Netskope MCP Server - Technical User Guide

Test Evaluation Agreement Required

IMPORTANT NOTICE

This MCP server is an experimental test service provided under a signed "Test Evaluation Agreement" between your organization and Netskope, Inc.

The service is subject to the following key terms:

Experimental Services: The Test Services are in development, have not been commercially released, and may contain errors or defects
Evaluation Period: Services are provided for testing and evaluation purposes only during the agreed Evaluation Period
Feedback Obligation: Company agrees to provide feedback, suggestions, and testing results to Netskope
No Production Use: Test Services are not intended for production use and should not be deployed in live production environments
No Warranties: Services are provided "AS IS" without any warranties, express or implied
Confidentiality: All Development Materials and test results are Netskope confidential information

DO NOT USE THIS SERVICE WITHOUT A SIGNED AGREEMENT

Unauthorized use of this experimental MCP server is prohibited. If you have not signed a Test Evaluation Agreement with Netskope, please contact your Netskope representative or email support@netskope.com before proceeding.

ACCESS CODE REQUIRED

Your unique access code will be provided by Netskope once you have a signed agreement.

Evaluation Services: Cloud security services and software for testing purposes

Governed by: Master Subscription Agreement and Test Evaluation Agreement terms

Overview

What is the Netskope MCP Server?

The Netskope MCP Server is an experimental bridge that connects AI assistants to your Netskope tenant using the Model Context Protocol (MCP). It provides 60+ tools and 7 specialized prompts for security operations, incident investigation, policy management, and comprehensive reporting.

Built with FastMCP, this server enables natural language interactions with Netskope APIs, allowing security teams to perform complex queries, generate executive reports, investigate incidents, and manage policies through conversational AI.

Key Capabilities

Security Investigations: Search alerts, incidents, and application events with JQL queries
DLP Analysis: Forensic investigation with metadata, content extraction, and risk assessment
Policy Management: Create/update URL lists, tags, and deploy policy changes
User & Identity: SCIM-based user/group provisioning and management
IPsec VPN Management: Create, monitor, and manage IPsec tunnels to Netskope POPs
DNS Security: Manage DNS profiles, inheritance groups, and deploy DNS security policies
Executive Reporting: Generate HTML reports with interactive visualizations

Architecture Overview

graph LR A[AI Client
Claude/Cursor/Cline] -->|MCP Protocol| B["MCP Server
/tenant-id/code/mcp"] B -->|Bearer Token Auth| C[Netskope APIs] C --> D[Events API
Alerts/Incidents] C --> E[Policy API
URL Lists] C --> F[Services API
CCI/Tags] C --> G[Users API
SCIM] C --> N[IPsec API
VPN Tunnels] C --> O[DNS Security API
DNS Profiles] B --> H[77+ Tools] B --> I[7 Prompts] H --> J[JQL Helpers] H --> K[Search Tools] I --> L[Security Reports] I --> M[Analysis Workflows]

Total Tools

Prompts

Event Types

API Categories

Getting Started

Prerequisites

Netskope Tenant URL: Your organization's Netskope tenant (e.g., https://mytenant.goskope.com)
API Bearer Token: Generated from Netskope admin settings with appropriate permissions
MCP-Compatible Client: Claude Desktop, Claude Code, Cursor, Cline, GitHub Copilot, etc.

Understanding Tenant URL Mapping

The MCP server supports both standard 3-level and multi-region 4-level FQDN tenants using path-based routing:

Standard 3-Level FQDN:

Tenant: mytenant.goskope.com

Use in URL: /mytenant/{access_code}/mcp

Multi-Region 4-Level FQDN:

Tenant: eurocorp.eu.goskope.com

Use in URL: /eurocorp_eu/mcp (replace dot with underscore)

Tenant: plm-sspm.de.goskope.com

Use in URL: /plm-sspm_de/{access_code}/mcp

Tip: For multi-region tenants, replace the dot between subdomain levels with an underscore in the URL path.

Quick Start: Claude Code (Recommended)

Step 1: Add the MCP Server

claude mcp add \
  --transport http \
  --scope user \
  netskope \
  https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp \
  --header "Authorization: Bearer ${NETSKOPE_API_TOKEN}"

Note: Replace both placeholders:

{tenant_url}: Your tenant urlentifier
- Standard: mytenant.goskope.com → use mytenant
- Multi-region: eurocorp.eu.goskope.com → use eurocorp_eu
{access_code}: 6-character security code provided by your Netskope representative

Step 2: Set Environment Variable

export NETSKOPE_API_TOKEN="YOUR_API_TOKEN_HERE"

Step 3: Verify Installation

claude mcp list

You should see netskope listed as a connected server.

Step 4: Start Using

claude code

Claude Code will automatically discover Netskope tools and prompts. Try asking: "Show me security alerts from the last 7 days"

Installation for Other Clients

Claude Desktop

Edit configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "netskope": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
        "--header",
        "Authorization:Bearer {NETSKOPE_API_TOKEN}"
      ],
    }
  }
}

Important: Replace {tenant_url} and {access_code} with your values. The access code is provided by your Netskope representative.

npm is needed to install and run the mcp-remote command.

Windows: Use the path to npx without spaces, e.g., "C:/PROGRA~1/nodejs/npx.cmd" instead of "npx" for the command value.

Restart Claude Desktop after saving.

Cursor IDE

Navigate to: Settings → MCP Tools → Add Custom MCP

Or edit manually:

~/.cursor/mcp.json or .cursor/mcp.json (project-specific)

{
  "mcpServers": {
    "netskope": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
        "--header",
        "Authorization:Bearer ${NETSKOPE_API_TOKEN}"
      ],
      "env": {
        "NETSKOPE_API_TOKEN": "YOUR_API_TOKEN_HERE"
      }
    }
  }
}

Important: Replace {tenant_url} and {access_code} with your values. The access code is provided by your Netskope representative.

Restart Cursor after saving. Tools appear in Composer Agent mode.

VS Code with Cline

Install Cline extension, then configure MCP:

Click Cline icon → MCP Servers → Configure MCP Servers

Option A: Using SSE Transport (Remote HTTP)

{
  "mcpServers": {
    "netskope": {
      "url": "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_TOKEN_HERE"
      },
      "alwaysAllow": [],
      "disabled": false
    }
  }
}

Option B: Using mcp-remote Proxy (STDIO)

{
  "mcpServers": {
    "netskope": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
        "--header",
        "Authorization:Bearer ${NETSKOPE_API_TOKEN}"
      ],
      "env": {
        "NETSKOPE_API_TOKEN": "YOUR_API_TOKEN_HERE"
      },
      "alwaysAllow": [],
      "disabled": false
    }
  }
}

Important: Replace {tenant_url} and {access_code} with your values. The access code is provided by your Netskope representative.

Restart VS Code after saving.

Gemini CLI

Edit configuration file:

~/.gemini/settings.json

{
  "selectedAuthType": "gemini-api-key",
  "theme": "Dracula",
  "mcpServers": {
    "netskope": {
      "httpUrl": "https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_TOKEN_HERE"
      }
    }
  }
}

Important: Replace {tenant_url} and {access_code} with your values. The access code is provided by your Netskope representative.

Preserve any existing settings like selectedAuthType and theme in your configuration file.

The Gemini CLI will automatically load the MCP server on next startup.

Access Code Required

Starting with this version, all MCP server URLs require a 6-character access code in the path:

https://mcp-preview.goskope.com/{tenant_url}/{access_code}/mcp

To obtain your access code: Contact your Netskope representative. The access code is a unique security code tied to your tenant url.

This additional security layer prevents unauthorized access to tenant-specific APIs. Invalid access codes will result in 403 Forbidden errors.

Security Note

Always use environment variables for API tokens in production. Never commit credentials to version control. The MCP server logs tenant url and redacted tokens (first 4 + last 4 characters) for audit purposes.

Available Tools (60+)

The MCP server provides 60+ tools organized into 7 categories for comprehensive Netskope tenant management and documentation search.

JQL Helper Tools

6 tools for query construction and field discovery

6 Tools

Tool Name	Purpose	Key Parameters
`get_field_details`	Retrieve detailed information for specific fields from event type schema	field_names, event_type
`get_all_fields`	Get complete list of queryable fields for an event type	event_type
`get_sample_queries`	View example JQL queries with proper syntax patterns	None
`get_query_guidelines`	Comprehensive JQL syntax rules and best practices	None
`get_current_time_in_UTC_format`	Get current UTC time for time-based queries	None
`utc_to_unix_timestamp_tool`	Convert UTC datetime to Unix timestamp	utc_time_str

Best Practice

Always use get_field_details() before constructing complex queries to ensure field names are valid and understand supported operators.

Events API Tools

13 tools for searching and exporting event data

13 Tools

Tool Name	Purpose	Event Type
`search_audit_events`	Search administrative audit events (config changes, admin actions)	audit
`search_alert_events`	Search security alerts (DLP, policy, UBA, malware, malsite)	alert
`search_application_events`	Search SaaS application usage events	application
`search_incident_events`	Search DLP incidents using JQL queries	incident
`search_network_events`	Search web traffic and network activity	network
`search_page_events`	Search detailed web page events (referer, navigation)	page
`search_clientstatus_events`	Search Netskope client agent status	clientstatus
`search_epdlp_events`	Search Endpoint DLP events (USB, file operations)	epdlp
`export_incident_events`	Bulk export incident data for reporting	incident
`export_infrastructure_events`	Export infrastructure system events	infrastructure
`get_transaction_event_metrics`	Retrieve aggregated transaction metrics	transaction
`get_transaction_events_token`	Get access token for transaction events API	transaction

Performance Tips

Keep limit low (10-20) for raw event queries to avoid timeout
Use aggregations (groupbys) instead of raw events for analysis
Narrow time ranges with starttime/endtime for better performance
Field names are case-sensitive in JQL queries

Incidents API Tools

5 tools for incident management and user risk analysis

5 Tools

Tool Name	Purpose	Use Case
`get_user_uci_impact`	Retrieve User Confidence Index (UCI) time series	User risk scoring (0-1000 scale)
`update_incident_status`	Update incident attributes (status, assignee, severity)	Incident workflow management
`get_dlp_incident_forensics`	Retrieve detailed forensics for DLP incident	Investigation: file metadata, DLP matches, content preview
`get_uba_user_data`	Retrieve UBA UCI time series (identical to get_user_uci_impact)	Behavioral analytics, anomaly detection
`get_uba_anomalies`	Retrieve UBA anomalies with LLM-optimized summary mode	Insider threat investigation, compromised credential analysis

Important Notes

UCI scores range from 0-1000 (not 0-100)
Use dlp_incident_id field (NOT regular incident_id) for forensics
update_incident_status() requires old_value for validation
get_uba_anomalies() returns aggregated summary by default (~96% token reduction). Use summary=False for raw results

Services API Tools

9 tools for app risk assessment and infrastructure

9 Tools

Tool Name	Purpose	Key Parameters
`get_cci_app_info`	Retrieve Cloud Confidence Index (CCI) info for applications	app, category, ccl, tag, limit
`create_tag`	Create tag for categorizing applications	tag_name, apps (list)
`list_tags`	List tags or get all app metadata	apps, ids, appmetadata
`get_tag`	Get applications associated with specific tag	tag
`update_tag`	Update tag (add/remove apps or rename)	tag_name, apps, action, new_name
`delete_tag`	Delete an existing tag	tag_name
`list_publishers`	List infrastructure publishers/connectors	filter, limit
`get_publisher_info`	Get details of specific publisher	publisher_id

Use Case Highlight

Use get_cci_app_info() to assess application risk before creating policies. Tags help organize apps into custom categories for policy groupings.

