CrowdStrike LogScale Plugin for Log Shipper

CrowdStrike LogScale Plugin for Log Shipper

This document explains how to ingest Netskope Alerts, Events, and Web transaction logs in JSON format from your Netskope tenant to the CrowdStrike LogScale using Cloud Exchange with the CLS CrowdStrike LogScale plugin. The plugin transforms and ingests the alerts, events, and WebTX logs into the CrowdStrike LogScale HTTP Event Collector.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
  • A Netskope Cloud Exchange tenant with the WebTx plugin already configured.
  • Your LogScale configuration parameters.
  • Connectivity to the CrowdStrike LogScale Platform. Example: https://cloud.community.humio.com.
LogScale Plugin Support

The Crowdstrike LogScale plugin is used to ingest Netskope Events, Netskope Alerts data & Web Transaction data in JSON format to the LogScale platform.

Event Support

Yes

Alert Support

Yes

WebTx Support

Yes

All Netskope events, alert logs, and web transaction logs will be shared.

Compatibility

Netskope CE: v4.2.0, v5.0.0

Permissions

For generating the Ingest Token, make sure your user account has the Change ingest tokens option. If not, contact your Organization Owner to generate and provide the Change ingest tokens access for your user.

API Details
List of APIs Used
API Endpoint Method Use Case
/api/v1/ingest/hec POST Ingest data to Crowdstrike LogScale
Ingest Data

API Endpoint: /api/v1/ingest/hec
Method: POST
Parameters:
N/A
Headers:
Authorization: Bearer <API Token>
Content-Type: application/json
Data:

{"event": {"x-cs-app": "bwlviwkwep", "x-category": 0, "x-other-category": 0, "x-c-country": 0, "x-c-zipcode": 0, "x-c-latitude": 0, "x-c-longitude": 0, "severity": "low", "cs-content-type": "cs-content-type", "_id": "224663acb2caf3ed8f833dd1", "justification_type": 54, "_insertion_epoch_timestamp": 1659017873, "access_method": "Client", "activity": "Upload", "activity_status": "Access Denied", "alert": "no", "app": "Alfresco", "app_session_id": 3606717343140728736, "appcategory": "Business Process Management", "browser": "Chrome", "browser_session_id": 2888757212810986401, "browser_version": "54.0.2840.90", "category": "Business Process Management", "cci": 56, "ccl": "low", "connection_id": 465830538214629538, "count": 1, "device": "Windows Device", "device_classification": "unmanaged", "dst_country": "US", "dst_geoip_src": 1, "dst_latitude": 47.682899, "dst_location": "Redmond", "dst_longitude": -122.120903, "dst_region": "Washington", "dst_timezone": "America/Los_Angeles", "dst_zipcode": "98052", "dstip": "13.107.6.151", "file_size": 105224532, "instance_id": "autoskope", "managed_app": "yes", "md5": "018c06f8ebef9e4c2ee6075db5825e24", "object": "TestResult_20170904-002256_demo.jpg", "object_type": "File", "organization_unit": "", "os": "Windows Server 2012", "os_version": "Windows Server 2012", "other_categories": ["Cloud Storage"], "page": " ", "page_site": "alfresco.com", "parent_id": "/personal/autotest3_autoskope_com/Documents", "policy": "abc_ga_ti", "alert_name": "Malware found", "referer": "https:// ", "site": "Alfresco.com", "slc_latitude": 13.0878400803, "slc_longitude": 80.2784729004, "src_country": "IN", "src_geoip_src": 2, "src_latitude": 12.8996, "src_location": "Chennai", "src_longitude": 80.2209, "src_region": "Tamil Nadu", "src_timezone": "N/A", "src_zipcode": "600001", "srcip": "52.172.6.204", "telemetry_app": "", "traffic_type": "CloudApp", "transaction_id": 1131464417688413744, "type": "nspolicy", "ur_normalized": "valeri.bradshaw@kkrlogistics.com", "url": "autoskope-my.sharepoint.com/personal/autotest3_autoskope_com/_api/web/GetFolderByServerRelativeUrl(@a1)/Files/Add(url=@a2,overwrite=@a3)", "user": "Valeri.Bradshaw@kkrlogistics.com", "userip": "10.0.0.5", "userkey": "v@kkrlogistics.com", "@timestamp": "2022-07-28T14:17:49Z"}}
{"event": {"_id": "224663acb2caf3ed8f833dd2", "justification_type": 23, "_insertion_epoch_timestamp": 1659017873, "access_method": "Client", "severity": "medium", "activity": "Upload", "activity_status": "Access Denied", "alert": "no", "app": "Alfresco", "app_session_id": 3606717343140728736, "appcategory": "Business Process Management", "browser": "Chrome", "browser_session_id": 2888757212810986401, "browser_version": "54.0.2840.90", "category": "Business Process Management", "cci": 56, "ccl": "low", "policy": "abc_ga_ti", "alert_name": "Malware found", "connection_id": 465830538214629538, "count": 1, "device": "Windows Device", "device_classification": "unmanaged", "dst_country": "US", "dst_geoip_src": 1, "dst_latitude": 47.682899, "dst_location": "Redmond", "dst_longitude": -122.120903, "dst_region": "Washington", "dst_timezone": "America/Los_Angeles", "dst_zipcode": "98052", "dstip": "13.107.6.151", "file_size": 105224532, "instance_id": "autoskope", "managed_app": "yes", "md5": "018c06f8ebef9e4c2ee6075db5825e24", "object": "TestResult_20170904-002256_demo.jpg", "object_type": "File", "organization_unit": "", "os": "Windows Server 2012", "os_version": "Windows Server 2012", "other_categories": ["Cloud Storage"], "page": " ", "page_site": "alfresco.com", "parent_id": "/personal/autotest3_autoskope_com/Documents", "referer": "https:// ", "site": "Alfresco.com", "slc_latitude": 13.0878400803, "slc_longitude": 80.2784729004, "src_country": "IN", "src_geoip_src": 2, "src_latitude": 12.8996, "src_location": "Chennai", "src_longitude": 80.2209, "src_region": "Tamil Nadu", "src_timezone": "N/A", "src_zipcode": "600001", "srcip": "52.172.6.204", "telemetry_app": "", "traffic_type": "CloudApp", "transaction_id": 1131464417688413744, "type": "nspolicy", "ur_normalized": "valeri.bradshaw@kkrlogistics.com", "url": "autoskope-my.sharepoint.com/personal/autotest3_autoskope_com/_api/web/GetFolderByServerRelativeUrl(@a1)/Files/Add(url=@a2,overwrite=@a3)", "user": "Valeri.Bradshaw@kkrlogistics.com", "userip": "10.0.0.5", "userkey": "v@kkrlogistics.com", "@timestamp": "2022-07-28T14:17:49Z"}}

