---
id: netskope
title: Netskope
sidebar_label: Netskope
description: The Sumo Logic app for Netskope provides visibility into security posture for your applications, allowing you to determine the overall usage of software and SaaS applications in your environment.
slug: /help/docs/integrations/security-threat-detection/netskope/
canonical: https://www.sumologic.com/help/docs/integrations/security-threat-detection/netskope/
---
import useBaseUrl from '@docusaurus/useBaseUrl';
})
The Sumo Logic app for Netskope provides visibility into the security posture of your applications and helps you determine the overall usage of software and SaaS applications.
Netskope is a Cloud Access Security Broker (CASB) hosted in the cloud. The Netskope product is primarily used for enforcing security policies for cloud-based resources, such as Box and Microsoft Office 365. Customers purchase a CASB to address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control.
:::info
This app includes [built-in monitors](#netskope-alerts). For details on creating custom monitors, refer to [Create monitors for the Netskope app](#create-monitors-for-the-netskope-app).
:::
## Log types
The Netskope app provides a collector source for pulling all the events and alerts from Netskope in real-time via API calls and ingests them into the Sumo Logic platform through our Hosted collector.
For more information on Netskope, refer to the Netskope [documentation](https://www.netskope.com/platform/how-it-works).
### Sample log message
Click to expand
```json
{
"dstip": "74.125.239.150",
"dst_location": "Mountain View",
"app": "Google Gmail",
"_insertion_epoch_timestamp": 1547391690,
"site": "Google Gmail",
"src_location": "Pomerol",
"organization_unit": "",
"object_type": "Mail",
"id": 3764,
"app_session_id": 4252577042,
"category": "Webmail",
"dst_region": "California",
"userkey": "Tanja.Barton@kkrlogistics.com",
"dst_country": "US",
"src_zipcode": "33500",
"ur_normalized": "tanja.barton@kkrlogistics.com",
"type": "nspolicy",
"object": "Welcome Novak Dimitrov",
"srcip": "77.194.46.1",
"dst_latitude": 37.405991,
"timestamp": 1547400222,
"src_region": "Gironde",
"dst_longitude": -122.078514,
"alert": "no",
"to_user": "ns-india@microsoft.com, hrglobal@microsoft.com",
"user": "Tanja.Barton@kkrlogistics.com",
"from_user": "bloomberg@bloomberg.com",
"device": "Windows PC",
"org": "kkrlogistics.com",
"src_country": "FR",
"traffic_type": "CloudApp",
"dst_zipcode": "N/A",
"count": 2,
"src_latitude": 44.9333,
"url": "https://mail.google.com/",
"page_id": 2641483218,
"sv": "unknown",
"ccl": "excellent",
"cci": 92,
"activity": "Send",
"userip": "127.0.0.1",
"src_longitude": -0.2,
"_id": "5df996d5b66a9ea963e812ce",
"os": "Windows 8",
"browser": "Internet Explorer",
"appcategory": "Webmail"
}
```
### Sample queries
The following query sample is from the Total Sessions panel of the Application Overview Dashboard.
```sumo
_sourceCategory="netskope_events" "no" "nspolicy"
| json "_id", "alert", "type", "srcip", "dstip", "appcategory", "app", "os", "user", "device",
"acked", "site", "timestamp", "ccl", "activity", "browser", "object", "object_type", "from_user",
"to_user", "app_session_id" as alert_id, is_alert, type, src_ip, dest_ip, appcategory, app, os,
user, device, acked, site, timestamp, ccl, activity, browser, object, object_type, from_user,
to_user, app_session_id nodrop
| where is_alert="no" and type="nspolicy"
| count by app_session_id
| count
```
## Collection configuration and app installation
import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
:::important
Use the [Cloud-to-Cloud Integration for Netskope](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/netskope-source) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Netskope app is properly integrated and configured to collect and analyze your Netskope data.
:::
### Create a new collector and install the app
import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
### Use an existing collector and install the app
import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
### Use an existing source and install the app
import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
## Viewing the Netskope dashboards
The Netskope dashboards are grouped by their component in the following two category folders:
* Application Usage
* Security Alerts
import ViewDashboards from '../../reuse/apps/view-dashboards.md';
### Application Overview
The **Netskope - Application Overview** dashboard provides a high-level view of user activity, user geographic location by source IP, total sessions, applications used, distribution and activity of applications, and application trends over time.
Use this dashboard to:
* Monitor the number of users, sessions, and sites using the applications, and find out the popular apps by user and app category.
* Track spikes in application usage over time.
})
### Application Users
The **Netskope - Application Users** dashboard provides a high-level view of application events, total sessions, user activity, and geographic location by source IP and destination IP. This dashboard also shows visual breakdowns of distributions by operating system, browser, device, and user activity.
Use this dashboard to:
* Monitor recent user activities, track user locations, and find out the top users affected by alerts.
* Determine user classifications by browsers, devices, and operating systems (OS).
