Skip to main content

Netskope Help

REST API Events and Alerts Response Descriptions

These are the response descriptions for the Get Events Data and Get Alerts Data endpoints.

Parameter Grouping

Parameter Name

Descriptions

Data Type

Example Responses

App Events

Page Events

Alerts

General

timestamp

Timestamp when the event/alert happened. Event timestamp in Unix epoch format.

Integer

1443811033

Y

Y

Y

General

_insertion_epoch_timestamp

Insertion timestamp

Integer

1485025255

Y

Y

Y

General

src_timezone

Source timezone. Shows the long format timezone designation.

String

America/Los_Angeles

Y

Y

Y

General

dst_timezone

Destination timezone

String

America/New_York

Y

Y

Y

General

type

Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection.

String

Value for Application Events: nspolicy

Value for Page Events: connection

Values for Alerts: nspolicy, connection, breach, anomaly, malsite

Y

Y

Y

General

access_method

Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event.

For log uploads this shows the actual log type such as PAN, Websense, etc.

String

Client, Secure Forwarder, API Connector, Proxy Chaining, Reverse Proxy

Y

Y

Y

General

traffic_type

Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights.

String

CloudApp, Web

Y

Y

Y

General

action

Action taken on the event for the policy

String

useralert, Detection, bypass, block, alert, restrictToView, disableDownload, legalHold, expireLink, restrictAccess, delete, quarantine

Y

Y

Y

General

fromlogs

Shows if the event was generated from the Risk Insights log.

String

yes

Y

Y

Y

General

user_generated

Tells whether it is user generated page event

Boolean

yes, no

N

Y

Y

General

tunnel_id

Shows the Client installation ID. Only available for the Client steering configuration.

String

c5b07447-e86e-4722-b59e-81144

Y

Y

Y

General

request_id

Unique request ID for the event

Integer

1,590

Y

N

Y

General

transaction_id

Unique ID for a given request/response

String

1843244978932892112

Y

Y

Y

General

connection_id

Each connection has a unique ID. Shows the ID for the connection event.

LongInt

117073088998365

Y

Y

Y

General

conn_duration

Duration of the connection in milliseconds. Useful for querying long-lived sessions.

Integer

59000

Y

Y

Y

General

conn_starttime

Connection start time

Float

1480330369

N

Y

Y

General

conn_endtime

Connection end time

Float

1480330428

N

Y

Y

General

latency_min

Min latency for a connection in milliseconds

Integer

47

N

Y

Y

General

latency_max

Max latency for a connection in milliseconds

Integer

651

N

Y

Y

General

latency_total

Total latency from proxy to app in milliseconds

Integer

3797

N

Y

Y

General

req_cnt

Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection.

Integer

21

Y

Y

Y

General

resp_cnt

Total number of HTTP responses (equal to number of transaction events for this page event) from server to client

Integer

21

Y

Y

Y

General

http_transaction_count

HTTP transaction count

Integer

300

N

Y

Y

General

numbytes

Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes

Integer

18177

Y

Y

Y

General

client_bytes

Total number of bytes uploaded from client to server

Integer

1093

Y

Y

Y

General

server_bytes

Total number of downloaded from server to client.

Integer

17084

Y

Y

Y

General

suppression_key

To limit the number of events. Example: Suppress block event for browse

String

2019-01-07_1135.zip

Y

N

Y

General

suppression_start_time

When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence.

Integer

1443811033

Y

Y

Y

General

suppression_end_time

When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence.

Integer

1443811078

Y

Y

Y

General

count

Number of raw log lines/events sessionized or suppressed during the suppressed interval.

Integer

1

Y

Y

Y

General

bypass_traffic

Tells if traffic is bypassed by Netskope

Boolean

yes, no

N

Y

Y

General

ssl_decrypt_policy

Applicable to only bypass events. There are 2 ways to create rules for bypass:

  • Bypass due to Exception Configuration

  • Bypass due to SSL Decrypt Policy

The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event.

