Chronicle Plugin for Log Shipper

This document explains how to configure your Chronicle integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows pushing alerts and events from Netskope to the Chronicle platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances)

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

  • A Chronicle account. Obtain your Chronicle Base URL and API Key from your Chronicle representative before proceeding.

Note

Verify your Chronicle instance permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.

Workflow
  1. Configure the Chronicle Plugin.

  2. Configure Log Shipper Business Rules for Chronicle.

  3. Configure Log Shipper SIEM Mappings for Chronicle.

  4. Validate the Chronicle plugin.

Configure the Chronicle Plugin

  1. Go to Settings > Plugins.

  2. Select the Chronicle box to open the plugin creation dialog.

  3. Enter a Configuration Name.

  4. Select a valid Mapping (Default Mappings for all plugins are available). Click Next.

  5. Enter your Chronicle Base URL, API key (which is provided to you by your Chronicle representative), and Valid Extensions (as shown).

  6. Click Save.

Configure Log Shipper Business Rules for Chronicle

  1. Go to Log Shipper > Business Rules.

  2. Click Create New Rule.

  3. Enter a Rule Name and select the filters to use.

  4. Click Save.

Configure Log Shipper SIEM Mappings for Chronicle

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.

  2. Select a Source Configuration, Business Rule, and Destination Configuration.

  3. Click Save.

Validate the Chronicle Plugin

To validate the plugin workflow, you can check from Netskope Cloud Exchange and from the Chronicle Platform.

To validate from Netskope Cloud Exchange, go to Logging.


To validate from the Chronicle Platform:

  1. Log in to the Chronicle Platform to view data.

  2. Enter a keyword that you want to search for (in this case, an application).

  3. Click Search.

  4. Click Raw Log Scan.

  5. Set Start Time (UTC) and End Time (UTC) accordingly. You can also select both times by reference (such as 1 minute, 2 hours, or 1 day). Click Search.

  6. Click the adjacent icon to see details of the log.

  7. The ingested data is displayed.