Log Shipper v1.0.0 Plugin

This document explains how to configure the Cloud Exchange integration with the Log Shipper module of the Netskope Cloud Exchange platform. The Log Shipper plugin collects alerts/events from the Netskope tenant.

Prerequisites

To complete this configuration, you need a Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.

CE Version Compatibility

This plugin is compatible with all the supported Netskope CE Versions.

Log Shipper Plugin Support

This plugin is used to pull events and alerts data from the Netskope Tenant.

Event Types    Yes
Alert Types    Yes
WebTx          No

Permissions

Access to the required permissions is available in the v2 REST API scopes.

API Details
List of APIs used
API Endpoint                                              Method   Use Case
/api/v2/events/dataexport/alerts/compromisedcredential    GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/dlp                      GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/malware                  GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/remediation              GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/securityassessment       GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/ctep                     GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/malsite                  GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/policy                   GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/quarantine               GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/uba                      GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/alerts/watchlist                GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/events/page                     GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/events/application              GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/events/audit                    GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/events/infrastructure           GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/events/network                  GET      Pull the data from the Netskope tenant
/api/v2/events/dataexport/events/incident                 GET      Pull the data from the Netskope tenant

Pull the Data from the Netskope Tenant

This section shows the parameters for one of the APIs listed above. For the request and response details of the other APIs, use the Swagger API documentation provided in the Netskope tenant.

API Endpoint: /api/v2/events/dataexport/alerts/dlp

Method: GET

Parameters:

Index: <name of iterator index>

operation: <epoch time from which the data should be fetched>

Headers:

Netskope-Api-Token: <V2_Token>

Accept: application/json

Content-Type: application/json

Sample API Response:

To access the API Response view, log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation. From there, you will be able to request the API mentioned above and obtain the desired API response.

User Agent

The user-agent added in this plugin is in the following format:

netskope-ce-<ce_version>

For example: netskope-ce-5.0.1
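The request described in the API Details section (the index and operation query parameters, the three headers) and the User-Agent format above, put together as an added example. This is illustration code, not the plugin's own implementation: the tenant hostname, the token, the response layout (a JSON object whose result key holds a list of records) and the helper names are assumptions, and the sample response is constructed, so the code runs offline.

```python
"""Build, send and parse one Netskope Data Export request (added example).

Assumptions: tenant hostname and token are placeholders; the response is
assumed to be a JSON object with a "result" list. Endpoint, parameters and
headers are the ones documented on this page.
"""
import json
import time
import urllib.parse
import urllib.request

TENANT_URL = "https://example-tenant.goskope.com"  # placeholder, not a real tenant
DLP_ALERTS_ENDPOINT = "/api/v2/events/dataexport/alerts/dlp"


def user_agent(ce_version):
    """User-Agent in the documented format: netskope-ce-<ce_version>."""
    return f"netskope-ce-{ce_version}"


def initial_operation(days, now=None):
    """Epoch start for the first run ("number of days to pull data for the initial run")."""
    now = int(time.time()) if now is None else int(now)
    return now - days * 86400


def build_dataexport_request(tenant_url, token, endpoint, index, operation, ce_version):
    """Return (url, headers) for a GET against the data export iterator endpoint."""
    query = urllib.parse.urlencode({"index": index, "operation": operation})
    url = f"{tenant_url.rstrip('/')}{endpoint}?{query}"
    headers = {
        "Netskope-Api-Token": token,          # V2 token; keep it out of logs
        "Accept": "application/json",
        "Content-Type": "application/json",
        "User-Agent": user_agent(ce_version),
    }
    return url, headers


def parse_dataexport_page(body):
    """Extract the records from one response page (assumed 'result' list layout)."""
    data = json.loads(body)
    records = data.get("result", [])
    if not isinstance(records, list):
        raise ValueError("unexpected response shape: 'result' is not a list")
    return records


def fetch_page(url, headers, opener=None):
    """Perform the GET; 'opener' is injectable so the flow can be exercised offline."""
    opener = opener or urllib.request.urlopen
    req = urllib.request.Request(url, headers=headers, method="GET")
    with opener(req) as resp:
        return resp.read().decode("utf-8")


def pull_dlp_alerts(token, index, days, ce_version, now=None, opener=None):
    """One initial-run pull: build the request, send it, return the parsed records."""
    url, headers = build_dataexport_request(
        TENANT_URL, token, DLP_ALERTS_ENDPOINT, index, initial_operation(days, now), ce_version
    )
    return parse_dataexport_page(fetch_page(url, headers, opener))


# Constructed sample response (not captured from a real tenant).
SAMPLE_BODY = json.dumps({
    "ok": 1,
    "result": [
        {"alert_type": "dlp", "timestamp": 1699400000, "user": "user1@example.com"},
        {"alert_type": "dlp", "timestamp": 1699450000, "user": "user2@example.com"},
    ],
})


class _FakeResponse:
    """Minimal stand-in for the object urlopen returns."""
    def __init__(self, body):
        self._body = body.encode("utf-8")
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Offline opener: records the request and serves the constructed body."""
    fake_opener.last_request = req
    return _FakeResponse(SAMPLE_BODY)


if __name__ == "__main__":
    for rec in pull_dlp_alerts("PLACEHOLDER_TOKEN", "ce-dlp-1", 7, "5.0.1",
                               now=1700000000, opener=fake_opener):
        print(rec["timestamp"], rec["user"])
    print(fake_opener.last_request.full_url)
```

Replace fake_opener with the default (urllib's urlopen) and the placeholder hostname and token with your tenant's values to run it against a real tenant; the index value is the iterator name the plugin uses to keep its place between runs, so use a distinct one per configuration and event type.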

Workflow

  1. Configure the Netskope plugin for Log Shipper.
  2. Add a Log Shipper Business Rule.
  3. Configure a 3rd-party Log Shipper plugin.
  4. Configure Log Shipper SIEM mappings.
  5. Validate the Netskope plugin for Log Shipper.

Configure the Netskope Plugin for Log Shipper

  1. In Cloud Exchange, go to Settings > General and enable the Log Shipper module.
  2. Go to Log Shipper and click Plugins > Configure New Plugin.
  3. Search for and select the Netskope (CLS) box to open the plugin creation page.
  4. Enter a Configuration Name.
  5. Select your Tenant from the dropdown.
  6. Click Next.
  7. Choose Event Types. (This will filter events based on types you select.)
  8. Enter the number of days of data to pull for the initial run.
  9. Click Save.

Create a Business Rule for Log Shipper

  1. In Log Shipper, go to Business Rules.
  2. Click Create New Rule.
  3. By default, we have a business rule that filters all alerts and events. If you want to filter out any specific types of alerts or events, click Create New Rule and configure a new business rule by adding the rule name and filter.
  4. Click Save.

Configure SIEM Mappings for the Log Shipper

Before you can configure SIEM mappings here, you need to create a 3rd-party plugin to map to. Refer to the documentation for steps to configure a 3rd-party plugin. After you have created a 3rd-party plugin, use the following section to add SIEM mappings.

  1. In Log Shipper, go to SIEM Mappings.
  2. Click Add SIEM Mappings.
  3. Use the Source and Destination Configuration dropdowns to determine the SIEM mapping. Select the Netskope Log Shipper plugin for the Source, and the 3rd-party plugin as the Destination.
  4. Click the Business Rule dropdown and select the Business rule you created previously.
  5. Click Save.

After the SIEM mapping is saved, data is pulled from the Netskope tenant, transformed, and ingested into the 3rd-party plugin's platform.

Validate the Netskope Log Shipper Plugin

Validating Events and Alerts are Present in Tenant

To validate that Events/Alerts are present in the Netskope tenant:

  1. Log in to Netskope Tenant.
  2. Click Skope IT.
  3. Click Alerts > Add Filter and define the Last x Days according to your needs.
  4. For Events, go to Skope IT > Application Events, Skope IT > Page Events, or Skope IT > Network Events.
  5. For Audit Events, go to Settings > Administrator > Audit Log.

Validate the Pull

To validate that Events/Alerts are being pulled from the Netskope tenant:

  1. Go to Logging in Cloud Exchange and search for the pulled logs.

Validate the Push

To validate the end-to-end plugin workflow:

  1. Go to Logging and search for ingested events using the filter "message contains ingested".
  2. The log list is filtered to the ingestion messages, one per batch pushed to the 3rd-party plugin.