Skip to main content

Netskope (API v2)

This Integration is part of the Netskope Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

Netskope API v2 provides a powerful interface for managing and monitoring Netskope deployments. It enables users to retrieve alerts and events, manage URL lists, and control clients. With Netskope API v2, organizations can proactively respond to security threats, enforce web access policies, and efficiently administer their Netskope environment. This integration was integrated and tested with version 2 of the Netskope API.

Configure Netskope (API v2) on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Netskope (API v2).

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Server URLTrue
    Use system proxy settingsFalse
    Trust any certificate (not secure)False
    API tokenNetskope API access token (make sure to generate token for the following endpoints: api/v2/events/data/application, api/v2/events/data/audit, api/v2/events/data/page, api/v2/events/data/network, api/v2/events/data/infrastructure, api/v2/events/data/alert, api/v2/policy/urllist (read + write), api/v2/policy/urllist/deploy (read + write), api/v2/scim/Users).True
    First fetch timestampFirst alert created date to fetch. e.g., "1 min ago","2 weeks ago","3 months ago"False
    Maximum incidents per fetchMaximum number of incidents per fetch. Default is 50. The maximum is 100.False
    Maximum events as incidents per fetch. Max value is 200.False
    Fetch EventsFetch events as incidents, in addition to the alerts.False
    Event types to fetch.The event types to fetch as incidents.False
    Alerts QueryFree text query to filter the fetched alerts.False
    Events QueryFree text query to filter the fetched events (if configured).False
    Incident typeFalse
    Fetch incidents
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

netskope-alert-list#


Retrieve alerts generated by Netskope. Select desired alerts using the alert_type parameter. Mandatory inputs include start_time and end_time, or insertion_start_time and insertion_end_time (Please note that if end_time or insertion_end_time is not provided, it will default to the current date and time). Additionally, it is not permissible to supply a combination of the aforementioned options.

