Skip to main content

Netskope Help

Google Cloud SCC Plugin for Log Shipper

This document explains how to configure your Google Cloud SCC integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows ingestion of Netskope alerts and events into your Goggle Cloud SCC tenant.

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances).

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

  • Google Cloud Platform credentials with specified roles on a particular project.

Note

Verify your Google Cloud SCC instance permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.

Workflow
  1. Obtain Google Cloud SCC credentials.

  2. Configure a Log Shipper Mapping File.

  3. Configure the Google Cloud SCC Plugin.

  4. Configure the Log Shipper Business Rules for Google Cloud SCC.

  5. Configure Log Shipper SIEM Mappings for Google Cloud SCC.

  6. Validate the Google Cloud SCC plugin.

Click play to watch a video.

 
  1. Log in to Google Cloud Platform at https://console.cloud.google.com/.

    image1.png
  2. Select your Project and click Open.

    image2.png
  3. Go to IAM & Admin Service Accounts.

    image3.png
  4. Click + Create Service Account.

    image4.png
  5. Enter a Service account name and Service account description, and then click Create and Continue.

    image5.png
  6. Click Continue.

    image6.png
  7. Click Done.

    image7.png
  8. Click the 3 dots under Action.

    image8.png
  9. Click Manage Keys.

    image9.png
  10. Click Add Key and then click Create new key.

    image10.png
  11. Select JSON and click Create to download the key to your local device.

    image11.png
  12. Go to https://cloud.google.com/security-command-center/docs/reference/rest/v1beta1/organizations.sources/create

    image12.png
  13. Click Try It. Enter Parent and Request Body data, check Google OAuth 2.0 and API Key, and then click Execute.

    image13.png
  14. Note the Save Source ID specified in name in the response.

    image14.png

Log Shipper comes up with a default mapping file for the CSCC plugin. This mapping file does not need to be modified to ingest all Netskope alerts and events on GCP.

If only specific, or additional, alerts and events fields are desired on GCP, then create a new mapping file and add those fields into the contents of the default mapping file so Log Shipper will ingest only those attributes defined in the custom file.

  1. Go to Settings > Plugins.

  2. Select the Google Cloud SCC box to open the plugin creation dialog.

  3. Enter a Configuration Name.

  4. Select a valid Mapping. (Default Mapping for all plugins are available).

    image15.png
  5. Click Next.

    image16.png
  6. Enter your Organization ID, Source ID, and Key File.

  7. Click Save.

    image17.png

Skip this step if you do not want to filter out alerts or events before ingestion.

  1. Go to Log Shipper > Business Rules.

    image18.png
  2. Click on the Create New Rule.

    image19.png
  3. Enter a Rule Name and select the filters to use.

  4. Click Save.

    image20.png
  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.

    image21.png
  2. Select a Source Configuration, Business Rule, and Destination Configuration.

  3. Click Save.

    image22.png

To validate the plugin workflow, you can check from Netskope Cloud Exchange and from your GCP instance.

To validate from Netskope Cloud Exchange, go to Logging.

image18.png

To validate from the Google Cloud Platform:

  1. Log in to Google Cloud Platform https://console.cloud.google.com/.

    image1.png
  2. Go to Security Security Command Center.

    image2.png
  3. Go to the Findings Tab and View by Findings Changed.

    image3.png
  4. You can click on any events and alerts to view a particular log.

    image4.png
    image5.png