Netskope Help

SkopeIT Query Language Search Examples

To help you find specific events, here's a list of helpful search queries:

Purpose

Query

Are my users sharing content with a competitor?

activity eq Share and to_user like @competitor.com

Are my user sharing outside the organization?

activity eq Share and to_user notlike @mycompany.com and to_user neq ''

Do I have Non-Sanctioned Google Apps usage?

app like google and instance_id notlike mycompany and from_user notlike mycompany.com

Do I have high risk applications outside of the US?

app-risk eq high and dst_country neq US and dst_country neq ''

Are my users sending email messages to competitors?

activity eq 'Send' and to_user like '@competitor.com'

Is anyone outside of HR (or finance, or support) downloading from an HR (or finance, or CRM) app?

organization_unit neq [NAME] and activity eq Download and category eq [CAT NAME]

Is anyone uploading to apps whose terms don't specify that the customer owns the data?

activity eq Upload and app-cci-who-owns-data eq 'Vendor owns the data'

Is anyone uploading to business intelligence apps whose terms don't specify that the customer owns the data?

category eq 'Business Intelligence' and app-cci-who-owns-data eq 'Vendor owns the data' and activity eq Upload

Show downloads from vulnerable apps

activity eq Download and app-cci-vuln-exploit neq None

Show any shares from an app that ISN'T Cloud Storage

category neq 'Cloud Storage' and activity eq Share

Show any failed logins to any Finance/Accounting app

activity eq 'Login Failed' and category eq Finance/Accounting

Show logins to any Finance/Accounting app by people outside of Finance, except for Expensify <insert expense mgmt app here>

organization_unit neq [NAME] and activity eq Login and app neq Expensify

Show any data modifications in Finance/Accounting apps

category eq 'Finance/Accounting' and activity eq Edit or category eq Finance/Accounting and activity eq Delete

What happened to that document after someone downloaded it?

object like '[partial name]' OR user eq [name] and object like '[partial name]'

Show uploads events to Social Media > 10MB

category eq Social and client_bytes > 10000000

Show downloads >1GB

server_bytes > 1000000000

Show Box Sync client activity

useragent like 'Box Sync'

Show HR apps that offer Encryption@Rest withTenant managed keys

category eq HR and app-cci-encrypt-tenant-managed-key eq Yes

Show Mozy backup agent usage

app eq Mozy and useragent like kalypso

Show events that don't have user binding

user like '10\.' or user like '172\.16\.' or user like '172\.17\.' or user like '172\.18\.' or user like '172\.19\.' or user like '172\.20\.' or user like '172\.21\.' or user like '172\.22\.' or user like '172\.23\.' or user like '172\.24\.' or user like '172\.25\.' or user like '172\.26\.' or user like '172\.27\.' or user like '172\.28\.' or user like '172\.29\.' or user like '172\.30\.' or user like '172\.31\.' or user like '192\.168\.'

Show events that DO have user binding

user notlike '10\.' and user notlike '172\.16\.' and user notlike '172\.17\.' and user notlike '172\.18\.' and user notlike '172\.19\.' and user notlike '172\.20\.' and user notlike '172\.21\.' and user notlike '172\.22\.' and user notlike '172\.23\.' and user notlike '172\.24\.' and user notlike '172\.25\.' and user notlike '172\.26\.' and user notlike '172\.27\.' and user notlike '172\.28\.' and user notlike '172\.29\.' and user notlike '172\.30\.' and user notlike '172\.31\.' and user notlike '192\.168\.'

Field IS empty

organization_unit eq ''

Field is NOT empty

organization_unit neq ''

Case insensitive search of string netskope in the object field

object ~ 'netskope(?i)'

Show events from various OS endpoints

os like NT or os like 7 or os like XP or os like 8.1 or os like 2000 or os like 8 or os like 'Windows Vista' or os eq unknown or os eq 'Mac OS' or os eq Linux or os eq Android or os eq 'Snow Leopard' or os eq BlackBerry

Show events that involved Powerpoint files

object ~ '.pptx(?i)'

Show high risk app usage

app-risk eq high

Show high risk user usage

user-risk eq high

Show mobile agent activity

access_method eq 'Mobile Profile'

Show non-blocked app traffic (useful for log Risk Insights)

action neq block

Show non-blocked application activities (useful for log Risk Insights)

