Netskope

Collect security events from your Netskope platform including application usage, network traffic, alerts, DLP incidents, and user activity.

Ingest Methods

RunReveal offers the following ways to ingest Netskope logs:

API Polling

RunReveal connects to Netskope using REST API v2 dataexport iterator endpoints (/api/v2/events/dataexport), polling for new events every 30 seconds. To get set up, create a Netskope role with the right permissions and a service account with an API token (Steps 1–2), then add the source in RunReveal (Step 3). If the token cannot read a selected event type, that stream is skipped while others continue ingesting.

Step 1: Create a role

  1. Go to Settings → Administration → Administrators & Roles, open the Roles tab, and click Create Role.
  2. Name the role RunReveal-Logs (or any name you prefer).
  3. Grant View on the functional areas that match the event types you want to collect.
  4. Permissions map directly to API paths—for example, Access Control → Application Events covers /api/v2/events/dataexport/events/application. You pick functional areas; Netskope handles the path mapping. Use the role editor tooltips or Mapping API v2 endpoints to RBAC v3 Roles if you’re unsure which permission covers which stream.
  5. The event type values in RunReveal match the segment after /events/ in those paths:
| Value | Label |
| --- | --- |
| application | Application |
| page | Page |
| network | Network |
| audit | Audit |
| alert | Alert |
| connection | Connection |
| infrastructure | Infrastructure |
| incident | Incident |
| endpoint | Endpoint |

Step 2: Service account and token

  1. In the same Administrators & Roles area, open the Administrators tab.
  2. Click Add Service Account (the button label may vary by tenant).
  3. Enter a name for the account, such as runreveal-integration.
  4. Assign the role you created in Step 1.
  5. Click Save.
  6. Generate an API token from the service account. Copy it immediately—it is shown only once.

For a full walkthrough, see Netskope’s Create a new service account guide.

Step 3: Connect in RunReveal

  1. In RunReveal, go to Sources and click Add Source.
  2. Select the Netskope tile and click Connect Netskope Source.
  3. Source name — Enter a name and slug you’ll recognize later.
  4. Netskope Tenant — Enter the subdomain only. For acmecorp.goskope.com, enter acmecorp. Do not include https:// or .goskope.com.
  5. API Token — Paste the token from Step 2.
  6. Event types — Enable only the types your role has View access for (see the Step 1 table). Selecting an unsupported type won’t break the source—those streams are silently skipped—but at least one type must be selected.
  7. Click Connect Source. RunReveal backfills existing logs on first sync, then polls every 30 seconds going forward.

Verify It’s Working

Logs usually appear within a few minutes. Run:

SELECT * FROM runreveal.logs WHERE sourceType = 'netskope' LIMIT 10

For Netskope-specific columns, use the netskope_logs view in the schema below.
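Because streams the token cannot read are skipped without an error, a per-stream check is more useful than a row count. The query below is an added example, not part of the RunReveal documentation; it assumes ClickHouse SQL, that the netskope_logs view can be queried by that name, and that its eventType column holds the same values as the Step 1 table.

```sql
-- Added example: list every Netskope event type from the Step 1 table and
-- show whether any rows arrived for it in the last 24 hours.
-- Assumptions: ClickHouse dialect; eventType stores the Step 1 values.
SELECT
    expected.eventType                                  AS eventType,
    seen.events                                         AS eventsLast24h,
    seen.lastReceived                                   AS lastReceived,
    seen.events = 0                                     AS noData
FROM
(
    -- The nine event types RunReveal can poll.
    SELECT arrayJoin([
        'application', 'page', 'network', 'audit', 'alert',
        'connection', 'infrastructure', 'incident', 'endpoint'
    ]) AS eventType
) AS expected
LEFT JOIN
(
    -- What actually arrived, grouped by stream.
    SELECT
        eventType,
        count()         AS events,
        max(receivedAt) AS lastReceived
    FROM netskope_logs
    WHERE receivedAt >= now() - INTERVAL 1 DAY
    GROUP BY eventType
) AS seen USING (eventType)
-- With ClickHouse's default join settings, unmatched rows get events = 0
-- and lastReceived = 1970-01-01 00:00:00 rather than NULL.
ORDER BY noData DESC, eventType ASC
```

A row with noData = 1 for a type you enabled in Step 3 means either the stream had no activity in the window or the role lacks View on the matching functional area, so check the role from Step 1 before assuming the stream is quiet.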

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: netskope_logs (69 columns)

| Column | Type |
| --- | --- |
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |

| Column | Type |
| --- | --- |
| rawLog | String |
| netskopeEventID | String |
| timestamp | UInt64 |
| eventType | String |
| user | String |
| app | String |
| activity | String |
| alertType | String |
| severity | String |
| policy | String |
| device | String |
| location | String |
| category | String |
| ccl | String |
| cci | UInt32 |
| accessMethod | String |
| trafficType | String |
| protocol | String |
| url | String |
| page | String |
| object | String |
| objectType | String |
| instanceID | String |
| fromUser | String |
| toUser | String |
| fileType | String |
| fileName | String |
| fileSize | UInt64 |
| dlpProfile | String |
| dlpRule | String |
| browserSessionID | String |
| connectionID | String |
| requestID | String |
| transactionID | String |