq block | string | eq,=,==,neq,!=,like,~,notlike,!~,exists |
action_type | Search events based on action type. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
active_since | Time stamp since when client is active. | integer | lte |
activity | Search for events or alerts for a specific user activity. The value specified for this query field is one of the activities that can occur within the cloud app and be analyzed by the Netskope analytics engine. The value is case sensitive. Ex: activity eq Create, activity eq Download or activity eq Upload, activity eq Download and object_type eq Reports and app eq Expensify | string | eq,=,==,neq,!=,like,~,notlike,!~ |
activity_status | Search for events or alerts for a specific app activity status. Ex: activity_status eq Access Denied | string | eq,=,==,neq,!=,like,~,notlike,!~ |
activity_type | Search events about activity type of app. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
aggregated_user | Search events where the user field is a network location. Ex: aggregated_user eq True | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alarm_description | This is the description of the alarm. Event type: Infrastructure Ex: alarm_description like 'last 24 hours' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alarm_name | This is the name of the alarm. Event type: Infrastructure Ex: alarm_name like 'router-log' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert | Search for events that triggered an alert due to a policy match, watchlist, or event that did not trigger an alert. Alerts are only generated when a policy or watchlist is matched. In all other scenarios, a regular event is generated. Event Type: Application, Alert Ex: alert eq yes | string | eq,=,==,neq,!= |
alert_category | Search for alerts triggered by watchlist. Ex: alert_category eq Suspicious Access | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_detection_stage | Search for alerts triggered by watchlist. Ex: alert_detection_stage eq Access | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_event_group | Search events based on Alert Event Group. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_name | Search for alerts triggered by specific policy, watchlist or DLP. Ex: alert_name eq 'Cloud storage Policy', alert_type eq policy and alert_name eq 'block uploads policy', alert_type eq watchlist and alert_name eq 'Creating file on Google drive' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_priority | Search events based on alert priority. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
alert_query | Search for alerts triggered by watchlist. Ex: alert_query eq query string | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_source | Search events based on alert source. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_stage | Search for alerts triggered by watchlist. Ex: alert_stage eq Access | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_stage | Search events based on alert stage. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_status | Search for alerts triggered by watchlist Ex: alert_status eq open | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_type | Search for alerts triggered by policy action, watchlist, quarantine, or DLP. Event Type: Application, Alert Ex: alert_type eq policy Search for alerts generated by DLP violations: alert_type eq DLP Search for alerts not generated by watchlist: alert_type neq watchlist | string | eq,=,==,neq,!=,like,~,notlike,!~ |
alert_window | Search for alerts triggered by watchlist. Ex: alert_window eq 86400000 | integer | eq,=,==,neq,!=,like,~,notlike,!~ |
allocated_storage | Search events based on allocated storage. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
app | Search events for a specific cloud app. Event Type: Application, Page, Alert Ex: app = Dropbox Search events for all apps except Box: app neq Box Search events for Box or Dropbox apps: app = Box or app = Dropbox Search events from user abc@xyz.com for the Dropbox, Box, Facebook, or Salesforce.com apps: user eq abc@xyz.com and (app eq Dropbox or app eq Box or app eq Facebook or app eq Salesforce.com) | string | eq,=,==,neq,!=,like,~,notlike,!~,in,not_in |
app_activity | Search events based on app search for application activity. Ex: Collaboration_Expiration | string | eq,=,==,neq,!=,like,~,notlike,!~ |
app_session_id | Search for events with a specific application session ID. An app session starts when a user starts using a cloud app and ends once they have been inactive for a certain period of time. Each application session has a unique application session ID. Use app_session_id to check all the user activities in a single app session. Event Type: Application, Page, Alert Ex: app_session_id eq <session ID number> | integer | eq,=,==,neq,!= |
app-cci-access-logs | Search events for apps with 'Does the app provide data access audit logs?' | string | eq,=,==,neq,!= |
app-cci-access-other-apps | Search events for apps with 'Does this application access other apps on the device?' | string | eq,=,==,neq,!= |
app-cci-action-based-auth | Search events for apps with 'Does the app enforce authorization policies on user activities?' | string | eq,=,==,neq,!= |
app-cci-allow-classify-data | Search events for apps with 'Does the app allow data classification, like public, confidential, and proprietary?' | string | eq,=,==,neq,!= |
app-cci-allow-download-data | Search events for apps with 'Is the customer data available for download upon cancellation of service?' | string | eq,=,==,neq,!= |
app-cci-allow-proxy | Search events for apps with 'Can the App Traffic be Proxied'. | string | eq,=,==,neq,!= |
app-cci-anonymous-sharing | Search events for apps with 'Does the app allow anonymous sharing of data?' | string | eq,=,==,neq,!= |
app-cci-app-hosting-location | Search events about the locations from which the hosting provider serves app data. | string | eq,=,==,neq,!= |
app-cci-app-tag | Search events for apps with 'App Type'. | string | eq,=,==,neq,!= |
app-cci-app-type | The type of the app - Consumer, Departmental, or Enterprise. | string | eq,=,==,neq,!= |
app-cci-apphosting-provider | Search events for apps with 'Which infrastructure or hosting provider is the app hosted on?' | string | eq,=,==,neq,!= |
app-cci-audit-logs | Search events for apps with 'Does the app provide admin audit logs?' | string | eq,=,==,neq,!= |
app-cci-backup-user-data | Search events for apps with 'Does the app vendor back up customer data in a separate location from the main data center?' | string | eq,=,==,neq,!= |
app-cci-cc-signup | Search events about the locations from which the hosting provider serves app data. | string | eq,=,==,neq,!= |
app-cci-compliance-cert | Search events for apps with 'What compliance certifications does the app have?' | string | eq,=,==,neq,!= |
app-cci-contacts-data | Search events for apps with 'Does this application access contacts, calendar data and messages?' | string | eq,=,==,neq,!= |
app-cci-cookies-3rd-party | Search events for apps with 'Does this application use third-party cookies?' | string | eq,=,==,neq,!= |
app-cci-data-center-cert | Search events for apps with 'To what data center standards does the app adhere?' | string | eq,=,==,neq,!= |
app-cci-data-per-tenant | Search events for apps with 'Data segregated by tenant' | string | eq,=,==,neq,!= |
app-cci-device-based-access | Search events for apps with 'Does the app support the following device types?' | string | eq,=,==,neq,!= |
