# Netskope (API v1)

This Integration is part of the Netskope Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

Get alerts and events, manage quarantine files as well as URL and hash lists using Netskope API v1. This integration was integrated and tested with version 93.0.7.625 of Netskope.

## Configure Netskope in Cortex

Parameter | Description | Required |
---|---|---|
Server URL | | True |
API token | | True |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
Fetch incidents | | False |
Maximum incidents per fetch | | False |
First fetch timestamp (<number> <time unit>, like 12 hours, 7 days) | | False |
Fetch Events | Fetch events as incidents, in addition to the alerts. | False |
Event types to fetch | | False |
Maximum events as incidents per fetch | | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### netskope-event-list

Get events extracted from SaaS traffic and/or logs.

#### Base Command

`netskope-event-list`

#### Input

Argument Name | Description | Required |
---|---|---|
query | Free query to filter the events. For example, "app eq Dropbox". For more information, please visit the Netskope documentation: https://docs.netskope.com/en/get-events-data.html | Optional |
event_type | Select events by their type. Possible values are: page, application, audit, infrastructure, network. | Required |
timeperiod | Get all events from a certain time period. Possible values are: Last 60 mins, Last 24 Hrs, Last 7 Days, Last 30 Days. | Optional |
start_time | Restrict events to those that have timestamps greater than the provided timestamp. | Optional |
end_time | Restrict events to those that have timestamps less than or equal to the provided timestamp. | Optional |
insertion_start_time | Restrict events to those that were inserted to the system after the provided timestamp. | Optional |
insertion_end_time | Restrict events to those that were inserted to the system before the provided timestamp. | Optional |
limit | The maximum amount of events to retrieve. Default is 50. | Optional |
page | The page number of the events to retrieve (minimum is 1). Default is 1. | Optional |
unsorted | If true, the returned data will not be sorted (useful for improved performance). Possible values are: true, false. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Event.event_id | String | The unique identifier of the event. |
Netskope.Event.timestamp | Number | Unix epoch timestamp of when the event happened. |
Netskope.Event.type | String | Shows if it is an application event or a connection event. |
Netskope.Event.access_method | String | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. |
Netskope.Event.traffic_type | String | Type of the traffic: CloudApp or Web. |
Netskope.Event.count | Number | Number of raw log lines/events sessionized or suppressed during the suppressed interval. |
Netskope.Event.app | String | Specific cloud application used by the user (e.g. app = Dropbox). |
Netskope.Event.appcategory | String | Application Category as designated by Netskope. |
Netskope.Event.url | String | URL of the application that the user visited as provided by the log or data plane traffic. |
Netskope.Event.page | String | The URL of the originating page. |
Netskope.Event.domain | String | Domain value. |
Netskope.Event.object | String | Name of the object which is being acted on. |
Netskope.Event.object_id | String | Unique ID associated with an object. |
Netskope.Event.activity | String | Description of the user performed activity. |
Netskope.Event.device | String | Device type from where the user accessed the cloud app. |
Netskope.Event.category | String | The event category. |

#### Command example

```
!netskope-event-list event_type=application limit=1 start_time=2021-03-21T18:48:02.358736 end_time=2022-03-21T18:48:02.358736
```

#### Human Readable Output

Events List: Current page size: 1. Showing page 1 out of others that may exist.

| Event Id | Timestamp | Type | Access Method | App | Traffic Type |
|---|---|---|---|---|---|
| a3f6cb3f22c4431defbf371b | 1647888482 | nspolicy | API Connector | Google Workspace | CloudApp |

### netskope-alert-list

Get alerts generated by Netskope, including policy, DLP, and watch list alerts.

#### Base Command

`netskope-alert-list`

#### Input

Argument Name | Description | Required |
---|---|---|
query | Free query to filter the alerts. For example, "alert_name like 'test'". For more information, please visit the Netskope documentation: https://docs.netskope.com/en/get-alerts-data.html | Optional |
alert_type | Select alerts by their type. Possible values are: anomaly, Compromised Credential, policy, Legal Hold, malsite, Malware, DLP, Security Assessment, watchlist, quarantine, Remediation, uba. | Optional |
acked | Whether to retrieve acknowledged alerts or not. Possible values are: true, false. | Optional |
timeperiod | Get alerts from a certain time period. Possible values are: Last 60 mins, Last 24 Hrs, Last 7 Days, Last 30 days, Last 60 days, Last 90 days. | Optional |
start_time | Restrict alerts to those that have timestamps greater than the provided timestamp. | Optional |
end_time | Restrict alerts to those that have timestamps less than or equal to the provided timestamp. | Optional |
insertion_start_time | Restrict alerts which have been inserted into the system after the provided timestamp. | Optional |
insertion_end_time | Restrict alerts which have been inserted into the system before the provided timestamp. | Optional |
limit | The maximum number of alerts to return. Default is 50. | Optional |
page | The page number of the alerts to retrieve (minimum is 1). Default is 1. | Optional |
unsorted | If true, the returned data will not be sorted (useful for improved performance). Possible values are: true, false. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Alert.alert_id | String | The unique identifier of the alert. |
Netskope.Alert.timestamp | Number | Timestamp when the event/alert happened. |
Netskope.Alert.type | String | Shows if it is an application event or a connection event. |
Netskope.Alert.access_method | String | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. |
Netskope.Alert.traffic_type | String | Type of the traffic: CloudApp or Web. |
Netskope.Alert.action | String | Action taken on the event for the policy. |
Netskope.Alert.count | Number | Number of raw log lines/events sessionized or suppressed during the suppressed interval. |
Netskope.Alert.alert_name | String | Name of the alert. |
Netskope.Alert.alert_type | String | Type of the alert. |
Netskope.Alert.acked | Boolean | Whether user acknowledged the alert or not. |
Netskope.Alert.policy | String | Name of the policy configured by an admin. |
Netskope.Alert.app | String | Specific cloud application used by the user (e.g. app = Dropbox). |
Netskope.Alert.appcategory | String | Application Category as designated by Netskope. |
Netskope.Alert.dlp_file | String | File/Object name extracted from the file/object. |
Netskope.Alert.dlp_profile | String | DLP profile name. |
Netskope.Alert.dlp_rule | String | DLP rule that triggered. |
Netskope.Alert.category | String | The alert category. |
Netskope.Alert.cci | Number | The cloud confidence index. |

#### Command example

```
!netskope-alert-list limit=1 start_time=2021-03-21T18:48:02.358736 end_time=2022-03-21T18:48:02.358736
```

#### Human Readable Output

Alerts List: Current page size: 1. Showing page 1 out of others that may exist.

| Alert Id | Alert Name | Alert Type | Timestamp | Action |
|---|---|---|---|---|
| 0d7fa7e3cb3034bcc0ff94a5 | Gdrive - Alert on PII | DLP | 1647888450 | alert |

### netskope-quarantined-file-list

List all quarantined files.

#### Base Command

`netskope-quarantined-file-list`

#### Input

Argument Name | Description | Required |
---|---|---|
start_time | Get files last modified after the provided date string. | Optional |
end_time | Get files last modified before the provided date string. | Optional |
limit | The maximum number of quarantined files to retrieve. Default is 50. | Optional |
page | The page number of the quarantined files to retrieve (minimum is 1). Default is 1. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Quarantine.quarantine_profile_id | String | The ID of quarantine profile. |
Netskope.Quarantine.quarantine_profile_name | String | The name of quarantine profile. |
Netskope.Quarantine.file_id | String | The ID of the quarantined file. |
Netskope.Quarantine.original_file_name | String | The original filename before quarantining. |
Netskope.Quarantine.policy | String | The name of the policy that caused the file to be quarantined. |
Netskope.Quarantine.quarantined_file_name | String | The filename after quarantining. |
Netskope.Quarantine.user_id | String | The ID of the user related to the quarantined file. |

#### Command example

```
!netskope-quarantined-file-list limit=1
```

#### Human Readable Output

Quarantined Files List: Current page size: 1. Showing page 1 out of others that may exist.

| quarantine_profile_id | quarantine_profile_name | file_id | original_file_name | policy |
|---|---|---|---|---|
| 1 | Qmasters Testing Google Drive | 1M_RU4jLPUwclKOhqZ7sPSqkMNS-S6Vyr | PII SSN Large v2.xlsx | [Data Protection] - Quarantine PII Uploads to Box |

### netskope-quarantined-file-get

Download a quarantined file.

#### Base Command

`netskope-quarantined-file-get`

#### Input

Argument Name | Description | Required |
---|---|---|
quarantine_profile_id | The ID of quarantine profile. | Required |
file_id | The ID of the quarantined file. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
File.Size | Number | The size of the file. |
File.Name | String | The name of the file. |
File.EntryID | String | The entry ID of the file. |
File.Info | String | File information. |
File.Type | String | The file type. |
File.Extension | String | The file extension. |

#### Command example

```
!netskope-quarantined-file-get file_id=1M_RU4jLPUwclKOhqZ7sPSqkMNS-S6Vyr quarantine_profile_id=1
```

### netskope-quarantined-file-update

Take an action on a quarantined file.

#### Base Command

`netskope-quarantined-file-update`

#### Input

Argument Name | Description | Required |
---|---|---|
quarantine_profile_id | The profile ID of the quarantined file. | Required |
file_id | The ID of the quarantined file. | Required |
action | Action to be performed on the quarantined file. Possible values are: block, allow. | Required |

#### Context Output

There is no context output for this command.

#### Command example

```
!netskope-quarantined-file-update file_id=1M_RR4jLPUwclKOhqZ7sPSqkMNS-S6Vyr quarantine_profile_id=1 action=block
```

#### Human Readable Output

The file 1M_RR4jLPUwclKOhqZ7sPSqkMNS-S6Vyr was successfully blocked!

### netskope-url-list-update

Update the URL List with the values provided. The command will override the whole list content, rather than appending the new values.

#### Base Command

`netskope-url-list-update`

#### Input

Argument Name | Description | Required |
---|---|---|
name | Name of an existing URL List shown in the Netskope UI on the URL List page. | Required |
urls | The content of the URL list. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Netskope.URLList.name | String | The name of the URL list. |
Netskope.URLList.URL | String | The content of the URL list. |

#### Command example

```
!netskope-url-list-update name="Allowed URLs" urls="allow.me,allow2.me"
```

#### Human Readable Output

URL List Allowed URLs: allow.me, allow2.me

### netskope-file-hash-list-update

Update the file hash list with the values provided. The command will override the whole list content, rather than appending the new values.

#### Base Command

`netskope-file-hash-list-update`

#### Input

Argument Name | Description | Required |
---|---|---|
name | Name of an existing file hash list shown in the Netskope UI on the file hash list page. | Required |
hash | List of file hashes (md5 or sha256). | Required |

#### Context Output

Path | Type | Description |
---|---|---|
FileHashList.name | String | The name of the hash list. |
FileHashList.hash | String | The content of the hash list. |

#### Command example

```
!netskope-file-hash-list-update name="Test SHA256" hash="00db7cf5cc13df9ae88615af999582608361c14fc915d1dd76fa619d1c341597"
```

#### Human Readable Output

Hash List Test SHA256: 00db7cf5cc13df9ae88615af999582608361c14fc915d1dd76fa619d1c341597

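Because both `netskope-url-list-update` and `netskope-file-hash-list-update` replace the whole list rather than append to it, an automation that only wants to add entries must resend the current content together with the new values. The helper below is an added example, not code from the Netskope pack; it assumes the current list content is obtained elsewhere (this page documents no read command for these lists) and that values are passed comma-separated, as in the command examples above.

```python
import re
from typing import Callable, Iterable

# Constructed example: build the full replacement value for the `urls` / `hash`
# argument so that an "add" operation does not silently drop existing entries.

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_hash(value: str) -> str:
    """Lower-case and validate a file hash; only md5 or sha256 are accepted."""
    h = value.strip().lower()
    if not (MD5_RE.match(h) or SHA256_RE.match(h)):
        raise ValueError(f"not an md5/sha256 hash: {value!r}")
    return h


def normalize_url(value: str) -> str:
    """Trim a URL list entry and reject values that would break the comma-separated form."""
    u = value.strip()
    if not u or "," in u or any(c.isspace() for c in u):
        raise ValueError(f"invalid URL list entry: {value!r}")
    return u


def merge_list_values(existing: str, new: Iterable[str],
                      normalize: Callable[[str], str]) -> str:
    """Return existing + new values, normalized and de-duplicated, order kept.

    `existing` is the current list content in comma-separated form
    (e.g. "allow.me,allow2.me"); the result is the complete value to send,
    since the update commands overwrite the list.
    """
    merged: list[str] = []
    for raw in [e for e in existing.split(",") if e] + list(new):
        v = normalize(raw)
        if v not in merged:
            merged.append(v)
    return ",".join(merged)


if __name__ == "__main__":
    print(merge_list_values("allow.me,allow2.me", ["allow3.me"], normalize_url))
```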
### netskope-client-list

Get information about the Netskope clients.

#### Base Command

`netskope-client-list`

#### Input

Argument Name | Description | Required |
---|---|---|
query | Free query on the clients, based on the client fields. For example, "host_info.hostname eq xxx". For more information, please visit the Netskope documentation: https://docs.netskope.com/en/get-client-data.html | Optional |
limit | The maximum amount of clients to retrieve. Default is 50. | Optional |
page | The page number of the clients to retrieve (minimum is 1). Default is 1. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Client.client_id | String | The ID of the Netskope client. |
Netskope.Client.client_version | String | The client version. |
Netskope.Client.device_id | String | The ID of the client's device. |
Netskope.Client.host_info | String | Information about the client's host. |
Netskope.Client.last_event | String | Information about the last event related to the client. |
Netskope.Client.user_added_time | String | The last time a client's user was added to Netskope. |
Netskope.Client.users | String | List of all users of the provided client. |

#### Command example

```
!netskope-client-list limit=1
```

#### Human Readable Output

Clients List: Current page size: 1. Showing page 1 out of others that may exist.

| Client Id | Client Version | Device Id | User Added Time |
|---|---|---|---|
| TEST82A5 | 91.0.6.812 | TEST82A5 | 1638994653 |

### netskope-host-associated-user-list

List all users of a certain host by its hostname.

#### Base Command

`netskope-host-associated-user-list`

#### Input

Argument Name | Description | Required |
---|---|---|
hostname | The hostname to view its users. | Required |
limit | The maximum amount of users to retrieve. Default is 50. | Optional |
page | The page number of the users to retrieve (minimum is 1). Default is 1. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Netskope.User.user_id | String | The ID of the Netskope user. |
Netskope.User.device_classification_status | String | The device classification status. |
Netskope.User.last_event | Unknown | Information about the last event related to the user. |
Netskope.User.user_source | String | The source of the user. |
Netskope.User.userkey | String | The user key. |
Netskope.User.username | String | The name/email of the user. |

#### Command example

```
!netskope-host-associated-user-list hostname=TEST82A5 limit=1
```

#### Human Readable Output

Users Associated With TEST82A5: Current page size: 1. Showing page 1 out of others that may exist.

| user_id | username | user_source |
|---|---|---|
| 0c6f3f867882c2d243a83310 | test@goxsoar.com | Manual |
| 0c6f3f867882c2d243a83310 | | |

### netskope-user-associated-host-list

List all hosts related to a certain username.

#### Base Command

`netskope-user-associated-host-list`

#### Input

Argument Name | Description | Required |
---|---|---|
username | The username to view its hosts. | Required |
limit | The maximum amount of hosts to retrieve. Default is 50. | Optional |
page | The page number of the hosts to retrieve (minimum is 1). Default is 1. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Netskope.Host.nsdeviceuid | String | Netskope device UID. |
Netskope.Host.os | String | The device operating system. |
Netskope.Host.os_version | String | The device operating system version. |
Netskope.Host.device_model | String | The device model. |
Netskope.Host.hostname | String | The hostname of the device. |
Netskope.Host.agent_status | String | The status of the agent on the device. |

#### Command example

```
!netskope-user-associated-host-list username=test@goxsoar.com
```

#### Human Readable Output

Hosts Associated With test@goxsoar.com: Current page size: 50. Showing page 1 out of others that may exist.

| hostname | os_version | agent_status |
|---|---|---|
| TEST82A5 | 10.0 (2009) | Enabled |