Netskope
This guide describes how to integrate Netskope with Google Security Operations (Google SecOps).
Use cases
Integrating Netskope with Google SecOps can help you solve the following use cases:
-
Phishing URL investigation and blocking:upon receiving a phishing URL alert, use the Google SecOps capabilities to query the Netskope cloud security platform for information about the URL reputation and categorization. If URL is confirmed as malicious, Netskope can automatically block the URL across your organization network.
-
Malware analysis and containment:use the Google SecOps capabilities to submit a malware sample to Netskope for dynamic analysis. Based on the analysis results, Netskope can then enforce policies to quarantine infected devices or block further communication with malicious command-and-control servers.
-
Compromised account remediation:use the Google SecOps capabilities to identify suspicious login attempts or activities and enforce actions, such as password resets, multi-factor authentication challenges, or account suspension.
-
Vulnerability scanning and patching:use the Google SecOps capabilities to receive alerts about vulnerabilities detected in cloud applications.
-
Incident response automation:use the Google SecOps capabilities to gather contextual information about the incident, such as user activity, network traffic, and data access logs and automate incident response tasks, such as isolating affected systems, blocking malicious traffic, and notifying relevant stakeholders.
-
Threat intelligence enrichment:use the Google SecOps capabilities to integrate with Netskope threat intelligence feeds and enrich security alerts with additional context.
Before you begin
Before you configure the Netskope integration in Google SecOps, you must acquire specific credentials from your Netskope tenant. This integration supports two authentication methods, depending on the API version your actions use.
For detailed guidance on locating these settings in the Netskope platform, see the Netskope Knowledge Portal .
REST API V1 (legacy)
This method is required for actions that use the V1 API. To use this method you must acquire an API token (also referred to as the API key). See the Netskope REST API v1 Overview for instructions on generating a token.
REST API V2 (OAuth 2.0)
This method is required for actions that use the V2 API. To use this method you must acquire the following:
- Client ID: Generated when you create a new OAuth client.
- Client secret: Generated with the Client ID.
Refer to the Netskope REST API V2 Overview for instructions on setting up an OAuth client.
Network settings
To configure the network settings for the integration, refer to the following table:
| Function | Default port | Direction | Protocol |
|---|---|---|---|
|
API
|
443 | Outbound | HTTPS |
Integrate Netskope with Google SecOps
The Netskope integration requires the following parameters:
| Parameter | Description |
|---|---|
Api Root
|
Required. The API root of the Netskope instance. |
Api Key
|
Optional. The API token value obtained from the Netskope console used to authenticate against actions using the V1 API. |
Client ID
|
Optional. The client ID used for V2 API (OAuth 2.0) authentication. This parameter is required for actions using the V2 API. |
Client Secret
|
Optional. The client secret used for V2 API (OAuth 2.0) authentication. This parameter is required for actions using the V2 API. |
Verify SSL
|
Optional. If selected, the integration validates the SSL certificate when connecting to the Netskope server. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations .
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances .
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action .
Add Entities To URL List
Use the Add Entities To URL Listaction to append new URLs, domains, or IP addresses to an existing Netskope URL list.
This action runs on the following Google SecOps entities:
-
Domain -
IP Address -
URLAction inputs
The Netskopeaction requires the following parameters:
| Parameter | Description |
|---|---|
URL List Name
|
Required. The name of the existing Netskope URL list to update (such as |
Entries
|
Optional. A comma-separated list of URLs, domains, or IP addresses to add to the list. The action also automatically processes |
Deploy URL List Changes
|
Optional. If selected, the action triggers a global deployment of all pending changes across every URL list in the tenant (not just the list being updated). |
Action outputs
The Netskopeaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Netskopeaction:
{
"added_entities"
:
[
"https://aistudio.google.com/prompts"
,
"https://docs.google.com/"
],
"failed_entities"
:
[
"not_real_url"
,
10500
],
"url_list_name"
:
"Allowed URL List"
,
"modify_by"
:
"SOAR_API2"
,
"modify_time"
:
"2026-02-26T15:28:07.000Z"
,
"pending"
:
1
}
Output messages
The Netskopeaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action. Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Netskopeaction:
| Script result name | Value |
|---|---|
is_success
|
true
or false
|
Allow File
Use the Allow Fileaction to allow a quarantined file.
