# Netskope (API v1)

This Integration is part of the Netskope Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

Get alerts and events, manage quarantine files as well as URL and hash lists using Netskope API v1. This integration was integrated and tested with version 93.0.7.625 of Netskope.
## Configure Netskope in Cortex

Parameter | Description | Required |
---|---|---|
Server URL | | True |
API token | | True |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
Fetch incidents | | False |
Maximum incidents per fetch | | False |
First fetch timestamp (<number> <time unit>, like 12 hours, 7 days) | | False |
Fetch Events | Fetch events as incidents, in addition to the alerts. | False |
Event types to fetch | | False |
Maximum events as incidents per fetch | | False |
## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### netskope-event-list

Get events extracted from SaaS traffic and/or logs.

#### Base Command

`netskope-event-list`

#### Input

Argument Name | Description | Required |
---|---|---|
query | Free query to filter the events. For example, "app eq Dropbox". For more information, please visit the Netskope documentation: https://docs.netskope.com/en/get-events-data.html | Optional |
event_type | Select events by their type. Possible values are: page, application, audit, infrastructure, network. | Required |
timeperiod | Get all events from a certain time period. Possible values are: Last 60 mins, Last 24 Hrs, Last 7 Days, Last 30 Days. | Optional |
start_time | Restrict events to those that have timestamps greater than the provided timestamp. | Optional |
end_time | Restrict events to those that have timestamps less than or equal to the provided timestamp. | Optional |
insertion_start_time | Restrict events to those that were inserted to the system after the provided timestamp. | Optional |
insertion_end_time | Restrict events to those that were inserted to the system before the provided timestamp. | Optional |
limit | The maximum amount of events to retrieve. Default is 50. | Optional |
page | The page number of the events to retrieve (minimum is 1). Default is 1. | Optional |
unsorted | If true, the returned data will not be sorted (useful for improved performance). Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Event.event_id | String | The unique identifier of the event. |
Netskope.Event.timestamp | Number | Unix epoch timestamp of when the event happened. |
Netskope.Event.type | String | Shows if it is an application event or a connection event. |
Netskope.Event.access_method | String | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. |
Netskope.Event.traffic_type | String | Type of the traffic: CloudApp or Web. |
Netskope.Event.count | Number | Number of raw log lines/events sessionized or suppressed during the suppressed interval. |
Netskope.Event.app | String | Specific cloud application used by the user (e.g. app = Dropbox). |
Netskope.Event.appcategory | String | Application Category as designated by Netskope. |
Netskope.Event.url | String | URL of the application that the user visited as provided by the log or data plane traffic. |
Netskope.Event.page | String | The URL of the originating page. |
Netskope.Event.domain | String | Domain value. |
Netskope.Event.object | String | Name of the object which is being acted on. |
Netskope.Event.object_id | String | Unique ID associated with an object. |
Netskope.Event.activity | String | Description of the user performed activity. |
Netskope.Event.device | String | Device type from where the user accessed the cloud app. |
Netskope.Event.category | String | The event category. |
#### Command example

```
!netskope-event-list event_type=application limit=1 start_time=2021-03-21T18:48:02.358736 end_time=2022-03-21T18:48:02.358736
```

#### Human Readable Output

##### Events List

Current page size: 1. Showing page 1 out of others that may exist.

Event Id | Timestamp | Type | Access Method | App | Traffic Type |
---|---|---|---|---|---|
a3f6cb3f22c4431defbf371b | 1647888482 | nspolicy | API Connector | Google Workspace | CloudApp |
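The following is an added example (it is not code from this integration or from Netskope) showing how the `netskope-event-list` arguments documented above translate into the filter parameters sent to the Netskope API v1 events endpoint, and which constraints a caller should enforce before the request goes out: a valid `event_type`, `timeperiod` not combined with an explicit window, start before end, ISO 8601 or epoch timestamps normalised to epoch seconds, and `limit`/`page` turned into an offset. The API-side parameter names (`type`, `timeperiod` in seconds, `starttime`/`endtime` and `insertionstarttime`/`insertionendtime` as epoch seconds, `skip`, `unsorted`) are assumptions taken from the Netskope REST API v1 documentation rather than from this page; the API token is passed separately and is deliberately not part of these filter parameters.

```python
# Added example, not the integration's own code. ASSUMPTION: the API-side
# parameter names below come from the Netskope REST API v1 docs, not this page.
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any, Optional, Union

EVENT_TYPES = {"page", "application", "audit", "infrastructure", "network"}

# Time-period labels from the argument table, mapped to the window in seconds.
TIME_PERIODS = {
    "Last 60 mins": 3600,
    "Last 24 Hrs": 86400,
    "Last 7 Days": 604800,
    "Last 30 Days": 2592000,
}


def to_epoch(value: Union[str, int]) -> int:
    """Accept epoch seconds or an ISO 8601 string (as in the command example)
    and return epoch seconds. Naive timestamps are treated as UTC."""
    if isinstance(value, int):
        return value
    text = value.strip()
    if text.isdigit():
        return int(text)
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def build_event_query(
    event_type: str,
    query: Optional[str] = None,
    timeperiod: Optional[str] = None,
    start_time: Optional[Union[str, int]] = None,
    end_time: Optional[Union[str, int]] = None,
    insertion_start_time: Optional[Union[str, int]] = None,
    insertion_end_time: Optional[Union[str, int]] = None,
    limit: int = 50,
    page: int = 1,
    unsorted: bool = False,
) -> dict[str, Any]:
    """Validate the command arguments and build the request parameters."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"event_type must be one of {sorted(EVENT_TYPES)}, got {event_type!r}")
    if limit < 1 or page < 1:
        raise ValueError("limit and page must both be at least 1")
    if timeperiod is not None and (start_time is not None or end_time is not None):
        raise ValueError("timeperiod cannot be combined with start_time/end_time")

    # Translate limit/page into the offset-based paging the endpoint uses (assumed name: skip).
    params: dict[str, Any] = {"type": event_type, "limit": limit, "skip": (page - 1) * limit}

    if timeperiod is not None:
        if timeperiod not in TIME_PERIODS:
            raise ValueError(f"timeperiod must be one of {list(TIME_PERIODS)}, got {timeperiod!r}")
        params["timeperiod"] = TIME_PERIODS[timeperiod]

    # Event-time window and insertion-time window share the same checks.
    windows = (
        ("starttime", "endtime", start_time, end_time),
        ("insertionstarttime", "insertionendtime", insertion_start_time, insertion_end_time),
    )
    for start_key, end_key, start, end in windows:
        start_epoch = to_epoch(start) if start is not None else None
        end_epoch = to_epoch(end) if end is not None else None
        if start_epoch is not None and end_epoch is not None and start_epoch >= end_epoch:
            raise ValueError(f"{start_key} must be earlier than {end_key}")
        if start_epoch is not None:
            params[start_key] = start_epoch
        if end_epoch is not None:
            params[end_key] = end_epoch

    if query:
        params["query"] = query
    if unsorted:
        params["unsorted"] = "true"
    return params


if __name__ == "__main__":
    # The arguments from the command example on this page.
    print(build_event_query("application", limit=1,
                            start_time="2021-03-21T18:48:02.358736",
                            end_time="2022-03-21T18:48:02.358736"))
```

Run stand-alone, the block prints the parameters for the command example above; the `endtime` it produces (1647888482) is the timestamp of the event shown in the Human Readable Output, which is a quick check that the conversion is right.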
### netskope-alert-list

Get alerts generated by Netskope, including policy, DLP, and watch list alerts.

#### Base Command

`netskope-alert-list`

#### Input

Argument Name | Description | Required |
---|---|---|
query | Free query to filter the alerts. For example, "alert_name like 'test'". For more information, please visit the Netskope documentation: https://docs.netskope.com/en/get-alerts-data.html | Optional |
alert_type | Select alerts by their type. Possible values are: anomaly, Compromised Credential, policy, Legal Hold, malsite, Malware, DLP, Security Assessment, watchlist, quarantine, Remediation, uba. | Optional |
acked | Whether to retrieve acknowledged alerts or not. Possible values are: true, false. | Optional |
timeperiod | Get alerts from certain time period. Possible values are: Last 60 mins, Last 24 Hrs, Last 7 Days, Last 30 days, Last 60 days, Last 90 days. | Optional |
start_time | Restrict alerts to those that have timestamps greater than the provided timestamp. | Optional |
end_time | Restrict alerts to those that have timestamps less than or equal to the provided timestamp. | Optional |
insertion_start_time | Restrict alerts which have been inserted into the system after the provided timestamp. | Optional |
insertion_end_time | Restrict alerts which have been inserted into the system before the provided timestamp. | Optional |
limit | The maximum number of alerts to return. Default is 50. | Optional |
page | The page number of the alerts to retrieve (minimum is 1). Default is 1. | Optional |
unsorted | If true, the returned data will not be sorted (useful for improved performance). Possible values are: true, false. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Alert.alert_id | String | The unique identifier of the alert. |
Netskope.Alert.timestamp | Number | Timestamp when the event/alert happened. |
Netskope.Alert.type | String | Shows if it is an application event or a connection event. |
Netskope.Alert.access_method | String | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. |
Netskope.Alert.traffic_type | String | Type of the traffic: CloudApp or Web. |
Netskope.Alert.action | String | Action taken on the event for the policy. |
Netskope.Alert.count | Number | Number of raw log lines/events sessionized or suppressed during the suppressed interval. |
Netskope.Alert.alert_name | String | Name of the alert. |
Netskope.Alert.alert_type | String | Type of the alert. |
Netskope.Alert.acked | Boolean | Whether user acknowledged the alert or not. |
Netskope.Alert.policy | String | Name of the policy configured by an admin. |
Netskope.Alert.app | String | Specific cloud application used by the user (e.g. app = Dropbox). |
Netskope.Alert.appcategory | String | Application Category as designated by Netskope. |
Netskope.Alert.dlp_file | String | File/Object name extracted from the file/object. |
Netskope.Alert.dlp_profile | String | DLP profile name. |
Netskope.Alert.dlp_rule | String | DLP rule that triggered. |
Netskope.Alert.category | String | The alert category. |
Netskope.Alert.cci | Number | The cloud confidence index. |
#### Command example

```
!netskope-alert-list limit=1 start_time=2021-03-21T18:48:02.358736 end_time=2022-03-21T18:48:02.358736
```

#### Human Readable Output

##### Alerts List

Current page size: 1. Showing page 1 out of others that may exist.

Alert Id | Alert Name | Alert Type | Timestamp | Action |
---|---|---|---|---|
0d7fa7e3cb3034bcc0ff94a5 | Gdrive - Alert on PII | DLP | 1647888450 | alert |
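The following is an added example, not code from this integration, of the fetch-incidents loop that the configuration parameters above (First fetch timestamp, Maximum incidents per fetch) and the `netskope-alert-list` arguments make possible. It shows the part that is easy to get wrong: several alerts can be inserted within the same second, and the `insertion_start_time` filter means "inserted after the provided timestamp", so a naive watermark either drops alerts or delivers them twice. The loop keeps the watermark plus the ids already delivered at that second, asks from one second earlier, and skips what it has seen. The Netskope API is not called: `FakeNetskopeClient` and `SAMPLE_ALERTS` are constructed stand-ins, and the per-alert insertion-time field name `insertion_epoch_timestamp` is an assumption that does not appear on this page.

```python
# Added example, not the integration's own code. FakeNetskopeClient and
# SAMPLE_ALERTS are constructed; ASSUMPTION: the insertion-time field is
# called insertion_epoch_timestamp (that name is not on this page).
from __future__ import annotations

import json
from datetime import datetime, timezone
from typing import Iterable

# Constructed sample alerts, using the Netskope.Alert context keys from this page.
SAMPLE_ALERTS = [
    {"alert_id": "c0ffee01", "alert_name": "Gdrive - Alert on PII", "alert_type": "DLP",
     "action": "alert", "acked": False, "timestamp": 1647888450, "insertion_epoch_timestamp": 1647888460},
    {"alert_id": "c0ffee02", "alert_name": "Gdrive - Alert on PII", "alert_type": "DLP",
     "action": "alert", "acked": False, "timestamp": 1647888451, "insertion_epoch_timestamp": 1647888460},
    {"alert_id": "c0ffee03", "alert_name": "Upload to unsanctioned app", "alert_type": "policy",
     "action": "block", "acked": False, "timestamp": 1647888455, "insertion_epoch_timestamp": 1647888465},
    {"alert_id": "c0ffee04", "alert_name": "Upload to unsanctioned app", "alert_type": "policy",
     "action": "block", "acked": False, "timestamp": 1647888456, "insertion_epoch_timestamp": 1647888465},
    {"alert_id": "c0ffee05", "alert_name": "Known malware hash", "alert_type": "Malware",
     "action": "block", "acked": False, "timestamp": 1647888461, "insertion_epoch_timestamp": 1647888470},
]

_UNITS = {"minute": 60, "minutes": 60, "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}


def first_fetch_epoch(spec: str, now: int) -> int:
    """Parse the 'First fetch timestamp' setting ("<number> <time unit>", e.g. "7 days")."""
    number, unit = spec.split()
    return now - int(number) * _UNITS[unit.lower()]


class FakeNetskopeClient:
    """Stand-in for alert listing: alerts inserted strictly after the given
    time, sorted by insertion time then id, paged with limit/page."""

    def __init__(self, alerts: Iterable[dict]):
        self._alerts = list(alerts)

    def list_alerts(self, insertion_start_time: int, limit: int, page: int = 1) -> list[dict]:
        matching = sorted(
            (a for a in self._alerts if a["insertion_epoch_timestamp"] > insertion_start_time),
            key=lambda a: (a["insertion_epoch_timestamp"], a["alert_id"]),
        )
        offset = (page - 1) * limit
        return matching[offset:offset + limit]


def alert_to_incident(alert: dict) -> dict:
    """Shape an alert as an XSOAR incident (name, occurred, rawJSON)."""
    occurred = datetime.fromtimestamp(alert["timestamp"], tz=timezone.utc)
    return {
        "name": f"Netskope {alert['alert_type']} alert: {alert['alert_name']}",
        "occurred": occurred.isoformat(),
        "rawJSON": json.dumps(alert),
    }


def fetch_incidents(client: FakeNetskopeClient, last_run: dict, first_fetch: int,
                    max_fetch: int) -> tuple[dict, list[dict]]:
    """One fetch cycle. last_run carries the insertion-time watermark and the ids
    already delivered at that exact second, so alerts sharing a second are
    neither lost nor duplicated."""
    watermark = last_run.get("last_insertion", first_fetch)
    seen = set(last_run.get("seen_ids", []))

    # The filter is strictly "after": ask from one second earlier and let
    # seen_ids drop whatever was delivered at the watermark second last time.
    candidates = client.list_alerts(insertion_start_time=watermark - 1, limit=max_fetch + len(seen))

    incidents: list[dict] = []
    for alert in candidates:
        if alert["alert_id"] in seen:
            continue
        if len(incidents) >= max_fetch:
            break
        incidents.append(alert_to_incident(alert))
        inserted = alert["insertion_epoch_timestamp"]
        if inserted > watermark:
            watermark, seen = inserted, {alert["alert_id"]}
        else:
            seen.add(alert["alert_id"])

    return {"last_insertion": watermark, "seen_ids": sorted(seen)}, incidents


def incident_ids(incidents: list[dict]) -> list[str]:
    return [json.loads(i["rawJSON"])["alert_id"] for i in incidents]


def simulate(client: FakeNetskopeClient, first_fetch: int, max_fetch: int, rounds: int) -> list[list[str]]:
    """Run several fetch cycles back to back and return the ids delivered per cycle."""
    last_run: dict = {}
    delivered = []
    for _ in range(rounds):
        last_run, incidents = fetch_incidents(client, last_run, first_fetch, max_fetch)
        delivered.append(incident_ids(incidents))
    return delivered


if __name__ == "__main__":
    print(simulate(FakeNetskopeClient(SAMPLE_ALERTS), first_fetch=1647888460, max_fetch=3, rounds=3))
```

With a maximum of 3 incidents per fetch, the five sample alerts arrive as 3, then 2, then 0, each exactly once; the two alerts sharing insertion second 1647888465 are split across cycles without a repeat.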
### netskope-quarantined-file-list

List all quarantined files.

#### Base Command

`netskope-quarantined-file-list`

#### Input

Argument Name | Description | Required |
---|---|---|
start_time | Get files last modified after the provided date string. | Optional |
end_time | Get files last modified before the provided date string. | Optional |
limit | The maximum number of files to retrieve. Default is 50. | Optional |
page | The page number of the files to retrieve (minimum is 1). Default is 1. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Quarantine.quarantine_profile_id | String | The ID of quarantine profile. |
Netskope.Quarantine.quarantine_profile_name | String | The name of quarantine profile. |
Netskope.Quarantine.file_id | String | The ID of the quarantined file. |
Netskope.Quarantine.original_file_name | String | The original filename before quarantining. |
Netskope.Quarantine.policy | String | The name of the policy that caused the file to be quarantined. |
Netskope.Quarantine.quarantined_file_name | String | The filename after quarantining. |
Netskope.Quarantine.user_id | String | The ID of the user related to the quarantined file. |
#### Command example

```
!netskope-quarantined-file-list limit=1
```

#### Human Readable Output

##### Quarantined Files List

Current page size: 1. Showing page 1 out of others that may exist.

quarantine_profile_id | quarantine_profile_name | file_id | original_file_name | policy |
---|---|---|---|---|
1 | Qmasters Testing Google Drive | 1M_RU4jLPUwclKOhqZ7sPSqkMNS-S6Vyr | PII SSN Large v2.xlsx | [Data Protection] - Quarantine PII Uploads to Box |
### netskope-quarantined-file-get

Download a quarantined file.

#### Base Command

`netskope-quarantined-file-get`

#### Input

Argument Name | Description | Required |
---|---|---|
quarantine_profile_id | The ID of quarantine profile. | Required |
file_id | The ID of the quarantined file. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
File.Size | Number | The size of the file. |
File.Name | String | The name of the file. |
File.EntryID | String | The entry ID of the file. |
File.Info | String | File information. |
File.Type | String | The file type. |
File.Extension | String | The file extension. |
#### Command example

```
!netskope-quarantined-file-get file_id=1M_RU4jLPUwclKOhqZ7sPSqkMNS-S6Vyr quarantine_profile_id=1
```

### netskope-quarantined-file-update

Take an action on a quarantined file.

#### Base Command

`netskope-quarantined-file-update`

#### Input

Argument Name | Description | Required |
---|---|---|
quarantine_profile_id | The profile ID of the quarantined file. | Required |
file_id | The ID of the quarantined file. | Required |
action | Action to be performed on the quarantined file. Possible values are: block, allow. | Required |
#### Context Output

There is no context output for this command.

#### Command example

```
!netskope-quarantined-file-update file_id=1M_RR4jLPUwclKOhqZ7sPSqkMNS-S6Vyr quarantine_profile_id=1 action=block
```

#### Human Readable Output

The file 1M_RR4jLPUwclKOhqZ7sPSqkMNS-S6Vyr was successfully blocked!

### netskope-url-list-update

Update the URL List with the values provided. The command overrides the whole list content rather than appending the new values.

#### Base Command

`netskope-url-list-update`

#### Input

Argument Name | Description | Required |
---|---|---|
name | Name of an existing URL List shown in the Netskope UI on the URL List page. | Required |
urls | The content of the URL list. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
Netskope.URLList.name | String | The name of the URL list. |
Netskope.URLList.URL | String | The content of the URL list. |
#### Command example

```
!netskope-url-list-update name="Allowed URLs" urls="allow.me,allow2.me"
```

#### Human Readable Output

URL List Allowed URLs: allow.me, allow2.me

### netskope-file-hash-list-update

Update the file hash list with the values provided. The command overrides the whole list content rather than appending the new values.

#### Base Command

`netskope-file-hash-list-update`

#### Input

Argument Name | Description | Required |
---|---|---|
name | Name of an existing file hash list shown in the Netskope UI on the file hash list page. | Required |
hash | List of file hashes (md5 or sha256). | Required |
#### Context Output

Path | Type | Description |
---|---|---|
FileHashList.name | String | The name of the hash list. |
FileHashList.hash | String | The content of the hash list. |
#### Command example

```
!netskope-file-hash-list-update name="Test SHA256" hash="00db7cf5cc13df9ae88615af999582608361c14fc915d1dd76fa619d1c341597"
```

#### Human Readable Output

Hash List Test SHA256: 00db7cf5cc13df9ae88615af999582608361c14fc915d1dd76fa619d1c341597
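The following is an added example, not code from this integration, covering both `netskope-url-list-update` and `netskope-file-hash-list-update`. Because each command replaces the whole list, the caller must send the complete intended content: these helpers merge the current list with the additions, normalise and validate each entry (only md5 or sha256 for the hash list, with SHA-1 called out specifically because a 40-character digest is the usual mistake), and report which current entries an update would silently drop, which is the check worth running before overwriting a production allow list. All sample values are constructed, and nothing here calls Netskope.

```python
# Added example, not the integration's own code; sample values are constructed.
from __future__ import annotations

import re
from typing import Iterable, Union

_MD5 = re.compile(r"^[0-9a-f]{32}$")
_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def split_entries(value: Union[str, Iterable[str]]) -> list[str]:
    """Accept a comma-separated string (as typed into the command) or an iterable of strings."""
    parts = value.split(",") if isinstance(value, str) else list(value)
    return [p.strip() for p in parts if p and p.strip()]


def classify_hash(value: str) -> str:
    """Return 'md5' or 'sha256' for a valid hash; reject anything else (SHA-1 included)."""
    digest = value.strip().lower()
    if _MD5.match(digest):
        return "md5"
    if _SHA256.match(digest):
        return "sha256"
    if re.fullmatch(r"[0-9a-f]{40}", digest):
        raise ValueError(f"{value!r} looks like SHA-1, which the hash list does not accept")
    raise ValueError(f"{value!r} is not a valid md5 or sha256 hash")


def _dedupe(entries: Iterable[str]) -> list[str]:
    return list(dict.fromkeys(entries))  # order-preserving de-duplication


def build_hash_list(current, additions) -> list[str]:
    """Full hash list to send: current content plus additions, lower-cased and validated."""
    merged = [h.strip().lower() for h in split_entries(current) + split_entries(additions)]
    for digest in merged:
        classify_hash(digest)  # raises on the first bad entry so nothing partial is sent
    return _dedupe(merged)


def build_url_list(current, additions) -> list[str]:
    """Full URL list to send. Entries may not contain whitespace or the comma used as separator."""
    merged = [u.strip().lower() for u in split_entries(current) + split_entries(additions)]
    for entry in merged:
        if re.search(r"[\s,]", entry):
            raise ValueError(f"{entry!r} contains whitespace or a comma")
    return _dedupe(merged)


def dropped_entries(current, new) -> list[str]:
    """Entries of the current list that an update with `new` would remove."""
    keep = set(split_entries(new))
    return [e for e in _dedupe(split_entries(current)) if e not in keep]


def format_command(command: str, name: str, arg: str, entries: list[str]) -> str:
    """Render the War Room command line, e.g. !netskope-url-list-update name="..." urls="..."."""
    if '"' in name:
        raise ValueError("list name may not contain a double quote")
    return f'!{command} name="{name}" {arg}="{",".join(entries)}"'


if __name__ == "__main__":
    urls = build_url_list("allow.me", ["Allow2.me"])
    print(format_command("netskope-url-list-update", "Allowed URLs", "urls", urls))
    print("would drop:", dropped_entries("allow.me,old.example", urls))
```

Run stand-alone, the block prints the exact command line shown in the `netskope-url-list-update` example above and the entries (`old.example`) that sending it would remove from a list that currently holds them.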
### netskope-client-list

Get information about the Netskope clients.

#### Base Command

`netskope-client-list`

#### Input

Argument Name | Description | Required |
---|---|---|
query | Free query on the clients, based on the client fields. For example, "host_info.hostname eq xxx". For more information, please visit the Netskope documentation: https://docs.netskope.com/en/get-client-data.html | Optional |
limit | The maximum amount of clients to retrieve. Default is 50. | Optional |
page | The page number of the clients to retrieve (minimum is 1). Default is 1. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Client.client_id | String | The ID of the Netskope client. |
Netskope.Client.client_version | String | The client version. |
Netskope.Client.device_id | String | The ID of the client's device. |
Netskope.Client.host_info | String | Information about the client's host. |
Netskope.Client.last_event | String | Information about the last event related to the client. |
Netskope.Client.user_added_time | String | The last time a client's user was added to Netskope. |
Netskope.Client.users | String | List of all users of the provided client. |
#### Command example

```
!netskope-client-list limit=1
```

#### Human Readable Output

##### Clients List

Current page size: 1. Showing page 1 out of others that may exist.

Client Id | Client Version | Device Id | User Added Time |
---|---|---|---|
TEST82A5 | 91.0.6.812 | TEST82A5 | 1638994653 |

### netskope-host-associated-user-list

List all users of a certain host by its hostname.

#### Base Command

`netskope-host-associated-user-list`

#### Input

Argument Name | Description | Required |
---|---|---|
hostname | The hostname to view its users. | Required |
limit | The maximum amount of users to retrieve. Default is 50. | Optional |
page | The page number of the users to retrieve (minimum is 1). Default is 1. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
Netskope.User.user_id | String | The ID of the Netskope user. |
Netskope.User.device_classification_status | String | The device classification status. |
Netskope.User.last_event | Unknown | Information about the last event related to the user. |
Netskope.User.user_source | String | The source of the user. |
Netskope.User.userkey | String | The user key. |
Netskope.User.username | String | The name/email of the user. |
#### Command example

```
!netskope-host-associated-user-list hostname=TEST82A5 limit=1
```

#### Human Readable Output

##### Users Associated With TEST82A5

Current page size: 1. Showing page 1 out of others that may exist.

user_id | username | user_source | |
---|---|---|---|
0c6f3f867882c2d243a83310 | test@goxsoar.com | Manual | 0c6f3f867882c2d243a83310 |

### netskope-user-associated-host-list

List all hosts related to a certain username.

#### Base Command

`netskope-user-associated-host-list`

#### Input

Argument Name | Description | Required |
---|---|---|
username | The username to view its hosts. | Required |
limit | The maximum amount of hosts to retrieve. Default is 50. | Optional |
page | The page number of the hosts to retrieve (minimum is 1). Default is 1. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Host.nsdeviceuid | String | Netskope device UID. |
Netskope.Host.os | String | The device operating system. |
Netskope.Host.os_version | String | The device operating system version. |
Netskope.Host.device_model | String | The device model. |
Netskope.Host.hostname | String | The hostname of the device. |
Netskope.Host.agent_status | String | The status of the agent on the device. |
#### Command example

```
!netskope-user-associated-host-list username=test@goxsoar.com
```

#### Human Readable Output

##### Hosts Associated With test@goxsoar.com

Current page size: 50. Showing page 1 out of others that may exist.

hostname | os_version | agent_status |
---|---|---|
TEST82A5 | 10.0 (2009) | Enabled |