Introduction
The tags beginning with cloud.netskope identify events generated by Netskope.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as cloud.netskope. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Netskope | | |
For more information, read About Devo tags.
Table structure
These are the fields displayed in this table:
cloud.netskope.events
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
timestamp | | timestamp(timestamp__tmp * 1000) | timestamp__tmp | |
insertion_epoch_timestamp | | timestamp(_insertion_epoch_timestamp__tmp * 1000) | _insertion_epoch_timestamp__tmp | |
type | | | | |
traffic_type | | | | |
category | | | | |
appcategory | | | | |
url | | | | |
user | | | | |
app_session_id | | | | |
acked | | | | |
alert_name | | | | |
srcip | | | | |
dstip | | | | |
dstport | | | | |
dsthost | | | | |
client_bytes | | | | |
server_bytes | | | | |
user_id | | | | |
act_user | | | | |
owner | | | | |
activity | | | | |
shared_with | | | | |
app | | | | |
policy | | | | |
shared_domains | | | | |
action | | | | |
file_path | | | | |
browser | | | | |
site | | | | |
object | | | | |
file_size | | | | |
device | | | | |
mime_type | | | | |
alert | | | | |
instance_id | | | | |
app_activity | | | | |
md5 | | | | |
session_begin | | | | |
scan_type | | | | |
os | | | | |
exposure | | | | |
organization_unit | | (organization_unit__tmp = "") ? null('') : organization_unit__tmp | organization_unit__tmp | |
file_type | | | | |
userkey | | | | |
ns_activity | | | | |
access_method | | | | |
status | | | | |
msg | | (msg__tmp = "") ? null('') : msg__tmp | msg__tmp | |
object_id | | | | |
id | | | | |
modified | | | | |
object_type | | | | |
cci | | | | |
suppression_key | | | | |
ccl | | | | |
alert_type | | | | |
file_lang | | | | |
instance | | | | |
dlp_incident_id | | | | |
dlp_rule_severity | | | | |
dlp_rule_count | | | | |
dlp_parent_id | | | | |
dlp_profile | | | | |
dlp_rule | | | | |
dlp_file | | | | |
count | | | | |
from_user | | | | |
aggregated_user | | | | |
req_cnt | | | | |
serial | | | | |
fromlogs | | | | |
numbytes | | | | |
resp_cnt | | | | |
log_file_name | | | | |
useragent | | | | |
page_duration | | | | |
netskope_activity | | | | |
other_categories | | | | |
src_geoip_src | | | | |
ur_normalized | | | | |
user_category | | | | |
user_name | | | | |
user_role | | | | |
userip | | | | |
collaborated | | | | |
internal_collaborator_count | | | | |
request_id | | | | |
sha256 | | | | |
title | | | | |
total_collaborator_count | | | | |
true_obj_category | | | | |
true_obj_type | | | | |
suppression_start_time | | timestamp(suppression_start_time__tmp * 1000) | suppression_start_time__tmp | |
suppression_end_time | | timestamp(suppression_end_time__tmp * 1000) | suppression_end_time__tmp | |
src_latitude | | (src_latitude_tmp = '"N/A"') ? null : float8(src_latitude_tmp) | src_latitude_tmp | |
src_longitude | | (src_longitude_tmp = '"N/A"') ? null : float8(src_longitude_tmp) | src_longitude_tmp | |
dst_latitude | | (dst_latitude_tmp = '"N/A"') ? null : float8(dst_latitude_tmp) | dst_latitude_tmp | |
dst_longitude | | (dst_longitude_tmp = '"N/A"') ? null : float8(dst_longitude_tmp) | dst_longitude_tmp | |
src_location | | | | |
src_country | | | | |
src_zipcode | | | | |
src_region | | | | |
dst_location | | | | |
dst_country | | | | |
dst_zipcode | | | | |
dst_region | | | | |
web_url | | | | |
org | | | | |
message | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |