Netskope
Collect logs from Netskope with Elastic Agent.
What is an Elastic integration?
This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.
See the integrations quick start guides to get started:
This integration is for Netskope. It can be used to receive logs sent by Netskope Cloud Log Shipper on respective TCP ports.
The log message is expected to be in JSON format. The data is mapped to
ECS fields where applicable and the remaining fields are written under
netskope.<data-stream-name>.*
.
Setup steps
- Configure this integration with the TCP input in Kibana.
- For all Netskope Cloud Exchange configurations refer to the Log Shipper.
- In Netskope Cloud Exchange please enable Log Shipper, add your Netskope Tenant.
- Configure input connectors:
- First with all Event types, and
- Second with all Alerts type. For detailed steps refer to Configure the Netskope Plugin for Log Shipper.
- Configure output connectors:
- Navigate to Settings -> Plugins.
- Add separate output connector Elastic CLS for both Alerts and Events and select mapping "Elastic Default Mappings (Recommended)" for both.
- Create business rules:
- Navigate to Home Page > Log Shipper > Business Rules.
- Create business rules with Netskope Alerts.
- Create business rules with Netskope Events. For detailed steps refer to Manage Log Shipper Business Rules.
- Adding SIEM mappings:
- Navigate to Home Page > Log Shipper > SIEM Mappings
- Add SIEM mapping for events:
- Add Rule put rule created in step 6.
- Add Source Configuration put input created for Events in step 4.
- Add Destination Configuration, put output created for Events in step 5.
Note: For detailed steps refer to Configure Log Shipper SIEM Mappings. Please make sure to use the given response formats.
Compatibility
This package has been tested against Netskope version 95.1.0.645
and Netskope Cloud Exchange version 3.4.0
.
Documentation and configuration
Alerts
Default port: 9020
Events
Default port: 9021
Fields and Sample event
Alerts
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
client.bytes | Bytes sent from the client to the server. | long |
client.port | Port of the client. | long |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
cloud.availability_zone | Availability zone in which this host is running. | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
cloud.instance.id | Instance ID of the host machine. | keyword |
cloud.instance.name | Instance name of the host machine. | keyword |
cloud.machine.type | Machine type of the host machine. | keyword |
cloud.project.id | Name of the project in Google Cloud. | keyword |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
cloud.region | Region in which this host, resource, or service is located. | keyword |
cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
container.id | Unique container id. | keyword |
container.image.name | Name of the image the container was built on. | keyword |
container.labels | Image labels. | object |
container.name | Container name. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain , depending on which one it is. | keyword |
destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
destination.geo.city_name | City name. | keyword |
destination.geo.continent_name | Name of the continent. | keyword |
destination.geo.country_iso_code | Country ISO code. | keyword |
destination.geo.country_name | Country name. | keyword |
destination.geo.location | Longitude and latitude. | geo_point |
destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
destination.geo.region_iso_code | Region ISO code. | keyword |
destination.geo.region_name | Region name. | keyword |
destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
destination.port | Port of the destination. | long |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
event.dataset | Event dataset | constant_keyword |
event.id | Unique ID to describe the event. | keyword |
event.module | Event module | constant_keyword |
file.hash.md5 | MD5 hash. | keyword |
file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml\[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
file.name | Name of the file including the extension, without the directory. | keyword |
file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
file.path.text | Multi-field of file.path . | match_only_text |
file.size | File size in bytes. Only relevant when file.type is "file". | long |
host.architecture | Operating system architecture. | keyword |
host.containerized | If the host is a container. | boolean |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword |
host.ip | Host ip addresses. | ip |
host.mac | Host mac addresses. | keyword |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
host.os.kernel | Operating system kernel version as a raw string. | keyword |
host.os.name | Operating system name, without the version. | keyword |
host.os.name.text | Multi-field of host.os.name . | match_only_text |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
host.os.version | Operating system version as a raw string. | keyword |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
http.request.referrer | Referrer for this HTTP request. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
log.source.address | Source address from which the log event was read / sent from. | keyword |
netskope.alerts.Url2Activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. | keyword |
netskope.alerts.access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. | keyword |
netskope.alerts.account.id | Account ID (usually is account number as provided by the cloud provider). | keyword |
netskope.alerts.account.name | Account name - in case of AWS this is the instance name set by user. For others, account name is provided by cloud provider. | keyword |
netskope.alerts.acked | Whether user acknowledged the alert or not. | boolean |
netskope.alerts.acting.role | N/A | keyword |
netskope.alerts.action | Action taken on the event for the policy. | keyword |
netskope.alerts.activities | N/A | keyword |
netskope.alerts.activity.name | Description of the user performed activity. | keyword |
netskope.alerts.activity.status | Displayed when the user is denied access while performing some activity. | keyword |
netskope.alerts.activity.type | Displayed when only admins can perform the activity in question. | keyword |
netskope.alerts.agg.window | N/A | long |
netskope.alerts.aggregated.user | N/A | boolean |
netskope.alerts.alert.affected.entities | N/A | keyword |
netskope.alerts.alert.category | N/A | keyword |
netskope.alerts.alert.description | N/A | keyword |
netskope.alerts.alert.detection.stage | N/A | keyword |
netskope.alerts.alert.id | Hash of alert generated from code. | keyword |
netskope.alerts.alert.name | Name of the alert. | keyword |
netskope.alerts.alert.notes | N/A | keyword |
netskope.alerts.alert.query | N/A | keyword |
netskope.alerts.alert.score | N/A | long |
netskope.alerts.alert.source | N/A | keyword |
netskope.alerts.alert.status | N/A | keyword |
netskope.alerts.alert.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. | keyword |
netskope.alerts.alert.window | N/A | long |
netskope.alerts.algorithm | N/A | keyword |
netskope.alerts.anomaly.efficacy | Full anomaly details for debugging. | keyword |
netskope.alerts.anomaly.fields | Name(s) and values(s) of the anomalous fields, usually there's going to be only one in the list. | keyword |
netskope.alerts.anomaly.id | N/A | keyword |
netskope.alerts.anomaly.magnitude | N/A | double |
netskope.alerts.anomaly.type | Type of UBA alert. | keyword |
netskope.alerts.app.activity | N/A | keyword |
netskope.alerts.app.app_name | N/A | keyword |
netskope.alerts.app.category | N/A | keyword |
netskope.alerts.app.name | Specific cloud application used by the user (e.g. app = Dropbox). | keyword |
netskope.alerts.app.region | N/A | keyword |
netskope.alerts.app.session.id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | keyword |
netskope.alerts.app.suite | N/A | keyword |
netskope.alerts.asn | N/A | long |
netskope.alerts.asset.id | N/A | keyword |
netskope.alerts.asset.object.id | N/A | keyword |
netskope.alerts.attachment | File name. | keyword |
netskope.alerts.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword |
netskope.alerts.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword |
netskope.alerts.bin.timestamp | Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type. Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour). | long |
netskope.alerts.breach.date | Breach date for compromised credentials. | double |
netskope.alerts.breach.description | N/A | keyword |
netskope.alerts.breach.id | Breach ID for compromised credentials. | keyword |
netskope.alerts.breach.media_references | Media references of breach. | keyword |
netskope.alerts.breach.score | Breach score for compromised credentials. | long |
netskope.alerts.breach.target_references | Breach target references for compromised credentials. | keyword |