Policy API Tools

6 tools for URL list and policy management

6 Tools

Tool Name	Purpose	Required Parameters
`create_url_list`	Create new URL list for policies	name, urls (list), list_type
`deploy_policy`	Deploy pending policy changes	None
`list_url_lists`	List URL lists with pagination	limit, offset
`get_url_list`	Get specific URL list details	list_id
`update_url_list`	Update URL list (append or remove URLs)	list_id, action, urls (list)
`delete_url_list`	Delete URL list	list_id

Critical Workflow

After creating or updating URL lists, you MUST call deploy_policy() to activate changes. Changes remain in "pending" status until deployed.

Users API Tools (SCIM)

10 tools for user and group provisioning

10 Tools

Tool Name	Purpose	Protocol
`get_scim_users`	Query SCIM users with optional filtering	SCIM 2.0
`get_scim_groups`	Query SCIM groups with optional filtering	SCIM 2.0
`create_scim_user`	Provision new user via SCIM	SCIM 2.0
`get_scim_user`	Get specific user by SCIM ID	SCIM 2.0
`update_scim_user`	Update user attributes via SCIM PATCH	SCIM 2.0
`delete_scim_user`	Deprovision user	SCIM 2.0
`create_scim_group`	Create new organizational group	SCIM 2.0
`get_scim_group`	Get specific group details	SCIM 2.0
`update_scim_group`	Update group attributes/members	SCIM 2.0
`delete_scim_group`	Delete group	SCIM 2.0

SCIM Protocol

All user/group tools follow SCIM 2.0 standard. Use filter parameter with SCIM filter syntax (e.g., userName eq "john@example.com")

Documentation Search Tools

1 tool for searching official Netskope documentation

1 Tool

Tool Name	Purpose	Use Cases
`search_netskope_documentation`	Search official Netskope documentation for product information, configuration guides, and troubleshooting	Feature lookup, best practices, release notes, API reference

Common Queries:

Golden Release Information: Search for "golden release" to find current recommended client versions
Configuration Help: Search for "configure SSL decryption" or "steering policy setup"
Feature Documentation: Search for "DLP policy", "private access", "cloud firewall"
Troubleshooting: Search for "client connection issues" or error messages
API Reference: Search for "API authentication" or specific endpoint documentation
Version Information: Search for "release 132.0.0 features" or specific version notes

How It Works

The top search result includes complete page content for comprehensive information, while additional results provide relevant excerpts. This tool searches the public Netskope Knowledge Portal at docs.netskope.com and requires no additional credentials.

Note

This tool searches public documentation only, not your tenant-specific configuration. For tenant-specific queries, use the Events, Services, Policy, or Users API tools.

IPsec API Tools

5 tools for IPsec VPN tunnel management

5 Tools

Tool Name	Purpose	Key Parameters
`list_ipsec_pops`	List available Points of Presence (POPs) with location, encryption capabilities, and bandwidth options	name, region, country, limit, offset
`list_ipsec_tunnels`	List all configured IPsec tunnels with status and POP connections	status, site, pop, limit, offset
`create_ipsec_tunnel`	Create a new IPsec VPN tunnel to Netskope POPs	site, pops, psk, srcidentity, bandwidth, encryption
`modify_ipsec_tunnel`	Update existing tunnel configuration (partial updates supported)	tunnel_id, + optional: site, pops, bandwidth, encryption, enable
`delete_ipsec_tunnel`	Delete an IPsec tunnel configuration	tunnel_id

Typical Workflow:

Discover POPs: Use list_ipsec_pops() to find available POPs by region or country
Create Tunnel: Use create_ipsec_tunnel() with selected POPs, PSK, and encryption settings
Monitor Status: Use list_ipsec_tunnels() to check tunnel connectivity
Update Settings: Use modify_ipsec_tunnel() to change bandwidth or encryption

Valid Parameter Values:

Encryption: AES128-CBC, AES192-CBC, AES256-CBC, AES128-GCM, AES256-GCM
Bandwidth (Mbps): 50, 100, 150, 200, 250, 1000
POPs: 109+ globally (e.g., ord1, ord2, ams1, atl1, lhr1)

Best Practices

Select 2 POPs for redundancy (primary and backup). Choose POPs geographically close to your site for lower latency. Use list_ipsec_pops(country="US") to find the closest POPs to a specific country.