String

yes, no

N

Y

Y

General

dynamic_classification

URLs were categorized by NSURLC machine or not

String

yes, no

N

N

Y

General

dst_geoip_src

Source from where the location of Destination IP was derived

Integer

1

Y

Y

Y

General

src_geoip_src

Source from where the location of Source IP was derived

Integer

2

Y

Y

Y

General

modified

Timestamp corresponding to the modification time of the entity (file, etc.)

DateTime

2017-01-17T08:56:05

Y

Y

Y

Alert

alert

Indicates whether alert is generated or not.

Populated as yes for all alerts.

String

yes, no

Y

Y

Y

Alert

alert_name

Name of the alert

String

proximity, rare_event, risky_country, user_shared_credentials,

data_exfiltration, mlad

Y

Y

Y

Alert

alert_type

Type of the alert

String

Values for Alerts: watchlist, policy, DLP, Legal Hold, quarantine, Malware, malsite, anomaly, Compromised Credential, Security Assessment 

Values for App Events: policy, DLP, quarantine, Legal Hold, Malware, Security Assessment, Remediation

Y

Y

Y

Alert

acked

Whether user acknowledged the alert or not

Boolean

false, true

Y

Y

Y

Alert

severity

Severity used by watchlist and malware alerts

String

low, medium, high, unknown, null

Y

Y

Y

Alert

severity_id

Severity ID used by watchlist and malware alerts

Integer

1, 2, 3, null

Y

N

Y

Alert

policy_id

The Netskope internal ID for the policy created by an admin

Integer

1, 8

Y

N

Y

Alert

policy

Name of the policy configured by an admin

String

PCI Files in OneDrive

Y

Y

Y

Alert

profile_emails

List of profile emails per policy

String

["dlp_policy@netskope.com"]

Y

N

Y

Alert

justification_reason

Justification reason provided by user.

For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block:

  1. useralert policy

  2. dlp block policy

  3. block policy with custom template which contains justification text box

String

Provided reason

Y

N

Y

Alert

justification_type

Type of justification provided by user when user bypasses the policy block

String

falsePositive, justification

Y

N

Y

Application

app

Specific cloud application used by the user (e.g. app = Dropbox).

String

Google Drive

Y

Y

Y

Application

appcategory

Application Category as designated by Netskope

String

Collaboration, Customer Relationship Management, Cloud Storage, IaaS/PaaS

Y

Y

Y

Application

ccl

Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity.

Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL.

String

excellent, high, medium, low, poor, unknown, not_defined

Y

Y

Y

Application

site

For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com".

String

cnn.com

Y

Y

Y

Application

url

URL of the application that the user visited as provided by the log or data plane traffic

String

www.evernote.com/shard/s2 31/notestore

Y

Y

Y

Application

page

The URL of the originating page

String

www.google.co.in/search?q=

railway

Y

Y

Y

Application

domain

Domain value. This will hold the host header value or SNI or extracted from absolute URI.

String

google.co.in

Y

Y

Y

Application

sessionid

Populated by Risk Insights

Integer

34014529

Y

Y

Y

Application

app_session_id

Unique App/Site Session ID for traffic_type = CloudApp and Web.

An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain.

String

1.42333E+14

Y

Y

Y

Application

referer

Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic

String

https://portal.office.com/Admi nPortal/Home

Y

Y

Y

Application

managed_app

Whether or not the app in question is managed

Boolean

yes, no

Y

N

Y

Application

telemetry_app

Typically SaaS app web sites use web analytics code within the pages to gather analytic data.

When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the

Telemetry App field.

String

doubleclick, Amazon S3, google, Microsoft Office 365 Suite, Adswizz, fbcdn

Y

N

Y

Application

instance_id

Unique ID associated with an organization application instance

String

nammazone.com

Y

N

Y

Application

instance

Instance associated with an organization application instance

String

nammazone.com

Y

Y

Y

Application

instance_name

Instance name associated with an organization application instance

String

netskope.com

Y

N

Y

Application

instance_type

Instance type

String

VirtualPrivateCloud, Server, Image, Document, Managed

Instance, LoadBalancer

Y

N

Y

Application

object

Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc.