netskope.alerts.browser.session.id | Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. | keyword |
netskope.alerts.bucket | N/A | keyword |
netskope.alerts.bypass.traffic | Tells if traffic is bypassed by Netskope. | boolean |
netskope.alerts.category.id | Matching category ID according to policy. Populated for both cloud and web traffic. | keyword |
netskope.alerts.category.name | N/A | keyword |
netskope.alerts.cci | N/A | keyword |
netskope.alerts.ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. | keyword |
netskope.alerts.channel | Channel of the user for slack and slack enterprise apps. | keyword |
netskope.alerts.cloud.provider | N/A | keyword |
netskope.alerts.compliance.standards | N/A | keyword |
netskope.alerts.compute.instance | N/A | keyword |
netskope.alerts.connection.duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | long |
netskope.alerts.connection.endtime | Connection end time. | long |
netskope.alerts.connection.id | Each connection has a unique ID. Shows the ID for the connection event. | keyword |
netskope.alerts.connection.starttime | Connection start time. | long |
netskope.alerts.count | Number of raw log lines/events sessionized or suppressed during the suppressed interval. | long |
netskope.alerts.created_at | N/A | keyword |
netskope.alerts.data.type | Content type of upload/download. | keyword |
netskope.alerts.data.version | N/A | long |
netskope.alerts.description | N/A | keyword |
netskope.alerts.destination.geoip_src | Source from where the location of Destination IP was derived. | long |
netskope.alerts.detected-file-type | N/A | keyword |
netskope.alerts.detection.engine | Customer exposed detection engine name. | keyword |
netskope.alerts.detection.type | Same as malware type. Duplicate. | keyword |
netskope.alerts.device.classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | keyword |
netskope.alerts.device.name | Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. | keyword |
netskope.alerts.dlp.file | File/Object name extracted from the file/object. | keyword |
netskope.alerts.dlp.fingerprint.classification | Fingerprint classification. | keyword |
netskope.alerts.dlp.fingerprint.match | Fingerprint classification match file name. | keyword |
netskope.alerts.dlp.fingerprint.score | Fingerprint classification score. | long |
netskope.alerts.dlp.fv | N/A | long |
netskope.alerts.dlp.incident.id | Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. | keyword |
netskope.alerts.dlp.is_unique_count | True or false depending upon if rule is unique counted per rule data. | boolean |
netskope.alerts.dlp.mail.parent.id | N/A | keyword |
netskope.alerts.dlp.parent.id | Incident ID associated with main container (or non-container) file that was scanned. | keyword |
netskope.alerts.dlp.profile | DLP profile name. | keyword |
netskope.alerts.dlp.rule.count | Count of rule hits. | long |
netskope.alerts.dlp.rule.name | DLP rule that triggered. | keyword |
netskope.alerts.dlp.rule.score | DLP rule score for weighted dictionaries. | long |
netskope.alerts.dlp.rule.severity | Severity of rule. | keyword |
netskope.alerts.dlp.unique_count | Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. | long |
netskope.alerts.doc.count | N/A | long |
netskope.alerts.domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | keyword |
netskope.alerts.domain_shared_with | N/A | keyword |
netskope.alerts.download.app | Applicable to only data exfiltration. Download App (App in the download event). | keyword |
netskope.alerts.drive.id | N/A | keyword |
netskope.alerts.dynamic.classification | URLs were categorized by NSURLC machine or not. | keyword |
netskope.alerts.elastic_key | N/A | keyword |
netskope.alerts.email.source | N/A | keyword |
netskope.alerts.encrypt.failure | Reason of failure while encrypting. | keyword |
netskope.alerts.encryption.service.key | N/A | keyword |
netskope.alerts.enterprise.id | EnterpriseID in case of Slack for Enterprise. | keyword |
netskope.alerts.enterprise.name | Enterprise name in case of Slack for Enterprise. | keyword |
netskope.alerts.entity.list | N/A | keyword |
netskope.alerts.entity.type | N/A | keyword |
netskope.alerts.entity.value | N/A | keyword |
netskope.alerts.event.detail | N/A | keyword |
netskope.alerts.event.id | N/A | keyword |
netskope.alerts.event.type | Anomaly type. | keyword |
netskope.alerts.event_source_channel | N/A | keyword |
netskope.alerts.exposure | Exposure of a document. | keyword |
netskope.alerts.external.collaborator.count | Count of external collaborators on a file/folder. Supported for some apps. | long |
netskope.alerts.external.email | N/A | long |
netskope.alerts.feature.description | N/A | keyword |
netskope.alerts.feature.id | N/A | keyword |
netskope.alerts.feature.name | N/A | keyword |
netskope.alerts.file.id | Unique identifier of the file. | keyword |
netskope.alerts.file.lang | Language of the file. | keyword |
netskope.alerts.file.name | N/A | keyword |
netskope.alerts.file.password.protected | N/A | keyword |
netskope.alerts.file.path.orignal | If the file is moved, then keep original path of the file in this field. | keyword |
netskope.alerts.file.size | Size of the file in bytes. | long |
netskope.alerts.file.type | File type. | keyword |
netskope.alerts.flow_status | N/A | keyword |
netskope.alerts.from.logs | Shows if the event was generated from the Risk Insights log. | keyword |
netskope.alerts.from.object | Initial name of an object that has been renamed, copied or moved. | keyword |
netskope.alerts.from.storage | N/A | keyword |
netskope.alerts.from.user_category | Type of from_user. | keyword |
netskope.alerts.gateway | N/A | keyword |
netskope.alerts.graph.id | N/A | keyword |
netskope.alerts.http_status | N/A | keyword |
netskope.alerts.http_transaction_count | HTTP transaction count. | long |
netskope.alerts.iaas.asset.tags | List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. | keyword |
netskope.alerts.iaas.remediated | N/A | keyword |
netskope.alerts.iam.session | N/A | keyword |
netskope.alerts.id | N/A | keyword |
netskope.alerts.insertion_epoch_timestamp | Insertion timestamp. | long |
netskope.alerts.instance.id | Unique ID associated with an organization application instance. | keyword |
netskope.alerts.instance.name | Instance name associated with an organization application instance. | keyword |
netskope.alerts.instance.type | Instance type. | keyword |
netskope.alerts.instance_name | Instance associated with an organization application instance. | keyword |
netskope.alerts.internal.collaborator.count | Count of internal collaborators on a file/folder. Supported for some apps. | long |
netskope.alerts.ip.protocol | N/A | keyword |
netskope.alerts.ipblock | IPblock that caused the alert. | keyword |
netskope.alerts.is_alert | Indicates whether alert is generated or not. Populated as yes for all alerts. | boolean |
netskope.alerts.is_file_passwd_protected | Tells if the file is password protected. | boolean |
netskope.alerts.is_malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | boolean |
netskope.alerts.is_two_factor_auth | N/A | keyword |
netskope.alerts.is_universal_connector | N/A | keyword |
netskope.alerts.is_user_generated | Tells whether it is user generated page event. | boolean |
netskope.alerts.is_web_universal_connector | N/A | boolean |
netskope.alerts.isp | N/A | keyword |
netskope.alerts.item.id | N/A | keyword |
netskope.alerts.justification.reason | Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. | keyword |
netskope.alerts.justification.type | Type of justification provided by user when user bypasses the policy block. | keyword |
netskope.alerts.last.app | Last application (app in the first/older event). Applies to only proximity anomaly alert. | keyword |
netskope.alerts.last.coordinates | Last location coordinates(latitude, longitude). Applies to only proximity alert. | keyword |
netskope.alerts.last.country | Last location (Country). Applies to only proximity anomaly alert. | keyword |
netskope.alerts.last.device | Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. | keyword |
netskope.alerts.last.location | Last location (City). Applies to only proximity anomaly alert. | keyword |
netskope.alerts.last.modified_timestamp | Timestamp when alert is acknowledged. | long |
netskope.alerts.last.region | Applies to only proximity anomaly alert. | keyword |
netskope.alerts.last.timestamp | Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. | long |
netskope.alerts.latency.max | Max latency for a connection in milliseconds. | long |
netskope.alerts.latency.min | Min latency for a connection in milliseconds. | long |
netskope.alerts.latency.total | Total latency from proxy to app in milliseconds. | long |
netskope.alerts.legal_hold.custodian_name | Custodian name of legal hold profile. | keyword |
netskope.alerts.legal_hold.destination.app | Destination appname of legalhold action. | keyword |
