Vendor: Netskope

April 15, 2026 · View on GitHub

Product: Netskope Security Cloud

RulesModelsMITRE ATT&CK® TTPsActivity TypesParsers
3521405218107
Use-CaseActivity Types/ParsersMITRE ATT&CK® TTPContent
Abnormal Authentication & Accessaccount-creation
netskope-sc-json-file-auditlogevent
netskope-sc-sk4-file-delete-success-folderdeleted

app-activity
netskope-sc-cef-file-write-success-listupdated
netskope-sc-cef-file-read-success-preview
netskope-sc-cef-file-write-success-edit
netskope-sc-cef-file-read-success-pageviewedextended
netskope-sc-cef-file-write-success-listcreated
netskope-sc-cef-file-write-success-listitemupdated
netskope-sc-cef-file-read-success-view
netskope-sc-cef-file-browse
netskope-sc-cef-file-write-success-create
netskope-sc-json-file-read-success-introspectionscan
netskope-sc-cef-file-read-success-accessedextended
netskope-sc-cef-file-write-success-move
netskope-sc-cef-file-permission-modify-success-share
netskope-sc-cef-file-delete-success-filedeleted
netskope-sc-cef-file-download-success-download
netskope-sc-cef-file-upload-success-upload
netskope-sc-cef-file-read-success-viewall
netskope-sc-cef-file-delete-success-delete
netskope-sc-cef-file-write-success-listcolumncreated
netskope-sc-cef-file-delete-success-listitemdeleted
netskope-sc-cef-file-write-success-modifiedextended
netskope-sc-sk4-app-activity-success-view
netskope-sc-sk4-app-activity-success-post
netskope-sc-sk4-app-activity-success-upload
netskope-sc-sk4-app-activity-success-emaillogsearch
netskope-sc-sk4-app-activity-success-like
netskope-sc-sk4-app-activity-success-updatetimestamp
netskope-sc-json-app-activity-success-share
netskope-sc-sk4-app-activity-success-powerups
netskope-sc-sk4-app-activity-success-loginattempt
netskope-sc-sk4-app-activity-success-receive
netskope-sc-sk4-app-activity-success-alertcenterlistchange
netskope-sc-sk4-app-activity-success-approve
netskope-sc-sk4-app-activity-success-download
netskope-sc-sk4-app-activity-success-follow
netskope-sc-sk4-app-activity-success-delete
netskope-sc-sk4-app-activity-success-creategmailsetting
netskope-sc-sk4-app-activity-success-searchqueryperformed
netskope-sc-sk4-app-activity-success-alertcentergetsitlink
netskope-sc-sk4-app-activity-success-alertcenterview
netskope-sc-sk4-app-activity-success-dislike
netskope-sc-sk4-app-activity-success-securityinvestigationquery
netskope-sc-sk4-app-activity-success-alertcenterlistrelatedalerts
netskope-sc-sk4-app-activity-success-create
netskope-sc-sk4-app-activity-success-pageprefetched
netskope-sc-sk4-app-activity-success-groupmembersdownload
netskope-sc-sk4-app-activity-success-invite
netskope-sc-sk4-app-activity-success-move
netskope-sc-sk4-app-activity-success-updategroupmember
netskope-sc-sk4-app-activity-success-mark
netskope-sc-sk4-app-activity-success-changegmailsetting
netskope-sc-sk4-app-activity-success-share
netskope-sc-sk4-app-activity-success-viewall
netskope-sc-sk4-app-activity-success-send
netskope-sc-sk4-app-activity-success-sitecolumncreated
netskope-sc-sk4-app-activity-success-alertcenterlistfeedback
netskope-sc-sk4-app-activity-success-edit
netskope-sc-sk4-app-activity-success-terminate
netskope-sc-json-app-activity-appactivity
netskope-sc-sk4-app-activity-adminauditlogs
netskope-sc-json-app-activity-success-browsersession
netskope-sc-json-file-auditlogevent
netskope-sc-sk4-file-delete-success-folderdeleted
netskope-sc-json-app-activity-success-browsersessionid
netskope-sc-sk4-app-activity-success-strongauthentication
netskope-sc-sk4-app-activity-success-copyobject
netskope-sc-sk4-app-activity-success-deleteuser
netskope-sc-sk4-app-activity-success-deletesetting
netskope-sc-sk4-app-activity-success-requesttransfer
netskope-sc-sk4-app-activity-success-driverestore
netskope-sc-sk4-app-activity-success-archiveuser
netskope-sc-sk4-app-activity-success-deleteobject
netskope-sc-json-file-write-app-activity-success-rename
netskope-sc-json-endpoint-activity-success-access_method

app-login
netskope-sc-cef-app-login-success-loginsuccessful
netskope-sc-json-app-login-success-login
netskope-sc-json-app-login-success-login-1
netskope-sc-json-app-login-success-loginsuccessful
netskope-sc-json-app-login-success-loginsuccessful-1
netskope-sc-json-app-login-success-ssologin-1
netskope-sc-json-file-auditlogevent

failed-app-login
netskope-sc-cef-app-login-fail-loginfailed
netskope-sc-json-app-login-fail-loginfailed

web-activity-allowed
netskope-sc-cef-http-session-success-cloudapp
netskope-sc-str-http-session-websocket
netskope-sc-str-http-session-success-webtransaction
netskope-sc-str-http-session-success-cloudapptransaction
netskope-sc-str-http-session-success-transaction
netskope-sc-json-network-traffic-traffictype-1
netskope-sc-json-network-traffic-traffictype