String

Resume.doc

Y

Y

Y

Application

object_id

Unique ID associated with an object

String

3214

Y

N

Y

Application

object_type

Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc.

String

File, User, Note

Y

N

Y

Application

from_object

Initial name of an object that has been renamed, copied or moved

String

test1

Y

N

Y

Application

to_object

Changed name of an object that has been renamed, copied, or moved

String

test2

Y

N

Y

Application

object_count

Displayed when the activity is Delete. Shows the number of objects being deleted

Integer

3

Y

N

Y

Application Specific

enterprise_id

EnterpriseID in case of Slack for Enterprise

String

E8D23NJ1H

Y

N

Y

Application Specific

enterprise

Enterprise name in case of Slack for Enterprise

String

Netskope enterprise

Y

N

Y

Application Specific

workspace_id

Workspace ID in case of Slack for Enterprise

String

TDFHG3CLF

Y

N

Y

Application Specific

workspace

Workspace name in case of Slack for Enterprise

String

Netskope workspace

Y

N

Y

Application Specific

team

Slack team name

String

Netskope team

Y

N

Y

Application Specific

channel

Channel of the user for slack and slack enterprise apps

String

channel1

Y

N

Y

Application Specific

sub_type

Workplace by Facebook post sub category (files, comments, status etc)

String

file, comment, post

Y

N

Y

Application Specific

violating_user

User who caused a vioaltion. Populated for Workplace by Facebook

String

example@netskope.com

Y

N

Y

Application Specific

violating_user_type

Category of the user who caused a violation. Populated for Workplace by Facebook.

String

Internal, External

Y

N

Y

Application Specific

logintype

Salesforce login type

String

Remote Access 2.0, Other Apex API, Remote Access Client

Y

N

Y

Application Specific

loginurl

Salesforce login URL

String

my.salesforce.com

Y

N

Y

Application Specific

new_value

New value for a given file for salesforce.com

String

2019-01-18 3:33:58

Y

N

Y

Application Specific

old_value

Old value for a given file for salesforce.com

String

2019-01-17 3:33:58

Y

N

Y

Application Specific

scopes

List of permissions for google apps

String

["https://www.googleapis.com

/auth/cloud-platform", "https://www.googleapis.com/ auth/userinfo.email"]

Y

N

Y

Application Specific

session_id

Session ID for Dropbox application

Integer

1.77573E+14

Y

N

Y

Application Specific

user_role

Roles such as admin, owner etc for Box

String

Admin, coadmin, user

Y

N

Y

Application Specific

role

Roles for Box

String

Editor, Previewer, Previewer Uploader, Uploader, Viewer, Viewer Uploader, Owner, Co- owner

Y

N

Y

Activity

activity

Description of the user performed activity

String

Download, Invite, Issue, Join, Login Attempt, Login Failed, Login Successful, Logout, Mark, Markup, Move, Upload, View, View All

Y

Y

Y

Activity

activity_type

Displayed when only admins can perform the activity in question

String

Admin

Y

N

Y

Activity

act_user

User doing an activity

String

user@netskope.com

Y

N

Y

Activity

activity_status

Displayed when the user is denied access while performing some activity

String

Access Denied

Y

N

Y

Activity

Url2Activity

Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only.

String

Yes

Y

N

Y

Activity

ns_activity

Maps app activity to Netskope standard activity.

String

Download, Upload, view, unlock

Y

N

Y

Activity

audit_category

The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google.

String

IAM, Lambda, S3, access, Compute Engine, Elasticloadbalancing, EC2, event_change, acl_change

Y

N

Y

Activity

audit_type

The sub category in audit according to SaaS / IaaS apps

String

download, edit, create, view, HeadBucket

Y

N

Y

User

userkey

User ID or email

String

user@netskope.com

Y

Y

Y

User

user_id

User email

String

user@netskope.com

Y

N

Y

User

user

User email

String

user@netskope.com

Y

Y

Y

User

user_name

Name of user

String

TestUser

Y

N

Y

User

ur_normalized

All lower case user email

String

user@netskope.com

Y

Y

Y

User

user_normalized

All lower case user email

String

user@netskope.com

N

N

Y

User

userip

IP address of User

String

xxx.xxx.xxx.xx

Y

Y

Y

User

useragent

Browser HTTP user agent header

String

Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0)

Gecko/20100101

Firefox/50.0

Y

Y

Y

User

user_category

Type of user in an enterprise - external / internal

String

Internal

Y

N

Y

User

organization_unit

Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application.

