Configure the Netskope Plugin for User Risk Exchange
This document explains how to configure the Netskope integration with the User Risk Exchange workflow of the Netskope Cloud Exchange platform. This integration extracts users from UBA alerts and populates user scores from Netskope.
Prerequisites
To complete this configuration, you need a Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
CE Version Compatibility
This plugin is compatible with all the supported Netskope CE Versions.
Netskope Plugin for User Risk Exchange Support
Type of data pulled | Users and their Risk Scores |
Actions | Add to group, Remove from group, No action |
Mappings
Netskope Pull Mapping
Netskope Field | Netskope CE Field |
---|---|
userkey | |
cci | score |
Score Mapping
The score is normalized in Cloud Exchange using the mapping below:
Netskope Score | Netskope Score Range |
---|---|
Critical | 0-250 |
High | 251-500 |
Medium | 501-750 |
Low | 751-1000 |
Permissions
The v2 REST API token used by this plugin needs the scopes for the v2 endpoints listed under API Details.
API Details
List of APIs Used
API Endpoint | Method | Use Case |
---|---|---|
<SCIM_URL>/Users | GET | Get users from the Netskope tenant |
/api/v2/ubadatasvc/user/uci | POST | UBA license verification |
/api/v2/incidents/uba/getuci | POST | Fetch score for a user |
<SCIM_URL>/Groups | GET | Get the available groups for users |
<SCIM_URL>/Groups | POST | Create a group |
<SCIM_URL>/Groups/{GROUP_ID} | PATCH | Add users to the group |
<SCIM_URL>/Groups/{GROUP_ID} | PATCH | Remove users from the group |
Get Users from the Netskope Tenant
API Endpoint: <SCIM_URL>/Users
Method: GET
Parameters:
appname: <application names, separated by ;>
Headers:
Authorization: Bearer {SCIM_KEY}
Sample API Response:
{ "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ], "totalResults": 1, "Resources": [ { "id": "cf2c8dc0-8806-4007-b6cb-c4f5ee139f31", "externalId": " ", "userName": "", "active": true, "name": { "givenName": null, "familyName": null }, "emails": [ { "type": "work", "value": "", "primary": true } ] } ], "itemsPerPage": 6, "startIndex": 1 }
UBA License Verification
API Endpoint: /api/v2/ubadatasvc/user/uci
Method: POST
Body:
{ "user": "abc@gmail.com", "fromTime": 0 }
Headers:
Netskope-Api-Token: <V2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response:
{ "userId": "abc@gmail.com", "confidences": [] }
Fetch Score for User
API Endpoint: /api/v2/incidents/uba/getuci
Method: POST
Body:
{"users": [""], "fromTime": 0, "capPerUser": 1}
Headers:
Netskope-Api-Token: <V2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response:
To access the API Response view, log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.
Get the Available Groups for Users
API Endpoint: <SCIM_URL>/Groups
Method: GET
Headers:
Authorization: Bearer <SCIM_KEY>
Accept: application/json
Content-Type: application/json
Sample API Response:
{ "Resources": [ { "displayName": "", "externalId": null, "id": "" } ], "itemsPerPage": 19, "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ], "startIndex": 1, "totalResults": 19 }
Add Users to a Particular Group
API Endpoint: <SCIM_URL>/Groups/{GROUP_ID}
Method: PATCH
Body:
{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [ {"op": "add", "path": "members", "value": [{"value": ""}]} ] }
Headers:
Authorization: Bearer <SCIM_KEY>
Accept: application/json
Content-Type: application/json
Sample API Response:
Status: 204
Content-Type: text/xml
The response indicates a successful update of the group with a status code of 204 (No Content).
Remove a User from a Group
API Endpoint: <SCIM_URL>/Groups/{GROUP_ID}
Method: PATCH
Body:
{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [ { "op": "remove", "path": "members", "value": [{"value": ""}] } ] }
Headers:
Authorization: Bearer <SCIM_KEY>
Accept: application/json
Content-Type: application/json
Sample API Response:
Status: 204
Content-Type: text/xml
The response indicates a successful update of the group with a status code of 204 (No Content).
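The following is an added example written for this page; it is not Netskope's plugin code or any Netskope library. It puts the calls documented above into one small client: the Score Mapping table as a lookup that rejects anything outside 0-1000, the v2 endpoints (Netskope-Api-Token header) for UBA license verification and score fetch, and the SCIM endpoints (Bearer SCIM key) for listing groups and patching members, with the User-Agent format described below. The `UreClient` and `fake_send` names, the `send` transport signature, the `startIndex`/`count` paging query parameters (standard SCIM, RFC 7644; whether the tenant honours them is an assumption), and every sample value are constructed for the example. The getuci response body is not documented on this page, so the client returns it parsed but unmapped.

```python
# Added example, not Netskope's plugin code: a minimal client for the API calls listed
# above. Assumed (not on the page): the `send` transport signature, SCIM `startIndex`/
# `count` paging parameters (RFC 7644), all class/function names, and every sample value.
import json
from typing import Callable, Dict, Iterator, List, Optional, Tuple

SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Score Mapping table from the page: inclusive score ranges per risk level.
SCORE_RANGES = (("Critical", 0, 250), ("High", 251, 500),
                ("Medium", 501, 750), ("Low", 751, 1000))
# Transport shape (assumed): (method, url, headers, body) -> (status, response_text).
Send = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]


def risk_level(score) -> Optional[str]:
    """Map a 0-1000 Netskope score to its level; None for anything that is not one."""
    if isinstance(score, bool) or not isinstance(score, int):
        return None
    for level, low, high in SCORE_RANGES:
        if low <= score <= high:
            return level
    return None


class UreClient:
    def __init__(self, tenant_url: str, v2_token: str, scim_url: str,
                 scim_key: str, send: Send, ce_version: str = "5.0.1"):
        self._tenant, self._scim = tenant_url.rstrip("/"), scim_url.rstrip("/")
        self._v2_token, self._scim_key, self._send = v2_token, scim_key, send
        self.user_agent = f"netskope-ce-{ce_version}"  # User-Agent format from the page
    def _call(self, method: str, url: str, auth: Dict[str, str], body=None):
        headers = {"Accept": "application/json", "Content-Type": "application/json",
                   "User-Agent": self.user_agent, **auth}
        status, text = self._send(method, url, headers,
                                  None if body is None else json.dumps(body))
        if status >= 400:  # report failures without echoing headers: they hold the secrets
            raise RuntimeError(f"{method} {url} -> HTTP {status}")
        return status, text
    def _v2(self, path: str, body: dict) -> dict:  # REST API v2 calls: token header
        _, text = self._call("POST", self._tenant + path,
                             {"Netskope-Api-Token": self._v2_token}, body)
        return json.loads(text)
    def _scim_call(self, method: str, path: str, body=None):  # SCIM calls: bearer key
        return self._call(method, self._scim + path,
                          {"Authorization": f"Bearer {self._scim_key}"}, body)
    def verify_uba_license(self, user: str) -> dict:
        return self._v2("/api/v2/ubadatasvc/user/uci", {"user": user, "fromTime": 0})
    def fetch_scores(self, users: List[str]) -> dict:
        # The response layout lives only in the tenant's API documentation (see above),
        # so the parsed body is returned as-is for the caller to map through risk_level().
        return self._v2("/api/v2/incidents/uba/getuci",
                        {"users": users, "fromTime": 0, "capPerUser": 1})
    def iter_resources(self, path: str, page_size: int = 100) -> Iterator[dict]:
        """Walk a SCIM ListResponse page by page via startIndex/itemsPerPage/totalResults."""
        start = 1
        while True:
            _, text = self._scim_call("GET", f"{path}?startIndex={start}&count={page_size}")
            page = json.loads(text)
            if SCIM_LIST not in page.get("schemas", []):
                raise ValueError("not a SCIM ListResponse")
            resources = page.get("Resources", [])
            yield from resources
            start += len(resources)
            if not resources or start > int(page.get("totalResults", 0)):
                break
    def list_groups(self) -> Dict[str, str]:
        """displayName -> id, so an action configured by group name can resolve the ID."""
        return {g["displayName"]: g["id"] for g in self.iter_resources("/Groups")}
    def _patch_members(self, group_id: str, op: str, user_ids: List[str]) -> bool:
        body = {"schemas": [SCIM_PATCH], "Operations": [
            {"op": op, "path": "members", "value": [{"value": u} for u in user_ids]}]}
        status, _ = self._scim_call("PATCH", f"/Groups/{group_id}", body)
        return status == 204  # 204 No Content: group updated, no body to parse
    def add_to_group(self, group_id: str, user_ids: List[str]) -> bool:
        return self._patch_members(group_id, "add", user_ids)
    def remove_from_group(self, group_id: str, user_ids: List[str]) -> bool:
        return self._patch_members(group_id, "remove", user_ids)


# Constructed offline transport standing in for a tenant (two one-item Groups pages).
_GROUP_PAGES = {1: [{"displayName": "High Risk", "externalId": None, "id": "g-1"}],
                2: [{"displayName": "Quarantine", "externalId": None, "id": "g-2"}]}


def fake_send(method: str, url: str, headers: Dict[str, str], body: Optional[str]):
    path, _, query = url.partition("?")
    if method == "GET" and path.endswith("/Groups"):
        start = int(dict(p.split("=") for p in query.split("&"))["startIndex"])
        return 200, json.dumps({"schemas": [SCIM_LIST], "totalResults": 2, "itemsPerPage": 1,
                                "startIndex": start, "Resources": _GROUP_PAGES.get(start, [])})
    if method == "PATCH" and "/Groups/" in path:
        return 204, ""
    if method == "POST" and path.endswith("/ubadatasvc/user/uci"):
        return 200, json.dumps({"userId": json.loads(body)["user"], "confidences": []})
    if method == "POST" and path.endswith("/incidents/uba/getuci"):
        return 200, "{}"  # placeholder only; the real layout is in the tenant's API docs
    return 404, ""
```

Two design points worth carrying into a real integration: the error path never includes the request headers, because both the SCIM key and the v2 token travel in them, and the group PATCH treats only a 204 as success rather than trying to parse a body that the endpoint does not return.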
User Agent
The user-agent added in this plugin is in the following format:
netskope-ce-<ce_version>
For example:
netskope-ce-5.0.1
Workflow
- Obtain your SCIM Server URL and SCIM Key from your Netskope Tenant.
- Configure the Netskope plugin for User Risk Exchange.
- Configure User Risk Exchange Business Rules for the Netskope plugin.
- Configure a User Risk Exchange 3rd-party plugin.
- Configure User Risk Exchange Actions for the Netskope plugin.
- Validate the Netskope plugin for User Risk Exchange.
Obtain Your SCIM Server URL and SCIM Key
- Log in to the Netskope UI.
- Go to Settings > Tools > Directory Tools.
- Select the SCIM Integration tab from the top of the page.
- Make note of the SCIM Server URL.
- Click New Auth Token, enter a Client name, and click Generate Token.
- Save the token and use it for the SCIM Key when configuring the Netskope plugin.
Configure the Netskope Plugin for User Risk Exchange
- In Cloud Exchange, go to Settings and enable the User Risk Exchange Module.
- Go to User Risk Exchange and click Plugins > Configure New Plugin.
- Select the Netskope (CRE) box to open the plugin creation page.
- Enter a configuration name, select your Netskope tenant from the dropdown, and click Next.
- Enter your SCIM Server URL and SCIM Key obtained earlier, and then click Next.
- Select the range of scores.
- Click Save.
Configure User Risk Exchange Business Rules for the Netskope Plugin
- Go to User Risk Exchange and click Business Rules.
- Click Create New Rule.
- Select the options in the filter that you want to use. From the dropdowns, select a field, an operator, and a value. For example: Aggregate Score Grouping – Any in – medium.
- Click on Save.
You can see what your users’ scores are by going to Users in the Risk Exchange left panel.
Configure User Risk Exchange Actions for the Netskope Plugin
Before you can configure actions here, you need to create a 3rd-party plugin to connect with. Refer to the documentation for steps to configure a 3rd-party plugin. After you have created a 3rd-party plugin, use these steps to configure actions.
- Go to User Risk Exchange and click Actions.
- Click Add Action Configuration.
- On the Business Rule dropdown, select the Business rule you created.
- On the Configuration dropdown, select your 3rd-party User Risk Exchange plugin.
- From the Actions dropdown, select the Add to Group, Remove from Group, or No Action option.
- Add to Group: When triggered, users are added to that group.
- Remove from Group: When triggered, users are removed from that group.
- No Action: No action is performed on users.
- Enable the Generate Alert toggle to add a new alert in the Ticket Orchestrator module whenever this action is executed. Make sure the CTO (Ticket Orchestrator) module is enabled under Settings > General.
- To defer the action to the Maintenance Window, enable the Perform action during Maintenance Window toggle; otherwise, the action is performed immediately.
- Click Save.
- Click Sync.
- Add a Time Period and click Fetch; the number of IoCs pulled is shown when you click Sync.
Validate the Netskope Plugin for User Risk Exchange
- Log in to your Netskope Tenant.
- Click Skope IT.
- Click Users > User Name.
- For UBA alerts, click Skope IT > Alerts > Add Filter, select Alert Type, choose UBA, and click Apply.