Netskope Tenant Plugin
Netskope Tenant Plugin
This document explains how to configure the Netskope Tenant (v1) plugin in the Cloud Exchange platform. This plugin is responsible for configuring Netskope tenants and collecting alerts, events, and WebTx data from Netskope into Cloud Exchange. Beginning with Cloud Exchange 5.1.0, Netskope tenants are configured through a Tenant plugin and not through Settings > Netskope Tenants.
Prerequisites
Connectivity to a Netskope tenant with permission to generate v2 tokens.
CE Version Compatibility
This plugin is compatible with Netskope CE 5.1.0.
Tenant Plugin Support
This plugin is used to pull events and alerts data from your Netskope tenant, and WebTx data from a GCP pubsub topic for other Netskope plugins.
Event Types | Yes (Audit, Application, Infrastructure, Network, Incident, Page, Endpoint) |
Alert Types | Yes (DLP, Malware, Policy, Compromised Credential, Malsite, Quarantine, Remediation, Security Assessment, Watchlist, CTEP, UBA) |
WebTx | Yes |
Permissions
The required permissions (privilege levels) per plugin are available in REST API scopes.
API Details
List of APIs used
API Endpoint | Method | Use Case |
---|---|---|
/api/v1/app_instances | GET | To validate the v1 token |
/api/v2/events/dataexport/events/alert | GET | To validate the v2 token while configuring a tenant. |
Pull data from the Netskope tenant
Here is an example from one of the above mentioned APIs. To access the API Response for other APIs, you can use the Swagger API in your Netskope tenant (Settings > Tools > REST API v2 > API Documentation).
API Endpoint: /api/v2/events/dataexport/events/alert
Method: GET
Parameters:
Index: <name of iterator index>
operation: <epoch time from where want to fetch the data>
Headers:
Netskope-Api-Token: <v2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response:
To access the API Response view, log in to your Netskope tenant and go to the following URL in order to access the Swagger UI.
https://<TENANT_URL>.com/apidocs (or Settings > Tools > REST API v2 > API Documentation).
From there, you will be able to request the API mentioned above and obtain the desired API response.
User Agent
The user-agent added in this plugin is in the following format:
netskope-ce-<ce_version>
For example: netskope-ce-5.1.0
Workflow
- Generate a v1 and/or v2 Token for your Netskope tenant.
- Configure the Netskope Tenant plugin.
- Validate the plugin.
Click play to watch a video.
Generate a v1 Token
Using a v1 token is optional; using a v2 token is recommended.
- In your Netskope tenant, go to Settings > Tools > REST API v1.
- Click Generate New Token.
- Click Generate.
- Click the edit icon located directly beneath the token to adjust the token’s expiration.
By default, the token is generated with no expiry. Choose the expiry duration from the dropdown menu. Select from 30 days, 60 days, 90 days, 180 days, or 365 days. - Click Save.
- Copy the token. It will be required when configuring the Netskope tenant in Cloud Exchange.
Generate a v2 Token
- In your Netskope tenant, go to Settings > Tools > REST API v2.
- Click New Token.
- Enter a Tenant Name.
- Enter an Expire time. Select from Day(s), Hour(s), Week(s), Year(s).
- Click Add Endpoint and select the endpoint shown and enable the Read privilege. For more details, go to REST API Scopes.
- Click Save.
- Copy the token. It is required when configuring the Netskope Tenant Plugin in Cloud Exchange.
Configure the Netskope Tenant Plugin
The tenant creation workflow has been updated in CE 5.1.0, and you no longer go to Settings > Netskope Tenants to configure your tenants in Cloud Exchange.
- In Cloud Exchange, go to Settings > Plugins.
- Search for and select the Netskope Tenant plugin box.
- Enter a tenant plugin name.
- Enter the tenant URL. Be sure to enter the full tenant URL (like https://support.de.goskope.com).
- Paste your API token in the appropriate field (v1 or v2).
- Click Save.
Troubleshooting the Netskope Plugin
Receiving an Error while Configuring the Tenant
Getting the error: The Netskope tenant API v2 token does not have necessary permissions configured. Refer to the list of endpoints for which the token is missing permission. **
Cause: The provided v2 token does not have the minimum required permissions to configure the tenant in CE.
What to do:
- Go to Logging and look for a warning log similar to the following pattern:
“TENANT Netskope Tenant (Required) [Netskope Tenant]: For **, received 403 error for following endpoint(s)” - Expand the log and get the list of endpoints for which permissions are missing.
- Now update the v2 token permissions and add the permission for the shown endpoint.
Receiving a Connection Error. Check the tenant URL and network settings.
Cause: This error might be occurring either due to invalid tenant url or due to network connectivity issue of machine.
What to do:
- Validate that the tenant URL starts with https://, and it should be the full tenant URL (like https://support.goskope.com)
- If the tenant URL is correct, validate to see if your CE machine is able to communicate with your tenant URL.
- Re-run the setup script and enter proxy details if required, and the full tenant URL, then check to see if tenant connectivity check is passed. If the connectivity check is failed, please reach out to your IT team.