Log Shipper v2.0.0 Plugin

This document explains how to configure the Log Shipper plugin in the Cloud Exchange platform. With this plugin, you can collect alerts/events from the Netskope tenant.

Prerequisites

  • A Netskope Tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • Connectivity to a Netskope tenant with permission to generate v2 tokens.
CE Version Compatibility

This plugin is compatible with Netskope CE 5.1.0.

Log Shipper Plugin Support

This plugin pulls event and alert data from your Netskope tenant.

Event Types: Yes (Audit, Application, Infrastructure, Network, Incident, Page)
Alert Types: Yes (DLP, Malware, Policy, Compromised Credential, Malsite, Quarantine, Remediation, Security Assessment, Watchlist, CTEP, UBA)
WebTx: No
Permissions

The required permissions (privilege levels) for the endpoints listed below are available in REST API scopes.

API Details
List of APIs used

All of the endpoints below are called with the GET method, and all are used for the same purpose: pulling data from the Netskope tenant.

Alerts:
  • /api/v2/events/dataexport/alerts/compromisedcredential
  • /api/v2/events/dataexport/alerts/dlp
  • /api/v2/events/dataexport/alerts/malware
  • /api/v2/events/dataexport/alerts/remediation
  • /api/v2/events/dataexport/alerts/securityassessment
  • /api/v2/events/dataexport/alerts/ctep
  • /api/v2/events/dataexport/alerts/malsite
  • /api/v2/events/dataexport/alerts/policy
  • /api/v2/events/dataexport/alerts/quarantine
  • /api/v2/events/dataexport/alerts/uba
  • /api/v2/events/dataexport/alerts/watchlist

Events:
  • /api/v2/events/dataexport/events/page
  • /api/v2/events/dataexport/events/application
  • /api/v2/events/dataexport/events/audit
  • /api/v2/events/dataexport/events/infrastructure
  • /api/v2/events/dataexport/events/network
  • /api/v2/events/dataexport/events/incident
  • /api/v2/events/dataexport/events/endpoint
Pull Data from the Netskope tenant

Here is an example for one of the above-mentioned APIs. To see the API response for the other APIs, use the Swagger UI in your Netskope tenant (Settings > Tools > REST API v2 > API Documentation).

API Endpoint: /api/v2/events/dataexport/alerts/dlp

Method: GET

Parameters (query string):

index: <name of the iterator index>. The tenant keeps a server-side iterator under this name, so use a dedicated index per consumer.

operation: <epoch time from which to fetch data> on the first call for an index; subsequent calls pass next to continue from where that iterator stopped.

Headers:

Netskope-Api-Token: <V2_Token>

Accept: application/json

Content-Type: application/json

Sample API Response:

To access the API Response view, log in to your Netskope tenant and go to the following URL in order to access the Swagger UI.

https://<TENANT_URL>.com/apidocs (or Settings > Tools > REST API v2 > API Documentation).

From there, you will be able to request the API mentioned above and obtain the desired API response.
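The request above, carried through as a small pull loop. This is an added example, not code from the Log Shipper plugin or from Netskope; it assumes the iterator semantics described above (a named index, an epoch timestamp as the first operation and next afterwards), sends the same User-Agent format the plugin uses, and stands in an offline fake for the tenant. The JSON field names in the constructed sample pages (result, wait_time, timestamp_hwm) are an illustrative shape, not a captured response.

```python
"""Pull one Netskope alert type through the REST API v2 iterator endpoint.

Added example, not code from the Log Shipper plugin. It assumes the
dataexport iterator semantics: `index` names a server-side iterator,
`operation` is the epoch start time on the first call and "next" on
later calls; the JSON field names in SAMPLE_PAGES (result, wait_time,
timestamp_hwm) are an illustrative shape, not a captured response.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

CE_VERSION = "5.1.0"
USER_AGENT = f"netskope-ce-{CE_VERSION}"  # same format the plugin sends


def build_request(tenant, path, index, operation, token):
    """Return (url, headers) for one call; path is e.g. "alerts/dlp" or "events/audit"."""
    query = urllib.parse.urlencode({"index": index, "operation": str(operation)})
    url = f"https://{tenant}/api/v2/events/dataexport/{path}?{query}"
    headers = {
        "Netskope-Api-Token": token,
        "Accept": "application/json",
        "User-Agent": USER_AGENT,
    }
    return url, headers


def http_fetch(url, headers):
    """Live transport (not exercised offline): returns (status, body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def pull(fetch, tenant, path, index, start_epoch, token, max_pages=50):
    """Drain iterator `index` for `path` starting at start_epoch.

    Stops on an empty page or when the tenant asks the client to wait
    (wait_time > 0). A 403 means the v2 token lacks Read on this
    endpoint; raise rather than silently returning nothing.
    """
    records = []
    operation = start_epoch
    for _ in range(max_pages):
        url, headers = build_request(tenant, path, index, operation, token)
        status, body = fetch(url, headers)
        if status == 403:
            raise PermissionError(f"v2 token lacks Read permission for {path}")
        if status != 200:
            raise RuntimeError(f"{path}: HTTP {status}")
        page = json.loads(body)
        result = page.get("result", [])
        records.extend(result)
        if not result or page.get("wait_time", 0) > 0:
            break
        operation = "next"  # continue from where the iterator stopped
    return records


# Constructed sample pages (illustrative shape, not real tenant data).
SAMPLE_PAGES = [
    {"ok": 1, "wait_time": 0, "timestamp_hwm": 1700000200, "result": [
        {"alert_type": "dlp", "timestamp": 1700000100, "user": "alice@example.com"},
        {"alert_type": "dlp", "timestamp": 1700000200, "user": "bob@example.com"}]},
    {"ok": 1, "wait_time": 0, "timestamp_hwm": 1700000300, "result": [
        {"alert_type": "dlp", "timestamp": 1700000300, "user": "carol@example.com"}]},
    {"ok": 1, "wait_time": 30, "timestamp_hwm": 1700000300, "result": []},
]


def make_fake_fetch(pages, valid_token="secret-v2-token"):
    """Offline stand-in for the tenant; returns (fetch, list of query dicts seen)."""
    calls = []

    def fetch(url, headers):
        calls.append(dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query)))
        if headers.get("Netskope-Api-Token") != valid_token:
            return 403, json.dumps({"message": "Forbidden"})
        return 200, json.dumps(pages[min(len(calls), len(pages)) - 1])

    return fetch, calls


def demo():
    fetch, calls = make_fake_fetch(SAMPLE_PAGES)
    records = pull(fetch, "example.goskope.com", "alerts/dlp",
                   "ce-dlp-alerts", 1700000000, "secret-v2-token")
    return records, calls


if __name__ == "__main__":
    recs, seen = demo()
    print(f"pulled {len(recs)} alerts over {len(seen)} calls: "
          f"{[c['operation'] for c in seen]}")
```

To run it against a real tenant, pass http_fetch instead of the fake and your tenant host and v2 token; the loop deliberately raises on 403 so a token missing the Read scope for an endpoint is visible immediately instead of looking like an empty pull.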

User Agent

The user-agent added in this plugin is in the following format:

netskope-ce-<ce_version>

For example: netskope-ce-5.1.0

Workflow

  1. Generate a v2 token for your Netskope tenant.
  2. Configure the Netskope Log Shipper plugin.
  3. Configure a third-party plugin.
  4. Create a Business Rule.
  5. Add a SIEM Mapping with the Netskope Log Shipper plugin as the source and the third-party plugin as the destination.
  6. Validate the plugin.

Generate a v2 Token

  1. In your Netskope tenant, go to Settings > Tools > REST API v2.
  2. Click New Token.
  3. Enter a Tenant Name.
  4. Enter an Expire time. Select from Day(s), Hour(s), Week(s), Year(s).
  5. Click Add Endpoint, select the desired endpoints listed above in API Details, and enable the Read privilege. For more details, go to REST API Scopes.
  6. Click Save.
  7. Copy the token. It is required when configuring the Netskope Tenant plugin in Cloud Exchange, and it is only shown once, so store it securely.

Configure the Log Shipper Plugin

  1. In Cloud Exchange, go to Settings > General and enable the Log Shipper module.
  2. In Settings, go to Plugins.
  3. Search for and select the Netskope Log Shipper plugin box.
  4. Enter a configuration name and select a configured Netskope tenant from the dropdown.
  5. Click Next and enter the values for the Configuration Parameters.
    • Alert Types: Types of alerts to fetch.
    • Initial Range for Alerts (in days): Number of days of alert data to pull on the initial run.
    • Event Types: Types of events to fetch.
    • Initial Range for Events (in hours): Number of hours of event data to pull on the initial run.

  6. Click Save.

Create a Business Rule for Log Shipper

  1. Go to Log Shipper > Business Rule.
  2. By default, there is a business rule that matches all alerts and events. If you want to forward only a specific type of alert or event, click Create New Rule and configure a new business rule by adding a rule name and selecting the filters.
  3. Click Save.

Add a SIEM Mapping

Before you can add a SIEM Mapping, a third-party Log Shipper plugin (for example, Syslog) must already be configured: a SIEM mapping needs both a source plugin configuration and a destination plugin configuration.

  1. Go to Log Shipper > SIEM Mappings.
  2. Select the Source plugin (Netskope Log Shipper), the Destination plugin (for example, Syslog), and a business rule.
  3. Click Save.

After the SIEM mapping is added, the data will start getting pulled from the Netskope tenant, transformed, and ingested into the Syslog plugin.

Validate the Log Shipper Plugin

Validating Events and Alerts are present in Tenant

To confirm that Events/Alerts exist in the Netskope tenant for the configured time range:

  1. In your Netskope tenant, go to Skope IT.
  2. For Alerts, go to Alerts > Filters and select an option from the Last x Days dropdown in the top-right corner.
  3. For Events, go to Skope IT and select Application Events, Page Event, or Network Events.
  4. For Audit Events, go to Settings > Administrator > Audit Log.

Validate the Pull

To confirm that Events/Alerts are being pulled from the Netskope tenant:

  1. In Cloud Exchange, go to Logging and search for the pulled logs.

Validate the Push

To confirm that the pulled data is being pushed to the destination plugin:

  1. Go to Logging and search for ingested events using the filter "message contains ingested".
  2. Only the ingestion logs are shown; each one reports what was pushed to the destination plugin.

Troubleshooting the Log Shipper Plugin

Receiving Error while Configuring the Log Shipper Plugin

Getting the error: The Netskope tenant API V2 token does not have necessary permissions configured. Refer to the list of endpoints for which the token is missing permission.

Cause: The provided V2 token does not have the minimum required permissions to configure the tenant in CE.

What to do:

  1. Go to Logging and look for a warning log similar to the following pattern:

    TENANT Netskope Tenant (Required) [Netskope Tenant]: For Netskope Tenant, received 403 error for following endpoint(s)

  2. Expand the log entry to get the list of endpoints for which permissions are missing.
  3. In the Netskope tenant (Settings > Tools > REST API v2), edit the v2 token and add the Read privilege for each endpoint in that list.
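The check behind that warning, reproduced as an added example (not Cloud Exchange code): call each endpoint from the API Details table with the token and collect the ones that answer 403, then print them in the shape of the log pattern above. It assumes a throwaway index name (ce-scope-check) so the plugin's own iterators are not disturbed, and an epoch start time as the operation value; the tenant it talks to here is a constructed offline fake.

```python
"""Preflight check: which dataexport endpoints does a v2 token lack Read on?

Added example, not code from Cloud Exchange. Assumptions: a throwaway
index name ("ce-scope-check") and an epoch start time as `operation`;
the fake tenant below is constructed for the offline run.
"""
import json
import urllib.parse

# Endpoints exactly as listed in the API Details table.
DATAEXPORT_ENDPOINTS = [
    "/api/v2/events/dataexport/alerts/compromisedcredential",
    "/api/v2/events/dataexport/alerts/dlp",
    "/api/v2/events/dataexport/alerts/malware",
    "/api/v2/events/dataexport/alerts/remediation",
    "/api/v2/events/dataexport/alerts/securityassessment",
    "/api/v2/events/dataexport/alerts/ctep",
    "/api/v2/events/dataexport/alerts/malsite",
    "/api/v2/events/dataexport/alerts/policy",
    "/api/v2/events/dataexport/alerts/quarantine",
    "/api/v2/events/dataexport/alerts/uba",
    "/api/v2/events/dataexport/alerts/watchlist",
    "/api/v2/events/dataexport/events/page",
    "/api/v2/events/dataexport/events/application",
    "/api/v2/events/dataexport/events/audit",
    "/api/v2/events/dataexport/events/infrastructure",
    "/api/v2/events/dataexport/events/network",
    "/api/v2/events/dataexport/events/incident",
    "/api/v2/events/dataexport/events/endpoint",
]


def probe(fetch, tenant, endpoint, token, index="ce-scope-check", start_epoch=0):
    """Issue one GET and return the HTTP status; fetch(url, headers) -> (status, body)."""
    query = urllib.parse.urlencode({"index": index, "operation": str(start_epoch)})
    headers = {"Netskope-Api-Token": token, "Accept": "application/json",
               "User-Agent": "netskope-ce-5.1.0"}
    status, _ = fetch(f"https://{tenant}{endpoint}?{query}", headers)
    return status


def missing_permissions(fetch, tenant, token, endpoints=DATAEXPORT_ENDPOINTS):
    """Endpoints the token cannot read (HTTP 403), in table order."""
    return [ep for ep in endpoints if probe(fetch, tenant, ep, token) == 403]


def format_warning(tenant_name, missing):
    """Render the result in the shape of the CE warning log quoted above."""
    head = (f"TENANT {tenant_name} (Required) [Netskope Tenant]: For {tenant_name}, "
            "received 403 error for following endpoint(s)")
    return "\n".join([head] + [f"  {ep}" for ep in missing])


def make_fake_fetch(granted):
    """Constructed offline tenant: 200 for endpoints in `granted`, 403 otherwise."""
    def fetch(url, headers):
        path = urllib.parse.urlsplit(url).path
        if headers.get("Netskope-Api-Token") and path in granted:
            return 200, json.dumps({"ok": 1, "result": [], "wait_time": 0})
        return 403, json.dumps({"message": "Forbidden"})
    return fetch


def demo():
    """A token that was granted Read only on the alert endpoints."""
    granted = {ep for ep in DATAEXPORT_ENDPOINTS if "/alerts/" in ep}
    fetch = make_fake_fetch(granted)
    return missing_permissions(fetch, "example.goskope.com", "v2-token")


if __name__ == "__main__":
    print(format_warning("Netskope Tenant", demo()))
```

The list this prints is exactly what you add to the token under Settings > Tools > REST API v2 > Add Endpoint with the Read privilege; after saving, rerun the check and expect an empty list before re-saving the plugin configuration.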