Skope IT Query Language Search Examples

To help you find specific events, here’s a list of helpful search queries:

Purpose: Are my users sharing content with a competitor?
Query:   activity eq Share and to_user like @competitor.com

Purpose: Are my users sharing outside the organization?
Query:   activity eq Share and to_user notlike @mycompany.com and to_user neq ''

Purpose: Do I have non-sanctioned Google Apps usage?
Query:   app like google and instance_id notlike mycompany and from_user notlike mycompany.com

Purpose: Do I have high risk applications outside of the US?
Query:   app-risk eq high and dst_country neq US and dst_country neq ''

Purpose: Are my users sending email messages to competitors?
Query:   activity eq 'Send' and to_user like '@competitor.com'

Purpose: Is anyone outside of HR (or Finance, or Support) downloading from an HR (or Finance, or CRM) app?
Query:   organization_unit neq [NAME] and activity eq Download and category eq [CAT NAME]

Purpose: Is anyone uploading to apps whose terms don't specify that the customer owns the data?
Query:   activity eq Upload and app-cci-who-owns-data eq 'Vendor owns the data'

Purpose: Is anyone uploading to business intelligence apps whose terms don't specify that the customer owns the data?
Query:   category eq 'Business Intelligence' and app-cci-who-owns-data eq 'Vendor owns the data' and activity eq Upload

Purpose: Show downloads from vulnerable apps
Query:   activity eq Download and app-cci-vuln-exploit neq None

Purpose: Show any shares from an app that ISN'T Cloud Storage
Query:   category neq 'Cloud Storage' and activity eq Share

Purpose: Show any failed logins to any Finance/Accounting app
Query:   activity eq 'Login Failed' and category eq Finance/Accounting

Purpose: Show logins to any Finance/Accounting app by people outside of Finance, except for Expensify <insert expense mgmt app here>
Query:   organization_unit neq [NAME] and activity eq Login and app neq Expensify

Purpose: Show any data modifications in Finance/Accounting apps
Query:   category eq 'Finance/Accounting' and activity eq Edit or category eq Finance/Accounting and activity eq Delete

Purpose: What happened to that document after someone downloaded it?
Query:   object like '[partial name]' OR user eq [name] and object like '[partial name]'

Purpose: Show upload events to Social Media larger than 10 MB
Query:   category eq Social and client_bytes > 10000000

Purpose: Show downloads larger than 1 GB
Query:   server_bytes > 1000000000

Purpose: Show Box Sync client activity
Query:   useragent like 'Box Sync'

Purpose: Show HR apps that offer encryption at rest with tenant-managed keys
Query:   category eq HR and app-cci-encrypt-tenant-managed-key eq Yes

Purpose: Show Mozy backup agent usage
Query:   app eq Mozy and useragent like kalypso

Purpose: Show events that don't have user binding (the user field holds a private IP address instead of an identity)
Query:   user like '10.' or user like '172.16.' or user like '172.17.' or user like '172.18.' or user like '172.19.' or user like '172.20.' or user like '172.21.' or user like '172.22.' or user like '172.23.' or user like '172.24.' or user like '172.25.' or user like '172.26.' or user like '172.27.' or user like '172.28.' or user like '172.29.' or user like '172.30.' or user like '172.31.' or user like '192.168.'

Purpose: Show events that DO have user binding
Query:   user notlike '10.' and user notlike '172.16.' and user notlike '172.17.' and user notlike '172.18.' and user notlike '172.19.' and user notlike '172.20.' and user notlike '172.21.' and user notlike '172.22.' and user notlike '172.23.' and user notlike '172.24.' and user notlike '172.25.' and user notlike '172.26.' and user notlike '172.27.' and user notlike '172.28.' and user notlike '172.29.' and user notlike '172.30.' and user notlike '172.31.' and user notlike '192.168.'

Purpose: Field IS empty
Query:   organization_unit eq ''

Purpose: Field is NOT empty
Query:   organization_unit neq ''

Purpose: Case-insensitive search for the string netskope in the object field
Query:   object ~ 'netskope(?i)'

Purpose: Show events from various OS endpoints
Query:   os like NT or os like 7 or os like XP or os like 8.1 or os like 2000 or os like 8 or os like 'Windows Vista' or os eq unknown or os eq 'Mac OS' or os eq Linux or os eq Android or os eq 'Snow Leopard' or os eq BlackBerry

Purpose: Show events that involved PowerPoint files
Query:   object ~ '.pptx(?i)'

Purpose: Show high risk app usage
Query:   app-risk eq high

Purpose: Show high risk user usage
Query:   user-risk eq high

Purpose: Show mobile agent activity
Query:   access_method eq 'Mobile Profile'

Purpose: Show non-blocked app traffic (useful for log Risk Insights)
Query:   action neq block

Purpose: Show non-blocked application activities (useful for log Risk Insights)
Query:   Url2Activity eq yes

Purpose: Show users searching for jobs on LinkedIn
Query:   app eq 'Linkedin' and object_type eq 'Job'

Purpose: Get a DLP report
Query:   alert_type eq DLP

Purpose: Show which apps are hosted on AWS
Query:   app-cci-apphosting-provider eq 'Amazon Web Services'

Purpose: Show uploads, sends, transfers, or posts to Cloud Storage, Cloud Backup, or Consumer: Content Sharing apps whose poor terms and conditions give the vendor the rights to your own data (the category alternatives are grouped in parentheses so that the vendor-owns-data and activity conditions apply to all of them)
Query:   app-cci-who-owns-data eq 'Vendor owns the data' and (activity eq Upload or activity eq Send or activity eq Transfer or activity eq Post) and (category = 'Cloud Storage' or category = 'Cloud Backup' or category = 'Consumer: Content Sharing')

Purpose: Show high risk apps, excluding some noisy categories
Query:   app-risk = high and (category neq 'Data & Analysis' and category neq Marketing and category neq 'Web Analytics' and category neq Security and category neq eCommerce)

Purpose: Show app usage that could be violating German data sovereignty laws (using Social as the example category; replace with HR, Finance, or another appropriate app category)
Query:   src_country eq DE and dst_country neq DE and category eq Social

Purpose: Investigate whether a user has downloaded from a sanctioned app and uploaded to an unsanctioned one
Query:   user eq xxx@netskope.com and ((activity eq 'Download' and app-cci-app-tag eq Sanctioned) or (activity eq 'Upload' and app-cci-app-tag eq Unsanctioned))

Purpose: Are users uploading to apps that will own my data?
Query:   app-cci-who-owns-data eq 'Vendor owns the data' and activity eq Upload

Purpose: What are the critical PCI incidents in the last 30 days?
Query:   dlp_profile eq 'DLP-PCI' and dlp_rule_severity eq Critical

Purpose: Which apps used by my workforce can be source-IP restricted?
Query:   app-cci-src-ip-enforcement eq Yes

Purpose: Which of the apps used by my workforce can use SAML SSO?
Query:   app-cci-sso eq SAML

Purpose: Show an example of sessionization (Netskope log parsing differentiation). This reports on human usage (which is useful), not on each individual HTTP session (which is not useful)
Query:   req_cnt > 1

Purpose: Show sharing detected from log parsing
Query:   Url2Activity eq yes and activity eq Share

Purpose: Show posting detected from log parsing
Query:   Url2Activity eq yes and activity eq Post

Purpose: Show alerts for high risk users
Query:   user-risk eq high and alert eq yes

Purpose: Show all file sharing outside the organization
Query:   activity eq Share and to_user notlike @netskope.com and object_type eq 'File' and object neq ''

Purpose: Show all destination countries outside the EU
Query:   dst_country neq BE and dst_country neq BG and dst_country neq DK and dst_country neq DE and dst_country neq EE and dst_country neq FI and dst_country neq FR and dst_country neq GR and dst_country neq IE and dst_country neq IT and dst_country neq HR and dst_country neq LV and dst_country neq LT and dst_country neq LU and dst_country neq MT and dst_country neq NL and dst_country neq AT and dst_country neq PL and dst_country neq PT and dst_country neq RO and dst_country neq SE and dst_country neq SK and dst_country neq SI and dst_country neq ES and dst_country neq CZ and dst_country neq HU and dst_country neq GB and dst_country neq CY and dst_country neq EU

Purpose: Search for all user logins for a range of users
Query:   activity eq 'Login Successful' and user from albertd@netskope.com to userz@netskope.com

Purpose: Exclude the categories commonly left out of Shadow IT analysis:
  • Data & Analysis: often noisy; automated sessions.
  • eCommerce: often noisy; personal use.
  • Marketing: can be noisy; varies by firm/some apps may be valid.
  • Security: often noisy; imposed, so not shadow IT.
  • Social: can be noisy; varies by firm/some apps may be valid.
  • Tracking apps: often noisy; automated sessions.
  • Web Analytics: often noisy; automated sessions.
  • Web Proxies/Anonymizers: can be noisy; varies by firm.
Query:   (category neq 'Data & Analysis' and category neq eCommerce and category neq Marketing and category neq Security and category neq Social and category neq 'Tracking apps' and category neq 'Web Analytics' and category neq 'Web Proxies/Anonymizers')

Purpose: Show patient zero
Query:   alert_name eq 'Patient Zero'

Purpose: Show alerts associated with a malicious file hash
Query:   md5 eq '<MD5>'
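As an added illustration (not Netskope's code or its real query parser), this small Python evaluator runs several of the queries above, including the parenthesised and private-IP ones, against constructed sample events. It assumes the semantics the examples imply: eq/neq exact match, like/notlike substring, ~ regex, and binding tighter than or, parentheses overriding; the event values are made up.

```python
import re

# Constructed sample events keyed by Skope IT field names (not real Netskope data).
EVENTS = [
    {"activity": "Share", "user": "alice@mycompany.com", "to_user": "bob@competitor.com", "category": "Cloud Storage", "object": "roadmap.PPTX", "client_bytes": 0},
    {"activity": "Share", "user": "alice@mycompany.com", "to_user": "carol@mycompany.com", "category": "Cloud Storage", "object": "notes.txt", "client_bytes": 0},
    {"activity": "Upload", "user": "10.1.2.3", "to_user": "", "category": "Social", "object": "video.mp4", "client_bytes": 20000000},
    {"activity": "Share", "user": "dave@mycompany.com", "to_user": "", "category": "HR", "object": "", "client_bytes": 0},
]

def regex_match(value, pattern):  # Python wants inline flags first: move a trailing (?i)
    pattern = "(?i)" + pattern[:-4] if pattern.endswith("(?i)") else pattern
    return re.search(pattern, value) is not None

# Assumed operator semantics: eq/neq exact match, like/notlike substring, ~ regex,
# > numeric with an empty field treated as 0. Values may be 'quoted' or bare.
OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "like": lambda a, b: b in a, "notlike": lambda a, b: b not in a,
       "~": regex_match, ">": lambda a, b: float(a or 0) > float(b)}
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")

def parse(query):
    # Recursive descent; assumes 'and' binds tighter than 'or' and parentheses override.
    toks = [t[1:-1] if t.startswith("'") else t for t in TOKEN.findall(query)]
    peek = lambda: toks[0].lower() if toks else None
    take = lambda: toks.pop(0)
    def disjunction():
        terms = [conjunction()]
        while peek() == "or":
            take(); terms.append(conjunction())
        return lambda ev: any(t(ev) for t in terms)
    def conjunction():
        terms = [comparison()]
        while peek() == "and":
            take(); terms.append(comparison())
        return lambda ev: all(t(ev) for t in terms)
    def comparison():
        if peek() == "(":
            take(); inner = disjunction()
            assert take() == ")", "missing ')'"
            return inner
        field, op, value = take(), take().lower(), take()
        return lambda ev: OPS[op](str(ev.get(field, "")), value)
    tree = disjunction()
    assert not toks, "unexpected token %r" % toks[0]
    return tree

def run(query, events=EVENTS):
    """Return the indexes of the events a query matches."""
    matches = parse(query)
    return [i for i, ev in enumerate(events) if matches(ev)]
```

Running the same query with and without parentheses (for example `activity eq Upload or activity eq Share and category eq HR`) shows why the grouped forms above matter.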

Note

For users whose names contain special characters, such as an organizational unit with a backslash (netskope.com\johnd), escape the backslash with a second backslash. For example: user eq netskope.com\\johnd

This returns all Page events generated for the user johnd. To see the application events generated for this user, switch to the Application Events type in Skope IT.

Tip

You can filter the data source by navigating to Settings > General > Data Source > EDIT SOURCE and then choosing the data source to look for events specifically generated from these sources. For more details, refer to Filter Data Sources.
