Configure the Netskope Plugin for User Risk Exchange

This document explains how to configure the Netskope integration with the User Risk Exchange workflow of the Netskope Cloud Exchange platform. This integration extracts users from UBA alerts and populates user scores from Netskope.

Prerequisites

To complete this configuration, you need a Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.

CE Version Compatibility

This plugin is compatible with all the supported Netskope CE Versions.

Netskope Plugin for User Risk Exchange Support

Type of data pulled: Users and their Risk Scores
Actions: Add to group, Remove from group, No action

Mappings

Netskope Pull Mapping

Netskope Field    Netskope CE Field
userkey           email
cci               score

Score Mapping

The score is normalized in Cloud Exchange using the formula below:

Netskope Score    Netskope Score Range
Critical          0-250
High              251-500
Medium            501-750
Low               751-1000

Permissions

You need access to the required permissions provided here for the v2 REST API scopes.

API Details

List of APIs Used

API Endpoint                    Method  Use Case
<SCIM_URL>/Users                GET     Get users from Netskope tenant
/api/v2/ubadatasvc/user/uci     POST    UBA License Verification
/api/v2/incidents/uba/getuci    POST    Fetch score for user
<SCIM_URL>/Groups               GET     Get the available groups for Users
<SCIM_URL>/Groups               POST    Create a Group.
<SCIM_URL>/Groups/{Group_ID}    PATCH   Add users in the Group.
<SCIM_URL>/Groups/{Group_ID}    PATCH   Remove users from the Group.

Get Users from the Netskope Tenant

API Endpoint: <SCIM_URL>/Users
Method: GET
Parameters:
appname: <names of applications, separated by ;>
Headers:
Authorization: Bearer <SCIM_KEY>
Sample API Response:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 1,
    "Resources": [
        {
            "id": "cf2c8dc0-8806-4007-b6cb-c4f5ee139f31",
            "externalId": " ",
            "userName": "",
            "active": true,
            "name": {
                "givenName": null,
                "familyName": null
            },
            "emails": [
                {
                    "type": "work",
                    "value": "",
                    "primary": true
                }
            ]
        }
    ],
    "itemsPerPage": 6,
    "startIndex": 1
}

UBA License Verification

API Endpoint: /api/v2/ubadatasvc/user/uci
Method: POST
Body:

{
  "user": "abc@gmail.com",
  "fromTime": 0
}

Headers:
Netskope-Api-Token: <V2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response:

{
    "userId": "abc@gmail.com",
    "confidences": []
}

Fetch Score for User

API Endpoint: /api/v2/incidents/uba/getuci
Method: POST
Body:

{"users": [""], "fromTime": 0, "capPerUser": 1}

Headers:
Netskope-Api-Token: <V2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response:
To access the API Response view, log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.

Get the Available Groups for Users

API Endpoint: <SCIM_URL>/Groups
Method: GET
Headers:
Authorization: Bearer <SCIM_KEY>
Accept: application/json
Content-Type: application/json
Sample API Response:

{
    "Resources": [
        {
            "displayName": "",
            "externalId": null,
            "id": ""
        }
    ],
    "itemsPerPage": 19,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "startIndex": 1,
    "totalResults": 19
}

Add Users to a Particular Group

API Endpoint: <SCIM_URL>/Groups/{GROUP_ID}
Method: PATCH
Body:

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "add", "path": "members", "value": [{"value": ""}]}
    ]
}

Headers:
Authorization: Bearer <SCIM_KEY>
Accept: application/json
Content-Type: application/json
Sample API Response:

Status: 204
Content-Type: text/xml

The response indicates a successful update of the group with a status code of 204 (No Content).

Remove a User from a Group

API Endpoint: <SCIM_URL>/Groups/{GROUP_ID}
Method: PATCH
Body:

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {
            "op": "remove",
            "path": "members",
            "value": [{"value": ""}]
        }
    ]
}

Headers:
Authorization: Bearer <SCIM_KEY>
Accept: application/json
Content-Type: application/json
Sample API Response:

Status: 204
Content-Type: text/xml

The response indicates a successful update of the group with a status code of 204 (No Content).
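
The following is an added example, not the plugin's own code: it ties the Score Mapping bands to the SCIM calls above by turning a set of user scores into the add and remove PatchOp bodies for one group. The reconciliation policy (leave unscored members alone, send no empty PATCH), the function names and the sample users, ids and scores are assumptions constructed for illustration.

```python
# Added example: score bands from the page's Score Mapping table (low score = high risk).
BANDS = [(0, 250, "critical"), (251, 500, "high"), (501, 750, "medium"), (751, 1000, "low")]
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def band_for(score):
    """Return the band for a 0-1000 integer score; reject anything else."""
    if isinstance(score, bool) or not isinstance(score, int):
        raise ValueError(f"score must be an integer, got {score!r}")
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside 0-1000")

def index_users(list_response):
    """Map lower-cased e-mail -> SCIM id from a <SCIM_URL>/Users ListResponse."""
    return {e["value"].lower(): r["id"]
            for r in list_response.get("Resources", [])
            for e in r.get("emails", []) if e.get("value")}

def patch_body(op, scim_ids):
    """Build the PatchOp body the page shows for 'add' or 'remove'."""
    return {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": op, "path": "members", "value": [{"value": i} for i in sorted(scim_ids)]}]}

def plan_group_sync(scores, users, members, bands):
    """Return (add_body, remove_body, unknown_emails) for one group.
    A body is None when nothing changes; unscored members are never removed."""
    index = index_users(users)
    known = {e: index[e.lower()] for e in scores if e.lower() in index}
    wanted = {sid for e, sid in known.items() if band_for(scores[e]) in bands}
    add = wanted - set(members)
    remove = (set(members) & set(known.values())) - wanted
    return (patch_body("add", add) if add else None,
            patch_body("remove", remove) if remove else None,
            sorted(set(scores) - set(known)))

# Constructed sample data (not real users, ids or scores).
USERS = {"Resources": [
    {"id": "id-alice", "emails": [{"type": "work", "value": "alice@example.com", "primary": True}]},
    {"id": "id-bob", "emails": [{"type": "work", "value": "Bob@example.com", "primary": True}]},
    {"id": "id-carol", "emails": [{"type": "work", "value": "carol@example.com", "primary": True}]}]}
SCORES = {"alice@example.com": 180, "bob@example.com": 760, "dave@example.com": 90}

if __name__ == "__main__":
    import json
    add, remove, unknown = plan_group_sync(SCORES, USERS, ["id-bob", "id-carol"], {"critical", "high"})
    print(json.dumps({"add": add, "remove": remove, "unknown": unknown}, indent=2))
```

Scored e-mail addresses with no matching SCIM user are returned in the third value so they can be logged instead of silently dropped.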

User Agent

The user-agent added in this plugin is in the following format:

netskope-ce-<ce_version>

For example:

 netskope-ce-5.0.1

Workflow

  1. Obtain your SCIM Server URL and SCIM Key from your Netskope Tenant.
  2. Configure the Netskope plugin for User Risk Exchange.
  3. Configure User Risk Exchange Business Rules for the Netskope plugin.
  4. Configure a User Risk Exchange 3rd-party plugin.
  5. Configure User Risk Exchange Actions for the Netskope plugin.
  6. Validate the Netskope plugin for User Risk Exchange.

Get your SCIM Server URL and SCIM Key

  1. Log in to the Netskope UI.
  2. Go to Settings > Tools > Directory Tools.
  3. Select the SCIM Integration tab from the top of the page.
  4. Make note of the SCIM Server URL.
  5. Click New Auth Token, enter a Client name, and click Generate Token.
  6. Save the token and use it for the SCIM Key when configuring the Netskope plugin.

Configure the Netskope Plugin for User Risk Exchange

  1. In Cloud Exchange, go to Settings and enable the User Risk Exchange Module.
  2. Go to User Risk Exchange and click Plugins > Configure New Plugin.
  3. Select the Netskope (CRE) box to open the plugin creation page.
  4. Enter a configuration name, select your Netskope tenant from the dropdown, and click Next.
  5. Enter your SCIM Server URL and SCIM Key obtained earlier, and then click Next.
  6. Select the range of scores.
  7. Click Save.

Configure Business Rules for User Risk Exchange

  1. Go to User Risk Exchange and click Business Rules.
  2. Click Create New Rule.
  3. Select the options in the filter that you want to use. From the dropdowns, select a field, an operator, and a value. For example: Aggregate Score Grouping – Any in – medium.
  4. Click on Save.

You can see what your users’ scores are by going to Users in the Risk Exchange left panel.

Configure Actions for User Risk Exchange

Before you can configure actions here, you need to create a 3rd-party plugin to connect with. Refer to the documentation for steps to configure a 3rd-party plugin. After you have created a 3rd-party plugin, use these steps to configure actions.

  1. Go to User Risk Exchange and click Actions.
  2. Click Add Action Configuration.
  3. On the Business Rule dropdown, select the Business rule you created.
  4. On the Configuration dropdown, select your 3rd-party User Risk Exchange plugin.
  5. From the Actions dropdown, select the Add to Group, Remove from Group, or No Action options.
    • Add to Group: When triggered, users are added to that group.
    • Remove from Group: When triggered, users are removed from that group.
    • No Action: This does not perform any actions on users.
  6. Enable the Generate Alert toggle. This ensures that new alerts are added in the Ticket Orchestrator module whenever this action is executed. Make sure to enable the CTO (Ticket Orchestrator) module from Settings > General.
  7. If you wish to perform an action during the Maintenance Window, enable the Perform action during Maintenance Window toggle, and the Action will be performed during the Maintenance Window; otherwise, it will be performed instantly.
  8. Click Save.
  9. Click Sync.
  10. Add Time Period and click Fetch, and the number of IoCs will be shared when you click Sync.

Validate the Netskope Plugin for User Risk Exchange

Validate UBA Alerts are present in Skope IT

  1. Log in to your Netskope Tenant.
  2. Click Skope IT.
  3. Click Users > User Name.
  4. For UBA Alerts, click Skope IT > Alerts > Add Filter > Alert Type, then select Uba and click Apply.

Validate the Netskope Plugin for User Risk Exchange

To verify the Users pulled from the Netskope URE, go to Risk Exchange > Users.

Validate the Pulling of Users

To validate the pulling of UBA Alerts from the Netskope tenant, go to Logging in Cloud Exchange and search for the pulled logs.