Configure Netskope Tenants
Configure Netskope Tenants
To leverage the primary modules to work with Netskope, you need to create a Netskope tenant in CE. Configured Netskope tenants are displayed on the Netskope Tenants page, and Admins can edit and delete configured tenants.
You need your Netskope tenant API token(s) to complete this procedure.
Obtain your v1 RESTful API token by following the steps in REST API v1 Overview CE uses v1 tokens for updating file hashes in Threat Exchange.
Important
A v1 token is required for adding a Netskope tenant in CE, but will not be used if an equivalent v2 endpoint is available.
Create a new v2 RESTful API token by following the steps in REST API v2 Overview. For v2 tokens, specific scopes need to be enabled. For more information, see REST API Scopes.
When you have your token(s), copy them and then add a tenant to CE.
Click play to watch a demo:
Add a Netskope Tenant
- Go to Settings and click Netskope Tenants. A list of configured Netskope tenants are displayed. There are Edit and Delete icons for each tenant in the Action column.
- Click Add Tenant.
- Enter a name for this Netskope tenant configuration.
- Enter your Netskope tenant name. Do not enter the
<tenant-URL>, URL. Enter just your tenant name. For example, if it’smycompany.<tenant-domain>, just entermycompany. - Enter your Netskope tenant API token(s) obtained previously.
- Select alerts types for filtering alerts from the tenant. The below list represents the minimum requirements per module, but each alert type selected requires the corresponding
/api/v2/events/dataexport/alerts/REST API endpoint to be allowed.- Log Shipper: All
- Ticket Orchestrator: All
- Threat Exchange: Malsite, Malware
- User Risk Exchange: Quarantine
- Application Risk Exchange: None
- Set the range for ingesting data from Netskope. In this case, set the Initial Range to 7 days to pre-populate Log Shipper.
- If you use a proxy, enable the proxy toggle.
- Click Save. Your tenant appears on the page.
REST API Scopes
5.0.1 REST API
v1 REST API Scopes
| Netskope Endpoint Permissions | Privilege Level | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) |
|---|---|---|---|---|---|---|
| /api/v1/updateFileHashList | Read + Write (v1 default) | x |
v2 REST API Scopes
| Netskope Endpoint Permissions | Privilege Level | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) |
|---|---|---|---|---|---|---|
| /api/v2/events/dataexport/events/alert | Read | |||||
| /api/v2/events/dataexport/events/application | Read | x | x | |||
| /api/v2/events/dataexport/events/audit | Read | x | ||||
| /api/v2/events/dataexport/events/connection | Not polled | |||||
| /api/v2/events/dataexport/events/incident | Read | x | ||||
| /api/v2/events/dataexport/events/infrastructure | Read | x | ||||
| /api/v2/events/dataexport/events/network | Read | x | ||||
| /api/v2/events/dataexport/events/page | Read | x | ||||
| /api/v2/events/dataexport/alerts/uba | Read | x | x | x | ||
| /api/v2/events/dataexport/alerts/securityassessment | Read | x | x | |||
| /api/v2/events/dataexport/alerts/quarantine | Read | x | x | |||
| /api/v2/events/dataexport/alerts/remediation | Read | x | x | |||
| /api/v2/events/dataexport/alerts/policy | Read | x | x | |||
| /api/v2/events/dataexport/alerts/malware | Read | x | x | x | ||
| /api/v2/events/dataexport/alerts/malsite | Read | x | x | x | ||
| /api/v2/events/dataexport/alerts/compromisedcredential | Read | x | x | |||
| /api/v2/events/dataexport/alerts/ctep (or ips) | Read | x | x | |||
| /api/v2/events/dataexport/alerts/dlp | Read | x | x | |||
| /api/v2/events/dataexport/alerts/watchlist | Read | x | x | |||
| /api/v2/policy/urllist/file | Read + Write | |||||
| /api/v2/policy/urllist | Read + Write | x | ||||
| /api/v2/policy/urllist/deploy | Read + Write | x | ||||
| /api/v2/incidents/uba/getuci | Read + Write | x | ||||
| /api/v2/ubadatasvc/user/uci | Read + Write | x | ||||