Important

Tunnel IDs are integers returned by list_ipsec_tunnels(). Use the numeric ID (not the site name) when calling modify_ipsec_tunnel() or delete_ipsec_tunnel(). Deletion is permanent and cannot be undone.

DNS Security API Tools

15 tools for DNS profile, inheritance group, and configuration management

15 Tools

DNS Profile Tools (6)

Tool Name	Purpose	Key Parameters
`get_dns_profiles`	List DNS Security profiles with filtering and pagination	filter, limit, offset, fields, sortby, sortorder
`get_dns_profile`	Get detailed DNS profile configuration by ID	id, filter, fields
`create_dns_profile`	Create a new DNS Security profile	name
`update_dns_profile`	Update DNS profile configuration (domain rules, tunneling, custom DNS)	id, name, description, log_traffic, domain_config, tunnel_config, custom_config, inheritance_groups
`delete_dns_profile`	Delete a DNS Security profile by ID	id
`deploy_dns_profiles`	Deploy pending DNS profile changes	all, ids, change_note

DNS Inheritance Group Tools (6)

Tool Name	Purpose	Key Parameters
`get_dns_inheritance_groups`	List DNS inheritance groups with filtering and pagination	filter, limit, offset, fields, sortby, sortorder
`get_dns_inheritance_group`	Get specific DNS inheritance group by ID	id, fields
`create_dns_inheritance_group`	Create a new DNS inheritance group	name, interactive
`update_dns_inheritance_group`	Update inheritance group configuration and DNS profile assignments	id, name, description, dns_profiles, interactive
`delete_dns_inheritance_group`	Delete a DNS inheritance group by ID	id, interactive
`deploy_dns_inheritance_groups`	Deploy pending inheritance group changes (max 16 groups per call)	all, ids, change_note

DNS Configuration Tools (3)

Tool Name	Purpose	Key Parameters
`get_dns_tunnels`	List DNS tunnel configurations for tunneling detection	filter, limit, offset, fields, sortby, sortorder
`get_dns_domain_categories`	Retrieve DNS domain categories (Security & Business)	filter, limit, offset, fields, sortby, sortorder
`get_dns_record_types`	Retrieve supported DNS record types for filtering	filter, limit, offset, fields, sortby, sortorder

Typical Workflow:

Discover Options: Use get_dns_domain_categories() and get_dns_record_types() to see available filtering options
List Profiles: Use get_dns_profiles() to view existing DNS security configurations
Create Profile: Use create_dns_profile(name="Production DNS") to create a new profile
Configure Rules: Use update_dns_profile() to set domain allow/block lists, tunneling detection, and custom DNS
Review Tunnels: Use get_dns_tunnels() to audit DNS tunnel detection configurations
Assign to Groups: Use update_dns_inheritance_group() to assign profiles to organizational groups
Deploy Changes: Use deploy_dns_profiles() or deploy_dns_inheritance_groups() to activate

Filter Syntax:

Operators: eq (equals), sw (starts with), in (multiple values), co (contains)
Example: filter='name sw "Production" and status eq "active"'
Attributes: id, name, status, description, inheritance_groups, dns_profiles, category_type (for domain categories)

Best Practices

Use interactive=True when making changes to stage them for review before deployment. Always include a change_note when deploying for audit trail purposes. Test DNS profile changes in a non-production group before deploying to production.

Important

DNS profile changes can affect network connectivity. Verify domain allow/block lists carefully before deployment. When deploying inheritance groups, a maximum of 16 group IDs can be deployed per call. Deletion operations are permanent.

Specialized Prompts (7)

Prompts are pre-built, multi-step workflows that orchestrate multiple tools to accomplish complex security analysis tasks. They appear as slash commands in MCP clients.

