Netskope Logs connector reference

Beta

This feature is in Beta. Workspace admins can control access to this feature from the Previews page. See Manage Databricks previews.

This page has reference information for the managed Netskope Logs connector, including supported source tables and destination table schemas.

Connector options

This connector has no connector-specific pipeline options.

Supported source tables

The Netskope Logs connector supports the following source tables, all under the default source schema. Every table supports incremental ingestion. The connector uses the time field as the cursor field for incremental ingestion.

Source table	Primary key	Description	Sync mode	Cursor field
`audit`	`lw_id`	Administrator audit log events for your Netskope tenant, such as configuration changes and report activity.	Incremental	`time`
`application`	`lw_id`	Application events for user activity on cloud apps and websites, such as uploads, downloads, and logins.	Incremental	`time`
`incident`	`lw_id`	Incident events for data and file activity that triggers a Netskope incident.	Incremental	`time`
`infrastructure`	`lw_id`	Infrastructure events for the health and status of your Netskope deployment.	Incremental	`time`
`network`	`lw_id`	Network events for traffic that Netskope processes, such as Cloud Firewall connections.	Incremental	`time`
`page`	`lw_id`	Page events for website and web application visits.	Incremental	`time`
`alert_compromisedcredential`	`lw_id`	Compromised credential alerts for user credentials found in known data breaches.	Incremental	`time`
`alert_content`	`lw_id`	Content alerts raised when activity matches a content policy.	Incremental	`time`
`alert_ctep`	`lw_id`	Cloud Threat Exploit Prevention (CTEP) and intrusion prevention alerts for network threats.	Incremental	`time`
`alert_device`	`lw_id`	Device alerts for managed device events.	Incremental	`time`
`alert_dlp`	`lw_id`	Data loss prevention (DLP) alerts raised when activity matches a DLP policy.	Incremental	`time`
`alert_malsite`	`lw_id`	Malicious website alerts for visits to known malicious websites.	Incremental	`time`
`alert_malware`	`lw_id`	Malware alerts for detected malware.	Incremental	`time`
`alert_policy`	`lw_id`	Policy alerts raised when activity matches a real-time protection policy.	Incremental	`time`
`alert_quarantine`	`lw_id`	Quarantine alerts for files that Netskope moves to quarantine.	Incremental	`time`
`alert_remediation`	`lw_id`	Remediation alerts for remediation actions.	Incremental	`time`
`alert_securityassessment`	`lw_id`	Security assessment alerts for cloud security posture findings.	Incremental	`time`
`alert_uba`	`lw_id`	User and entity behavior analytics (UEBA) alerts for anomalous user activity.	Incremental	`time`
`alert_watchlist`	`lw_id`	Watchlist alerts for activity that matches a configured watchlist.	Incremental	`time`

The connector applies liquid clustering to all destination tables on the time column for efficient time-range queries.

Destination table schemas

`audit`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`audit_log_event`	`string`
`changed_ds`	`string`
`count`	`bigint`
`details`	`string`
`is_netskope_personnel`	`boolean`
`organization_unit`	`string`
`report_id`	`string`
`severity_level`	`bigint`
`supporting_data`	`string`
`timestamp`	`bigint`
`type`	`string`
`ur_normalized`	`string`
`user`	`string`

`application`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`access_method`	`string`
`action`	`string`
`activity`	`string`
`app`	`string`
`appcategory`	`string`
`browser`	`string`
`category`	`string`
`cci`	`bigint`
`ccl`	`string`
`device`	`string`
`domain`	`string`
`dstip`	`string`
`dstport`	`bigint`
`event_type`	`string`
`object`	`string`
`object_type`	`string`
`organization_unit`	`string`
`os`	`string`
`page`	`string`
`policy`	`string`
`protocol`	`string`
`severity`	`string`
`site`	`string`
`srcip`	`string`
`timestamp`	`bigint`
`traffic_type`	`string`
`type`	`string`
`url`	`string`
`user`	`string`
`useragent`	`string`
`userip`	`string`
`userkey`	`string`

`incident`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`access_method`	`string`
`action`	`string`
`activity`	`string`
`app`	`string`
`appcategory`	`string`
`browser`	`string`
`category`	`string`
`cci`	`bigint`
`ccl`	`string`
`device`	`string`
`domain`	`string`
`dstip`	`string`
`dstport`	`bigint`
`event_type`	`string`
`object`	`string`
`object_type`	`string`
`organization_unit`	`string`
`os`	`string`
`page`	`string`
`policy`	`string`
`protocol`	`string`
`severity`	`string`
`site`	`string`
`srcip`	`string`
`timestamp`	`bigint`
`traffic_type`	`string`
`type`	`string`
`url`	`string`
`user`	`string`
`useragent`	`string`
`userip`	`string`
`userkey`	`string`