Base Command#

netskope-alert-list

Input#

Argument NameDescriptionRequired
start_timeRestrict events to those that have dates greater than the provided date string (for example "YYYY-MM-DDThh:mm", "1 min ago", "2 weeks ago"). When this argument is provided, the ‘end_time’ argument must be provided as well. .Optional
end_timeRestrict events to those that have dates less than or equal to the provided date string (for example "YYYY-MM-DDThh:mm", "1 min ago", "2 weeks ago"). When this argument is provided, the ‘start_time’ argument must be provided as well. If start_time argument is provided and this argument is not - the default value will be set for now.Optional
insertion_start_timeRestrict events to those that were inserted to the system after the provided date string (for example "YYYY-MM-DDThh:mm", "1 min ago", "2 weeks ago"). When this argument is provided, the ‘insertion_end_time’ argument must be provided as well.Optional
insertion_end_timeRestrict events to those that were inserted to the system before the provided date string (for example "YYYY-MM-DDThh:mm", "1 min ago", "2 weeks ago"). When this argument is provided, the ‘insertion_start_time’ argument must be provided as well. If insertion_start_time argument is provided and this argument is not - the default value will be set for now.Optional
queryFree query to filter the alerts. For example, "alert_name like test". For more information, please visit Netskope documentation: https://docs.netskope.com/en/get-alerts-data.html.Optional
alert_typeSelect alerts by their type.Optional
ackedWhether to retrieve acknowledged alerts or not. Possible values are: True, False.Optional
pagePage number of paginated results. Minimum value: 1.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
Netskope.Alert._appsession_startStringThe timestamp marking the start of an application session.
Netskope.Alert._category_idStringThe unique identifier for a category.
Netskope.Alert._category_nameStringThe name or label associated with a category.
Netskope.Alert._category_tagsNumberNumeric tags or labels associated with the category.
Netskope.Alert._content_versionNumberA numeric value representing the content version.
Netskope.Alert._correlation_idStringAn identifier used for correlating events or data.
Netskope.Alert._creation_timestampNumberThe timestamp when the data or event was created.
Netskope.Alert._ef_received_atDateThe timestamp indicating when the event was received.
Netskope.Alert._event_idStringA unique identifier for the event.
Netskope.Alert._forwarded_byStringInformation indicating the source responsible for forwarding the event.
Netskope.Alert._gef_src_dpStringThe source data path for the event.
Netskope.Alert._idStringA unique identifier for the event or data.
Netskope.Alert._insertion_epoch_timestampNumberInsertion timestamp.
Netskope.Alert._nshostnameStringThe hostname associated with Netskope.
Netskope.Alert._raw_event_inserted_atDateThe timestamp indicating when the raw event was inserted.
Netskope.Alert._service_identifierStringAn identifier associated with a specific service.
Netskope.Alert._session_beginStringThe timestamp marking the beginning of a session.
Netskope.Alert._skip_geoip_lookupStringA flag indicating whether GeoIP lookup should be skipped.
Netskope.Alert._src_epoch_nowNumberA numeric value representing the source epoch.
Netskope.Alert.access_methodStringCloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc.
Netskope.Alert.ackedStringWhether the user acknowledged the alert or not.
Netskope.Alert.actionStringAction taken on the event for the policy.
Netskope.Alert.activityStringDescription of the user-performed activity.
Netskope.Alert.alertStringIndicates whether the alert is generated or not. Populated as yes for all alerts.
Netskope.Alert.alert_nameStringName of the alert.
Netskope.Alert.alert_typeStringType of the alert.
Netskope.Alert.appStringSpecific cloud application used by the user (e.g., app = Dropbox).
Netskope.Alert.app_session_idNumberUnique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site and ends once they have been inactive for a certain period of time (15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser, and domain.
Netskope.Alert.appcategoryStringApplication category as designated by Netskope.
Netskope.Alert.appsuiteStringInformation related to the suite of applications or software used.
Netskope.Alert.browserStringShows the actual browser from where the cloud app was accessed.
Netskope.Alert.browser_session_idNumberBrowser session ID. If there is an idle timeout of 15 minutes, it will time out the session.
Netskope.Alert.categoryStringA classification or grouping label for data or events.
Netskope.Alert.cciNumberCloud Confidence Index, indicating the readiness and security of cloud applications.
Netskope.Alert.cclString"Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps' security, auditability, and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL."
Netskope.Alert.connection_idNumberEach connection has a unique ID. Shows the ID for the connection event.
Netskope.Alert.countNumberNumber of raw log lines/events sessionized or suppressed during the suppressed interval.
Netskope.Alert.deviceStringDevice type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad, etc.
Netskope.Alert.device_classificationStringDesignation of the device as determined by the Netskope Client as to whether the device is managed or not.
Netskope.Alert.domainStringDomain value. This will hold the host header value or SNI or extracted from an absolute URI.