This action runs on all Google SecOps entities.
Action inputs
The Allow Fileaction requires the following parameters:
| Parameter | Description |
|---|---|
File ID
|
Required
The ID of the file to allow. |
Quarantine Profile ID
|
Optional
The ID of the quarantine profile that is associated with the file. |
Use V2 API
|
Optional
If selected, the action uses the Netskope V2 API endpoint instead of V1. This requires valid V2 API credentials. This parameter requires OAuth 2.0 support. Ensure a valid |
Action outputs
The Allow Fileaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table lists the value for the script result output when using the Allow Fileaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Block File
Use the Block Fileaction to block a quarantined file.
This action runs on all Google SecOps entities.
Action inputs
The Block Fileaction requires the following parameters:
| Parameter | Description |
|---|---|
File ID
|
Required
The ID of the file to block in Netskope. |
Quarantine Profile ID
|
Optional
The ID of the quarantine profile that is associated with the file. |
Use V2 API
|
Optional
If selected, the action uses the Netskope V2 API endpoint instead of V1. This requires valid V2 API credentials. This parameter requires OAuth 2.0 support. Ensure a valid |
Action outputs
The Block Fileaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table lists the value for the script result output when using the Block Fileaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Deploy URL List Changes
Use the Deploy URL List Changesaction to push pending configurations to the active policy engine, ensuring that any staged updates are applied and enforced for URL Lists.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Deploy URL List Changesaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Deploy URL List Changesaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action. Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Deploy URL List Changesaction:
| Script result name | Value |
|---|---|
is_success
|
true
or false
|
Download File
Use the Download Fileaction to download a quarantined file.
This action runs on the Google SecOps IP Address
entity.
Action inputs
The Download Fileaction requires the following parameters:
File ID
The ID of the file to download from quarantine.
Quarantine Profile ID
The ID of the quarantine profile that is associated with the file.
Use V2 API
If selected, the action uses the Netskope V2 API endpoint instead of V1.
This requires valid V2 API credentials.
Enabling this parameter introduces the following requirements and changes:
- Authentication: Requires OAuth 2.0 support. Ensure
a valid
Client IDandClient Secretare configured in the integration settings. - Storage logic: Enabling this parameter switches the source from Classic Storageto NextGen Storage.
Action outputs
The Download Fileaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table lists the value for the script result output when using the Download Fileaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
List Alerts
Use the List Alertsaction to list alerts.
This action runs on all Google SecOps entities.
Action inputs
The List Alertsaction requires the following parameters:
Query
A query to filter the cloud application events in the alerts database.
Type
A type of alerts to filter by.
The possible values are as follows:
-
Anomaly -
Compromised Credential -
Policy -
Legal Hold -
Malsite -
Malware -
DLP -
Watchlist -
Quarantine -
Remediation
Time Period
The time period in milliseconds prior to now to search for alerts.
The possible values are 3600
, 86400
, 604800
, and 2592000
.
Start Time
A start time to filter alerts with timestamps greater than the specified Unix epoch time.
Use this parameter only if you
didn't set the Time Period
parameter.
End Time
An end time to filter alerts with timestamps less than the specified Unix epoch time.
Use this parameter only if you
didn't set the Time Period
parameter.
Is Acknowledged
If selected, the integration filters for acknowledged alerts.
Not selected by default.
Limit
The number of the results to return.
The default value is 100
.
