Netskope Logo

MCP Server Technical Guide

Comprehensive User Documentation

Hosted at https://mcp-preview.goskope.com/ | Version 3.0

Documentation
v3.0
Updated: November 2025

Test Evaluation Agreement Required

IMPORTANT NOTICE

This MCP server is an experimental test service provided under a signed "Test Evaluation Agreement" between your organization and Netskope, Inc.

The service is subject to the following key terms:

  • Experimental Services: The Test Services are in development, have not been commercially released, and may contain errors or defects
  • Evaluation Period: Services are provided for testing and evaluation purposes only during the agreed Evaluation Period
  • Feedback Obligation: Company agrees to provide feedback, suggestions, and testing results to Netskope
  • No Production Use: Test Services are not intended for production use and should not be deployed in live production environments
  • No Warranties: Services are provided "AS IS" without any warranties, express or implied
  • Confidentiality: All Development Materials and test results are Netskope confidential information

DO NOT USE THIS SERVICE WITHOUT A SIGNED AGREEMENT

Unauthorized use of this experimental MCP server is prohibited. If you have not signed a Test Evaluation Agreement with Netskope, please contact your Netskope representative or email support@netskope.com before proceeding.

ACCESS CODE REQUIRED

Your unique access code will be provided by Netskope once you have a signed agreement.

Evaluation Services: Cloud security services and software for testing purposes

Governed by: Master Subscription Agreement and Test Evaluation Agreement terms

Overview

What is the Netskope MCP Server?

The Netskope MCP Server is an experimental bridge that connects AI assistants to your Netskope tenant using the Model Context Protocol (MCP). It provides 70+ tools and 8 specialized prompts for security operations, incident investigation, policy management, and comprehensive reporting.

Built with FastMCP, this server enables natural language interactions with Netskope APIs, allowing security teams to perform complex queries, generate executive reports, investigate incidents, and manage policies through conversational AI.

Key Capabilities

  • Security Investigations: Search alerts, incidents, and application events with JQL queries
  • DLP Analysis: Forensic investigation with metadata, content extraction, and risk assessment
  • Policy Management: Create/update URL lists, tags, and deploy policy changes
  • User & Identity: User-group membership queries, SCIM user/group provisioning
  • IPsec VPN Management: Create, monitor, and manage IPsec tunnels to Netskope POPs
  • DNS Security: Manage DNS profiles, inheritance groups, and deploy DNS security policies
  • Executive Reporting: Generate HTML reports with interactive visualizations

Architecture Overview

graph LR A[AI Client
Claude/Cursor/Cline] -->|MCP Protocol| B["MCP Server
/tenant-id/code/mcp"] B -->|Bearer Token Auth| C[Netskope APIs] C --> D[Events API
Alerts/Incidents] C --> E[Policy API
URL Lists] C --> F[Services API
CCI/Tags] C --> G[Users API
User Mgmt + SCIM] C --> N[IPsec API
VPN Tunnels] C --> O[DNS Security API
DNS Profiles] C --> P[DEM API
Experience Monitoring] B --> H[77+ Tools] B --> I[7 Prompts] H --> J[JQL Helpers] H --> K[Search Tools] I --> L[Security Reports] I --> M[Analysis Workflows]

Total Tools

80

Prompts

7

Event Types

6

API Categories

7

Getting Started

Prerequisites

  • Netskope Tenant URL: Your organization's Netskope tenant (e.g., https://mytenant.goskope.com)
  • API Bearer Token: Generated from Netskope admin settings with appropriate permissions
  • MCP-Compatible Client: Claude Desktop, Claude Code, Cursor, Cline, GitHub Copilot, etc.

Understanding Tenant URL Mapping

The MCP server supports both standard 3-level and multi-region 4-level FQDN tenants using path-based routing:

Standard 3-Level FQDN:

Tenant: mytenant.goskope.com

Use in URL: /mytenant/{access_code}/mcp

Multi-Region 4-Level FQDN:

Tenant: eurocorp.eu.goskope.com

Use in URL: /eurocorp_eu/mcp (replace dot with underscore)

Tenant: plm-sspm.de.goskope.com

Use in URL: /plm-sspm_de/{access_code}/mcp

Tip: For multi-region tenants, replace the dot between subdomain levels with an underscore in the URL path.

Quick Start: Claude Code (Recommended)

Step 1: Add the MCP Server

claude mcp add \
  --transport http \
  --scope user \
  netskope \
  https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp \
  --header "Authorization: Bearer ${NETSKOPE_API_TOKEN}"

Note: Replace both placeholders:

  • {tenant_url}: Your tenant urlentifier
    • Standard: mytenant.goskope.com → use mytenant
    • Multi-region: eurocorp.eu.goskope.com → use eurocorp_eu
  • {access_code}: 6-character security code provided by your Netskope representative

Step 2: Set Environment Variable

export NETSKOPE_API_TOKEN="YOUR_API_TOKEN_HERE"

Step 3: Verify Installation

claude mcp list

You should see netskope listed as a connected server.

Step 4: Start Using

claude code

Claude Code will automatically discover Netskope tools and prompts. Try asking: "Show me security alerts from the last 7 days"

Installation for Other Clients

Claude Desktop

Edit configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "netskope": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
        "--header",
        "Authorization:Bearer {NETSKOPE_API_TOKEN}"
      ],
    }
  }
}

Important: Replace {tenant_url} and {access_code} with your values. The access code is provided by your Netskope representative.

npm is needed to install and run the mcp-remote command.