Url2Activity eq yes

Show users searching for Jobs on LinkedIn

app eq 'Linkedin' and object_type eq 'Job'

Get a DLP report

alert_type eq DLP

Show which apps leverage AWS

app-cci-apphosting-provider eq 'Amazon Web Services'

Show upload/send/transfer/post to Cloud Storage / Cloud Backup / Consumer: Content sharing where you have given away the rights to your own data due to poor terms and conditions.

app-cci-who-owns-data eq 'Vendor owns the data' and ( activity eq Upload or activity eq Send or activity eq Transfer or activity eq Post) and category = 'Cloud Storage' or category = 'Cloud Backup' or category = 'Consumer: Content Sharing'

Show high risk apps but takes away some noisy ones

app-risk = high and (category neq 'Data & Analysis' and category neq Marketing and category neq 'Web Analytics' and category neq Security and category neq eCommerce )

Show app usage that could be violating German Data Sovereignty Laws (using Social as the example category; replace with HR, Finance, or other appropriate app category)

src_country eq DE and dst_country neq DE and category eq Social

Investigate if someone has downloaded from sanctioned and uploaded to unsanctioned

user eq xxx@netskope.com and ((activity eq 'Download' and app-cci-app-tag eq Sanctioned) or ( activity eq 'Upload' and app-cci-app-tag eq Unsanctioned))

Are users uploading to apps that will own my data?

app-cci-who-owns-data eq 'Vendor owns the data' and activity eq Upload

What are the critical PCI incidents in the last 30 days?

dlp_profile eq 'DLP-PCI' and dlp_rule_severity eq Critical

Which apps used by my workforce can be source-IP restricted?

app-cci-src-ip-enforcement eq Yes

Which of the apps used by my workforce can use SAML SSO?

app-cci-sso eq SAML

Show example of sessionization - Netskope log parsing differentiation. This reports on human usage (which is useful), not each individual http session (which is not useful)

req_cnt > 1

Show sharing detected from log parsing

Url2Activity eq yes and activity eq Share

Show posting detected from log parsing

Url2Activity eq yes and activity eq Post

Show alerts for high risk users

user-risk eq high and alert eq yes

Show all file sharing outside the organization

activity eq Share and to_user notlike @netskope.com and object_type eq 'File' and object neq ''

Show all destination countries outside EU

dst_country neq BE and dst_country neq BG and dst_country neq DK and dst_country neq DE and dst_country neq EE and dst_country neq FI and dst_country neq FR and dst_country neq GR and dst_country neq IE and dst_country neq IT and dst_country neq HR and dst_country neq LV and dst_country neq LT and dst_country neq LU and dst_country neq MT and dst_country neq NL and dst_country neq AT and dst_country neq PL and dst_country neq PT and dst_country neq RO and dst_country neq SE and dst_country neq SK and dst_country neq SI and dst_country neq ES and dst_country neq CZ and dst_country neq HU and dst_country neq GB and dst_country neq CY and dst_country neq EU

Search for all user logins for a period of time

activity eq 'Login Successful' and user from albertd@netskope.com to userz@netskope.com

Categories commonly excluded from ShadowIT analysis:

  • Data & Analysis: often noisy; automated sessions.

  • eCommerce: often noisy; personal use.

  • Marketing: can be noisy; varies by firm/some apps may be valid Security - often Noisy; imposed, so not shadow IT.

  • Social: can be noisy; varies by firm/some apps may be valid.

  • Tracking apps: often noisy; automated sessions.

  • Web Analytics: often noisy; automated sessions.

  • Web Proxies/Anonymizers: can be noisy; varies by firm.

(category neq 'Data & Analysis' and category neq eCommerce and category neq Marketing and category neq Security and category neq Social and category neq 'Tracking apps' and category neq 'Web Analytics' and category neq 'Web Proxies/Anonymizers')

Note

For users with special characters, like an organizational unit having a backslash (netskope.com\johnd), add a second backslash. For example: user eq netskope.com\\johnd

This provides all the Page events generated for the user johnd. Go to the Application Events type in SkopeIT to see the application events generated for this user.

Tip

You can filter the data source by navigating to Settings > General > Data Source > EDIT SOURCE and then choosing the data source to look for events specifically generated from these sources. For more details, refer to Filter Data Sources.