Netskope Help

QRadar Plugin for Log Shipper

This document explains how to configure your QRadar integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows pushing alerts and events from Netskope to the QRadar platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances).

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

  • A QRadar instance.

Note

Verify that the permissions on your QRadar instance are secure and that it is not set up for open public access. Only allow access to your QRadar instance from your Cloud Exchange host and any other addresses that need access.

Workflow
  1. Obtain the QRadar Server, Port, and TLS Certificate information.

  2. Configure the QRadar Plugin.

  3. Configure Log Shipper Business Rules for QRadar.

  4. Configure Log Shipper SIEM Mappings for QRadar.

  5. Validate the QRadar plugin.

Obtain the QRadar Server, Port, and TLS Certificate Information

  1. Go to your QRadar instance.

  2. Log in to QRadar.

  3. Click Admin and then click DSM Editor.

  4. Click Create New.

  5. Enter a Log Source Type Name and click Save. It takes a few seconds to create a Log Source Type.

  6. Go to your QRadar instance, click Admin, and then click Launch.

  7. Click Log Sources.

  8. Click + New Log Source.

  9. Click Single Log Source.

  10. Select the Log Source Type that you created and click Step 2: Select Protocol Type.

  11. Select a Protocol Type and click Step 3: Configure Log Source Parameters.

  12. Enter a Name and click Step 4: Configure Protocol Parameters.

  13. Enter the Required parameters and click Step 5: Test Protocol Parameters.

  14. Click Skip Test and Finish.

  15. Go to your QRadar instance and click Admin > Deploy Changes. It takes a few minutes to deploy changes.

  16. To get the TLS certificate (if you chose TLS as the protocol), go to your QRadar VM and download the certificate from the path /opt/qradar/conf/trusted_certificates.

Configure the QRadar Plugin

  1. In Cloud Exchange, go to Settings > Plugins.

  2. Search for and select the QRadar box to open the plugin creation pages.

  3. Enter a Configuration Name.

  4. Select a valid Mapping. (Default mappings for all plugins are available.)

  5. Click Next.

  6. Enter a QRadar Server, select a QRadar Format and QRadar Protocol, and then enter your QRadar Port and QRadar Certificate information.

  7. Enter Valid Extensions if you have any other than the default one.

  8. Click Save.

Configure Log Shipper Business Rules for QRadar

  1. Go to Log Shipper > Business Rules.

  2. Click Create New Rule.

  3. Enter a Rule Name and select the filters to use.

  4. Click Save.

Configure Log Shipper SIEM Mappings for QRadar

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.

  2. Select a Source Configuration, Business Rule, and Destination Configuration.

  3. Click Save.

Validate the QRadar Plugin

To validate the plugin workflow, you can check from Netskope Cloud Exchange and from your QRadar instance.

To validate from Netskope Cloud Exchange, go to Logging.


To validate from the QRadar instance, go to your QRadar instance and click Log Activity. You can see all logs, and can apply filters to see specific logs.
