Advanced Analytics Incidents Event Fields
The following table lists the Netskope Advanced Analytics Incidents event field names. This list is dynamic and may not contain each available field.
AA Incident Name | Description | Category | Field Group |
---|---|---|---|
Assignee | Assignee name | Dimension | DLP |
Assignee Last Update | Timestamp of when the assignee was last updated | Dimension | DLP |
Attachment | Name of the attachment being sent through mail | Dimension | File |
BCC | Field to search events based on users in the bcc field | Dimension | General |
CC | Field to search events based on users in the cc field | Dimension | General |
DLP Action | Search events based on a specific DLP profile action | Dimension | DLP |
DLP Fingerprint Classification | Search events for the DLP fingerprint classification within the profile that matches the content | Dimension | File |
DLP Fingerprint Match | Search events for the DLP fingerprint file within the profile that matches the content | Dimension | File |
DLP Fingerprint Score | Search events for the DLP fingerprint score within the profile that matches the content | Dimension | File |
DLP Incident Status | Status of the DLP incident (e.g. New, In Progress, Closed) | Dimension | DLP |
DLP Incident Status Last Update | DLP incident status last updated timestamp | Dimension | DLP |
DLP Severity Status | Status of DLP incident severity | Dimension | DLP |
DLP Severity Status Last Update | DLP incident severity last updated timestamp | Dimension | DLP |
Email Subject | Search events based on the email subject | Dimension | General |
Incident ID | Incident Unique Identifier | Dimension | General |
Incident Type | Type of incident; one of DLP, UEBA, Compromised Credentials, Malware, or Malsite | Dimension | General |
Malsite Destination Country | Destination country of the malicious site | Dimension | Malsite |
Malsite Destination Region | Destination region of the malicious site | Dimension | Malsite |
Malsite First Seen | Malsite first seen date | Dimension | Malsite |
Malsite Last Seen | Malsite last seen date | Dimension | Malsite |
Transaction ID | Type of log message | Dimension | General |
Tip
To see specific alerts associated with each incident, use the ‘Merged Query’ feature and merge with the alerts table using the ‘Incident ID’ or ‘DLP Incident ID’ (DLP alerts only) fields.
Enriched Fields
The data fields below are enriched from the data in the Alerts data collection. Use these enriched fields coupled with the ‘Merged Query’ feature to view targeted details of your DLP incident.
Access Method
Activity
Application
Application Activity
Attachment
Browser
CCL
Connection ID
Destination Country
Destination IP
Destination Location
Destination Region
Destination Timezone
Destination Zipcode
Device Classification
Device Type
DLP File Name
DLP Fingerprint Classification
DLP Fingerprint Match
DLP Fingerprint Score
DLP Incident ID
DLP is Unique Count
DLP Parent ID
DLP Profile
DLP Rule
DLP Rule Count
DLP Rule Severity
Event Timestamp
Exposure
External Collaborator Count
File ID
File Language
File Owner
File Path
File Size
File Type
From User
Hostname
Instance ID
Internal Collaborator Count
MD5
MIME Type
Object
Object ID
Object Type
Original File Path
OS
OS Version
Referrer
Request ID
Session ID
Shared With
Shared With Domains
Site
Source Country
Source IP
Source Location
Source Region
Source Zipcode
Telemetry App
To User
Total Collaborator Count
Transaction ID
URL
User
User IP