Netskope.Alert.dst_countryStringApplication’s two-letter country code as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.dst_latitudeNumberLatitude of the application as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.dst_locationStringApplication’s city as determined by maxmind or IP2Location Geodatabase.
Netskope.Alert.dst_longitudeNumberLongitude of the application as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.dst_regionStringApplication’s state or region as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.dst_timezoneStringDestination timezone.
Netskope.Alert.dst_zipcodeStringApplication’s zip code as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.dstipStringIP address where the destination app is hosted.
Netskope.Alert.hostnameStringHost name.
Netskope.Alert.incident_idNumberA unique identifier for an incident or event.
Netskope.Alert.ja3StringA field indicating JA3 information.
Netskope.Alert.ja3sStringA field indicating JA3S information.
Netskope.Alert.managed_appStringWhether or not the app in question is managed.
Netskope.Alert.managementIDStringManagement ID.
Netskope.Alert.netskope_popStringNetskope Point of Presence, related to network infrastructure.
Netskope.Alert.notify_templateStringThe template used for notifications or alerts.
Netskope.Alert.nsdeviceuidStringDevice identifiers on macOS and Windows.
Netskope.Alert.organization_unitStringOrganization units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application.
Netskope.Alert.osStringOperating system of the host that generated the event.
Netskope.Alert.os_versionStringOperating system version of the host.
Netskope.Alert.other_categoriesStringAdditional categories or labels not specified elsewhere.
Netskope.Alert.pageStringThe URL of the originating page.
Netskope.Alert.page_siteStringInformation about the web page or site being accessed.
Netskope.Alert.policyStringName of the policy configured by an admin.
Netskope.Alert.policy_idStringThe Netskope internal ID for the policy created by an admin.
Netskope.Alert.portStringThe network port used for communication.
Netskope.Alert.protocolStringThe communication protocol or method used.
Netskope.Alert.request_idNumberUnique request ID for the event.
Netskope.Alert.severityStringSeverity used by watchlist and malware alerts.
Netskope.Alert.siteStringFor traffic_type = CloudApp, site = app, and for traffic_type = Web, it will be the second-level domain name + top-level domain name. For example, in “www.cnn.com”, it is “cnn.com”.
Netskope.Alert.src_countryStringUser’s country’s two-letter country code as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.src_latitudeNumberLatitude of the user as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.src_locationStringUser’s city as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.src_longitudeNumberLongitude of the user as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.src_regionStringSource state or region as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.src_timeDateA timestamp associated with the source or event.
Netskope.Alert.src_timezoneStringSource timezone. Shows the long-format timezone designation.
Netskope.Alert.src_zipcodeStringSource zip code as determined by Maxmind or IP2Location Geodatabase.
Netskope.Alert.srcipStringIP address of the source/user.
Netskope.Alert.telemetry_appStringTypically, SaaS app websites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field.
Netskope.Alert.timestampNumberTimestamp when the event/alert happened. Event timestamp in Unix epoch format.
Netskope.Alert.traffic_typeString"Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights."
Netskope.Alert.transaction_idNumberUnique ID for a given request/response.
Netskope.Alert.typeStringShows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events show the actual HTTP connection.
Netskope.Alert.ur_normalizedStringAll lowercase user email.
Netskope.Alert.urlStringURL of the application that the user visited as provided by the log or data plane traffic.
Netskope.Alert.userStringUser email.
Netskope.Alert.useragentStringBrowser HTTP user agent header.
Netskope.Alert.useripStringIP address of the user.
Netskope.Alert.userkeyStringUser ID or email.
Netskope.Alert._client_timeoutNumberInformation related to client timeouts.
Netskope.Alert._dlp_backup_profileStringInformation related to DLP (Data Loss Prevention) backup profiles.
Netskope.Alert._nsp_dur_backNumberDuration information for NSP (Network Security Platform) on the back end.
Netskope.Alert._nsp_dur_frontNumberDuration information for NSP on the front end.
Netskope.Alert._nsp_retrans_backNumberRetransmission information for NSP on the back end.
Netskope.Alert._nsp_retrans_frontNumberRetransmission information for NSP on the front end.
Netskope.Alert._nsp_rtt_backNumberRound-trip time information for NSP on the back end.
Netskope.Alert._nsp_rtt_frontNumberRound-trip time information for NSP on the front end.
Netskope.Alert._resource_nameStringThe name associated with a resource.
Netskope.Alert._scan_sourceStringInformation indicating the source of a scan.
Netskope.Alert._tenant_max_file_sizeNumberThe maximum file size allowed for a tenant.
Netskope.Alert.all_policy_matchesStringInformation related to policy matches.
Netskope.Alert.browser_versionStringBrowser version.
Netskope.Alert.file_sizeNumberSize of the file in bytes.
Netskope.Alert.file_typeStringFile type.
Netskope.Alert.md5StringMD5 of the file.
Netskope.Alert.objectStringName of the object which is being acted on. It could be a filename, folder name, report name, document name, etc.
Netskope.Alert.object_typeStringType of the object which is being acted on. Object type could be a file, folder, report, document, message, etc.
Netskope.Alert.web_universal_connectorStringUniversal web connector information.