netskope.alerts.legal_hold.destination.instance | Destination instance of legal hold action. | keyword |
netskope.alerts.legal_hold.file.id | File ID of legal hold file. | keyword |
netskope.alerts.legal_hold.file.name | File name of legal hold file. | keyword |
netskope.alerts.legal_hold.file.name_original | Original filename of legal hold file. | keyword |
netskope.alerts.legal_hold.file.path | File path of legal hold file. | keyword |
netskope.alerts.legal_hold.profile_name | Legal hold profile name. | keyword |
netskope.alerts.legal_hold.shared | Shared type of legal hold file. | keyword |
netskope.alerts.legal_hold.shared_with | User shared with the legal hold file. | keyword |
netskope.alerts.legal_hold.version | File version of original file. | keyword |
netskope.alerts.list.id | N/A | keyword |
netskope.alerts.local.md5 | md5 hash of file generated by Malware engine. | keyword |
netskope.alerts.local.sha1 | sha1 hash of file generated by Malware engine. | keyword |
netskope.alerts.local.sha256 | sha256 hash of file generated by Malware engine. | keyword |
netskope.alerts.log.file.name | Log file name for Risk Insights. | keyword |
netskope.alerts.login.type | Salesforce login type. | keyword |
netskope.alerts.login.url.domain | keyword | |
netskope.alerts.login.url.extension | keyword | |
netskope.alerts.login.url.fragment | keyword | |
netskope.alerts.login.url.full | keyword | |
netskope.alerts.login.url.original | keyword | |
netskope.alerts.login.url.password | keyword | |
netskope.alerts.login.url.path | keyword | |
netskope.alerts.login.url.port | long | |
netskope.alerts.login.url.query | keyword | |
netskope.alerts.login.url.scheme | keyword | |
netskope.alerts.login.url.username | keyword | |
netskope.alerts.malsite.active | Since how many days malsite is Active. | long |
netskope.alerts.malsite.as.number | Malsite ASN Number. | keyword |
netskope.alerts.malsite.category | Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. | keyword |
netskope.alerts.malsite.city | Malsite city. | keyword |
netskope.alerts.malsite.confidence | Malsite confidence score. | long |
netskope.alerts.malsite.consecutive | How many times that malsite is seen. | long |
netskope.alerts.malsite.country | Malsite country. | keyword |
netskope.alerts.malsite.dns.server | DNS server of the malsite URL/Domain/IP. | keyword |
netskope.alerts.malsite.first_seen | Malsite first seen timestamp. | long |
netskope.alerts.malsite.hostility | Malsite hostility score. | long |
netskope.alerts.malsite.id | Malicious Site ID - Hash of threat match value. | keyword |
netskope.alerts.malsite.ip_host | Malsite IP. | keyword |
netskope.alerts.malsite.isp | Malsite ISP info. | keyword |
netskope.alerts.malsite.last.seen | Malsite last seen timestamp. | long |
netskope.alerts.malsite.latitude | Latitude plot of the Malsite URL/IP/Domain. | double |
netskope.alerts.malsite.longitude | Longitude plot of the Malsite URL/IP/Domain. | double |
netskope.alerts.malsite.region | Region of the malsite URL/IP/Domain. | keyword |
netskope.alerts.malsite.reputation | Reputation score of Malsite IP/Domain/URL. | double |
netskope.alerts.malsite.severity.level | Severity level of the Malsite ( High / Med / Low). | keyword |
netskope.alerts.malware.id | md5 hash of the malware name as provided by the scan engine. | keyword |
netskope.alerts.malware.name | Netskope detection name. | keyword |
netskope.alerts.malware.profile | tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. | keyword |
netskope.alerts.malware.severity | Malware severity. | keyword |
netskope.alerts.malware.type | Malware Type. | keyword |
netskope.alerts.managed.app | Whether or not the app in question is managed. | boolean |
netskope.alerts.management.id | Management ID. | keyword |
netskope.alerts.matched.username | N/A | keyword |
netskope.alerts.matrix.columns | N/A | keyword |
netskope.alerts.matrix.rows | N/A | keyword |
netskope.alerts.md5 | md5 of the file. | keyword |
netskope.alerts.md5_list | List of md5 hashes specific to the files that are part of custom sequence policy alert. | keyword |
netskope.alerts.mime.type | MIME type of the file. | keyword |
netskope.alerts.ml_detection | N/A | boolean |
netskope.alerts.modified.date | N/A | long |
netskope.alerts.modified.timestamp | Timestamp corresponding to the modification time of the entity (file, etc.). | long |
netskope.alerts.netskope_pop | N/A | keyword |
netskope.alerts.network.name | N/A | keyword |
netskope.alerts.network.security.group | N/A | keyword |
netskope.alerts.new.value | New value for a given file for salesforce.com. | keyword |
netskope.alerts.nonzero.entries | N/A | long |
netskope.alerts.nonzero.percentage | N/A | double |
netskope.alerts.notify.template | N/A | keyword |
netskope.alerts.ns_activity | Maps app activity to Netskope standard activity. | keyword |
netskope.alerts.ns_device_uid | Device identifiers on macOS and Windows. | keyword |
netskope.alerts.numbytes | Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. | long |
netskope.alerts.obfuscate | N/A | boolean |
netskope.alerts.object.count | Displayed when the activity is Delete. Shows the number of objects being deleted. | long |
netskope.alerts.object.id | Unique ID associated with an object. | keyword |
netskope.alerts.object.name | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | keyword |
netskope.alerts.object.type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | keyword |
netskope.alerts.old.value | Old value for a given file for salesforce.com. | keyword |
netskope.alerts.org | Search for events from a specific organization. Organization name is derived from the user ID. | keyword |
netskope.alerts.organization.unit | Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | keyword |
netskope.alerts.orig_ty | Event Type of original event. | keyword |
netskope.alerts.original.file_path | If the file is moved, then keep original path of the file in this field. | keyword |
netskope.alerts.os_version_hostname | Host and OS Version that caused the alert. Concatenation of 2 fields (hostname and os). | keyword |
netskope.alerts.other.categories | N/A | keyword |
netskope.alerts.owner | Owner of the file. | keyword |
netskope.alerts.page.site | N/A | keyword |
netskope.alerts.page.url.domain | keyword | |
netskope.alerts.page.url.extension | keyword | |
netskope.alerts.page.url.fragment | keyword | |
netskope.alerts.page.url.full | keyword | |
netskope.alerts.page.url.original | keyword | |
netskope.alerts.page.url.password | keyword | |
netskope.alerts.page.url.path | keyword | |
netskope.alerts.page.url.port | long | |
netskope.alerts.page.url.query | keyword | |
netskope.alerts.page.url.scheme | keyword | |
netskope.alerts.page.url.username | keyword | |
netskope.alerts.parameters | N/A | keyword |
netskope.alerts.parent.id | N/A | keyword |
netskope.alerts.path.id | N/A | keyword |
netskope.alerts.policy.actions | N/A | keyword |
netskope.alerts.policy.id | The Netskope internal ID for the policy created by an admin. | keyword |
netskope.alerts.policy.name | Predefined or Custom policy name. | keyword |
netskope.alerts.pretty.sourcetype | N/A | keyword |
netskope.alerts.processing.time | N/A | long |
netskope.alerts.profile.emails | List of profile emails per policy. | keyword |
netskope.alerts.profile.id | Anomaly profile ID. | keyword |
netskope.alerts.quarantine.action.reason | Reason for the action taken for quarantine. | keyword |
netskope.alerts.quarantine.admin | Quarantine profile custodian email/name. | keyword |
netskope.alerts.quarantine.app | Quarantine app name. | keyword |
netskope.alerts.quarantine.failure | Reason of failure. | keyword |
netskope.alerts.quarantine.file.id | File ID of the quarantined file. | keyword |
netskope.alerts.quarantine.file.name | File name of the quarantine file. | keyword |
netskope.alerts.quarantine.instance | Quarantine instance name. | keyword |
netskope.alerts.quarantine.original.file.name | Original file name which got quarantined. | keyword |
netskope.alerts.quarantine.original.file.path | Original file path which got quarantined. | keyword |
netskope.alerts.quarantine.original.shared | Original file shared user details. | keyword |
netskope.alerts.quarantine.original.version | Original version of file which got quarantined. | keyword |
netskope.alerts.quarantine.profile.id | Quarantine profile ID. | keyword |
netskope.alerts.quarantine.profile.name | Quarantine profile name of policy for quarantine action. | keyword |
netskope.alerts.quarantine.shared.with | N/A | keyword |
netskope.alerts.referer.domain | keyword | |
netskope.alerts.referer.extension | keyword | |
netskope.alerts.referer.fragment | keyword | |
netskope.alerts.referer.full | keyword | |
netskope.alerts.referer.original | keyword | |
netskope.alerts.referer.password | keyword | |
netskope.alerts.referer.path | keyword | |
netskope.alerts.referer.port | long | |
