CrowdStrike LogScale Plugin for Log Shipper

This document explains how to ingest Netskope Alerts, Events, and Web transaction logs in JSON format from your Netskope tenant into the CrowdStrike LogScale HTTP Event Collector (HEC) using Cloud Exchange with the CLS CrowdStrike LogScale plugin.

The plugin transforms the alerts, events, and WebTx logs and sends them to the CrowdStrike LogScale HTTP Event Collector, authenticating with a repository ingest token.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
  • Your LogScale configuration parameters.
  • Connectivity to the CrowdStrike LogScale Platform.

LogScale Plugin Support

  • Event Support: Yes
  • Alert Support: Yes
  • WebTx Support: Yes

All Netskope events, alert logs, and web transaction logs will be shared.

Compatibility

Netskope CE: v4.1.0, v4.2.0, v5.0.0

Permissions

To generate an Ingest Token, your LogScale user account needs the Change ingest tokens permission on the target repository. If you do not have it, ask your Organization Owner to grant Change ingest tokens access to your user.

Performance Matrix

This performance reading is for a Large Stack CE at 200K EPM (events per minute), tested on the VM specification below.

  • Stack Size: Large (16 cores, 32 GB RAM)
  • Alerts/Events: 4 MBps
  • WebTx: 6 MBps

Workflow

  1. Get your LogScale configuration parameters.
  2. Configure the LogScale plugin.
  3. Configure Log Shipper Business Rules for LogScale.
  4. Configure Log Shipper SIEM Mappings for LogScale.
  5. Validate the LogScale plugin.

Get your LogScale Configuration Parameters

The following configuration parameters are needed to configure the CrowdStrike LogScale plugin for Netskope Log Shipper.

  • CrowdStrike LogScale Host: the base URL of your CrowdStrike LogScale instance, including the https:// scheme.
  • Ingest Token: a unique string that identifies a LogScale repository and authorizes sending data to it. Treat it as a secret: anyone holding the token can write into that repository.

Generate an Ingest Token

  1. Log in to your CrowdStrike LogScale instance.
  2. Select your repository from the repositories and views page and click Settings.
  3. Go to Ingest tokens and click Add token.
  4. Enter a Token name and choose a json parser from the Assigned parser list, so that the JSON records the plugin sends are parsed into fields on ingest.
  5. Click Save.
  6. On the Ingest tokens page, click the eye icon next to the token you created to reveal its value, and copy it for use when configuring the plugin.

Configure the CrowdStrike LogScale Plugin

  1. Go to Settings > Plugins. Search for and select the CLS CrowdStrike LogScale plugin to open the plugin creation pages.
  2. Add a Configuration Name and make sure the CrowdStrike LogScale Default Mapping is selected.

    Leave the toggle that transforms raw logs disabled. The plugin only supports sending JSON-formatted data, so transformed (non-JSON) output is not accepted.

  3. Click Next and provide value for the below parameters:
    1. CrowdStrike LogScale Host
    2. Ingest Token
  4. Click Save. Your new plugin configuration appears under Log Shipper > Plugin.

Configure a Log Shipper Business Rule for LogScale

  1. Go to Log Shipper > Business Rule. A default business rule that matches all alerts and events already exists.
  2. To forward only specific types of alerts or events, click Create New Rule, give the new business rule a name and a filter, and click Save.

Configure Log Shipper SIEM Mappings for LogScale

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping. Once the mapping is saved, data is pulled from your Netskope tenant, transformed, and ingested into the CrowdStrike LogScale platform.
  2. Select the Source plugin (Netskope CLS), the Destination plugin (your CrowdStrike LogScale configuration), and the business rule, then click Save.
  3. To ingest Web transaction logs, add a second mapping with the Netskope WebTx plugin as Source and the CrowdStrike LogScale plugin as Destination, then click Save.

Validate the LogScale Plugin

Validate in Cloud Exchange

  1. Go to Logging.
  2. Filter the log entries with “message contains ingested”.
  3. Only the entries confirming ingestion to LogScale remain.

Validate in CrowdStrike LogScale

  1. Log in to the LogScale platform.
  2. Open the repository the ingest token belongs to, go to the Search tab, and apply filters to see the specific Netskope data you expect.
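When the plugin is configured but nothing shows up in LogScale, it helps to exercise the same two parameters (host URL and ingest token) outside Cloud Exchange. The script below is an added example, not the Netskope plugin's own code: it checks the host and token for the common configuration mistakes, wraps a constructed Netskope-style alert in the HEC envelope, and POSTs it to LogScale's HTTP Event Collector endpoint (/api/v1/ingest/hec, Bearer-token authentication). The sample alert's field names, the host, the token and the sourcetype value are illustrative assumptions, not the plugin's exact mapping.

```python
"""
Added example (not Netskope's plugin code): push a constructed Netskope-style
alert to the CrowdStrike LogScale HTTP Event Collector with an ingest token,
using the same two parameters the Log Shipper plugin asks for, and classify
the response. Endpoint path and Bearer header follow LogScale's HEC interface;
the sample alert, host, token and sourcetype below are made up for illustration.
"""
import json
import os
import sys
import time
import urllib.error
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/api/v1/ingest/hec"

# Constructed sample record in the general shape of a Netskope alert.
# Field names are illustrative, not the plugin's exact mapping.
SAMPLE_ALERT = {
    "alert_type": "policy",
    "user": "alice@example.com",
    "app": "Dropbox",
    "action": "block",
    "policy": "Block unsanctioned cloud storage",
    "timestamp": 1700000000,
}


def validate_params(host: str, token: str) -> str:
    """Catch configuration mistakes before any data leaves the box: a non-HTTPS
    host (the ingest token would travel in clear text), a missing hostname, a
    host that already carries a path or query, or an empty/padded token.
    Returns the normalised base URL (scheme + hostname only)."""
    parsed = urlparse(host)
    if parsed.scheme != "https":
        raise ValueError("CrowdStrike LogScale Host must use https://")
    if not parsed.netloc:
        raise ValueError("CrowdStrike LogScale Host must include a hostname")
    if parsed.path not in ("", "/") or parsed.query:
        raise ValueError("CrowdStrike LogScale Host should be the bare base URL")
    if not token or token.strip() != token:
        raise ValueError("Ingest Token must be non-empty with no surrounding whitespace")
    return f"{parsed.scheme}://{parsed.netloc}"


def build_hec_batch(records, sourcetype: str, host_field: str = "netskope-ce") -> bytes:
    """Encode records as newline-delimited HEC envelopes so many events travel
    in one POST. 'time' is epoch seconds; the parser assigned to the ingest
    token (json) turns the 'event' object into searchable fields."""
    lines = []
    for rec in records:
        envelope = {
            "time": rec.get("timestamp", int(time.time())),
            "host": host_field,
            "sourcetype": sourcetype,
            "event": rec,
        }
        lines.append(json.dumps(envelope, separators=(",", ":")))
    return "\n".join(lines).encode("utf-8")


def build_request(host: str, token: str, body: bytes) -> urllib.request.Request:
    """Assemble the HEC POST: validated base URL + HEC path, Bearer ingest token."""
    base = validate_params(host, token)
    return urllib.request.Request(
        base + HEC_PATH,
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def send(host: str, token: str, records, sourcetype: str = "netskope:alert", timeout: int = 10) -> dict:
    """POST the batch and classify the outcome. A 401 points at the token (wrong
    value, or a token for a different repository); other errors are returned as-is."""
    req = build_request(host, token, build_hec_batch(records, sourcetype))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"ok": True, "status": resp.status, "body": resp.read().decode()}
    except urllib.error.HTTPError as e:
        detail = e.read().decode(errors="replace")
        hint = "check the Ingest Token and its repository" if e.code == 401 else detail
        return {"ok": False, "status": e.code, "body": hint}


if __name__ == "__main__":
    # Usage: LOGSCALE_INGEST_TOKEN=<token> python hec_check.py https://<your-logscale-host>
    # The token is read from the environment so it does not land in shell history.
    print(send(sys.argv[1], os.environ["LOGSCALE_INGEST_TOKEN"], [SAMPLE_ALERT]))
```

After a 200 response, search the repository in LogScale for the sourcetype you sent (here netskope:alert) to confirm the json parser split the record into fields; a 401 with a correct host almost always means the token was generated for a different repository than the one you are searching.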
