API Tokens
Netskope Cloud Exchange exposes a REST API to enable nearly every equivalent GUI command to be programmatically triggered. However, each REST API call requires valid credentials. Users who are given API access will be able to create a Client ID and Client Secret. Note, this is NOT the same API token that you use for communicating with your Netskope tenant.
You can create API tokens by going to Settings > Users and clicking on the API Tokens tab.
 |
API access user can create new API tokens by clicking Create new token, which opens a form to create new tokens at the same credentialed level as the user has in the GUI.
API access user can copy the Client Secret using the copy button, and Client ID and Client Secret can be used to access Cloud Exchange APIs.
Users can fill in a description and expiry days for the token.
 |
After the tokens are created, copy them and return to the Configure New Tenant page. Please note, a v1 token is required for adding a Netskope tenant in Cloud Exchange but will not be used if a v2 endpoint is available.
You can use the iterator API endpoint by enabling the toggle button Use Iterator Endpoint. The toggle button will only be accessible if you have a provided a v2 token. If you opt for the Iterator API endpoints, all the Threat IoCs, Alerts, and Events will be fetched by the Iterator API endpoints. You have to provide access to the above mentioned API endpoints while generating the v2 API token.
To view the API documentation in Swagger, click Help in the bottom of the left nav and select API docs.
 |
Click the caret icon to view endpoint information.
 |
The Cloud Exchange platform REST API scopes are explained in the following sections.
Dataexport Error Codes
Error Codes | User-Action Required | Description |
|---|---|---|
403 | Yes | Check the API V2 token is associated with the valid endpoint & its not expired.Retry will solve the problem only after solving the token issue by following these guidelines. |
409 | No | Concurrency conflict and the request cannot be processed at this point of time. DataExport API V2 endpoints do not support downloading the same event type concurrently with the same iterator index, and the Client is expected to validate that the logic to pull the events is single-threaded. |
429 | No | Too many requests for the same tenant accessing the same endpoint. The Client is expected to honor the rate limit to avoid 429 error and as part of the response header, it carries the reset time in the header ratelimit-reset. The Client is expected to sleep/wait ( ratelimit-reset ) to avoid 429. The current rate limit is 4 req / second/endpoint. |
5XX | Yes | Netskope is having a temporary server issue for some reason:
Upon receiving a 5xx error from Netskope Server , the User is recommended to do a back off of 5 seconds wait time before the next call. |
Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
Token Generated and Not Expired | (all) | x | Required for sharing file hashes |
Note
Starting with CE 4.2.0, you are required to use the dataexport endpoint permission for the alerts and events you have configured in Cloud Exchange when setting up Netskope Tenants.
Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
/api/v2/events/data/alert | Read | ||||||
/api/v2/events/data/application | Read | ||||||
/api/v2/events/data/audit | Read | ||||||
/api/v2/events/data/infrastructure | Read | ||||||
/api/v2/events/data/network | Read | ||||||
/api/v2/events/data/page | Read | ||||||
/api/v2/events/dataexport/events/alert | Read | x | x | x | x | x | Required to validate API token |
/api/v2/events/dataexport/events/application | Read | x | x | ||||
/api/v2/events/dataexport/events/audit | Read | x | |||||
/api/v2/events/dataexport/events/connection | Read | ||||||
/api/v2/events/dataexport/events/incident | Read | x | |||||
/api/v2/events/dataexport/events/infrastructure | Read | x | |||||
/api/v2/events/dataexport/events/network | Read | x | |||||
/api/v2/events/dataexport/events/page | Read | x | |||||
/api/v2/events/dataexport/alerts/uba | Read | x | x | ||||
/api/v2/events/dataexport/alerts/securityassessment | Read | x | x | ||||
/api/v2/events/dataexport/alerts/quarantine | Read | x | x | x | |||
/api/v2/events/dataexport/alerts/remediation | Read | x | x | ||||
/api/v2/events/dataexport/alerts/policy | Read | x | x | ||||
/api/v2/events/dataexport/alerts/malware | Read | x | x | x | |||
/api/v2/events/dataexport/alerts/malsite | Read | x | x | x | |||
/api/v2/events/dataexport/alerts/compromisedcredential | Read | x | x | ||||
/api/v2/events/dataexport/alerts/ctep (or ips) | Read | x | x | ||||
/api/v2/events/dataexport/alerts/dlp | Read | x | x | ||||
/api/v2/events/dataexport/alerts/watchlist | Read | x | x | ||||
/api/v2/policy/urllist/file | Read + Write | ||||||
/api/v2/policy/urllist | Read + Write | x | |||||
/api/v2/policy/urllist/deploy | Read + Write | x | |||||
/api/v2/incidents/uba/getuci | Read + Write | x | |||||
/api/v2/ubadatasvc/user/uci | Read + Write | x | |||||
/api/v2/services/cci/app | Read | x | |||||
/api/v2/services/cci/domain | Read | x | |||||
/api/v2/services/cci/tags | Read | x |
x: Required API scopes for the corresponding CE module.
Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
Token Generated and Not Expired | (all) | x | Required for sharing file hashes |
Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
/api/v2/events/data/alert | Read | ||||||
/api/v2/events/data/application | Read | ||||||
/api/v2/events/data/audit | Read | ||||||
/api/v2/events/data/infrastructure | Read | ||||||
/api/v2/events/data/network | Read | ||||||
/api/v2/events/data/page | Read | ||||||
/api/v2/events/dataexport/events/alert | Read | x | x | x | x | x | Required to validate API token |
/api/v2/events/dataexport/events/application | Read | x | x | ||||
/api/v2/events/dataexport/events/audit | Read | x | |||||
/api/v2/events/dataexport/events/connection | Read | ||||||
/api/v2/events/dataexport/events/incident | Read | x | |||||
/api/v2/events/dataexport/events/infrastructure | Read | x | |||||
/api/v2/events/dataexport/events/network | Read | x | |||||
/api/v2/events/dataexport/events/page | Read | x | |||||
/api/v2/events/dataexport/alerts/uba | Read | x | x | ||||
/api/v2/events/dataexport/alerts/securityassessment | Read | x | x | ||||
/api/v2/events/dataexport/alerts/quarantine | Read | x | x | x | |||
/api/v2/events/dataexport/alerts/remediation | Read | x | x | ||||
/api/v2/events/dataexport/alerts/policy | Read | x | x | ||||
/api/v2/events/dataexport/alerts/malware | Read | x | x | x | |||
/api/v2/events/dataexport/alerts/malsite | Read | x | x | x | |||
/api/v2/events/dataexport/alerts/compromisedcredential | Read | x | x | ||||
/api/v2/events/dataexport/alerts/ctep (or ips) | Read | ||||||
/api/v2/events/dataexport/alerts/dlp | Read | x | x | ||||
/api/v2/events/dataexport/alerts/watchlist | Read | x | x | ||||
/api/v2/policy/urllist/file | Read + Write | ||||||
/api/v2/policy/urllist | Read + Write | x | |||||
/api/v2/policy/urllist/deploy | Read + Write | x | |||||
/api/v2/incidents/uba/getuci | Read + Write | x | |||||
/api/v2/ubadatasvc/user/uci | Read + Write | x | |||||
/api/v2/services/cci/app | Read | x | |||||
/api/v2/services/cci/domain | Read | x | |||||
/api/v2/services/cci/tags | Read | x |
x: Required API scopes for the corresponding CE module.
Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
Token Generated and Not Expired | (all) | y | y | x+y (*) | y | y | * Required for sharing file hashes |
Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
/api/v2/events/data/alert | Read | y | y | y | y | y | |
/api/v2/events/data/application | Read | y | |||||
/api/v2/events/data/audit | Read | y | |||||
/api/v2/events/data/infrastructure | Read | y | |||||
/api/v2/events/data/network | Read | y | |||||
/api/v2/events/data/page | Read | y | |||||
/api/v2/events/dataexport/events/alert | Read | x | x | x | x | x | |
/api/v2/events/dataexport/events/application | Read | x | x | ||||
/api/v2/events/dataexport/events/audit | Read | x | |||||
/api/v2/events/dataexport/events/connection | Read | ||||||
/api/v2/events/dataexport/events/incident | Read | ||||||
/api/v2/events/dataexport/events/infrastructure | Read | x | |||||
/api/v2/events/dataexport/events/network | Read | x | |||||
/api/v2/events/dataexport/events/page | Read | x | |||||
/api/v2/events/dataexport/alerts/uba | Read | ||||||
/api/v2/events/dataexport/alerts/securityassessment | Read | ||||||
/api/v2/events/dataexport/alerts/quarantine | Read | ||||||
/api/v2/events/dataexport/alerts/remediation | Read | ||||||
/api/v2/events/dataexport/alerts/policy | Read | ||||||
/api/v2/events/dataexport/alerts/malware | Read | ||||||
/api/v2/events/dataexport/alerts/malsite | Read | ||||||
/api/v2/events/dataexport/alerts/compromisedcredential | Read | ||||||
/api/v2/events/dataexport/alerts/ctep (or ips) | Read | ||||||
/api/v2/events/dataexport/alerts/dlp | Read | ||||||
/api/v2/events/dataexport/alerts/watchlist | Read | ||||||
/api/v2/policy/urllist/file | Read + Write | ||||||
/api/v2/policy/urllist | Read + Write | x + y | |||||
/api/v2/policy/urllist/deploy | Read + Write | x + y | |||||
/api/v2/incidents/uba/getuci | Read + Write | x + y | |||||
/api/v2/ubadatasvc/user/uci | Read + Write | x + y | |||||
/api/v2/services/cci/app | Read | x + y | |||||
/api/v2/services/cci/domain | Read | x + y | |||||
/api/v2/services/cci/tags | Read | x + y |
x: Required API scopes for the corresponding CE module if modern /events/dataexport endpoints will be used (recommended).
y: Required API scopes for the corresponding CE module if legacy /events/data endpoints will be used (deprecated starting in 4.1.0).
x+y: Required API scopes for the corresponding CE module (when using either /events/dataexport or /events/data endpoints).
Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
Token Generated and Not Expired | (all) | y | Required for sharing file hashes |
Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | Cloud Risk Exchange (CRE) | Notes |
|---|---|---|---|---|---|---|
/api/v2/events/data/alert | Read | y | y | y | y | |
/api/v2/events/data/application | Read | y | ||||
/api/v2/events/data/audit | Read | y | ||||
/api/v2/events/data/infrastructure | Read | y | ||||
/api/v2/events/data/network | Read | y | ||||
/api/v2/events/data/page | Read | y | ||||
/api/v2/events/dataexport/events/alert | Read | |||||
/api/v2/events/dataexport/events/application | Read | |||||
/api/v2/events/dataexport/events/audit | Read | |||||
/api/v2/events/dataexport/events/connection | Read | |||||
/api/v2/events/dataexport/events/incident | Read | |||||
/api/v2/events/dataexport/events/infrastructure | Read | |||||
/api/v2/events/dataexport/events/network | Read | |||||
/api/v2/events/dataexport/events/page | Read | |||||
/api/v2/events/dataexport/alerts/uba | Read | |||||
/api/v2/events/dataexport/alerts/securityassessment | Read | |||||
/api/v2/events/dataexport/alerts/quarantine | Read | |||||
/api/v2/events/dataexport/alerts/remediation | Read | |||||
/api/v2/events/dataexport/alerts/policy | Read | |||||
/api/v2/events/dataexport/alerts/malware | Read | |||||
/api/v2/events/dataexport/alerts/malsite | Read | |||||
/api/v2/events/dataexport/alerts/compromisedcredential | Read | |||||
/api/v2/events/dataexport/alerts/ctep (or ips) | Read | |||||
/api/v2/events/dataexport/alerts/dlp | Read | |||||
/api/v2/events/dataexport/alerts/watchlist | Read | |||||
/api/v2/policy/urllist/file | Read + Write | |||||
/api/v2/policy/urllist | Read + Write | y | ||||
/api/v2/policy/urllist/deploy | Read + Write | y | ||||
/api/v2/incidents/uba/getuci | Read + Write | y | ||||
/api/v2/ubadatasvc/user/uci | Read + Write | y | ||||
/api/v2/services/cci/app | Read | |||||
/api/v2/services/cci/domain | Read | |||||
/api/v2/services/cci/tags | Read |
y: Required API scopes for the corresponding CE module.