Viewing Patient Zero Events
A patient zero event occurs when a user downloads a file that signature-based analysis (e.g., the Netskope AV engine) in Standard Threat Protection does not detect. If you have Advanced Threat Protection, Netskope then scans the file and determines that it is malicious through behavior-based analysis (e.g., Cloud Sandbox) or advanced heuristics analysis, and triggers a malware alert for the patient zero users to accelerate remediation actions for your organization. You can investigate these events in Skope IT Alerts.
You can also integrate with endpoint detection and response (EDR) vendors via Netskope Cloud Exchange (CE) to detect and isolate the downloaded file on an endpoint.
To view patient zero events:
1. Go to Skope IT > Alerts.
2. Choose a time frame.
3. Under Filters, click to switch to query mode.
4. Enter the following query:
   (alert_name eq 'Patient Zero')
5. Click Search. Based on the chosen time frame, all patient zero events Netskope discovered appear.
6. Click to view more information on the patient zero event. Following are some helpful fields for investigating the event:
MD5: The MD5 hash calculated from the malicious file during detection. You can use this hash value to filter Skope IT events and view other malware detections associated with the file. See Investigating with the MD5.
File Name: The name of the malicious file. Click to view the file details, which displays analysis from the detection engine.
Malware Name: The name of the detected malware. Click to view malware details, which displays the impacted files and users.
Investigating with the MD5
You can use MD5 to filter Skope IT events and view other malware detection alerts associated with the patient zero event.
To investigate with the MD5:
1. In the Alert Details pane, copy the MD5.
2. Choose a time frame.
3. On the Alerts page, under Filters, enter the following query:
   (md5 eq '<MD5>')
   Replace <MD5> with the MD5 hash value you copied in Step 1. Your query should look similar to:
   (md5 eq '5d1f657812072e43968456f4d0636138')
4. Click Search. All malware detection alerts that are associated with the MD5 appear.
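The two procedures above (listing patient zero events, then pivoting on the MD5) can be rehearsed offline on exported alert records. The following is an added example, not Netskope code or part of this page: it builds the two Skope IT query strings shown above, validates and case-normalizes a hash copied from the Alert Details pane before it goes into a query, runs the same selection over a constructed set of alert records, and hashes a file chunk-wise so a copy retrieved from an endpoint can be compared against the alert's MD5 field. The records, the hash values and the `user` field are constructed for illustration; `alert_name`, `md5`, `file_name` and `malware_name` are the field names the page uses.

```python
"""Offline walk-through of the patient zero investigation described above."""
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed sample Skope IT alert records (not real Netskope data). The field
# names alert_name, md5, file_name and malware_name are the ones the page uses;
# 'user' is an assumed field for the impacted account.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"alert_name": "Patient Zero", "md5": "5d1f657812072e43968456f4d0636138",
     "file_name": "invoice.xlsm", "malware_name": "Trojan.Generic",
     "user": "alice@example.com"},
    {"alert_name": "Malware", "md5": "5d1f657812072e43968456f4d0636138",
     "file_name": "invoice.xlsm", "malware_name": "Trojan.Generic",
     "user": "bob@example.com"},
    # Same file, but the hash was exported in upper case: normalization must match it.
    {"alert_name": "Malware", "md5": "5D1F657812072E43968456F4D0636138",
     "file_name": "invoice (1).xlsm", "malware_name": "Trojan.Generic",
     "user": "carol@example.com"},
    {"alert_name": "Malware", "md5": "0123456789abcdef0123456789abcdef",
     "file_name": "setup.exe", "malware_name": "Adware.Generic",
     "user": "dave@example.com"},
]

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def is_md5(value: str) -> bool:
    """True if value is a 32-character hex digest, i.e. the shape of an MD5."""
    return bool(MD5_HEX.match(value.strip()))


def normalize_md5(value: str) -> str:
    """Trim and lower-case a hash copied from the Alert Details pane.

    Anything that is not an MD5 is rejected, so a typo or a pasted SHA-256
    never turns into a query that silently matches nothing.
    """
    if not is_md5(value):
        raise ValueError(f"not an MD5 hex digest: {value!r}")
    return value.strip().lower()


def patient_zero_query() -> str:
    """The Skope IT query from the page that lists patient zero events."""
    return "(alert_name eq 'Patient Zero')"


def md5_query(md5: str) -> str:
    """The follow-up query from the page, with the hash validated first."""
    return f"(md5 eq '{normalize_md5(md5)}')"


def find_patient_zero(alerts: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Offline equivalent of running patient_zero_query() over the alert set."""
    return [a for a in alerts if a["alert_name"] == "Patient Zero"]


def alerts_for_md5(alerts: Iterable[Dict[str, str]], md5: str) -> List[Dict[str, str]]:
    """Offline equivalent of running md5_query(): every alert sharing the hash."""
    target = normalize_md5(md5)
    return [a for a in alerts
            if is_md5(a["md5"]) and normalize_md5(a["md5"]) == target]


def impacted_users(alerts: Iterable[Dict[str, str]], md5: str) -> List[str]:
    """Distinct users, in alert order, whose downloads matched the hash."""
    seen: List[str] = []
    for a in alerts_for_md5(alerts, md5):
        if a["user"] not in seen:
            seen.append(a["user"])
    return seen


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory blob (used for the small test vectors)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file retrieved from an endpoint in chunks, so large files need not
    fit in memory; compare the result with the alert's MD5 field."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    print("step 4 query:", patient_zero_query())
    for pz in find_patient_zero(SAMPLE_ALERTS):
        print(f"patient zero: {pz['user']} downloaded {pz['file_name']} "
              f"({pz['malware_name']})")
        print("follow-up query:", md5_query(pz["md5"]))
        print("impacted users:", ", ".join(impacted_users(SAMPLE_ALERTS, pz["md5"])))
```

Run as a script, it prints the patient zero query, the single patient zero record from the sample set, the follow-up `(md5 eq '...')` query, and the three users whose downloads share that hash, including the record whose hash was exported in upper case. `md5_of_file` is the piece to point at a file recovered through the EDR integration mentioned above: if its digest equals the alert's MD5 field, the endpoint holds the same file the patient zero alert refers to.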