Netskope Help

Advanced Analytics Incidents Event Fields

The following table lists the Netskope Advanced Analytics Incidents event field names. This list is dynamic and may not contain each available field.

| AA Incident Name | Description | Category | Field Group |
|---|---|---|---|
| Assignee | Assignee name | Dimension | DLP |
| Assignee Last Update | Timestamp of when the assignee was last updated | Dimension | DLP |
| Attachment | Name of the attachment being sent through mail | Dimension | File |
| BCC | Field to search events based on users in the bcc field | Dimension | General |
| CC | Field to search events based on users in the cc field | Dimension | General |
| DLP Action | Search events based on a specific DLP profile action | Dimension | DLP |
| DLP Fingerprint Classification | Search events for the DLP fingerprint classification within the profile that matches the content | Dimension | File |
| DLP Fingerprint Match | Search events for the DLP fingerprint file within the profile that matches the content | Dimension | File |
| DLP Fingerprint Score | Search events for the DLP fingerprint score within the profile that matches the content | Dimension | File |
| DLP Incident Status | Status of the DLP incident (e.g. New, In Progress, Closed) | Dimension | DLP |
| DLP Incident Status Last Update | DLP incident status last updated timestamp | Dimension | DLP |
| DLP Severity Status | Status of DLP incident severity | Dimension | DLP |
| DLP Severity Status Last Update | DLP incident severity last updated timestamp | Dimension | DLP |
| Email Subject | Search events based on the email subject | Dimension | General |
| Incident ID | Incident Unique Identifier | Dimension | General |
| Incident Type | Type of incident includes: DLP, UEBA, Compromised Credentials, Malware, Malsite. | Dimension | General |
| Malsite Destination Country | Destination country of the malicious site | Dimension | Malsite |
| Malsite Destination Region | Destination region of the malicious site | Dimension | Malsite |
| Malsite First Seen | Malsite first seen date | Dimension | Malsite |
| Malsite Last Seen | Malsite last seen date | Dimension | Malsite |
| Transaction ID | Type of log message | Dimension | General |

Tip

To see specific alerts associated with each incident, use the ‘Merged Query’ feature and merge with the alerts table using the ‘Incident ID’ or ‘DLP Incident ID’ (DLP alerts only) fields.

Enriched Fields

The data fields below are enriched from the data in the Alerts data collection. Use these enriched fields together with the ‘Merged Query’ feature to view targeted details of your DLP incident.

  • Access Method

  • Activity

  • Application

  • Application Activity

  • Attachment

  • Browser

  • CCL

  • Connection ID

  • Destination Country

  • Destination IP

  • Destination Location

  • Destination Region

  • Destination Timezone

  • Destination Zipcode

  • Device Classification

  • Device Type

  • DLP File Name

  • DLP Fingerprint Classification

  • DLP Fingerprint Match

  • DLP Fingerprint Score

  • DLP Incident ID

  • DLP is Unique Count

  • DLP Parent ID

  • DLP Profile

  • DLP Rule

  • DLP Rule Count

  • DLP Rule Severity

  • Event Timestamp

  • Exposure

  • External Collaborator Count

  • File ID

  • File Language

  • File Owner

  • File Path

  • File Size

  • File Type

  • From User

  • Hostname

  • Instance ID

  • Internal Collaborator Count

  • MD5

  • MIME Type

  • Object

  • Object ID

  • Object Type

  • Original File Path

  • OS

  • OS Version

  • Referrer

  • Request ID

  • Session ID

  • Shared With

  • Shared With Domains

  • Site

  • Source Country

  • Source IP

  • Source Location

  • Source Region

  • Source Zipcode

  • Telemetry App

  • To User

  • Total Collaborator Count

  • Transaction ID

  • URL

  • User

  • User IP