Netskope Help

Viewing Patient Zero Events

A patient zero event occurs when a user downloads a file that signature-based analysis (for example, the Netskope AV engine) in Standard Threat Protection does not detect, but that behavior-based analysis (for example, Cloud Sandbox) or advanced heuristics analysis in Advanced Threat Protection later determines to be malicious. Because the file reached the user before it could be blocked, Netskope raises a Patient Zero malware alert for the affected users so your organization can start remediation quickly. You can investigate these events in Skope IT Alerts.

You can also integrate with endpoint detection and response (EDR) vendors through Netskope Cloud Exchange (CE) to detect and isolate the downloaded file on the endpoint.

To view patient zero events:

  1. Go to Skope IT > Alerts.

  2. Choose a time frame that covers the period in which the download could have occurred; patient zero alerts are only returned for the selected range.

    The Time Frame drop-down menu on the Skope IT Alerts page.
  3. Under Filters, click the Query Mode icon to switch to query mode.

  4. Enter the following query:

    (alert_name eq 'Patient Zero')
  5. Click Search. All patient zero events Netskope discovered in the chosen time frame appear.

    Filtered patient zero events on the Skope IT Alerts page.
  6. Click the Preview icon to view more information about the patient zero event. The following fields are useful when investigating the event:

    • MD5: The MD5 hash of the malicious file, calculated at detection time. Use this value to filter Skope IT events and find other malware detections for the same file. Note that the hash identifies an exact copy of the file; a modified variant has a different MD5, so also pivot on Malware Name to find related detections. See Investigating with the MD5.

    • File Name: The name of the malicious file. Click to view the file details, which displays analysis from the detection engine.

    • Malware Name: The name of the detected malware. Click to view malware details, which displays the impacted files and users.

    The MD5, File Name, and Malware Name highlighted in the Alert Details pane.
Investigating with the MD5

You can use the MD5 to filter Skope IT alerts and view the other malware detection alerts associated with the patient zero event, including later downloads of the same file by other users.

To investigate with the MD5:

  1. In the Alert Details pane, copy the MD5.

    The MD5 field in Alert Details pane.
  2. Choose a time frame that spans the patient zero event and the period after it, so that subsequent downloads of the same file are included.

    The Time Frame drop-down menu on the Skope IT Alerts page.
  3. On the Alerts page, under Filters, switch to query mode and enter the following query:

    (md5 eq '<MD5>')

    Replace <MD5> with the hash value you copied in Step 1. For example:

    (md5 eq '5d1f657812072e43968456f4d0636138')
  4. Click Search. All malware detection alerts associated with that MD5 appear.

    The malware detection alerts filtered by MD5 on the Skope IT Alerts page.
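The two procedures above (find the Patient Zero alerts, then pivot on each alert's MD5) are often repeated for every new event, so the following script automates them. It is an added example, not Netskope's own code. The offline functions run over constructed sample alerts embedded in the script; field names other than the alert name, MD5, file name and malware name shown on this page (user, timestamp, detection_engine) are assumptions about the alert schema. build_alerts_request() assumes the Netskope REST API v2 alert endpoint (/api/v2/events/data/alert with starttime, endtime, query and limit parameters, authenticated with a Netskope-Api-Token header); verify that against your tenant's API documentation before relying on it. The MD5 is validated before it is placed in the query so that a pasted or mangled value cannot change the shape of the query.

```python
"""Pivot from Skope IT 'Patient Zero' alerts to every alert sharing the same MD5.

Added example, not Netskope's code. Offline functions use SAMPLE_ALERTS below;
build_alerts_request() assumes the REST API v2 alert endpoint and is not called
by the offline path.
"""
import re
import urllib.parse
import urllib.request

PATIENT_ZERO_QUERY = "(alert_name eq 'Patient Zero')"
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample alerts. Only alert_name, md5, file_name and malware_name
# appear on the help page; user, timestamp and detection_engine are assumed.
SAMPLE_ALERTS = [
    {"timestamp": 1700000000, "alert_name": "Patient Zero", "user": "alice@example.com",
     "md5": "5d1f657812072e43968456f4d0636138", "file_name": "Q3_invoice.docm",
     "malware_name": "Trojan.Dropper.Gen", "detection_engine": "Cloud Sandbox"},
    # Same file downloaded later by another user, now caught by signature (note the
    # uppercase digest: hashes must be compared case-insensitively).
    {"timestamp": 1700003600, "alert_name": "Malware", "user": "bob@example.com",
     "md5": "5D1F657812072E43968456F4D0636138", "file_name": "Q3_invoice (1).docm",
     "malware_name": "Trojan.Dropper.Gen", "detection_engine": "Netskope AV"},
    # Unrelated detection that must not be pulled into the pivot.
    {"timestamp": 1700007200, "alert_name": "Malware", "user": "carol@example.com",
     "md5": "9e107d9d372bb6826bd81d3542a419d6", "file_name": "setup.exe",
     "malware_name": "PUA.Installer", "detection_engine": "Netskope AV"},
]


def md5_query(md5: str) -> str:
    """Build the Skope IT query for one MD5, exactly as typed in the UI.
    Only a 32-digit hex string is accepted, so a bad value is rejected rather
    than being interpolated into the query."""
    digest = md5.strip().lower()
    if not MD5_RE.fullmatch(digest):
        raise ValueError(f"not an MD5 hex digest: {md5!r}")
    return f"(md5 eq '{digest}')"


def patient_zero_md5s(alerts):
    """Distinct MD5s from Patient Zero alerts, lowercased, in first-seen order."""
    found = []
    for alert in alerts:
        if alert.get("alert_name") != "Patient Zero":
            continue
        digest = str(alert.get("md5", "")).strip().lower()
        if MD5_RE.fullmatch(digest) and digest not in found:
            found.append(digest)
    return found


def pivot_on_md5(alerts, md5):
    """Every alert carrying this MD5 (any engine, any user), summarised the way
    the Malware Name details page does: impacted users, file names, engines."""
    digest = md5.strip().lower()
    hits = sorted((a for a in alerts if str(a.get("md5", "")).lower() == digest),
                  key=lambda a: a["timestamp"])
    first = hits[0] if hits else None
    return {
        "md5": digest,
        "alerts": len(hits),
        # The earliest hit is the patient zero only if it was flagged as such.
        "patient_zero": first["user"] if first and first["alert_name"] == "Patient Zero" else None,
        "users": sorted({a["user"] for a in hits}),
        "files": sorted({a["file_name"] for a in hits}),
        "engines": sorted({a["detection_engine"] for a in hits}),
    }


def build_alerts_request(tenant, token, query, starttime, endtime, limit=1000):
    """ASSUMED REST API v2 request for the same query the UI runs (not executed here).
    starttime/endtime are epoch seconds; check the endpoint against your tenant docs."""
    params = urllib.parse.urlencode(
        {"starttime": starttime, "endtime": endtime, "query": query, "limit": limit})
    return urllib.request.Request(
        f"https://{tenant}/api/v2/events/data/alert?{params}",
        headers={"Netskope-Api-Token": token, "Accept": "application/json"})


def investigate(alerts):
    """Procedure 1 then procedure 2: one pivot summary per patient zero MD5."""
    return [pivot_on_md5(alerts, digest) for digest in patient_zero_md5s(alerts)]


if __name__ == "__main__":
    for summary in investigate(SAMPLE_ALERTS):
        print(md5_query(summary["md5"]), summary)
```

To run it against a tenant, fetch alerts with build_alerts_request() using PATIENT_ZERO_QUERY and a time frame that starts before the patient zero event, then feed the returned records (plus a second fetch using md5_query() for each hash) into investigate(). The users list in each summary is the set to hand to your EDR integration for isolation.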