Security Posture Report

Comprehensive 90-day security assessment with interactive HTML report

Most Comprehensive

What It Does:

Generates a comprehensive executive-ready HTML report analyzing your organization's security landscape across 11 major sections including alerts, DLP incidents, application usage, network traffic, endpoint compliance, insider risk, and threat intelligence.

Report Sections:

Executive Summary with KPI cards
Security Alerts distribution and analysis
DLP Incidents status and patterns
Application Usage and risk assessment
Network and Endpoint compliance
Insider Risk multi-vector correlation
Threat Intelligence findings
Actionable Recommendations (30-60-90 day roadmap)

Output Format:

Single-file HTML5 document with embedded CSS/JS, Chart.js visualizations, Tailwind CSS styling, and Font Awesome icons. Fully responsive and ready for PDF printing.

How to Use:

Claude Code:

/mcp__netskope__security_posture_report

Cursor/Cline: Ask the AI:

"Generate a comprehensive security posture report for the last 90 days"

The AI will automatically select this prompt and execute the workflow.

Incident Analysis

DLP incident investigation with forensics and operational analysis

Multi-Capability

Core Capabilities:

Generate Comprehensive Executive Reports - Full incident analysis with forensics
Fetch Critical/Severe Incidents - Priority-based incident retrieval
Update Incident Attributes - Status, assignee, severity management
Create Investigation Plans - Structured investigation workflows
Perform Operational Analysis - Incident lifecycle metrics

Forensic Features:

File metadata extraction (hash, size, type)
DLP pattern matches with content offsets
Sensitive data pattern analysis
DLP rule correlation
File preview images

Example Usage:

"/mcp__netskope__incident_analysis"

AI will prompt you to select:
1. Generate executive report
2. Fetch critical incidents
3. Update incident status
4. Create investigation plan
5. Operational analysis

Insider Risk Analysis

Multi-vector user risk prioritization and threat correlation

Risk Prioritization

Arguments:

timeperiod (str): Number of days to analyze (1-90 days)
instructions (str): Special instructions

Alert Types Analyzed:

High Risk

• UBA anomalies
• DLP violations
• Malware encounters

Medium Risk

• Malicious sites
• Compromised credentials
• Bypassed warnings

Prioritization Logic:

Priority 1: Users with UBA + DLP + Malware (multi-vector threats)
Priority 2: Users with any 2 of 3 categories (dual-vector)
Priority 3: Users with high counts in single category (>50 alerts)

Example Usage:

"Analyze insider risk for the last 30 days"

Output: Prioritized list of high-risk users with:
- Risk score and priority level
- Alert breakdown by type
- Recommended watchlist additions
- Strategic preventive measures

User Activity Report

Individual user risk assessment with timeline analysis

Forensic

Arguments:

userEmail (str): User email address to analyze
timeperiod (str): Days of data (1-90 days)
instructions (str): Special instructions (e.g., "CEO report", "Investigation Plan")

Analysis Phases:

Data Collection: Extract page, application, and alert events
Preprocessing: Deduplication, normalization, baseline establishment
Analysis: Temporal patterns, risk correlation, anomaly detection
Report Generation: Executive summary with risk rating and recommendations

Focus Areas:

High-risk app usage (gambling, non-business)
After-hours/weekend activity anomalies
Geographic access inconsistencies
Policy violations and DLP incidents
Malware/malsite encounters
UBA behavioral anomalies

Example Usage:

"Generate user activity report for john@example.com for the last 30 days"

Output:
- Overall Risk Rating (Low/Medium/High)
- Activity breakdown by application and time
- Security event timeline
- Immediate, short-term, and long-term recommendations

Additional Prompts (3 more)

Client version analysis, application activity, incident status

Client Version Analysis

Analyzes client/device versions against Current Golden Release, identifies outdated devices, and generates compliance recommendations.

Arguments: timeperiod (days), instructions

"/mcp__netskope__client_version_analysis"

Application Activity Analysis

Interactive analysis of cloud application usage with 21 pre-built example queries (SAML/SSO, encryption, compliance, risk assessment, sharing patterns).

