Rules (XIF)
[MODEL: dataset=netskope_netskope_raw, model=Network]
alter XDM.Network.original_event_type=action,
XDM.Network.Destination.host.os_family=device,
XDM.Network.Destination.host.hostname=coalesce(dsthost, hostname),
XDM.Network.Destination.ipv4=dstip,
XDM.Network.Destination.port=dstport,
XDM.Network.ip_protocol=ip_protocol,
XDM.Network.Source.host.os=os,
XDM.Network.protocol_layers=arraycreate(protocol),
XDM.Network.duration=session_duration,
XDM.Network.Source.ipv4=srcip,
XDM.Network.Source.port=srcport,
XDM.Network.event_timestamp=to_timestamp(to_integer(timestamp), "SECONDS"),
XDM.Network.Source.packets=total_packets,
XDM.Network.Destination.user.username=user,
XDM.Network.Destination.user.identifier=userkey,
XDM.Network.http.user_agent = useragent;
[MODEL: dataset=netskope_netskope_raw, model=Audit]
alter XDM.Audit.threat.severity=severity_level,
XDM.Audit.event_timestamp=to_timestamp(to_integer(timestamp), "SECONDS"),
XDM.Audit.TriggeredBy.identity.name=user,
XDM.Audit.original_event_description=audit_log_event,
XDM.Audit.original_event_type=type
| filter activity not in ("SignInEvent","Logout","Login Attempt","Login Successful","Login Failed")
| alter XDM.Audit.original_event_type=activity,
XDM.Audit.reason=alert,
XDM.Audit.threat.original_alert_id=to_string(incident_id),
XDM.Audit.TriggeredBy.location.country=src_country,
XDM.Audit.TriggeredBy.location.city=src_location,
XDM.Audit.TriggeredBy.location.region=src_region,
XDM.Audit.TriggeredBy.ipv4=coalesce(srcip, userip),
XDM.Audit.event_timestamp=to_timestamp(to_integer(timestamp), "SECONDS"),
XDM.Audit.TriggeredBy.identity.name=user,
XDM.Audit.threat.severity=severity,
XDM.Audit.original_event_description=if(json_extract_scalar(supporting_data, "$.data_type") = "reason", json_extract_scalar(supporting_data, "$.data_values[0]"), ""),
//XDM.Audit.TriggeredBy.identity.name=if(json_extract_scalar(supporting_data, "$.data_type") = "user", if(array_length(json_extract_array(supporting_data, "$.data_values"))=1, json_extract_scalar(supporting_data, "$.data_values[0]"), json_extract_scalar(supporting_data, "$.data_values[1]"))),
XDM.Audit.TriggeredBy.location.geo=concat("lat: ", to_string(src_latitude), " lon: ", to_string(dst_longitude)),
XDM.Audit.TriggeredBy.user_agent = useragent;
[MODEL: dataset=netskope_netskope_raw, model=Auth]
filter activity in ("SignInEvent","Logout","Login Attempt","Login Successful","Login Failed")
| alter XDM.Auth.auth_method=access_method,
XDM.Auth.original_event_type=activity,
XDM.Auth.Target.application.name=coalesce(app, managed_app),
XDM.Auth.Client.host.hostname=device,
XDM.Auth.Client.location.country=dst_country,
XDM.Auth.Client.location.region=dst_region,
XDM.Auth.Client.location.geo=concat("lat: ", to_string(src_latitude), " lon: ", to_string(dst_longitude)),
XDM.Auth.Client.process.executable.file_type=file_type,
XDM.Auth.Server.host.hostname=hostname,
XDM.Auth.Client.process.executable.md5=md5,
XDM.Auth.Client.host.os=os,
XDM.Auth.event_timestamp=to_timestamp(to_integer(timestamp), "SECONDS"),
XDM.Auth.Target.url=url,
XDM.Auth.Target.user.username=user,
XDM.Auth.Client.host.ipv4_addresses=arraycreate(userip),
XDM.Auth.reason=action,
XDM.Auth.threat.severity=severity,
XDM.Auth.Client.process.executable.sha256=coalesce(_sha256, sha256),
XDM.Auth.kerberos.padata_type=data_type,
XDM.Auth.Client.user_agent = useragent;
Schema
netskope_netskope_raw
| Field |
Type |
Array? |
access_method |
string |
— |
action |
string |
— |
activity |
string |
— |
alert |
string |
— |
app |
string |
— |
audit_log_event |
string |
— |
device |
string |
— |
dsthost |
string |
— |
dstip |
string |
— |
dstport |
string |
— |
file_type |
string |
— |
hostname |
string |
— |
incident_id |
string |
— |
ip_protocol |
string |
— |
managed_app |
string |
— |
md5 |
string |
— |
os |
string |
— |
protocol |
string |
— |
session_duration |
int |
— |
severity_level |
int |
— |
sha256 |
string |
— |
src_country |
string |
— |
src_location |
string |
— |
src_region |
string |
— |
srcip |
string |
— |
srcport |
string |
— |
timestamp |
int |
— |
total_packets |
int |
— |
type |
string |
— |
url |
string |
— |
user |
string |
— |
useragent |
string |
— |
userkey |
string |
— |
Raw JSON
{
"netskope_netskope_raw": {
"action": {
"type": "string",
"is_array": false
},
"device": {
"type": "string",
"is_array": false
},
"dsthost": {
"type": "string",
"is_array": false
},
"dstip": {
"type": "string",
"is_array": false
},
"dstport": {
"type": "string",
"is_array": false
},
"hostname": {
"type": "string",
"is_array": false
},
"ip_protocol": {
"type": "string",
"is_array": false
},
"os": {
"type": "string",
"is_array": false
},
"protocol": {
"type": "string",
"is_array": false
},
"session_duration": {
"type": "int",
"is_array": false
},
"srcip": {
"type": "string",
"is_array": false
},
"srcport": {
"type": "string",
"is_array": false
},
"timestamp": {
"type": "int",
"is_array": false
},
"total_packets": {
"type": "int",
"is_array": false
},
"user": {
"type": "string",
"is_array": false
},
"userkey": {
"type": "string",
"is_array": false
},
"severity_level": {
"type": "int",
"is_array": false
},
"audit_log_event": {
"type": "string",
"is_array": false
},
"activity": {
"type": "string",
"is_array": false
},
"type": {
"type": "string",
"is_array": false
},
"alert": {
"type": "string",
"is_array": false
},
"incident_id": {
"type": "string",
"is_array": false
},
"src_location": {
"type": "string",
"is_array": false
},
"src_country": {
"type": "string",
"is_array": false
},
"src_region": {
"type": "string",
"is_array": false
},
"access_method": {
"type": "string",
"is_array": false
},
"app": {
"type": "string",
"is_array": false
},
"file_type": {
"type": "string",
"is_array": false
},
"managed_app": {
"type": "string",
"is_array": false
},
"md5": {
"type": "string",
"is_array": false
},
"useragent": {
"type": "string",
"is_array": false
},
"url": {
"type": "string",
"is_array": false
},
"sha256": {
"type": "string",
"is_array": false
}
}
}