Log Shipper v2.0.0 Plugin
This document explains how to configure the Log Shipper plugin in the Cloud Exchange platform. With this plugin, you can collect alerts/events from the Netskope tenant.
Prerequisites
- A Netskope Tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- Connectivity to a Netskope tenant with permission to generate v2 tokens.
CE Version Compatibility
This plugin is compatible with Netskope CE 5.1.0.
Log Shipper Plugin Support
This plugin is used to pull events and alerts data from your Netskope tenant.
Data | Supported |
---|---|
Event Types | Yes: Audit, Application, Infrastructure, Network, Incident, Page |
Alert Types | Yes: DLP, Malware, Policy, Compromised Credential, Malsite, Quarantine, Remediation, Security Assessment, Watchlist, CTEP, UBA |
WebTx | No |
Permissions
The required permissions (privilege levels) for the endpoints listed below are available in REST API scopes.
API Details
List of APIs used
API Endpoint | Method | Use Case |
---|---|---|
/api/v2/events/dataexport/alerts/compromisedcredential | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/dlp | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/malware | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/remediation | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/securityassessment | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/ctep | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/malsite | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/policy | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/quarantine | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/uba | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/alerts/watchlist | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/events/page | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/events/application | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/events/audit | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/events/infrastructure | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/events/network | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/events/incident | GET | Pull data from the Netskope tenant |
/api/v2/events/dataexport/events/endpoint | GET | Pull data from the Netskope tenant |
Pull Data from the Netskope tenant
Here is an example from one of the above-mentioned APIs. To see the API response for the other APIs, use the Swagger UI in your Netskope tenant (Settings > Tools > REST API v2 > API Documentation).
API Endpoint: /api/v2/events/dataexport/alerts/dlp
Method: GET
Parameters:
index: <name of iterator index>
operation: <epoch time from which to fetch the data>
Headers:
Netskope-Api-Token: <V2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response:
To view the API response, log in to your Netskope tenant and open the Swagger UI at the following URL:
https://<TENANT_URL>.com/apidocs (or Settings > Tools > REST API v2 > API Documentation).
From there, you can call the API mentioned above and inspect its response.
User Agent
The user-agent added in this plugin is in the following format:
netskope-ce-<ce_version>
For example: netskope-ce-5.1.0
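The request described above (index and operation parameters, the Netskope-Api-Token header, and the netskope-ce-<ce_version> user agent), as an added example that is not part of the plugin or its documentation. The transport is injected so the paginated pull can be exercised offline against a constructed response; the body layout used here (an object with an `ok` flag and a `result` list) and the hostname `tenant.example.com` are assumptions, not a verified schema.

```python
"""Added example (not the plugin's own code): a minimal client for the
dataexport endpoint documented above, with an injectable transport.

Assumptions: the `index`/`operation` parameters and the headers are those
shown on this page; the response layout ({"ok": 1, "result": [...]}) and the
tenant hostname are constructed for illustration.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

CE_VERSION = "5.1.0"


def build_request(tenant_host, endpoint, token, index, operation, ce_version=CE_VERSION):
    """Return (url, headers) for one dataexport call.

    `operation` is the epoch time to start from on the first call and "next"
    on later calls, which continues the iterator named by `index`.
    """
    params = {"index": index, "operation": str(operation)}
    url = f"https://{tenant_host}{endpoint}?{urllib.parse.urlencode(params)}"
    headers = {
        "Netskope-Api-Token": token,
        "Accept": "application/json",
        "Content-Type": "application/json",
        "User-Agent": f"netskope-ce-{ce_version}",  # format documented above
    }
    return url, headers


def http_fetch(url, headers):
    """Real transport: GET the URL and return (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, {}


def pull_alerts(fetch, tenant_host, token, alert_type, start_epoch, index, max_pages=100):
    """Drain one alert iterator: the first call passes the start epoch as the
    operation, later calls pass "next" on the same index until a page is empty."""
    endpoint = f"/api/v2/events/dataexport/alerts/{alert_type}"
    records = []
    operation = start_epoch
    for _ in range(max_pages):
        url, headers = build_request(tenant_host, endpoint, token, index, operation)
        status, body = fetch(url, headers)
        if status == 403:
            raise PermissionError(f"token lacks Read privilege on {endpoint}")
        if status != 200 or not body.get("ok"):
            raise RuntimeError(f"{endpoint} returned HTTP {status}")
        page = body.get("result", [])
        if not page:
            break
        records.extend(page)
        operation = "next"
    return records


# Constructed sample pages: two records, then one, then the iterator is empty.
SAMPLE_PAGES = [
    [{"alert_type": "dlp", "_id": "a1"}, {"alert_type": "dlp", "_id": "a2"}],
    [{"alert_type": "dlp", "_id": "a3"}],
]


def make_fake_fetch(pages):
    """Offline transport that serves `pages` in order and records each operation value."""
    calls = []

    def fake(url, headers):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        calls.append(query["operation"][0])
        n = len(calls) - 1
        return 200, {"ok": 1, "result": pages[n] if n < len(pages) else []}

    return fake, calls


def demo():
    """Run the pull against the constructed pages; returns (records, operations sent)."""
    fake, calls = make_fake_fetch(SAMPLE_PAGES)
    records = pull_alerts(fake, "tenant.example.com", "PLACEHOLDER_V2_TOKEN",
                          "dlp", 1700000000, "ce_dlp_iterator")
    return records, calls


if __name__ == "__main__":
    recs, ops = demo()
    print(len(recs), "records pulled; operations sent:", ops)
```

Swap `make_fake_fetch` for `http_fetch` to run against a real tenant; the 403 branch is the same condition the troubleshooting section below describes, surfaced at pull time rather than in the Cloud Exchange log.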
Workflow
- Generate a v2 token for your Netskope tenant.
- Configure Netskope Log Shipper Plugin.
- Configure a Third Party Plugin.
- Create a Business Rule.
- Add a SIEM Mapping with the Netskope Log Shipper plugin as the source and the third-party plugin as the destination.
- Validate the plugin.
Generate a v2 Token
- In your Netskope tenant, go to Settings > Tools > REST API v2.
- Click New Token.
- Enter a Tenant Name.
- Enter an Expire time. Select from Day(s), Hour(s), Week(s), Year(s).
- Click Add Endpoint, select the desired endpoints listed above in API Details, and enable the Read privilege. For more details, go to REST API Scopes.
- Click Save.
- Copy the token. It is required when configuring the Netskope Tenant plugin in Cloud Exchange; see the Netskope Tenant plugin documentation for those steps.
Configure the Log Shipper Plugin
- In Cloud Exchange, go to Settings > General and enable the Log Shipper module.
- In Settings, go to Plugins.
- Search for and select the Netskope Log Shipper plugin box.
- Enter a configuration name and select a configured Netskope tenant from the dropdown.
- Click Next and enter the values for the Configuration Parameters.
  - Alert Types: Types of alerts to fetch.
  - Initial Range for Alerts (in days): Number of days of alert data to pull on the initial run.
  - Event Types: Types of events to fetch.
  - Initial Range for Events (in hours): Number of hours of event data to pull on the initial run.
- Click Save.
Create a Business Rule for Log Shipper
- Go to Log Shipper > Business Rule.
- By default, there is a business rule that matches all alerts and events. If you want to forward only specific types of alerts or events, click Create New Rule and configure a new business rule by entering a rule name and selecting filters.
- Click Save.
Add a SIEM Mapping
In order to add SIEM Mappings, a third-party Log Shipper plugin, like Syslog, has to be configured before proceeding. You need both a source and destination plugin (configurations) to create the SIEM mapping.
- Go to Log Shipper > SIEM Mappings.
- Select the Source plugin (Netskope Log Shipper), Destination plugin (Syslog), and select a business rule.
- Click Save.
After the SIEM mapping is added, the data will start getting pulled from the Netskope tenant, transformed, and ingested into the Syslog plugin.
Validate the Log Shipper Plugin
Validating that Events and Alerts are present in the Tenant
To validate that events/alerts are present in the Netskope tenant:
- In your Netskope tenant, go to Skope IT.
- For Alerts, go to Alerts > Filters and select an option from the Last x Days dropdown in the top-right corner.
- For Events, go to Skope IT and select Application Events, Page Event, or Network Events.
- For Audit Events, go to Settings > Administrator > Audit Log.
Validate the Pull
To validate that events/alerts are being pulled from the Netskope tenant:
- In Cloud Exchange, go to Logging and search for the pulled logs.
Validate the Push
To validate the end-to-end plugin workflow in Cloud Exchange:
- Go to Logging and search for ingested events using the filter "message contains ingested".
- Only the ingestion logs are shown.
Troubleshooting the Log Shipper Plugin
Receiving Error while Configuring the Log Shipper Plugin
Getting the error: The Netskope tenant API V2 token does not have necessary permissions configured. Refer to the list of endpoints for which the token is missing permission.
Cause: The provided V2 token does not have the minimum required permissions to configure the tenant in CE.
What to do:
- Go to Logging and look for a warning log similar to the following pattern:
TENANT Netskope Tenant (Required) [Netskope Tenant]: For Netskope Tenant, received 403 error for following endpoint(s)
- Expand the log and note the list of endpoints for which permissions are missing.
- Update the v2 token in the Netskope dashboard and add the Read permission for each endpoint in that list.
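A pre-flight check for the condition described above, as an added example that is not the plugin's own code: it probes every endpoint from the API Details table with the candidate v2 token and reports those answering 403, so missing Read privileges surface before the tenant is configured in Cloud Exchange. The transport is injected (`fetch(url, headers) -> (status, body)`) so the check runs offline here against constructed responses; the hostname and the two endpoints marked as forbidden in the sample are constructed, and the probe passes the current epoch as the `operation` value, which the page documents as an accepted start point.

```python
"""Added example (not the plugin's own code): probe the required endpoints
with a v2 token and list those that return 403.

Assumptions: injected transport; the `index`/`operation` parameters and the
headers are those shown on this page; sample forbidden endpoints are constructed.
"""
import time
import urllib.parse

# Every endpoint from the API Details table on this page.
REQUIRED_ENDPOINTS = [
    "/api/v2/events/dataexport/alerts/compromisedcredential",
    "/api/v2/events/dataexport/alerts/dlp",
    "/api/v2/events/dataexport/alerts/malware",
    "/api/v2/events/dataexport/alerts/remediation",
    "/api/v2/events/dataexport/alerts/securityassessment",
    "/api/v2/events/dataexport/alerts/ctep",
    "/api/v2/events/dataexport/alerts/malsite",
    "/api/v2/events/dataexport/alerts/policy",
    "/api/v2/events/dataexport/alerts/quarantine",
    "/api/v2/events/dataexport/alerts/uba",
    "/api/v2/events/dataexport/alerts/watchlist",
    "/api/v2/events/dataexport/events/page",
    "/api/v2/events/dataexport/events/application",
    "/api/v2/events/dataexport/events/audit",
    "/api/v2/events/dataexport/events/infrastructure",
    "/api/v2/events/dataexport/events/network",
    "/api/v2/events/dataexport/events/incident",
    "/api/v2/events/dataexport/events/endpoint",
]


def probe_permissions(fetch, tenant_host, token, ce_version="5.1.0", now=None):
    """Call each required endpoint once and return {endpoint: http_status}."""
    start = int(now if now is not None else time.time())
    headers = {
        "Netskope-Api-Token": token,
        "Accept": "application/json",
        "Content-Type": "application/json",
        "User-Agent": f"netskope-ce-{ce_version}",
    }
    statuses = {}
    for endpoint in REQUIRED_ENDPOINTS:
        # A dedicated iterator name keeps the probe from disturbing real pull iterators.
        params = urllib.parse.urlencode({"index": "ce_permission_probe", "operation": str(start)})
        status, _body = fetch(f"https://{tenant_host}{endpoint}?{params}", headers)
        statuses[endpoint] = status
    return statuses


def missing_permissions(fetch, tenant_host, token, **kwargs):
    """Endpoints the token cannot read (HTTP 403), sorted for stable output."""
    statuses = probe_permissions(fetch, tenant_host, token, **kwargs)
    return sorted(ep for ep, status in statuses.items() if status == 403)


# Constructed sample: a token that was created without Read on two endpoints.
SAMPLE_FORBIDDEN = {
    "/api/v2/events/dataexport/alerts/uba",
    "/api/v2/events/dataexport/events/endpoint",
}


def sample_fetch(url, headers):
    """Offline transport answering 403 for the constructed forbidden set, 200 otherwise."""
    path = urllib.parse.urlparse(url).path
    if path in SAMPLE_FORBIDDEN:
        return 403, {}
    return 200, {"ok": 1, "result": []}


def demo():
    """Run the check against the constructed transport; returns the missing list."""
    return missing_permissions(sample_fetch, "tenant.example.com",
                               "PLACEHOLDER_V2_TOKEN", now=1700000000)


if __name__ == "__main__":
    for endpoint in demo():
        print("missing Read privilege:", endpoint)
```

Run it with a real transport (an HTTP GET returning the status code and JSON body) before pasting the token into Cloud Exchange; an empty list means the token covers every endpoint the plugin uses, and any entries map directly to the endpoints you must add under REST API v2 > Edit Token.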