String

Maximum of 5 levels: "OU1/OU2/OU3/OU4/OU5"

Y

Y

Y

User

org

Search for events from a specific organization. Organization name is derived from the user ID.

String

sampleorganization.org

Y

Y

Y

User

os

Operating system of the host who generated the event.

String

Yosemite

Y

Y

Y

User

os_version

OS version of the host

String

Windows 7

Y

Y

Y

User

browser

Shows the actual browser from where the cloud app was accessed.

String

BlackBerry, Chrome, Firefox, iCab, Mobile, MSIE, Native, Opera, RockMelt, Safari, Skyfire, Tencent, Thunderbird

Y

Y

Y

User

browser_version

Browser version

String

50

Y

Y

Y

User

browser_session_id

Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session.

LongInt

75256867583232

Y

Y

Y

User

device

Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc.

String

Android Device, iOS Device. iPad, iPhone, Linux Device, Mac Device, Windows Device, Other Device

Y

Y

Y

User

device_classification

Designation of device as determined by the Netskope Client as to whether the device is managed or not.

String

managed, not configured, unknown, unmanaged

Y

N

Y

User

hostname

Host name

String

example's Macbook Pro

Y

Y

Y

User

nsdeviceuid

Device identifiers on macOS and Windows

String

zndbgI=

Y

N

Y

User

managementID

Management ID

String

FFD2E8A

Y

N

Y

Source

srcip

IP address of source/user

String

xxx.xxx.xxx.xx

Y

Y

Y

Source

src_location

User's city as determined by the Maxmind or IP2Location Geodatabase

String

San Jose

Y

Y

Y

Source

src_region

Source state or region as determined by the Maxmind or IP2Location Geodatabase

String

California

Y

Y

Y

Source

src_latitude

Latitude of the user as determined by the Maxmind or IP2Location Geodatabase

Integer

[xx.xxxx]

Y

Y

Y

Source

src_longitude

Longitude of the user as determined by the Maxmind or IP2Location Geodatabase

Integer

[-xxx.xxx]

N

Y

N

Source

src_country

User's country's two-letter Country Code as determined by the Maxmind or IP2Location Geodatabase

String

US

Y

Y

Y

Source

src_zipcode

Source zip code as determined by the Maxmind or IP2Location Geodatabase

String

95134

Y

Y

Y

Destination

dstip

IP address where the destination app is hosted

String

xxx.xxx.xxx.xx

Y

Y

Y

Destination

dst_location

Application's city as determined by the Maxmind or IP2Location Geodatabase

String

Mountain View

Y

Y

Y

Destination

dst_region

Application's state or region as determined by the Maxmind or IP2Location Geodatabase

String

California

Y

Y

Y

Destination

dst_latitude

Latitude of the Application as determined by the Maxmind or IP2Location Geodatabase

Integer

[xx.xxxx]

Y

Y

Y

Destination

dst_longitude

Longitude of the Application as determined by the Maxmind or IP2Location Geodatabase

Integer

[-xxx.xxx]

N

Y

N

Destination

dst_country

Application's two-letter country code as determined by the Maxmind or IP2Location Geodatabase

String

US

Y

Y

Y

Destination

dst_zipcode

Application's zip code as determined by the Maxmind or IP2Location Geodatabase

String

94043

Y

Y

Y

Destination

dstport

Destination port

Integer

443, 80 (1-65535)