app-cci-dispersed-data-center | Search events for apps with 'Does the application vendor utilize geographically dispersed data centers to serve customers?' | string | eq,=,==,neq,!= |
app-cci-encrypt-at-rest | Search events for apps with 'Does the app encrypt data-at-rest?' | string | eq,=,==,neq,!= |
app-cci-encrypt-in-transit | Search events for apps with 'Does the app encrypt data-in-transit?' | string | eq,=,==,neq,!= |
app-cci-encrypt-tenant-managed-key | Search events for apps with 'Does the app allow customer-managed encryption keys?' | string | eq,=,==,neq,!= |
app-cci-erase-cust-data | Search events for apps with 'Is all customer data erased upon cancellation of service? If so, when?' | string | eq,=,==,neq,!= |
app-cci-file-capacity | Search events for apps with 'File Sharing Capacity'. | string | eq,=,==,neq,!= |
app-cci-file-sharing | Search events for apps with 'Does the app enable file sharing? ' | string | eq,=,==,neq,!= |
app-cci-is-weak-cipher | Search events for apps with 'Does the app increase the risk of data exposure by supporting weak cipher suites?' | string | eq,=,==,neq,!= |
app-cci-multi-fact-auth | Search events for apps with 'Does the app support multi-factor authentication?' | string | eq,=,==,neq,!= |
app-cci-published-dr-plan | Search events for apps with 'Does the app vendor provide disaster recovery services?' | string | eq,=,==,neq,!= |
app-cci-recent-breach | Search events for apps with 'Has this application been recently breached (in the past year)?' | string | eq,=,==,neq,!= |
app-cci-role-based-access | Search events for apps with 'Does the app support role-based authorization?' | string | eq,=,==,neq,!= |
app-cci-secure-pass-policy | Search events for apps with 'Does the app enforce password best practices as policy?' | string | eq,=,==,neq,!= |
app-cci-securityheaders | Search events for apps with 'Which HTTP security headers does the app use?' | string | eq,=,==,neq,!= |
app-cci-sharing-personal-info-3rd-party | Search events for apps with 'Does this app share users' personal information?' Ex: name, email, address | string | eq,=,==,neq,!= |
app-cci-spf | Search events for apps with 'Does the app vendor use a Sender Policy Framework to protect customers from spam and phishing emails?' | string | eq,=,==,neq,!= |
app-cci-src-ip-enforcement | Search events for apps with 'Does the app support access control by IP address or range?' | string | eq,=,==,neq,!= |
app-cci-sso | Search events for apps with 'SSO/AD hooks.' | string | eq,=,==,neq,!= |
app-cci-status-report | Search events for apps with 'Does the app vendor provide infrastructure status reports?' | string | eq,=,==,neq,!= |
app-cci-system-operations | Search events for apps with 'Does this application perform system operations?' | string | eq,=,==,neq,!= |
app-cci-treat-classify-data | Search events for apps with 'If yes, does the app allow admins to take action on classified data?' Ex: encrypt, control access | string | eq,=,==,neq,!= |
app-cci-upgrade-notification | Search events for apps with 'Does the app vendor provide notifications to customers about upgrades and changes?' Ex: scheduled maintenance, new releases, software/hardware changes | string | eq,=,==,neq,!= |
app-cci-user-audit-logs | Search events for apps with 'Does the app provide user audit logs?' | string | eq,=,==,neq,!= |
app-cci-vuln-exploit | Search events for apps with 'Vulnerabilities & Exploits' | string | eq,=,==,neq,!= |
app-cci-weak-algorithm-keysize | Search events for apps with 'Does the app increase the risk of data exposure by supporting a weak signature algorithm or key size?' | string | eq,=,==,neq,!= |
app-cci-who-owns-data | Search events for apps with 'Who owns the data/content uploaded to the application site? Does the customer own the data or does the application vendor own the data?' | string | eq,=,==,neq,!= |
app-gdpr-level | Search based on the General Data Protection Regulation (GDPR) readiness level of the apps. The readiness levels are low, medium, and high. Event Type: Application, Page, Alert Ex: app-gdpr-level eq high | string | eq,=,==,neq,!=,like,~,notlike,!~ |
assignee | Assignee for the incident. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
attachment | This variable will hold the name of attachments that are being sent with the mail. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
audit_category | Search audit events for a specific audit category. audit_category displays the category to which the audit event belongs to. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
audit_log_event | Search events for a specific audit log event. Event Type: Audit Ex: audit_log_event eq 'Access Denied' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
audit_type | Search audit events for a specific audit type. audit_type displays the actual audit event name from the SaaS app. Event Type: Application Ex: audit_type eq internal | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
browser | Search for events from a specific browser. Event Type: Application, Page, Alert Ex: browser eq Chrome Search for events from any browser other than Chrome, Safari, and Firefox: not (browser eq Chrome or browser eq Safari or browser eq Firefox) | string | eq,=,==,neq,!=,like,~,notlike,!~ |
browser_session_id | Search for browser session ID. When there is an idle timeout of 15 minutes, the browser session ID is triggered and will timeout the session. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
browser_version | Search for specific browser version. | string | eq,=,==,neq,!= |
bypass_traffic | Search for traffic bypassed by Netskope. | string | eq,=,==,neq,!= |
bytes | Search events based on bytes. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
Query | Description | Format | Operators |
---|---|---|---|
category | Search events for category. Ex: category = 'Cloud Storage' | string | eq,=,==,neq,!=,like,~,notlike,!~,in,not_in |
cci | Search for Cloud Confidence Index (CCI) score. Event Type: Application, Page, Alert Ex: cci gt 40 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
ccl | Search for Cloud confidence level of an application. Event Type: Application, Page, Alert Ex: ccl eq poor | string | eq,=,==,neq,!=,like,~,notlike,!~ |
channel | Search for events specific to a channel in slack. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
cidr | Search events based on cidr. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
client_bytes | Search events based on bytes transferred from client to server. Event Type: Page Ex: client_bytes > 800 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
client_install_time | The time the client was installed. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
client_last_check_in_time | The time the client last checked in. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
client_version | Search for devices with a specific Netskope client version. Ex: client_version like '67' | string | eq,=,==,like,notlike |
cloud_domain | Search events based on cloud domain. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
cloud_provider | Search events based on Cloud Provider (Google Cloud Platform, Amazon Web Services). | string | eq,=,==,neq,!=,like,~,notlike,!~ |
collaborated | Exposure of file in filemeta. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
compute_disk | Search events based on compute disk. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
compute_image | Search events based on compute image. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