`infrastructure`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`access_method`	`string`
`action`	`string`
`activity`	`string`
`app`	`string`
`appcategory`	`string`
`browser`	`string`
`category`	`string`
`cci`	`bigint`
`ccl`	`string`
`device`	`string`
`domain`	`string`
`dstip`	`string`
`dstport`	`bigint`
`event_type`	`string`
`object`	`string`
`object_type`	`string`
`organization_unit`	`string`
`os`	`string`
`page`	`string`
`policy`	`string`
`protocol`	`string`
`severity`	`string`
`site`	`string`
`srcip`	`string`
`timestamp`	`bigint`
`traffic_type`	`string`
`type`	`string`
`url`	`string`
`user`	`string`
`useragent`	`string`
`userip`	`string`
`userkey`	`string`

`network`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`access_method`	`string`
`action`	`string`
`activity`	`string`
`app`	`string`
`appcategory`	`string`
`browser`	`string`
`category`	`string`
`cci`	`bigint`
`ccl`	`string`
`device`	`string`
`domain`	`string`
`dstip`	`string`
`dstport`	`bigint`
`event_type`	`string`
`object`	`string`
`object_type`	`string`
`organization_unit`	`string`
`os`	`string`
`page`	`string`
`policy`	`string`
`protocol`	`string`
`severity`	`string`
`site`	`string`
`srcip`	`string`
`timestamp`	`bigint`
`traffic_type`	`string`
`type`	`string`
`url`	`string`
`user`	`string`
`useragent`	`string`
`userip`	`string`
`userkey`	`string`

`page`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`access_method`	`string`
`action`	`string`
`activity`	`string`
`app`	`string`
`appcategory`	`string`
`browser`	`string`
`category`	`string`
`cci`	`bigint`
`ccl`	`string`
`device`	`string`
`domain`	`string`
`dstip`	`string`
`dstport`	`bigint`
`event_type`	`string`
`object`	`string`
`object_type`	`string`
`organization_unit`	`string`
`os`	`string`
`page`	`string`
`policy`	`string`
`protocol`	`string`
`severity`	`string`
`site`	`string`
`srcip`	`string`
`timestamp`	`bigint`
`traffic_type`	`string`
`type`	`string`
`url`	`string`
`user`	`string`
`useragent`	`string`
`userip`	`string`
`userkey`	`string`

`alert_compromisedcredential`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`alert_type`	`string`
`alert_name`	`string`
`app`	`string`
`severity`	`string`
`timestamp`	`bigint`
`type`	`string`
`user`	`string`

`alert_content`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`alert_type`	`string`
`alert_name`	`string`
`app`	`string`
`severity`	`string`
`timestamp`	`bigint`
`type`	`string`
`user`	`string`

`alert_ctep`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`alert_type`	`string`
`alert_name`	`string`
`app`	`string`
`severity`	`string`
`timestamp`	`bigint`
`type`	`string`
`user`	`string`

`alert_device`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`alert_type`	`string`
`alert_name`	`string`
`app`	`string`
`severity`	`string`
`timestamp`	`bigint`
`type`	`string`
`user`	`string`

`alert_dlp`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`alert_type`	`string`
`alert_name`	`string`
`app`	`string`
`severity`	`string`
`timestamp`	`bigint`
`type`	`string`
`user`	`string`