Windows: Use the path to npx without spaces, e.g., "C:/PROGRA~1/nodejs/npx.cmd" instead of "npx" for the command value.

Restart Claude Desktop after saving.

Cursor IDE

Navigate to: Settings → MCP Tools → Add Custom MCP

Or edit manually:

~/.cursor/mcp.json or .cursor/mcp.json (project-specific)

{
  "mcpServers": {
    "netskope": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
        "--header",
        "Authorization:Bearer ${NETSKOPE_API_TOKEN}"
      ],
      "env": {
        "NETSKOPE_API_TOKEN": "YOUR_API_TOKEN_HERE"
      }
    }
  }
}

Important: Replace {tenant_url} and {access_code} with your values. The access code is provided by your Netskope representative.

Restart Cursor after saving. Tools appear in Composer Agent mode.

VS Code with Cline

Install Cline extension, then configure MCP:

Click Cline icon → MCP Servers → Configure MCP Servers

Option A: Using SSE Transport (Remote HTTP)

{
  "mcpServers": {
    "netskope": {
      "url": "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_TOKEN_HERE"
      },
      "alwaysAllow": [],
      "disabled": false
    }
  }
}

Option B: Using mcp-remote Proxy (STDIO)

{
  "mcpServers": {
    "netskope": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
        "--header",
        "Authorization:Bearer ${NETSKOPE_API_TOKEN}"
      ],
      "env": {
        "NETSKOPE_API_TOKEN": "YOUR_API_TOKEN_HERE"
      },
      "alwaysAllow": [],
      "disabled": false
    }
  }
}

Important: Replace {tenant_url} and {access_code} with your values. The access code is provided by your Netskope representative.

Restart VS Code after saving.

Gemini CLI

Edit configuration file:

~/.gemini/settings.json

{
  "selectedAuthType": "gemini-api-key",
  "theme": "Dracula",
  "mcpServers": {
    "netskope": {
      "httpUrl": "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_TOKEN_HERE"
      }
    }
  }
}

Important: Replace {tenant_url} and {access_code} with your values. The access code is provided by your Netskope representative.

Preserve any existing settings like selectedAuthType and theme in your configuration file.

The Gemini CLI will automatically load the MCP server on next startup.

Access Code Required

Starting with this version, all MCP server URLs require a 6-character access code in the path:

https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp

To obtain your access code: Contact your Netskope representative. The access code is a unique security code tied to your tenant url.

This additional security layer prevents unauthorized access to tenant-specific APIs. Invalid access codes will result in 403 Forbidden errors.

Security Note

Always use environment variables for API tokens in production. Never commit credentials to version control. The MCP server logs tenant url and redacted tokens (first 4 + last 4 characters) for audit purposes.

Available Tools (70+)

The MCP server provides 70+ tools organized into 8 categories for comprehensive Netskope tenant management, device telemetry, and documentation search.

JQL Helper Tools

6 tools for query construction and field discovery

6 Tools
Tool Name Purpose Key Parameters
get_field_details Retrieve detailed information for specific fields from event type schema field_names, event_type
get_all_fields Get complete list of queryable fields for an event type event_type
get_sample_queries View example JQL queries with proper syntax patterns None
get_query_guidelines Comprehensive JQL syntax rules and best practices None
get_current_time_in_UTC_format Get current UTC time for time-based queries None
utc_to_unix_timestamp_tool Convert UTC datetime to Unix timestamp utc_time_str

Best Practice

Always use get_field_details() before constructing complex queries to ensure field names are valid and understand supported operators.

Events API Tools

13 tools for searching and exporting event data

13 Tools
Tool Name Purpose Event Type
search_audit_events Search administrative audit events (config changes, admin actions) audit
search_alert_events Search security alerts (DLP, policy, UBA, malware, malsite) alert
search_application_events Search SaaS application usage events application
search_incident_events Search DLP incidents using JQL queries incident
search_network_events Search web traffic and network activity network
search_page_events Search detailed web page events (referer, navigation) page
search_clientstatus_events Search Netskope client agent status clientstatus
search_epdlp_events Search Endpoint DLP events (USB, file operations) epdlp
export_incident_events Bulk export incident data for reporting incident
export_infrastructure_events Export infrastructure system events infrastructure
get_transaction_event_metrics Retrieve aggregated transaction metrics transaction
get_transaction_events_token Get access token for transaction events API transaction

Performance Tips

  • Keep limit low (10-20) for raw event queries to avoid timeout
  • Use aggregations (groupbys) instead of raw events for analysis
  • Narrow time ranges with starttime/endtime for better performance
  • Field names are case-sensitive in JQL queries

Incidents API Tools

5 tools for incident management and user risk analysis

5 Tools
Tool Name Purpose Use Case
get_user_uci_impact Retrieve User Confidence Index (UCI) time series User risk scoring (0-1000 scale)
update_incident_status Update incident attributes (status, assignee, severity) Incident workflow management
get_dlp_incident_forensics Retrieve detailed forensics for DLP incident Investigation: file metadata, DLP matches, content preview
get_uba_user_data Retrieve UBA UCI time series (identical to get_user_uci_impact) Behavioral analytics, anomaly detection
get_uba_anomalies Retrieve UBA anomalies with LLM-optimized summary mode Insider threat investigation, compromised credential analysis