compute_image_location | Search events based on compute image location. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
compute_instance | Search events based on compute instance. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
compute_type | Search events based on compute type. | string | eq,=,==,neq,!=,like,~,notlike,!~,gt,>,gte,>=,lt |
conn_duration | Search events based on how long the connection was established in seconds. Ex: conn_duration > 10000 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
connection_id | Search events for a specific connection ID. Ex: connection_id eq <connection ID number> | integer | eq,=,==,neq,!= |
count | Search for activities with an event count greater than 1 to find events that were suppressed. The Netskope log watcher ensures that a minimum number of events is generated for events that occur multiple times within a short interval of time, and reports the total number of occurrences under count. Event Type: Application, Page, Alert Ex: count gt 1 and app eq 'Google Drive' | integer | eq,neq,gt,>,gte,>=,lt |
creation_time_instance | Search events based on creation_time_instance. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
data_type | Search events about content-type for Upload and Download triggers. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
database | Search events based on database. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_cluster | Search events based on db cluster. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_cluster_members | Search events based on db_cluster_members. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_encrypted | Search events based on db_encrypted. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_engine | Search events based on db engine. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_engine_license_model | Search events based on db_engine_license_model. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_engine_version | Search events based on db_engine_version. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_hosted_zone_id | Search events based on db_hosted_zone_id. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_instance_type | Search events based on db instance type. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_resource_id | Search events based on db_resource_id. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_security_group | Search events based on db_security_group. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
db_table | Search events based on db_table. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
description | Description about this event. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dest_ip | Search events based on destination IP. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dest_ip_country | Search events based on destination IP country. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dest_ip_latitude | Search events based on destination IP latitude. | float | eq,=,==,neq,!=,gt,>,gte,>=,lt |
dest_ip_location | Search events based on destination IP location. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dest_ip_longitude | Search events based on destination IP longitude. | float | eq,=,==,neq,!=,gt,>,gte,>=,lt |
dest_ip_region | Search events based on destination IP region. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dest_ip_zipcode | Search events based on destination IP zipcode. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dest_mac | Search events based on destination MAC address. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dest_port | Search events based on destination port. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
detection_engine | Search alerts for the given detection engine. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
device | Search for events from a specific device. Event Type: Application, Page, Alert Ex: device eq Windows Search for users using Dropbox from iOS device: device eq iOS and app eq Dropbox Search for events to verify if MacOS traffic is redirected through Secure Forwarder: device eq Macintosh and access_method eq 'Secure Forwarder' | string | eq,ne |
device_classification | How the device has been classified. Event Type: Application, Alert. Ex: device_classification eq managed | string | eq,=,==,neq,!=,like,~,notlike,!~ |
device_classification_status | This variable holds the device classification status. Ex: device_classification_status eq 0 Use '0' for 'managed', '1' for 'unmanaged', '2' for 'unknown', '3' for 'not configured' | integer | eq,=,== |
device_id | This variable holds the device ID. | string | eq,=,==,like,notlike |
device_name | This is the name of the device from which the metric came. | string | null |
dlp_action | Search events for a specific DLP profile. Ex: dlp_action = alert | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dlp_file | Search events for DLP violation file that matches the content. Ex: dlp_file = credit_card_data.doc | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dlp_fingerprint_classification | Search events for DLP fingerprint classification within the profile that matches the content. Ex: dlp_fingerprint_classification = Finance | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dlp_fingerprint_match | Search events for DLP fingerprint file within the profile that matches the content. Ex: dlp_fingerprint_match = finance_report.doc | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dlp_fingerprint_score | Search events for DLP fingerprint score within the profile that matches the content. Ex: dlp_fingerprint_score > 10 | integer | eq,neq,gt,>,gte,>=,lt |
dlp_incident_id | Search events for a specific dlp incident ID. Ex: dlp_incident_id eq <incident ID number> | integer | eq,=,==,neq,!= |
dlp_match_info | DLP match identifier details. | dictionary | eq,neq,in,notin |
dlp_parent_id | Search events for a specific DLP parent incident ID. Ex: dlp_parent_id eq <parent ID number> | integer | eq,=,==,neq,!= |
dlp_policy | Search events for a specific DLP policy. Ex: dlp_policy = PII-Policy | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dlp_profile | Search events for a specific DLP profile applied to the content. Event Type: Application, Alert. Ex: dlp_profile = dlp-pci Search for PCI-related DLP violations on Dropbox: app eq Dropbox and dlp_profile eq dlp-pci | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dlp_profile_name | Search events for a specific DLP profile. Ex: dlp_profile_name = dlp-pci | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dlp_rule | Search events for a DLP rule within the profile that matches the content. Event Type: Application, Alert. Ex: dlp_rule = cc_num Search for social security number-related DLP violations: dlp_rule eq 'SSN (No Delimiter)' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dlp_rule_count | Search events by the number of DLP rules that matched the content. Event Type: Application, Alert. Ex: dlp_rule_count = 10 | integer | eq,neq,gt,>,gte,>=,lt |
dlp_rule_name | Search events for a specific DLP rule. Ex: dlp_rule_name = Name-SSN | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dlp_rule_severity | Search events for a DLP rule that matches the severity level. Ex: dlp_rule_severity = high | string | eq,=,==,neq,!=,like,~,notlike,!~ |
domain | Search for specific domain. | string | eq,=,==,neq,!= |
domain_membership | Search events based on domain membership. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
download_app | Search events where data was downloaded from a specific cloud app. | string | eq,=,==,neq,!= |