netskope.alerts.referer.query | keyword | |
netskope.alerts.referer.scheme | keyword | |
netskope.alerts.referer.username | keyword | |
netskope.alerts.region.id | Region ID (as provided by the cloud provider). | keyword |
netskope.alerts.region.name | N/A | keyword |
netskope.alerts.reladb | N/A | keyword |
netskope.alerts.repo | N/A | keyword |
netskope.alerts.request.cnt | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | long |
netskope.alerts.request.id | Unique request ID for the event. | keyword |
netskope.alerts.resource.category | Category of resource as defined in DOM. | keyword |
netskope.alerts.resource.group | N/A | keyword |
netskope.alerts.resources | N/A | keyword |
netskope.alerts.response.cnt | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. | long |
netskope.alerts.response.content.length | N/A | long |
netskope.alerts.response.content.type | N/A | keyword |
netskope.alerts.retro.scan.name | Retro scan name. | keyword |
netskope.alerts.risk_level.id | This field is set by both role-based access (RBA) and MLAD. | keyword |
netskope.alerts.risk_level.tag | Corresponding field to risk_level_id. Name. | keyword |
netskope.alerts.role | Roles for Box. | keyword |
netskope.alerts.rule.id | N/A | keyword |
netskope.alerts.sa.profile.id | CSA profile ID. | keyword |
netskope.alerts.sa.profile.name | CSA profile name. | keyword |
netskope.alerts.sa.rule.id | CSA rule ID. | keyword |
netskope.alerts.sa.rule.name | CSA rule name. | keyword |
netskope.alerts.sa.rule.remediation | N/A | keyword |
netskope.alerts.sa.rule.severity | Rule severity. | keyword |
netskope.alerts.scan.time | Time when the scan is done. | long |
netskope.alerts.scan.type | Generated during retroactive scan or new ongoing activity. | keyword |
netskope.alerts.scanner_result | N/A | keyword |
netskope.alerts.scopes | List of permissions for google apps. | keyword |
netskope.alerts.serial | N/A | keyword |
netskope.alerts.server.bytes | Total number of downloaded from server to client. | long |
netskope.alerts.session.id | Populated by Risk Insights. | keyword |
netskope.alerts.severity.id | Severity ID used by watchlist and malware alerts. | keyword |
netskope.alerts.severity.level | Severity used by watchlist and malware alerts. | keyword |
netskope.alerts.severity.level_id | If the Severity Level ID is 1, it means that URL / IP /Domain is detected from Internal threat feed and if Severity Level ID is 2, then it means the detection happened based on the Zvelo DB Malsite Category. | long |
netskope.alerts.sfwder | N/A | keyword |
netskope.alerts.shared.credential.user | Applicable to only shared credentials. User with whom the credentials are shared with. | keyword |
netskope.alerts.shared.domains | List of domains of users the document is shared with. | keyword |
netskope.alerts.shared.is_shared | If the file is shared or not. | boolean |
netskope.alerts.shared.type | Shared Type. | keyword |
netskope.alerts.shared.with | Array of emails with whom a document is shared with. | keyword |
netskope.alerts.shared_type | N/A | keyword |
netskope.alerts.site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". | keyword |
netskope.alerts.slc_latitude | N/A | keyword |
netskope.alerts.slc_longitude | N/A | keyword |
netskope.alerts.source.geoip_src | Source from where the location of Source IP was derived. | long |
netskope.alerts.source.time | N/A | keyword |
netskope.alerts.srcip2 | N/A | keyword |
netskope.alerts.ssl.decrypt.policy | Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration Bypass due to SSL Decrypt Policy The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. | keyword |
netskope.alerts.start_time | Start time for alert time period. | long |
netskope.alerts.statistics | This field & summary field go together. This field will either tell count or size of files. File size is in bytes. | long |
netskope.alerts.storage_service_bucket | N/A | keyword |
netskope.alerts.sub.type | Workplace by Facebook post sub category (files, comments, status etc). | keyword |
netskope.alerts.summary | Tells whether anomaly was measured from count or size of files. | keyword |
netskope.alerts.suppression.end.time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long |
netskope.alerts.suppression.key | To limit the number of events. Example: Suppress block event for browse. | keyword |
netskope.alerts.suppression.start.time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long |
netskope.alerts.target.entity.key | N/A | keyword |
netskope.alerts.target.entity.type | N/A | keyword |
netskope.alerts.target.entity.value | N/A | keyword |
netskope.alerts.team | Slack team name. | keyword |
netskope.alerts.telemetry.app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. | keyword |
netskope.alerts.temp.user | N/A | keyword |
netskope.alerts.tenant.id | Tenant id. | keyword |
netskope.alerts.threat.match.field | Threat match field, either from domain or URL or IP. | keyword |
netskope.alerts.threat.match.value | N/A | keyword |
netskope.alerts.threat.source.id | Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. | keyword |
netskope.alerts.threshold.time | Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. Threshold Time. | long |
netskope.alerts.threshold.value | Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. | long |
netskope.alerts.title | Title of the file. | keyword |
netskope.alerts.to.object | Changed name of an object that has been renamed, copied, or moved. | keyword |
netskope.alerts.to.storage | N/A | keyword |
netskope.alerts.to.user | Used when a file is moved from user A to user B. Shows the email address of user B. | keyword |
netskope.alerts.to.user_category | Type of user to which move is done. | keyword |
netskope.alerts.total.collaborator.count | Count of collaborators on a file/folder. Supported for some apps. | long |
netskope.alerts.traffic.type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. | keyword |
netskope.alerts.transaction.id | Unique ID for a given request/response. | keyword |
netskope.alerts.transformation | N/A | keyword |
netskope.alerts.tss.mode | Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. | keyword |
netskope.alerts.tss.version | N/A | long |
netskope.alerts.tunnel.id | Shows the Client installation ID. Only available for the Client steering configuration. | keyword |
netskope.alerts.type | Type of the alert. | keyword |
netskope.alerts.uba_ap1 | N/A | keyword |
netskope.alerts.uba_ap2 | N/A | keyword |
netskope.alerts.uba_inst1 | N/A | keyword |
netskope.alerts.uba_inst2 | N/A | keyword |
netskope.alerts.updated | N/A | long |
netskope.alerts.url.domain | keyword | |
netskope.alerts.url.extension | keyword | |
netskope.alerts.url.fragment | keyword | |
netskope.alerts.url.full | keyword | |
netskope.alerts.url.original | keyword | |
netskope.alerts.url.password | keyword | |
netskope.alerts.url.path | keyword | |
netskope.alerts.url.port | long | |
netskope.alerts.url.query | keyword | |
netskope.alerts.url.scheme | keyword | |
netskope.alerts.url.username | keyword | |
netskope.alerts.user.category | Type of user in an enterprise - external / internal. | keyword |
netskope.alerts.user.geo.city_name | City name. | keyword |
netskope.alerts.user.geo.continent_name | Name of the continent. | keyword |
netskope.alerts.user.geo.country_iso_code | Country ISO code. | keyword |
netskope.alerts.user.geo.country_name | Country name. | keyword |
netskope.alerts.user.geo.location | Longitude and latitude. | geo_point |
netskope.alerts.user.geo.region_iso_code | Region ISO code. | keyword |
netskope.alerts.user.geo.region_name | Region name. | keyword |
netskope.alerts.user.group | N/A | keyword |
netskope.alerts.user.ip | IP address of User. | keyword |
netskope.alerts.value | N/A | double |
netskope.alerts.violating_user.name | User who caused a violation. Populated for Workplace by Facebook. | keyword |
netskope.alerts.violating_user.type | Category of the user who caused a violation. Populated for Workplace by Facebook. | keyword |
netskope.alerts.web.url.domain | keyword | |
netskope.alerts.web.url.extension | keyword | |
netskope.alerts.web.url.fragment | keyword | |
netskope.alerts.web.url.full | keyword | |
netskope.alerts.web.url.original | keyword | |
netskope.alerts.web.url.password | keyword | |
netskope.alerts.web.url.path | keyword | |
netskope.alerts.web.url.port | long | |
netskope.alerts.web.url.query | keyword | |
netskope.alerts.web.url.scheme | keyword | |
netskope.alerts.web.url.username | keyword | |
netskope.alerts.workspace.id | Workspace ID in case of Slack for Enterprise. | keyword |
netskope.alerts.workspace.name | Workspace name in case of Slack for Enterprise. | keyword |
netskope.alerts.zip.password | Zip the malicious file and put pwd to it and send it back to caller. | keyword |
network.protocol | In the OSI Model this would be the Application Layer protocol. For example, http , dns , or ssh . The field value must be normalized to lowercase for querying. | keyword |