Important Notes

  • UCI scores range from 0-1000 (not 0-100)
  • Use dlp_incident_id field (NOT regular incident_id) for forensics
  • update_incident_status() requires old_value for validation
  • get_uba_anomalies() returns aggregated summary by default (~96% token reduction). Use summary=False for raw results

Services API Tools

9 tools for app risk assessment and infrastructure

9 Tools
Tool Name Purpose Key Parameters
get_cci_app_info Retrieve Cloud Confidence Index (CCI) info for applications app, category, ccl, tag, limit
create_tag Create tag for categorizing applications tag_name, apps (list)
list_tags List tags or get all app metadata apps, ids, appmetadata
get_tag Get applications associated with specific tag tag
update_tag Update tag (add/remove apps or rename) tag_name, apps, action, new_name
delete_tag Delete an existing tag tag_name
list_publishers List infrastructure publishers/connectors filter, limit
get_publisher_info Get details of specific publisher publisher_id

Use Case Highlight

Use get_cci_app_info() to assess application risk before creating policies. Tags help organize apps into custom categories for policy groupings.

Policy API Tools

6 tools for URL list and policy management

6 Tools
Tool Name Purpose Required Parameters
create_url_list Create new URL list for policies name, urls (list), list_type
deploy_policy Deploy pending policy changes None
list_url_lists List URL lists with pagination limit, offset
get_url_list Get specific URL list details list_id
update_url_list Update URL list (append or remove URLs) list_id, action, urls (list)
delete_url_list Delete URL list list_id

Critical Workflow

After creating or updating URL lists, you MUST call deploy_policy() to activate changes. Changes remain in "pending" status until deployed.

Users API Tools

9 tools for user-group membership queries and SCIM provisioning

9 Tools

User Management API (Query & Membership)

Tool Name Purpose API
query_user_groups Query groups with member counts, provisioner info, and metadata User Mgmt
query_users Query users with group membership data (parentGroups) User Mgmt
get_group_members Get all users belonging to a specific group User Mgmt

SCIM CRUD (Create, Update, Delete)

Tool Name Purpose API
create_scim_user Provision new user via SCIM SCIM 2.0
update_scim_user Update user attributes via SCIM PATCH SCIM 2.0
delete_scim_user Deprovision user SCIM 2.0
create_scim_group Create new organizational group SCIM 2.0
update_scim_group Update group attributes/members SCIM 2.0
delete_scim_group Delete group SCIM 2.0

User Management API vs SCIM

The User Management API tools (query_users, query_user_groups, get_group_members) use /api/v2/users/ endpoints and return richer data including group membership (parentGroups) and member counts (userCount). Use JSON filter dicts (e.g., {"and": [{"emails": {"eq": "user@example.com"}}]}).

The SCIM tools use /api/v2/scim/ endpoints for create/update/delete operations. SCIM CRUD tools require scimId (UUID), obtainable from query_users or query_user_groups responses.

Documentation Search Tools

1 tool for searching official Netskope documentation

1 Tool
Tool Name Purpose Use Cases
search_netskope_documentation Search official Netskope documentation for product information, configuration guides, and troubleshooting Feature lookup, best practices, release notes, API reference

Common Queries:

  • Golden Release Information: Search for "golden release" to find current recommended client versions
  • Configuration Help: Search for "configure SSL decryption" or "steering policy setup"
  • Feature Documentation: Search for "DLP policy", "private access", "cloud firewall"
  • Troubleshooting: Search for "client connection issues" or error messages
  • API Reference: Search for "API authentication" or specific endpoint documentation
  • Version Information: Search for "release 132.0.0 features" or specific version notes

How It Works

The top search result includes complete page content for comprehensive information, while additional results provide relevant excerpts. This tool searches the public Netskope Knowledge Portal at docs.netskope.com and requires no additional credentials.

Note

This tool searches public documentation only, not your tenant-specific configuration. For tenant-specific queries, use the Events, Services, Policy, or Users API tools.

IPsec API Tools

5 tools for IPsec VPN tunnel management

5 Tools
Tool Name Purpose Key Parameters
list_ipsec_pops List available Points of Presence (POPs) with location, encryption capabilities, and bandwidth options name, region, country, limit, offset
list_ipsec_tunnels List all configured IPsec tunnels with status and POP connections status, site, pop, limit, offset
create_ipsec_tunnel Create a new IPsec VPN tunnel to Netskope POPs site, pops, psk, srcidentity, bandwidth, encryption
modify_ipsec_tunnel Update existing tunnel configuration (partial updates supported) tunnel_id, + optional: site, pops, bandwidth, encryption, enable
delete_ipsec_tunnel Delete an IPsec tunnel configuration tunnel_id

Typical Workflow:

  1. Discover POPs: Use list_ipsec_pops() to find available POPs by region or country
  2. Create Tunnel: Use create_ipsec_tunnel() with selected POPs, PSK, and encryption settings
  3. Monitor Status: Use list_ipsec_tunnels() to check tunnel connectivity
  4. Update Settings: Use modify_ipsec_tunnel() to change bandwidth or encryption

Valid Parameter Values:

  • Encryption: AES128-CBC, AES192-CBC, AES256-CBC, AES128-GCM, AES256-GCM
  • Bandwidth (Mbps): 50, 100, 150, 200, 250, 1000
  • POPs: 109+ globally (e.g., ord1, ord2, ams1, atl1, lhr1)

Best Practices

Select 2 POPs for redundancy (primary and backup). Choose POPs geographically close to your site for lower latency. Use list_ipsec_pops(country="US") to find the closest POPs to a specific country.