Y

Y

Y

Destination

dsthost

Destination host

String

mail.yahoo.com

Y

Y

Y

Introspection

retro_scan_name

Retro scan name

String

Retro_Scan_box_netskope.com_20181213_1616

Y

Y

Y

Introspection

scan_type

Generated during retroactive scan or new ongoing activity

String

Ongoing, ongoing, retroactive, Retroactive

Y

N

Y

File

file_id

Unique identifier of the file

String

0B3jELp0mSNw2dTZDNUhpUGpjUGgxQUY5OUZI

Y

N

Y

File

filename

Name of the file

String

PandasDFTests.py

Y

N

Y

File

title

Title of the file

String

PandasDFTests.py

Y

Y

Y

File

mime_type

MIME type of the file

String

application/pdf

Y

N

Y

File

data_type

Content type of upload/download

String

application/xml

Y

Y

Y

File

md5

md5 of the file

String

295a6f156624f73c31a9a670

d9a41914

Y

Y

Y

File

file_size

Size of the file in bytes

Integer

22854

Y

N

Y

File

file_type

File type

String

text/plain, application/pdf, etc.

Y

Y

Y

File

file_lang

Language of the file

String

SWEDISH

Y

Y

Y

File

path_id

Path ID of the file in the application

Integer

3.94218E+11

Y

N

Y

File

file_path

Path of the file in the application

String

/sample/file.pdf

Y

N

Y

File

owner

Owner of the file

String

example@netskope.com

Y

N

Y

File

original_file_path

If the file is moved, then keep original path of the file in this field

String

29208ee0-021e-4cb2-87b4-c9303880

Y

N

Y

File

from_user

Email address used to login to the SAAS app

String

example@netskope.com

Y

N

Y

File

from_user_category

Type of from_user

String

Internal, External

Y

N

Y

File

to_user

Used when a file is moved from user A to user B. Shows the email address of user B

String

example@netskope.com

Y

N

Y

File

to_user_category

Type of user to which move is done

String

Internal, External

Y

N

Y

File

shared_with

Array of emails with whom a document is shared with

String

[aaaa@netskope.com,nnnn@netskope.com,dddd@netskope.com]

Y

Y

Y

File

shared

If the file is shared or not

Boolean

true, false

Y

N

Y

File

shared_type

Shared Type

String

internal, external, private, enterprise

Y

N

Y

File

shared_domains

List of domains of users the document is shared with

String

[netskope.com, yahoo.com]

Y

N

Y

File

exposure

Exposure of a document

String

private, public, public_on_web, enterprise, external, internal, anyone_with_link

Y

Y

Y

File

attachment

File name

String

image001.png

Y

N

Y

File

encrypt_failure

Reason of failure while encrypting

String

Failed getting encryption Key

Y

N

Y

File

log_file_name

Log file name for Risk Insights

String

20190205T0917_0.csv.gz

Y

Y

Y

File

file_passwd_protected

Tells if the file is password protected

Boolean

TRUE

Y

N

Y

File

web_url

File preview URL

String

https://drive.google.com/open?id=1234

Y

N

Y

File

external_collaborator_count

Count of external collaborators on a file/folder. Supported for some apps.

Integer

4

Y

Y

Y

File

internal_collaborator_count

Count of internal collaborators on a file/folder. Supported for some apps.

Integer

3

Y

N

Y

File

total_collaborator_count

Count of collaborators on a file/folder. Supported for some apps.

Integer

7

Y

N

Y

DLP

dlp_incident_id

Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID.

LongInt

146831431522000

Y

Y

Y

DLP

dlp_parent_id

Incident ID associated with main container (or non-container) file that was scanned

LongInt

146831431522000

Y

Y

Y

DLP

dlp_file

File/Object name extracted from the file/object

String

Credit Report.pdf

Y

N

Y

DLP

dlp_profile

DLP profile name

String

DLP-PCI

Y

Y

Y

DLP

dlp_rule

DLP rule that triggered

String

Name-Credit Card (CC)

Y

Y

Y

DLP

dlp_rule_count

Count of rule hits

Integer

5

Y

Y

Y

DLP

dlp_rule_severity

Severity of rule

String

Low, Medium, High, Critical

Y

Y

Y

DLP

dlp_fingerprint_classification

Fingerprint classification

String

Senstive Customer Information, PII

Y

N

Y

DLP

dlp_fingerprint_match

Fingerprint classification match file name

String

Top_100_Existing_Accounts_11_1_18.xlsx

Y

N

Y

DLP

dlp_fingerprint_score

Fingerprint classification score

Integer

0-100

Y

N

Y

DLP

dlp_rule_score

DLP rule score for weighted dictionaries

Integer

13

Y

N

Y

DLP

dlp_is_unique_count

True or false depending upon if rule is unique counted per rule data

Boolean

true, false

Y

Y

Y

DLP

dlp_unique_count

Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted.