Arguments: None (interactive)

"/mcp__netskope__application_activity_analysis"

Incident Status Analysis

Operational analysis of incident lifecycle: status distribution, severity correlation, workflow health assessment, bottleneck identification.

Arguments: timeperiod (days), instructions

"/mcp__netskope__incident_status_analysis"

Using Prompts Across MCP Clients

Different MCP clients have varying levels of support for MCP prompts. Here's how to use Netskope prompts in each environment.

Claude Code CLI

Full Support

Using Prompts as Slash Commands

In Claude Code, MCP prompts automatically become available as slash commands with the format:

/mcp__netskope__<prompt_name>

Discovering Prompts

# List all available commands (including MCP prompts)
claude code
# Type "/" to see autocomplete list

# View MCP server status
/mcp

Example Usage

Security Posture Report:

/mcp__netskope__security_posture_report

Insider Risk Analysis (with arguments):

/mcp__netskope__insider_risk_analysis 30 "Focus on engineering team"

Arguments: timeperiod=30, instructions="Focus on engineering team"

Advantages

Direct slash command access to prompts
Autocomplete for prompt discovery
Easy argument passing (space-separated)

Claude Desktop

Full Support

Using Prompts

MCP prompts appear in Claude Desktop's tool list and can be invoked via slash commands or natural language:

Method 1: Slash Command

/mcp__netskope__incident_analysis

Method 2: Natural Language (Recommended)

"Generate a comprehensive security posture report"

Claude Desktop will automatically detect that this matches the security_posture_report prompt and execute it.

Note

Natural language invocation is more user-friendly. Simply describe what you want, and Claude will select the appropriate prompt automatically.

Cursor IDE

Limited Support

Current Status

Cursor's MCP implementation focuses on tools rather than prompts. As of 2025, Cursor does not have native support for MCP prompts as slash commands.

Workaround: Natural Language

In Composer/Agent mode, explicitly instruct the AI to use specific capabilities:

"Use the Netskope tools to generate a security posture report for the last 90 days"

The AI will orchestrate multiple tool calls to accomplish the task, effectively replicating prompt behavior.

Important

Cursor requires explicit instructions to use MCP tools. The AI won't automatically select prompts, so be specific about what you want to accomplish.

VS Code with Cline

Good Support

Using Prompts in Cline

Cline supports MCP tools well. While it doesn't expose prompts as slash commands, you can trigger them via natural language:

Example 1: Security Report

"Generate a comprehensive 90-day security posture report for our Netskope tenant"

Example 2: User Investigation

"Create a user activity report for john@example.com for the last 30 days"

Example 3: Incident Analysis

"Analyze DLP incidents and generate an executive report with forensics"

Best Practice

Be descriptive about what analysis you want. Cline will orchestrate the necessary tool calls to accomplish complex multi-step tasks.

MCP Prompt Support Comparison

Client	Slash Commands	Natural Language	Prompt Discovery	Recommendation
Claude Code	✓ Full	✓ Full	✓ "/" autocomplete	Best Choice
Claude Desktop	✓ Full	✓ Full	✓ Tool list	Excellent
Cline (VS Code)	✗ No	✓ Full	~ MCP panel	Good
Cursor	✗ No	~ Requires explicit instruction	~ MCP settings	Limited

Practical Examples

Real-world scenarios demonstrating how to use the MCP server for common security operations tasks.

Example 1: Investigating a Compromised User

Multi-Step

Scenario:

Security team suspects user john@example.com may be compromised based on unusual activity patterns.

Investigation Steps:

Generate User Activity Report

"Generate user activity report for john@example.com for the last 30 days with focus on after-hours access"

Search for Security Alerts

"Search alert events where user eq 'john@example.com' for the last 30 days, grouped by alert_type"

Check User Risk Score

"Get UCI impact data for john@example.com"

Review DLP Incidents

"Search incident events where user eq 'john@example.com' and show severity breakdown"

Generate Executive Summary

"Create investigation summary report for john@example.com with recommendations"

Expected Outcome

Complete investigation package with risk assessment, timeline of events, alert correlation, and actionable recommendations for remediation.