Command example#

!netskope-alert-list start_time="2023-05-05 11:06" alert_type=policy limit=2

Context Example#

{
"Netskope": {
"Alert": [
{
"_appsession_start": "yes",
"_category_id": "8",
"_category_name": "Collaboration",
"_category_tags": [
10001,
564,
8
],
"_content_version": 1687272302,
"_correlation_id": "011c0f84-9938-460b-8cbe-dab38fa6cb31",
"_creation_timestamp": 1687656279,
"_ef_received_at": 1687656276462,
"_event_id": "724d1174-d78c-4197-8243-4fbd3644b192",
"_forwarded_by": "msg-relayer",
"_gef_src_dp": "IL-TLV1",
"_id": "c3c98336e9d6807dd821b8dc",
"_insertion_epoch_timestamp": 1687656283,
"_nshostname": "dppool1-2-egress",
"_raw_event_inserted_at": 1687656276776,
"_service_identifier": "service-nsproxy",
"_session_begin": "1",
"_skip_geoip_lookup": "yes",
"_src_epoch_now": 1687667040,
"access_method": "Client",
"acked": "false",
"action": "block",
"activity": "Browse",
"alert": "yes",
"alert_id": "c3c98336e9d6807dd821b8dc",
"alert_name": "365 block",
"alert_type": "policy",
"app": "Microsoft Teams",
"app_session_id": 3379014715943843300,
"appcategory": "Collaboration",
"appsuite": "Office365",
"browser": "Native",
"browser_session_id": 2893692091617575400,
"category": "Collaboration",
"cci": 92,
"ccl": "excellent",
"connection_id": 1717056737521399300,
"count": 1,
"device": "Windows Device",
"device_classification": "unmanaged",
"domain": "config.teams.microsoft.com",
"dst_country": "US",
"dst_latitude": 47.682899475097656,
"dst_location": "Redmond",
"dst_longitude": -122.12090301513672,
"dst_region": "Washington",
"dst_timezone": "America/Los_Angeles",
"dst_zipcode": "N/A",
"dstip": "8.8.8.8",
"hostname": "DESKTOP-TOR2VO7",
"incident_id": 6782360912641091000,
"ja3": "a0e9f5d64349fb13191bc781f81f42e1",
"ja3s": "NotAvailable",
"managed_app": "no",
"managementID": "",
"netskope_pop": "IL-TLV1",
"notify_template": "block_page.html",
"nsdeviceuid": "A633E874-D3B2-0FB7-F5CC-AF89F428B182",
"organization_unit": "",
"os": "Windows 10",
"os_version": "Windows 10",
"other_categories": [
"Test web Policy Beni",
"Technology",
"Collaboration"
],
"page": "config.teams.microsoft.com",
"page_site": "Microsoft Teams",
"policy": "365 block",
"policy_id": "84BE7DC6087E38BCA19B3788C5E02A67 2023-06-22 14:42:51.404368",
"port": "443",
"protocol": "HTTPS/1.1",
"request_id": 2605870162901070000,
"severity": "unknown",
"site": "Microsoft Teams",
"src_country": "IL",
"src_latitude": 32.0803,
"src_location": "Tel Aviv",
"src_longitude": 34.7805,
"src_region": "Tel Aviv",
"src_time": "Sun Jun 25 04:24:00 2023",
"src_timezone": "Asia/Jerusalem",
"src_zipcode": "N/A",
"srcip": "8.8.8.8",
"telemetry_app": "",
"timestamp": "2023-06-25T01:24:36.000Z",
"traffic_type": "CloudApp",
"transaction_id": 6782360912641091000,
"type": "nspolicy",
"ur_normalized": "example@qmasters.co",
"url": "config.teams.microsoft.com/config/v1/ODSP_Sync_Client/23.119.0606.0001",
"user": "example@qmasters.co",
"useragent": "OneDrive-23.119.0606.0001",
"userip": "8.8.8.8",
"userkey": "example@qmasters.co"
},
{
"_appsession_start": "yes",
"_category_id": "8",
"_category_name": "Collaboration",
"_category_tags": [
10001,
564,
8
],
"_content_version": 1687272302,
"_correlation_id": "46647142-2f24-4802-b8f5-22814e80353a",
"_creation_timestamp": 1687659879,
"_ef_received_at": 1687659876494,
"_event_id": "6827a5eb-de85-48af-8eae-6d3034084fd6",
"_forwarded_by": "msg-relayer",
"_gef_src_dp": "IL-TLV1",
"_id": "da711d311019f02d79ebc8f4",
"_insertion_epoch_timestamp": 1687659883,
"_nshostname": "dppool1-2-egress",
"_raw_event_inserted_at": 1687659876771,
"_service_identifier": "service-nsproxy",
"_session_begin": "1",
"_skip_geoip_lookup": "yes",
"_src_epoch_now": 1687670640,
"access_method": "Client",
"acked": "false",
"action": "block",
"activity": "Browse",
"alert": "yes",
"alert_id": "da711d311019f02d79ebc8f4",
"alert_name": "365 block",
"alert_type": "policy",
"app": "Microsoft Teams",
"app_session_id": 4359394467077842400,
"appcategory": "Collaboration",
"appsuite": "Office365",
"browser": "Native",
"browser_session_id": 2893692091617575400,
"category": "Collaboration",
"cci": 92,
"ccl": "excellent",
"connection_id": 8981978357397935000,
"count": 1,
"device": "Windows Device",
"device_classification": "unmanaged",
"domain": "config.teams.microsoft.com",
"dst_country": "AT",
"dst_latitude": 48.2049,
"dst_location": "Vienna",
"dst_longitude": 16.3662,
"dst_region": "Vienna",
"dst_timezone": "Europe/Vienna",
"dst_zipcode": "1010",
"dstip": "8.8.8.8",
"hostname": "DESKTOP-TOR2VO7",
"incident_id": 1478029261577663500,
"ja3": "a0e9f5d64349fb13191bc781f81f42e1",
"ja3s": "NotAvailable",
"managed_app": "no",
"managementID": "",
"netskope_pop": "IL-TLV1",
"notify_template": "block_page.html",
"nsdeviceuid": "A633E874-D3B2-0FB7-F5CC-AF89F428B182",
"organization_unit": "",
"os": "Windows 10",
"os_version": "Windows 10",
"other_categories": [
"Test web Policy Beni",
"Technology",
"Collaboration"
],
"page": "config.teams.microsoft.com",
"page_site": "Microsoft Teams",
"policy": "365 block",
"policy_id": "84BE7DC6087E38BCA19B3788C5E02A67 2023-06-22 14:42:51.404368",
"port": "443",
"protocol": "HTTPS/1.1",
"request_id": 2605900362175087600,
"severity": "unknown",
"site": "Microsoft Teams",
"src_country": "IL",
"src_latitude": 32.0803,
"src_location": "Tel Aviv",
"src_longitude": 34.7805,
"src_region": "Tel Aviv",
"src_time": "Sun Jun 25 05:24:00 2023",
"src_timezone": "Asia/Jerusalem",
"src_zipcode": "N/A",
"srcip": "8.8.8.8",
"telemetry_app": "",
"timestamp": "2023-06-25T02:24:36.000Z",
"traffic_type": "CloudApp",
"transaction_id": 1478029261577663500,
"type": "nspolicy",
"ur_normalized": "example@qmasters.co",
"url": "config.teams.microsoft.com/config/v1/ODSP_Sync_Client/23.119.0606.0001",
"user": "example@qmasters.co",
"useragent": "OneDrive-23.119.0606.0001",
"userip": "8.8.8.8",
"userkey": "example@qmasters.co"
}
]
}
}