related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
related.ip | All of the IPs seen on your event. | ip |
source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain , depending on which one it is. | keyword |
source.geo.city_name | City name. | keyword |
source.geo.continent_name | Name of the continent. | keyword |
source.geo.country_iso_code | Country ISO code. | keyword |
source.geo.country_name | Country name. | keyword |
source.geo.location | Longitude and latitude. | geo_point |
source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
source.geo.region_iso_code | Region ISO code. | keyword |
source.geo.region_name | Region name. | keyword |
source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
source.ip | IP address of the source (IPv4 or IPv6). | ip |
source.port | Port of the source. | long |
tags | List of keywords used to tag each event. | keyword |
threat.indicator.file.hash.md5 | MD5 hash. | keyword |
threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
user.email | User email address. | keyword |
user.group.name | Name of the group. | keyword |
user.name | Short name or login of the user. | keyword |
user.name.text | Multi-field of user.name . | match_only_text |
user.roles | Array of user roles at the time of the event. | keyword |
user_agent.name | Name of the user agent. | keyword |
user_agent.original | Unparsed user_agent string. | keyword |
user_agent.original.text | Multi-field of user_agent.original . | match_only_text |
user_agent.os.name | Operating system name, without the version. | keyword |
user_agent.os.name.text | Multi-field of user_agent.os.name . | match_only_text |
user_agent.os.version | Operating system version as a raw string. | keyword |
user_agent.version | Version of the user agent. | keyword |
An example event for alerts
looks as following:
{
"@timestamp": "2021-12-23T16:27:09.000Z",
"agent": {
"ephemeral_id": "f351413b-f36f-45a3-aa1f-1334e718f39a",
"id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.9.0"
},
"data_stream": {
"dataset": "netskope.alerts",
"namespace": "ep",
"type": "logs"
},
"destination": {
"address": "81.2.69.143",
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.143"
},
"ecs": {
"version": "8.10.0"
},
"elastic_agent": {
"id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e",
"snapshot": false,
"version": "8.9.0"
},
"event": {
"agent_id_status": "verified",
"id": "f621f259f5fbde850ad5593a",
"ingested": "2023-07-27T15:55:05Z"
},
"file": {
"hash": {
"md5": "4bb5d9501bf7685ecaed55e3eda9ca01"
},
"mime_type": [
"application\\\\/vnd.apps.document"
],
"path": "\\\\/My Drive\\\\/Clickhouse\\\\/Tenant Migration across MPs",
"size": 196869
},
"input": {
"type": "tcp"
},
"log": {
"source": {
"address": "172.18.0.4:33326"
}
},
"netskope": {
"alerts": {
"access_method": "API Connector",
"acked": false,
"action": "block",
"activity": {
"name": "Login Successful"
},
"alert": {
"name": "policy-alert",
"type": "nspolicy"
},
"app": {
"category": "Cloud Storage",
"name": "SomeApp"
},
"category": {
"name": "Cloud Storage"
},
"cci": "81",
"ccl": "high",
"count": 1,
"destination": {
"geoip_src": 2
},
"device": {
"name": "Other"
},
"exposure": "organization_wide_link",
"file": {
"lang": "ENGLISH"
},
"insertion_epoch_timestamp": 1640277131,
"instance": {
"id": "example.com",
"name": "example.com"
},
"is_alert": true,
"modified": {
"timestamp": 1613760236
},
"object": {
"id": "GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg",
"name": "HjBuUvDLWgpudzQr",
"type": "File"
},
"organization": {
"unit": "example.local\\\\/example\\\\/Active Users"
},
"owner": "foobar",
"policy": {
"name": "Some Policy"
},
"request": {
"id": "9262245914980288500"
},
"scan": {
"type": "Ongoing"
},
"shared": {
"with": "none"
},
"site": "Example",
"source": {
"geoip_src": 2
},
"suppression": {
"key": "Tenant Migration across MPs"
},
"traffic": {
"type": "CloudApp"
},
"type": "policy",
"url": {
"extension": "com\\\\/open",
"original": "http:\\\\/\\\\/www.example.com\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
"path": "\\\\/\\\\/www.example.com\\\\/open",
"query": "id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
"scheme": "http"
}
}
},
"related": {
"ip": [
"81.2.69.143"
]
},
"source": {
"address": "81.2.69.143",
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.143"
},
"tags": [
"forwarded",
"netskope-alerts"
],
"user": {
"email": [
"test@example.com"
]
},
"user_agent": {
"name": "unknown",
"os": {
"name": "unknown"
}
}
}
Events
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
client.bytes | Bytes sent from the client to the server. | long |
client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
client.packets | Packets sent from the client to the server. | long |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
cloud.availability_zone | Availability zone in which this host is running. | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
cloud.instance.id | Instance ID of the host machine. | keyword |
cloud.instance.name | Instance name of the host machine. | keyword |
cloud.machine.type | Machine type of the host machine. | keyword |
cloud.project.id | Name of the project in Google Cloud. | keyword |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
cloud.region | Region in which this host, resource, or service is located. | keyword |
cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
container.id | Unique container id. | keyword |
container.image.name | Name of the image the container was built on. | keyword |
container.labels | Image labels. | object |
container.name | Container name. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain , depending on which one it is. | keyword |
destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
destination.geo.city_name | City name. | keyword |
destination.geo.continent_name | Name of the continent. | keyword |
destination.geo.country_iso_code | Country ISO code. | keyword |
destination.geo.country_name | Country name. | keyword |
destination.geo.location | Longitude and latitude. | geo_point |
destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
destination.geo.region_iso_code | Region ISO code. | keyword |
destination.geo.region_name | Region name. | keyword |
destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
destination.port | Port of the destination. | long |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
event.action | The action captured by the event. This describes the information in the event. It is more specific than event.category . Examples are group-add , process-started , file-created . The value is normally defined by the implementer. | keyword |
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type , which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
event.dataset | Event dataset | constant_keyword |
event.id | Unique ID to describe the event. | keyword |
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
event.module | Event module | constant_keyword |
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
file.hash.md5 | MD5 hash. | keyword |
file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml\[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
file.name | Name of the file including the extension, without the directory. | keyword |
file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
file.path.text | Multi-field of file.path . | match_only_text |
file.size | File size in bytes. Only relevant when file.type is "file". | long |
host.architecture | Operating system architecture. | keyword |
host.containerized | If the host is a container. | boolean |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword |
host.ip | Host ip addresses. | ip |
host.mac | Host mac addresses. | keyword |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
host.os.kernel | Operating system kernel version as a raw string. | keyword |
host.os.name | Operating system name, without the version. | keyword |
host.os.name.text | Multi-field of host.os.name . | text |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
host.os.version | Operating system version as a raw string. | keyword |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
log.source.address | Source address from which the log event was read / sent from. | keyword |
netskope.events.access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. | keyword |
netskope.events.ack | Whether user acknowledged the alert or not. | boolean |
netskope.events.activity.name | Description of the user performed activity. | keyword |
netskope.events.activity.status | Displayed when the user is denied access while performing some activity. | keyword |
netskope.events.activity.type | Displayed when only admins can perform the activity in question. | keyword |
netskope.events.alarm.description | N/A | keyword |
netskope.events.alarm.name | N/A | keyword |
netskope.events.alert.is_present | Indicates whether alert is generated or not. Populated as yes for all alerts. | boolean |
netskope.events.alert.name | Name of the alert. | keyword |
netskope.events.alert.type | Type of the alert. | keyword |
netskope.events.app.activity | N/A | keyword |
netskope.events.app.category | N/A | keyword |
netskope.events.app.name | Specific cloud application used by the user (e.g. app = Dropbox). | keyword |
netskope.events.app.region | N/A | keyword |
netskope.events.app.session.id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | keyword |
netskope.events.attachment | File name. | keyword |
netskope.events.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword |
netskope.events.audit.log.event | N/A | keyword |
netskope.events.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword |
netskope.events.browser.session.id | Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. | keyword |
netskope.events.bucket | N/A | keyword |
netskope.events.category.id | Matching category ID according to policy. Populated for both cloud and web traffic. | keyword |
netskope.events.category.name | N/A | keyword |
netskope.events.cci | N/A | keyword |
netskope.events.ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. | keyword |
netskope.events.channel | Channel of the user for slack and slack enterprise apps. | keyword |
netskope.events.client.bytes | Total number of bytes uploaded from client to server. | long |
netskope.events.client.packets | N/A | long |
netskope.events.connection.duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | long |
netskope.events.connection.end_time | Connection end time. | long |
netskope.events.connection.id | Each connection has a unique ID. Shows the ID for the connection event. | keyword |
netskope.events.connection.start_time | Connection start time. | long |
netskope.events.count | Number of raw log lines/events sessionized or suppressed during the suppressed interval. | long |
netskope.events.description | N/A | keyword |
netskope.events.destination.geoip.source | Source from where the location of Destination IP was derived. | long |
netskope.events.detail | N/A | keyword |
netskope.events.detection.engine | Customer exposed detection engine name. | keyword |
netskope.events.detection.type | Same as malware type. Duplicate. | keyword |
netskope.events.device.classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | keyword |
netskope.events.device.name | N/A | keyword |
netskope.events.device.type | Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. | keyword |
netskope.events.dlp.count | Count of rule hits. | long |
netskope.events.dlp.file | File/Object name extracted from the file/object. | keyword |
netskope.events.dlp.fingerprint.classificaiton | Fingerprint classification. | keyword |
netskope.events.dlp.fingerprint.match | Fingerprint classification match file name. | keyword |
netskope.events.dlp.fingerprint.score | Fingerprint classification score. | long |
netskope.events.dlp.fv | N/A | long |
netskope.events.dlp.incident.id | Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. | keyword |
netskope.events.dlp.is_unique_count | True or false depending upon if rule is unique counted per rule data. | boolean |
netskope.events.dlp.mail.parent_id | N/A | keyword |
netskope.events.dlp.parent.id | Incident ID associated with main container (or non-container) file that was scanned. | keyword |
netskope.events.dlp.profile | DLP profile name. | keyword |
netskope.events.dlp.score | DLP rule score for weighted dictionaries. | long |
netskope.events.dlp.severity | Severity of rule. | keyword |
netskope.events.dlp.unique_count | Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. | long |
netskope.events.domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | keyword |
netskope.events.domain_shared_with | N/A | long |
netskope.events.drive.id | N/A | keyword |
netskope.events.encrypt.failure | Reason of failure while encrypting. | keyword |
netskope.events.end_time | N/A | keyword |
netskope.events.enterprise.id | EnterpriseID in case of Slack for Enterprise. | keyword |
netskope.events.enterprise.name | Enterprise name in case of Slack for Enterprise. | keyword |
netskope.events.event.type | Anomaly type. | keyword |
netskope.events.event_type | N/A | keyword |
netskope.events.exposure | Exposure of a document. | keyword |
netskope.events.external_collaborator_count | Count of external collaborators on a file/folder. Supported for some apps. | long |
netskope.events.file.id | Unique identifier of the file. | keyword |
netskope.events.file.is_password_protected | N/A | keyword |
netskope.events.file.lang | Language of the file. | keyword |
netskope.events.from.logs | Shows if the event was generated from the Risk Insights log. | keyword |
netskope.events.from.object | Initial name of an object that has been renamed, copied or moved. | keyword |
netskope.events.from.storage | N/A | keyword |
netskope.events.from.user_category | Type of from_user. | keyword |
netskope.events.gateway | N/A | keyword |
netskope.events.graph.id | N/A | keyword |
netskope.events.http_status | N/A | keyword |
netskope.events.http_transaction_count | HTTP transaction count. | long |
netskope.events.iaas_asset_tags | List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. | keyword |
netskope.events.id | N/A | keyword |
netskope.events.insertion.timestamp | Insertion timestamp. | long |
netskope.events.instance.id | Unique ID associated with an organization application instance. | keyword |
netskope.events.instance.name | Instance name associated with an organization application instance. | keyword |
netskope.events.instance.type | Instance type. | keyword |
netskope.events.instance_name | Instance associated with an organization application instance. | keyword |
netskope.events.internal_collaborator_count | Count of internal collaborators on a file/folder. Supported for some apps. | long |
netskope.events.ip.protocol | N/A | keyword |
netskope.events.is_bypass_traffic | Tells if traffic is bypassed by Netskope. | boolean |
netskope.events.is_malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | boolean |
netskope.events.item.id | N/A | keyword |
netskope.events.justification.reason | Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. | keyword |
netskope.events.justification.type | Type of justification provided by user when user bypasses the policy block. | keyword |
netskope.events.last.app | Last application (app in the first/older event). Applies to only proximity anomaly alert. | keyword |
netskope.events.last.country | Last location (Country). Applies to only proximity anomaly alert. | keyword |
netskope.events.last.device | Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. | keyword |
netskope.events.last.location | Last location (City). Applies to only proximity anomaly alert. | keyword |
netskope.events.last.region | Applies to only proximity anomaly alert. | keyword |
netskope.events.last.timestamp | Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. | long |
netskope.events.latency.max | Max latency for a connection in milliseconds. | long |
netskope.events.latency.min | Min latency for a connection in milliseconds. | long |
netskope.events.latency.total | Total latency from proxy to app in milliseconds. | long |
netskope.events.legal_hold_profile_name | Legal hold profile name. | keyword |
netskope.events.lh.custodian.name | Custodian name of legal hold profile. | keyword |
netskope.events.lh.destination.app | Destination appname of legalhold action. | keyword |
netskope.events.lh.destination.instance | Destination instance of legal hold action. | keyword |
netskope.events.lh.file_id | File ID of legal hold file. | keyword |
netskope.events.lh.filename | File name of legal hold file. | keyword |
netskope.events.lh.filename_original | Original filename of legal hold file. | keyword |
netskope.events.lh.filepath | File path of legal hold file. | keyword |
netskope.events.lh.shared | Shared type of legal hold file. | keyword |
netskope.events.lh.shared_with | User shared with the legal hold file. | keyword |
netskope.events.lh.version | File version of original file. | keyword |
netskope.events.list.id | N/A | keyword |
netskope.events.log_file.name | Log file name for Risk Insights. | keyword |
netskope.events.login.type | Salesforce login type. | keyword |
netskope.events.login.url.domain | keyword | |
netskope.events.login.url.extension | keyword | |
netskope.events.login.url.fragment | keyword | |
netskope.events.login.url.full | keyword | |
netskope.events.login.url.original | keyword | |
netskope.events.login.url.password | keyword | |
netskope.events.login.url.path | keyword | |
netskope.events.login.url.port | long | |
netskope.events.login.url.query | keyword | |
netskope.events.login.url.scheme | keyword | |
netskope.events.login.url.username | keyword | |
netskope.events.malsite_category | Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. | keyword |