Important

Tunnel IDs are integers returned by list_ipsec_tunnels(). Use the numeric ID (not the site name) when calling modify_ipsec_tunnel() or delete_ipsec_tunnel(). Deletion is permanent and cannot be undone.

DNS Security API Tools

15 tools for DNS profile, inheritance group, and configuration management

15 Tools

DNS Profile Tools (6)

Tool Name Purpose Key Parameters
get_dns_profiles List DNS Security profiles with filtering and pagination filter, limit, offset, fields, sortby, sortorder
get_dns_profile Get detailed DNS profile configuration by ID id, filter, fields
create_dns_profile Create a new DNS Security profile name
update_dns_profile Update DNS profile configuration (domain rules, tunneling, custom DNS) id, name, description, log_traffic, domain_config, tunnel_config, custom_config, inheritance_groups
delete_dns_profile Delete a DNS Security profile by ID id
deploy_dns_profiles Deploy pending DNS profile changes all, ids, change_note

DNS Inheritance Group Tools (6)

Tool Name Purpose Key Parameters
get_dns_inheritance_groups List DNS inheritance groups with filtering and pagination filter, limit, offset, fields, sortby, sortorder
get_dns_inheritance_group Get specific DNS inheritance group by ID id, fields
create_dns_inheritance_group Create a new DNS inheritance group name, interactive
update_dns_inheritance_group Update inheritance group configuration and DNS profile assignments id, name, description, dns_profiles, interactive
delete_dns_inheritance_group Delete a DNS inheritance group by ID id, interactive
deploy_dns_inheritance_groups Deploy pending inheritance group changes (max 16 groups per call) all, ids, change_note

DNS Configuration Tools (3)

Tool Name Purpose Key Parameters
get_dns_tunnels List DNS tunnel configurations for tunneling detection filter, limit, offset, fields, sortby, sortorder
get_dns_domain_categories Retrieve DNS domain categories (Security & Business) filter, limit, offset, fields, sortby, sortorder
get_dns_record_types Retrieve supported DNS record types for filtering filter, limit, offset, fields, sortby, sortorder

Typical Workflow:

  1. Discover Options: Use get_dns_domain_categories() and get_dns_record_types() to see available filtering options
  2. List Profiles: Use get_dns_profiles() to view existing DNS security configurations
  3. Create Profile: Use create_dns_profile(name="Production DNS") to create a new profile
  4. Configure Rules: Use update_dns_profile() to set domain allow/block lists, tunneling detection, and custom DNS
  5. Review Tunnels: Use get_dns_tunnels() to audit DNS tunnel detection configurations
  6. Assign to Groups: Use update_dns_inheritance_group() to assign profiles to organizational groups
  7. Deploy Changes: Use deploy_dns_profiles() or deploy_dns_inheritance_groups() to activate

Filter Syntax:

  • Operators: eq (equals), sw (starts with), in (multiple values), co (contains)
  • Example: filter='name sw "Production" and status eq "active"'
  • Attributes: id, name, status, description, inheritance_groups, dns_profiles, category_type (for domain categories)

Best Practices

Use interactive=True when making changes to stage them for review before deployment. Always include a change_note when deploying for audit trail purposes. Test DNS profile changes in a non-production group before deploying to production.

Important

DNS profile changes can affect network connectivity. Verify domain allow/block lists carefully before deployment. When deploying inheritance groups, a maximum of 16 group IDs can be deployed per call. Deletion operations are permanent.

DEM (Digital Experience Monitoring) Tool

1 multi-action tool with 9 operations for user experience monitoring, metrics, and alerts

1 Tool / 9 Actions

Available Actions (9)

Action Purpose Key Parameters
query_metrics Query RUM, traceroute, HTTP, UX score metrics from 17 data sources data_source (required), select, groupby, where, orderby, begin, end, limit
query_entities List users with experience scores, devices, and locations starttime, endtime (required), user, application, device_os, exp_score, limit
query_states Query agent and device connection states data_source (required), select, begin, end, groupby, where, limit
query_traceroute Get network path graph data (hop-by-hop analysis) data_source (required), select, begin, end, groupby, where, limit
get_field_definitions Discover available fields and data sources for querying data_source (optional filter)
search_alerts Search DEM alerts by category, type, and severity alert_category, alert_type, severity, limit, offset, sortby
get_alert Get full details for a specific DEM alert alert_id (required)
get_alert_entities Get users and devices impacted by an alert alert_id (required), limit, offset, sortby, sortorder
list_monitored_apps List applications monitored by DEM app_type, app_name, limit, offset

Data Sources for query_metrics

Data Source Description
ux_scoreUser Experience Scores (device_score, net_score, app_score, composite_score)
rum_steeredReal User Monitoring for traffic routed through Netskope POPs
rum_bypassedReal User Monitoring for direct/bypassed traffic
traceroute_popTraceroute diagnostics to Netskope POPs
traceroute_bypassedTraceroute for bypassed connections
traceroute_allAll traceroute diagnostics combined
http_steered / http_bypassed / http_allHTTP performance metrics (steered, bypassed, or all)
agent_status / client_statusDEM agent and Netskope client connection states
npa_gateway / npa_metric / npa_stitcherNetwork Path Analysis data