})
### Application Details
The **Netskope - Application Details** dashboard provides a high-level view of data for unique applications used, as well as top applications by alerts, bytes, and average page duration. This dashboard also provides a visual breakdown of applications by category, devices by user access, and network usage over time.
Use this dashboard to:
* Monitor the top applications generating alerts.
* Find out detailed information about application usage in terms of page duration, user counts, upload and download bytes.
})
### Alert Overview
The **Netskope - Alert Overview** dashboard provides a high-level view of your alert data by type, geographic location of source IPs, total and top alerts, alerts by user, recent alerts, and alert trends over time.
Use this dashboard to:
* Track users affected by alerts.
* Monitor abnormal spikes, alert locations, and recent alerts.
})
### Alert Details
The **Netskope - Alert Details** dashboard provides a visual presentation of alert analytics, including the geographic locations of suspicious source and destination IPs, a time comparison of alerts, alert outlier trends over time, alerts by application, and recent alerts with a poor cloud confidence level.
Use this dashboard to:
* Compare alerts over time and anomalies in alert rates.
* Track which applications are producing the most alerts over time.
})
### Data Loss Prevention
The **Netskope - Data Loss Prevention** dashboard provides a high-level view of data loss prevention (DLP) analytics, including incidents by policy over time, incidents by severity and application, incidents by operating system (OS), and browser. This dashboard also shows data on DLP rules, top profiles, incident count, and users affected.
Use this dashboard to:
* Track users and applications affected by DLP incidents.
* Monitor High Severity DLP incidents.
* Determine objects with critical severity.
})
### Compromised Credentials
The **Netskope - Compromised Credentials** dashboard provides easily accessible analytics on compromised credentials, including the number of users with compromised credentials, a breach count, and top breaches, and source info. This dashboard also provides data on recent compromised credentials, apps used by users after a credentials breach, and user activities after a credentials breach.
Use this dashboard to:
* Track credential breaches along with their source.
* Monitor user activities.
* Monitor application usage after credentials have been breached.
})
### Malware
The **Netskope - Malware** dashboard provides a high-level view of total malware detected, total apps and users affected, total files infected, top source IPs and malware types, and the top users affected. This dashboard also provides data on malware incidents by app and severity, affected file types, apps used on infected machines, and the user activity on infected machines.
Use this dashboard to:
* Determine applications and users affected by malware.
* Monitor user activity on affected machines.
})
### Anomalies
The **Netskope - Anomalies** dashboard provides an at-a-glance view of anomalies in your environment, including the number of anomalies, users affected, anomalies over time, anomalies by app, alert name, and risk level. It also includes data on top users by anomaly risk level and recent anomalies by high risk level.
Use this dashboard to:
* Monitor anomalies in user activities.
* Track anomalies with high risk levels.
})
### Admin Audit & Compliance
The **Netskope - Admin Audit & Compliance** dashboard provides visibility into administrative operations within Netskope, including audit log events, admin user activity, severity levels, configuration changes, and compliance-relevant operations with week-over-week trending.
})
### Watchlist & Insider Threat
The **Netskope - Watchlist & Insider Threat** dashboard provides visibility into watchlist-triggered events, insider threat indicators, risky user behaviors, including file sharing, uploads, and data exfiltration patterns. Monitors watched users, applications, activities, object types, and geographic locations.
})
## Create monitors for the Netskope app
import CreateMonitors from '../../reuse/apps/create-monitors.md';
### Netskope alerts
| Name | Description | Alert Condition | Recover Condition |
|:--|:--|:--|:--|
| `Netskope - Compromised Credentials Detected` | This alert is triggered when Netskope identifies user credentials that appear in known data breaches, requiring an immediate password reset and account investigation. | Count > 0 | Count < = 0 |
| `Netskope - File Quarantine Action Triggered` | This alert is triggered when Netskope quarantines a file due to a policy violation, indicating that DLP or security controls have intercepted potentially sensitive or non-compliant content requiring administrative review. | Count > 0 | Count < = 0 |
| `Netskope - High Risk Anomaly Detected` | This alert is triggered when Netskope detects high-risk behavioral anomalies, such as shared credentials, bulk data exfiltration, or unusual access patterns, which may indicate account compromise or insider threat activity. | Count > 0 | Count < = 0 |
| `Netskope - High Severity DLP Policy Violation` | This alert is triggered when a high-severity DLP rule violation is detected, indicating potential exposure of sensitive data through cloud applications and requiring immediate investigation. | Count > 0 | Count < = 0 |
| `Netskope - Malware Detected` | This alert is triggered when Netskope detects malware activity, capturing details such as malware name, type, severity, affected user, file, and source IP to support rapid incident response. | Count > 0 | Count < = 0 |
## Upgrade/Downgrade the Netskope app (Optional)
import AppUpdate from '../../reuse/apps/app-update.md';
## Uninstalling the Netskope app (Optional)
import AppUninstall from '../../reuse/apps/app-uninstall.md';