Integer

10

Y

N

Y

Quarantine

quarantine_file_id

File ID of the quarantined file

String

435bd35a-e021-4a2c-bc41-ba281f91

Y

N

Y

Quarantine

quarantine_profile_id

Quarantine profile ID

Integer

2

Y

N

Y

Quarantine

quarantine_profile

Quarantine profile name of policy for quarantine action

String

Quarantine Data – OneDrive

Y

N

Y

Quarantine

quarantine_failure

Reason of failure

String

Quarantine failed; file transfer failure

Y

N

Y

Quarantine

quarantine_action_reason

Reason for the action taken for quarantine

String

Previously quarantined file still blocked because admin decision is pending

Y

N

Y

Quarantine

q_admin

Quarantine profile custodian email/name

String

example@netskope.com

Y

N

Y

Quarantine

q_app

Quarantine app name

String

Box

Y

N

Y

Quarantine

q_instance

Quarantine instance name

String

Box Production

Y

N

Y

Quarantine

q_original_filename

Original file name which got quarantined

String

Sensitive File

Y

N

Y

Quarantine

q_original_filepath

Original file path which got quarantined

String

All/Folder1/Folder2

Y

N

Y

Quarantine

q_original_shared

Original file shared user details

String

Private

Y

N

Y

Quarantine

q_original_version

Original version of file which got quarantined

String

1

Y

N

Y

Quarantine

quarantine_file_name

File name of the quarantine file

String

sensitivefile.txt

Y

N

Y

Legal Hold

legal_hold_profile_name

Legal hold profile name

String

Legal hold Test Profile

Y

N

Y

Legal Hold

lh_custodian_email

Custodian email of legal hold profile

String

example@netskope.com

Y

N

Y

Legal Hold

lh_custodian_name

Custodian name of legal hold profile

String

Kelly Oar

Y

N

Y

Legal Hold

lh_dest_app

Destination appname of legalhold action

String

Box

Y

N

Y

Legal Hold

lh_dest_instance

Destination instance of legal hold action

String

Box Production

Y

N

Y

Legal Hold

lh_fileid

File ID of legal hold file

String

3.97035E+11

Y

N

Y

Legal Hold

lh_filename

File name of legal hold file

String

Sensitive file_v1_2016-04-2707-00-15(UTC)

Y

N

Y

Legal Hold

lh_filepath

File path of legal hold file

String

All/Folder1/Folder2

Y

N

Y

Legal Hold

lh_original_filename

Original filename of legal hold file

String

Sensitive File

Y

N

Y

Legal Hold

lh_shared

Shared type of legal hold file

String

Internal

Y

N

Y

Legal Hold

lh_shared_with

User shared with the legal hold file

String

["example1@netskope.com", "example2@netskope.com"]

Y

N

Y

Legal Hold

lh_version

File version of original file

String

1

Y

N

Y

Anomaly

orig_ty

Event Type of original event

String

nspolicy, connection

N

Y

Y

Anomaly

last_timestamp

Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert.

LongInt

1549296669

N

Y

Y

Anomaly

last_app

Last application (app in the first/older event). Applies to only proximity anomaly alert.

String

Facebook

N

Y

Y

Anomaly

last_device

Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert.

String

Windows Device

N

Y

Y

Anomaly

last_country

Last location (Country). Applies to only proximity anomaly alert.

String

US

N

Y

Y

Anomaly

last_location

Last location (City). Applies to only proximity anomaly alert.