Action outputs
The List Alertsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Alertsaction:
[
{
"dstip"
:
"192.0.2.1"
,
"app"
:
"Amazon Web Services"
,
"profile_id"
:
" ID
"
,
"device"
:
"iPad"
,
"shared_credential_user"
:
"example@example.com"
,
"app_session_id"
:
2961859388
,
"dst_location"
:
"Ashburn"
,
"dst_region"
:
"Virginia"
,
"policy"
:
"Copy prohibited"
,
"page_id"
:
380765822
,
"object_type"
:
"File"
,
"dst_latitude"
:
39.0481
,
"timestamp"
:
1548603047
,
"src_region"
:
"California"
,
"from_user"
:
"user@example.com"
,
"src_location"
:
"San Luis Obispo"
,
"traffic_type"
:
"CloudApp"
,
"appcategory"
:
"IaaS/PaaS"
,
"src_latitude"
:
35.2635
,
"count"
:
2
,
"type"
:
"anomaly"
,
"risk_level_id"
:
2
,
"activity"
:
"Upload"
,
"userip"
:
"203.0.113.1"
,
"src_longitude"
:
-120.6509
,
"browser"
:
"Safari"
,
"alert_type"
:
"anomaly"
,
"event_type"
:
"user_shared_credentials"
,
"_insertion_epoch_timestamp"
:
1548601562
,
"site"
:
"Amazon Web Services"
,
"id"
:
3561
,
"category"
:
"IaaS/PaaS"
,
"orig_ty"
:
"nspolicy"
,
"dst_country"
:
"US"
,
"src_zipcode"
:
"93401"
,
"cci"
:
94
,
"ur_normalized"
:
"user@example.com"
,
"object"
:
"quarterly_report.pdf"
,
"organization_unit"
:
""
,
"acked"
:
"false"
,
"dst_longitude"
:
-77.4728
,
"alert"
:
"yes"
,
"user"
:
"user@example.com"
,
"userkey"
:
"user@example.com"
,
"srcip"
:
"7198.51.100.1"
,
"org"
:
"example.com"
,
"src_country"
:
"US"
,
"bin_timestamp"
:
1548633600
,
"dst_zipcode"
:
"20149"
,
"url"
:
"http://aws.amazon.com/"
,
"sv"
:
"unknown"
,
"ccl"
:
"excellent"
,
"alert_name"
:
"user_shared_credentials"
,
"risk_level"
:
"high"
,
"_mladc"
:
[
"ur"
],
"threshold_time"
:
86400
,
"_id"
:
"cadee4a8488b3e139b084134"
,
"os"
:
"iOS 6"
}
]
Script result
The following table lists the value for the script result output when using the List Alertsaction:
| Script result name | Value |
|---|---|
alerts
|
ALERT_LIST
|
List Clients
Use the List Clientsaction to list clients.
This action runs on all Google SecOps entities.
Action inputs
The List Clientsaction requires the following parameters:
| Parameter | Description |
|---|---|
Query
|
Optional
Filters the clients retrieved from the database. |
Limit
|
Optional
Limits the number of clients returned by the action. The default value is |
Use V2 API
|
Optional
If selected, the action uses the Netskope V2 API endpoint instead of V1. This requires valid V2 API credentials. This parameter requires OAuth 2.0 support. Ensure a valid |
Action outputs
The List Clientsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Clientsaction:
[
{
"client_install_time"
:
1532040251
,
"users"
:
[
{
"heartbeat_status_since"
:
1532040385
,
"user_added_time"
:
1532040167
,
"last_event"
:
{
"status"
:
"Enabled"
,
"timestamp"
:
1548578307
,
"event"
:
"Tunnel Up"
,
"actor"
:
"System"
},
"device_classification_status"
:
"Not Configured"
,
"username"
:
"user@example.com"
,
"user_source"
:
"Manual"
,
"userkey"
:
"K00fuSXl8yMIqgdg"
,
"_id"
:
" ID
"
,
"heartbeat_status"
:
"Active"
}],
"last_event"
:
{
"status"
:
"Enabled"
,
"timestamp"
:
1548578307
,
"event"
:
"Tunnel Up"
,
"actor"
:
"System"
},
"host_info"
:
{
"device_model"
:
"VMware Virtual Platform"
,
"os"
:
"Windows"
,
"hostname"
:
" HOSTNAME
"
,
"device_make"
:
"VMware, Inc."
,
"os_version"
:
"10.0"
},
"client_version"
:
"1.1.1.1"
,
"_id"
:
" ID
"
,
"device_id"
:
" DEVICE_ID
"
}
]
Script result
The following table lists the value for the script result output when using the List Clientsaction:
| Script result name | Value |
|---|---|
clients
|
CLIENT_LIST
|
List Events
Use the List Eventsaction to list events.
This action runs on all Google SecOps entities.
Action inputs
The List Eventsaction requires the following parameters:
Query
A query to filter the cloud application events in the events database.