Human Readable Output#

Alert List#

Showing page 1. Current page size: 2. |Alert Id|Alert Name|Alert Type|Severity|Action|Activity|Type|Category Name|Event Id|Domain|Dst Country|Policy|Port|Protocol|Md5|Timestamp| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| | c3c98336e9d6807dd821b8dc | 365 block | policy | unknown | block | Browse | nspolicy | Collaboration | 724d1174-d78c-4197-8243-4fbd3644b192 | config.teams.microsoft.com | US | 365 block | 443 | HTTPS/1.1 | | 2023-06-25T01:24:36.000Z | | da711d311019f02d79ebc8f4 | 365 block | policy | unknown | block | Browse | nspolicy | Collaboration | 6827a5eb-de85-48af-8eae-6d3034084fd6 | config.teams.microsoft.com | AT | 365 block | 443 | HTTPS/1.1 | | 2023-06-25T02:24:36.000Z |

netskope-event-list#


Get events extracted from SaaS traffic. You may choose what events to receive with the event_type parameter. You must provide start_time and end_time, or insertion_start_time and insertion_end_time (Note that if end_time or insertion_end_time don't provided - it would be set with the now date time). Also, you cannot provide a combination of the options mentioned above.

Base Command#

netskope-event-list

Input#

Argument NameDescriptionRequired
event_typeSelect events by their type. Available types: page,application,audit,infrastructure,network. Possible values are: page, application, audit, infrastructure, network.Required
queryFree query to filter the events. For example, "app eq Dropbox". For more information, please visit Netskope documentation: https://docs.netskope.com/en/get-events-data.html.Optional
start_timeRestrict events to those that have dates greater than the provided date string (for example "YYYY-MM-DDThh:mm", "1 min ago", "2 weeks ago"). When this argument is provided, the ‘end_time’ argument must be provided as well.Optional
end_timeRestrict events to those that have dates less than or equal to the provided date string (for example "YYYY-MM-DDThh:mm", "1 min ago", "2 weeks ago"). When this argument is provided, the ‘start_time’ argument must be provided as well. If start_time argument is provided and this argument is not - the default value will be set for now.Optional
insertion_start_timeRestrict events to those that were inserted to the system after the provided date string (for example "YYYY-MM-DDThh:mm", "1 min ago", "2 weeks ago"). When this argument is provided, the ‘insertion_end_time’ argument must be provided as well.Optional
insertion_end_timeRestrict events to those that were inserted to the system before the provided date string (for example "YYYY-MM-DDThh:mm", "1 min ago", "2 weeks ago"). When this argument is provided, the ‘insertion_start_time’ argument must be provided as well. If insertion_start_time argument is provided and this argument is not - the default value will be set for now.Optional
pagePage number of paginated results. Minimum value: 1.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
Netskope.Event._appsession_startStringNetskope event application session start.
Netskope.Event._category_idStringNetskope event category ID.
Netskope.Event._category_nameStringNetskope event category name.
Netskope.Event._category_tagsNumberNetskope event category tags.
Netskope.Event._content_versionNumberNetskope event content version.
Netskope.Event._correlation_idStringNetskope event correlation ID.
Netskope.Event._creation_timestampNumberNetskope event creation timestamp.
Netskope.Event._ef_received_atDateThe timestamp indicating when the event was received.
Netskope.Event._event_idStringNetskope event event ID.
Netskope.Event._forwarded_byStringNetskope event forwarded by.
Netskope.Event._gef_src_dpStringThe source data path for the event.
Netskope.Event._idStringNetskope event ID.
Netskope.Event._insertion_epoch_timestampNumberNetskope event insertion epoch timestamp
Netskope.Event._nshostnameStringThe hostname associated with Netskope.
Netskope.Event._raw_event_inserted_atDateThe date the Netskope raw event was inserted.
Netskope.Event._service_identifierStringNetskope event service identifier.
Netskope.Event._session_beginStringThe timestamp marking the beginning of a session.
Netskope.Event._skip_geoip_lookupStringNetskope event skip GeoIP lookup.
Netskope.Event._src_epoch_nowNumberA numeric value representing the source epoch.
Netskope.Event.access_methodStringNetskope event access method.
Netskope.Event.actionStringNetskope event action.
Netskope.Event.activityStringNetskope event activity.
Netskope.Event.alertStringNetskope event alert.
Netskope.Event.appStringNetskope event app.
Netskope.Event.app_session_idNumberNetskope event app session ID.
Netskope.Event.appcategoryStringNetskope event app category.
Netskope.Event.appsuiteStringNetskope event app suite.
Netskope.Event.browserStringNetskope event browser.
Netskope.Event.browser_session_idNumberNetskope event browser session ID.
Netskope.Event.categoryStringNetskope event category.
Netskope.Event.cciNumberNetskope event Cloud Confidence Index.
Netskope.Event.cclStringNetskope event Cloud Confidence Levels.
Netskope.Event.connection_idNumberNetskope event connection ID.
Netskope.Event.countNumberNetskope event count.
Netskope.Event.deviceStringNetskope event device.
Netskope.Event.device_classificationStringNetskope event device classification.
Netskope.Event.domStringNetskope event Document Object Model (DOM).
Netskope.Event.dst_countryStringNetskope event destination country.
Netskope.Event.dst_latitudeNumberNetskope event destination latitude.
Netskope.Event.dst_locationStringNetskope event destination location.
Netskope.Event.dst_longitudeNumberNetskope event destination longitude.
Netskope.Event.dst_regionStringNetskope event destination region.
Netskope.Event.dst_timezoneStringNetskope event destination timezone.
Netskope.Event.dst_zipcodeStringNetskope event destination zip code.
Netskope.Event.dstipStringNetskope event destination IP.
Netskope.Event.hostnameStringNetskope event host name.
Netskope.Event.incident_idNumberNetskope event incident ID.
Netskope.Event.ja3StringA field indicating JA3 information.
Netskope.Event.ja3sStringA field indicating JA3S information.
Netskope.Event.managed_appStringNetskope event managed app.
Netskope.Event.managementIDStringNetskope event management ID.
Netskope.Event.netskope_popStringNetskope event Netskope POP.
Netskope.Event.notify_templateStringNetskope event notify template.
Netskope.Event.nsdeviceuidStringNetskope event Netskope device UID.
Netskope.Event.organization_unitStringNetskope event organization unit.
Netskope.Event.osStringNetskope event operating system.
Netskope.Event.os_versionStringNetskope event operating system version.
Netskope.Event.other_categoriesStringNetskope event other categories.
Netskope.Event.pageStringNetskope event page.
Netskope.Event.page_siteStringNetskope event page site.
Netskope.Event.policyStringNetskope event policy.
Netskope.Event.policy_idStringNetskope event policy ID.
Netskope.Event.portNumberNetskope event port.
Netskope.Event.protocolStringNetskope event protocol.
Netskope.Event.request_idNumberNetskope event request ID.
Netskope.Event.severityStringNetskope event severity.
Netskope.Event.siteStringNetskope event site.
Netskope.Event.src_countryStringNetskope event source country.
Netskope.Event.src_latitudeNumberNetskope event source latitude.
Netskope.Event.src_locationStringNetskope event source location.
Netskope.Event.src_longitudeNumberNetskope event source longitude.
Netskope.Event.src_regionStringNetskope event source region.
Netskope.Event.src_timeDateNetskope event source time.
Netskope.Event.src_timezoneStringNetskope event source timezone.
Netskope.Event.src_zipcodeStringNetskope event source zip code.
Netskope.Event.srcipStringNetskope event source IP.
Netskope.Event.telemetry_appStringNetskope event telemetry app.
Netskope.Event.timestampNumberNetskope event timestamp.
Netskope.Event.traffic_typeStringNetskope event traffic type.
Netskope.Event.transaction_idNumberNetskope event transaction ID.
Netskope.Event.typeStringNetskope event type.
Netskope.Event.ur_normalizedStringAll lowercase user email.
Netskope.Event.urlStringNetskope event URL.
Netskope.Event.userStringNetskope event user.
Netskope.Event.useragentStringNetskope event user agent.
Netskope.Event.useripStringNetskope event user IP.
Netskope.Event.userkeyStringNetskope event user key.

