What Changed
Two new ASIM AlertEvent parsers are introduced for Netskope Security Cloud:
- ASimAlertEventNetskopeSecurityCloud: the unfiltered/batch parser
- vimAlertEventNetskopeSecurityCloud: the filtering parser (supports all standard imAlertEvent filter parameters: starttime, endtime, ipaddr_has_any_prefix, hostname_has_any, username_has_any, attacktactics_has_any, attacktechniques_has_any, threatcategory_has_any, alertverdict_has_any, eventseverity_has_any)
Both parsers are registered into the top-level ASimAlertEvent (v0.1.4) and imAlertEvent (v0.1.4) umbrella parsers, meaning any existing source-agnostic detection or hunting query using imAlertEvent will automatically pick up Netskope alert data without modification.
Parser Impact
Source table: NetskopeAlerts_CL (ingested via the community CCF connector by Tim Groothuis)
Schema normalised: ASIM AlertEvent v0.1
Key field mappings:
| ASIM Field | Source Field / Logic |
|---|---|
| EventSeverity | severity → High / Medium / Low / Informational |
| EventSubType | alert_type → Threat / Compliance Violation / Anomaly |
| DetectionMethod | alert_type → DLP / AV / CASB / IDS / TI / Behavioral / Reputation |
| DvcAction | action → Block / Allow / Detect |
| EventResult | action → Failure (block) / Success (all others) |
| ThreatCategory | category → MaliciousUrl / Adware / Security Policy Violation / Unknown |
| Username / UsernameType | user with UPN / Windows / Simple heuristic detection |
| UserType | prefix-based heuristic (Service / Admin / Regular / Anonymous) |
| DvcId / DvcIdType | nsdeviceuid with type Other |
Alert types covered: malware, c2, malsite, ips, compromised credential, dlp, policy, uba
Pack mode: when enabled, AdditionalFields captures access_method, app, app_sessionid, browser, cci (Cloud Confidence Index), ccl, malsite_category, malsite_country, srcip, dstip, referer, and object_type.
No pre-existing fields broken: this is a net-new parser; no existing field names or filter logic were modified. The umbrella parser registration is backward-compatible. If needed, the new sub-parser can be disabled by adding ExcludeASimAlertEventNetskopeSecurityCloud to the workspace DisabledParsers watchlist.
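To make the mapping table above concrete, the following KQL is an added illustration (not the parser code in this PR) of how the listed source fields translate into ASIM values. It runs against a constructed `datatable` standing in for NetskopeAlerts_CL; the source column names, the category strings, the severity values and the `svc-`/`adm-` user prefixes used for the UserType heuristic are all assumptions made for the example.

```kusto
// Constructed rows standing in for NetskopeAlerts_CL (column names and values are assumed).
let SampleAlerts = datatable(TimeGenerated:datetime, alert_type:string, severity:string, action:string, category:string, user:string, nsdeviceuid:string)
[
    datetime(2024-01-01 10:00:00), "malsite", "high",   "block", "Malicious Sites", "alice@contoso.example", "dev-0001",
    datetime(2024-01-01 10:05:00), "dlp",     "medium", "alert", "DLP",             "CONTOSO\\bob",          "dev-0002",
    datetime(2024-01-01 10:10:00), "uba",     "low",    "alert", "",                "svc-backup",            "dev-0003"
];
SampleAlerts
| extend
    // severity -> EventSeverity (default Informational)
    EventSeverity = case(severity in ("critical", "high"), "High",
                         severity == "medium", "Medium",
                         severity == "low", "Low",
                         "Informational"),
    // alert_type -> EventSubType
    EventSubType = case(alert_type in ("malware", "c2", "malsite", "ips", "compromised credential"), "Threat",
                        alert_type in ("dlp", "policy"), "Compliance Violation",
                        alert_type == "uba", "Anomaly",
                        ""),
    // action -> DvcAction, and block alone counts as Failure for EventResult
    DvcAction = case(action == "block", "Block", action == "allow", "Allow", "Detect"),
    EventResult = iff(action == "block", "Failure", "Success"),
    // category -> ThreatCategory (category strings assumed)
    ThreatCategory = case(category == "Malicious Sites", "MaliciousUrl",
                          category == "Adware", "Adware",
                          alert_type in ("dlp", "policy"), "Security Policy Violation",
                          "Unknown"),
    // user -> Username / UsernameType heuristic: '@' means UPN, '\' means Windows, else Simple
    Username = user,
    UsernameType = case(user contains "@", "UPN", user contains "\\", "Windows", "Simple"),
    // prefix-based UserType heuristic (prefixes assumed for the example)
    UserType = case(user startswith "svc-", "Service",
                    user startswith "adm-", "Admin",
                    user == "anonymous", "Anonymous",
                    "Regular"),
    DvcId = nsdeviceuid,
    DvcIdType = "Other"
| project TimeGenerated, EventSubType, EventSeverity, DvcAction, EventResult,
          ThreatCategory, Username, UsernameType, UserType, DvcId, DvcIdType
```

Running this in any Kusto endpoint yields three normalised rows: the malsite alert as a blocked High-severity MaliciousUrl threat for a UPN user, the DLP alert as a Medium Compliance Violation for a Windows-style user, and the uba alert as a Low Anomaly attributed to a Service account. Comparing such an expected row against what the real parser emits for the same raw alert is the check a reviewer would do before trusting the mapping in detections.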
Detection Surface Unlocked
Environments ingesting Netskope Security Cloud via the CCF connector into NetskopeAlerts_CL can now:
- Apply any existing imAlertEvent-based detection or hunting query against Netskope DLP, malware, and C2 alert data without custom KQL
- Hunt on `ThreatCategory == "MaliciousUrl"` or `DetectionMethod == "Threat Intelligence"` across all normalised alert sources simultaneously
- Correlate Netskope compromised credential alerts with identity signals using the normalised Username/UsernameType fields
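As an added example of the source-agnostic hunting described above (not a query shipped in this PR), the following KQL invokes the umbrella filtering parser with the named filter parameters the new vimAlertEventNetskopeSecurityCloud parser supports, so the filtering happens inside the parser rather than after the fact. The seven-day window, the severity values and the grouping columns are choices made for the example.

```kusto
// Added example: hunt MaliciousUrl alerts across every registered AlertEvent source,
// Netskope included, using the filter parameters pushed down into each sub-parser.
imAlertEvent(
    starttime = ago(7d),
    endtime = now(),
    threatcategory_has_any = dynamic(["MaliciousUrl"]),
    eventseverity_has_any = dynamic(["High", "Medium"])
)
// Restrict to alerts whose user resolved to a UPN, the form that joins cleanly
// with identity signals such as sign-in logs (UsernameType is set by the parser).
| where UsernameType == "UPN"
| summarize
    Alerts    = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Actions   = make_set(DvcAction),
    Sources   = make_set(EventProduct)
    by Username, DetectionMethod, ThreatCategory
| order by Alerts desc
```

Because the Netskope sub-parser is registered in imAlertEvent, nothing in this query names Netskope; the same query returns Netskope rows the moment NetskopeAlerts_CL data arrives, which is the point of the umbrella registration. If the Exclude entry is added to the DisabledParsers watchlist, those rows silently disappear from this result, so watchlist changes belong in the same review as detection changes.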
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/NetskopeAlerts_CL.json
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventNetskopeSecurityCloud/ASimAlertEventNetskopeSecurityCloud.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventNetskopeSecurityCloud/README.md
Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
Parsers/ASimAlertEvent/ARM/vimAlertEventNetskopeSecurityCloud/README.md
Parsers/ASimAlertEvent/ARM/vimAlertEventNetskopeSecurityCloud/vimAlertEventNetskopeSecurityCloud.json
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventNetskopeSecurityCloud.md
Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventNetskopeSecurityCloud.md
Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/ASimAlertEventNetskopeSecurityCloud.yaml
Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/vimAlertEventNetskopeSecurityCloud.yaml
Sample Data/ASIM/Netskope_Security Cloud_AlertEvent_IngestedLogs.csv