Netskope Web Transactions: 51-Field Schema Expansion Unlocks Threat Protection and Endpoint Posture Visibility

What Changed

The NetskopeWebTransactions_CL custom table and its associated DCR transform have been expanded with 51 additional Web Transaction fields grouped into five new categories: Threat Protection, Endpoint Posture, Process Activity, Identity and Authentication, and Action Analysis.

The NetskopeWebtx KQL parser has been simultaneously updated with two distinct change classes:

1. Column reference migration — every existing field mapping has moved from raw W3C log field names to DCR-normalised PascalCase equivalents (e.g. cs-bytes to CsBytes). This reflects the DCR transform now renaming columns at ingestion time rather than leaving them in raw hyphenated form.

2. Net-new field mappings — 51 additional fields added, including:

   • Threat protection: malware name, threat type, malware severity, detection engine results
   • Endpoint posture: device classification, OS family, Netskope client version, managed/unmanaged device state
   • Process telemetry: originating process name, parent process name
   • Identity and authorization: authenticated user, authorization groups
   • Remote geo: destination country, region, city for the remote endpoint
   • Action: policy action and action reason

Security Impact (Visibility and Fidelity)

Parser column rename — breaking change for existing queries. Any saved Hunting Queries, Analytic Rules, or workbook KQL referencing the NetskopeWebtx parser against the old raw column names (e.g., cs-bytes, cs-username, x-cs-app) will return null for all rows after this update, because the parser now maps from the DCR-normalised names. This is a data fidelity gap that silently surfaces as empty results rather than an error.

New threat protection fields unlock previously unavailable detections. Prior to this release, malware detection results, threat severity, and engine verdicts from Netskope were not available in NetskopeWebTransactions_CL. SOC teams that assumed this table represented complete web proxy telemetry had an undetected blind spot in malware-in-transit coverage.

Endpoint posture data enables device trust context in web session analysis. The new device classification and Netskope client version fields allow correlation of web transaction anomalies with unmanaged or outdated endpoint states — a gap relevant to T1078 (Valid Accounts) and T1190 (Exploit Public-Facing Application) scenarios where attacker sessions from unmanaged devices would previously have been indistinguishable from legitimate traffic.

Workbook

The Netskope Web Transactions workbook (previously titled Netskope Web Transactions Dashboard) has been refreshed with five new sections: Threat Protection, Endpoint Posture, Process Activity, Identity and Authentication, and Action Analysis — covering the net-new schema fields.

Affected Files

Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_DCR.json
Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_PollingConfig.json
Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_Table.json
Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_connectorDefinition.json
Solutions/NetskopeWebTx/Parsers/NetskopeWebtx.yaml
Solutions/NetskopeWebTx/README.md
Solutions/NetskopeWebTx/Workbooks/NetskopeWebtxDashboard/NetskopeWebTx_Workbook.json
Workbooks/NetskopeWebTx_Workbook.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_NetskopeWebTx.json, createUiDefinition.json, mainTemplate.json)