API Request Endpoint:

https://cloud.community.humio.com/api/v1/ingest/hec

Sample API Response:

 {
    "text": "Success",
    "code": 0,
    "eventCount": 2
}
Performance Matrix

This performance reading is for a Large Stack CE tested with these VM specifications. These readings are added considering that it will ingest 10K alerts and events in 15 seconds, and 7K WebTx logs in 16 seconds.

Stack Size

Large

Core: 16

RAM: 32 GB

Alerts/Events ingested to a 3rd-party SIEM

200K EPM

WebTx ingested to a 3rd-party SIEM

6 MBps

User Agent

The user agent added in this plugin is in the following format:

 netskope-ce-<ce_version>-<module>-<plugin_name>-v<plugin_version>

For example:

netskope-ce-5.0.0-cls-crowdstrike-logscale/1.1.0

Workflow

  1. Get your LogScale configuration parameters.
  2. Configure the LogScale plugin.
  3. Configure Log Shipper Business Rules for LogScale.
  4. Configure Log Shipper SIEM Mappings for LogScale.
  5. Validate the LogScale plugin.

Click play to watch a video.

 

Get your LogScale Configuration Parameters

Following configuration parameters are needed to configure the CrowdStrike LogScale plugin for Netskope Log Shipper.

  • CrowdStrike LogScale Host: URL of your CrowdStrike LogScale Platform.
  • Ingest Token: An Ingest Token is a unique string that identifies a repository and allows you to send data to that repository.

Generate an Ingest Token

  1. Log in to your CrowdStrike LogScale instance.
  2. Select your repository from the repositories and views page and click Settings.
  3. Go to Ingest tokens and click Add token.
  4. Add a Token name and select a JSON parser by selecting a JSON parser from the Assigned parser list.
  5. Click Save.
  6. Click on the eye icon on the Ingest Token page for the token you have created, you will see your Ingest token value. Copy it to use while configuring the plugin.

Configure the CrowdStrike LogScale Plugin

  1. Go to Settings > Plugins. Search for and select the CLS CrowdStrike LogScale plugin to open the plugin creation pages.
  2. Add a Configuration Name and make sure the CrowdStrike LogScale Default Mapping is selected.

    Disable the toggle button that is used to transform the raw logs, as the plugin only supports sharing of JSON formatted data.

  3. Click Next and enter these parameters:
    • CrowdStrike LogScale Host
    • Ingest Token

  4. Click Save. Your new plugin configuration can be seen at Log Shipper > Plugin.

Configure a Log Shipper Business Rule for LogScale

  1. Go to Log Shipper > Business Rule, and by default, there’s a business rule that filters all alerts and events.
  2. If you want to filter out any specific type of alert or event, click Create New Rule and configure a new business rule by adding the rule name and filter. When finished, click Save.

Configure Log Shipper SIEM Mappings for LogScale

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping. After the SIEM mapping is added, the data will start to pull from your Netskope tenant, transformed, and ingested to the CrowdStrike LogScale platform.
  2. Select the Source plugin (Netskope CLS), Destination plugin (CrowdStrike LogScale plugin), and the business rule, and then click Save.
  3. For ingestion of WebTransaction, create another SIEM mapping and select the Netskope WebTx plugin in Source and CrowdStrike LogScale plugin in Destination, and then click Save.

Validate the LogScale Plugin

Validate the Pull

In Cloud Exchange, go to Logging search for the pulled logs with the filter message contains pulled.

.

Validate the Push

Validate in Cloud Exchange

  1. Go to Logging.
  2. Search for ingested alerts with the filter message contains ingested.
  3. The ingested logs will be filtered.

Validate in CrowdStrike LogScale

  1. Go to the Search tab.
  2.  Apply filters to see specific data.

Troubleshooting

Ingested data is not visible on the LogScale Platform.

The LogScale cloud community has a data retention of 7 days. Any data older than the data retention period will not be available on the CrowdStrike LogScale platform.
What to do: Check the data retention time on your platform from Settings > Data retention.
Update the data retention time. If you do not have access to update the data retention time, contact your CrowdStrike LogScale administration team.

Share this Doc

CrowdStrike LogScale Plugin for Log Shipper

Or copy link

In this topic ...