Ticket Orchestrator v.1.0.0 Plugin
This document explains how to configure the Cloud Exchange integration with the Cloud Ticket Orchestrator module of the Netskope Cloud Exchange platform.
Prerequisites
To complete this configuration, you need a Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
CE Version Compatibility
This plugin is compatible with all the supported Netskope CE Versions.
Netskope Ticket Orchestrator Plugin Support
This plugin is used to pull alerts data from the Netskope Tenant and store them in Netskope CE.
Types of Data Supported
Data Type | Supported |
---|---|
Alert Types | Yes |
Supported Alert types for notifications | Anomaly, Compromised Credentials, policy, Legal Hold, malsite, Malware, DLP, Security Assessment, watchlist, quarantine, Remediation, uba, ctep, ips, c2 |
Mappings
Netskope API Fields | Netskope CE Fields |
---|---|
_id | id |
alert_name | alertName |
alert_type | alertType |
app | app |
appcategory | appCategory |
type | type |
user | user |
timestamp | time |
raw_fields | rawAlert |
Permissions
Access to the required permissions is available in the v2 REST API scopes.
API Details
List of APIs used
API Endpoint | Method | Use Case |
---|---|---|
/api/v2/events/dataexport/alerts/compromisedcredential | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/dlp | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/malware | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/remediation | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/securityassessment | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/ctep | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/malsite | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/policy | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/quarantine | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/uba | GET | Pull the data from Netskope tenant |
/api/v2/events/dataexport/alerts/watchlist | GET | Pull the data from Netskope tenant |
Pull the Data from Netskope Tenant
This section shows the API parameters for one of the above-mentioned APIs. To see the API response for the other APIs, use the Swagger API documentation provided by your Netskope tenant.
API Endpoint: /api/v2/events/dataexport/alerts/dlp
Method: GET
Parameters:
index: <name of the iterator index>
operation: <epoch time from which to fetch the data>
Headers:
Netskope-Api-Token: <V2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response:
To access the API Response view, log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation. From there, you will be able to request the API mentioned above and obtain the desired API response.
User Agent
The user-agent added in this plugin is in the following format:
netskope-ce-<ce_version>
For example: netskope-ce-5.0.1
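The request described in the API Details and User Agent sections, as an added example that is not code from the Netskope plugin: it builds the documented dataexport request (endpoint, index/operation parameters, headers, user agent) and maps a pulled alert onto the CE fields from the Mappings table. Assumptions not stated on the page: the tenant hostname, the response being a JSON object with a "result" list of alerts, and the pluggable `fetch` parameter, which lets the example run offline against a constructed response.

```python
"""Added example (not Netskope's plugin code): build the documented dataexport
request and map a pulled alert onto the CE field names.
Assumptions: tenant hostname, a JSON response holding a "result" list, and a
pluggable `fetch` so the example runs offline against a constructed response.
"""
import json
import urllib.parse
import urllib.request

# Endpoints from the "List of APIs used" table, keyed by alert type.
ALERT_ENDPOINTS = {
    "compromisedcredential": "/api/v2/events/dataexport/alerts/compromisedcredential",
    "dlp": "/api/v2/events/dataexport/alerts/dlp",
    "malware": "/api/v2/events/dataexport/alerts/malware",
    "remediation": "/api/v2/events/dataexport/alerts/remediation",
    "securityassessment": "/api/v2/events/dataexport/alerts/securityassessment",
    "ctep": "/api/v2/events/dataexport/alerts/ctep",
    "malsite": "/api/v2/events/dataexport/alerts/malsite",
    "policy": "/api/v2/events/dataexport/alerts/policy",
    "quarantine": "/api/v2/events/dataexport/alerts/quarantine",
    "uba": "/api/v2/events/dataexport/alerts/uba",
    "watchlist": "/api/v2/events/dataexport/alerts/watchlist",
}

# Netskope API field -> Netskope CE field, from the Mappings table.
FIELD_MAP = {
    "_id": "id",
    "alert_name": "alertName",
    "alert_type": "alertType",
    "app": "app",
    "appcategory": "appCategory",
    "type": "type",
    "user": "user",
    "timestamp": "time",
}


def user_agent(ce_version):
    """User agent in the documented netskope-ce-<ce_version> format."""
    return f"netskope-ce-{ce_version}"


def build_request(tenant, alert_type, token, index, operation, ce_version):
    """Return (url, headers) for one documented alert endpoint."""
    query = urllib.parse.urlencode({"index": index, "operation": str(operation)})
    url = f"https://{tenant}{ALERT_ENDPOINTS[alert_type]}?{query}"
    headers = {
        "Netskope-Api-Token": token,
        "Accept": "application/json",
        "Content-Type": "application/json",
        "User-Agent": user_agent(ce_version),
    }
    return url, headers


def map_alert(raw):
    """Project a raw alert onto the CE field names; keep the whole alert as rawAlert."""
    ce = {ce_field: raw.get(api_field) for api_field, ce_field in FIELD_MAP.items()}
    ce["rawAlert"] = dict(raw)  # raw_fields -> rawAlert (assumed to hold the full alert)
    return ce


def http_fetch(url, headers):
    """Real GET against the tenant; only used when no offline fetch is injected."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def pull_alerts(tenant, alert_type, token, index, operation, ce_version, fetch=http_fetch):
    """Pull one page of alerts for `alert_type` and return them in CE field names."""
    url, headers = build_request(tenant, alert_type, token, index, operation, ce_version)
    body = fetch(url, headers)
    return [map_alert(a) for a in body.get("result", [])]


# Constructed sample response (the page points to the tenant's Swagger UI for real ones).
SAMPLE_RESPONSE = {
    "ok": 1,
    "result": [
        {"_id": "a1", "alert_name": "Block PII upload", "alert_type": "dlp",
         "app": "Box", "appcategory": "Cloud Storage", "type": "nspolicy",
         "user": "alice@example.com", "timestamp": 1700000100, "dlp_file": "report.xlsx"},
    ],
}


def demo():
    """Offline run: same request-building path, constructed response instead of HTTP."""
    return pull_alerts("example.goskope.com", "dlp", "<V2_Token>", "ce-ticket-orchestrator",
                       1700000000, "5.0.1", fetch=lambda url, headers: SAMPLE_RESPONSE)


if __name__ == "__main__":
    for alert in demo():
        print(alert["id"], alert["alertType"], alert["user"], alert["time"])
```

Keeping the token in a header rather than the query string matches the documented request and keeps it out of proxy and web-server access logs; the `rawAlert` copy preserves fields outside the mapping table (such as `dlp_file` in the constructed sample) for later rule evaluation.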
Workflow
- Configure the Netskope Ticket Orchestrator plugin.
- Create a Ticket Orchestrator Business Rule.
- Configure a 3rd-party plugin.
- Configure a Queue to create tickets based on the business rules.
- Validate the Netskope plugin.
Configure the Netskope Ticket Orchestrator Plugin
- In Cloud Exchange, go to Settings and enable the Ticket Orchestrator Module.
- Go to Ticket Orchestrator and click Plugins > Configure New Plugin.
- Search for and select the Netskope ITSM plugin box.
- On the Basic Information page, enter a Configuration Name.
- Adjust the Sync Interval to an appropriate value (5 minutes or more is suggested).
- Click Next to open the Filter Alerts page.
- Choose Alert Types. (This will filter alerts based on types you select.)
- Click Save.
Create a Ticket Orchestrator Business Rule
- In Ticket Orchestrator, click Business Rules > Create New Rule.
- Enter an appropriate Rule Name in the text box and build the appropriate filter query condition on the field(s) for the business rule. You can also type the query manually by pressing the Filter Query button.
- Click Save.
- To test the newly created business rule, click on the icon and enter a time period (in days) and click the Fetch button. This will show the number of alerts that are eligible for incident/ticket creation.
Configure a Queue
Before you can configure Queues here, you need to create a 3rd-party plugin to connect to. Refer to the documentation for steps to configure a 3rd-party plugin. After you have created a 3rd-party plugin, use the following section to add Queues.
- In Ticket Orchestrator, click Queues.
- Click Add Queue Configuration.
- Select the Business Rule created previously from the dropdown.
- Select the 3rd-party plugin you created from the Configuration dropdown.
- Select the Queues from the dropdown. This will list the groups available on the configured Target instance. The issues/tickets will be assigned to the selected group.
- Add/Map appropriate values between alerts and incidents under the Map Field section. An alert's attributes can be referenced with "$" in the custom message field. Click the Add button to add more field mappings.
- Click Save.
- Based on the business rule(s), issues/tickets for incoming alerts will be created automatically. To create issues/tickets for historical alerts, click the button on the configured queue, enter the time period (in days), and click the Fetch button. This will show the number of alerts that are eligible for issue/ticket creation. Click the Sync button to create issues/tickets for those alerts.
All the tickets created will be displayed on the Tickets page.
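The business rule, the Fetch count and the queue's Map Field step above, as an added example that is not Cloud Exchange code: it applies a rule to CE alerts, counts the alerts eligible for ticket creation over a look-back period in days (what the Fetch button reports), and renders the queue's mapped fields, resolving "$attribute" references from the alert. Assumptions: the rule is a dict of field to allowed values (the page does not show CE's filter query language); "$" references are resolved with Python's string.Template as an illustration of the documented syntax, not CE's implementation; the alerts are constructed.

```python
"""Added example (not Cloud Exchange code): business rule -> eligible alerts
-> ticket fields rendered from a Map Field config with $attribute references.
Assumptions: the rule format, string.Template as the "$" resolver, and the
constructed alerts are all illustrations, not CE's implementation.
"""
from string import Template

# Constructed CE alerts, already in the mapped field names.
ALERTS = [
    {"id": "a1", "alertName": "Block PII upload", "alertType": "dlp", "app": "Box",
     "appCategory": "Cloud Storage", "user": "alice@example.com", "time": 1700000100},
    {"id": "a2", "alertName": "Known malware", "alertType": "malware", "app": "Dropbox",
     "appCategory": "Cloud Storage", "user": "bob@example.com", "time": 1700000200},
    {"id": "a3", "alertName": "Block PII upload", "alertType": "dlp", "app": "Box",
     "appCategory": "Cloud Storage", "user": "carol@example.com", "time": 1600000000},
]

# Hypothetical business rule: every listed field must hold one of the allowed values.
DLP_STORAGE_RULE = {"alertType": {"dlp"}, "appCategory": {"Cloud Storage"}}

# Hypothetical queue Map Field config: ticket field -> template using $attribute.
MAP_FIELDS = {
    "title": "[$alertType] $alertName for $user",
    "description": "App: $app ($appCategory). Netskope alert id $id.",
    "priority": "high",
}


def matches_rule(alert, rule):
    """True when every rule field holds one of its allowed values."""
    return all(alert.get(field) in allowed for field, allowed in rule.items())


def eligible_alerts(alerts, rule, days, now):
    """Alerts matching the rule whose time falls inside the last `days` days."""
    cutoff = now - days * 86400
    return [a for a in alerts if matches_rule(a, rule) and a.get("time", 0) >= cutoff]


def render_fields(alert, map_fields):
    """Render each mapped field; report the first $name the alert cannot supply."""
    rendered, unresolved = {}, {}
    for field, template in map_fields.items():
        try:
            rendered[field] = Template(template).substitute(alert)
        except KeyError as missing:
            # A misspelled attribute is surfaced instead of silently producing a
            # ticket with a gap; safe_substitute keeps the literal $name visible.
            unresolved[field] = missing.args[0]
            rendered[field] = Template(template).safe_substitute(alert)
    return rendered, unresolved


def build_tickets(alerts, rule, map_fields, days, now):
    """(rendered fields, unresolved names) for every eligible alert."""
    return [render_fields(a, map_fields) for a in eligible_alerts(alerts, rule, days, now)]


if __name__ == "__main__":
    now = 1700000300
    print(len(eligible_alerts(ALERTS, DLP_STORAGE_RULE, 7, now)), "eligible alert(s)")
    for fields, missing in build_tickets(ALERTS, DLP_STORAGE_RULE, MAP_FIELDS, 7, now):
        print(fields["title"], "| unresolved:", missing)
```

Run with a larger look-back to see the historical alert a3 become eligible, which is the Fetch-then-Sync case the queue step describes; `render_fields` returning the unresolved names is the check worth running on a new Map Field configuration before tickets reach the 3rd-party system.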
Validate the Netskope Plugin for Ticket Orchestrator
Validating Alerts are Present in the Tenant
To validate Alerts from the Netskope Tenant:
- Log in to Netskope Tenant.
- Click Skope IT.
- Click Alerts and filter the Last x Days according to your needs.
Validate the Pull
To validate that alerts are being pulled from the Netskope tenant and stored in Netskope CE, go to Ticket Orchestrator > Alerts.
Validate the Push
Check logs to validate the successful creation of tickets.
If issues/tickets are not being created, look at the audit logs in Cloud Exchange. Go to Logging and look through the logs for errors.