Command example#

!netskope-event-list event_type=page start_time="10 days ago" limit=2

Human Readable Output#

Event List#

Showing page 1. Current page size: 2. No entries.

netskope-url-list-update#


Update the URL List with the values provided. please note that this command overrides the list.

Base Command#

netskope-url-list-update

Input#

Argument NameDescriptionRequired
url_list_idThe URL list ID to update (use netskope-url-list-list command to get URL list ID).Required
nameThe updated URL list name.Required
urlsThe updated URL list items (For Exact - Enter URLs like .example.com, or IP addresses, separated by new line. For Regex - Enter URLs like ^client[0-9]\.google\.com , ^app\.slack\.com/./netskope, or ^google.com, separated by new line).Required
list_typeThe updated URL list type. Possible values are: exact, regex.Required
deployWhether to deploy URL list changes or not. Default is False. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
Netskope.URLList.idNumberNetskope URL list ID.
Netskope.URLList.nameStringNetskope URL list name.
Netskope.URLList.data.urlsStringNetskope URL list data URLs.
Netskope.URLList.data.typeStringNetskope URL list data type.
Netskope.URLList.data.json_versionNumberNetskope URL list data JSON version.
Netskope.URLList.modify_byStringNetskope URL list modify by.
Netskope.URLList.modify_timeDateNetskope URL list modify time.
Netskope.URLList.modify_typeStringNetskope URL list modify type.
Netskope.URLList.pendingStringNetskope URL list pending status.