dst_country | Search events for a specific destination country. Event Type: Application, Page, Alert. Ex: dst_country = US, dst_country eq RU and src_country eq US | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dst_latitude | Search events for a specific destination latitude. Event Type: Application, Page, Alert. Ex: dst_latitude > 0 | float | eq,=,gt,>,gte,>=,lt |
dst_location | Search events for a specific destination location. Event Type: Application, Page, Alert. Ex: dst_location = 'San Jose' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dst_longitude | Search events for a specific destination longitude. Event Type: Application, Page, Alert. Ex: dst_longitude > 0 | float | eq,=,gt,>,gte,>=,lt |
dst_region | Search events for a specific destination state. Event Type: Application, Page, Alert. Ex: dst_region eq GA | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dst_zipcode | Search events for a specific zip code. Event Type: Application, Page, Alert. Ex: dst_zipcode eq 94043 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dsthost | Destination host name. Event Type: Application, Page, Alert. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dstip | Search events for a specific destination IP address. Event Type: Application, Page, Alert. Ex: dstip eq 192.0.2.1 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
dstport | Search events for a specific destination port. Event Type: Application, Page, Alert. Ex: dstport = 443 | integer | eq,=,==,neq,!= |
Query | Description | Format | Operators |
---|---|---|---|
email_source | The source of the email used in finding compromised credentials. | string | eq,=,==,neq,!= |
encrypt_failure | Failure while encrypting a file | string | eq,=,==,neq,!=,like,~,notlike,!~ |
encryption_service_key | Search events based on encryption service key. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
enterprise | Enterprise name. | string | eq,=,==,neq,!= |
event_permission | Search events based on event permission. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
event_permission_granted | Search events based on event permission granted (true/false). | boolean | neq,eq,=,==,!= |
events.actor | This variable holds the actor info of the event. Ex: events.actor eq 0 Use '0' for 'User', '1' for 'Admin', '2' for 'System' | integer | eq,=,== |
events.event | This variable holds the event info. Ex: events.event eq 0 Use '0' for 'Installed', '1' for 'Tunnel Up', '2' for 'Tunnel Down', '3' for 'Tunnel down due to secure forwarder', '4' for 'Tunnel down due to config error', '5' for 'Tunnel down due to error', '6' for 'User Disabled', '7' for 'User Enabled', '8' for 'Admin Disabled', '9' for 'Admin Enabled', '10' for 'Uninstalled', '11' for 'Installation Failure', '12' for 'Tunnel down due to GRE', '13' for 'Tunnel down due to Data Plane on-premises', '14' for 'Change in network', '15' for 'System shutdown', '16' for 'System power-up' | integer | eq,=,==,like,~,notlike,!~ |
events.npa_status | This variable holds the Secure Access Tunnel Status info of the last event. Ex: last_event.npa_status eq 0 Use '0' for 'Disabled', '1' for 'Allowed', '2' for 'Enabled', '4' for 'Connected', '6' for 'Disconnected' | integer | eq,=,== |
events.status | This variable holds the status info of the event. Ex: events.status eq 0 (Use '0' for 'Disabled', '1' for 'Enabled', '2' for 'Uninstalled') | integer | eq,=,== |
events.timestamp | The time the event is generated. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
eventtype | Search events based on event type. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
exposure | Search for files with a given exposure, like external. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
external_collaborator_count | Number of external collaborators. | integer | eq,=,gt,gte,lt,lte |
Query | Description | Format | Operators |
---|---|---|---|
false_positive | Search for alerts that have been acknowledged or not. Ex: acked eq true/false | TRUE | eq,=,==,neq,!=,like,~,notlike,!~ |
file_lang | File language attribute of relevant object. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
file_password_protected | Search for events that have file_password_protected attribute set to yes. | string | eq,=,==,neq,!= |
file_path | File path attribute of relevant object. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
file_size | File size attribute of relevant object. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
file_type | File type attribute of relevant object. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
first_accessed | Search for first seen time of app. | integer | gte,lte,from,to |
from_object | Search events for activities where the user is performing activities between two objects, like moving files between folders. Event Type: Application, Alert Ex: from_object eq Folder1 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
from_user | Search events for activities based on login IDs for cloud apps. Event Type: Application, Alert Ex: from_user like john, from_user = john and activity eq Download | string | eq,=,==,neq,!=,like,~,notlike,!~ |
from_user_category | Search whether user who is inviting is external or internal. Ex: from_user_category like Internal | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
gateway | Search events from a specific gateway name or address. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
heartbeat_status | Get status. Use 0 = active, 1 = inactive | integer | eq,=,==,neq,!= |
heartbeat_status_since | Time stamp since when in heartbeat_status state. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
host_info.device_make | Search for devices from a specific make. Ex: device_make = Apple | string | eq,=,== |
host_info.device_model | Search for devices from a specific model. Ex: device_model = 'Macbook Pro' | string | eq,=,== |
host_info.hostname | Search for devices with a specific host name. | string | eq,=,==,like,notlike |
host_info.managementID | Search for devices with a specific management ID. | string | eq,=,== |
host_info.nsdeviceuid | Search for devices with a specific nsdeviceuid. | string | eq,=,== |
host_info.os | Search for events from a specific operating system. Ex: host_info.os eq 0 Use 0 for Windows, 1 for Mac, 2 for iOS, 3 for Android, 4 for Windows Server | integer | eq,=,==,neq,!=,like,~,notlike,!~ |
host_info.os_version | This variable holds the value of host OS version. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
hostname | Search for events from a specific device hostname. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
http_transaction_count | Search for http transaction count. Event Type: Alert. Ex: http_transaction_count gt 4 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
http_user_agent | Search events based on http user agent. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
iaas_asset_tags.name | Search alerts for the given iaas_asset_tags.name. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iaas_asset_tags.value | Search alerts for the given iaas_asset_tags.value. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iaas_remediated | Search alerts for existence of the iaas_remediated field. | string | eq,=,==,neq,!= |
