Ticket Orchestrator v.1.0.0 Plugin

This document explains how to configure the Cloud Exchange integration with the Cloud Ticket Orchestrator module of the Netskope Cloud Exchange platform.

Prerequisites

To complete this configuration, you need a Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.

CE Version Compatibility

This plugin is compatible with all the supported Netskope CE Versions.

Netskope Ticket Orchestrator Plugin Support

This plugin is used to pull alert data from the Netskope tenant and store it in Netskope CE.

Types of Data Supported
  Alert Types: Yes
  Supported Alert types for notifications: Anomaly, Compromised Credentials, policy, Legal Hold, malsite, Malware, DLP, Security Assessment, watchlist, quarantine, Remediation, uba, ctep, ips, c2

Mappings
  Netskope API Fields    Netskope CE Fields
  _id                    id
  alert_name             alertName
  alert_type             alertType
  app                    app
  appcategory            appCategory
  type                   type
  user                   user
  timestamp              time
  raw_fields             rawAlert
Permissions

Access to the required permissions is available in the v2 REST API scopes.

API Details
List of APIs used
  API Endpoint                                               Method   Use Case
  /api/v2/events/dataexport/alerts/compromisedcredential     GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/dlp                       GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/malware                   GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/remediation               GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/securityassessment        GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/ctep                      GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/malsite                   GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/policy                    GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/quarantine                GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/uba                       GET      Pull the data from Netskope tenant
  /api/v2/events/dataexport/alerts/watchlist                 GET      Pull the data from Netskope tenant
Pull the Data from Netskope Tenant

This section shows the API parameters for one of the above-mentioned APIs. To see the API response for the other APIs, use the Swagger API documentation provided by the Netskope tenant.
API Endpoint: /api/v2/events/dataexport/alerts/dlp
Method: GET
Parameters:
Index: <name of the iterator index>
operation: <epoch time from which to fetch the data>
Headers:
Netskope-Api-Token: <V2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response:
To access the API Response view, log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation. From there, you will be able to request the API mentioned above and obtain the desired API response.
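The request described above and the Mappings table, as an added example that is not the plugin's own code: it assembles the GET request for one alerts endpoint (tenant host, token and CE version are placeholders; the query keys are lowercased, which is an assumption since the table writes "Index"), sets the documented user agent, and renames a pulled alert's fields to their Netskope CE names.

```python
from urllib.parse import urlencode

# Netskope API field -> Netskope CE field, copied from the Mappings table.
FIELD_MAP = {
    "_id": "id", "alert_name": "alertName", "alert_type": "alertType",
    "app": "app", "appcategory": "appCategory", "type": "type",
    "user": "user", "timestamp": "time", "raw_fields": "rawAlert",
}

# Constructed sample of a pulled alert (not a real tenant record).
SAMPLE_ALERT = {
    "_id": "alert-0001", "alert_name": "Sensitive data upload",
    "alert_type": "dlp", "app": "ExampleDrive", "appcategory": "Cloud Storage",
    "type": "nspolicy", "user": "user@example.com", "timestamp": 1700000000,
    "raw_fields": {"severity": "high"}, "unmapped_field": "not carried over",
}

def user_agent(ce_version: str) -> str:
    """User-Agent in the documented format netskope-ce-<ce_version>."""
    return f"netskope-ce-{ce_version}"

def build_pull_request(tenant: str, alert_type: str, index: str,
                       operation, token: str, ce_version: str) -> dict:
    """Method, URL and headers for one alerts dataexport endpoint.

    `index` names the iterator and `operation` is the epoch time to fetch
    from; the query keys are lowercased here (assumption, the table says Index).
    """
    path = f"/api/v2/events/dataexport/alerts/{alert_type}"
    query = urlencode({"index": index, "operation": str(operation)})
    return {
        "method": "GET",
        "url": f"https://{tenant}{path}?{query}",
        "headers": {
            "Netskope-Api-Token": token,  # secret: keep it out of logs
            "Accept": "application/json",
            "Content-Type": "application/json",
            "User-Agent": user_agent(ce_version),
        },
    }

def map_alert(raw: dict) -> dict:
    """Rename mapped fields; anything not in the Mappings table is dropped."""
    return {ce: raw[api] for api, ce in FIELD_MAP.items() if api in raw}
```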

User Agent

The user-agent added in this plugin is in the following format:
netskope-ce-<ce_version>
For example: netskope-ce-5.0.1

Workflow

  1. Configure the Netskope Ticket Orchestrator plugin.
  2. Create a Ticket Orchestrator Business Rule.
  3. Configure a 3rd-party plugin.
  4. Configure a Queue to create tickets based on the business rules.
  5. Validate the Netskope plugin.

Configure the Netskope Plugin for Ticket Orchestrator

  1. In Cloud Exchange, go to Settings and enable the Ticket Orchestrator Module.
  2. Go to Ticket Orchestrator and click Plugins > Configure New Plugin.
  3. Search for and select the Netskope ITSM plugin box.
  4. On the Basic Information page, enter a Configuration Name.
  5. Adjust the Sync Interval to an appropriate value; 5 minutes or more is suggested.
  6. Click Next to open the Filter Alerts page.
  7. Choose Alert Types. (This will filter alerts based on types you select.)
  8. Click Save.

Create Business Rules for Ticket Orchestrator

  1. In Ticket Orchestrator, click Business Rules > Create New Rule.
  2. Enter an appropriate Rule Name in the text box and build the appropriate filter query condition on the field(s) for the business rule. You can also type the query manually by pressing the Filter Query button.
  3. Click Save.
  4. To test the newly created business rule, click the icon next to the rule, enter a time period (in days), and click the Fetch button. This shows the number of alerts that are eligible for incident/ticket creation.

Create a Queue for Ticket Orchestrator

Before you can configure Queues here, you need to create a 3rd-party plugin to connect to. Refer to the documentation for steps to configure a 3rd-party plugin. After you have created a 3rd-party plugin, use the following section to add Queues.

  1. In Ticket Orchestrator, click Queues.
  2. Click Add Queue Configuration.
  3. Select the Business Rule created previously from the dropdown.
  4. Select the 3rd-party plugin you created from the Configuration dropdown.
  5. Select the Queues from the dropdown. This will list the groups available on the configured Target instance. The issues/tickets will be assigned to the selected group.
  6. Add or map the appropriate values between alerts and incidents under the Map Field section. Alert attributes can be referenced with "$" in the custom message field. Click the Add button to add more field mappings.
  7. Click Save.
  8. Based on the business rule(s), issues/tickets for incoming alerts are created automatically. To create issues/tickets for historical alerts, click the icon on the configured queue, enter the time period (in days), and click the Fetch button. This shows the number of alerts that are eligible for issue/ticket creation. Click the Sync button to create issues/tickets for those alerts.

All the tickets created will be displayed on the Tickets page.

Validate the Netskope Plugin for Ticket Orchestrator

Validating Alerts are Present in the Tenant

To validate Alerts from the Netskope Tenant:

  1. Log in to Netskope Tenant.
  2. Click Skope IT.
  3. Click Alerts and filter the Last x Days according to your needs.

Validate the Pull

To validate that alerts are being pulled from the Netskope tenant and stored in Netskope CE, go to Ticket Orchestrator > Alerts.

Validate the Push

Check logs to validate the successful creation of tickets.

If issues/tickets are not being created, look at the audit logs in Cloud Exchange. Go to Logging and look through the logs for errors.
