Risk Insights

Risk Insights

Risk Insights provide a quick and easy way to discover cloud apps in your environment to establish a baseline risk assessment for your cloud apps usage.

You can upload the log files from your enterprise web proxy, next generation firewalls, and other devices to your tenant instance in the Netskope cloud. Netskope Log Collector can parse these logs to provide insight into the cloud apps being used, like who is using the app, what the app is, its bandwidth and session usage, the source and destination IP of cloud app traffic, and so on.

Logs can be uploaded to Netskope in these ways:

  • Upload logs directly to the Netskope cloud from your tenant UI or via SFTP.
  • Deploy an On-Premises Log Parser (OPLP) virtual appliance and upload the logs to the OPLP. You can also directly stream the logs via syslog to the OPLP. All the log processing happens on the OPLP. Log collector processes on the device will parse the logs, extract the necessary events, and send only the extracted cloud app events to your tenant instance in the Netskope cloud. For more information, refer to Configure the Virtual Appliance.

This document describes how to upload logs from your tenant or via SFTP, and explains how to use predefined and custom parsers. To use OPLP on a virtual appliance to upload logs, refer to those sections to configure those systems before proceeding.

Supported Log Formats

Netskope currently supports the following log formats:

DeviceLog Format
Cisco-ASAasa,asa-syslog
Bro-IDSbro-ids
Checkpointchkp
Cisco Catalystcisco-fwsm-syslog
Cisco IronPortcisco-wsa, cisco-wsa-syslog
Fortinetfortigate
Bluecoat logs sent to Greenplum logservergreenplum-bluecoat
Microsoft-ISAisa-splunk
Juniper SRXjuniper-srx-structured-syslog
Juniper SRXjuniper-srx-unstructured-syslog
Juniper Netscreennetscreen-traffic
Mcafee Web GWmcafee
Palo Alto Networkspanw,panw-syslog
Blue Coatproxysg, proxysg-http-main
Bluecoat logs exported In websense formatproxysg-websense
Cisco ScanSafescansafe
Sensage SIEMsensage
Sonicwallsonicwall-syslog
Squid Proxysquid
Sophos Web Gatewaysophos
Symantec Web SecuritySymantec-web-security
Trustwavetrustwave
Websensewebsense
Zscalerzscaler

Netskope log based discovery requires the destination URL in addition to the destination IP address to accurately identify and map cloud apps. Since most service providers use netblocks to host their services, a destination IP address can be shared by multiple services and therefore, the destination IP address alone does not provide sufficient information required to identify the cloud app.

Netskope recommends either turning on SSL decryption on your firewall or proxy server to capture the destination URLs in the logs so that Netskope can more accurately determine the cloud app service in use, or steering user traffic through Netskope cloud for the most accurate understanding of apps, tenants, and activities.

Log Requirements

  • You can compress the logs before uploading. Bzip, zip and gzip are currently supported.
  • Each compressed file can contain only one single log file.
  • Make sure to upload the log to the correct log folder. For example, for checkpoint logs, use the upload/chkp folder, and for Bluecoat Proxy logs use the upload/proxysg-http-main folder, and so on.

Please reach out to your SE to learn if there are any new log formats that are not listed.

Use port 22 to upload logs to the tenant UI via SFTP.

Supported Character Encoding

Netskope supports ASCII and UTF-8 character encoding formats.

OPLP Sizing Guide

To ensure you have enough processing power for the amount of logs being processed, review these guidelines. Keep in mind these guidelines are for predefined parsers; core and RAM requirements for custom parsers vary depending on the complexity of the logs.

Expected Log TrafficCores RequiredRAM RequiredDisk Space Required
Approximately 72 GB per day or 3 GB per hour832 GB400 GB
Approximately 144 GB per day or 6 GB per hour1664 GB600 GB
Approximately 216 GB per day or 8 GB per hour2496 GB900 GB
Share this Doc

Risk Insights

Or copy link

In this topic ...