netskope.events.malware.id | md5 hash of the malware name as provided by the scan engine. | keyword |
netskope.events.malware.name | Netskope detection name. | keyword |
netskope.events.malware.profile | tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. | keyword |
netskope.events.malware.severity | Malware severity. | keyword |
netskope.events.malware.type | Malware Type. | keyword |
netskope.events.managed_app | Whether or not the app in question is managed. | boolean |
netskope.events.management.id | Management ID. | keyword |
netskope.events.metric_value | N/A | long |
netskope.events.modified_at | Timestamp corresponding to the modification time of the entity (file, etc.). | date |
netskope.events.netskope_pop | N/A | keyword |
netskope.events.network | N/A | keyword |
netskope.events.new_value | New value for a given file for salesforce.com. | keyword |
netskope.events.notify_template | N/A | keyword |
netskope.events.ns.activity | Maps app activity to Netskope standard activity. | keyword |
netskope.events.ns.device_uid | Device identifiers on macOS and Windows. | keyword |
netskope.events.num_sessions | N/A | long |
netskope.events.numbytes | Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. | long |
netskope.events.obfuscate | N/A | boolean |
netskope.events.object.count | Displayed when the activity is Delete. Shows the number of objects being deleted. | long |
netskope.events.object.id | Unique ID associated with an object. | keyword |
netskope.events.object.name | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | keyword |
netskope.events.object.type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | keyword |
netskope.events.old_value | Old value for a given file for salesforce.com. | keyword |
netskope.events.org | Search for events from a specific organization. Organization name is derived from the user ID. | keyword |
netskope.events.organization_unit | Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | keyword |
netskope.events.orig_ty | Event Type of original event. | keyword |
netskope.events.original_file_path | If the file is moved, then keep original path of the file in this field. | keyword |
netskope.events.other.categories | N/A | keyword |
netskope.events.owner | Owner of the file. | keyword |
netskope.events.page | The URL of the originating page. | keyword |
netskope.events.page_site | N/A | keyword |
netskope.events.parent.id | N/A | keyword |
netskope.events.path_id | Path ID of the file in the application. | long |
netskope.events.policy.id | The Netskope internal ID for the policy created by an admin. | keyword |
netskope.events.policy.name | Name of the policy configured by an admin. | keyword |
netskope.events.profile.emails | List of profile emails per policy. | keyword |
netskope.events.profile.id | Anomaly profile ID. | keyword |
netskope.events.publisher_cn | N/A | keyword |
netskope.events.qar | N/A | keyword |
netskope.events.quarantine.action.reason | Reason for the action taken for quarantine. | keyword |
netskope.events.quarantine.admin | Quarantine profile custodian email/name. | keyword |
netskope.events.quarantine.app | Quarantine app name. | keyword |
netskope.events.quarantine.app_name | N/A | keyword |
netskope.events.quarantine.failure | Reason of failure. | keyword |
netskope.events.quarantine.file.id | File ID of the quarantined file. | keyword |
netskope.events.quarantine.file.name | File name of the quarantine file. | keyword |
netskope.events.quarantine.instance | Quarantine instance name. | keyword |
netskope.events.quarantine.original.file.name | Original file name which got quarantined. | keyword |
netskope.events.quarantine.original.file.path | Original file path which got quarantined. | keyword |
netskope.events.quarantine.original.shared | Original file shared user details. | keyword |
netskope.events.quarantine.original.version | Original version of file which got quarantined. | keyword |
netskope.events.quarantine.profile.id | Quarantine profile ID. | keyword |
netskope.events.quarantine.profile.name | Quarantine profile name of policy for quarantine action. | keyword |
netskope.events.quarantine.shared_with | N/A | keyword |
netskope.events.referer.domain | keyword | |
netskope.events.referer.extension | keyword | |
netskope.events.referer.fragment | keyword | |
netskope.events.referer.full | keyword | |
netskope.events.referer.original | keyword | |
netskope.events.referer.password | keyword | |
netskope.events.referer.path | keyword | |
netskope.events.referer.port | long | |
netskope.events.referer.query | keyword | |
netskope.events.referer.scheme | keyword | |
netskope.events.referer.username | keyword | |
netskope.events.repo | N/A | keyword |
netskope.events.request.count | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | long |
netskope.events.request.id | Unique request ID for the event. | keyword |
netskope.events.response.content.length | N/A | long |
netskope.events.response.content.type | N/A | keyword |
netskope.events.response.count | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. | long |
netskope.events.retro_scan_name | Retro scan name. | keyword |
netskope.events.risk_level | Corresponding field to risk_level_id. Name. | keyword |
netskope.events.risk_level_id | This field is set by both role-based access (RBA) and MLAD. | keyword |
netskope.events.role | Roles for Box. | keyword |
netskope.events.run_id | Run ID. | long |
netskope.events.sa.profile.id | CSA profile ID. | keyword |
netskope.events.sa.profile.name | CSA profile name. | keyword |
netskope.events.sa.rule.severity | Rule severity. | keyword |
netskope.events.scan.time | Time when the scan is done. | long |
netskope.events.scan.type | Generated during retroactive scan or new ongoing activity. | keyword |
netskope.events.scopes | List of permissions for google apps. | keyword |
netskope.events.serial | N/A | keyword |
netskope.events.server.bytes | Total number of downloaded from server to client. | long |
netskope.events.server.packets | N/A | long |
netskope.events.session.duration | N/A | long |
netskope.events.session.id | Session ID for Dropbox application. | keyword |
netskope.events.session.packets | N/A | long |
netskope.events.severity.id | Severity ID used by watchlist and malware alerts. | keyword |
netskope.events.severity.level | Severity used by watchlist and malware alerts. | keyword |
netskope.events.severity.type | Severity type used by watchlist and malware alerts | keyword |
netskope.events.sfwder | N/A | keyword |
netskope.events.shared.domains | List of domains of users the document is shared with. | keyword |
netskope.events.shared.is_shared | If the file is shared or not. | boolean |
netskope.events.shared.type | Shared Type. | keyword |
netskope.events.shared.with | Array of emails with whom a document is shared with. | keyword |
netskope.events.site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". | keyword |
netskope.events.slc.geo.location | Longitude and latitude. | geo_point |
netskope.events.source.geoip_src | Source from where the location of Source IP was derived. | long |
netskope.events.ssl_decrypt_policy | Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration, Bypass due to SSL Decrypt Policy.The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. | keyword |
netskope.events.start_time | N/A | keyword |
netskope.events.sub_type | Workplace by Facebook post sub category (files, comments, status etc). | keyword |
netskope.events.supporting_data | N/A | keyword |
netskope.events.suppression.end_time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long |
netskope.events.suppression.key | To limit the number of events. Example: Suppress block event for browse. | keyword |
netskope.events.suppression.start_time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long |
netskope.events.team | Slack team name. | keyword |
netskope.events.telemetry_app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. | keyword |
netskope.events.temp_user | N/A | keyword |
netskope.events.tenant.id | Tenant id. | keyword |
netskope.events.threat.match_field | Threat match field, either from domain or URL or IP. | keyword |
netskope.events.threat.source.id | Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. | keyword |
netskope.events.threshold | Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. | long |
netskope.events.tnetwork_session_id | N/A | keyword |
netskope.events.to.object | Changed name of an object that has been renamed, copied, or moved. | keyword |
netskope.events.to.storage | N/A | keyword |
netskope.events.to.user | Used when a file is moved from user A to user B. Shows the email address of user B. | keyword |
netskope.events.to.user_category | Type of user to which move is done. | keyword |
netskope.events.total.collaborator_count | Count of collaborators on a file/folder. Supported for some apps. | long |
netskope.events.total_packets | N/A | long |