| /api/v2/services/cci/app | Read | x | ||||
| /api/v2/services/cci/domain | Read | x | ||||
| /api/v2/services/cci/tags | Read | x | ||||
| /api/v2/infrastructure/publishers | Read + Write | x | ||||
| /api/v2/steering/apps/private/tags | Read + Write | x | ||||
| /api/v2/steering/apps/private | Read + Write | x |
5.0.0 REST API
v1 REST API Scopes
| Netskope Endpoint Permissions | Privilege Level | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) |
|---|---|---|---|---|---|---|
| /api/v1/updateFileHashList | Read + Write (v1 default) | x |
v2 REST API Scopes
| Netskope Endpoint Permissions | Privilege Level | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) |
|---|---|---|---|---|---|---|
| /api/v2/events/dataexport/events/alert | Read | |||||
| /api/v2/events/dataexport/events/application | Read | x | x | |||
| /api/v2/events/dataexport/events/audit | Read | x | ||||
| /api/v2/events/dataexport/events/connection | Not polled | |||||
| /api/v2/events/dataexport/events/incident | Read | x | ||||
| /api/v2/events/dataexport/events/infrastructure | Read | x | ||||
| /api/v2/events/dataexport/events/network | Read | x | ||||
| /api/v2/events/dataexport/events/page | Read | x | ||||
| /api/v2/events/dataexport/alerts/uba | Read | x | x | x | ||
| /api/v2/events/dataexport/alerts/securityassessment | Read | x | x | |||
| /api/v2/events/dataexport/alerts/quarantine | Read | x | x | |||
| /api/v2/events/dataexport/alerts/remediation | Read | x | x | |||
| /api/v2/events/dataexport/alerts/policy | Read | x | x | |||
| /api/v2/events/dataexport/alerts/malware | Read | x | x | x | ||
| /api/v2/events/dataexport/alerts/malsite | Read | x | x | x | ||
| /api/v2/events/dataexport/alerts/compromisedcredential | Read | x | x | |||
| /api/v2/events/dataexport/alerts/ctep (or ips) | Read | x | x | |||
| /api/v2/events/dataexport/alerts/dlp | Read | x | x | |||
| /api/v2/events/dataexport/alerts/watchlist | Read | x | x | |||
| /api/v2/policy/urllist/file | Read + Write | |||||
| /api/v2/policy/urllist | Read + Write | x | ||||
| /api/v2/policy/urllist/deploy | Read + Write | x | ||||
| /api/v2/incidents/uba/getuci | Read + Write | x | ||||
| /api/v2/ubadatasvc/user/uci | Read + Write | x | ||||
| /api/v2/services/cci/app | Read | x | ||||
| /api/v2/services/cci/domain | Read | x | ||||
| /api/v2/services/cci/tags | Read | x |
4.2.0 REST API
Dataexport Error Codes
| Error Codes | User-Action Required | Description |
|---|---|---|
| 403 | Yes | Check the API V2 token is associated with the valid endpoint & its not expired.Retry will solve the problem only after solving the token issue by following these guidelines. |
| 409 | No | Concurrency conflict and the request cannot be processed at this point of time.
DataExport API V2 endpoints do not support downloading the same event type concurrently with the same iterator index, and the Client is expected to validate that the logic to pull the events is single-threaded. |
| 429 | No | Too many requests for the same tenant accessing the same endpoint.
The Client is expected to honor the rate limit to avoid 429 error and as part of the response header, it carries the reset time in the header ratelimit-reset. The Client is expected to sleep/wait ( ratelimit-reset ) to avoid 429. The current rate limit is 4 req / second/endpoint. |
| 5XX | Yes | Netskope is having a temporary server issue for some reason:
Upon receiving a 5xx error from Netskope Server , the User is recommended to do a back off of 5 seconds wait time before the next call. |
v1 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| Token Generated and Not Expired | (all) | x | Required for sharing file hashes |
v2 REST API Scopes
Note
Starting with CE 4.2.0, you are required to use the dataexport endpoint permission for the alerts and events you have configured in Cloud Exchange when setting up Netskope Tenants.