Command example#

!netskope-url-list-update url_list_id=11 name="QMASTERS list" urls="google.com" list_type=regex deploy=false

Context Example#

{
"Netskope": {
"URLList": {
"id": 11,
"json_version": 2,
"modify_by": "Tal New Token",
"modify_time": "2023-07-18",
"modify_type": "Edited",
"name": "QMASTERS list",
"pending": "pending",
"type": "regex",
"urls": [
"google.com"
]
}
}
}

Human Readable Output#

URL List#

IdJson VersionModify ByModify TimeModify TypeNamePendingTypeUrls
112Tal New Token2023-07-18EditedQMASTERS listpendingregexgoogle.com

netskope-url-list-create#


Create a new URL list.

Base Command#

netskope-url-list-create

Input#

Argument NameDescriptionRequired
nameThe unique name for the URL list.Required
urlsThe URL list items (For Exact - Enter URLs like .example.com, or IP addresses, separated by new line. For Regex - Enter URLs like ^client[0-9]\.google\.com , ^app\.slack\.com/./netskope, or ^google.com, separated by new line).Required
list_typeThe URL list type. Possible values are: exact, regex.Required
deployWhether to deploy URL list changes or not. Default is False. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
Netskope.URLList.idNumberNetskope URL list ID.
Netskope.URLList.nameStringNetskope URL list name.
Netskope.URLList.data.urlsStringNetskope URL list data URLs.
Netskope.URLList.data.typeStringNetskope URL list data type.
Netskope.URLList.data.json_versionNumberNetskope URL list data JSON version.
Netskope.URLList.modify_typeStringNetskope URL list modify type.
Netskope.URLList.modify_byStringNetskope URL list modify by.
Netskope.URLList.modify_timeDateNetskope URL list modify time.
Netskope.URLList.pendingStringNetskope URL list pending status.

Command example#

!netskope-url-list-create name="New QMASTERS list" urls="xsoar.com,qmasters.com,google.com" list_type=regex deploy=false

Context Example#

{
"Netskope": {
"URLList": {
"id": 12,
"json_version": 2,
"modify_by": "Tal New Token",
"modify_time": "2023-07-18",
"modify_type": "Created",
"name": "New QMASTERS list",
"pending": "pending",
"type": "regex",
"urls": [
"xsoar.com",
"qmasters.com",
"google.com"
]
}
}
}

Human Readable Output#

URL List#

IdJson VersionModify ByModify TimeModify TypeNamePendingTypeUrls
122Tal New Token2023-07-18CreatedNew QMASTERS listpendingregexxsoar.com,
qmasters.com,
google.com

netskope-url-lists-list#


Get all URL Lists or a specific by specifying the list ID.

Base Command#

netskope-url-lists-list

Input#

Argument NameDescriptionRequired
url_list_idThe URL list ID to get.Optional
pendingGet a list of only applied or pending URL lists. Possible values are: applied, pending.Optional
fieldComma separated data values to return in response call (for example: name, id, data, modify_by, modify_time, modify_type, pending). Defaults to all values.Optional
all_resultsWhether to retrieve all results or not. Defaults is false. Possible values are: True, False.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
Netskope.URLList.idNumberNetskope URL list ID.
Netskope.URLList.nameStringNetskope URL list name.
Netskope.URLList.data.urlsStringNetskope URL list data URLs.
Netskope.URLList.modify_byStringNetskope URL list modify by.
Netskope.URLList.modify_timeDateNetskope URL list modify time.
Netskope.URLList.modify_typeStringNetskope URL list modify type.
Netskope.URLList.pendingStringNetskope URL list pending status.

Command example#

!netskope-url-lists-list

Context Example#

{
"Netskope": {
"URLList": [
{
"data": {
"json_version": 2,
"type": "exact",
"urls": [
"g.g"
]
},
"id": 1,
"modify_by": "example@qmasters.co",
"modify_time": "2023-07-16T00:00:00.000Z",
"modify_type": "Edited",
"name": "myList",
"pending": 0
},
{
"data": {
"json_version": 2,
"type": "regex",
"urls": [
"google.com"
]
},
"id": 2,
"modify_by": "Tal New Token",
"modify_time": "2023-07-18T00:00:00.000Z",
"modify_type": "Edited",
"name": "NewURLList",
"pending": 0
},
{
"data": {
"json_version": 2,
"type": "exact",
"urls": [
"google.com",
"www.abc.com",
"example.com",
"lulu.com"
]
},
"id": 4,
"modify_by": "Netskope REST API",
"modify_time": "2023-07-05T10:24:57.000Z",
"modify_type": "Edited",
"name": "Tal-newURLlist",
"pending": 0
},
{
"data": {
"json_version": 2,
"type": "exact",
"urls": [
"google.com",
"example.com",
"lulu.com"
]
},
"id": 5,
"modify_by": "Netskope REST API",
"modify_time": "2023-07-05T00:00:00.000Z",
"modify_type": "Created",
"name": "New URL list",
"pending": 0
},
{
"data": {
"json_version": 2,
"type": "exact",
"urls": [
"google.com",
"example.com",
"lulu.com"
]
},
"id": 6,
"modify_by": "Netskope REST API",
"modify_time": "2023-07-05T00:00:00.000Z",
"modify_type": "Created",
"name": "New URL list 2",
"pending": 0
},
{
"data": {
"json_version": 2,
"type": "regex",
"urls": [
"xsoar.com",
"qmasters.com"
]
},
"id": 8,
"modify_by": "Netskope REST API",
"modify_time": "2023-07-17T00:00:00.000Z",
"modify_type": "Created",
"name": "NewNewURLlist",
"pending": 0
},
{
"data": {
"json_version": 2,
"type": "regex",
"urls": [
"xsoar.com",
"qmasters.com"
]
},
"id": 9,
"modify_by": "Netskope REST API",
"modify_time": "2023-07-17T00:00:00.000Z",
"modify_type": "Created",
"name": "NewNewURLlist1",
"pending": 0
}
]
}
}