`alert_malsite`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_appsession_start`	`string`
`_category_id`	`string`
`_category_name`	`string`
`_category_tags`	`array<bigint>`
`_correlation_id`	`string`
`_creation_timestamp`	`bigint`
`_ef_received_at`	`bigint`
`_enriched_all`	`boolean`
`_event_id`	`string`
`_forwarded_by`	`string`
`_gef_src_dp`	`string`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`_nshostname`	`string`
`_original_destip`	`string`
`_original_destport`	`bigint`
`_policy_category_id`	`array<bigint>`
`_policy_matched_categories_id`	`array<string>`
`_raw_event_inserted_at`	`bigint`
`_service_identifier`	`string`
`_skip_geoip_lookup`	`string`
`_src_epoch_now`	`bigint`
`_src_gmt_offset`	`bigint`
`access_method`	`string`
`acked`	`string`
`action`	`string`
`alert`	`string`
`alert_name`	`string`
`alert_type`	`string`
`app`	`string`
`app_session_id`	`bigint`
`app_tags`	`array<string>`
`appcategory`	`string`
`appsuite`	`string`
`browser`	`string`
`browser_session_id`	`bigint`
`browser_version`	`string`
`category`	`string`
`cci`	`bigint`
`ccl`	`string`
`connection_id`	`bigint`
`count`	`bigint`
`destination_profiles`	`array<string>`
`device`	`string`
`domain`	`string`
`dst_country`	`string`
`dst_latitude`	`double`
`dst_location`	`string`
`dst_longitude`	`double`
`dst_region`	`string`
`dst_timezone`	`string`
`dst_zipcode`	`string`
`dstip`	`string`
`dstport`	`bigint`
`incident_id`	`bigint`
`ja3`	`string`
`ja3s`	`string`
`malicious`	`string`
`malsite_category`	`array<string>`
`malsite_country`	`string`
`malsite_id`	`string`
`malsite_ip_host`	`string`
`malsite_latitude`	`double`
`malsite_longitude`	`double`
`malsite_region`	`string`
`managed_app`	`string`
`netskope_pop`	`string`
`notify_template`	`string`
`object`	`string`
`object_type`	`string`
`organization_unit`	`string`
`os`	`string`
`os_family`	`string`
`os_version`	`string`
`other_categories`	`array<string>`
`page`	`string`
`page_site`	`string`
`policy`	`string`
`policy_id`	`string`
`port`	`string`
`protocol`	`string`
`referer`	`string`
`request_id`	`bigint`
`severity`	`string`
`severity_level`	`string`
`severity_level_id`	`bigint`
`site`	`string`
`src_country`	`string`
`src_latitude`	`double`
`src_location`	`string`
`src_longitude`	`double`
`src_region`	`string`
`src_time`	`string`
`src_timezone`	`string`
`src_zipcode`	`string`
`srcip`	`string`
`tags`	`array<string>`
`telemetry_app`	`string`
`threat_match_field`	`string`
`threat_match_value`	`string`
`threat_source_id`	`bigint`
`timestamp`	`bigint`
`title`	`string`
`traffic_type`	`string`
`transaction_id`	`bigint`
`type`	`string`
`ur_normalized`	`string`
`url`	`string`
`user`	`string`
`useragent`	`string`
`userip`	`string`
`userkey`	`string`
`web_universal_connector`	`string`

`alert_malware`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`alert_type`	`string`
`alert_name`	`string`
`app`	`string`
`severity`	`string`
`timestamp`	`bigint`
`type`	`string`
`user`	`string`