Example 2: Creating Policy for ChatGPT Data Protection

Policy Management

Scenario:

Organization needs to block access to specific ChatGPT URLs while allowing approved AI tools.

Implementation Steps:

Research Current Usage

"Search application events where app eq 'OpenAI ChatGPT' for last 7 days"

Create URL List

"Create URL list named 'Blocked-ChatGPT-URLs' with type 'exact' containing:
- chat.openai.com/chat
- chatgpt.com
- platform.openai.com/playground"

Verify URL List

"List all URL lists and show details for Blocked-ChatGPT-URLs"

Deploy Policy Changes
```
"Deploy pending policy changes"
```

Monitor Effectiveness

"Search alert events where app eq 'OpenAI ChatGPT' and action eq 'block' for last 24 hours"

Critical Step

Always call deploy_policy() after URL list changes. Changes remain pending until deployment.

Example 3: Monthly Executive Security Review

Reporting

Scenario:

CISO needs comprehensive monthly security metrics for board presentation.

Solution: Single Command

/mcp__netskope__security_posture_report

Or with natural language:

"Generate a comprehensive 90-day security posture report with executive summary, charts, and recommendations"

Report Contents:

Executive Summary with KPIs (alerts, incidents, applications, devices)
Security Alerts: Distribution by type, severity, and trend analysis
DLP Incidents: Status workflow, top sources, severity breakdown
Application Usage: Top apps, risk assessment, CCI analysis
Network & Endpoint: Compliance status, client version distribution
Insider Risk: Multi-vector user correlation and priority rankings
Threat Intelligence: Malware, malsite, compromised credential analysis
30-60-90 Day Roadmap with prioritized recommendations

Time Savings

This single prompt replaces hours of manual data collection, analysis, and report formatting. Output is a print-ready HTML document with interactive visualizations.

Best Practices & Recommendations

Performance Optimization

✓ DO

• Use groupbys for aggregations instead of raw events
• Keep limit low (10-20) for raw event queries
• Narrow time ranges with starttime/endtime
• Use field details tools before complex queries
• Test queries with small limits first

✗ DON'T

• Fetch large volumes of raw events unnecessarily
• Use unbounded time ranges for high-volume event types
• Guess field names without validation
• Ignore case-sensitivity in JQL queries
• Skip error handling in production workflows

Security Best Practices

API Token Management

• Always use environment variables for API tokens
• Never commit credentials to version control
• Rotate API tokens regularly (every 90 days)
• Use least-privilege principles when generating tokens

Access Control

• Restrict MCP server access to authorized personnel
• Review audit logs regularly
• Implement multi-factor authentication for token generation
• Document who has access to MCP credentials

JQL Query Construction

Discover Fields First

Use get_all_fields('event_type') to see available fields before querying

Validate Field Details

Use get_field_details(field_names, event_type) to understand types and operators

Review Examples

Use get_sample_queries() to learn syntax patterns

Test with Small Limits

Start with limit=10 to verify query syntax before expanding

Prefer Aggregations

Use groupbys to aggregate data rather than fetching thousands of raw events

Common Pitfalls to Avoid

❌ Forgetting to Deploy Policies

After creating or updating URL lists, changes remain in "pending" status until you call deploy_policy().

Solution: Always deploy after policy modifications.

❌ Case-Insensitive Field Names

JQL field names are case-sensitive. Alert_Type will fail; use alert_type.

Solution: Use get_all_fields() to verify exact field names.

❌ Using incident_id Instead of dlp_incident_id

DLP forensics require dlp_incident_id, not regular incident_id.

Solution: Check field details for the correct identifier field.

❌ Unbounded Time Ranges

Querying without starttime/endtime can timeout on high-volume event types.

Solution: Always specify time bounds for production queries.

❌ Fetching Raw Events Instead of Aggregations

Retrieving 10,000 raw events is slow and unnecessary for analysis.

Solution: Use groupbys to aggregate data at query time.