Human Readable Output#

URL List#

IdJson VersionModify ByModify TimeModify TypeNamePendingTypeUrls
12example@qmasters.co2023-07-16T00:00:00.000ZEditedmyListappliedexactg.g
22Tal New Token2023-07-18T00:00:00.000ZEditedNewURLListappliedregexgoogle.com
42Netskope REST API2023-07-05T10:24:57.000ZEditedTal-newURLlistappliedexactgoogle.com,
www.abc.com,
example.com,
lulu.com
52Netskope REST API2023-07-05T00:00:00.000ZCreatedNew URL listappliedexactgoogle.com,
example.com,
lulu.com
62Netskope REST API2023-07-05T00:00:00.000ZCreatedNew URL list 2appliedexactgoogle.com,
example.com,
lulu.com
82Netskope REST API2023-07-17T00:00:00.000ZCreatedNewNewURLlistappliedregexxsoar.com,
qmasters.com
92Netskope REST API2023-07-17T00:00:00.000ZCreatedNewNewURLlist1appliedregexxsoar.com,
qmasters.com

netskope-url-list-delete#


Delete a URL list by the list ID.

Base Command#

netskope-url-list-delete

Input#

Argument NameDescriptionRequired
url_list_idThe URL list ID to delete (use netskope-url-list-list to get the URL list ID).Required
deployWhether to deploy URL list changes or not. Default is False. Possible values are: True, False.Optional

Context Output#

PathTypeDescription
Netskope.URLList.idNumberNetskope URL list ID.
Netskope.URLList.nameStringNetskope URL list name.

Command example#

!netskope-url-list-delete url_list_id=10

Context Example#

{
"Netskope": {
"URLList": {
"data": {
"json_version": 2,
"type": "regex",
"urls": [
"xsoar.com",
"qmasters.com"
]
},
"id": 10,
"modify_by": "Netskope REST API",
"modify_time": "2023-07-17T00:00:00.000Z",
"modify_type": "Deleted",
"name": "TalURLlist",
"pending": 1
}
}
}

Human Readable Output#

The URL list 10 was deleted successfully

netskope-client-list#


Get information about Netskope SCIM users. The command provides a list of users who have been imported into the Netskope tenant through SCIM integration. Users imported through other methods, such as manual CSV import or manual creation, will not be included in the returned results.

Base Command#

netskope-client-list

Input#

Argument NameDescriptionRequired
filterFilter the Netskope user by 'key eq value' template. For example: userName eq "someUserName" OR externalId eq "User-Ext_id".Optional
pagePage number of paginated results. Minimum value: 1.Optional
limitThe maximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
Netskope.Client.idNumberNetskope client ID.
Netskope.Client.nameStringNetskope client name.
Netskope.Client.userNameStringNetskope client username.
Netskope.Client.externalIdStringNetskope client external ID.
Netskope.Client.activeBooleanNetskope client activate.
Netskope.Client.emailsStringNetskope client emails.

Command example#

!netskope-client-list page=1 limit=2

Context Example#

{
"Netskope": {
"Client": [
{
"active": true,
"client_id": "6a4dbb07-f465-4a6c-8af2-1c84ced65010",
"emails": [
"email1@netskope.local"
],
"family_name": "last_name",
"given_name": "first_name",
"user_name": "upn1"
},
{
"active": true,
"client_id": "f8d26597-e4a4-400d-a24b-40318a9e80e5",
"emails": [
"email11@netskope.local"
],
"family_name": "last_name1",
"given_name": "first_name1",
"user_name": "upn2"
}
]
}
}

Human Readable Output#

Client List#

Showing page 1. Current page size: 2. |Client Id|User Name|Given Name|Family Name|Emails|Active| |---|---|---|---|---|---| | 6a4dbb07-f465-4a6c-8af2-1c84ced65010 | upn1 | first_name | last_name | email1@netskope.local | true | | f8d26597-e4a4-400d-a24b-40318a9e80e5 | upn2 | first_name1 | last_name1 | email11@netskope.local | true |