Netskope Help

Rapid7 Plugin for Log Shipper

This document explains how to configure your Rapid7 Insight IDR integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows fetching behavior scores of users from your Insight IDR instance.

Requirements

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances)

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

  • A Rapid7 Insight IDR instance.

Note

Verify your Rapid7 Insight IDR instance permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.

Workflow
  1. Obtain Rapid7 server and port information.

  2. Configure the Rapid7 plugin.

  3. Configure Log Shipper Business Rules for Rapid7.

  4. Configure Log Shipper SIEM Mappings for Rapid7.

  5. Validate the Rapid7 plugin.

Obtain Rapid7 server and port information

  1. Go to your Rapid7 instance at https://insight.rapid7.com.

  2. Log in to Rapid7.

  3. Click Data Collection, then Collectors, and then click Download Collector. Download the Collector for your OS.

  4. Install the Collector on your machine. For installation steps, see Collector Installation and Deployment in the InsightIDR Documentation.

  5. Click Data Collection, Event Sources, and then click Add Event Source.

  6. Scroll down and select Custom Logs.

  7. Select the Collector you activated. Enter a Name Event Source and select your Timezone.

  8. Click Listen on Network Port, enter a Port Number, and then select a Protocol.

  9. Click Save.

  10. Click Data Collection and then Event Sources to see the configured Event source.

Configure the Rapid7 plugin

  1. Go to Settings > Plugins.

  2. Select the Rapid7 box to open the plugin creation dialog.

  3. Enter a Configuration Name.

  4. Select a valid Mapping (default mappings for all plugins are available).

  5. Click Next.

  6. Enter your Rapid7 Server information, select a Rapid7 Format and Rapid7 Protocol, and then enter your Rapid7 Port and Rapid7 Certificate information.

  7. Enter Valid Extensions if you have any other than the defaults.

  8. Click Save.

Configure Log Shipper Business Rules for Rapid7

  1. Go to Log Shipper > Business Rules.

  2. Click Create New Rule.

  3. Enter a Rule Name and select the filters to use.

  4. Click Save.

Configure Log Shipper SIEM Mappings for Rapid7

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.

  2. Select a Source Configuration, Business Rule, and Destination Configuration.

  3. Click Save.

Validate the Rapid7 plugin

To validate the plugin workflow, you can check from Netskope Cloud Exchange and from the Rapid7 instance.

To validate from Netskope Cloud Exchange, go to Logging.

To validate from the Rapid7 instance, there are two ways.

From Data Collection:

  1. Go to Data Collection > Event Sources.

  2. Click View raw log for a configured event source to see ingested data.

From Log Source:

Click Log Source and select the configured event source to see logs.
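
An independent check of the Event Source listener, as an added example (not part of the Netskope or Rapid7 documentation): this Python script sends one marked syslog-style test line to the configured port over UDP, TCP or TLS, so you can search for the marker under View raw log. The host name, port, marker and message layout are assumptions; the page does not state the format the plugin emits.

```python
import socket
import ssl
from datetime import datetime, timezone


def build_test_message(marker, hostname="cloud-exchange-test"):
    """Build one RFC 5424-style syslog line carrying a searchable marker."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # <14> = facility user (1) * 8 + severity informational (6)
    return f"<14>1 {ts} {hostname} listener-check - - - {marker}\n".encode()


def send_test_message(host, port, protocol, marker, ca_file=None, timeout=5.0):
    """Send one test line to the Event Source listener; return bytes sent.

    protocol is "udp", "tcp" or "tls". For "tls" the listener certificate
    is verified against ca_file (or the system trust store if None).
    """
    payload = build_test_message(marker)
    protocol = protocol.lower()
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            return sock.sendto(payload, (host, port))
    if protocol not in ("tcp", "tls"):
        raise ValueError(f"unsupported protocol: {protocol!r}")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if protocol == "tcp":
            raw.sendall(payload)
            return len(payload)
        # Certificate and hostname verification stay enabled for TLS.
        ctx = ssl.create_default_context(cafile=ca_file)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return len(payload)


if __name__ == "__main__":
    # Placeholder values (assumptions): use the Collector address, Port Number
    # and Protocol you entered for the Custom Logs event source.
    sent = send_test_message("collector.example.internal", 6514, "tcp",
                             "cx-listener-check-001")
    print(f"sent {sent} bytes")
```

A successful UDP send only shows that the datagram left the host; confirm arrival by finding the marker in the raw log.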