`alert_policy`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`TSS-scan`	`string`
`_appsession_start`	`string`
`_category_id`	`string`
`_category_name`	`string`
`_category_tags`	`array<bigint>`
`_client_timeout`	`bigint`
`_content_version`	`bigint`
`_correlation_id`	`string`
`_creation_timestamp`	`bigint`
`_ef_received_at`	`bigint`
`_enriched_all`	`boolean`
`_event_id`	`string`
`_forwarded_by`	`string`
`_gef_src_dp`	`string`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`_ns_protection_type`	`string`
`_nshostname`	`string`
`_nsp_dur_back`	`bigint`
`_nsp_dur_front`	`bigint`
`_nsp_retrans_back`	`bigint`
`_nsp_retrans_front`	`bigint`
`_nsp_rtt_back`	`bigint`
`_nsp_rtt_front`	`bigint`
`_original_destip`	`string`
`_original_destport`	`bigint`
`_partial_file`	`boolean`
`_policy_index`	`bigint`
`_policy_matched_categories_id`	`array<string>`
`_raw_event_inserted_at`	`bigint`
`_resource_name`	`string`
`_scan_source`	`string`
`_service_identifier`	`string`
`_session_begin`	`string`
`_skip_geoip_lookup`	`string`
`_src_epoch_now`	`bigint`
`_src_gmt_offset`	`bigint`
`_tenant_max_file_size`	`bigint`
`access_method`	`string`
`acked`	`string`
`action`	`string`
`activity`	`string`
`alert`	`string`
`alert_name`	`string`
`alert_type`	`string`
`all_policy_matches`	`array<string>`
`app`	`string`
`app_session_id`	`bigint`
`app_tags`	`array<string>`
`appcategory`	`string`
`appsuite`	`string`
`browser`	`string`
`browser_session_id`	`bigint`
`browser_version`	`string`
`category`	`string`
`cci`	`bigint`
`ccl`	`string`
`connection_id`	`bigint`
`count`	`bigint`
`destination_profiles`	`array<string>`
`device`	`string`
`domain`	`string`
`dst_country`	`string`
`dst_latitude`	`double`
`dst_location`	`string`
`dst_longitude`	`double`
`dst_region`	`string`
`dst_timezone`	`string`
`dst_zipcode`	`string`
`dstip`	`string`
`dstport`	`bigint`
`file_category`	`string`
`file_size`	`bigint`
`file_type`	`string`
`from_user`	`string`
`incident_id`	`bigint`
`instance_id`	`string`
`instance_tags`	`array<string>`
`ja3`	`string`
`ja3s`	`string`
`justification_reason`	`string`
`justification_type`	`string`
`local_sha256`	`string`
`malicious`	`string`
`malsite_category`	`array<string>`
`malware_id`	`string`
`malware_name`	`string`
`malware_severity`	`string`
`malware_type`	`string`
`managed_app`	`string`
`md5`	`string`
`netskope_pop`	`string`
`notify_template`	`string`
`object`	`string`
`object_type`	`string`
`organization_unit`	`string`
`os`	`string`
`os_family`	`string`
`os_version`	`string`
`other_categories`	`array<string>`
`page`	`string`
`page_site`	`string`
`parent_id`	`string`
`policy`	`string`
`policy_id`	`string`
`port`	`string`
`protection_string`	`string`
`protocol`	`string`
`referer`	`string`
`request_id`	`bigint`
`sanctioned_instance`	`string`
`severity`	`string`
`sha256`	`string`
`site`	`string`
`src_country`	`string`
`src_latitude`	`double`
`src_location`	`string`
`src_longitude`	`double`
`src_region`	`string`
`src_time`	`string`
`src_timezone`	`string`
`src_zipcode`	`string`
`srcip`	`string`
`suppression_end_time`	`bigint`
`suppression_start_time`	`bigint`
`tags`	`array<string>`
`telemetry_app`	`string`
`threat_match_field`	`string`
`threat_match_value`	`string`
`threat_source_id`	`bigint`
`timestamp`	`bigint`
`title`	`string`
`traffic_type`	`string`
`transaction_id`	`bigint`
`tss_mode`	`string`
`type`	`string`
`ur_normalized`	`string`
`url`	`string`
`user`	`string`
`useragent`	`string`
`userip`	`string`
`userkey`	`string`
`web_universal_connector`	`string`

`alert_quarantine`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`alert_type`	`string`
`alert_name`	`string`
`app`	`string`
`severity`	`string`
`timestamp`	`bigint`
`type`	`string`
`user`	`string`

`alert_remediation`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`alert_type`	`string`
`alert_name`	`string`
`app`	`string`
`severity`	`string`
`timestamp`	`bigint`
`type`	`string`
`user`	`string`

`alert_securityassessment`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`alert_type`	`string`
`alert_name`	`string`
`app`	`string`
`severity`	`string`
`timestamp`	`bigint`
`type`	`string`
`user`	`string`

`alert_uba`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`__skip_cache`	`string`
`_activity`	`string`
`_api_conn`	`string`
`_category_id`	`string`
`_correlation_id`	`string`
`_creation_timestamp`	`bigint`
`_ef_received_at`	`bigint`
`_enriched`	`boolean`
`_event_id`	`string`
`_forwarded_by`	`string`
`_gef_meta`	`string`
`_gef_src_dp`	`string`
`_id`	`string`
`_insertion_epoch_timestamp`	`bigint`
`_raw_event_inserted_at`	`bigint`
`_service_identifier`	`string`
`_session_begin`	`bigint`
`_skip_geoip_lookup`	`string`
`_skip_ueba`	`boolean`
`access_method`	`string`
`acked`	`string`
`act_user`	`string`
`action`	`string`
`activity`	`string`
`activity_status`	`string`
`alert`	`string`
`alert_id`	`string`
`alert_name`	`string`
`alert_type`	`string`
`app`	`string`
`app_activity`	`string`
`app_session_id`	`bigint`
`app_tags`	`array<string>`
`appcategory`	`string`
`browser`	`string`
`category`	`string`
`cci`	`bigint`
`ccl`	`string`
`connection_id`	`bigint`
`count`	`bigint`
`device`	`string`
`event_detail`	`string`
`event_type`	`string`
`evt_src_chnl`	`string`
`file_id`	`string`
`file_path`	`string`
`file_type`	`string`
`instance`	`string`
`instance_id`	`string`
`logon_error`	`string`
`mime_type`	`string`
`object`	`string`
`object_id`	`string`
`object_type`	`string`
`organization_unit`	`string`
`orig_ty`	`string`
`os`	`string`
`other_categories`	`array<string>`
`parent_id`	`string`
`policy`	`string`
`policy_actions`	`array<string>`
`profile_id`	`string`
`raw_event`	`string`
`request_id`	`bigint`
`request_type`	`string`
`sanctioned_instance`	`string`
`scenario`	`string`
`severity`	`string`
`site`	`string`
`srcip`	`string`
`sub_scenario`	`string`
`tags`	`array<string>`
`threshold`	`bigint`
`threshold_time`	`bigint`
`timestamp`	`bigint`
`title`	`string`
`traffic_type`	`string`
`transaction_id`	`bigint`
`type`	`string`
`ur_normalized`	`string`
`user`	`string`
`user_id`	`string`
`userip`	`string`
`userkey`	`string`