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| /api/v2/events/data/alert | Read | ||||||
| /api/v2/events/data/application | Read | ||||||
| /api/v2/events/data/audit | Read | ||||||
| /api/v2/events/data/infrastructure | Read | ||||||
| /api/v2/events/data/network | Read | ||||||
| /api/v2/events/data/page | Read | ||||||
| /api/v2/events/dataexport/events/alert | Read | x | x | x | x | x | Required to validate API token |
| /api/v2/events/dataexport/events/application | Read | x | x | ||||
| /api/v2/events/dataexport/events/audit | Read | x | |||||
| /api/v2/events/dataexport/events/connection | Read | ||||||
| /api/v2/events/dataexport/events/incident | Read | x | |||||
| /api/v2/events/dataexport/events/infrastructure | Read | x | |||||
| /api/v2/events/dataexport/events/network | Read | x | |||||
| /api/v2/events/dataexport/events/page | Read | x | |||||
| /api/v2/events/dataexport/alerts/uba | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/securityassessment | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/quarantine | Read | x | x | x | |||
| /api/v2/events/dataexport/alerts/remediation | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/policy | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/malware | Read | x | x | x | |||
| /api/v2/events/dataexport/alerts/malsite | Read | x | x | x | |||
| /api/v2/events/dataexport/alerts/compromisedcredential | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/ctep (or ips) | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/dlp | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/watchlist | Read | x | x | ||||
| /api/v2/policy/urllist/file | Read + Write | ||||||
| /api/v2/policy/urllist | Read + Write | x | |||||
| /api/v2/policy/urllist/deploy | Read + Write | x | |||||
| /api/v2/incidents/uba/getuci | Read + Write | x | |||||
| /api/v2/ubadatasvc/user/uci | Read + Write | x | |||||
| /api/v2/services/cci/app | Read | x | |||||
| /api/v2/services/cci/domain | Read | x | |||||
| /api/v2/services/cci/tags | Read | x |
x: Required API scopes for the corresponding CE module.
4.1.0 REST API
v1 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| Token Generated and Not Expired | (all) | x | Required for sharing file hashes |
v2 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| /api/v2/events/data/alert | Read | ||||||
| /api/v2/events/data/application | Read | ||||||
| /api/v2/events/data/audit | Read | ||||||
| /api/v2/events/data/infrastructure | Read | ||||||
| /api/v2/events/data/network | Read | ||||||
| /api/v2/events/data/page | Read | ||||||
| /api/v2/events/dataexport/events/alert | Read | x | x | x | x | x | Required to validate API token |
| /api/v2/events/dataexport/events/application | Read | x | x | ||||
| /api/v2/events/dataexport/events/audit | Read | x | |||||
| /api/v2/events/dataexport/events/connection | Read | ||||||
| /api/v2/events/dataexport/events/incident | Read | x | |||||
| /api/v2/events/dataexport/events/infrastructure | Read | x | |||||
| /api/v2/events/dataexport/events/network | Read | x | |||||
| /api/v2/events/dataexport/events/page | Read | x | |||||
| /api/v2/events/dataexport/alerts/uba | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/securityassessment | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/quarantine | Read | x | x | x | |||
| /api/v2/events/dataexport/alerts/remediation | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/policy | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/malware | Read | x | x | x | |||
| /api/v2/events/dataexport/alerts/malsite | Read | x | x | x | |||
| /api/v2/events/dataexport/alerts/compromisedcredential | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/ctep (or ips) | Read | ||||||
| /api/v2/events/dataexport/alerts/dlp | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/watchlist | Read | x | x | ||||
| /api/v2/policy/urllist/file | Read + Write | ||||||
| /api/v2/policy/urllist | Read + Write | x | |||||
| /api/v2/policy/urllist/deploy | Read + Write | x | |||||
| /api/v2/incidents/uba/getuci | Read + Write | x | |||||
| /api/v2/ubadatasvc/user/uci | Read + Write | x | |||||
| /api/v2/services/cci/app | Read | x | |||||
| /api/v2/services/cci/domain | Read | x | |||||
| /api/v2/services/cci/tags | Read | x |
x: Required API scopes for the corresponding CE module.
