Netskope Logs connector reference

Important

This feature is in Beta. Workspace admins can control access to this feature from the Previews page. See Manage Azure Databricks previews.

This page has reference information for the managed Netskope Logs connector, including supported source tables and destination table schemas.

Connector options

This connector has no connector-specific pipeline options.

Supported source tables

The Netskope Logs connector supports the following source tables, all under the default source schema. Every table supports incremental ingestion. The connector uses the time field as the cursor field for incremental ingestion.

| Source table | Primary key | Description | Sync mode | Cursor field |
| --- | --- | --- | --- | --- |
| audit | lw_id | Administrator audit log events for your Netskope tenant, such as configuration changes and report activity. | Incremental | time |
| application | lw_id | Application events for user activity on cloud apps and websites, such as uploads, downloads, and logins. | Incremental | time |
| incident | lw_id | Incident events for data and file activity that triggers a Netskope incident. | Incremental | time |
| infrastructure | lw_id | Infrastructure events for the health and status of your Netskope deployment. | Incremental | time |
| network | lw_id | Network events for traffic that Netskope processes, such as Cloud Firewall connections. | Incremental | time |
| page | lw_id | Page events for website and web application visits. | Incremental | time |
| alert_compromisedcredential | lw_id | Compromised credential alerts for user credentials found in known data breaches. | Incremental | time |
| alert_content | lw_id | Content alerts raised when activity matches a content policy. | Incremental | time |
| alert_ctep | lw_id | Cloud Threat Exploit Prevention (CTEP) and intrusion prevention alerts for network threats. | Incremental | time |
| alert_device | lw_id | Device alerts for managed device events. | Incremental | time |
| alert_dlp | lw_id | Data loss prevention (DLP) alerts raised when activity matches a DLP policy. | Incremental | time |
| alert_malsite | lw_id | Malicious website alerts for visits to known malicious websites. | Incremental | time |
| alert_malware | lw_id | Malware alerts for detected malware. | Incremental | time |
| alert_policy | lw_id | Policy alerts raised when activity matches a real-time protection policy. | Incremental | time |
| alert_quarantine | lw_id | Quarantine alerts for files that Netskope moves to quarantine. | Incremental | time |
| alert_remediation | lw_id | Remediation alerts for remediation actions. | Incremental | time |
| alert_securityassessment | lw_id | Security assessment alerts for cloud security posture findings. | Incremental | time |
| alert_uba | lw_id | User and entity behavior analytics (UEBA) alerts for anomalous user activity. | Incremental | time |
| alert_watchlist | lw_id | Watchlist alerts for activity that matches a configured watchlist. | Incremental | time |

The connector applies liquid clustering to all destination tables on the time column for efficient time-range queries. Every destination table also carries Netskope's original epoch value in the bigint timestamp field; filter on the time column (the cursor and clustering key) rather than on timestamp so that time-range queries benefit from the clustering.
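The following query is an added example, not part of the Databricks or Netskope documentation, showing a detection-style correlation over two of the destination tables above with the time-range predicate written against the clustered time column. It assumes the pipeline writes its tables to a Unity Catalog schema named main.netskope and that Netskope records a successful application login with the activity value 'Login Successful'; both are assumptions to verify against your own tenant and pipeline settings.

```sql
-- Added example (not from the Databricks or Netskope docs).
-- Goal: users with a compromised-credential alert who then logged in to a
-- cloud app within 24 hours of the alert, using only columns that the
-- connector's destination schemas define.
--
-- Assumptions (hypothetical, adjust to your environment):
--   * destination tables live in main.netskope
--   * a successful login appears in application.activity as 'Login Successful'
--
-- Both CTEs filter on `time` (timestamp), the cursor and liquid-clustering
-- column, rather than on the bigint `timestamp` epoch field, so the range
-- predicate can prune files.
WITH compromised AS (
  SELECT `user`,
         app,
         alert_name,
         severity,
         `time` AS alert_time
  FROM   main.netskope.alert_compromisedcredential
  WHERE  `time` >= current_timestamp() - INTERVAL 7 DAYS
),
logins AS (
  SELECT `user`,
         app,
         srcip,
         userip,
         access_method,
         device,
         `time` AS login_time
  FROM   main.netskope.application
  WHERE  `time` >= current_timestamp() - INTERVAL 7 DAYS
    AND  activity = 'Login Successful'   -- assumed Netskope activity name
)
SELECT c.`user`,
       c.app          AS breached_app,
       c.alert_name,
       c.severity,
       c.alert_time,
       l.app          AS login_app,
       l.login_time,
       l.srcip,
       l.userip,
       l.access_method,
       l.device
FROM   compromised c
JOIN   logins l
  ON   l.`user` = c.`user`
 AND   l.login_time BETWEEN c.alert_time
                        AND c.alert_time + INTERVAL 24 HOURS
ORDER  BY c.alert_time DESC, l.login_time;
```

Keep the lower bound on `time` in every CTE rather than only in the join: the join condition alone does not let Delta skip files in the application table, which is by far the larger of the two. The same pattern (range on `time`, join on `user` or `app`) applies to alert_dlp, alert_malware, and alert_uba against the application and page tables.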

Destination table schemas

audit

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
audit_log_event string
changed_ds string
count bigint
details string
is_netskope_personnel boolean
organization_unit string
report_id string
severity_level bigint
supporting_data string
timestamp bigint
type string
ur_normalized string
user string

application

Field Data type
lw_id string
time timestamp
_id string
access_method string
action string
activity string
app string
appcategory string
browser string
category string
cci bigint
ccl string
device string
domain string
dstip string
dstport bigint
event_type string
object string
object_type string
organization_unit string
os string
page string
policy string
protocol string
severity string
site string
srcip string
timestamp bigint
traffic_type string
type string
url string
user string
useragent string
userip string
userkey string

incident

Field Data type
lw_id string
time timestamp
_id string
access_method string
action string
activity string
app string
appcategory string
browser string
category string
cci bigint
ccl string
device string
domain string
dstip string
dstport bigint
event_type string
object string
object_type string
organization_unit string
os string
page string
policy string
protocol string
severity string
site string
srcip string
timestamp bigint
traffic_type string
type string
url string
user string
useragent string
userip string
userkey string

infrastructure

Field Data type
lw_id string
time timestamp
_id string
access_method string
action string
activity string
app string
appcategory string
browser string
category string
cci bigint
ccl string
device string
domain string
dstip string
dstport bigint
event_type string
object string
object_type string
organization_unit string
os string
page string
policy string
protocol string
severity string
site string
srcip string
timestamp bigint
traffic_type string
type string
url string
user string
useragent string
userip string
userkey string

network

Field Data type
lw_id string
time timestamp
_id string
access_method string
action string
activity string
app string
appcategory string
browser string
category string
cci bigint
ccl string
device string
domain string
dstip string
dstport bigint
event_type string
object string
object_type string
organization_unit string
os string
page string
policy string
protocol string
severity string
site string
srcip string
timestamp bigint
traffic_type string
type string
url string
user string
useragent string
userip string
userkey string

page

Field Data type
lw_id string
time timestamp
_id string
access_method string
action string
activity string
app string
appcategory string
browser string
category string
cci bigint
ccl string
device string
domain string
dstip string
dstport bigint
event_type string
object string
object_type string
organization_unit string
os string
page string
policy string
protocol string
severity string
site string
srcip string
timestamp bigint
traffic_type string
type string
url string
user string
useragent string
userip string
userkey string

alert_compromisedcredential

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
alert_type string
alert_name string
app string
severity string
timestamp bigint
type string
user string

alert_content

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
alert_type string
alert_name string
app string
severity string
timestamp bigint
type string
user string

alert_ctep

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
alert_type string
alert_name string
app string
severity string
timestamp bigint
type string
user string

alert_device

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
alert_type string
alert_name string
app string
severity string
timestamp bigint
type string
user string

alert_dlp

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
alert_type string
alert_name string
app string
severity string
timestamp bigint
type string
user string

alert_malsite

Field Data type
lw_id string
time timestamp
_appsession_start string
_category_id string
_category_name string
_category_tags array<bigint>
_correlation_id string
_creation_timestamp bigint
_ef_received_at bigint
_enriched_all boolean
_event_id string
_forwarded_by string
_gef_src_dp string
_id string
_insertion_epoch_timestamp bigint
_nshostname string
_original_destip string
_original_destport bigint
_policy_category_id array<bigint>
_policy_matched_categories_id array<string>
_raw_event_inserted_at bigint
_service_identifier string
_skip_geoip_lookup string
_src_epoch_now bigint
_src_gmt_offset bigint
access_method string
acked string
action string
alert string
alert_name string
alert_type string
app string
app_session_id bigint
app_tags array<string>
appcategory string
appsuite string
browser string
browser_session_id bigint
browser_version string
category string
cci bigint
ccl string
connection_id bigint
count bigint
destination_profiles array<string>
device string
domain string
dst_country string
dst_latitude double
dst_location string
dst_longitude double
dst_region string
dst_timezone string
dst_zipcode string
dstip string
dstport bigint
incident_id bigint
ja3 string
ja3s string
malicious string
malsite_category array<string>
malsite_country string
malsite_id string
malsite_ip_host string
malsite_latitude double
malsite_longitude double
malsite_region string
managed_app string
netskope_pop string
notify_template string
object string
object_type string
organization_unit string
os string
os_family string
os_version string
other_categories array<string>
page string
page_site string
policy string
policy_id string
port string
protocol string
referer string
request_id bigint
severity string
severity_level string
severity_level_id bigint
site string
src_country string
src_latitude double
src_location string
src_longitude double
src_region string
src_time string
src_timezone string
src_zipcode string
srcip string
tags array<string>
telemetry_app string
threat_match_field string
threat_match_value string
threat_source_id bigint
timestamp bigint
title string
traffic_type string
transaction_id bigint
type string
ur_normalized string
url string
user string
useragent string
userip string
userkey string
web_universal_connector string

alert_malware

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
alert_type string
alert_name string
app string
severity string
timestamp bigint
type string
user string

alert_policy

Field Data type
lw_id string
time timestamp
TSS-scan string
_appsession_start string
_category_id string
_category_name string
_category_tags array<bigint>
_client_timeout bigint
_content_version bigint
_correlation_id string
_creation_timestamp bigint
_ef_received_at bigint
_enriched_all boolean
_event_id string
_forwarded_by string
_gef_src_dp string
_id string
_insertion_epoch_timestamp bigint
_ns_protection_type string
_nshostname string
_nsp_dur_back bigint
_nsp_dur_front bigint
_nsp_retrans_back bigint
_nsp_retrans_front bigint
_nsp_rtt_back bigint
_nsp_rtt_front bigint
_original_destip string
_original_destport bigint
_partial_file boolean
_policy_index bigint
_policy_matched_categories_id array<string>
_raw_event_inserted_at bigint
_resource_name string
_scan_source string
_service_identifier string
_session_begin string
_skip_geoip_lookup string
_src_epoch_now bigint
_src_gmt_offset bigint
_tenant_max_file_size bigint
access_method string
acked string
action string
activity string
alert string
alert_name string
alert_type string
all_policy_matches array<string>
app string
app_session_id bigint
app_tags array<string>
appcategory string
appsuite string
browser string
browser_session_id bigint
browser_version string
category string
cci bigint
ccl string
connection_id bigint
count bigint
destination_profiles array<string>
device string
domain string
dst_country string
dst_latitude double
dst_location string
dst_longitude double
dst_region string
dst_timezone string
dst_zipcode string
dstip string
dstport bigint
file_category string
file_size bigint
file_type string
from_user string
incident_id bigint
instance_id string
instance_tags array<string>
ja3 string
ja3s string
justification_reason string
justification_type string
local_sha256 string
malicious string
malsite_category array<string>
malware_id string
malware_name string
malware_severity string
malware_type string
managed_app string
md5 string
netskope_pop string
notify_template string
object string
object_type string
organization_unit string
os string
os_family string
os_version string
other_categories array<string>
page string
page_site string
parent_id string
policy string
policy_id string
port string
protection_string string
protocol string
referer string
request_id bigint
sanctioned_instance string
severity string
sha256 string
site string
src_country string
src_latitude double
src_location string
src_longitude double
src_region string
src_time string
src_timezone string
src_zipcode string
srcip string
suppression_end_time bigint
suppression_start_time bigint
tags array<string>
telemetry_app string
threat_match_field string
threat_match_value string
threat_source_id bigint
timestamp bigint
title string
traffic_type string
transaction_id bigint
tss_mode string
type string
ur_normalized string
url string
user string
useragent string
userip string
userkey string
web_universal_connector string

alert_quarantine

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
alert_type string
alert_name string
app string
severity string
timestamp bigint
type string
user string

alert_remediation

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
alert_type string
alert_name string
app string
severity string
timestamp bigint
type string
user string

alert_securityassessment

Field Data type
lw_id string
time timestamp
_id string
_insertion_epoch_timestamp bigint
alert_type string
alert_name string
app string
severity string
timestamp bigint
type string
user string

alert_uba

Field Data type
lw_id string
time timestamp
__skip_cache string
_activity string
_api_conn string
_category_id string
_correlation_id string
_creation_timestamp bigint
_ef_received_at bigint
_enriched boolean
_event_id string
_forwarded_by string
_gef_meta string
_gef_src_dp string
_id string
_insertion_epoch_timestamp bigint
_raw_event_inserted_at bigint
_service_identifier string
_session_begin bigint
_skip_geoip_lookup string
_skip_ueba boolean
access_method string
acked string
act_user string
action string
activity string
activity_status string
alert string
alert_id string
alert_name string
alert_type string
app string
app_activity string
app_session_id bigint
app_tags array<string>
appcategory string
browser string
category string
cci bigint
ccl string
connection_id bigint
count bigint
device string
event_detail string
event_type string
evt_src_chnl string
file_id string
file_path string
file_type string
instance string
instance_id string
logon_error string
mime_type string
object string
object_id string
object_type string
organization_unit string
orig_ty string
os string
other_categories array<string>
parent_id string
policy string
policy_actions array<string>
profile_id string
raw_event string
request_id bigint
request_type string
sanctioned_instance string
scenario string
severity string
site string
srcip string
sub_scenario string
tags array<string>
threshold bigint
threshold_time bigint
timestamp bigint
title string
traffic_type string
transaction_id bigint
type string
ur_normalized string
user string
user_id string
userip string
userkey string

alert_watchlist

Field Data type
lw_id string
time timestamp
_category_id string
_category_name string
_category_tags array<bigint>
_correlation_id string
_creation_timestamp bigint
_ef_received_at bigint
_enriched boolean
_enriched_all boolean
_event_id string
_forwarded_by string
_gef_src_dp string
_id string
_ingress_client_bytes bigint
_ingress_server_bytes bigint
_insertion_epoch_timestamp bigint
_nshostname string
_raw_event_inserted_at bigint
_service_identifier string
_skip_geoip_lookup string
_src_epoch_now bigint
_src_gmt_offset bigint
access_method string
acked string
alert_name string
alert_type string
app string
app_session_id bigint
app_tags array<string>
appcategory string
browser string
browser_session_id bigint
browser_version string
bypass_reason string
bypass_traffic string
category string
cci bigint
ccl string
client_bytes bigint
conn_duration bigint
conn_endtime bigint
conn_starttime bigint
connection_id bigint
count bigint
device string
domain string
dst_country string
dst_latitude double
dst_location string
dst_longitude double
dst_region string
dst_timezone string
dst_zipcode string
dstip string
dstport bigint
http_transaction_count bigint
netskope_pop string
numbytes bigint
organization_unit string
os string
os_family string
os_version string
other_categories array<string>
page string
policy string
protocol string
req_cnt bigint
resp_cnt bigint
resp_content_len bigint
resp_content_type string
server_bytes bigint
severity string
site string
src_country string
src_geoip_src bigint
src_latitude double
src_location string
src_longitude double
src_region string
src_time string
src_timezone string
src_zipcode string
srcip string
ssl_decrypt_policy string
tags array<string>
timestamp bigint
traffic_type string
type string
ur_normalized string
url string
user string
user_generated string
useragent string
userip string
userkey string

Required Netskope API token permissions

The Netskope REST API v2 token's role must have View access to the events and alerts endpoints you want to ingest. Grant only that read-level access, and only for the source tables you enable, rather than a broader administrative role; the connector does not need write access to the Netskope tenant. For details, see Configure authentication to Netskope.