`alert_watchlist`

Field	Data type
`lw_id`	`string`
`time`	`timestamp`
`_category_id`	`string`
`_category_name`	`string`
`_category_tags`	`array<bigint>`
`_correlation_id`	`string`
`_creation_timestamp`	`bigint`
`_ef_received_at`	`bigint`
`_enriched`	`boolean`
`_enriched_all`	`boolean`
`_event_id`	`string`
`_forwarded_by`	`string`
`_gef_src_dp`	`string`
`_id`	`string`
`_ingress_client_bytes`	`bigint`
`_ingress_server_bytes`	`bigint`
`_insertion_epoch_timestamp`	`bigint`
`_nshostname`	`string`
`_raw_event_inserted_at`	`bigint`
`_service_identifier`	`string`
`_skip_geoip_lookup`	`string`
`_src_epoch_now`	`bigint`
`_src_gmt_offset`	`bigint`
`access_method`	`string`
`acked`	`string`
`alert_name`	`string`
`alert_type`	`string`
`app`	`string`
`app_session_id`	`bigint`
`app_tags`	`array<string>`
`appcategory`	`string`
`browser`	`string`
`browser_session_id`	`bigint`
`browser_version`	`string`
`bypass_reason`	`string`
`bypass_traffic`	`string`
`category`	`string`
`cci`	`bigint`
`ccl`	`string`
`client_bytes`	`bigint`
`conn_duration`	`bigint`
`conn_endtime`	`bigint`
`conn_starttime`	`bigint`
`connection_id`	`bigint`
`count`	`bigint`
`device`	`string`
`domain`	`string`
`dst_country`	`string`
`dst_latitude`	`double`
`dst_location`	`string`
`dst_longitude`	`double`
`dst_region`	`string`
`dst_timezone`	`string`
`dst_zipcode`	`string`
`dstip`	`string`
`dstport`	`bigint`
`http_transaction_count`	`bigint`
`netskope_pop`	`string`
`numbytes`	`bigint`
`organization_unit`	`string`
`os`	`string`
`os_family`	`string`
`os_version`	`string`
`other_categories`	`array<string>`
`page`	`string`
`policy`	`string`
`protocol`	`string`
`req_cnt`	`bigint`
`resp_cnt`	`bigint`
`resp_content_len`	`bigint`
`resp_content_type`	`string`
`server_bytes`	`bigint`
`severity`	`string`
`site`	`string`
`src_country`	`string`
`src_geoip_src`	`bigint`
`src_latitude`	`double`
`src_location`	`string`
`src_longitude`	`double`
`src_region`	`string`
`src_time`	`string`
`src_timezone`	`string`
`src_zipcode`	`string`
`srcip`	`string`
`ssl_decrypt_policy`	`string`
`tags`	`array<string>`
`timestamp`	`bigint`
`traffic_type`	`string`
`type`	`string`
`ur_normalized`	`string`
`url`	`string`
`user`	`string`
`user_generated`	`string`
`useragent`	`string`
`userip`	`string`
`userkey`	`string`

Required Netskope API token permissions

The Netskope REST API v2 token's role must have View access to the events and alerts you want to ingest. For details, see Configure authentication to Netskope.

Connector options​

Supported source tables​

Destination table schemas​

audit​

application​

incident​

infrastructure​

network​

page​

alert_compromisedcredential​

alert_content​

alert_ctep​

alert_device​

alert_dlp​

alert_malsite​

alert_malware​

alert_policy​

alert_quarantine​

alert_remediation​

alert_securityassessment​

alert_uba​

alert_watchlist​

Required Netskope API token permissions​