Typical Troubleshooting Workflow:

  1. Find Issues: dem(action="search_alerts", severity=["critical"]) to discover active alerts
  2. Get Details: dem(action="get_alert", alert_id="...") to understand the alert
  3. Find Impact: dem(action="get_alert_entities", alert_id="...") to see affected users/devices
  4. Check Scores: dem(action="query_entities", starttime=..., endtime=...) to review user experience
  5. Deep Dive: dem(action="query_metrics", data_source="ux_score", ...) to analyze specific metrics
  6. Ask AI: dem(action="copilot_query", question="Why is user X experiencing poor performance?")

DEM Key Concepts:

  • User Experience Score (0-100): Composite of device_score + net_score + app_score
  • RUM (Real User Monitoring): Actual user traffic analysis from Netskope Client
  • Steered vs Bypassed: Steered = traffic through Netskope POP; Bypassed = direct traffic
  • Time Ranges: query_metrics uses {"relative": "-24h"} or {"absolute": "ISO datetime"}; query_entities uses Unix epoch seconds
  • Alert Categories: Network, Platform, Private Apps, User Experience, Site
  • Alert Severities: info, low, medium, high, critical

Rich Error Responses

The DEM tool returns detailed error messages when parameters are missing or invalid. Each error includes the valid values, a working example, and contextual hints. This allows LLM clients to self-correct without user intervention. Start with get_field_definitions to discover available fields, or copilot_query to ask natural language questions.

Required RBAC Permissions

DEM API endpoints require specific RBAC API groups: dem_user (queries, copilot), dem_alerts (alert operations), and dem_advanced_diagnostics (field definitions, advanced queries). Ensure your API token has the appropriate DEM permissions enabled.

ADEM (Advanced DEM — Device Telemetry) Tool

1 multi-action tool with 14 operations for per-user, per-device health diagnostics

1 Tool / 14 Actions

Available Actions (14)

Action Purpose Key Parameters
get_user_info User overview with devices, experience score, and last known location user, starttime, endtime (required)
get_device_list List devices for a user with device IDs, OS, and per-device scores user, starttime, endtime (required); user_location (optional)
get_rca Root cause analysis: CPU utilization with top processes, memory usage/utilization, disk usage/utilization, score breakdown by component. Supports per-application and per-NPA-host filtering. user, starttime, endtime, device_id (required); app_name, npa_host (optional)
get_device_scores Aggregated per-device scores: appScore, deviceScore, networkScore, npaHostScore, expScore (all 0-100) user, starttime, endtime, device_id (required); aggregation_type (optional: avg/min/max)
get_exp_score_timeseries Experience score over time at 5-minute intervals — identify when degradation started user, starttime, endtime, device_id (required)
get_network_metrics Latency and packet loss time series for a device user, starttime, endtime, device_id (required); metric_type (optional: all/latency/packetloss)
get_traceroute_timestamps Available traceroute collection timestamps — use before calling get_traceroute user, starttime, endtime, device_id (required)
get_traceroute Network path topology with per-hop latency, IP addresses, ASN info. Supports per-application filtering. user, starttime, endtime, device_id (required); app_name (optional)
get_locations Geographic locations of users/devices (city, country, lat/lng) starttime, endtime (required); user NOT required
get_npa_hosts Network Path Analysis hosts for on-premises apps (IPs, ports, scores) user, starttime, endtime, device_id (required)
get_device_details Device hardware, software, and network details — CPU, memory, OS, client version, geo location, POP assignment, gateway, public/private IPs, device classification user, starttime, endtime, device_id (required)
get_applications List all applications accessed on a device with per-application avg experience scores — the entry point for full per-app visibility. Returns {appName, expScore} for every app; pass all names to get_app_exp_scores for time-series detail. user, starttime, endtime, device_id (required)
get_app_exp_scores Per-application experience score time series — breaks down experience scores by specific applications or NPA hosts (distinct from the overall get_exp_score_timeseries) user, starttime, endtime, device_id (required); applications, npa_hosts, browser_applications (optional lists)
get_npa_network_paths NPA network path topology — device → gateway → stitcher → publishers → NPA host with per-edge latency and session counts user, starttime, endtime, device_id, npa_host (required); policy_drops_only (optional)

Typical Troubleshooting Workflow (chains with DEM tool):

  1. Find Alerts: dem(action="search_alerts", severity=["critical"]) — discover active DEM alerts
  2. Find Impacted Users: dem(action="get_alert_entities", alert_id="...") — get affected users
  3. User Overview: adem(action="get_user_info", user="jane@corp.com", starttime=..., endtime=...)
  4. Get Device IDs: adem(action="get_device_list", user="jane@corp.com", ...)
  5. Discover Apps: adem(action="get_applications", user="jane@corp.com", device_id="...", ...) — ALL apps on the device with per-app avg scores (device_id required)
  6. Device Context: adem(action="get_device_details", ..., device_id="...") — hardware, software, geo, POP details
  7. Identify Degraded Component: adem(action="get_device_scores", ..., device_id="...")
  8. Per-App Scores: adem(action="get_app_exp_scores", ..., applications=["..."]) — which app is degraded?
  9. If device_score low: adem(action="get_rca", ..., app_name="...") — CPU, memory, disk + top processes
  10. If network_score low: adem(action="get_network_metrics", ...) — latency/packet loss
  11. Network path: adem(action="get_traceroute_timestamps", ...) then adem(action="get_traceroute", ..., app_name="...")
  12. If npa_score low: adem(action="get_npa_hosts", ...) then adem(action="get_npa_network_paths", ..., npa_host="...")

