This endpoint returns alerts generated by Netskope, including policy, DLP, and watch list alerts. Policy alerts are triggered when traffic matches a policy. DLP alerts are generated when a policy triggers a DLP violation. Watch list alerts are triggered when a watchlist matches.
Request Endpoint
https://<tenant-name>.goskope.com/api/v1/alerts
Valid query parameters are:

Key | Value | Description
---|---|---
`token` | string | Required. The token obtained from the REST API page in the Netskope UI (Settings > Tools > Rest API v1). We recommend that you place the token in the body of the request, not in the endpoint URL.
`query` | Valid alert query | Acts as a filter on all the cloud app alerts in the events database.
`alerttype` | | Selects Policy, DLP, Quarantine, Watchlist, etc. alerts. If nothing is passed, alerts of all types are returned.
`type` | | Selects the type of alerts. If nothing is passed, alerts of all types are returned.
`timeperiod` | Last 60 mins, Last 24 Hrs, Last 7 Days, Last 30 Days, Last 60 days or Last 90 days, expressed in seconds (the examples below use 86400 and 2592000) | Restrict alerts to the given window.
`starttime` | Unix epoch time | Restrict alerts to those that have timestamps greater than this.
`endtime` | Unix epoch time | Restrict alerts to those that have timestamps less than or equal to this.
`insertionstarttime` | Unix epoch time | Restrict alerts to those inserted into the database after the specified time.
`insertionendtime` | Unix epoch time | Restrict alerts to those inserted into the database before the specified time.
`limit` | Positive integer less than 10000 | REST API responses can return up to 10000 alerts in a single response. You can use pagination to retrieve more results.
`skip` | Positive integer | Skip over some of the alerts (useful for pagination in combination with `limit`).

Only use one of these time selectors at a time, not a combination: `timeperiod`, the `starttime`/`endtime` pair, or the `insertionstarttime`/`insertionendtime` pair.
Response
For response information, refer to REST API Events and Alerts Response Descriptions.
Example Requests with Responses
Filter by single Compliance Standard

```http
POST 'https://<tenant-name>.goskope.com/api/v1/alerts?timeperiod=86400&type=Security%20Assessment&limit=1&stimeperiod=2592000&query=%28compliance_standards.standard%20eq%20%27CSA-CCM-3.0.1%27%29'
```

Request body:

```json
{
  "token": "f32a973eddd7bc1602fc0f48dc0a"
}
```

Response:

```json
{ "alert_type": "Security Assessment", "region_id": "westeurope", "sa_profile_name": "CIS Azure Foundations Benchmark v1.0.0", "app": "Microsoft Azure", "object_type": "Instance", "compliance_standards": [ { "control": "02", "description": "Security Incident Management, E-Discovery, & Cloud Forensics: Incident Management | Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.", "section": "SEF", "standard": "CSA-CCM-3.0.1", "reference_url": "https://cloudsecurityalliance.org/research/cloud-controls-matrix/", "id": -91402 } ], "account_name": "iaas-qe", "region_name": "West Europe", "category": "IaaS/PaaS", "timestamp": 1603870162, "sa_profile_id": -2001000, "sa_rule_id": -2067, "iaas_remediated": "false", "access_method": "API Connector", "policy": "azure_81_policy", "sa_rule_name": "Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers", "type": "nspolicy", "account_id": "e3813397-1fff-46b0-a59f-5c2130aac115", "iaas_asset_tags": [], "sa_rule_severity": "High", "object": "automation1603868619", "alert": "yes", "user": "admin@netskope.com", "device": "other", "count": 1, "asset_object_id": "016044c5aeb1bf9c3af75357", "instance_id": "azure80", "alert_name": "Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers", "activity": "Introspection Scan", "action": "alert", "browser": "unknown", "os": "unknown", "resource_category": "Database", "policy_id": 2, "organization_unit": "", "userkey": "admin@netskope.com", "ur_normalized": "admin@netskope.com", "site": "Windows Azure", "traffic_type": "CloudApp", "ccl": "excellent", "acked": "false", "_insertion_epoch_timestamp": 1603967916, "_id": "d3a03deeb9ec657d18f48a43", "cci": 96, "sa_rule_remediation": "<html>\n\t<body>\n\t <b>Azure Console:</b>\n <ol>\n <li>Go to <code>SQL servers</code></li>\n <li>For each server instance</li>\n <li>Click on <code>Auditing & Threat Detection</code></li>\n <li>Set <code>Send alerts to</code> as appropriate</li>\n </ol>\n \n <b>Azure PowerShell:</b>\n <p>\n Get the list of all SQL Servers<br>\n <code><pre>\n Get-AzureRmSqlServer\n </pre></code>\n For each Server, set <code>Send alerts to</code>.<br>\n <code><pre>\n Set-AzureRmSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -NotificationRecipientsEmails \"<Recipient Email ID>\"\n </pre></code>\n </p>\n \n <b>Default Value:</b><br>\n <p>\n By default, <code>Send alerts to</code> is not set.\n </p>\n\t</body>\n</html>\n", "appcategory": "IaaS/PaaS" }
```
Filter by multiple Compliance Standards

```http
POST 'https://<tenant-name>.goskope.com/api/v1/alerts?timeperiod=2592000&query=%28compliance_standards.standard%20in%20%5B%27CSA-CCM-3.0.1%27%2C%20%27NIST-CSF-1.1%27%2C%20%27CIS-AZRFND-1.0.0%27%5D%29'
```

Request body:

```json
{
  "token": "f32a973eddd7bc1602fc0f48dc0a"
}
```

Response:

```json
{ "alert_type": "Security Assessment", "region_id": "westeurope", "sa_profile_name": "CIS Azure Foundations Benchmark v1.0.0", "app": "Microsoft Azure", "object_type": "Instance", "compliance_standards": [ { "control": "02", "description": "Security Incident Management, E-Discovery, & Cloud Forensics: Incident Management | Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.", "section": "SEF", "standard": "CSA-CCM-3.0.1", "reference_url": "https://cloudsecurityalliance.org/research/cloud-controls-matrix/", "id": -91402 }, { "control": "1", "description": "Personnel know their roles and order of operations when a response is needed", "section": "RS.CO", "standard": "NIST-CSF-1.1", "reference_url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "id": -7701 }, { "control": "1.4", "description": "Ensure that 'Send alerts to' is set", "appname": "azure", "section": "4", "standard": "CIS-AZRFND-1.0.0", "reference_url": "https://www.cisecurity.org/benchmark/azure/", "id": -5414 } ], "account_name": "iaas-qe", "region_name": "West Europe", "category": "IaaS/PaaS", "timestamp": 1603870162, "sa_profile_id": -2001000, "sa_rule_id": -2067, "iaas_remediated": "false", "access_method": "API Connector", "policy": "azure_81_policy", "sa_rule_name": "Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers", "type": "nspolicy", "account_id": "e3813397-1fff-46b0-a59f-5c2130aac115", "iaas_asset_tags": [], "sa_rule_severity": "High", "object": "automation1603868619", "alert": "yes", "user": "admin@netskope.com", "device": "other", "count": 1, "asset_object_id": "016044c5aeb1bf9c3af75357", "instance_id": "azure80", "alert_name": "Personnel know response roles/operations: Ensure that 'Send Alerts to' is set for SQL Servers", "activity": "Introspection Scan", "action": "alert", "browser": "unknown", "os": "unknown", "resource_category": "Database", "policy_id": 2, "organization_unit": "", "userkey": "admin@netskope.com", "ur_normalized": "admin@netskope.com", "site": "Windows Azure", "traffic_type": "CloudApp", "ccl": "excellent", "acked": "false", "_insertion_epoch_timestamp": 1603967916, "_id": "d3a03deeb9ec657d18f48a43", "cci": 96, "sa_rule_remediation": "<html>\n\t<body>\n\t <b>Azure Console:</b>\n <ol>\n <li>Go to <code>SQL servers</code></li>\n <li>For each server instance</li>\n <li>Click on <code>Auditing & Threat Detection</code></li>\n <li>Set <code>Send alerts to</code> as appropriate</li>\n </ol>\n \n <b>Azure PowerShell:</b>\n <p>\n Get the list of all SQL Servers<br>\n <code><pre>\n Get-AzureRmSqlServer\n </pre></code>\n For each Server, set <code>Send alerts to</code>.<br>\n <code><pre>\n Set-AzureRmSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -NotificationRecipientsEmails \"<Recipient Email ID>\"\n </pre></code>\n </p>\n \n <b>Default Value:</b><br>\n <p>\n By default, <code>Send alerts to</code> is not set.\n </p>\n\t</body>\n</html>\n", "appcategory": "IaaS/PaaS" }
```
Filter by Type

```http
POST 'https://<tenant-name>.goskope.com/api/v1/alerts?timeperiod=86400&type=Security%20Assessment&limit=1&skip=0&ack=false'
```

Request body:

```json
{
  "token": "f32a973eddd7bc1602fc0f48dc0a"
}
```

Response:

```json
{ "msg" : "", "data" : [ { "app" : "Amazon Web Services", "alert_name" : "CIS AWS Foundations Benchmark v1.2.0", "instance_id" : "aws61", "device" : "other", "ccl" : "excellent", "browser" : "unknown", "organization_unit" : "", "access_method" : "API Connector", "_session_begin" : 1, "sa_profile_name" : "CIS AWS Foundations Benchmark v1.2.0", "acked" : "false", "_id" : "1c248c457f5c2f2fb8b221f5", "type" : "nspolicy", "account_name" : "aws61", "alert_type" : "Security Assessment", "timestamp" : 1551713762, "activity" : "Introspection Scan", "object_type" : "Policy", "compliance_standards": [ { "control": "02", "description": "Security Incident Management, E-Discovery, & Cloud Forensics", "section": "SEF", "standard": "CSA-CCM-3.0.1", "reference_url": "https://cloudsecurityalliance.org/research/cloud-controls-matrix/", "id": -91402 } ], "user" : "meghana@netskope.com", "alert" : "yes", "userkey" : "meghana@netskope.com", "sa_rule_remediation" : "<html>\n<body>\n <b>Using the Amazon unified command line interface:</b>\n <ol>\n <li>Create an IAM role for managing incidents with AWS:\n <ul style='list-style-type: circle;'>\n <li>Create a trust relationship policy document that allows <iam_user> to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:</li>\n <li>\n <code>\n {\n 'Version': '2012-10-17',\n 'Statement': [\n {\n 'Effect': 'Allow',\n 'Principal': { 'AWS': '<iam_user>'\n },\n 'Action': 'sts:AssumeRole'\n }\n ]\n }\n </code>\n </li>\n </ul>\n </li>\n <li>\n <ul style='list-style-type: circle;'>\n <li>Create the IAM role using the above trust policy:</li>\n <li>aws iam create-role --role-name <aws_support_iam_role> --assume-role- policy-document file:///tmp/TrustPolicy.json</li>\n </ul>\n </li>\n <li>\n <ul style='list-style-type: circle;'>\n <li>Attach 'AWSSupportAccess' managed policy to the created IAM role:</li>\n <li>aws iam attach-role-policy --policy-arn <iam_policy_arn> --role-name <aws_support_iam_role></li>\n </ul>\n </li>\n </ol>\n <p>\n <b>Impact</b><br>\n All AWS Support plans include an unlimited number of account and billing support cases,\n with no long-term contracts.<br>\n Support billing calculations are performed on a per-account basis for all plans. Enterprise\n Support plan customers have the option to include multiple enabled accounts in an\n aggregated monthly billing calculation.<br>\n Monthly charges for the Business and Enterprise support plans are based on each month's\n AWS usage charges, subject to a monthly minimum, billed in advance<br>\n </p> \n</body>\n</html>\n", "sa_rule_id" : -1001017, "sa_rule_name" : "CIS-AWSFND | 1.22 Ensure a support role has been created to manage incidents with AWS Support", "os" : "unknown", "resource_category" : "Identity", "object" : "arn:aws:iam::215406114230:policy/automation1551712932", "policy" : "aws61policy", "traffic_type" : "CloudApp", "count" : 1, "region_id" : "", "policy_id" : 3, "action" : "alert", "sa_rule_severity" : "2", "cci" : 94, "account_id" : "215406114230", "sa_profile_id" : -1001000, "site" : "Amazon Web Services", "appcategory" : null, "_insertion_epoch_timestamp" : 1551713763, "category" : null } ], "status" : "success" }
```
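An added example (not Netskope's own client code) of how a collector would consume this endpoint: the token travels in the POST body as the page recommends, results are paged with `limit` and `skip` until a short page arrives, and an insertion-time high-water mark is used so repeated pulls only fetch alerts inserted since the last run. The parameter name `insertionstarttime` and the value `type=DLP` are assumptions, and the sample alerts and fake fetcher are constructed so the example runs offline.

```python
import json
import urllib.parse
import urllib.request

ALERTS_PATH = "/api/v1/alerts"
PAGE_LIMIT = 10000  # documented maximum number of alerts per response

def build_request(tenant, token, params):
    """POST with the token in the JSON body, never in the URL (URLs end up in proxy and server logs)."""
    url = f"https://{tenant}.goskope.com{ALERTS_PATH}?{urllib.parse.urlencode(params)}"
    body = json.dumps({"token": token}).encode()
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})

def iter_alerts(fetch, params, limit=PAGE_LIMIT):
    """Walk pages with limit/skip until a short page arrives; de-duplicate on _id."""
    skip, seen = 0, set()
    while True:
        page = fetch({**params, "limit": str(limit), "skip": str(skip)})
        if page.get("status") != "success":
            raise RuntimeError(f"alerts API error: {page.get('msg')!r}")
        data = page.get("data", [])
        for alert in data:
            if alert["_id"] not in seen:
                seen.add(alert["_id"])
                yield alert
        if len(data) < limit:
            return
        skip += limit

def dlp_alerts_since(fetch, insertion_epoch, limit=PAGE_LIMIT):
    """Incremental pull of unacknowledged DLP alerts inserted after a saved high-water mark.
    insertionstarttime is the assumed name of the insertion-time filter parameter."""
    params = {"type": "DLP", "ack": "false", "insertionstarttime": str(insertion_epoch)}
    return list(iter_alerts(fetch, params, limit))

# Constructed sample alerts (not real tenant data) so the example runs offline.
SAMPLE_ALERTS = [
    {"_id": "a1", "user": "alice@example.com", "_insertion_epoch_timestamp": 1603967916},
    {"_id": "a2", "user": "bob@example.com", "_insertion_epoch_timestamp": 1603967920},
    {"_id": "a3", "user": "alice@example.com", "_insertion_epoch_timestamp": 1603967930},
]

def make_fake_fetch(alerts):
    """Stand-in for the tenant: applies insertionstarttime, skip and limit the way the API does."""
    def fetch(params):
        since = int(params.get("insertionstarttime", 0))
        rows = [a for a in alerts if a["_insertion_epoch_timestamp"] > since]
        skip, limit = int(params["skip"]), int(params["limit"])
        return {"status": "success", "msg": "", "data": rows[skip:skip + limit]}
    return fetch
```

Against a real tenant, pass a fetcher that sends `build_request(tenant, token, params)` through `urllib.request.urlopen` and returns the decoded JSON; persist the largest `_insertion_epoch_timestamp` seen and feed it back as the next high-water mark.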
Query for DLP violations grouped by user:

```http
POST https://<tenant-name>.goskope.com/api/v1/report?query=alert_type eq DLP&type=alert&groupby=user&timeperiod=2592000
```

- Set the endpoint name to `report`.
- Set `query=alert_type eq DLP` to query for DLP alerts.
- Set `type=alert` to query for DLP alerts.
- Set `groupby=user`.