String

Chicago

N

Y

Y

Anomaly

last_region

Applies to only proximity anomaly alert.

String

Pennsylvania

N

Y

Y

Anomaly

download_app

Applicable to only data exfiltration. Download App (App in the download event).

String

Google Gmail

N

N

Y

Anomaly

shared_credential_user

Applicable to only shared credentials.

User with whom the credentials are shared with.

String

Michael Sam

N

N

Y

Anomaly

threshold_time

Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. Threshold Time

LongInt

Default time (86400 Seconds)

N

N

Y

Anomaly

bin_timestamp

Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type.

Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour).

LongInt

1549411200

N

N

Y

Anomaly

threshold

Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type

Integer

205

N

Y

Y

Anomaly, MLAD

event_type

Anomaly type

String

App Events: Info, error Alerts: proximity, rare_event, risky_country, user_shared_credentials, data_exfiltration, bulk_upload, bulk_download, mlad

Y

Y

Y

Anomaly, MLAD

profile_id

Anomaly profile ID

String

NS_101 which means proximity alert

NS_103, NS_102, NS_307, NS_306, NS_304, NS_303, NS_305, NS_301, NS_403, NS_401

Y

Y

Y

Anomoly, MLAD

risk_level_id

This field is set by both role-based access (RBA) and MLAD

Integer

1,2,0

N

Y

Y

Anomoly, MLAD

risk_level

Corresponding field to risk_level_id. Name

String

low, med, high

Y

Y

Y

Malsite

malicious

Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert.

Boolean

TRUE

Y

Y

Y

Malsite

malsite_active

Since how many days malsite is Active

Integer

2

N

N

Y

Malsite

malsite_as_number

Malsite ASN Number

String

AS35838 CCANet Limited

N

N

Y

Malsite

malsite_confidence

Malsite confidence score

Integer

100

N

N

Y

Malsite

malsite_consecutive

How many times that malsite is seen

Integer

1

N

N

Y

Malsite

malsite_category

Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]

String

["Malcious Site"]

Y

N

Y

Malsite

malsite_country

Malsite country

String

US

N

N

Y

Malsite

malsite_region

Region of the malsite URL/IP/Domain

String

Texas

N

N

Y

Malsite

malsite_city

Malsite city

String

Los Angeles

N

N

Y

Malsite

malsite_dns_server

DNS server of the malsite URL/Domain/IP

String

xxx.xxx.com

N

N

Y

Malsite

malsite_first_seen

Malsite first seen timestamp

Integer

1485302400

N

N

Y

Malsite

malsite_hostility

Malsite hostility score

Integer

5

N

N

Y

Malsite

malsite_ip_host

Malsite IP

String

xxx.xxx.x.xxx

N

N

Y

Malsite

malsite_isp

Malsite ISP info

String

CCANET Limited

N

N

Y

Malsite

malsite_longitude

Longitude plot of the Malsite URL/IP/Domain

Float

x.xxxx

N

N

Y

Malsite

malsite_latitude

Latitude plot of the Malsite URL/IP/Domain

Float

xx.xxx

N

N

Y

Malsite

malsite_last_seen

Malsite last seen timestamp

Integer

1486339200

N

N

Y

Malsite

malsite_reputation

Reputation score of Malsite IP/Domain/URL

Float

7.4

N

N

Y

Malsite

malsite_id

Malicious Site ID - Hash of threat match value

String

9228edb31a922c392ba3746

N

N

Y

Malsite

severity_level_id

If the Severity Level ID is 1, it means that URL / IP /Domain is detected from Internal threat feed and if Severity Level ID is 2, then it means the detection happened based on the OEM DB Malsite Category.

Integer

0, 1, 2, 3

N

N

Y

Malsite

severity_level

Severity level of the Malsite ( High / Med / Low)

String

low, medium, high

N

N

Y

Malsite

threat_match_field

Threat match field, either from domain or URL or IP.