ADEM Key Concepts:

  • ADEM vs DEM: DEM provides fleet-level analytics and alerts; ADEM provides per-user, per-device drill-down
  • device_id: Required for most actions — always call get_device_list first to obtain device IDs
  • Time format: All times are Unix epoch seconds (NOT milliseconds like DEM query_metrics)
  • RCA Response: Returns CPU_UTILIZATION with TOP_PROCESSES (name + %), MEMORY_USAGE_KB, MEMORY_UTILIZATION, DISK_USAGE_KB, DISK_UTILIZATION
  • Score Breakdown: get_device_scores returns appScore, deviceScore, networkScore, npaHostScore, expScore (all 0-100)
  • Traceroute Workflow: First call get_traceroute_timestamps to find available times, then get_traceroute with starttime=endtime=specific_timestamp

Rich Error Responses

The ADEM tool returns detailed error messages when parameters are missing or invalid. Missing device_id errors include a working get_device_list example to help LLM clients self-correct. Start with get_user_info for an overview, then get_device_list to discover device IDs.

Required RBAC Permissions

ADEM API endpoints require the same RBAC API groups as DEM: dem_user and dem_advanced_diagnostics. Ensure your API token has DEM permissions enabled.

Specialized Prompts (8)

Prompts are pre-built, multi-step workflows that orchestrate multiple tools to accomplish complex security analysis tasks. They appear as slash commands in MCP clients.

Security Posture Report

Comprehensive 90-day security assessment with interactive HTML report

Most Comprehensive

What It Does:

Generates a comprehensive executive-ready HTML report analyzing your organization's security landscape across 11 major sections including alerts, DLP incidents, application usage, network traffic, endpoint compliance, insider risk, and threat intelligence.

Report Sections:

  • Executive Summary with KPI cards
  • Security Alerts distribution and analysis
  • DLP Incidents status and patterns
  • Application Usage and risk assessment
  • Network and Endpoint compliance
  • Insider Risk multi-vector correlation
  • Threat Intelligence findings
  • Actionable Recommendations (30-60-90 day roadmap)

Output Format:

Single-file HTML5 document with embedded CSS/JS, Chart.js visualizations, Tailwind CSS styling, and Font Awesome icons. Fully responsive and ready for PDF printing.

How to Use:

Claude Code:

/mcp__netskope__security_posture_report

Cursor/Cline: Ask the AI:

"Generate a comprehensive security posture report for the last 90 days"

The AI will automatically select this prompt and execute the workflow.

Incident Analysis

DLP incident investigation with forensics and operational analysis

Multi-Capability

Core Capabilities:

  1. Generate Comprehensive Executive Reports - Full incident analysis with forensics
  2. Fetch Critical/Severe Incidents - Priority-based incident retrieval
  3. Update Incident Attributes - Status, assignee, severity management
  4. Create Investigation Plans - Structured investigation workflows
  5. Perform Operational Analysis - Incident lifecycle metrics

Forensic Features:

  • File metadata extraction (hash, size, type)
  • DLP pattern matches with content offsets
  • Sensitive data pattern analysis
  • DLP rule correlation
  • File preview images

Example Usage:

"/mcp__netskope__incident_analysis"

AI will prompt you to select:
1. Generate executive report
2. Fetch critical incidents
3. Update incident status
4. Create investigation plan
5. Operational analysis

Insider Risk Analysis

Multi-vector user risk prioritization and threat correlation

Risk Prioritization

Arguments:

  • timeperiod (str): Number of days to analyze (1-90 days)
  • instructions (str): Special instructions

Alert Types Analyzed:

High Risk

  • • UBA anomalies
  • • DLP violations
  • • Malware encounters

Medium Risk

  • • Malicious sites
  • • Compromised credentials
  • • Bypassed warnings

Prioritization Logic:

  • Priority 1: Users with UBA + DLP + Malware (multi-vector threats)
  • Priority 2: Users with any 2 of 3 categories (dual-vector)
  • Priority 3: Users with high counts in single category (>50 alerts)

Example Usage:

"Analyze insider risk for the last 30 days"

Output: Prioritized list of high-risk users with:
- Risk score and priority level
- Alert breakdown by type
- Recommended watchlist additions
- Strategic preventive measures

User Activity Report

Individual user risk assessment with timeline analysis

Forensic

Arguments:

  • userEmail (str): User email address to analyze
  • timeperiod (str): Days of data (1-90 days)
  • instructions (str): Special instructions (e.g., "CEO report", "Investigation Plan")

Analysis Phases:

  1. Data Collection: Extract page, application, and alert events
  2. Preprocessing: Deduplication, normalization, baseline establishment
  3. Analysis: Temporal patterns, risk correlation, anomaly detection
  4. Report Generation: Executive summary with risk rating and recommendations

Focus Areas:

