Netskope Help

SkopeIT Queries Library

This section provides the query name, description, format, and operators for SkopeIT query language searches.

Query

Description

Format

Operators

access_method

Search for events generated from specific access methods such as Client, Secure Forwarder, Logs, Mobile profile, etc.

Event Type: Application, Page, Alert

Ex: access_method eq 'Client'

Search events where the access method is either Add On or Secure Forwarder:

access_method eq 'Add On' or access_method eq 'Secure Forwarder'

For log uploads from a proxy or firewall, provide the name of the parser to search for events generated from log uploads:

access_method eq proxysg-http-main

string

eq,=,==,neq,!=,like,~,notlike,!~,in

account

Search events based on account.

string

eq,=,==,neq,!=,like,~,notlike,!~

account_id

Search IaaS collections and alerts for the given account ID.

string

eq,=,==,neq,!=,like,~,notlike,!~,in

account_name

Search IaaS collections and alerts for the given account name.

string

eq,=,==,neq,!=,like,~,notlike,!~,in

account_recipient

Search events based on account recipient.

string

eq,=,==,neq,!=,like,~,notlike,!~

acked

Search for alerts that have been acknowledged or not.

Ex: acked eq true/false

string

eq,=,==,neq,!=,like,~,notlike,!~

acl_assocation

Search events based on ACL association.

string

eq,=,==,neq,!=,like,~,notlike,!~

acl_grantee

Search events based on ACL grantee.

string

eq,=,==,neq,!=,like,~,notlike,!~

acl_grantee_type

Search events based on ACL grantee type.

string

eq,=,==,neq,!=,like,~,notlike,!~

acl_permission

Search events based on ACL permission.

string

eq,=,==,neq,!=,like,~,notlike,!~

act_user

Search for the user who performed the activity, like naman@netskope.com.

string

eq,=,==,neq,!=,like,~,notlike,!~

acting_role

Search events based on acting role.

string

eq,=,==,neq,!=,like,~,notlike,!~

acting_user

Search incident from a specific user.

Ex: acting_user eq john@abc.com

string

eq,=,==,neq,!=,like,~,notlike,!~

acting_user

Search events based on acting user.

string

eq,=,==,neq,!=,like,~,notlike,!~

action

Search for an action taken by the user, like Block, Bypass, Alert.

Event Type: Application, Alert

Ex: alert eq yes and action eq block

string

eq,=,==,neq,!=,like,~,notlike,!~,exists

action_type

Search events based on action type.

string

eq,=,==,neq,!=,like,~,notlike,!~

active_since

Timestamp since when the client has been active.

integer

lte

activity

Search for events or alerts for a specific user activity. The value specified for this query field is one of the activities that can occur within the cloud app and be analyzed by the Netskope analytics engine. The value is case sensitive.

Ex: activity eq Create,

activity eq Download or activity eq Upload,

activity eq Download and object_type eq Reports and app eq Expensify

string

eq,=,==,neq,!=,like,~,notlike,!~

activity_status

Search for events or alerts for a specific app activity status.

Ex: activity_status eq Access Denied

string

eq,=,==,neq,!=,like,~,notlike,!~

activity_type

Search events about activity type of app.

string

eq,=,==,neq,!=,like,~,notlike,!~

aggregated_user

Search events where the user field is a network location.

Ex: aggregated_user eq True

string

eq,=,==,neq,!=,like,~,notlike,!~

alarm_description

This is the description of the alarm.

Event Type: Infrastructure

Ex: alarm_description like 'last 24 hours'

string

eq,=,==,neq,!=,like,~,notlike,!~

alarm_name

This is the name of the alarm.

Event Type: Infrastructure

Ex: alarm_name like 'router-log'

string

eq,=,==,neq,!=,like,~,notlike,!~

alert

Search for events that triggered an alert due to a policy match or watchlist, or for events that did not trigger an alert. Alerts are only generated when a policy or watchlist is matched. In all other scenarios, a regular event is generated.

Event Type: Application, Alert

Ex: alert eq yes

string

eq,=,==,neq,!=

alert_category

Search for alerts triggered by watchlist.

Ex: alert_category eq Suspicious Access

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_detection_stage

Search for alerts triggered by watchlist.

Ex: alert_detection_stage eq Access

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_event_group

Search events based on Alert Event Group.

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_name

Search for alerts triggered by specific policy, watchlist or DLP.

Ex: alert_name eq 'Cloud storage Policy',

alert_type eq policy and alert_name eq 'block uploads policy',

alert_type eq watchlist and alert_name eq 'Creating file on Google drive'

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_priority

Search events based on alert priority.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

alert_query

Search for alerts triggered by watchlist.

Ex: alert_query eq query string

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_source

Search events based on alert source.

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_stage

Search for alerts triggered by watchlist.

Ex: alert_stage eq Access

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_stage

Search events based on alert stage.

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_status

Search for alerts triggered by watchlist

Ex: alert_status eq open

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_type

Search for alerts triggered by policy action, watchlist, quarantine, or DLP.

Event Type: Application, Alert

Ex: alert_type eq policy

Search for alerts generated by DLP violations:

alert_type eq DLP

Search for alerts not generated by watchlist:

alert_type neq watchlist

string

eq,=,==,neq,!=,like,~,notlike,!~

alert_window

Search for alerts triggered by watchlist.

Ex: alert_window eq 86400000

integer

eq,=,==,neq,!=,like,~,notlike,!~

allocated_storage

Search events based on allocated storage.

string

eq,=,==,neq,!=,like,~,notlike,!~

app

Search events for a specific cloud app.

Event Type: Application, Page, Alert

Ex: app = Dropbox

Search events for all apps except Box:

app neq Box

Search events for Box or Dropbox apps:

app = Box or app = Dropbox

Search events from user abc@xyz.com for the Dropbox, Box, Facebook, or Salesforce.com apps:

user eq abc@xyz.com and (app eq Dropbox or app eq Box or app eq Facebook or app eq Salesforce.com)

string

eq,=,==,neq,!=,like,~,notlike,!~,in,not_in

app_activity

Search events for a specific application activity.

Ex: Collaboration_Expiration

string

eq,=,==,neq,!=,like,~,notlike,!~

app_session_id

Search for events with a specific application session ID. An app session starts when a user starts using a cloud app and ends once they have been inactive for a certain period of time. Each application session has a unique application session ID. Use app_session_id to check all the user activities in a single app session.

Event Type: Application, Page, Alert

Ex: app_session_id eq <session ID number>

integer

eq,=,==,neq,!=

app-cci-access-logs

Search events for apps with 'Does the app provide data access audit logs?'

string

eq,=,==,neq,!=

app-cci-access-other-apps

Search events for apps with 'Does this application access other apps on the device?'

string

eq,=,==,neq,!=

app-cci-action-based-auth

Search events for apps with 'Does the app enforce authorization policies on user activities?'

string

eq,=,==,neq,!=

app-cci-allow-classify-data

Search events for apps with 'Does the app allow data classification, like public, confidential, and proprietary?'

string

eq,=,==,neq,!=

app-cci-allow-download-data

Search events for apps with 'Is the customer data available for download upon cancellation of service?'

string

eq,=,==,neq,!=

app-cci-allow-proxy

Search events for apps with 'Can the App Traffic be Proxied'.

string

eq,=,==,neq,!=

app-cci-anonymous-sharing

Search events for apps with 'Does the app allow anonymous sharing of data?'

string

eq,=,==,neq,!=

app-cci-app-hosting-location

Search events about the locations from which the hosting provider serves app data.

string

eq,=,==,neq,!=

app-cci-app-tag

Search events for apps with 'App Type'.

string

eq,=,==,neq,!=

app-cci-app-type

The type of the app - Consumer, Departmental, or Enterprise.

string

eq,=,==,neq,!=

app-cci-apphosting-provider

Search events for apps with 'Which infrastructure or hosting provider is the app hosted on?'

string

eq,=,==,neq,!=

app-cci-audit-logs

Search events for apps with 'Does the app provide admin audit logs?'

string

eq,=,==,neq,!=

app-cci-backup-user-data

Search events for apps with 'Does the app vendor back up customer data in a separate location from the main data center?'

string

eq,=,==,neq,!=

app-cci-business-risk

The business risk level of apps, like low, medium, and high.

string

eq,=,==,neq,!=

app-cci-cc-signup

Search events about the locations from which the hosting provider serves app data.

string

eq,=,==,neq,!=

app-cci-compliance-cert

Search events for apps with 'What compliance certifications does the app have?'

string

eq,=,==,neq,!=

app-cci-contacts-data

Search events for apps with 'Does this application access contacts, calendar data and messages?'

string

eq,=,==,neq,!=

app-cci-cookies-3rd-party

Search events for apps with 'Does this application use third-party cookies?'

string

eq,=,==,neq,!=

app-cci-data-center-cert

Search events for apps with 'To what data center standards does the app adhere?'

string

eq,=,==,neq,!=

app-cci-data-per-tenant

Search events for apps with 'Data segregated by tenant'

string

eq,=,==,neq,!=

app-cci-device-based-access

Search events for apps with 'Does the app support the following device types?'

string

eq,=,==,neq,!=

app-cci-dispersed-data-center

Search events for apps with 'Does the application vendor utilize geographically dispersed data centers to serve customers?'

string

eq,=,==,neq,!=

app-cci-encrypt-at-rest

Search events for apps with 'Does the app encrypt data-at-rest?'

string

eq,=,==,neq,!=

app-cci-encrypt-in-transit

Search events for apps with 'Does the app encrypt data-in-transit?'

string

eq,=,==,neq,!=

app-cci-encrypt-tenant-managed-key

Search events for apps with 'Does the app allow customer-managed encryption keys?'

string

eq,=,==,neq,!=

app-cci-erase-cust-data

Search events for apps with 'Is all customer data erased upon cancellation of service? If so, when?'

string

eq,=,==,neq,!=

app-cci-file-capacity

Search events for apps with 'File Sharing Capacity'.

string

eq,=,==,neq,!=

app-cci-file-sharing

Search events for apps with 'Does the app enable file sharing? '

string

eq,=,==,neq,!=

app-cci-is-weak-cipher

Search events for apps with 'Does the app increase the risk of data exposure by supporting weak cipher suites?'

string

eq,=,==,neq,!=

app-cci-multi-fact-auth

Search events for apps with 'Does the app support multi-factor authentication?'

string

eq,=,==,neq,!=

app-cci-published-dr-plan

Search events for apps with 'Does the app vendor provide disaster recovery services?'

string

eq,=,==,neq,!=

app-cci-recent-breach

Search events for apps with 'Has this application been recently breached (in the past year)?'

string

eq,=,==,neq,!=

app-cci-role-based-access

Search events for apps with 'Does the app support role-based authorization?'

string

eq,=,==,neq,!=

app-cci-secure-pass-policy

Search events for apps with 'Does the app enforce password best practices as policy?'

string

eq,=,==,neq,!=

app-cci-securityheaders

Search events for apps with 'Which HTTP security headers does the app use?'

string

eq,=,==,neq,!=

app-cci-sharing-personal-info-3rd-party

Search events for apps with 'Does this app share users' personal information (for example, name, email, address)?'

string

eq,=,==,neq,!=

app-cci-spf

Search events for apps with 'Does the app vendor use a Sender Policy Framework to protect customers from spam and phishing emails?'

string

eq,=,==,neq,!=

app-cci-src-ip-enforcement

Search events for apps with 'Does the app support access control by IP address or range?'

string

eq,=,==,neq,!=

app-cci-sso

Search events for apps with 'SSO/AD hooks.'

string

eq,=,==,neq,!=

app-cci-status-report

Search events for apps with 'Does the app vendor provide infrastructure status reports?'

string

eq,=,==,neq,!=

app-cci-system-operations

Search events for apps with 'Does this application perform system operations?'

string

eq,=,==,neq,!=

app-cci-treat-classify-data

Search events for apps with 'If yes, does the app allow admins to take action on classified data (for example, encrypt or control access)?'

string

eq,=,==,neq,!=

app-cci-upgrade-notification

Search events for apps with 'Does the app vendor provide notifications to customers about upgrades and changes (for example, scheduled maintenance, new releases, software/hardware changes)?'

string

eq,=,==,neq,!=

app-cci-user-audit-logs

Search events for apps with 'Does the app provide user audit logs?'

string

eq,=,==,neq,!=

app-cci-vuln-exploit

Search events for apps with 'Vulnerabilities & Exploits'

string

eq,=,==,neq,!=

app-cci-weak-algorithm-keysize

Search events for apps with 'Does the app increase the risk of data exposure by supporting weak signature algorithm or key size?'

string

eq,=,==,neq,!=

app-cci-who-owns-data

Search events for apps with 'Who owns the data/content uploaded to the application site? Does the customer own the data or does the application vendor own the data?'

string

eq,=,==,neq,!=

app-gdpr-level

Search based on the General Data Protection Regulation (GDPR) readiness level of the apps. The readiness levels are low, medium, and high.

Event Type: Application, Page, Alert

Ex: app-gdpr-level eq high

string

eq,=,==,neq,!=,like,~,notlike,!~

assignee

Assignee for the incident.

string

eq,=,==,neq,!=,like,~,notlike,!~

attachment

This variable holds the names of the attachments that are being sent with the mail.

string

eq,=,==,neq,!=,like,~,notlike,!~

audit_category

Search audit events for a specific audit category. audit_category displays the category to which the audit event belongs.

string

eq,=,==,neq,!=,like,~,notlike,!~

audit_log_event

Search events for a specific audit log event.

Event Type: Audit

Ex: audit_log_event eq 'Access Denied'

string

eq,=,==,neq,!=,like,~,notlike,!~

audit_type

Search audit events for a specific audit type. audit_type displays the actual audit event name from the SaaS app.

Event Type: Application

Ex: audit_type eq internal

string

eq,=,==,neq,!=,like,~,notlike,!~

boolean_metric_value

Represents a timer metric value.

string

eq,=,==,neq,!=,like,~,notlike,!~

browser

Search for events from a specific browser.

Event Type: Application, Page, Alert

Ex: browser eq Chrome

Search for events from any browser other than Chrome, Safari, and Firefox:

not (browser eq Chrome or browser eq Safari or browser eq Firefox)

string

eq,=,==,neq,!=,like,~,notlike,!~

browser_session_id

Search for a specific browser session ID.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

browser_version

Search for a specific browser version.

string

eq,=,==,neq,!=

bypass_traffic

Search for traffic bypassed by Netskope.

string

eq,=,==,neq,!=

bytes

Search events based on bytes.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

category

Search events for a specific category.

Ex: category = 'Cloud Storage'

string

eq,=,==,neq,!=,like,~,notlike,!~,in,not_in

cci

Search for Cloud Confidence Index (CCI) score.

Event Type: Application, Page, Alert

Ex: cci gt 40

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

ccl

Search for the Cloud Confidence Level (CCL) of an application.

Event Type: Application, Page, Alert

Ex: ccl eq poor

string

eq,=,==,neq,!=,like,~,notlike,!~

certificate_id

Search events based on certificate_id.

string

eq,=,==,neq,!=,like,~,notlike,!~

channel

Search for events specific to a channel in Slack.

string

eq,=,==,neq,!=,like,~,notlike,!~

cidr

Search events based on cidr.

string

eq,=,==,neq,!=,like,~,notlike,!~

client_bytes

Search events based on bytes transferred from client to server.

Event Type: Page

Ex: client_bytes > 800

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

client_install_time

The time the client was installed.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

client_last_check_in_time

The time the client last checked in.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

client_version

Search for devices with a specific Netskope client version.

Ex: client_version like '67'

string

eq,=,==,like,notlike

cloud_domain

Search events based on cloud domain.

string

eq,=,==,neq,!=,like,~,notlike,!~

cloud_provider

Search events based on Cloud Provider (Google Cloud Platform, Amazon Web Services).

string

eq,=,==,neq,!=,like,~,notlike,!~

collaborated

Exposure of file in filemeta.

string

eq,=,==,neq,!=,like,~,notlike,!~

compute_disk

Search events based on compute disk.

string

eq,=,==,neq,!=,like,~,notlike,!~

compute_image

Search events based on compute image.

string

eq,=,==,neq,!=,like,~,notlike,!~

compute_image_location

Search events based on compute image location.

string

eq,=,==,neq,!=,like,~,notlike,!~

compute_instance

Search events based on compute instance.

string

eq,=,==,neq,!=,like,~,notlike,!~

compute_type

Search events based on compute type.

string

eq,=,==,neq,!=,like,~,notlike,!~

conn_duration

Search events based on how long the connection was established in seconds.

Ex: conn_duration > 10000

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

connection_id

Search events for a specific connection ID.

Ex: connection_id eq <connection ID number>

integer

eq,=,==,neq,!=

count

Search for activities with an event count greater than 1 to find events that were suppressed. The Netskope log watcher ensures that a minimal number of events is generated for an event that occurs multiple times within a short interval of time; it reports the total number of occurrences under count.

Event Type: Application, Page, Alert

Ex: count gt 1 and app eq 'Google Drive'

integer

eq,neq,gt,>,gte,>=,lt

count_metric_value

Represents a timer metric value.

string

eq,=,==,neq,!=,like,~,notlike,!~

creation_time_instance

Search events based on creation_time_instance.

string

eq,=,==,neq,!=,like,~,notlike,!~

data_type

Search events about content-type for Upload and Download triggers.

string

eq,=,==,neq,!=,like,~,notlike,!~

database

Search events based on database.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_cluster

Search events based on db cluster.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_cluster_members

Search events based on db_cluster_members.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_encrypted

Search events based on db_encrypted.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_engine

Search events based on db engine.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_engine_license_model

Search events based on db_engine_license_model.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_engine_version

Search events based on db_engine_version.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_hosted_zone_id

Search events based on db_hosted_zone_id.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_instance_type

Search events based on db instance type.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_resource_id

Search events based on db_resource_id.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_security_group

Search events based on db_security_group.

string

eq,=,==,neq,!=,like,~,notlike,!~

db_table

Search events based on db_table.

string

eq,=,==,neq,!=,like,~,notlike,!~

description

Description about this event.

string

eq,=,==,neq,!=,like,~,notlike,!~

dest_ip

Search events based on destination IP.

string

eq,=,==,neq,!=,like,~,notlike,!~

dest_ip_country

Search events based on destination IP country.

string

eq,=,==,neq,!=,like,~,notlike,!~

dest_ip_latitude

Search events based on destination IP latitude.

float

eq,=,==,neq,!=,gt,>,gte,>=,lt

dest_ip_location

Search events based on destination IP location.

string

eq,=,==,neq,!=,like,~,notlike,!~

dest_ip_longitude

Search events based on destination IP longitude.

float

eq,=,==,neq,!=,gt,>,gte,>=,lt

dest_ip_region

Search events based on destination IP region.

string

eq,=,==,neq,!=,like,~,notlike,!~

dest_ip_zipcode

Search events based on destination IP zipcode.

string

eq,=,==,neq,!=,like,~,notlike,!~

dest_mac

Search events based on destination MAC address.

string

eq,=,==,neq,!=,like,~,notlike,!~

dest_port

Search events based on destination port.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

detection_engine

Search alerts for the given detection engine.

string

eq,=,==,neq,!=,like,~,notlike,!~

device

Search for events from a specific device.

Event Type: Application, Page, Alert

Ex: device eq Windows

Search for users using Dropbox from iOS device:

device eq iOS and app eq Dropbox

Search for events to verify if MacOS traffic is redirected through Secure Forwarder:

device eq Macintosh and access_method eq 'Secure Forwarder'

string

eq,ne

device_classification

How the device has been classified.

Event Type: Application, Alert.

Ex: device_classification eq managed

string

eq,=,==,neq,!=,like,~,notlike,!~

device_classification_status

This variable holds device classification status.

Ex: device_classification_status eq 0

Use '0' for "managed", '1' for "unmanaged", '2' for "unknown", '3' for "not configured".

integer

eq,=,==

device_id

This variable holds the device ID.

string

eq,=,==,like,notlike

device_name

This is the name of the device from which the metric came.

string

null

direction

Search events based on direction.

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_action

Search events for a specific DLP profile.

Ex: dlp_action = alert

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_file

Search events for DLP violation file that matches the content.

Ex: dlp_file = credit_card_data.doc

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_fingerprint_classification

Search events for DLP fingerprint classification within the profile that matches the content.

Ex: dlp_fingerprint_classification = Finance

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_fingerprint_match

Search events for DLP fingerprint file within the profile that matches the content.

Ex: dlp_fingerprint_match = finance_report.doc

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_fingerprint_score

Search events for DLP fingerprint score within the profile that matches the content.

Ex: dlp_fingerprint_score > 10

integer

eq,neq,gt,>,gte,>=,lt

dlp_incident_id

Search events for a specific dlp incident ID.

Ex: dlp_incident_id eq <incident ID number>

integer

eq,=,==,neq,!=

dlp_match_info

DLP match identifier details.

dictionary

eq,neq,in,notin

dlp_parent_id

Search events for a specific DLP parent incident ID.

Ex: dlp_parent_id eq <parent ID number>

integer

eq,=,==,neq,!=

dlp_policy

Search events for a specific DLP policy.

Ex: dlp_policy = PII-Policy

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_profile

Search events for a specific DLP profile applied to the content.

Event Type: Application, Alert.

Ex: dlp_profile = dlp-pci

Search for PCI-related DLP violations on Dropbox:

app eq Dropbox and dlp_profile eq dlp-pci

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_profile_name

Search events for a specific DLP profile.

Ex: dlp_profile_name = dlp-pci

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_rule

Search events for a DLP rule within the profile that matches the content.

Event Type: Application, Alert.

Ex: dlp_rule = cc_num

Search for social security number-related DLP violations:

dlp_rule eq 'SSN (No Delimiter)'

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_rule_count

Search events by the number of DLP rules that matched the content.

Event Type: Application, Alert.

Ex: dlp_rule_count = 10

integer

eq,neq,gt,>,gte,>=,lt

dlp_rule_name

Search events for a specific DLP rule.

Ex: dlp_rule_name = Name-SSN

string

eq,=,==,neq,!=,like,~,notlike,!~

dlp_rule_severity

Search events for a DLP rule that matches the severity level.

Ex: dlp_rule_severity = high

string

eq,=,==,neq,!=,like,~,notlike,!~

domain

Search for a specific domain.

string

eq,=,==,neq,!=

domain_membership

Search events based on domain membership.

string

eq,=,==,neq,!=,like,~,notlike,!~

download_app

Search events where data was downloaded from a specific cloud app.

string

eq,=,==,neq,!=

dst_country

Search events for a specific destination country.

Event Type: Application, Page, Alert.

Ex: dst_country = US,

dst_country eq RU and src_country eq US

string

eq,=,==,neq,!=,like,~,notlike,!~

dst_latitude

Search events for a specific destination latitude.

Event Type: Application, Page, Alert.

Ex: dst_latitude > 0

float

eq,=,gt,>,gte,>=,lt

dst_location

Search events for a specific destination location.

Event Type: Application, Page, Alert.

Ex: dst_location = 'San Jose'

string

eq,=,==,neq,!=,like,~,notlike,!~

dst_longitude

Search events for a specific destination longitude.

Event Type: Application, Page, Alert.

Ex: dst_longitude > 0

float

eq,=,gt,>,gte,>=,lt

dst_region

Search events for a specific destination state.

Event Type: Application, Page, Alert.

Ex: dst_region eq GA

string

eq,=,==,neq,!=,like,~,notlike,!~

dst_zipcode

Search events for a specific zip code.

Event Type: Application, Page, Alert.

Ex: dst_zipcode eq 94043

string

eq,=,==,neq,!=,like,~,notlike,!~

dsthost

Destination host name.

Event Type: Application, Page, Alert.

string

eq,=,==,neq,!=,like,~,notlike,!~

dstip

Search events for a specific destination IP address.

Event Type: Application, Page, Alert.

Ex: dstip eq 192.0.2.1

string

eq,=,==,neq,!=,like,~,notlike,!~

dstport

Search events for a specific destination port.

Event Type: Application, Page, Alert.

Ex: dstport = 443

integer

eq,=,==,neq,!=

email_source

The source of the email used in finding compromised credentials.

string

eq,=,==,neq,!=

encrypt_failure

Failure while encrypting a file.

string

eq,=,==,neq,!=,like,~,notlike,!~

encryption_service_key

Search events based on encryption service key.

string

eq,=,==,neq,!=,like,~,notlike,!~

enterprise

Enterprise name.

string

eq,=,==,neq,!=

event_permission

Search events based on event permission.

string

eq,=,==,neq,!=,like,~,notlike,!~

event_permission_granted

Search events based on event permission granted (true/false).

boolean

neq,eq,=,==,!=

events.actor

This variable holds the actor of the event.

Ex: events.actor eq 0

Use '0' for "User", '1' for "Admin", '2' for "System".

integer

eq,=,==

events.event

This variable holds the event type.

Ex: events.event eq 0

Use '0' for "Installed", '1' for "Tunnel Up", '2' for "Tunnel Down", '3' for "Tunnel down due to secure forwarder", '4' for "Tunnel down due to config error", '5' for "Tunnel down due to error", '6' for "User Disabled", '7' for "User Enabled", '8' for "Admin Disabled", '9' for "Admin Enabled", '10' for "Uninstalled", '11' for "Installation Failure", '12' for "Tunnel down due to GRE", '13' for "Tunnel down due to Data Plane on-premises", '14' for "Change in network", '15' for "System shutdown", '16' for "System power-up".

integer

eq,=,==,like,~,notlike,!~

events.npa_status

This variable holds the Secure Access tunnel status of the last event.

Ex: events.npa_status eq 0

Use '0' for "Disabled", '1' for "Allowed", '2' for "Enabled", '4' for "Connected", '6' for "Disconnected".

integer

eq,=,==

events.status

This variable holds the status of the event.

Ex: events.status eq 0

Use '0' for "Disabled", '1' for "Enabled", '2' for "Uninstalled".

integer

eq,=,==

events.timestamp

The time the event is generated.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

eventtype

Search events based on event type.

string

eq,=,==,neq,!=,like,~,notlike,!~

exposure

Search for files with a specific exposure, like external.

string

eq,=,==,neq,!=,like,~,notlike,!~

external_collaborator_count

Number of external collaborators.

integer

eq,=,gt,gte,lt,lte

false_positive

Search for alerts that have been acknowledged or not.

Ex: acked eq true/false

TRUE

eq,=,==,neq,!=,like,~,notlike,!~

file_lang

File language attribute of relevant object.

string

eq,=,==,neq,!=,like,~,notlike,!~

file_password_protected

Search for events that have file_password_protected attribute set to yes.

string

eq,=,==,neq,!=

file_path

File path attribute of relevant object.

string

eq,=,==,neq,!=,like,~,notlike,!~

file_size

File size attribute of relevant object.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

file_type

File type attribute of relevant object.

string

eq,=,==,neq,!=,like,~,notlike,!~

first_accessed

Search for the first-seen time of an app.

integer

gte,lte,from,to

from_object

Search events for activities where the user is performing activities between two objects, like moving files between folders.

Event Type: Application, Alert

Ex: from_object eq Folder1

string

eq,=,==,neq,!=,like,~,notlike,!~

from_user

Search events for activities based on login IDs for cloud apps.

Event Type: Application, Alert

Ex: from_user like john,

from_user = john and activity eq Download

string

eq,=,==,neq,!=,like,~,notlike,!~

from_user_category

Search whether the inviting user is external or internal.

Ex: from_user_category like Internal

string

eq,=,==,neq,!=,like,~,notlike,!~

gateway

Search events from a specific gateway name or address.

string

eq,=,==,neq,!=,like,~,notlike,!~

heartbeat_status

Get the heartbeat status. Use 0 = active, 1 = inactive.

integer

eq,=,==,neq,!=

heartbeat_status_since

Time stamp since when in heartbeat_status state.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

host_info.device_make

Search for devices from a specific make.

Ex: device_make = Apple

string

eq,=,==

host_info.device_model

Search for devices from a specific model.

Ex: device_model = 'Macbook Pro'

string

eq,=,==

host_info.hostname

Search for devices with a specific host name.

string

eq,=,==,like,notlike

host_info.managementID

Search for devices with a specific management ID.

string

eq,=,==

host_info.nsdeviceuid

Search for devices with a specific nsdeviceuid.

string

eq,=,==

host_info.os

Search for events from a specific operating system.

Ex: host_info.os eq 0

Use 0 for Windows, 1 for Mac, 2 for iOS, 3 for Android, 4 for Windows Server.

integer

eq,=,==,neq,!=,like,~,notlike,!~

host_info.os_version

This variable holds the value of host OS version.

string

eq,=,==,neq,!=,like,~,notlike,!~

hostname

Search for events from a specific device hostname.

string

eq,=,==,neq,!=,like,~,notlike,!~

http_transaction_count

Search for HTTP transaction count.

Event Type: Alert.

Ex: http_transaction_count gt 4

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

http_user_agent

Search events based on HTTP user agent.

string

eq,=,==,neq,!=,like,~,notlike,!~

iaas_asset_tags.name

Search alerts for the given iaas_asset_tags.name.

string

eq,=,==,neq,!=,like,~,notlike,!~

iaas_asset_tags.value

Search alerts for the given iaas_asset_tags.value.

string

eq,=,==,neq,!=,like,~,notlike,!~

iaas_remediated

Search alerts for existence of the iaas_remediated field.

string

eq,=,==,neq,!=

iam_access_key

Search events based on IAM access key.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_authentication_enabled

Search events based on iam_authentication_enabled.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_group

Search events based on IAM Group.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_identity_type

Search events based on IAM identity type.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_owner

Search events based on IAM owner.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_principal

Search events based on IAM principal.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_session

Search events based on IAM session.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_session_issuer_data.accountId

Search events based on IAM session account ID.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_session_issuer_data.arn

Search events based on IAM ARN.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_session_issuer_data.principalId

Search events based on IAM session principal ID.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_session_issuer_data.type

Search events based on IAM session issuer data type.

string

eq,=,==,neq,!=,like,~,notlike,!~

iam_session_mfa

Search events based on IAM session MFA.

boolean

eq,=,==,neq,!=

iam_session_name

Search events based on IAM session name.

string

eq,=,==,neq,!=,like,~,notlike,!~

id

The ID of the event.

integer

eq,=,==,neq,!=,like,~,notlike,!~

inactive_since

Timestamp since which the Client has been inactive.

integer

lte

incident_id

Search for a specific incident ID.

Ex: incident_id eq <ID>

integer

eq,=,==,neq,!=

inline_action

Search for the inline action applied to the user's activity, like Block, Bypass, Alert.

string

eq,=,==,neq,!=,like,~,notlike,!~

inline_dlp_profile_name

Search events for a specific inline DLP profile.

Ex: inline_dlp_profile_name = dlp-pci

string

eq,=,==,neq,!=,like,~,notlike,!~

inline_dlp_rule_name

Search events for a specific inline DLP rule.

Ex: inline_dlp_rule_name = Name-SSN

string

eq,=,==,neq,!=,like,~,notlike,!~

inline_policy

Search for events that triggered a specific inline policy.

Ex: inline_policy eq 'Cloud storage Policy'

string

eq,=,==,neq,!=,like,~,notlike,!~

instance

Search events based on the name of the app instance.

string

eq,=,==,neq,!=,like,~,notlike,!~

instance_id

Search events based on the app instance. Some cloud apps have multiple instances active at the same time, for example an organization's enterprise Salesforce.com instance. Use this field to query events for a specific instance ID.

Event Type: Application, Alert.

Ex for Salesforce:

app eq Salesforce.com and instance_id eq <instance-id>

string

eq,=,==,neq,!=,like,~,notlike,!~

instance_name

Search events based on the name of the app instance.

string

eq,=,==,neq,!=,like,~,notlike,!~

instance_type

Search events based on the instance type of the app.

Ex: instance_type eq Server

string

eq,=,==,neq,!=,like,~,notlike,!~

internal_collaborator_count

Number of internal collaborators.

integer

eq,=,gt,gte,lt,lte

internet_gateway

Search events based on internet gateway.

string

eq,=,==,neq,!=,like,~,notlike,!~

ip_allocation

Search events based on IP allocation.

string

eq,=,==,neq,!=,like,~,notlike,!~

ip_association

Search events based on IP association.

string

eq,=,==,neq,!=,like,~,notlike,!~

ip_forwarding

Search events based on IP forwarding.

boolean

eq,=,==,neq,!=

J

justification_reason

Search user justification reason for policy violation action.

string

eq,=,==,neq,!=,like,~,notlike,!~

justification_type

Search the user justification type for a policy violation action.

string

eq,=,==,neq,!=,like,~,notlike,!~

L

last_app

The last app this user was seen using for this anomaly type prior to the generation of this anomaly.

string

eq,=,==,neq,!=,like,~,notlike,!~

last_country

The last country this user was seen in prior to the generation of this anomaly.

string

eq,=,==,neq,!=,like,~,notlike,!~

last_device

The last device used prior to the generation of this anomaly.

string

eq,=,==,neq,!=,like,~,notlike,!~

last_event_timestamp

The time the last event was generated.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

last_event.actor

The actor of the last event.

Ex: last_event.actor eq 0

Use 0 for User, 1 for Admin, 2 for System.

integer

eq,=,==

last_event.event

The type of the last Client event.

Ex: last_event.event eq 0

Use '0' for Installed,

'1' for Tunnel Up,

'2' for Tunnel Down,

'3' for Tunnel down due to secure forwarder,

'4' for Tunnel down due to config error,

'5' for Tunnel down due to error,

'6' for User Disabled,

'7' for User Enabled,

'8' for Admin Disabled,

'9' for Admin Enabled,

'10' for Uninstalled,

'11' for Installation Failure,

'12' for Tunnel down due to GRE,

'13' for Tunnel down due to Data Plane on-premises,

'14' for Change in network,

'15' for System shutdown,

'16' for System power-up

integer

eq,=,==,like,~,notlike,!~

last_event.npa_status

The Secure Access tunnel status of the last event.

Ex: last_event.npa_status eq 0

Use 0 for Disabled, 1 for Allowed, 2 for Enabled, 4 for Connected, 6 for Disconnected.

integer

eq,=,==

last_event.status

The status of the last event.

Ex: last_event.status eq 0

Use 0 for Disabled, 1 for Enabled, 2 for Uninstalled.

integer

eq,=,==

last_event.timestamp

The time the last event was generated.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

last_location

The last location this user was seen in prior to the generation of this anomaly.

string

eq,=,==,neq,!=,like,~,notlike,!~

last_region

The last region this user was seen in prior to the generation of this anomaly.

string

eq,=,==,neq,!=,like,~,notlike,!~

last_timestamp

The timestamp corresponding to the user's last non-anomalous activity prior to the generation of this anomaly.

string

eq,=,==,neq,!=,like,~,notlike,!~

latency_max

Search events based on the max latency values from proxy to app in milliseconds.

Event Type: Page.

Ex: latency_max > 200,

app = 'Salesforce.com' and src_country != US and latency_max gt 500

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

latency_min

Search events based on the min latency values from proxy to app in milliseconds.

Event Type: Page

Ex: latency_min > 200

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

latency_total

Search events based on the total latency values from proxy to app in milliseconds.

Event Type: Page.

Ex: latency_total gt 200

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

lh_fileid

Search events for a specific file identified by the unique ID assigned by the app chosen for the legal hold copy.

string

eq,=,==,neq,!=,like,~,notlike,!~

local_md5

MD5 checksum of relevant object.

string

eq,=,==,neq,!=

log_file_name

The file name of the log.

string

eq,=,==,neq,!=,like,~,notlike,!~

M

malsite_id

The hash of the malicious site URL.

string

eq,=,==,neq,!=,like,~,notlike,!~

malware_id

This variable holds value for malware ID.

string

eq,=,==,neq,!=,like,~,notlike,!~

malware_name

This variable holds value for malware name.

string

eq,=,==,neq,!=,like,~,notlike,!~

malware_severity

This variable holds value for malware severity.

string

eq,=,==,neq,!=,like,~,notlike,!~

malware_type

This variable holds value for malware type.

string

eq,=,==,neq,!=,like,~,notlike,!~

managed_app

App managed by Netskope.

string

eq,=,==,neq,!=,like,~,notlike,!~

managementID

Search events for a specific device management ID.

string

eq,=,==,neq,!=

matched_username

The email address that was compromised.

string

eq,=,==,neq,!=,like,~,notlike,!~

md5

MD5 checksum of relevant object.

string

eq,=,==,neq,!=

metric_name

Indicates the name of the metric (Storage-1a, Auth_proxy_status, etc.)

string

eq,=,==,neq,!=,like,~,notlike,!~

metric_type

Indicates the type of the metric (boolean, gauge, counts, etc.).

string

eq,=,==,neq,!=,like,~,notlike,!~

mime_type

Mimetype attribute of relevant object.

string

eq,=,==,neq,!=,like,~,notlike,!~

modified

Modification time of relevant object.

string

eq,=,==,neq,!=,like,~,notlike,!~

module

The module that generates the event.

string

eq,=,==,neq,!=,like,~,notlike,!~

monitoring_interval

Search events based on monitoring interval.

string

eq,=,==,neq,!=,like,~,notlike,!~

multi_zone_support

Search events based on multi_zone_support.

string

eq,=,==,neq,!=,like,~,notlike,!~

N

network

Search events based on network.

Event Type: Page

Ex: network eq NET24:172.16.168.0

string

eq,=,==,neq,!=,like,~,notlike,!~

network_acl

Search events based on network ACL.

string

eq,=,==,neq,!=,like,~,notlike,!~

network_config

Search events based on network config.

string

eq,=,==,neq,!=,like,~,notlike,!~

network_interface

Search events based on network interface.

string

eq,=,==,neq,!=,like,~,notlike,!~

network_interface_requester_id

Search events based on network_interface_requester_id.

string

eq,=,==,neq,!=,like,~,notlike,!~

network_interface_status

Search events based on network_interface_status.

string

eq,=,==,neq,!=,like,~,notlike,!~

network_security_group

Search events based on network security group.

string

eq,=,==,neq,!=,like,~,notlike,!~

nsdeviceuid

Search events for a specific nsdeviceuid.

string

eq,=,==,neq,!=

numbytes

Search for the total number of bytes transmitted for the connection.

Ex: numbytes > 100

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

O

oauth

Search events where a login was performed by a third-party app using the OAuth facility provided by the cloud app.

string

eq,=,==,neq,!=,like,~,notlike,!~

obj_status

Search events for a specific obj_status field.

Ex: obj_status != deleted

string

eq,=,==,neq,!=,like,~,notlike,!~

object

Search events for a specific object name. Object name displays the actual filename, folder name, report name, document name, etc.

Event Type: Alert.

Ex: object like xls

Search for users sharing Excel files; the individual file names appear under this object:

activity eq Share and object_type eq File and object ~ xls

Search for users downloading medical records:

activity eq Download and object ~ 'Medical Record'

string

eq,=,==,neq,!=,like,~,notlike,!~

object_count

The number of objects on which the operation was performed.

string

eq,=,==,neq,!=,like,~,notlike,!~

object_id

Search events for a specific object ID (an activity-specific value).

Event Type: Alert.

Ex: object_id = f_12787234

string

eq,=,==,neq,!=,like,~,notlike,!~

object_type

Search events for a specific object type such as file, folder, report, document, message, etc.

Event Type: Alert

Ex: object_type eq file

Search for all files shared by users, including the file names:

activity eq share and object_type eq File

Search for all the downloads from Salesforce.com of type file. This will also show the file names:

app eq Salesforce.com and activity eq Download and object_type eq File

Search for users who accessed files on GitHub. This will also show the file names:

app eq GitHub and activity eq View and object_type eq File

string

eq,=,==,neq,!=,like,~,notlike,!~

offending_entry

Contains offending snippet from traffic.

Ex: email that matches a constraints profile

string

eq,=,==,neq,!=,like,~,notlike,!~

offending_ip

Contains offending IP that matches a network location object.

string

eq,=,==,neq,!=,like,~,notlike,!~

openid

Search events where a login was performed by a third-party app using the OpenID facility provided by the cloud app.

string

eq,=,==,neq,!=,like,~,notlike,!~

org

Search for events from a specific organization. Organization name is derived from user ID.

Event Type: Application, Page, Alert.

Ex: org eq 'netskope.com'

string

eq,=,==,neq,!=,like,~,notlike,!~

organization_unit

Search for events from a specific organization unit.

Organization name is derived from user ID.

Ex: organization_unit eq 'netskope.com'

string

eq,=,==,neq,!=,like,~,notlike,!~,startswith

origin

Search for events from specific log sources for log uploads. Administrators can upload firewall and proxy logs to the Netskope tenant instance for passive monitoring of traffic; the Netskope log watcher parses them to detect which cloud apps users are using.

Event Type: Page

Ex: origin like Gateway,

origin like firewall,

origin like proxy

string

eq,=,==,neq,!=,like,~,notlike,!~

os

Search for events from a specific Operating System (OS).

Event Type: Application, Page, Alert.

Ex: os = Windows,

os eq Mavericks or os eq iOS

Search for events from Macintosh not running enterprise approved OS:

device eq Macintosh and os neq Mavericks

string

eq,=,==,neq,!=,like,~,notlike,!~

os_version

Search for a specific OS version.

string

eq,=,==,neq,!=

owner

User who owns this object.

string

eq,=,==,neq,!=,like,~,notlike,!~

P

packets

Search events based on number of packets.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

page

Search for a specific page.

string

eq,=,==,neq,!=

page_duration

Search for page duration.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

page_endtime

Search for page end time.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

page_id

Search for page ID.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

page_starttime

Search for page start time.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

parent_id

Search events by the ID of the folder to which a file has been moved or copied.

string

eq,=,==,neq,!=,like,~,notlike,!~

pathId

Search for a specific file ID.

Ex: pathId eq <ID>

string

eq,=,==,neq,!=

policy

Search for events that triggered a specific policy.

Ex: policy eq 'Cloud storage Policy'

string

eq,=,==,neq,!=,like,~,notlike,!~

policy_action

Search events based on policy action.

string

eq,=,==,neq,!=,like,~,notlike,!~

policy_effect

Search events based on policy effect.

string

eq,=,==,neq,!=,like,~,notlike,!~

policy_resource

Search events based on policy resource.

string

eq,=,==,neq,!=,like,~,notlike,!~

policy_resource_id

Search events based on policy resource ID.

string

eq,=,==,neq,!=,like,~,notlike,!~

policy_string

Search events based on Policy.

string

eq,=,==,neq,!=,like,~,notlike,!~

port

Search events based on port.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

port_range_end

Search events based on port_range_end.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

port_range_start

Search events based on port_range_start.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

privilege

Search events for user account privilege details.

string

eq,=,==,neq,!=,like,~,notlike,!~

protocol

Search events based on protocol.

string

eq,=,==,neq,!=,like,~,notlike,!~

public_access

Search events based on public_access.

string

eq,=,==,neq,!=,like,~,notlike,!~

Q

quarantine_action_reason

Search events for a specific action (allow/block) applied to the content based on quarantine approver (admin) decision.

string

eq,=,==,neq,!=,like,~,notlike,!~

quarantine_failure

Search events for a quarantine failure while transferring the content to the app chosen for quarantining.

string

eq,=,==,neq,!=,like,~,notlike,!~

quarantine_file_id

Search events for a specific file identified by a unique ID assigned by the app chosen for quarantining the file.

string

eq,=,==,neq,!=,like,~,notlike,!~

quarantine_profile

Search events for a specific quarantine profile applied to the content.

Ex: quarantine_profile = quarantine-pf1

string

eq,=,==,neq,!=,like,~,notlike,!~

R

redirect_url

Search events for the URL to which a cloud app redirected after login when used with tools such as OAuth.

string

eq,=,==,neq,!=,like,~,notlike,!~

referer

Search the referer URL associated with an activity in a cloud app.

string

eq,=,==,neq,!=,like,~,notlike,!~

region

Search events based on region.

string

eq,=,==,neq,!=,like,~,notlike,!~

region_id

Search events based on region ID.

string

eq,=,==,neq,!=,like,~,notlike,!~

region_name

Search IaaS assets and events for the given region name.

string

eq,=,==,neq,!=,like,~,notlike,!~

req_cnt

Search events based on the number of HTTP requests over one underlying TCP connection.

Ex: req_cnt > 10

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

resource_category

Search events based on the resource category, like user, IAM, etc.

string

eq,=,==,neq,!=,like,~,notlike,!~

resource_label

Search events based on resource label.

string

eq,=,==,neq,!=,like,~,notlike,!~

resource_label_account

Search events based on account label.

string

eq,=,==,neq,!=,like,~,notlike,!~

resource_label_network_security_group

Search events based on network security group label.

string

eq,=,==,neq,!=,like,~,notlike,!~

resource_label_policy

Search events based on policy label.

string

eq,=,==,neq,!=,like,~,notlike,!~

resource_label_subnet

Search events based on subnet label.

string

eq,=,==,neq,!=,like,~,notlike,!~

resource_type

Search events based on resource type.

string

eq,=,==,neq,!=,like,~,notlike,!~

resp_cnt

Search events based on the number of HTTP responses over one underlying TCP connection.

Ex: resp_cnt > 10

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

retention_period_backup

Search events based on retention_period_backup.

string

eq,=,==,neq,!=,like,~,notlike,!~

retro_scan_name

Filter by retro scan name.

Event Type: Application, Alert.

Ex: retro_scan_name = 'Retro_Scan_onedrive_sumoskope_20180827',

retro_scan_name eq 'Retro_Scan_onedrive_sumoskope_20180827' or retro_scan_name eq 'Retro_Scan_box_ENG51457TEST_20180827'

string

eq,=,==,neq,!=,like,~,notlike,!~

role

Search for user roles like owner, editor, etc.

Ex: role eq Editor

string

eq,=,==,neq,!=,like,~,notlike,!~

role_create_date

Filter events based on role creation date.

string

eq,=,==,neq,!=,like,~,notlike,!~

role_id

Search events based on Role ID.

string

eq,=,==,neq,!=,like,~,notlike,!~

role_policy_document

Search events based on role policy document.

string

eq,=,==,neq,!=,like,~,notlike,!~

route

Search events based on route.

string

eq,=,==,neq,!=,like,~,notlike,!~

rule_number

Search events based on rule number.

string

eq,=,==,neq,!=,like,~,notlike,!~

S

sa_profile_name

Search alerts based on the sa_profile_name value.

integer

eq,=,==,neq,!=,like,~,notlike,!~,gt,>,gte,>=,lt

sa_rule_name

Search alerts based on the sa_rule_name value.

integer

eq,=,==,neq,!=,like,~,notlike,!~,gt,>,gte,>=,lt

sa_rule_severity

Search alerts based on the sa_rule_severity value.

Ex: sa_rule_severity eq 'Low'

string

eq,=,==,neq,!=,like,~,notlike,!~,in

scan_type

Whether the event was generated during a retroactive scan or by new ongoing activity.

string

eq,=,==,neq,!=

security_issue

Search events about any security issues associated with the SaaS app.

string

eq,=,==,neq,!=,like,~,notlike,!~

serial

The device serial number from which the metric came.

string

eq,=,==,neq,!=,like,~,notlike,!~

server_bytes

Search events based on bytes transferred from server to client.

Event Type: Page.

Ex: server_bytes > 800

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

service_invoking_event

Search events based on service invoking event.

string

eq,=,==,neq,!=,like,~,notlike,!~

severity

Search by incident severity.

string

eq,=,==,neq,!=,like,~,notlike,!~

severity_level

Search events for a specific severity level. The enumeration follows the syslog severity levels, though not all of them are used (only 1, 2, 4 and 6).

Event Type: Audit.

Ex: severity_level eq 1

integer

eq,=,==,neq,!=,like,~,notlike,!~

shared

File sharing attributes of relevant object.

string

eq,=,==,neq,!=

shared_domains

Comma-separated shared domains of a file.

string

eq,=,==,neq,!=,like,~,notlike,!~

shared_with

Comma-separated shared users of a file.

string

eq,=,==,neq,!=,like,~,notlike,!~

sharedType

Exposure of file in filemeta.

string

eq,=,==,neq,!=,like,~,notlike,!~

site

Search for specific site.

Event Type: Alert.

Ex: site eq NY

string

eq,=,==,neq,!=,in,not_in

src_account

Search events based on source account.

Event Type: Application, Page, Alert.

string

eq,=,==,neq,!=,like,~,notlike,!~

src_country

Search events from a specific source country.

Event Type: Application, Page, Alert.

Ex: src_country eq IN,

src_country eq US and dst_country eq US

string

eq,=,==,neq,!=,like,~,notlike,!~

src_host

Search events based on source host.

Event Type: Application, Page, Alert.

string

eq,=,==,neq,!=,like,~,notlike,!~

src_ip

Search events based on source IP.

Event Type: Application, Page, Alert

string

eq,=,==,neq,!=,like,~,notlike,!~

src_ip_country

Search events based on source IP country.

Event Type: Application, Page, Alert.

string

eq,=,==,neq,!=,like,~,notlike,!~

src_ip_latitude

Search events based on source IP latitude.

Event Type: Application, Page, Alert.

Ex: src_ip_latitude > 0

float

eq,=,==,neq,!=,gt,>,gte,>=,lt

src_ip_location

Search events based on source IP location. The search option presents the narrowed down list of options as you type in the name.

Event Type: Application, Page, Alert.

Ex: src_country eq US and src_ip_location eq 'Mountain View'

string

eq,=,==,neq,!=,like,~,notlike,!~

src_ip_longitude

Search events based on source IP longitude.

Event Type: Application, Page, Alert.

Ex: src_ip_longitude > 0

float

eq,=,==,neq,!=,gt,>,gte,>=,lt

src_ip_region

Search events based on source IP region.

Event Type: Application, Page, Alert.

Ex: src_country eq US and src_ip_region eq CA

string

eq,=,==,neq,!=,like,~,notlike,!~

src_ip_zipcode

Search events based on source IP zipcode.

Event Type: Application, Page, Alert.

Ex: src_ip_zipcode eq 94043

string

eq,=,==,neq,!=,like,~,notlike,!~

src_location

Search events from a specific source city.

Event Type: Application, Page, Alert.

Ex: src_location eq 'San Francisco'

string

eq,=,==,neq,!=,like,~,notlike,!~

src_port

Search events based on source port.

Event Type: Application, Page, Alert.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

src_region

Search events from a specific source state or region.

Event Type: Application, Page, Alert.

Ex: src_region eq CA

string

eq,=,==,neq,!=,like,~,notlike,!~

src_timezone

Search events for a specific timezone.

Event Type: Application, Page, Alert.

string

eq,=,==,neq,!=

src_zipcode

Search for events from a specific source zipcode.

Event Type: Application, Page, Alert.

Ex: src_zipcode eq 94043

string

eq,=,==,neq,!=,like,~,notlike,!~

srcip

Search events from a specific source IP address.

Event Type: Application, Page, Alert.

Ex: srcip eq 192.0.2.1

string

eq,=,==,neq,!=,like,~,notlike,!~

ssl_decrypt_policy

Search for traffic bypassed by Netskope due to an SSL Decrypt Policy hit.

string

eq,=,==,neq,!=

status

Status of the event, like new, in-progress, or closed.

string

eq,=,==,neq,!=,like,~,notlike,!~

status_type

Search events based on status type.

string

eq,=,==,neq,!=,like,~,notlike,!~

storage_service_bucket

Search events based on storage service bucket.

string

eq,=,==,neq,!=,like,~,notlike,!~

storage_service_object

Search events based on storage service object.

string

eq,=,==,neq,!=,like,~,notlike,!~

storage_type

Search events based on storage type.

string

eq,=,==,neq,!=,like,~,notlike,!~

subnet

Search events based on subnet.

string

eq,=,==,neq,!=,like,~,notlike,!~

T

tag

Search events based on video related keywords.

string

eq,=,==,neq,!=,like,~,notlike,!~

team

Search for events specific to a team in Slack.

string

eq,=,==,neq,!=,like,~,notlike,!~

telemetry_app

Search telemetry app associated with an activity in a cloud app.

string

eq,=,==,neq,!=,like,~,notlike,!~

timer_metric_value

Represents a timer metric value.

string

eq,=,==,neq,!=,like,~,notlike,!~

timestamp

The time the event is generated. Timestamp is in Epoch Time format.

Event Type: Application, Page, Audit, Infrastructure, Alert.

Ex: timestamp gt 1597449600

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

title

Name of the file in filemeta.

string

eq,=,==,neq,!=,like,~,notlike,!~

to_object

Search events where the user performs an activity between two objects, like moving files between folders. This field is visible only for events that involve a user activity between two objects.

Event Type: Application, Alert.

Ex: to_object like Folder1,

activity eq Edit and to_object like Folder1

string

eq,=,==,neq,!=,like,~,notlike,!~

to_user

Search events based on the destination user IDs. This field is visible only for events where a user is transacting with another user such as sharing a file, sharing a folder, etc.

Event Type: Application, Alert.

Ex: to_user like Adam

Search for all the user names inside the organization with whom the file was shared:

app eq Dropbox and activity eq Share and to_user ~ netskope

string

eq,=,==,neq,!=,like,~,notlike,!~

to_user_category

Search whether the invited user is internal or external.

string

eq,=,==,neq,!=,like,~,notlike,!~

total_collaborator_count

Total number of collaborators.

integer

eq,=,gt,gte,lt,lte

traffic_type

Search for specific traffic type. There are two types of traffic: Web and CloudApp.

Event Type: Alert.

Ex: traffic_type eq Web

string

eq,=,==,neq,!=

transaction_id

Search for events with specific transaction ID.

Ex: transaction_id eq <ID>

integer

eq,=,==,neq,!=

trigger

Search for events for specific activity, like Upload.

string

eq,=,==,neq,!=,like,~,notlike,!~

trigger_val

Search for events for specific activity value, like File Name.

string

eq,=,==,neq,!=,like,~,notlike,!~

trigger_var

Search for events for specific activity name, like File.

string

eq,=,==,neq,!=,like,~,notlike,!~

trust_computer_checked

Search events where trust computer option is checked along with two factor authentication for logging into a cloud app.

string

eq,=,==,neq,!=,like,~,notlike,!~

tunnel_id

Search events for a specific connection ID.

string

eq,=,==

two_factor_auth

Search events where a login has been performed using two factor authentication.

string

eq,=,==,neq,!=,like,~,notlike,!~

type

Search for a connection type event or an application event. Application events are triggered for user actions inside the cloud app. Application events are of type nspolicy. You can also switch between page and application events from the dropdown displayed on the SkopeIT page.

Event Type: Application, Page, Audit, Alert.

Ex: type eq connection,

type eq page,

type eq nspolicy

string

eq,=,==,neq,!=,like,~,notlike,!~

U

universal_connector

Search events about detection source, like App Connector or Universal Connector.

string

eq,=,==,neq,!=,like,~,notlike,!~

ur_normalized

Search events for a specific ur_normalized value.

Ex: ur_normalized eq john@abc.com

string

eq,=,==,neq,!=,like,~,notlike,!~,in,not_in

url

Search for the URL accessed by a user.

Event Type: Alert.

Ex: url eq http://www.example.com

string

eq,=,==,neq,!=,like,~,notlike,!~

Url2Activity

Search specific SkopeIT events for uploaded logs.

string

eq,=,==,neq,!=,like,~,notlike,!~

user

Search events for a specific user.

Event Type: Application, Page, Audit, Alert.

Ex: user eq john@abc.com

Search for user with IP address 192.0.2.1:

user eq 192.0.2.1

Search for events from username that contains john for the Dropbox app:

user ~ john and app eq Dropbox

Search for events from user john@abc.com for the Dropbox app:

user eq john@abc.com and app eq Dropbox

Search for events for all users from adam to john:

user from adam to john

string

eq,=,==,neq,!=,like,~,notlike,!~,in,not_in

user_added_time

The time the user is added.

integer

eq,=,==,neq,!=,gt,>,gte,>=,lt

user_category

Search whether the user is internal or external.

Ex: user_category eq Internal

string

eq,=,==,neq,!=,like,~,notlike,!~

user_full

Search events based on user_full.

string

eq,=,==,neq,!=,like,~,notlike,!~

user_generated

Search for events for user generated page events.

string

eq,=,==,neq,!=,like,~,notlike,!~

user_groups

When a user group is searched, this includes every user within the group.

Ex: user_groups eq 'local_group'

string

eq,=,==,neq,!=,like,~,notlike,!~

user_info.last_event.npa_status

The Secure Access tunnel status of the last event.

Ex: user_info.last_event.npa_status eq 0

Use 0 for Disabled, 1 for Allowed, 2 for Enabled, 4 for Connected, 6 for Disconnected.

integer

eq,=,==

user_password_breached

Whether the user's credential has been found to be compromised. Possible values are 'yes' or 'no'.

string

eq,=,==,neq,!=

user_resource_id

Search events based on user resource ID.

string

eq,=,==,neq,!=,like,~,notlike,!~

user_role

Search for user role like admin, coadmin, etc.

Ex: user_role eq Admin

string

eq,=,==,neq,!=,like,~,notlike,!~

user_source

User source info, like directory or local.

integer

eq,=,==,neq,!=

useragent

The user agent field in HTTP request.

string

eq,=,==,neq,!=,like,~,notlike,!~

usergroup

When a user group is searched, this includes every user within the group.

Event Type: Application, Page, Alert.

Ex: usergroup eq student2.support-lab.com/Test

string

eq,=,==,neq,!=,like,~,notlike,!~,in,not_in

userip

When a user is behind a proxy, this indicates the internal IP of the user at that time.

string

eq,=,==,neq,!=,like,~,notlike,!~

userkey

Search events from a specific user/email.

Event Type: Application, Page.

Ex: userkey eq john@abc.com

string

eq,=,==,neq,!=,like,~,notlike,!~

username

Search events with AD info, like username.

Ex: username like 'John'

string

eq,=,==,neq,!=,like,~,notlike,!~

V

vendor_db_cluster_resource_id

Search events based on vendor db cluster resource ID.

string

eq,=,==,neq,!=,like,~,notlike,!~

vendor_event_correlation_id

Search events based on vendor event correlation ID.

string

eq,=,==,neq,!=,like,~,notlike,!~

vendor_event_source

Search events based on vendor event source.

string

eq,=,==,neq,!=,like,~,notlike,!~

vendor_event_type

Search events based on vendor event type.

string

eq,=,==,neq,!=,like,~,notlike,!~

vendor_product

Search events based on vendor product.

string

eq,=,==,neq,!=,like,~,notlike,!~

vendor_resource_id

Search events based on vendor_resource_id.

string

eq,=,==,neq,!=,like,~,notlike,!~

vendor_resource_name

Search events based on vendor resource name.

string

eq,=,==,neq,!=,like,~,notlike,!~

vpc

Search events based on vpc.

string

eq,=,==,neq,!=,like,~,notlike,!~

W

web_url

The URL for a file which will open the file in an app.

string

eq,=,==,neq,!=

workspace

Workspace Name

string

eq,=,==,neq,!=
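The table above fixes, per field, a format and an operator list, gives integer codes for host_info.os, expects epoch seconds for timestamp, and (through its examples) single-quotes values that contain spaces while leaving others bare. The following Python helper is an added example for this page, not Netskope code and not a client for any Netskope API: it composes query terms under those rules and refuses anything the table does not list. FIELDS is a constructed subset of the table; the operators for app (used in the page's examples but not listed in this section) are assumed to match the other string fields here, and the function names are this example's own.

```python
"""Compose and validate SkopeIT query terms (added example, not Netskope code)."""
from datetime import datetime, timezone
from typing import Optional

EQ = {"eq", "=", "==", "neq", "!="}
LIKE = {"like", "~", "notlike", "!~"}
CMP = {"gt", ">", "gte", ">=", "lt"}

# Constructed subset of the page's table: field -> (format, listed operators).
FIELDS = {
    "app": ("string", EQ | LIKE),            # assumed; app is not listed in this section
    "host_info.os": ("integer", EQ | LIKE),
    "iam_session_mfa": ("boolean", EQ),
    "inactive_since": ("integer", {"lte"}),
    "inline_policy": ("string", EQ | LIKE),
    "latency_max": ("integer", EQ | CMP),
    "src_country": ("string", EQ | LIKE),
    "src_location": ("string", EQ | LIKE),
    "timestamp": ("integer", EQ | CMP),
    "user": ("string", EQ | LIKE | {"in", "not_in"}),
}

# Integer codes documented under host_info.os on this page.
HOST_OS = {"Windows": 0, "Mac": 1, "iOS": 2, "Android": 3, "Windows Server": 4}


def quote(value: str) -> str:
    """Single-quote values containing spaces, as the page's examples do."""
    if "'" in value:
        raise ValueError("values containing a single quote are not covered by this page")
    return f"'{value}'" if (" " in value or value == "") else value


def encode(field: str, value) -> str:
    """Render a Python value in the format the table lists for `field`."""
    fmt, _ = FIELDS[field]
    if fmt == "boolean":
        if not isinstance(value, bool):
            raise TypeError(f"{field} expects True/False, got {value!r}")
        return "true" if value else "false"       # acked eq true/false in the page
    if fmt == "integer":
        if field == "host_info.os" and isinstance(value, str):
            value = HOST_OS[value]                # KeyError for an OS name not listed
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{field} expects an integer, got {value!r}")
        if field == "host_info.os" and value not in HOST_OS.values():
            raise ValueError(f"{value} is not a documented host_info.os code")
        return str(value)
    if not isinstance(value, str):
        raise TypeError(f"{field} expects a string, got {value!r}")
    return quote(value)


def check(field: str, op: str, value) -> Optional[str]:
    """Return None if the term is well-formed, otherwise the reason it is not."""
    if field not in FIELDS:
        return f"unknown field {field!r}"
    fmt, ops = FIELDS[field]
    if op not in ops:
        return f"{op!r} is not listed for {field} ({fmt})"
    if op in ("in", "not_in"):
        return "the page shows no list syntax for in/not_in; refusing to guess"
    try:
        encode(field, value)
    except (KeyError, TypeError, ValueError) as exc:
        return str(exc)
    return None


def term(field: str, op: str, value) -> str:
    """Build one `field op value` term, or raise ValueError with the reason."""
    problem = check(field, op, value)
    if problem is not None:
        raise ValueError(problem)
    return f"{field} {op} {encode(field, value)}"


def all_of(*terms: str) -> str:
    return " and ".join(terms)


def any_of(*terms: str) -> str:
    return " or ".join(terms)


def epoch(iso_ts: str) -> int:
    """Epoch seconds for `timestamp`; a naive ISO-8601 input is taken as UTC."""
    dt = datetime.fromisoformat(iso_ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def slow_salesforce_from_abroad(min_latency_ms: int = 500) -> str:
    """The page's latency_max example, rebuilt from validated terms."""
    return all_of(
        term("app", "=", "Salesforce.com"),
        term("src_country", "!=", "US"),
        term("latency_max", "gt", min_latency_ms),
    )


if __name__ == "__main__":
    print(slow_salesforce_from_abroad())
    print(all_of(term("host_info.os", "eq", "Mac"),
                 term("timestamp", "gt", epoch("2020-08-15T00:00:00"))))
```

Extend FIELDS from the table as needed; the point of check() is that a mistyped operator or an out-of-range enum code is caught before the query is sent rather than silently returning an empty result set.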