String

domain, url, ip

Y

N

Y

Malsite

threat_source_id

Threat source id: 1 - NetskopeThreatIntel, 2 - OEM DB

Integer

1,2

Y

N

Y

Malware

scan_time

Time when the scan is done

LongInt

1474308875

Y

N

Y

Malware

malware_id

md5 hash of the malware name as provided by the scan engine

String

Any md5 hash string (as hexadecimal string)

Y

N

Y

Malware

malware_type

What type (virus, etc) of a threat is this?

String

Adware, Dialer, Malicious App, Spam, Phishing, Spyware, Virus, Heuristic, No Detection, Encrypted/Unscannable, Trojan, Error, Misleading Application

Y

N

Y

Malware

detection_type

Same as malware type. Duplicate.

String

virus, trojan

Y

N

Y

Malware

malware_severity

How severe is the threat posed by this malware

String

high, medium, low

Y

N

Y

Malware

malware_name

What is the detection name for this threat

String

Gen.Ransom.Encrypted.File.ns

Y

N

Y

Malware

detection_engine

Customer exposed detection engine name

String

Netskope AV, Netskope Threat Intel, Netskope Advanced Heursitics, Netskope Advanced Sandbox

Y

N

Y

Malware

tss_mode

Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection

String

Introspection, Inline

Y

N

Y

Malware

malware_profile

tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure.

String

Default Malware Scan

Y

N

Y

Malware

zip_password

Zip the malacious file and put pwd to it and send it back to caller

String

netskope

Y

N

Y

Malware

local_md5

md5 hash of file generated by the Malware engine

String

3b30d5c68bfe

Y

N

Y

Malware

local_sha256

sha256 hash of file generated by the Malware engine

String

3b30d5c68bfe

Y

N

Y

Malware

local_sha1

sha1 hash of file generated by the Malware engine

String

3b30d5c68bfe

Y

N

Y

Compromised Credentials

breach_id

Breach ID for compromised credentials

String

95e2e98ac17cf08de4b82f94 356dc51e

N

N

Y

Compromised Credentials

breach_date

Breach date for compromised credentials

Integer

1524700800

N

N

Y

Compromised Credentials

breach_score

Breach score for compromised credentials

Integer

30, 100

N

N

Y

Compromised Credentials

breach_target_references

Breach target references for compromised credentials

String

forbes.com

N

N

Y

Compromised Credentials

breach_media_references

Media references of breach

String

http://news.something.com/8301- 1009_3-57618945-83/syrian- electronic-army-hacks-forbes-steals-user-data/

N

N

Y

IaaS CSA

sa_profile_name

CSA profile name

String

PCI-DSS v3.2.1 (Azure)

Y

N

Y

IaaS CSA

sa_profile_id

CSA profile ID

Integer

-2002000

Y

N

Y

IaaS CSA

sa_rule_id

CSA rule ID

Integer

-2002041

Y

N

Y

IaaS CSA

sa_rule_name

CSA rule name

String

PCI-AZR | 5.1 Ensure that the endpoint protection for all Virtual Machines is installed

Y

N

Y

IaaS CSA

sa_rule_severity

Rule severity

String

Critical, High, Medium, Low

Y

N

Y

IaaS CSA

account_id

Account ID (usually is account number as provided by the cloud provider)

String

a776ab3b-0d9d-401e-a31d-2f478a4c

Y

N

Y

IaaS CSA

account_name

Account name - in case of AWS this is the instance name set by user. For others, account name is provided by the cloud provider.

String

iaas-azure-dev

Y

N

Y

IaaS CSA

iaas_asset_tags

List of tags associated with the asset for which alert is raised. Each tag is a key/value pair

Array of dictionary objects (name/value pairs)

[{"name": "major environment", "value": "test"}, {"name": "owner", "value": "abc" }]

Y

N

Y

IaaS CSA

run_id

Run ID

Integer

15

Y

N

N

IaaS CSA

region_id

Region ID (as provided by the cloud provider)

String

eastus2

Y

N

Y

IaaS CSA

region_name

Region Name (as provided by the cloud provider)

String

East US 2

Y

N

Y

IaaS CSA

resource_category

Category of resource as defined in DOM

String

Compute

Y

N

Y