Netskope Tenant Plugin

Netskope Tenant Plugin

This document explains how to configure the Netskope Tenant (v1) plugin in the Cloud Exchange platform. This plugin is responsible for configuring Netskope tenants and collecting alerts, events, and WebTx data from Netskope into Cloud Exchange. Beginning with Cloud Exchange 5.1.0, Netskope tenants are configured through a Tenant plugin and not through Settings > Netskope Tenants.

Prerequisites

Connectivity to a Netskope tenant with permission to generate v2 tokens.

CE Version Compatibility

This plugin is compatible with Netskope CE 5.1.0.

Tenant Plugin Support

This plugin is used to pull events and alerts data from your Netskope tenant, and WebTx data from a GCP pubsub topic for other Netskope plugins.

Event Types Yes (Audit, Application, Infrastructure, Network, Incident, Page, Endpoint)
Alert Types Yes (DLP, Malware, Policy, Compromised Credential, Malsite, Quarantine, Remediation, Security Assessment, Watchlist, CTEP, UBA)
WebTx Yes
Permissions

The required permissions (privilege levels) per plugin are available in REST API scopes.

API Details
List of APIs used
API Endpoint Method Use Case
/api/v1/app_instances GET To validate the v1 token
/api/v2/events/dataexport/events/alert GET To validate the v2 token while configuring a tenant.
Pull data from the Netskope tenant

Here is an example from one of the above mentioned APIs. To access the API Response for other APIs, you can use the Swagger API in your Netskope tenant (Settings > Tools > REST API v2 > API Documentation).

API Endpoint: /api/v2/events/dataexport/events/alert

Method: GET

Parameters:

Index: <name of iterator index>

operation: <epoch time from where want to fetch the data>

Headers:

Netskope-Api-Token: <v2_Token>

Accept: application/json

Content-Type: application/json

Sample API Response:

To access the API Response view, log in to your Netskope tenant and go to the following URL in order to access the Swagger UI.

https://<TENANT_URL>.com/apidocs (or Settings > Tools > REST API v2 > API Documentation).

From there, you will be able to request the API mentioned above and obtain the desired API response.

User Agent

The user-agent added in this plugin is in the following format:

netskope-ce-<ce_version>

For example: netskope-ce-5.1.0

Workflow
  1. Generate a v1 and/or v2 Token for your Netskope tenant.
  2. Configure the Netskope Tenant plugin.
  3. Validate the plugin.

Click play to watch a video.

 

Generate a v1 Token

Using a v1 token is optional; using a v2 token is recommended.

  1. In your Netskope tenant, go to Settings > Tools > REST API v1.
  2. Click Generate New Token.
  3. Click Generate.
  4. Click the edit icon located directly beneath the token to adjust the token’s expiration.
    By default, the token is generated with no expiry. Choose the expiry duration from the dropdown menu. Select from 30 days, 60 days, 90 days, 180 days, or 365 days.
  5. Click Save.
  6. Copy the token. It will be required when configuring the Netskope tenant in Cloud Exchange.

Generate a v2 Token

  1. In your Netskope tenant, go to Settings > Tools > REST API v2.
  2. Click New Token.
  3. Enter a Tenant Name.
  4. Enter an Expire time. Select from Day(s), Hour(s), Week(s), Year(s).
  5. Click Add Endpoint and select the endpoint shown and enable the Read privilege. For more details, go to REST API Scopes.
  6. Click Save.
  7. Copy the token. It is required when configuring the Netskope Tenant Plugin in Cloud Exchange.

Configure the Netskope Tenant Plugin

The tenant creation workflow has been updated in CE 5.1.0, and you no longer go to Settings > Netskope Tenants to configure your tenants in Cloud Exchange.

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Netskope Tenant plugin box.
  3. Enter a tenant plugin name.
  4. Enter the tenant URL. Be sure to enter the full tenant URL (like https://support.de.goskope.com).
  5. Paste your API token in the appropriate field (v1 or v2).
  6. Click Save.

Troubleshooting the Netskope Plugin

Receiving an Error while Configuring the Tenant

Getting the error: The Netskope tenant API v2 token does not have necessary permissions configured. Refer to the list of endpoints for which the token is missing permission. **

Cause: The provided v2 token does not have the minimum required permissions to configure the tenant in CE.

What to do:

  1. Go to Logging and look for a warning log similar to the following pattern:
    “TENANT Netskope Tenant (Required) [Netskope Tenant]: For **, received 403 error for following endpoint(s)”
  2. Expand the log and get the list of endpoints for which permissions are missing.
  3. Now update the v2 token permissions and add the permission for the shown endpoint.
Receiving a Connection Error. Check the tenant URL and network settings.


Cause: This error might be occurring either due to invalid tenant url or due to network connectivity issue of machine.

What to do:

  1. Validate that the tenant URL starts with https://, and it should be the full tenant URL (like https://support.goskope.com)
  2. If the tenant URL is correct, validate to see if your CE machine is able to communicate with your tenant URL.
  3. Re-run the setup script and enter proxy details if required, and the full tenant URL, then check to see if tenant connectivity check is passed. If the connectivity check is failed, please reach out to your IT team.
Share this Doc

Netskope Tenant Plugin

Or copy link

In this topic ...