Type
A type of alerts to filter by.
The possible values are as follows:
-
page -
application -
audit -
infrastructure
Time Period
The time period in milliseconds prior to now to search for events.
The possible values are as follows: 3600
, 86400
, 604800
, and 2592000
.
Start Time
A start time to filter events with timestamps greater than the specified Unix epoch time.
Use this parameter only if you
didn't set the Time Period
parameter.
End Time
An end time to filter events with timestamps less than the specified Unix epoch time.
Use this parameter only if you
didn't set the Time Period
parameter.
Limit
The number of the results to return.
The default value is 100
.
Action outputs
The List Eventsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Eventsaction:
{
"dstip"
:
"192.0.2.64"
,
"browser_session_id"
:
1066949788113471080
,
"srcip"
:
"198.51.100.36"
,
"app_session_id"
:
4502249472406092569
,
"os_version"
:
"WindowsServer2016"
,
"dst_region"
:
"Virginia"
,
"numbytes"
:
37480
,
"req_cnt"
:
18
,
"server_bytes"
:
8994
,
"page_id"
:
0
,
"page_duration"
:
867
,
"page_endtime"
:
1548577530
,
"dst_latitude"
:
39.0481
,
"timestamp"
:
1548576663
,
"src_region"
:
"Oregon"
,
"src_location"
:
"Boardman"
,
"ur_normalized"
:
"user@example.com"
,
"appcategory"
:
""
,
"src_latitude"
:
45.8491
,
"count"
:
1
,
"bypass_traffic"
:
"no"
,
"type"
:
"page"
,
"userip"
:
"203.0.113.253"
,
"src_longitude"
:
-119.7143
,
"page"
:
"WebBackground"
,
"browser"
:
""
,
"domain"
:
"WebBackground"
,
"dst_location"
:
"Ashburn"
,
"_insertion_epoch_timestamp"
:
1548577621
,
"site"
:
"WebBackground"
,
"access_method"
:
"Client"
,
"browser_version"
:
""
,
"category"
:
""
,
"client_bytes"
:
28486
,
"user_generated"
:
"no"
,
"hostname"
:
"IP-C0A84AC"
,
"dst_country"
:
"US"
,
"resp_cnt"
:
18
,
"src_zipcode"
:
"97818"
,
"traffic_type"
:
"Web"
,
"http_transaction_count"
:
18
,
"organization_unit"
:
"example.com/Users"
,
"page_starttime"
:
1548576663
,
"dst_longitude"
:
-77.4728
,
"user"
:
"user@example.com"
,
"userkey"
:
"user@example.com"
,
"device"
:
"WindowsDevice"
,
"src_country"
:
"US"
,
"dst_zipcode"
:
"20149"
,
"url"
:
"WebBackground"
,
"sv"
:
""
,
"ccl"
:
"unknown"
,
"useragent"
:
"RestSharp/192.0.2.0"
,
"_id"
:
" ID
"
,
"os"
:
"WindowsServer2016"
}
]
Script result
The following table lists the value for the script result output when using the List Eventsaction:
| Script result name | Value |
|---|---|
events
|
EVENT_LIST
|
List Quarantined Files
Use the List Quarantined Filesaction to list quarantined files.
This action runs on all Google SecOps entities.
Action inputs
The List Quarantined Filesaction requires the following parameters:
| Parameter | Description |
|---|---|
Start Time
|
Optional
A start time to restrict events with the timestamps greater than the value of this parameter in the Unix format. |
End Time
|
Optional
An end time to restrict events with the timestamps less than the value of this parameter in the Unix format. |
Use V2 API
|
Optional
If selected, the action uses the Netskope V2 API endpoint instead of V1. This requires valid V2 API credentials. This parameter requires OAuth 2.0 support. Ensure a valid |
Action outputs
The List Quarantined Filesaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table lists the value for the script result output when using the List Quarantined Filesaction:
| Script result name | Value |
|---|---|
files
|
FILE_LIST
|
Ping
Use the Pingaction to test the connectivity to Netskope.
This action runs on all Google SecOps entities.
Action inputs
None.
Action outputs
The Pingaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table lists the value for the script result output when using the Pingaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Need more help? Get answers from Community members and Google SecOps professionals.

