Hi All, I am looking for getting alerts from the Netskope tenant. So far I am seeing 2 API endpoints which gives me similar results. https://docs.netskope.com/en/get-alerts-data.html https://docs.netskope.com/en/view-security-assessment-violations.htmlCan someone please help me understand the difference between them? And when should I use which endpoints? I am very new here, let me know if I started the discussion at the wrong place. thanks!

So far I have gathered the following details. Please feel free to add more if I missed something. Alerts Security AssessmentIt is a generic endpoint providing alerts for multiple categoriesThe security assessment is just one category of alertIt provides historical data. that means you can even get the alerts that were generated in past. It provides the alerts which are currently open. Only the last snapshot instead of historical. For Security assessment alerts, there's no way to check if the alert is resolved or not. The status parameter can tell if the rule is passed or not in the present time. start-time & end-time parameters are required to get the historical data. It will only provide the latest data. Since the alert endpoint is used for many categories, it provides much more details in the response. Only the details specific to the security alert are provided. but so far, it does the job. For filtering, only the "query" request param is available.For filtering, multiple params are available. But so far, both ways are equally good.

What is the difference between Alert and Security_assessment endpoints in API?

Hi All,

I am looking for getting alerts from the Netskope tenant. So far I am seeing 2 API endpoints which gives me similar results.

Can someone please help me understand the difference between them? And when should I use which endpoints?

I am very new here, let me know if I started the discussion at the wrong place. thanks!

Page 1 / 1

@nking @ekorhonen @jhwong would any of you be able to provide some insight into the 2 API endpoints and when a user should use them?

So far I have gathered the following details. Please feel free to add more if I missed something.

Alerts	Security Assessment
It is a generic endpoint providing alerts for multiple categories	The security assessment is just one category of alert
It provides historical data. that means you can even get the alerts that were generated in past.	It provides the alerts which are currently open. Only the last snapshot instead of historical.
For Security assessment alerts, there's no way to check if the alert is resolved or not.	The status parameter can tell if the rule is passed or not in the present time.
start-time & end-time parameters are required to get the historical data.	It will only provide the latest data.
Since the alert endpoint is used for many categories, it provides much more details in the response.	Only the details specific to the security alert are provided. but so far, it does the job.
For filtering, only the "query" request param is available.	For filtering, multiple params are available. But so far, both ways are equally good.

That looks correct to me. A useful way to think the security-assessment endpoint vs. the alerts endpoint is to see the first one as an alias for a subset of the latter with some useful additional filter shortcuts built in.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded