Skope IT Queries Library

This section lists the query name, description, format, operators, and sample values for Skope IT query language searches, grouped by the first letter of the query name.

A

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts, Application, Network, Page | access_method | Search for events generated from specific access methods such as Client, Secure Forwarder, Logs, and Mobile profile. For log uploads from a proxy or firewall, give the name of the parser. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in | access_method eq 'Client'; access_method eq 'Add On' or access_method eq 'Secure Forwarder'; access_method eq proxysg-http-main (events generated from log uploads)
Alerts | account_id | Search IaaS collections and alerts for the given account ID. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in | account_id eq a776ab3b-0d9d-401e-a31d-2f478a4cd2cb
Alerts | account_name | Search IaaS collections and alerts for the given account name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in | account_name eq iaas-azure-dev
Alerts | acked | Search for alerts that have or have not been acknowledged. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | acked eq true; acked eq false
Alerts, Application, Network, Page | act_user | Search for the user who performed an activity. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | act_user eq jamesgreen@netskope.com
Alerts, Application, Network, Page | action | Search for the policy action applied to the event, like Block, Bypass, or Alert. Isolate is unique to Page events and is only available if RBI is deployed. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | alert eq yes and action eq block
Alerts, Application, Network | activity | Search for events or alerts for a specific user activity. The value is one of the activities that can occur within the cloud app and that the Netskope analytics engine recognizes. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in | activity eq Create; activity eq Download or activity eq Upload; activity eq Download and object_type eq Reports and app eq Expensify
Alerts, Application, Network | activity_status | Search for events or alerts with a specific app activity status. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | activity_status eq 'Access Denied'
Alerts, Application, Network | activity_type | Search events by the activity type of the app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | activity_type eq Admin
Alerts, Application, Network, Page | aggregated_user | Search events where the user field is a network location. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | aggregated_user eq True
Alerts, Application, Network | alert | Search for events that triggered an alert (policy match or watchlist) or for events that did not. Alerts are only generated when a policy or watchlist is matched; in all other cases a regular event is generated. | string | eq, =, ==, neq, != | alert eq yes
Alerts | alert_category | Search watchlist-triggered alerts by category. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | alert_category eq 'Suspicious Access'
Alerts | alert_detection_stage | Search watchlist-triggered alerts by detection stage. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | alert_detection_stage eq Access
Alerts | alert_id | The alert ID of the alert data. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | alert_name | Search for alerts triggered by a specific policy, watchlist, or DLP profile. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | alert_name eq 'Cloud storage Policy'; alert_type eq policy and alert_name eq 'block uploads policy'; alert_type eq watchlist and alert_name eq 'Creating file on Google drive'
Alerts | alert_query | Search watchlist-triggered alerts by the watchlist query. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | alert_query eq <query string>
Alerts | alert_stage | Search watchlist-triggered alerts by stage. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | alert_stage eq Access
Alerts | alert_status | Search watchlist-triggered alerts by status. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | alert_status eq open
Alerts, Application, Network | alert_type | Search for alerts by what triggered them: a policy action, a watchlist, quarantine, or DLP. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | alert_type eq policy; alert_type eq DLP (alerts generated by DLP violations); alert_type neq watchlist (alerts not generated by a watchlist); alert_type eq 'Compromised Credential'; alert_type in ['Tombstone Failed']
Alerts | alert_window | Search watchlist-triggered alerts by alert window. | integer | eq, =, ==, neq, !=, like, ~, notlike, !~ | alert_window eq 86400000
Alerts, Application, Page | app | Search events for a specific cloud app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | app = Dropbox; app neq Box (all apps except Box); app = Box or app = Dropbox; user eq abc@xyz.com and (app eq Dropbox or app eq Box or app eq Facebook or app eq Salesforce.com)
Alerts, Application, Network, Page | app_activity | Search events by the app's own name for the activity. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | SearchQueryPerformed, FileDeleted, FileAccessedExtended, GroupAdded, FileSyncUploadedFull, UserLoginFailed, FileAccessed
Alerts, Application, Page | app_session_id | Search for events with a specific application session ID. An app session starts when a user starts using a cloud app and ends once they have been inactive for a certain period of time; each app session has a unique ID, so app_session_id returns all of the user's activities in a single app session. | integer | eq, =, ==, neq, != | app_session_id eq <session ID number>
Alerts, Application, Network, Page | app-cci-access-logs | CCI attribute: Does the app provide data access audit logs? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-access-other-apps | CCI attribute: Does this application access other apps on the device? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-action-based-auth | CCI attribute: Does the app enforce authorization policies on user activities? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-allow-classify-data | CCI attribute: Does the app allow data classification, like public, confidential, and proprietary? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-allow-download-data | CCI attribute: Is the customer data available for download upon cancellation of service? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-allow-proxy | CCI attribute: Can the app traffic be proxied? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-anonymous-sharing | CCI attribute: Does the app allow anonymous sharing of data? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-app-hosting-location | CCI attribute: the locations from which the hosting provider serves app data. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-app-tag | CCI attribute: App Type. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-app-type | The type of the app: Consumer, Departmental, or Enterprise. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-apphosting-provider | CCI attribute: Which infrastructure or hosting provider is the app hosted on? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-audit-logs | CCI attribute: Does the app provide admin audit logs? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-backup-user-data | CCI attribute: Does the app vendor back up customer data in a separate location from the main data center? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-cc-signup | Search events for apps by the cc-signup CCI attribute. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-compliance-cert | CCI attribute: What compliance certifications does the app have? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-contacts-data | CCI attribute: Does this application access contacts, calendar data, and messages? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-cookies-3rd-party | CCI attribute: Does this application use third-party cookies? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-data-center-cert | CCI attribute: To what data center standards does the app adhere? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-data-per-tenant | CCI attribute: Data segregated by tenant. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-device-based-access | CCI attribute: Does the app support the following device types? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-dispersed-data-center | CCI attribute: Does the application vendor utilize geographically dispersed data centers to serve customers? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-encrypt-at-rest | CCI attribute: Does the app encrypt data-at-rest? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-encrypt-in-transit | CCI attribute: Does the app encrypt data-in-transit? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-encrypt-tenant-managed-key | CCI attribute: Does the app allow customer-managed encryption keys? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-erase-cust-data | CCI attribute: Is all customer data erased upon cancellation of service? If so, when? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-file-capacity | CCI attribute: File Sharing Capacity. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-file-sharing | CCI attribute: Does the app enable file sharing? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-is-weak-cipher | CCI attribute: Does the app increase the risk of data exposure by supporting weak cipher suites? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-multi-fact-auth | CCI attribute: Does the app support multi-factor authentication? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-published-dr-plan | CCI attribute: Does the app vendor provide disaster recovery services? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-recent-breach | CCI attribute: Has this application been recently breached (in the past year)? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-role-based-access | CCI attribute: Does the app support role-based authorization? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-secure-pass-policy | CCI attribute: Does the app enforce password best practices as policy? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-securityheaders | CCI attribute: Which HTTP security headers does the app use? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-sharing-personal-info-3rd-party | CCI attribute: Does this app share users' personal information (for example name, email, address)? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-spf | CCI attribute: Does the app vendor use a Sender Policy Framework to protect customers from spam and phishing emails? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-src-ip-enforcement | CCI attribute: Does the app support access control by IP address or range? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-sso | CCI attribute: SSO/AD hooks. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-status-report | CCI attribute: Does the app vendor provide infrastructure status reports? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-system-operations | CCI attribute: Does this application perform system operations? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-treat-classify-data | CCI attribute: If yes, does the app allow admins to take action on classified data (for example encrypt, control access)? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-upgrade-notification | CCI attribute: Does the app vendor provide notifications to customers about upgrades and changes (for example scheduled maintenance, new releases, software/hardware changes)? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-user-audit-logs | CCI attribute: Does the app provide user audit logs? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-vuln-exploit | CCI attribute: Vulnerabilities & Exploits. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-weak-algorithm-keysize | CCI attribute: Does the app increase the risk of data exposure by supporting a weak signature algorithm or key size? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-cci-who-owns-data | CCI attribute: Who owns the data/content uploaded to the application site, the customer or the application vendor? | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | app-gdpr-level | Search by the General Data Protection Regulation (GDPR) readiness level of the app: low, medium, or high. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | app-gdpr-level eq high
Alerts, Application, Network, Page | app-risk | The risk level of the app: low, medium, or high. | string | eq, = |
Alerts, Application | appsuite | Search the appsuite field in application events and alerts. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | attachment | The names of the attachments sent with the mail. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | audit_category | Search audit events for a specific audit category (the category the audit event belongs to). | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | audit_type | Search audit events for a specific audit type (the audit event name as reported by the SaaS app). | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | audit_type eq internal
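
The app_session_id entry above describes sessions that open on a user's first activity in an app and close after a period of inactivity, with one ID per session. The block below is an added example, not Netskope's code, of how such IDs can be assigned to a stream of (user, app, timestamp, activity) records so that a query like app_session_id eq <session ID number> groups one user's activities in one app. The 15-minute idle threshold and the sample records are constructed for the example; the page gives no figure for the app-session timeout.

```python
from datetime import datetime, timedelta
from itertools import count

# Assumed idle threshold; the page says app sessions end after "a certain period" without naming it.
IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed sample activity (not Netskope data): (user, app, ISO timestamp, activity).
SAMPLE_ACTIVITY = [
    ("abc@xyz.com", "Dropbox", "2024-03-01T09:00:00", "Login Successful"),
    ("abc@xyz.com", "Dropbox", "2024-03-01T09:04:00", "Upload"),
    ("abc@xyz.com", "Box", "2024-03-01T09:05:00", "Download"),
    ("abc@xyz.com", "Dropbox", "2024-03-01T09:30:00", "Download"),   # 26 min idle: new session
    ("jdoe@xyz.com", "Dropbox", "2024-03-01T09:31:00", "Upload"),
    ("abc@xyz.com", "Dropbox", "2024-03-01T09:40:00", "Delete"),
]


def assign_app_sessions(activity, idle_timeout=IDLE_TIMEOUT):
    """Label each record with an app_session_id.

    A session is scoped to one (user, app) pair and is closed when the gap to the
    previous record for that pair exceeds idle_timeout; the next record opens a new one.
    """
    next_id = count(1)
    open_sessions = {}                        # (user, app) -> (session_id, last_seen)
    labelled = []
    for user, app, stamp, action in sorted(activity, key=lambda e: e[2]):
        seen = datetime.fromisoformat(stamp)
        session_id, last_seen = open_sessions.get((user, app), (None, None))
        if session_id is None or seen - last_seen > idle_timeout:
            session_id = next(next_id)
        open_sessions[(user, app)] = (session_id, seen)
        labelled.append({"user": user, "app": app, "timestamp": stamp,
                         "activity": action, "app_session_id": session_id})
    return labelled


def activities_in_session(activity, session_id):
    """Same selection as the query app_session_id eq <session ID number> over the labelled records."""
    return [e["activity"] for e in assign_app_sessions(activity)
            if e["app_session_id"] == session_id]
```

With the sample records, the user's Dropbox activity at 09:30 is 26 minutes after the previous Dropbox record, so it starts a new session even though the same user was active in Box in between: sessions are per app, not per user, which is why activities_in_session(SAMPLE_ACTIVITY, 1) returns only the two early Dropbox actions.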

B

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts, Application, Network | bcc | Search events by the user IDs in the bcc field. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network, Page | browser | Search for events from a specific browser. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | browser eq Chrome; not (browser eq Chrome or browser eq Safari or browser eq Firefox) (events from any browser other than Chrome, Safari, and Firefox)
Alerts, Page | browser_session_id | Search by browser session ID. A browser session is timed out after 15 minutes of idle time. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= |
Alerts, Page | browser_version | Search for a specific browser version. | string | eq, =, ==, neq, != |
Page | bypass_traffic | Search for traffic bypassed by Netskope. | string | eq, =, ==, neq, != |
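
The entries on this page show the query grammar only by example: comparisons of the form field operator value, single quotes around values that contain spaces, a bracketed list for in and not_in, and combinations with and, or, not and parentheses (see the app and browser entries). The block below is an added example, not part of the Netskope documentation or product, of a small parser and evaluator for that grammar, run over constructed sample events that use field names from this page. It assumes that and binds tighter than or, that string comparison is case-insensitive, that like is a substring match, and that a field absent from an event satisfies only the negative operators; those are choices made for the example, not documented Skope IT behaviour.

```python
import re
# Every operator spelling listed in the entries on this page, mapped to one canonical name.
OPS = {"eq": "eq", "=": "eq", "==": "eq", "neq": "neq", "!=": "neq", "like": "like", "~": "like",
       "notlike": "notlike", "!~": "notlike", "in": "in", "not_in": "not_in", "gt": "gt", ">": "gt",
       "gte": "gte", ">=": "gte", "lt": "lt", "<": "lt", "lte": "lte", "<=": "lte"}
# Tokens: punctuation, single-quoted value (may contain spaces), symbolic operator, or bare word.
_TOKEN_RE = re.compile(r"(?P<punct>[()\[\],])|'(?P<quoted>[^']*)'"
                       r"|(?P<symop>==|!=|!~|>=|<=|[=~<>])|(?P<word>[^\s()\[\],']+)")

def tokenize(query):
    query = query.replace("\u2018", "'").replace("\u2019", "'")  # curly quotes from copied docs
    if _TOKEN_RE.sub("", query).strip():                         # only whitespace may be left over
        raise ValueError("unterminated quote or stray character in query")
    return [(m.lastgroup, m.group(m.lastgroup)) for m in _TOKEN_RE.finditer(query)]

class _Parser:
    # expr := term ('or' term)*      term := factor ('and' factor)*
    # factor := 'not' factor | '(' expr ')' | field op value | field in|not_in '[' value, ... ']'
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, *kinds, text=None):            # consume one token, checking kind and/or text
        tok = self.peek()
        if tok[0] is None or (kinds and tok[0] not in kinds) or (text and tok[1] != text):
            raise ValueError(f"expected {text or kinds or 'a token'}, got {tok}")
        self.i += 1
        return tok
    def chain(self, kw, sub):                     # left-associative 'and' / 'or' chain
        node = sub()
        while self.peek() == ("word", kw):        # keywords are lowercase, as in the examples
            self.take()
            node = (kw, node, sub())
        return node
    def expr(self):
        return self.chain("or", lambda: self.chain("and", self.factor))
    def factor(self):
        if self.peek() == ("word", "not"):
            self.take()
            return ("not", self.factor())
        if self.peek() == ("punct", "("):
            self.take()
            node, _ = self.expr(), self.take("punct", text=")")   # parse body, then require ')'
            return node
        field = self.take("word")[1]
        kind, text = self.take()
        op = OPS.get(text.lower()) if kind in ("symop", "word") else None
        if op is None: raise ValueError(f"unknown operator {text!r} after field {field!r}")
        if op not in ("in", "not_in"):
            return ("cmp", field, op, self.take("word", "quoted")[1])
        self.take("punct", text="[")              # list literal: [v1, 'v two', ...]
        items = [self.take("word", "quoted")[1]]
        while self.peek() == ("punct", ","):
            self.take()
            items.append(self.take("word", "quoted")[1])
        self.take("punct", text="]")
        return ("cmp", field, op, items)

def _num(text):                                   # numeric only for plain integers and decimals
    return float(text) if re.fullmatch(r"-?\d+(\.\d+)?", text) else None

def _compare(op, actual, expected):
    # Strings compare case-insensitively; when both sides are numeric they compare as numbers.
    if actual is None:                            # absent field: only negative operators match
        return op in ("neq", "notlike", "not_in")
    a = str(actual).lower()                       # bool True/False becomes "true"/"false"
    if op in ("in", "not_in"):
        return (a in [v.lower() for v in expected]) == (op == "in")
    e = expected.lower()
    an, en = _num(a), _num(e)
    if op in ("gt", "gte", "lt", "lte"):
        if an is None or en is None: raise TypeError(f"{op} needs numbers, got {a!r} and {e!r}")
        return {"gt": an > en, "gte": an >= en, "lt": an < en, "lte": an <= en}[op]
    if op in ("eq", "neq"):
        return ((an == en) if an is not None and en is not None else a == e) == (op == "eq")
    return (e in a) == (op == "like")             # like / notlike: substring match

def _evaluate(node, event):
    if node[0] == "and":
        return _evaluate(node[1], event) and _evaluate(node[2], event)
    if node[0] == "or":
        return _evaluate(node[1], event) or _evaluate(node[2], event)
    if node[0] == "not":
        return not _evaluate(node[1], event)
    return _compare(node[2], event.get(node[1]), node[3])   # ("cmp", field, op, value)

def search(events, query):                        # ids of matching events; query parsed once
    parser = _Parser(tokenize(query))
    tree = parser.expr()
    if parser.peek()[0] is not None: raise ValueError(f"unexpected token {parser.peek()}")
    return [e["id"] for e in events if _evaluate(tree, e)]

# Constructed sample events (not Netskope data) using field names from this page; None = absent.
FIELDS = ("id", "user", "app", "category", "browser", "cci", "alert_type", "dlp_rule_severity", "acked")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in (
    (1, "abc@xyz.com", "Dropbox", "Cloud Storage", "Chrome", 81, "DLP", "high", False),
    (2, "abc@xyz.com", "Slack", "Collaboration", "Firefox", 90, None, None, None),
    (3, "jdoe@xyz.com", "Box", "Cloud Storage", "Edge", 88, "policy", None, True),
    (4, "jdoe@xyz.com", "PasteSite", "Cloud Storage", "Safari", 23, "Tombstone Failed", None, False),
)]
```

search(SAMPLE_EVENTS, "app like box") returns [1, 3] because like is a substring test and Dropbox contains box; use eq when an exact app name is meant. A value with a space must be quoted, as in category = 'Cloud Storage', and an unterminated quote or a non-numeric operand to gt, gte, lt or lte is rejected rather than silently matched.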

C

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts, Application, Network, Page | category | Search events by category. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | category = 'Cloud Storage'
Alerts, Application, Network | cc | Search events by the users in the cc field. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network, Page | cci | Search by Cloud Confidence Index (CCI) score. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | cci gt 40
Alerts, Application, Network, Page | ccl | Search by the Cloud Confidence Level of an application. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | ccl eq poor
Alerts, Application, Network, Page | channel | Search for events specific to a channel in Slack. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Page | client_bytes | Search events by the number of bytes transferred from client to server. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | client_bytes > 800
Alerts | compliance_standards.control | The compliance standards control value. | string | eq, =, ==, neq, !=, in, not_in |
Alerts | compliance_standards.id | The compliance standards ID, for use in sorting. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <=, in, not_in |
Alerts | compliance_standards.section | The compliance standards section value. | string | eq, =, ==, neq, !=, in, not_in |
Alerts | compliance_standards.standard | The compliance standards 'standard' value. | string | eq, =, ==, neq, !=, in, not_in |
Page | conn_duration | Search events by how long the connection was established, in seconds. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | conn_duration > 10000
Alerts, Application, Network, Page | connection_id | Search events for a specific connection ID. | integer | eq, =, ==, neq, != | connection_id eq <connection ID number>
Alerts, Application, Network, Page | count | The number of occurrences aggregated into one event. The Netskope log watcher keeps the number of generated events to a minimum when the same event occurs many times within a short interval and reports the total under count, so searching for count greater than 1 finds events that were suppressed. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | count gt 1 and app eq 'Google Drive'
Alerts | cve_id | Search IPS alerts by CVE ID. | string | eq, =, ==, like, ~ | cve_id eq 'CVE-2019-1345'

D

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts, Application, Network | data_type | Search events by content type for Upload and Download activities. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | detection_engine | Search alerts by detection engine. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network, Page | device | Search for events from a specific device type. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | device eq Windows; device eq iOS and app eq Dropbox (users using Dropbox from an iOS device); device eq Macintosh and access_method eq 'Secure Forwarder' (verify that macOS traffic is redirected through Secure Forwarder)
Alerts, Application, Network | device_classification | How the device has been classified. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | device_classification eq managed
Alerts, Application, Network | dlp_file | Search events by the file that triggered the DLP violation. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dlp_file = credit_card_data.doc
Alerts, Application, Network | dlp_fingerprint_classification | Search events by the DLP fingerprint classification, within the profile, that matched the content. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dlp_fingerprint_classification = Finance
Alerts, Application, Network | dlp_fingerprint_match | Search events by the DLP fingerprint file, within the profile, that matched the content. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dlp_fingerprint_match = finance_report.doc
Alerts, Application, Network | dlp_fingerprint_score | Search events by the DLP fingerprint score, within the profile, for the matched content. | integer | eq, neq, gt, >, gte, >=, lt, <, lte, <= | dlp_fingerprint_score > 10
Alerts, Application, Network | dlp_incident_id | Search events for a specific DLP incident ID. | integer | eq, =, ==, neq, != | dlp_incident_id eq <incident ID number>
Alerts | dlp_match_info | DLP match identifier details. | dictionary | eq, neq, in, notin |
Alerts, Application, Network | dlp_parent_id | Search events for a specific DLP parent incident ID. | integer | eq, =, ==, neq, != | dlp_parent_id eq <parent ID number>
Alerts, Application, Network | dlp_profile | Search events for a specific DLP profile applied to the content. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dlp_profile = dlp-pci
Alerts, Application, Network | dlp_profile_name | Search events for a specific DLP profile name. | string | eq, neq, gt, >, gte, >=, lt, <, lte, <= | dlp_profile_name = dlp-pci
Alerts, Application, Network | dlp_rule | Search events by the DLP rule, within the profile, that matched the content. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dlp_rule = cc_num
Alerts, Application, Network | dlp_rule_count | Search events by the number of DLP rules that matched the content. | integer | eq, neq, gt, >, gte, >=, lt, <, lte, <= | dlp_rule_count = 10
Alerts, Application | dlp_rule_name | Search events by the name of the DLP rule, within the profile, that matched the content. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dlp_rule_name = cc_num
Alerts, Application, Network | dlp_rule_severity | Search events by the severity level of the matched DLP rule. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dlp_rule_severity = high
Application | dlp_scan_failed | Search the dlp_scan_failed field in application events. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Page | domain | Search for a specific domain. | string | eq, =, ==, neq, != |
Alerts | download_app | Search events where data was downloaded from a specific cloud app. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | dst_country | Search events for a specific destination country. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dst_country = US
Alerts, Application, Network, Page | dst_latitude | Search events for a specific destination latitude. | float | eq, =, gt, >, gte, >=, lt, <, lte, <= | dst_latitude > 0
Alerts, Application, Network, Page | dst_location | Search events for a specific destination location. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dst_location = 'San Jose'
Alerts, Application, Network, Page | dst_longitude | Search events for a specific destination longitude. | float | eq, =, gt, >, gte, >=, lt, <, lte, <= | dst_longitude > 0
Alerts, Application, Network, Page | dst_region | Search events for a specific destination state or region. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dst_region eq GA
Alerts, Application, Network, Page | dst_zipcode | Search events for a specific destination zip code. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dst_zipcode eq 94043
Network, Page | dsthost | Destination host name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network, Page | dstip | Search events for a specific destination IP address. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | dstip eq 192.0.2.1
Alerts, Application, Network, Page | dstport | Search events for a specific destination port. | integer | eq, =, ==, neq, != | dstport = 443

E

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts | email_source | The source of the email used in finding compromised credentials. | string | eq, =, ==, neq, != |
Alerts, Application, Network | encrypt_failure | Failure while encrypting a file. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | enterprise | The name of an enterprise. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | exposure | Search for files by their exposure. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | exposure eq external
Alerts, Application, Network | external_collaborator_count | Number of external collaborators. | integer | eq, =, gt, gte, lt, lte |
Alerts | external_email | Search the external_email field in alerts. | integer | eq, =, ==, neq, !=, like, ~, notlike, !~ |

F

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts | false_positive | Search for alerts that have or have not been marked as false positives. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | false_positive eq true; false_positive eq false
Alerts, Application, Network | file_lang | File language attribute of the relevant object. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | file_password_protected | Search for events whose file_password_protected attribute is set to yes. | string | eq, =, ==, neq, != |
Alerts, Application, Network | file_path | File path attribute of the relevant object. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | file_size | File size attribute of the relevant object. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= |
Alerts, Application, Network | file_type | File type attribute of the relevant object. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network, Page | first_accessed | Search by the time the app was first seen. | integer | gte, lte, from, to |
Alerts, Application, Network | from_object | Search events for activities performed between two objects, like moving files between folders. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | from_object eq Folder1
Alerts, Application, Network | from_user | Search events for activities by the login ID used for the cloud app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | from_user like john; from_user = john and activity eq Download
Alerts, Application, Network, Page | from_user_category | Search by whether the inviting user is external or internal. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | from_user_category like Internal

G

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts, Application, Network, Page | gateway | Search events from a specific gateway name or address. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |

H

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts, Application, Network, Page | hostname | Search for events from a specific device hostname. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Page | http_transaction_count | Search by HTTP transaction count. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | http_transaction_count gt 4

I

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts | iaas_asset_tags.name | Search alerts by iaas_asset_tags.name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | iaas_asset_tags.value | Search alerts by iaas_asset_tags.value. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | iaas_remediated | Search alerts by whether the iaas_remediated field exists. | string | eq, =, ==, neq, != |
Alerts | incident_id | Search for a specific incident ID. | integer | eq, =, ==, neq, != | incident_id eq <incident ID number>
Alerts, Application, Network | instance_id | Search events by app instance. Some cloud apps have multiple instances active at the same time, for example an organization's enterprise Salesforce.com instance; use this field to query events for a specific instance ID. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | app eq Salesforce.com and instance_id eq <instance ID>
Alerts, Application, Network | instance_name | Search events by the name of the app instance. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | instance_type | Search events by the instance type of the app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | instance_type = Server
Alerts, Application, Network | internal_collaborator_count | Number of internal collaborators. | integer | eq, =, gt, gte, lt, lte |
Network | ip_protocol | Search events by IP protocol. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |

J

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts, Application, Network | justification_reason | Search by the user's justification reason for a policy violation action. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | justification_type | Search by the user's justification type for a policy violation action. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |

L

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts | last_app | The last app this user used for this anomaly type before this anomaly was generated. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | last_country | The last country this user was seen in before this anomaly was generated. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | last_device | The last device used before this anomaly was generated. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | last_location | The last location this user was seen in before this anomaly was generated. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | last_region | The last region this user was seen in before this anomaly was generated. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | last_timestamp | The timestamp of the user's last non-anomalous activity before this anomaly was generated. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Page | latency_max | Search events by the maximum latency from proxy to app, in milliseconds. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | latency_max > 200; app = 'Salesforce.com' and src_country != US and latency_max gt 500
Page | latency_min | Search events by the minimum latency from proxy to app, in milliseconds. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt | latency_min > 200
Page | latency_total | Search events by the total latency from proxy to app, in milliseconds. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt | latency_total gt 200
Alerts, Application, Network | lh_fileid | Search events for a specific file by the unique ID assigned by the app chosen to hold the legal hold copy of the file. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | local_md5 | MD5 checksum of the relevant object. | string | eq, =, ==, neq, != |
Alerts | local_sha256 | SHA-256 checksum of the relevant object. | string | eq, =, ==, neq, != |
Alerts, Application, Network, Page | log_file_name | The file name of the log. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |

M

Event type | Query | Description | Format | Operators | Sample values
--- | --- | --- | --- | --- | ---
Alerts | malsite_id | Hash of the malicious site URL. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | malware_id | Malware ID. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | malware_name | Malware name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | malware_severity | Malware severity. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts | malware_type | Malware type. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | managed_app | App managed by Netskope. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | managementID | Search events for a specific device management ID. | string | eq, =, ==, neq, != |
Alerts | matched_username | The email address that was compromised. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | md5 | MD5 checksum of the relevant object. | string | eq, =, ==, neq, != |
Alerts, Application, Network | message_id | Search events by message ID. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | mime_type | MIME type attribute of the relevant object. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |
Alerts, Application, Network | modified | Modification time of the relevant object. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |

N

| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network, Page | netskope_pop | Search events by the Netskope PoP details. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | network | Search events based on network. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | network eq NET24:172.16.168.0 |
| Alerts, Application, Network | nsdeviceuid | Search events for a specific nsdeviceuid. | string | eq, =, ==, neq, != | |
| Page | numbytes | Search for the total number of bytes transmitted for the connection. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt | numbytes > 100 |

O

| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | oauth | Search events where a login was performed by a 3rd-party app using the OAuth tool provided by the cloud app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | object | Search events for a specific object name. The object name is the actual file name, folder name, report name, document name, etc. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | object like xls; activity eq Share and object_type eq File and object ~ xls (users sharing Excel files, showing the individual file names); activity eq Download and object ~ 'Medical Record' (users downloading medical records) |
| Alerts, Application, Network | object_count | Number of objects on which the operation was performed. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | object_id | Search events for a specific object ID, such as an activity-specific value. Event Type: Alert. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | object_id = f_12787234 |
| Alerts, Application, Network | object_type | Search events for a specific object type such as file, folder, report, document, message, etc. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | object_type eq file; activity eq share and object_type eq File (all files shared by users, with the file names); app eq Salesforce.com and activity eq Download and object_type eq File (all downloads of type file from Salesforce.com, with the file names); app eq GitHub and activity eq View and object_type eq File (users who accessed a file on GitHub, with the file names) |
| Alerts, Application, Network | offending_entry | Contains the offending snippet from traffic, for example an email that matches a constraints profile. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | An email that matches a constraints profile. |
| Alerts, Application, Network | offending_ip | Contains the offending IP that matches a network location object. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | An IP that matches a network location object. |
| Alerts, Application, Network | openid | Search events where a login was performed by a 3rd-party app using the OpenID tool provided by the cloud app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | org | Search for events from a specific organization. The organization name is derived from the user ID. Event Type: Application, Page, Alert. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | org eq 'netskope.com' |
| Alerts, Application, Network, Page | organization_unit | Search for events from a specific organization unit. The organization name is derived from the user ID. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, startswith | organization_unit eq 'netskope.com' |
| Page | origin | Search for events from specific log sources for log uploads. Administrators can upload firewall logs and proxy logs to the Netskope tenant instance for passive monitoring of the traffic; the Netskope log watcher monitors the logs to detect the cloud apps that users are using. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | origin like Gateway; origin like firewall; origin like proxy |
| Alerts, Application, Network, Page | os | Search for events from a specific Operating System (OS). | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | os = Windows; os eq Mavericks or os eq iOS; device eq Macintosh and os neq Maverick (Macintosh devices not running the enterprise-approved OS) |
| Alerts, Page | os_version | Search for a specific OS version. | string | eq, =, ==, neq, != | |
| Alerts, Application, Network | owner | User who owns this object. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Page | other_categories | The secondary category assigned to an application or website; this also includes any user-designated categories. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | Security Risk Malware Distribution Point, All Categories, Prohibited Websites |

P

| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Page | page | Search for a specific page. | string | eq, =, ==, neq, != | |
| Page | page_duration | Search for page duration. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | |
| Page | page_endtime | Search for page end time. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | |
| Page | page_id | Search for page ID. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | |
| Page | page_starttime | Search for page start time. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | |
| Alerts, Application, Network | parent_id | Search events for the folder ID to which a file has been moved or copied. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | policy | Search for events triggered by a specific policy. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | policy eq 'Cloud storage Policy' |
| Network | private_app_tags | Search for network events with the given private app tags. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | |
| Alerts, Application, Network | privilege | Search events for user account privilege details. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Network | protocol_port | Search events for a combination of ip_protocol and destination port. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | protocol_port eq TCP:80 |
| Network | publisher_cn | Search events for a specific publisher_cn. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | publisher_cn eq test_npa_publisher_cn |
| Network | publisher_name | Search events for a specific publisher_name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | publisher_name eq test_npa_publisher |

Q

| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Application, Network, Page | qos_class_name | Search for events based on the QoS class name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | |
| Application, Network, Page | qos_link_name | Search for events based on the QoS link name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | |
| Alerts, Application, Network | quarantine_action_reason | Search events for a specific action (allow/block) applied to the content based on the quarantine approver's (admin's) decision. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | quarantine_failure | Search events for a quarantine failure while transferring the content to the app chosen for quarantining. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | quarantine_file_id | Search events for a specific file, identified by the unique ID assigned by the app chosen for quarantining the file. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | quarantine_profile | Search events for a specific quarantine profile applied to the content. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | quarantine_profile = quarantine-pf1 |

R

| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | redirect_url | Search events for the URLs to which a cloud app redirected after login when used with tools such as OAuth. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | referer | Search the referer URL associated with an activity in a cloud app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts | region_name | Search IaaS assets for the given region_name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Page | req_cnt | Search events based on the number of HTTP requests over one underlying TCP connection. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | req_cnt > 10 |
| Alerts | resource_category | Search events based on the resource_category, like user, IAM, etc. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | Compute |
| Page | resp_cnt | Search events based on the number of HTTP responses over one underlying TCP connection. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | resp_cnt > 10 |
| Alerts, Application, Network, Page | retro_scan_name | Filter by retro scan name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | retro_scan_name = 'Retro_Scan_onedrive_sumoskope_20180827'; retro_scan_name eq 'Retro_Scan_onedrive_sumoskope_20180827' or 'Retro_Scan_box_ENG51457TEST_20180827' |
| Alerts, Application, Network, Page | role | Search for user roles like owner, editor, etc. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | role eq Editor |

S

| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts | sa_profile_name | Search alerts based on the sa_profile_name value. | integer | eq, =, ==, neq, !=, like, ~, notlike, !~, gt, >, gte, >=, lt, <, lte, <= | |
| Alerts | sa_rule_name | Search alerts based on the sa_rule_name value. | integer | eq, =, ==, neq, !=, like, ~, notlike, !~, gt, >, gte, >=, lt, <, lte, <= | |
| Alerts | sa_rule_severity | Search for alerts triggered by a specific policy, watchlist, or DLP rule. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in | sa_rule_severity eq 'Low' |
| Alerts, Application, Network, Page | sanctioned | Checks whether the returned events are generated from applications tagged as Sanctioned. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Application, Alerts | sanctioned_instance | Search the sanctioned_instance field in application events and alerts. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | scan_type | Whether the event was generated during a retroactive scan or by new ongoing activity. | string | eq, =, ==, neq, != | |
| Alerts, Application, Network | security_issue | Search events for any security issues associated with the SaaS app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Page | serial | The serial number of the device from which the metric came. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Page | server_bytes | Search events based on bytes transferred from server to client. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <= | server_bytes > 800 |
| Alerts, Application, Network | severity | Search by incident severity. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | shared | File sharing attributes of the relevant object. | string | eq, =, ==, neq, != | |
| Alerts | shared_credential_user | Search the shared_credential_user events. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | |
| Alerts, Application, Network | shared_domains | Comma-separated shared domains of a file. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts | shared_user_hostname | Search for shared credential alerts from a specific shared user hostname. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | |
| Alerts, Application, Network | shared_with | Comma-separated shared users of a file. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | site | Search for a specific site. | string | eq, =, ==, neq, !=, in, not_in | site eq NY |
| Alerts, Application, Network | smtp_status | Search events based on the smtp_status. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | smtp_to | Search events based on the smtp_to user. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | src_ip_country | Search events from a specific source country. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | src_ip_country eq IN |
| Alerts, Application, Network, Page | srcip | Search events from a specific source IP address. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | srcip eq 192.0.2.1 |
| Alerts, Application, Network, Page | src_country | Search events based on the source IP country. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | src_country eq IN; src_country eq US and dst_country eq US |
| Alerts, Application, Network, Page | src_location | Search events from a specific source city. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | src_location eq 'San Francisco' |
| Alerts, Application, Network, Page | src_region | Search events based on the source IP state or region. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | src_region eq CA; src_country eq US and src_region eq CA |
| Alerts, Application, Network, Page | src_zipcode | Search events from a specific source IP zip code. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | src_zipcode eq 94043 |
| Alerts, Application, Network, Page | src_timezone | Search events for a specific timezone. | string | eq, =, ==, neq, != | |
| Page | ssl_decrypt_policy | Search for traffic bypassed by Netskope due to an SSL Decrypt Policy hit. | string | eq, =, ==, neq, != | |
| Alerts, Application, Page | subject | Search events based on the email subject. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |

T

| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | tag | Search events based on video-related keywords. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | team | Search for events specific to a team in Slack. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | telemetry_app | Search the telemetry app associated with an activity in a cloud app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts | threat_match_value | Search for the threat match value (URL or domain) in malicious sites. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | domain, url, ip |
| Alerts, Application, Network, Page | timestamp | The time the event was generated, in Epoch Time format. | integer | eq, =, ==, neq, !=, gt, >, gte, >=, lt | timestamp gt 1597449600 |
| Alerts, Application, Network | to_object | Search events for activities performed between two objects, like moving files between folders. This field is visible only for events that involve a user activity between two objects. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | to_object like Folder1; activity eq Edit and to_object like Folder1 |
| Alerts, Application, Network | to_user | Search events based on the destination user IDs. This field is visible only for events where a user is transacting with another user, such as sharing a file or a folder. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | to_user like Adam; app eq Dropbox and activity eq Share and to_user ~ netskope (all user names inside the organization with whom the file was shared) |
| Alerts, Application, Network, Page | to_user_category | Search whether the invited user is internal or external. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | Internal, External |
| Alerts, Application, Network | total_collaborator_count | Total number of collaborators. | integer | eq, =, gt, gte, lt, lte | |
| Alerts, Application, Network, Page | traffic_type | Search for a specific traffic type. There are two types of traffic: Web and CloudApp. | string | eq, =, ==, neq, != | traffic_type eq Web |
| Alerts, Application, Network | transaction_id | Search for events with a specific transaction ID. | integer | eq, =, ==, neq, != | transaction_id eq <ID> |
| Alerts, Application, Network | trigger | Search for events for a specific activity, like Upload. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | trigger_val | Search for events for a specific activity value, like File Name. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | trigger_var | Search for events for a specific activity name, like File. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | trust_computer_checked | Search events where the trust computer option was checked along with two-factor authentication when logging into a cloud app. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network | tss_scan_failed | Search the dlp_scan_failed field in application events. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | tunnel_id | Search events for a specific connection ID. | string | eq, =, == | |
| Alerts, Application, Network | two_factor_auth | Search events where a login was performed using two-factor authentication. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | type | Search for a connection type event or an application event. Application events are triggered for user actions inside the cloud app and are of type nspolicy. You can also switch between page and application events from the dropdown displayed on the Skope IT page. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | type eq connection; type eq page; type eq nspolicy |

U

| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | universal_connector | Search events by detection source. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | App Connector or Universal Connector. |
| Application, Network, Page | ur_normalized | Search events from a specific ur_normalized. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | ur_normalized eq john@abc.com |
| Alerts, Application, Network, Page | url | Search the URL accessed by a user. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | url eq http://www.example.com |
| Alerts, Application, Network | Url2Activity | Search specific Skope IT events for uploaded logs. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | user | Search events for a specific user. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | user eq john@abc.com; user eq 192.0.2.1 (user with IP address 192.0.2.1); user ~ john and app eq Dropbox (usernames containing john, for the Dropbox app); user eq john@abc.com and app eq Dropbox (user john@abc.com for the Dropbox app); user from adam to john (all users from adam to john) |
| Alerts, Application, Network, Page | user_category | Search whether the user is internal or external. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | user_category eq Internal |
| Page | user_generated | Search for user-generated page events. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | user_password_breached | The user whose credential is compromised. Possible values are 'yes' or 'no'. | string | eq, =, ==, neq, != | |
| Alerts, Application, Network, Page | user_role | Search for a user role like admin, coadmin, etc. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | user_role eq Admin |
| Alerts, Application, Network, Page | user-risk | The risk level of users (low, medium, high). | string | eq, = | |
| Alerts, Application, Page | useragent | The user agent field in the HTTP request. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | usergroup | When a user group is searched, this includes every user within the group. | string | eq, =, ==, neq, !=, like, ~, notlike, !~, in, not_in | usergroup eq student2.support-lab.com/Test |
| Alerts, Application, Network, Page | userip | When a user is behind a proxy, this is the internal IP of the user at that time. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | |
| Alerts, Application, Network, Page | userkey | Search events from a specific user/email. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ | userkey eq john@abc.com |

V

| Query | Description | Format | Operators |
|---|---|---|---|
| vpc | Search events based on VPC. | string | eq, =, ==, neq, !=, like, ~, notlike, !~ |

W

| Event Type | Query | Description | Format | Operators | Sample Values |
|---|---|---|---|---|---|
| Alerts, Application, Network | web_url | The URL for a file that opens the file in an app. | string | eq, =, ==, neq, != | |
| Alerts, Application, Network | workspace | Workspace name specific to Slack Enterprise. | string | eq, =, ==, neq, != | This is a custom name provided by the admin, for example: Netskope Corp |