iam_access_key | Search events based on IAM access key. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_authentication_enabled | Search events based on iam_authentication_enabled. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_group | Search events based on IAM Group. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_identity_type | Search events based on IAM identity type. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_owner | Search events based on IAM owner. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_principal | Search events based on IAM principal. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_session | Search events based on IAM session. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_session_issuer_data.accountId | Search events based on IAM session account ID. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_session_issuer_data.arn | Search events based on IAM ARN. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_session_issuer_data.principalId | Search events based on IAM session principal ID. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_session_issuer_data.type | Search events based on IAM session issuer data type. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
iam_session_mfa | Search events based on IAM session MFA. | boolean | neq,eq,=,==,!= |
iam_session_name | Search events based on IAM session name. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
id | The ID of the event. | integer | eq,=,==,neq,!=,like,~,notlike,!~ |
inactive_since | Time stamp since when the Client has been inactive. | integer | lte |
incident_id | Search file for a specific incident ID. Ex: incident_id eq <ID> | integer | eq,=,==,neq,!= |
inline_action | Search for inline action taken by the user, like Block, Bypass, Alert. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
inline_dlp_profile_name | Search events for a specific inline DLP profile. Ex: inline_dlp_profile_name = dlp-pci | string | eq,=,==,neq,!=,like,~,notlike,!~ |
inline_dlp_rule_name | Search events for a specific inline dlp rule. Ex: inline_dlp_rule_name = Name-SSN | string | eq,=,==,neq,!=,like,~,notlike,!~ |
inline_policy | Search for inline policies triggered by a specific policy. Ex: inline_policy eq 'Cloud storage Policy' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
instance_id | Search events based on the instance of the app. Some cloud apps have multiple instances of the app active at the same time. For example, enterprise Salesforce.com instance for an organization. This query field is to query events for a specific instance ID. Event Type: Application, Alert. Ex for Salesforce: app eq Salesforce.com and instance_id eq <instance-id> | string | eq,=,==,neq,!=,like,~,notlike,!~ |
instance_name | Search events based on the name of instance of the app. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
instance_type | Search events based on the instance type of the app. Ex: for creating a Server, instance_type = Server | string | eq,=,==,neq,!=,like,~,notlike,!~ |
internal_collaborator_count | Number of internal collaborators. | integer | eq,=,gt,gte,lt,lte |
internet_gateway | Search events based on internet gateway. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
ip_allocation | Search events based on IP allocation. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
ip_association | Search events based on IP association. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
ip_forwarding | Search events based on IP forwarding. | boolean | neq,eq,=,==,!= |
Query | Description | Format | Operators |
---|---|---|---|
justification_reason | Search user justification reason for policy violation action. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
justification_type | Search user justification for policy violation action. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
last_app | The last app seen used by this user for this anomaly type prior to the generation of this anomaly | string | eq,=,==,neq,!=,like,~,notlike,!~ |
last_country | The last country this user was seen in prior to the generation of this anomaly. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
last_device | The last device used prior to the generation of this anomaly. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
last_event_timestamp | The time the last event is generated. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
last_event.actor | This variable holds actor info of last event. Ex: last_event.actor eq 0 Use '0' for User, '1' for Admin, '2' for System | integer | eq,=,== |
last_event.event | This variable holds last event. Ex: last_event.event eq 0 Use '0' for Installed, '1' for Tunnel Up, '2' for Tunnel Down, '3' for Tunnel down due to secure forwarder, '4' for Tunnel down due to config error, '5' for Tunnel down due to error, '6' for User Disabled, '7' for User Enabled, '8' for Admin Disabled, '9' for Admin Enabled, '10' for Uninstalled, '11' for Installation Failure, '12' for Tunnel down due to GRE, '13' for Tunnel down due to Data Plane on-premises, '14' for Change in network, '15' for System shutdown, '16' for System power-up | integer | eq,=,==,like,~,notlike,!~ |
last_event.npa_status | This variable holds the Secure Access Tunnel Status info of last event. Ex: last_event.npa_status eq 0 Use '0' for Disabled, '1' for Allowed, '2' for Enabled, '4' for Connected, '6' for Disconnected | integer | eq,=,== |
last_event.status | This variable holds status info of last event. Ex: last_event.status eq 0 Use '0' for Disabled, '1' for Enabled, '2' for Uninstalled | integer | eq,=,== |
last_event.timestamp | The time the last event was generated. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
last_location | The last location this user was seen in prior to the generation of this anomaly. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
last_region | The last region this user was seen in prior to the generation of this anomaly. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
last_timestamp | The timestamp corresponding to the user's last non-anomalous activity prior to the generation of this anomaly. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
latency_max | Search events based on the max latency values from proxy to app in milliseconds. Event Type: Page. Ex: latency_max > 200, app = 'Salesforce.com' and src_country != US and latency_max gt 500 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
latency_min | Search events based on the min latency values from proxy to app in milliseconds. Event Type: Page Ex: latency_min > 200 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
latency_total | Search events based on the total latency values from proxy to app in milliseconds. Event Type: Page. Ex: latency_total gt 200 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
lh_fileid | Search events for a specific file identified by a unique ID assigned by the app chosen for copying the file for legalhold. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
local_md5 | MD5 checksum of relevant object. | string | eq,=,==,neq,!= |
log_file_name | The file name of the log. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
malsite_id | This variable holds hash of malsite URL. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
malware_id | This variable holds value for malware ID. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
malware_name | This variable holds value for malware name. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
malware_severity | This variable holds value for malware severity. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
malware_type | This variable holds value for malware type. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
managed_app | App managed by Netskope. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