4.0.x REST API
v1 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| Token Generated and Not Expired | (all) | y | y | x+y (*) | y | y | * Required for sharing file hashes |
v2 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| /api/v2/events/data/alert | Read | y | y | y | y | y | |
| /api/v2/events/data/application | Read | y | |||||
| /api/v2/events/data/audit | Read | y | |||||
| /api/v2/events/data/infrastructure | Read | y | |||||
| /api/v2/events/data/network | Read | y | |||||
| /api/v2/events/data/page | Read | y | |||||
| /api/v2/events/dataexport/events/alert | Read | x | x | x | x | x | |
| /api/v2/events/dataexport/events/application | Read | x | x | ||||
| /api/v2/events/dataexport/events/audit | Read | x | |||||
| /api/v2/events/dataexport/events/connection | Read | ||||||
| /api/v2/events/dataexport/events/incident | Read | ||||||
| /api/v2/events/dataexport/events/infrastructure | Read | x | |||||
| /api/v2/events/dataexport/events/network | Read | x | |||||
| /api/v2/events/dataexport/events/page | Read | x | |||||
| /api/v2/events/dataexport/alerts/uba | Read | ||||||
| /api/v2/events/dataexport/alerts/securityassessment | Read | ||||||
| /api/v2/events/dataexport/alerts/quarantine | Read | ||||||
| /api/v2/events/dataexport/alerts/remediation | Read | ||||||
| /api/v2/events/dataexport/alerts/policy | Read | ||||||
| /api/v2/events/dataexport/alerts/malware | Read | ||||||
| /api/v2/events/dataexport/alerts/malsite | Read | ||||||
| /api/v2/events/dataexport/alerts/compromisedcredential | Read | ||||||
| /api/v2/events/dataexport/alerts/ctep (or ips) | Read | ||||||
| /api/v2/events/dataexport/alerts/dlp | Read | ||||||
| /api/v2/events/dataexport/alerts/watchlist | Read | ||||||
| /api/v2/policy/urllist/file | Read + Write | ||||||
| /api/v2/policy/urllist | Read + Write | x + y | |||||
| /api/v2/policy/urllist/deploy | Read + Write | x + y | |||||
| /api/v2/incidents/uba/getuci | Read + Write | x + y | |||||
| /api/v2/ubadatasvc/user/uci | Read + Write | x + y | |||||
| /api/v2/services/cci/app | Read | x + y | |||||
| /api/v2/services/cci/domain | Read | x + y | |||||
| /api/v2/services/cci/tags | Read | x + y |
x: Required API scopes for the corresponding CE module if modern /events/dataexport endpoints will be used (recommended).
y: Required API scopes for the corresponding CE module if legacy /events/data endpoints will be used (deprecated starting in 4.1.0).
x+y: Required API scopes for the corresponding CE module (when using either /events/dataexport or /events/data endpoints).
3.4.x REST API
v1 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| Token Generated and Not Expired | (all) | y | Required for sharing file hashes |
v2 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | Cloud Risk Exchange (CRE) | Notes |
|---|---|---|---|---|---|---|
| /api/v2/events/data/alert | Read | y | y | y | y | |
| /api/v2/events/data/application | Read | y | ||||
| /api/v2/events/data/audit | Read | y | ||||
| /api/v2/events/data/infrastructure | Read | y | ||||
| /api/v2/events/data/network | Read | y | ||||
| /api/v2/events/data/page | Read | y | ||||
| /api/v2/events/dataexport/events/alert | Read | |||||
| /api/v2/events/dataexport/events/application | Read | |||||
| /api/v2/events/dataexport/events/audit | Read | |||||
| /api/v2/events/dataexport/events/connection | Read | |||||
| /api/v2/events/dataexport/events/incident | Read | |||||
| /api/v2/events/dataexport/events/infrastructure | Read | |||||
| /api/v2/events/dataexport/events/network | Read | |||||
| /api/v2/events/dataexport/events/page | Read | |||||
| /api/v2/events/dataexport/alerts/uba | Read | |||||
| /api/v2/events/dataexport/alerts/securityassessment | Read | |||||
| /api/v2/events/dataexport/alerts/quarantine | Read | |||||
| /api/v2/events/dataexport/alerts/remediation | Read | |||||
| /api/v2/events/dataexport/alerts/policy | Read | |||||
| /api/v2/events/dataexport/alerts/malware | Read | |||||
| /api/v2/events/dataexport/alerts/malsite | Read | |||||
| /api/v2/events/dataexport/alerts/compromisedcredential | Read | |||||
| /api/v2/events/dataexport/alerts/ctep (or ips) | Read | |||||
| /api/v2/events/dataexport/alerts/dlp | Read | |||||
| /api/v2/events/dataexport/alerts/watchlist | Read | |||||
| /api/v2/policy/urllist/file | Read + Write | |||||
| /api/v2/policy/urllist | Read + Write | y | ||||
| /api/v2/policy/urllist/deploy | Read + Write | y | ||||
| /api/v2/incidents/uba/getuci | Read + Write | y | ||||
| /api/v2/ubadatasvc/user/uci | Read + Write | y | ||||
| /api/v2/services/cci/app | Read | |||||
| /api/v2/services/cci/domain | Read | |||||
| /api/v2/services/cci/tags | Read |
y: Required API scopes for the corresponding CE module.