  • High-risk app usage (gambling, non-business)
  • After-hours/weekend activity anomalies
  • Geographic access inconsistencies
  • Policy violations and DLP incidents
  • Malware/malsite encounters
  • UBA behavioral anomalies

Example Usage:

"Generate user activity report for john@example.com for the last 30 days"

Output:
- Overall Risk Rating (Low/Medium/High)
- Activity breakdown by application and time
- Security event timeline
- Immediate, short-term, and long-term recommendations

ADEM User Experience Troubleshooting

Investigate a user's digital experience issues using ADEM device telemetry — given a support ticket with username, time range, and optional application

Ticket-Driven

What It Does:

Guides the AI through a systematic investigation workflow using ADEM telemetry data: discovers user devices and applications, analyzes per-component health scores, identifies which component (device, network, application, or NPA) is degraded, and performs targeted root cause analysis with per-application and per-NPA-host drill-down.

Investigation Steps:

  1. Get user overview and device list
  2. Discover applications the user accesses
  3. Get device hardware/software/network details
  4. Analyze aggregated scores (device, network, app, NPA)
  5. Get per-application experience score time series
  6. Drill into root cause based on degraded component:
    • Device issues → RCA with CPU/memory/disk + top processes
    • Network issues → latency/packet loss + traceroute path
    • App issues → app-specific RCA and traceroute
    • NPA issues → NPA host scores + network path topology

Arguments:

  • user_email (required) — The user's email address from the support ticket
  • timeperiod (required) — Time range (e.g., "last 8 hours", "2026-04-10 09:00 to 17:00 UTC")
  • application (optional) — Application to focus on (e.g., "Microsoft Office 365 Suite")

How to Use:

Claude Code:

/mcp__netskope__adem_troubleshooting

Cursor/Cline: Ask the AI:

"Investigate user jane@corp.com's experience issues over the last 24 hours for Microsoft Teams"

The AI will automatically select this prompt and execute the full investigation workflow.

Additional Prompts (3 more)

Client version analysis, application activity, incident status

Client Version Analysis

Analyzes client/device versions against Current Golden Release, identifies outdated devices, and generates compliance recommendations.

Arguments: timeperiod (days), instructions

"/mcp__netskope__client_version_analysis"

Application Activity Analysis

Interactive analysis of cloud application usage with 21 pre-built example queries (SAML/SSO, encryption, compliance, risk assessment, sharing patterns).

Arguments: None (interactive)

"/mcp__netskope__application_activity_analysis"

Incident Status Analysis

Operational analysis of incident lifecycle: status distribution, severity correlation, workflow health assessment, bottleneck identification.

Arguments: timeperiod (days), instructions

"/mcp__netskope__incident_status_analysis"

Using Prompts Across MCP Clients

Different MCP clients have varying levels of support for MCP prompts. Here's how to use Netskope prompts in each environment.

Claude Code CLI

Full Support

Using Prompts as Slash Commands

In Claude Code, MCP prompts automatically become available as slash commands with the format:

/mcp__netskope__<prompt_name>

Discovering Prompts

# List all available commands (including MCP prompts)
claude code
# Type "/" to see autocomplete list

# View MCP server status
/mcp

Example Usage

Security Posture Report:

/mcp__netskope__security_posture_report

Insider Risk Analysis (with arguments):

/mcp__netskope__insider_risk_analysis 30 "Focus on engineering team"

Arguments: timeperiod=30, instructions="Focus on engineering team"

Advantages

  • Direct slash command access to prompts
  • Autocomplete for prompt discovery
  • Easy argument passing (space-separated)

Claude Desktop

Full Support

Using Prompts

MCP prompts appear in Claude Desktop's tool list and can be invoked via slash commands or natural language:

Method 1: Slash Command

/mcp__netskope__incident_analysis

Method 2: Natural Language (Recommended)

"Generate a comprehensive security posture report"

Claude Desktop will automatically detect that this matches the security_posture_report prompt and execute it.

Note

Natural language invocation is more user-friendly. Simply describe what you want, and Claude will select the appropriate prompt automatically.

Cursor IDE

Limited Support

Current Status

Cursor's MCP implementation focuses on tools rather than prompts. As of 2025, Cursor does not have native support for MCP prompts as slash commands.

Workaround: Natural Language

In Composer/Agent mode, explicitly instruct the AI to use specific capabilities:

"Use the Netskope tools to generate a security posture report for the last 90 days"

The AI will orchestrate multiple tool calls to accomplish the task, effectively replicating prompt behavior.

Important

Cursor requires explicit instructions to use MCP tools. The AI won't automatically select prompts, so be specific about what you want to accomplish.

VS Code with Cline

Good Support

Using Prompts in Cline

Cline supports MCP tools well. While it doesn't expose prompts as slash commands, you can trigger them via natural language:

Example 1: Security Report

"Generate a comprehensive 90-day security posture report for our Netskope tenant"

Example 2: User Investigation

"Create a user activity report for john@example.com for the last 30 days"

Example 3: Incident Analysis

"Analyze DLP incidents and generate an executive report with forensics"

Best Practice

Be descriptive about what analysis you want. Cline will orchestrate the necessary tool calls to accomplish complex multi-step tasks.