managementID | Search events for a specific device management ID. | string | eq,=,==,neq,!= |
matched_username | The email address that was compromised. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
md5 | MD5 checksum of relevant object. | string | eq,=,==,neq,!= |
metric_name | Indicates the name of the metric (Storage-1a, Auth_proxy_status, etc.) | string | eq,=,==,neq,!=,like,~,notlike,!~ |
metric_type | Indicates the type of the metric (boolean, gauge, counts, etc) | string | eq,=,==,neq,!=,like,~,notlike,!~ |
mime_type | Mimetype attribute of relevant object. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
modified | Modification time of relevant object. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
module | The module that generates the event. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
monitoring_interval | Search events based on monitoring interval. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
multi_zone_support | Search events based on multi_zone_support. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
network | Search events based on network. Event Type: Page. Ex: network eq NET24:172.16.168.0 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
nsdeviceuid | Search events for a specific nsdeviceuid. | string | eq,=,==,neq,!= |
numbytes | Search for total number of bytes that transmitted for the connection. Ex: numbytes > 100 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
Query | Description | Format | Operators |
---|---|---|---|
oauth | Search events where a login has been performed by 3rd party app using OAuth tool provided by the cloud app. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
obj_status | Search events for a specific obj_status field. Ex: obj_status != deleted | string | eq,=,==,neq,!=,like,~,notlike,!~ |
object | Search events for a specific object name. Object name displays the actual filename, folder name, report name, document name, etc. Event Type: Alert. Ex: object like xls Search for users sharing excel files and this will display the individual file names under this object: activity eq Share and object_type eq File and object ~ xls Search for users downloading medical records: activity eq Download and object ~ 'Medical Record' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
object_count | This variable holds the value of number of objects on which operation is performed. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
object_id | Search events for a specific object id such as activity specific value, etc. Event Type: Alert. Ex: object_id = f_12787234 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
object_type | Search events for a specific object type such as file, folder, report, document, message, etc. Event Type: Alert Ex: object_type eq file Search for all the files that are shared by users and also the file names of the file: activity eq share and object_type eq File Search for all the downloads from Salesforce.com of type file. This will also show the file names: app eq Salesforce.com and activity eq Download and object_type eq File Search for users who accessed file on GitHub. This will also show the file names: app eq GitHub and activity eq View and object_type eq File | string | eq,=,==,neq,!=,like,~,notlike,!~ |
offending_entry | Contains offending snippet from traffic. Ex: email that matches a constraints profile | string | eq,=,==,neq,!=,like,~,notlike,!~ |
offending_ip | Contains offending IP that matches a network location object. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
openid | Search events where a login has been performed by a 3rd-party app using the OpenID tool provided by the cloud app. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
org | Search for events from a specific organization. Organization name is derived from user ID. Event Type: Application, Page, Alert. Ex: org eq 'netskope.com' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
organization_unit | Search for events from a specific organization unit. Organization name is derived from user ID. Ex: organization_unit eq 'netskope.com' | string | eq,=,==,neq,!=,like,~,notlike,!~,startswith |
origin | Search for events from specific log sources for log uploads. Administrators can upload the firewall logs and proxy logs to the Netskope tenant instance for passive monitoring of the traffic. Netskope log watcher can monitor the logs to detect the cloud apps that users are using. Event Type: Page Ex: origin like Gateway, origin like firewall, origin like proxy | string | eq,=,==,neq,!=,like,~,notlike,!~ |
os | Search for events from a specific Operating System (OS). Event Type: Application, Page, Alert. Ex: os = Windows, os eq Mavericks or os eq iOS Search for events from Macintosh not running enterprise approved OS: device eq Macintosh and os neq Maverick | string | eq,=,==,neq,!=,like,~,notlike,!~ |
os_version | Search for a specific OS version. | string | eq,=,==,neq,!= |
owner | User who owns this object. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
packets | Search events based on number of packets. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
page | Search for specific page. | string | eq,=,==,neq,!= |
page_duration | Search for page duration. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
page_endtime | Search for page end time. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
page_id | Search for page ID. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
page_starttime | Search for page start time. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
parent_id | Search event for folder ID to which file has been moved or copied. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
pathId | Search file for a specific file ID. Ex: pathId eq <ID> | string | eq,=,==,neq,!= |
policy | Search for policies triggered by specific policy Ex: policy eq 'Cloud storage Policy' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
policy_action | Search events based on policy action. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
policy_resource_id | Search events based on policy resource ID. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
policy_string | Search events based on Policy. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
port | Search events based on port. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
port_range_end | Search events based on port_range_end. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
port_range_start | Search events based on port_range_start. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
privilege | Search event for user account privilege details. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
protocol | Search events based on protocol. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
public_access | Search events based on public_access. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
quarantine_action_reason | Search events for a specific action (allow/block) applied to the content based on quarantine approver (admin) decision. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
quarantine_failure | Search events for a quarantine failure during transferring the content to the app chosen for quarantining. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
quarantine_file_id | Search events for a specific file identified by a unique ID assigned by the app chosen for quarantining the file. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