netskope.events.traffic.type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. | keyword |
netskope.events.transaction.id | Unique ID for a given request/response. | keyword |
netskope.events.tss_mode | Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. | keyword |
netskope.events.tunnel.id | Shows the Client installation ID. Only available for the Client steering configuration. | keyword |
netskope.events.tunnel.type | N/A | keyword |
netskope.events.tunnel.up_time | N/A | long |
netskope.events.two_factor_auth | N/A | keyword |
netskope.events.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. | keyword |
netskope.events.universal_connector | N/A | keyword |
netskope.events.url.domain | keyword | |
netskope.events.url.extension | keyword | |
netskope.events.url.fragment | keyword | |
netskope.events.url.full | keyword | |
netskope.events.url.original | keyword | |
netskope.events.url.password | keyword | |
netskope.events.url.path | keyword | |
netskope.events.url.port | long | |
netskope.events.url.query | keyword | |
netskope.events.url.scheme | keyword | |
netskope.events.url.username | keyword | |
netskope.events.url_to_activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. | keyword |
netskope.events.user.category | Type of user in an enterprise - external / internal. | keyword |
netskope.events.user.generated | Tells whether it is user generated page event. | boolean |
netskope.events.user.geo.city_name | N/A | keyword |
netskope.events.user.geo.continent_name | N/A | keyword |
netskope.events.user.geo.country_iso_code | N/A | keyword |
netskope.events.user.geo.country_name | N/A | keyword |
netskope.events.user.geo.location | Longitude and latitude. | geo_point |
netskope.events.user.geo.region_iso_code | N/A | keyword |
netskope.events.user.geo.region_name | N/A | keyword |
netskope.events.user.group | N/A | keyword |
netskope.events.user.ip | IP address of User. | keyword |
netskope.events.user.is_aggregated | N/A | boolean |
netskope.events.violating.user.name | User who caused a vioaltion. Populated for Workplace by Facebook. | keyword |
netskope.events.violating.user.type | Category of the user who caused a violation. Populated for Workplace by Facebook. | keyword |
netskope.events.web.url.domain | keyword | |
netskope.events.web.url.extension | keyword | |
netskope.events.web.url.fragment | keyword | |
netskope.events.web.url.full | keyword | |
netskope.events.web.url.original | keyword | |
netskope.events.web.url.password | keyword | |
netskope.events.web.url.path | keyword | |
netskope.events.web.url.port | long | |
netskope.events.web.url.query | keyword | |
netskope.events.web.url.scheme | keyword | |
netskope.events.web.url.username | keyword | |
netskope.events.web_universal_connector | N/A | keyword |
netskope.events.workspace.id | Workspace ID in case of Slack for Enterprise. | keyword |
netskope.events.workspace.name | Workspace name in case of Slack for Enterprise. | keyword |
netskope.events.zip_password | Zip the malacious file and put pwd to it and send it back to caller. | keyword |
network.protocol | In the OSI Model this would be the Application Layer protocol. For example, http , dns , or ssh . The field value must be normalized to lowercase for querying. | keyword |
related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
related.ip | All of the IPs seen on your event. | ip |
rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
rule.name | The name of the rule or signature generating the event. | keyword |
server.bytes | Bytes sent from the server to the client. | long |
server.packets | Packets sent from the server to the client. | long |
source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain , depending on which one it is. | keyword |
source.geo.city_name | City name. | keyword |
source.geo.continent_name | Name of the continent. | keyword |
source.geo.country_iso_code | Country ISO code. | keyword |
source.geo.country_name | Country name. | keyword |
source.geo.location | Longitude and latitude. | geo_point |
source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
source.geo.region_iso_code | Region ISO code. | keyword |
source.geo.region_name | Region name. | keyword |
source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
source.ip | IP address of the source (IPv4 or IPv6). | ip |
source.port | Port of the source. | long |
tags | List of keywords used to tag each event. | keyword |
threat.indicator.file.hash.md5 | MD5 hash. | keyword |
threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
user.email | User email address. | keyword |
user.group.name | Name of the group. | keyword |
user.name | Short name or login of the user. | keyword |
user.name.text | Multi-field of user.name . | match_only_text |
user.roles | Array of user roles at the time of the event. | keyword |
user_agent.device.name | Name of the device. | keyword |
user_agent.name | Name of the user agent. | keyword |
user_agent.original | Unparsed user_agent string. | keyword |
user_agent.original.text | Multi-field of user_agent.original . | match_only_text |
user_agent.os.full | Operating system name, including the version or code name. | keyword |
user_agent.os.full.text | Multi-field of user_agent.os.full . | match_only_text |
user_agent.os.name | Operating system name, without the version. | keyword |
user_agent.os.name.text | Multi-field of user_agent.os.name . | match_only_text |
user_agent.os.version | Operating system version as a raw string. | keyword |
user_agent.version | Version of the user agent. | keyword |
An example event for events
looks as following:
{
"@timestamp": "2021-12-24T00:29:56.000Z",
"agent": {
"ephemeral_id": "169a2d34-f013-46a1-8cfa-0688afe7cb78",
"id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.9.0"
},
"data_stream": {
"dataset": "netskope.events",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.10.0"
},
"elastic_agent": {
"id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e",
"snapshot": false,
"version": "8.9.0"
},
"event": {
"agent_id_status": "verified",
"dataset": "netskope.events",
"ingested": "2023-07-27T15:55:55Z"
},
"event.id": "613ee55ec9d868fc47654a73",
"input": {
"type": "tcp"
},
"log": {
"source": {
"address": "172.18.0.4:53214"
}
},
"netskope": {
"events": {
"alarm": {
"description": "Events from device not received in the last 24 hours",
"name": "No_events_from_device"
},
"device": {
"name": "device-1"
},
"event_type": "infrastructure",
"metric_value": 43831789,
"serial": "FFFFFFFFFFFFFFFF",
"severity": {
"level": "high"
},
"supporting_data": "abc"
}
},
"tags": [
"forwarded",
"netskope-events"
]
}
Changelog
Version | Details |
---|---|
1.15.0 | Enhancement View pull request Improve 'event.original' check to avoid errors if set. |
1.14.0 | Enhancement View pull request ECS version updated to 8.10.0. |
1.13.0 | Enhancement View pull request The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. |
1.12.0 | Enhancement View pull request Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
1.11.0 | Enhancement View pull request Update package to ECS 8.9.0. |
1.10.0 | Enhancement View pull request Update package-spec to 2.9.0. |
1.9.1 | Bug fix View pull request Remove netskope.events.region and netskope.events.region.id fields. |
1.9.0 | Enhancement View pull request Ensure event.kind is correctly set for pipeline errors. |
1.8.0 | Enhancement View pull request Update package to ECS 8.8.0. |
1.7.0 | Enhancement View pull request Update package to ECS 8.7.0. |
1.6.1 | Enhancement View pull request Added categories and/or subcategories. |
1.6.0 | Enhancement View pull request Update package to ECS 8.6.0. |
1.5.0 | Enhancement View pull request Add an on_failure processor to the date processor, add an on_failure processor to the convert processor, remove unnecessary white spaces, remove visualizations and convert double quotes to single quotes. |
1.4.1 | Bug fix View pull request Remove duplicate fields. |
1.4.0 | Enhancement View pull request Update package to ECS 8.5.0. |
1.3.1 | Enhancement View pull request Use ECS geo.location definition. |
1.3.0 | Enhancement View pull request Update package to ECS 8.4.0 |
1.2.0 | Enhancement View pull request Added support to handle null values in ip fields. Enhancement View pull request Added support of retaining unparseable URLs in *.url.original. |
1.1.0 | Enhancement View pull request Update package to ECS 8.3.0. |
1.0.1 | Enhancement View pull request Added linnk to vendor documentation |
1.0.0 | Enhancement View pull request Make GA |
0.1.3 | Enhancement View pull request removed Italic text in hyperlinks in readme |
0.1.2 | Bug fix View pull request Fix boolean conversion logic to accept "true", "false", "yes", and "no" as strings. Correct the type of is_alert and is_web_universal_connector to boolean. |
0.1.1 | Enhancement View pull request Add documentation for multi-fields |
0.1.0 | Enhancement View pull request Initial draft of the package |