MCP Prompt Support Comparison

Client Slash Commands Natural Language Prompt Discovery Recommendation
Claude Code ✓ Full ✓ Full ✓ "/" autocomplete Best Choice
Claude Desktop ✓ Full ✓ Full ✓ Tool list Excellent
Cline (VS Code) ✗ No ✓ Full ~ MCP panel Good
Cursor ✗ No ~ Requires explicit instruction ~ MCP settings Limited

Practical Examples

Real-world scenarios demonstrating how to use the MCP server for common security operations tasks.

Example 1: Investigating a Compromised User

Multi-Step

Scenario:

Security team suspects user john@example.com may be compromised based on unusual activity patterns.

Investigation Steps:

  1. Generate User Activity Report 
    "Generate user activity report for john@example.com for the last 30 days with focus on after-hours access"
  2. Search for Security Alerts 
    "Search alert events where user eq 'john@example.com' for the last 30 days, grouped by alert_type"
  3. Check User Risk Score 
    "Get UCI impact data for john@example.com"
  4. Review DLP Incidents 
    "Search incident events where user eq 'john@example.com' and show severity breakdown"
  5. Generate Executive Summary 
    "Create investigation summary report for john@example.com with recommendations"

Expected Outcome

Complete investigation package with risk assessment, timeline of events, alert correlation, and actionable recommendations for remediation.

Example 2: Creating Policy for ChatGPT Data Protection

Policy Management

Scenario:

Organization needs to block access to specific ChatGPT URLs while allowing approved AI tools.

Implementation Steps:

  1. Research Current Usage 
    "Search application events where app eq 'OpenAI ChatGPT' for last 7 days"
  2. Create URL List 
    "Create URL list named 'Blocked-ChatGPT-URLs' with type 'exact' containing:
- chat.openai.com/chat
- chatgpt.com
- platform.openai.com/playground"
  3. Verify URL List 
    "List all URL lists and show details for Blocked-ChatGPT-URLs"
  4. Deploy Policy Changes 
    "Deploy pending policy changes"
  5. Monitor Effectiveness 
    "Search alert events where app eq 'OpenAI ChatGPT' and action eq 'block' for last 24 hours"

Critical Step

Always call deploy_policy() after URL list changes. Changes remain pending until deployment.

Example 3: Monthly Executive Security Review

Reporting

Scenario:

CISO needs comprehensive monthly security metrics for board presentation.

Solution: Single Command

/mcp__netskope__security_posture_report

Or with natural language:

"Generate a comprehensive 90-day security posture report with executive summary, charts, and recommendations"

Report Contents:

  • Executive Summary with KPIs (alerts, incidents, applications, devices)
  • Security Alerts: Distribution by type, severity, and trend analysis
  • DLP Incidents: Status workflow, top sources, severity breakdown
  • Application Usage: Top apps, risk assessment, CCI analysis
  • Network & Endpoint: Compliance status, client version distribution
  • Insider Risk: Multi-vector user correlation and priority rankings
  • Threat Intelligence: Malware, malsite, compromised credential analysis
  • 30-60-90 Day Roadmap with prioritized recommendations

Time Savings

This single prompt replaces hours of manual data collection, analysis, and report formatting. Output is a print-ready HTML document with interactive visualizations.

Best Practices & Recommendations

Performance Optimization

✓ DO

  • • Use groupbys for aggregations instead of raw events
  • • Keep limit low (10-20) for raw event queries
  • • Narrow time ranges with starttime/endtime
  • • Use field details tools before complex queries
  • • Test queries with small limits first

✗ DON'T

  • • Fetch large volumes of raw events unnecessarily
  • • Use unbounded time ranges for high-volume event types
  • • Guess field names without validation
  • • Ignore case-sensitivity in JQL queries
  • • Skip error handling in production workflows

Security Best Practices

API Token Management

  • • Always use environment variables for API tokens
  • • Never commit credentials to version control
  • • Rotate API tokens regularly (every 90 days)
  • • Use least-privilege principles when generating tokens

Access Control

  • • Restrict MCP server access to authorized personnel
  • • Review audit logs regularly
  • • Implement multi-factor authentication for token generation
  • • Document who has access to MCP credentials

JQL Query Construction

1

Discover Fields First

Use get_all_fields('event_type') to see available fields before querying

2

Validate Field Details

Use get_field_details(field_names, event_type) to understand types and operators

3

Review Examples

Use get_sample_queries() to learn syntax patterns

4

Test with Small Limits

Start with limit=10 to verify query syntax before expanding

5

Prefer Aggregations

Use groupbys to aggregate data rather than fetching thousands of raw events

Common Pitfalls to Avoid

❌ Forgetting to Deploy Policies

After creating or updating URL lists, changes remain in "pending" status until you call deploy_policy().

Solution: Always deploy after policy modifications.

❌ Case-Insensitive Field Names

JQL field names are case-sensitive. Alert_Type will fail; use alert_type.

Solution: Use get_all_fields() to verify exact field names.

❌ Using incident_id Instead of dlp_incident_id

DLP forensics require dlp_incident_id, not regular incident_id.

Solution: Check field details for the correct identifier field.

❌ Unbounded Time Ranges

Querying without starttime/endtime can timeout on high-volume event types.

Solution: Always specify time bounds for production queries.

❌ Fetching Raw Events Instead of Aggregations

Retrieving 10,000 raw events is slow and unnecessary for analysis.

Solution: Use groupbys to aggregate data at query time.