quarantine_profile | Search events for a specific quarantine profile applied to the content. Ex: quarantine_profile = quarantine-pf1 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
redirect_url | Search event for the URLs to which a cloud app has redirected after login when used with tools such as OAuth. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
referer | Search referer URL associated with an activity in a cloud app. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
region | Search events based on region. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
region_id | Search events based on region ID. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
region_name | Search IaaS assets for the given region_name. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
region_name | Search events based on Region Name. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
req_cnt | Search events based on number of http requests over one underlying tcp connection. Ex: req_cnt > 10 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
resource_category | Search events based on the resource_category like user, IAM, etc. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
resource_label | Search events based on resource label. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
resource_label_account | Search events based on account label. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
resource_label_network_security_group | Search events based on network security group label. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
resource_label_policy | Search events based on policy label. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
resource_label_subnet | Search events based on subnet. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
resource_type | Search events based on resource type. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
resp_cnt | Search events based on the number of HTTP responses over one underlying TCP connection. Ex: resp_cnt > 10 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
retention_period_backup | Search events based on retention_period_backup. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
retro_scan_name | Filter by retro scan name. Event Type: Application, Alert. Ex: retro_scan_name = 'Retro_Scan_onedrive_sumoskope_20180827', retro_scan_name eq 'Retro_Scan_onedrive_sumoskope_20180827' or 'Retro_Scan_box_ENG51457TEST_20180827' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
role | Search for user roles like owner, editor, etc. Ex: role eq Editor | string | eq,=,==,neq,!=,like,~,notlike,!~ |
role_create_date | Filter events based on role creation date. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
role_id | Search events based on Role ID. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
rule_number | Search events based on rule number. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
sa_profile_name | Search alerts based on the sa_profile_name value. | integer | eq,=,==,neq,!=,like,~,notlike,!~,gt,>,gte,>=,lt |
sa_rule_name | Search alerts based on the sa_rule_name value. | integer | eq,=,==,neq,!=,like,~,notlike,!~,gt,>,gte,>=,lt |
sa_rule_severity | Search for alerts triggered by specific policy, watchlist, or DLP. Ex: sa_rule_severity eq 'Low' | string | eq,=,==,neq,!=,like,~,notlike,!~,in |
scan_type | Generated during retroactive scan or new ongoing activity. | string | eq,=,==,neq,!= |
security_issue | Search events about any security issues associated with the SAAS app. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
serial | The device serial number from which the metric came. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
server_bytes | Search events based on bytes transferred from server to client. Event Type: Page. Ex: server_bytes > 800 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
service_invoking_event | Search events based on service invoking event. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
severity | Search incident severity. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
severity_level | Search events for a specific severity level. The enumerations match the syslog format, though not all levels are in use (only 1, 2, 4 and 6 are used). Event Type: Audit. Ex: severity_level eq 1 | integer | eq,=,==,neq,!=,like,~,notlike,!~ |
shared | File sharing attributes of relevant object. | string | eq,=,==,neq,!= |
shared_domains | Comma-separated shared domains of a file. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
shared_with | Comma-separated shared users of a file. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
sharedType | Exposure of file in filemeta. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
site | Search for specific site. Event Type: Alert. Ex: site eq NY | string | eq,=,==,neq,!=,in,not_in |
src_account | Search events based on source account. Event Type: Application, Page, Alert. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_country | Search events from a specific source country. Event Type: Application, Page, Alert. Ex: src_country eq IN, src_country eq US and dst_country eq US | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_host | Search events based on source host. Event Type: Application, Page, Alert. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_ip | Search events based on source IP. Event Type: Application, Page, Alert. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_ip_country | Search events based on source IP country. Event Type: Application, Page, Alert. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_ip_latitude | Search events based on source IP latitude. Event Type: Application, Page, Alert. Ex: src_latitude > 0 | float | eq,=,==,neq,!=,gt,>,gte,>=,lt |
src_ip_location | Search events based on source IP location. The search option presents the narrowed down list of options as you type in the name. Event Type: Application, Page, Alert. src_country eq US and src_location eq 'Mountain View' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_ip_longitude | Search events based on source IP longitude. Event Type: Application, Page, Alert. Ex: src_longitude > 0 | float | eq,=,==,neq,!=,gt,>,gte,>=,lt |
src_ip_region | Search events based on source IP region. Event Type: Application, Page, Alert. Ex: src_country eq US and src_region eq CA | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_ip_zipcode | Search events based on source IP zipcode. Event Type: Application, Page, Alert. Ex: src_zipcode eq 94043 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_location | Search events from a specific source city. Event Type: Application, Page, Alert. Ex: src_location eq 'San Francisco' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_port | Search events based on source port. Event Type: Application, Page, Alert. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
src_region | Search events from a specific source state or region. Event Type: Application, Page, Alert. Ex: src_region eq CA | string | eq,=,==,neq,!=,like,~,notlike,!~ |
src_timezone | Search events for a specific timezone. Event Type: Application, Page, Alert. | string | eq,=,==,neq,!= |
src_zipcode | Search for events from a specific source zipcode. Event Type: Application, Page, Alert. Ex: src_zipcode eq 94043 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
srcip | Search events from a specific source IP address. Event Type: Application, Page, Alert. Ex: srcip eq 192.0.2.1 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
ssl_decrypt_policy | Search for traffic bypassed by Netskope due to an SSL Decrypt Policy hit. | string | eq,=,==,neq,!= |
status | Status of the event, like new, in-progress, or closed. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
storage_service_bucket | Search events based on storage service bucket. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
storage_service_object | Search events based on storage service object. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
storage_type | Search events based on storage type. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
subnet | Search events based on subnet. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
tag | Search events based on video related keywords. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
team | Search for events specific to a team in slack. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
telemetry_app | Search telemetry app associated with an activity in a cloud app. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
threat_match_value | Search for threat match value (URL or domain) in malicious sites. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
timer_metric_value | Represents a timer metric value. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
timestamp | The time the event is generated. Timestamp is in Epoch Time format. Event Type: Application, Page, Audit, Infrastructure, Alert. Ex: timestamp gt 1597449600 | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
title | Name of the file in filemeta. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
to_object | Search events for activities where the user is performing activities between two objects, like moving files between folders. This field is visible only for events which involves a user activity between two objects. Event Type: Application, Alert. Ex: to_object like Folder1, activity eq Edit and to_object like Folder1 | string | eq,=,==,neq,!=,like,~,notlike,!~ |
to_user | Search events based on the destination user IDs. This field is visible only for events where a user is transacting with another user such as sharing a file, sharing a folder, etc. Event Type: Application, Alert. Ex: to_user like Adam Search for all the user names inside the organization with who the file was shared: app eq Dropbox and activity eq Share and to_user ~ netskope | string | eq,=,==,neq,!=,like,~,notlike,!~ |
to_user_category | Search whether the invited user is internal or external. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
total_collaborator_count | Total number of collaborators. | integer | eq,=,gt,gte,lt,lte |
traffic_type | Search for specific traffic type. There are two types of traffic: Web and CloudApp. Event Type: Alert. Ex: traffic_type eq Web | string | eq,=,==,neq,!= |
transaction_id | Search for events with specific transaction ID. Ex: transaction_id eq <ID> | integer | eq,=,==,neq,!= |
trigger | Search for events for specific activity, like Upload. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
trigger_val | Search for events for specific activity value, like File Name. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
trigger_var | Search for events for specific activity name, like File. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
trust_computer_checked | Search events where trust computer option is checked along with two factor authentication for logging into a cloud app. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
tunnel_id | Search events for a specific connection ID. | string | eq,=,== |
two_factor_auth | Search events where a login has been performed using two factor authentication. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
type | Search for a connection type event or an application event. Application events are triggered for user actions inside the cloud app. Application events are of type nspolicy. You can also switch between page and application events from the dropdown displayed on the Skope IT page. Event Type: Application, Page, Audit, Alert. Ex: type eq connection, type eq page, type eq nspolicy | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
universal_connector | Search events about detection source, like App Connector or Universal Connector. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
ur_normalized | Search events from a specific ur_normalized. Ex: ur_normalized eq john@abc.com | string | eq,=,==,neq,!=,like,~,notlike,!~,in,not_in |
url | Search URL accessed by a user. Event Type: Alert. Ex: url eq http://www.example.com | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Url2Activity | Search specific Skope IT events for uploaded logs. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
user | Search events for a specific user. Event Type: Application, Page, Audit, Alert. Ex: user eq john@abc.com Search for user with IP address 192.0.2.1: user eq 192.0.2.1 Search for events from username that contains john for the Dropbox app: user ~ john and app eq Dropbox Search for events from user john@abc.com for the Dropbox app: user eq john@abc.com and app eq Dropbox Search for events for all users from adam to john: user from adam to john | string | eq,=,==,neq,!=,like,~,notlike,!~,in,not_in |
user_added_time | The time the user is added. | integer | eq,=,==,neq,!=,gt,>,gte,>=,lt |
user_category | Search whether the user is internal or external. Ex: user_category eq Internal | string | eq,=,==,neq,!=,like,~,notlike,!~ |
user_full | Search events based on user_full. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
user_generated | Search for events for user generated page events. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
user_groups | When a user group is searched, this includes every user within the group. Ex: user_groups eq 'local_group' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
user_info.last_event.npa_status | This variable holds the Secure Access Tunnel Status info of last event. Ex: last_event.npa_status eq 0 Use '0' for Disabled, '1' for Allowed, '2' for Enabled, '4' for Connected, '6' for Disconnected | integer | eq,=,== |
user_password_breached | The user whose credential is compromised. Possible values are 'yes' or 'no'. | string | eq,=,==,neq,!= |
user_resource_id | Search events based on user resource ID. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
user_role | Search for user role like admin, coadmin, etc. Ex: user_role eq Admin | string | eq,=,==,neq,!=,like,~,notlike,!~ |
user_source | User source info, like directory or local. | integer | eq,=,==,neq,!= |
useragent | The user agent field in HTTP request. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
usergroup | When a user group is searched, this includes every user within the group. Event Type: Application, Page, Alert. Ex: usergroup eq student2.support-lab.com/Test | string | eq,=,==,neq,!=,like,~,notlike,!~,in,not_in |
userip | When a user is behind a proxy, this indicates the internal IP of the user at that time. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
userkey | Search events from a specific user/email. Event Type: Application, Page. Ex: userkey eq john@abc.com | string | eq,=,==,neq,!=,like,~,notlike,!~ |
username | Search events with AD info, like username. Ex: username like 'John' | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
vpc | Search events based on vpc. | string | eq,=,==,neq,!=,like,~,notlike,!~ |
Query | Description | Format | Operators |
---|---|---|---|
web_url | The URL for a file which will open the file in an app. | string | eq,=,==,neq,!= |
workspace | Workspace name. | string | eq,=,==,neq,!= |