    API Integration Guide

    Introduction

    This guide is designed to help customers and partners quickly integrate their systems with Netskope One DSPM, whether to retrieve Netskope One DSPM insights, to incorporate their own system’s details into the Netskope One DSPM application, or both.

    Benefits of Integrating with Netskope One DSPM

    Netskope One DSPM is a data security posture management (DSPM) platform that automates data security and governance controls, on-prem and in your cloud, to protect your data throughout its entire journey. We provide visibility, control, and remediation for structured, semi-structured, and unstructured data across cloud and on-prem databases, data lakes, and data warehouses. With Netskope One DSPM, you get robust Data Security Posture Management (DSPM), Data Access Governance (DAG), and Data Detection and Response (DDR), enhancing compliance and audit readiness.

    Problems that Netskope One DSPM can help you solve:

    1. Little to no visibility into data sprawl, increasing the likelihood of data breaches. Netskope One DSPM continuously discovers data stores for complete visibility across cloud, on-prem, and hybrid environments, helping improve data security posture across the organization.
    2. Manual data classification and tagging are time-consuming and error-prone. Netskope One DSPM continuously classifies sensitive data, then programmatically assigns sensitivity levels and business purpose tags and maps them to known regulations.
    3. Sensitive data exposure due to misconfigurations. Netskope One DSPM performs configuration analysis to identify data stores with issues and prevent data exposure.
    4. Challenges in implementing least-privilege access for hundreds of users. Netskope One DSPM performs privilege analysis to detect excess privilege to sensitive data automatically.
    5. Inability to detect risky and privacy-violating data interactions. Netskope One DSPM profiles user behavior based on query analysis to help mitigate risky data interactions at scale and ensure regulatory compliance.
    6. Overwhelming management of many complex data security issues. Netskope One DSPM’s risk scores and advanced policy engine provide workflows to help prioritize and automate remediation.

    Glossary of Netskope One DSPM Terms

    Term Definition

    Infrastructure Connection

    Connection between Netskope One DSPM and a major cloud service provider, such as AWS, GCP, or Azure. This can be either individual accounts (projects / subscriptions) or organizations (tenants)

    Data Store

    Connection to an individual data source, either structured or unstructured. These are typically connected after an auto-discovery process that runs on your Infrastructure Connections.

    Data Tags xxxxx
    Platform User xxxxx
    Authentication Token xxxxx

    Understanding Netskope One DSPM’s Open API

    All available Netskope One DSPM API routes are described within master Swagger UI documentation, which can be accessed on your Netskope console by navigating to Settings > Tools > REST API v2.

    After authentication, the base path for all API resources is:

    https://<TENANTURL>.goskope.com/api/v2/dspm/

    The following diagram illustrates the relationship between data stores and related data (accounts, tags, etc.). Each table is labeled with its corresponding API resource route:

    The Connected Data Stores object, its key fields, and foreign key relationships to related objects

    REST API Tokens

    Netskope REST API tokens are used by external applications to authenticate to Netskope One DSPM’s Open API. The token informs the API that the bearer of the token has been authorized to access the API and perform authorized actions.

    To create a token, please visit the main REST API v2 Overview article. Once the token is generated, have your stakeholder share its value with you, using your preferred method, for use below.

    Because tokens are associated with Netskope Administrators, it is recommended that your stakeholder create them using a dedicated user and with limited scope.

    Authentication

    To use the Netskope One DSPM API, you must first authenticate to it with an authentication token.  Such tokens inform the API that the bearer of the token has been authorized to access the API and perform authorized actions.  

    Include the token in your request header as apikey. For example:

    curl -X 'GET' \
      'https://example.goskope.com/api/v2/dspm/data_stores/discovered?offset=0&limit=20' \
      -H 'accept: application/json' \
      -H 'apikey: cd123456-789d-0123-4567-e8c901234fbb'
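
    The same request built from Python, as an added example that is not Netskope's own client code: the token is passed only in the apikey header, the filter expression is percent-encoded, and pages are walked with offset and limit. The environment variable name, and the assumption that every list route accepts offset and limit and reports total, are not taken from this guide.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_PATH = "/api/v2/dspm/"  # base path stated in this guide


def build_request(tenant_host, route, token, filter_expr=None, offset=0, limit=20):
    """Build an authenticated GET request; the token travels only in the apikey header."""
    if not token:
        raise ValueError("no API token supplied; refusing to build the request")
    params = {"offset": offset, "limit": limit}
    if filter_expr:
        params["filter"] = filter_expr
    # quote (not quote_plus) encodes spaces as %20, as in the guide's filter URLs.
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    url = f"https://{tenant_host}{BASE_PATH}{route.lstrip('/')}?{query}"
    return urllib.request.Request(
        url, headers={"accept": "application/json", "apikey": token}, method="GET")


def http_page_fetcher(tenant_host, route, filter_expr=None):
    """Return fetch_page(offset, limit) bound to a live tenant (not called offline)."""
    token = os.environ.get("NETSKOPE_API_TOKEN", "")  # hypothetical variable name

    def fetch_page(offset, limit):
        req = build_request(tenant_host, route, token, filter_expr, offset, limit)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def fetch_all(fetch_page, list_key="results", limit=20):
    """Walk offset/limit pages until `total` records are collected (assumed paging)."""
    records, offset = [], 0
    while True:
        page = fetch_page(offset, limit)
        batch = page.get(list_key, [])
        records.extend(batch)
        offset += len(batch)
        # Stop on an empty page as well, so a wrong `total` cannot loop forever.
        if not batch or offset >= page.get("total", 0):
            return records


def fake_fetcher(all_rows, list_key="results"):
    """Constructed stand-in for the API so the paging logic runs offline."""
    def fetch_page(offset, limit):
        return {"total": len(all_rows), list_key: all_rows[offset:offset + limit]}
    return fetch_page


if __name__ == "__main__":
    req = build_request("example.goskope.com", "infrastructure_connections",
                        "placeholder-token", "platform_id eq 0")
    print(req.full_url)
    rows = [{"id": i} for i in range(45)]  # constructed records
    print(len(fetch_all(fake_fetcher(rows))))
```

    The data_tags route returns its records under "data_tags" rather than "results", so pass list_key="data_tags" for that route.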

    Retrieving Data From Netskope One DSPM

    Follow these instructions to use Netskope One DSPM’s Open API to pull data defined / generated within Netskope One DSPM for use within your own systems. These instructions are applicable for any CSP and assume you have:

    1. Onboarded at least one Infrastructure Connection (ex: AWS)
    2. Connected at least one Data Store for said Infrastructure Connection (ex: RDS PostgreSQL)

    To learn more about each activity, visit our main Using Netskope DSPM category and select the relevant subject.

    Fetch Infrastructure Connections

    Begin by pulling a list of Infrastructure Connections, whose response will include the following details for each account:

    • Which cloud platform (AWS, GCP, or Azure)
    • The account’s unique identifier in that platform
    • Its parent organization (if any)

    With this information, you can match each account to the corresponding connection in your system and later use the IDs to filter the data stores.

    Action Example
    Get list of all supported platforms

    Request

    GET https://example.goskope.com/api/v2/dspm/infrastructure_connections/platforms

    Response

    {
      "total": 7,
      "results": [
        {
          "id": 0,
          "name": "AWS"
        },
        {
          "id": 1,
          "name": "GCP"
        },
        {
          "id": 2,
          "name": "Azure"
        },
        {
          "id": 3,
          "name": "Heroku"
        },
        {
          "id": 4,
          "name": "Other"
        },
        {
          "id": 5,
          "name": "Snowflake"
        }
      ]
    }

    Get list of Infrastructure Connections filtered by a specific platform (ex: AWS)

    Request

    GET https://example.goskope.com/api/v2/dspm/infrastructure_connections?filter=platform_id%20eq%200

    Response

    {
      "total": 2,
      "results": [
        {
          "id": 1,
          "name": "aws-demo",
          "account_id": "123456789012",
          "auto_discovery_enabled": true,
          "platform_id": 0,
          "organization_id": "567890567890"
        },
        {
          "id": 2,
          "name": "aws-production",
          "account_id": "234567890123",
          "auto_discovery_enabled": true,
          "platform_id": 0,
          "organization_id": "567890567890"
        }    
      ]
    }

    Fetch Connected Data Stores

    Once you know which Infrastructure Connection(s) you wish to inspect, pull a list of their Connected Data Stores. You can retrieve:

    • The entire list
    • A subset filtered by Infrastructure Connection ID (ex: AWS Production)
    • A subset further filtered by database services (ex: PostgreSQL)

    Action Example
    Get list of all supported services

    Request

    GET https://example.goskope.com/api/v2/dspm/data_stores/services

    Response

    {
      "total": 23,
      "results": [
        {
          "id": 5,
          "name": "rdspostgres",
          "display_name": "Postgres",
          "enabled_features": {
            "classification": true,
            "data_in_use_monitoring": false,
            "query_analysis": false,
            "users_and_roles": true,
            "privilege_analysis": false
          }
        },
        {
          "id": 6,
          "name": "microsoftsqlserver",
          "display_name": "SQL Server",
          "enabled_features": {
            "classification": true,
            "data_in_use_monitoring": false,
            "query_analysis": false,
            "users_and_roles": true,
            "privilege_analysis": true
          }
        },
        ...
      ]
    }

    Get list of all Connected Data Stores

    Request

    GET https://example.goskope.com/api/v2/dspm/data_stores/connected

    Response

    {
      "total": 3,
      "results": [
        {
          "id": 1,
          "name": "engineering",
          "infrastructure_connection_id": 1,
          "account_id": "123456789012",
          "endpoint": "postgres-engineering.abcdefghijk1.us-west-2.rds.amazonaws.com:5432/dev",
          "service_id": 5,
          "data_owners": [],
          "region": "us-west-2",
          "data_store_sensitivity_score": 20,
          "data_store_risk_rating": 36,
          "table_count": 11,
          "field_count": 91,
          "sensitive_field_count": 32,
          "sensitive_record_count": 71,
          "data_tags": [],
          "database_count": 1,
          "schema_count": 5,
          "total_query_count": 12766,
          "total_alert_count": 11,
          "misconfiguration_risk_score": 42,
          "publicly_inaccessible": "On",
          "encryption": "Off",
          "backup": "On",
          "over_privileged_risk_score": 65,
          "stale_user_count": 27,
          "data_store_sensitive_data_access_risk_score": 0,
          "users_with_access_to_sensitive_data_count": 28,
          "scan_status": 1
        },
        {
          "id": 2,
          "name": "finance",
          "infrastructure_connection_id": 2,
          "account_id": "23456789012",
          "endpoint": "mysql-db-dev.abcdefghijk1.us-west-2.rds.amazonaws.com:3306",
          "service_id": 4,
          "data_owners": [
            3
          ],
          "region": "us-west-2",
          "data_store_sensitivity_score": 21,
          "data_store_risk_rating": 0,
          "table_count": 0,
          "field_count": 0,
          "sensitive_field_count": 0,
          "sensitive_record_count": 452,
          "data_tags": [],
          "database_count": 0,
          "schema_count": 0,
          "total_query_count": -1,
          "total_alert_count": 1,
          "misconfiguration_risk_score": 0,
          "publicly_inaccessible": "On",
          "encryption": "On",
          "backup": "On",
          "over_privileged_risk_score": -1,
          "stale_user_count": 0,
          "data_store_sensitive_data_access_risk_score": 0,
          "users_with_access_to_sensitive_data_count": 9,
          "scan_status": 1
        },
        {
          "id": 3,
          "name": "production",
          "infrastructure_connection_id": 1,
          "account_id": "123456789012",
          "endpoint": "production.abcdefghijk1.us-west-2.rds.amazonaws.com:5432/prod",
          "service_id": 5,
          "data_owners": [
            3
          ],
          "region": "us-west-2",
          "data_store_sensitivity_score": 20,
          "data_store_risk_rating": -1,
          "table_count": 13,
          "field_count": 70,
          "sensitive_field_count": 22,
          "sensitive_record_count": 813,
          "data_tags": [],
          "database_count": 1,
          "schema_count": 1,
          "total_query_count": 0,
          "total_alert_count": 0,
          "misconfiguration_risk_score": 0,
          "publicly_inaccessible": "On",
          "encryption": "On",
          "backup": "On",
          "over_privileged_risk_score": -1,
          "stale_user_count": 0,
          "data_store_sensitive_data_access_risk_score": 0,
          "users_with_access_to_sensitive_data_count": 0,
          "scan_status": 1
        }
      ]
    }

    Get list of Connected Data Stores filtered by a specific Infrastructure Connection

    Request

    GET https://example.goskope.com/api/v2/dspm/data_stores/connected?filter=infrastructure_connection_id%20eq%201

    Response

    {
      "total": 2,
      "results": [
        {
          "id": 1,
          "name": "engineering",
          "infrastructure_connection_id": 1,
          "account_id": "123456789012",
          "endpoint": "postgres-engineering.abcdefghijk1.us-west-2.rds.amazonaws.com:5432/dev",
          "service_id": 5,
          "data_owners": [],
          "region": "us-west-2",
          "data_store_sensitivity_score": 20,
          "data_store_risk_rating": 36,
          "table_count": 11,
          "field_count": 91,
          "sensitive_field_count": 32,
          "sensitive_record_count": 71,
          "data_tags": [],
          "database_count": 1,
          "schema_count": 5,
          "total_query_count": 12766,
          "total_alert_count": 11,
          "misconfiguration_risk_score": 42,
          "publicly_inaccessible": "On",
          "encryption": "Off",
          "backup": "On",
          "over_privileged_risk_score": 65,
          "stale_user_count": 27,
          "data_store_sensitive_data_access_risk_score": 0,
          "users_with_access_to_sensitive_data_count": 28,
          "scan_status": 1
        },
        {
          "id": 3,
          "name": "production",
          "infrastructure_connection_id": 1,
          "account_id": "123456789012",
          "endpoint": "production.abcdefghijk1.us-west-2.rds.amazonaws.com:5432/prod",
          "service_id": 5,
          "data_owners": [
            3
          ],
          "region": "us-west-2",
          "data_store_sensitivity_score": 20,
          "data_store_risk_rating": -1,
          "table_count": 13,
          "field_count": 70,
          "sensitive_field_count": 22,
          "sensitive_record_count": 813,
          "data_tags": [],
          "database_count": 1,
          "schema_count": 1,
          "total_query_count": 0,
          "total_alert_count": 0,
          "misconfiguration_risk_score": 0,
          "publicly_inaccessible": "On",
          "encryption": "On",
          "backup": "On",
          "over_privileged_risk_score": -1,
          "stale_user_count": 0,
          "data_store_sensitive_data_access_risk_score": 0,
          "users_with_access_to_sensitive_data_count": 0,
          "scan_status": 1
        }
      ]
    }

    Get list of Connected Data Stores filtered by both a specific Infrastructure Connection and service

    Request

    GET https://example.goskope.com/api/v2/dspm/data_stores/connected?filter=infrastructure_connection_id%20eq%202&&service_id%20eq%204

    Response

    {
      "total": 1,
      "results": [
        {
          "id": 2,
          "name": "finance",
          "infrastructure_connection_id": 2,
          "account_id": "23456789012",
          "endpoint": "mysql-db-dev.abcdefghijk1.us-west-2.rds.amazonaws.com:3306",
          "service_id": 4,
          "data_owners": [
            3
          ],
          "region": "us-west-2",
          "data_store_sensitivity_score": 21,
          "data_store_risk_rating": 0,
          "table_count": 0,
          "field_count": 0,
          "sensitive_field_count": 0,
          "sensitive_record_count": 452,
          "data_tags": [],
          "database_count": 0,
          "schema_count": 0,
          "total_query_count": -1,
          "total_alert_count": 1,
          "misconfiguration_risk_score": 0,
          "publicly_inaccessible": "On",
          "encryption": "On",
          "backup": "On",
          "over_privileged_risk_score": -1,
          "stale_user_count": 0,
          "data_store_sensitive_data_access_risk_score": 0,
          "users_with_access_to_sensitive_data_count": 9,
          "scan_status": 1
        }
      ]
    } 

    Many different values are available for Connected Data Stores, but those of the most value to external systems include:

    • endpoint: the unique remote identifier for the cloud data set, which you can use to correlate Netskope One DSPM Data Stores with your own system’s data set connections
    • data_tags: array of Netskope One DSPM Data Tag IDs, if any are assigned.  See below to learn how to retrieve details for each
    • data_store_sensitivity_score: xxxxx
    • data_store_risk_rating: xxxxx
    • data_store_sensitive_data_access_risk_score: xxxxx

    Fetch Data Store Tags

    Often, Data Stores will be tagged with one or more Data Tags.  Each Data Tag participates in a single Data Tag Category, which may be information useful to your system.  

    Traditionally, Data Tags and Data Tag Categories don’t change as often as Connected Data Store information, so you may not need to retrieve this kind of data as often.

    Follow these steps to pull details for each Data Tag ID:

    Action Example
    Get list of all Data Tags

    Request

    GET https://example.goskope.com/api/v2/dspm/data_tags

    Response

    {
      "total": 6,
      "data_tags": [
        {
          "id": 1000004,
          "name": "GDPR",
          "description": "GDPR-protected data",
          "category_id": 3,
          "color": "#e3d9ff",
          "is_enabled": true
        },
        {
          "id": 1000005,
          "name": "CCPA",
          "description": "CCPA-protected data",
          "category_id": 3,
          "color": "#bfa3cb",
          "is_enabled": true
        },
        {
          "id": 1000006,
          "name": "PCI",
          "description": "Payment card data",
          "category_id": 3,
          "color": "#d4d4d4",
          "is_enabled": true
        },
        {
          "id": 1000007,
          "name": "PII",
          "description": "Personally identifiable information",
          "category_id": 5,
          "color": "#ffd0f4",
          "is_enabled": true
        },
        {
          "id": 1000008,
          "name": "SOX",
          "description": "Data regulated by the Sarbanes-Oxley Act",
          "category_id": 3,
          "color": "#c2d9bf",
          "is_enabled": true
        },
        {
          "id": 1000009,
          "name": "HIPAA",
          "description": "Healthcare data",
          "category_id": 3,
          "color": "#aabcc8",
          "is_enabled": true
        }
      ]
    }

    Get details for specific Data Tag IDs

    Request

    GET https://example.goskope.com/api/v2/dspm/data_tags?filter=id%20eq%201000004||id%20eq%201000005

    Response

    {
      "total": 2,
      "data_tags": [
        {
          "id": 1000004,
          "name": "GDPR",
          "description": "GDPR-protected data",
          "category_id": 3,
          "color": "#e3d9ff",
          "is_enabled": true
        },
        {
          "id": 1000005,
          "name": "CCPA",
          "description": "CCPA-protected data",
          "category_id": 3,
          "color": "#bfa3cb",
          "is_enabled": true
        }
      ]
    }
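
    Joining the three kinds of response above into a per-store posture report, as an added example that is not part of Netskope's documentation. The sample records are trimmed from this guide's responses with constructed data_tags values; the threshold of 50 and the reading of a score of -1 as "not scored" are assumptions, since the guide does not define them.

```python
# Constructed sample data, trimmed from the responses shown in this guide. The
# data_tags values on stores 1 and 3 are constructed so the tag join has work to do.
CONNECTIONS = [
    {"id": 1, "name": "aws-demo", "account_id": "123456789012"},
    {"id": 2, "name": "aws-production", "account_id": "234567890123"},
]
DATA_TAGS = [
    {"id": 1000004, "name": "GDPR", "is_enabled": True},
    {"id": 1000007, "name": "PII", "is_enabled": True},
]
STORES = [
    {"id": 1, "name": "engineering", "infrastructure_connection_id": 1,
     "encryption": "Off", "backup": "On", "publicly_inaccessible": "On",
     "sensitive_record_count": 71, "over_privileged_risk_score": 65,
     "stale_user_count": 27, "data_tags": [1000007]},
    {"id": 2, "name": "finance", "infrastructure_connection_id": 2,
     "encryption": "On", "backup": "On", "publicly_inaccessible": "On",
     "sensitive_record_count": 452, "over_privileged_risk_score": -1,
     "stale_user_count": 0, "data_tags": []},
    {"id": 3, "name": "production", "infrastructure_connection_id": 1,
     "encryption": "On", "backup": "On", "publicly_inaccessible": "On",
     "sensitive_record_count": 813, "over_privileged_risk_score": -1,
     "stale_user_count": 0, "data_tags": [1000004, 1000009]},
]


def triage(stores, connections, tags, priv_threshold=50):
    """Join stores to connection and tag names and list posture findings per store."""
    conn_names = {c["id"]: c["name"] for c in connections}
    tag_names = {t["id"]: t["name"] for t in tags}
    report = []
    for s in stores:
        findings = []
        sensitive = s.get("sensitive_record_count", 0) > 0
        if s.get("encryption") != "On" and sensitive:
            findings.append("sensitive records stored without encryption")
        # "On" is read here as "the control passes" (the store is not public).
        if s.get("publicly_inaccessible") != "On":
            findings.append("store is publicly accessible")
        if s.get("backup") != "On":
            findings.append("backup is off")
        priv = s.get("over_privileged_risk_score", -1)
        if priv < 0:
            findings.append("privilege risk not scored")  # assumed meaning of -1
        elif priv >= priv_threshold:
            findings.append(f"over-privileged risk score {priv}")
        if s.get("stale_user_count", 0) > 0:
            findings.append(f"{s['stale_user_count']} stale users")
        # Unresolved ids mean the cached tag list is out of date: surface, don't drop.
        labels = [tag_names.get(t, f"unknown tag {t}") for t in s.get("data_tags", [])]
        report.append({
            "store": s["name"],
            "connection": conn_names.get(s["infrastructure_connection_id"], "unknown"),
            "tags": labels,
            "findings": findings,
        })
    # Most findings first; the name breaks ties so the order is stable.
    return sorted(report, key=lambda r: (-len(r["findings"]), r["store"]))


if __name__ == "__main__":
    for row in triage(STORES, CONNECTIONS, DATA_TAGS):
        print(row["store"], row["connection"], row["tags"], row["findings"])
```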

    Augmenting Netskope One DSPM with Your Data

    In turn, you can use Netskope One DSPM’s Open API to supply Netskope One DSPM with Data Tags that represent information from your own systems.  

    For example, if your system was responsible for backing up data sets, you could tag Netskope One DSPM’s Connected Data Stores to show which aren’t enrolled in backup protection.  In turn, Netskope One DSPM’s policy engine could take action on such Data Tags to drive outcomes, such as creating ServiceNow tickets to remedy such scenarios.

    Create Data Tags in the Data Tag Catalog

    Before you can tag a Connected Data Store, you must first make the Data Tag available in the Data Tag Catalog. You might also create a custom Data Tag Category, so your custom Data Tags are collected together and easily identifiable throughout the system.

    Follow these steps to create and update your custom Data Tags:

    Once a Data Tag has been added to the Data Tag Catalog, it is recommended to never delete it, as doing so also removes the Data Tag from any associated record (including but not limited to Connected Data Stores).

     
    Action Example
    Create new Data Tag Category

    Request

    POST https://example.goskope.com/api/v2/dspm/data_tag_categories

    {
      "name": "Remote System",
      "description": "External tags defined in remote system",
      "is_system_created": false,
      "is_enabled": true
    }

    Response

    {
      "id": 6,
      "name": "Remote System",
      "description": "External tags defined in remote system",
      "is_system_created": false,
      "is_enabled": true
    }

    Create new Data Tag

    Request

    POST https://example.goskope.com/api/v2/dspm/data_tags

    {
      "name": "Unprotected",
      "description": "Data store is not currently-protected within remote system",
      "category_id": 6,
      "color": "#e3d9ff",
      "is_enabled": true
    }

    Response

    {
      "id": 11,
      "name": "Unprotected",
      "description": "Data store is not currently-protected within remote system",
      "category_id": 6,
      "color": "#e3d9ff",
      "is_enabled": true
    }

    Get list of all Data Tags for a specific Data Tag Category

    Request

    GET https://example.goskope.com/api/v2/dspm/data_tags?filter=category_id%20eq%206 

    Response

    {
      "total": 1,
      "data_tags": [
        {
          "id": 11,
          "name": "Unprotected",
          "description": "Data store is not currently-protected within remote system",
          "category_id": 6,
          "color": "#e3d9ff",
          "is_enabled": true
        }
      ]
    }

    Update existing Data Tag

    Request:

    PUT https://example.goskope.com/api/v2/dspm/data_tags

    {
      "id": 11,
      "name": "Unprotected",
      "description": "Deprecated category",
      "category_id": 6,
      "color": "#e3d9ff",
      "is_enabled": false
    }

    Response

    {
      "id": 11,
      "name": "Unprotected",
      "description": "Deprecated category",
      "category_id": 6,
      "color": "#e3d9ff",
      "is_enabled": false
    }

    Delete existing Data Tag

    Request:

    DELETE https://example.goskope.com/api/v2/dspm/data_tags/11

    Response

    11

    Add Data Tags to Connected Data Stores

    Once your custom Data Tags are available in Netskope One DSPM, you can tag your Connected Data Stores:

    Action Example
    Associate specific Data Tags to Connected Data Store

    Request

    PUT https://example.goskope.com/api/v2/dspm/connected_data_stores

    {
      "id": 3,
      "name": "Production DB",
      "endpoint": "production.abcdefghijk1.us-west-2.rds.amazonaws.com:5432/prod",
      "service_id": 5,
      "data_tags": [
        11
      ]
    }

    Response

    19
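
    The backup scenario described under "Augmenting Netskope One DSPM with Your Data", as an added example that is not Netskope's own code: it compares Connected Data Stores with a list of endpoints your backup system protects and produces PUT bodies, in the shape shown above, only for stores whose "Unprotected" tag must be added or removed. The protected-endpoint export is hypothetical, and the example assumes the PUT replaces a store's data_tags array, so existing tags are merged rather than overwritten.

```python
UNPROTECTED_TAG_ID = 11  # id returned by the guide's "Create new Data Tag" example


def normalize_endpoint(endpoint):
    """Lower-case only the host part; database names after it may be case-sensitive."""
    host, sep, rest = endpoint.strip().partition(":")
    return host.lower() + sep + rest


def plan_tag_updates(stores, protected_endpoints, tag_id=UNPROTECTED_TAG_ID):
    """Return PUT bodies for the stores whose tag list has to change, and no others."""
    protected = {normalize_endpoint(e) for e in protected_endpoints}
    updates = []
    for store in stores:
        current = list(store.get("data_tags", []))
        needs_tag = normalize_endpoint(store["endpoint"]) not in protected
        if needs_tag == (tag_id in current):
            continue  # already in the desired state: keeps the job idempotent
        if needs_tag:
            desired = current + [tag_id]
        else:
            desired = [t for t in current if t != tag_id]
        # Send the full merged list: this sketch assumes the PUT replaces data_tags.
        updates.append({
            "id": store["id"],
            "name": store["name"],
            "endpoint": store["endpoint"],
            "service_id": store["service_id"],
            "data_tags": desired,
        })
    return updates


# Constructed inputs: store records shaped like the guide's responses, plus a
# hypothetical export of endpoints that the backup system already protects.
SAMPLE_STORES = [
    {"id": 1, "name": "engineering", "service_id": 5, "data_tags": [],
     "endpoint": "postgres-engineering.abcdefghijk1.us-west-2.rds.amazonaws.com:5432/dev"},
    {"id": 2, "name": "finance", "service_id": 4, "data_tags": [1000008, 11],
     "endpoint": "mysql-db-dev.abcdefghijk1.us-west-2.rds.amazonaws.com:3306"},
    {"id": 3, "name": "production", "service_id": 5, "data_tags": [1000004],
     "endpoint": "production.abcdefghijk1.us-west-2.rds.amazonaws.com:5432/prod"},
]
PROTECTED = [
    "MySQL-DB-Dev.abcdefghijk1.us-west-2.rds.amazonaws.com:3306",
    "production.abcdefghijk1.us-west-2.rds.amazonaws.com:5432/prod",
]

if __name__ == "__main__":
    import json
    print(json.dumps(plan_tag_updates(SAMPLE_STORES, PROTECTED), indent=2))
```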