web-activity-denied
netskope-sc-cef-http-session-fail-block-1
netskope-sc-cef-http-session-fail-block
netskope-sc-str-http-session-websocket
netskope-sc-str-http-session-success-webtransaction
netskope-sc-str-http-session-success-cloudapptransaction
netskope-sc-str-http-session-success-transaction
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
  • 21 Rules
  • 10 Models
Account Manipulationaccount-creation
netskope-sc-json-file-auditlogevent
netskope-sc-sk4-file-delete-success-folderdeleted

app-activity
netskope-sc-cef-file-write-success-listupdated
netskope-sc-cef-file-read-success-preview
netskope-sc-cef-file-write-success-edit
netskope-sc-cef-file-read-success-pageviewedextended
netskope-sc-cef-file-write-success-listcreated
netskope-sc-cef-file-write-success-listitemupdated
netskope-sc-cef-file-read-success-view
netskope-sc-cef-file-browse
netskope-sc-cef-file-write-success-create
netskope-sc-json-file-read-success-introspectionscan
netskope-sc-cef-file-read-success-accessedextended
netskope-sc-cef-file-write-success-move
netskope-sc-cef-file-permission-modify-success-share
netskope-sc-cef-file-delete-success-filedeleted
netskope-sc-cef-file-download-success-download
netskope-sc-cef-file-upload-success-upload
netskope-sc-cef-file-read-success-viewall
netskope-sc-cef-file-delete-success-delete
netskope-sc-cef-file-write-success-listcolumncreated
netskope-sc-cef-file-delete-success-listitemdeleted
netskope-sc-cef-file-write-success-modifiedextended
netskope-sc-sk4-app-activity-success-view
netskope-sc-sk4-app-activity-success-post
netskope-sc-sk4-app-activity-success-upload
netskope-sc-sk4-app-activity-success-emaillogsearch
netskope-sc-sk4-app-activity-success-like
netskope-sc-sk4-app-activity-success-updatetimestamp
netskope-sc-json-app-activity-success-share
netskope-sc-sk4-app-activity-success-powerups
netskope-sc-sk4-app-activity-success-loginattempt
netskope-sc-sk4-app-activity-success-receive
netskope-sc-sk4-app-activity-success-alertcenterlistchange
netskope-sc-sk4-app-activity-success-approve
netskope-sc-sk4-app-activity-success-download
netskope-sc-sk4-app-activity-success-follow
netskope-sc-sk4-app-activity-success-delete
netskope-sc-sk4-app-activity-success-creategmailsetting
netskope-sc-sk4-app-activity-success-searchqueryperformed
netskope-sc-sk4-app-activity-success-alertcentergetsitlink
netskope-sc-sk4-app-activity-success-alertcenterview
netskope-sc-sk4-app-activity-success-dislike
netskope-sc-sk4-app-activity-success-securityinvestigationquery
netskope-sc-sk4-app-activity-success-alertcenterlistrelatedalerts
netskope-sc-sk4-app-activity-success-create
netskope-sc-sk4-app-activity-success-pageprefetched
netskope-sc-sk4-app-activity-success-groupmembersdownload
netskope-sc-sk4-app-activity-success-invite
netskope-sc-sk4-app-activity-success-move
netskope-sc-sk4-app-activity-success-updategroupmember
netskope-sc-sk4-app-activity-success-mark
netskope-sc-sk4-app-activity-success-changegmailsetting
netskope-sc-sk4-app-activity-success-share
netskope-sc-sk4-app-activity-success-viewall
netskope-sc-sk4-app-activity-success-send
netskope-sc-sk4-app-activity-success-sitecolumncreated
netskope-sc-sk4-app-activity-success-alertcenterlistfeedback
netskope-sc-sk4-app-activity-success-edit
netskope-sc-sk4-app-activity-success-terminate
netskope-sc-json-app-activity-appactivity
netskope-sc-sk4-app-activity-adminauditlogs
netskope-sc-json-app-activity-success-browsersession
netskope-sc-json-file-auditlogevent
netskope-sc-sk4-file-delete-success-folderdeleted
netskope-sc-json-app-activity-success-browsersessionid
netskope-sc-sk4-app-activity-success-strongauthentication
netskope-sc-sk4-app-activity-success-copyobject
netskope-sc-sk4-app-activity-success-deleteuser
netskope-sc-sk4-app-activity-success-deletesetting
netskope-sc-sk4-app-activity-success-requesttransfer
netskope-sc-sk4-app-activity-success-driverestore
netskope-sc-sk4-app-activity-success-archiveuser
netskope-sc-sk4-app-activity-success-deleteobject
netskope-sc-json-file-write-app-activity-success-rename
netskope-sc-json-endpoint-activity-success-access_method
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 23 Rules
  • 9 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Phishing: Spearphishing Link

External Remote Services

Valid Accounts

Drive-by Compromise

Exploit Public Fasing Application

Phishing

User Execution

Create Account

External Remote Services

Valid Accounts

Server Software Component: Web Shell

Account Manipulation

Server Software Component

Boot or Logon Autostart Execution

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

Valid Accounts

Exploitation for Privilege Escalation

Boot or Logon Autostart Execution

Obfuscated Files or Information: Indicator Removal from Tools

Indicator Removal on Host: File Deletion

Valid Accounts

Indicator Removal on Host

Obfuscated Files or Information

OS Credential Dumping

File and Directory Discovery

Internal Spearphishing

Email Collection

Email Collection: Email Forwarding Rule

Web Service

Application Layer Protocol: Web Protocols

Dynamic Resolution

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel

Automated Exfiltration

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service

Data Destruction

Resource Hijacking

Data Encrypted for Impact