Netskope
Use the Netskope integration to manage your Netskope events and alerts.
This integration was integrated and tested with Netskope v51.
Prerequisites
You need to obtain the following Netskope information.
- Netskope tenant URL
- Tenant API token
Configure the Netskope Integration on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Netskope.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- URL of Netskope Tenant : for example, https://tenant.goskope.com
- Tenant API Token : paste the token that you copied.
- Do not validate server certificate (unsecure) : leave this unchecked unless you are deliberately testing against a tenant with a self-signed certificate. Enabling it disables TLS certificate verification for every request that carries the API token.
- Use system proxy settings
- Click Test to validate the URLs and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Get Netskope events: netskope-events
Retrieve events from your Netskope environment.
Command Example
!netskope-events type=application timeperiod=Last24Hours
Input
| Input Parameter | Description |
| --- | --- |
| query | Filter query, for example, foo@test.com |
| timeperiod | Query time period, for example Last24Hours or Last60Days as used in the command examples (last 24 hours, last 60 days) |
| starttime | Query start time: timestamp or dd-mm-yyyyTHH:MM:SSZ (for example, 31-12-1999T11:59:59Z) |
| endtime | Query end time: timestamp or dd-mm-yyyyTHH:MM:SSZ (for example, 31-12-1999T11:59:59Z) |
| type | Event type (for example, application, as in the command example) |
| limit | Maximum number of events returned (useful for pagination in combination with skip). Must be an integer less than 5,000. |
| skip | Number of events to skip (useful for pagination in combination with limit) |
Context Output
| Path | Description |
| --- | --- |
| Netskope.Events.App | Application name |
| Netskope.Events.Timestamp | Event timestamp |
| Netskope.Events.Activity | Event activity |
| Netskope.Events.Object | Document/object from the event |
| Netskope.Events.Hostname | Device hostname |
| Netskope.Events.AppCategory | Netskope application category (for example, Cloud Storage, Webmail, and so on) |
| Netskope.Events.DeviceClassification | Device classification (for example, managed or unmanaged) |
| Netskope.Events.User | User |
| Netskope.Events.FromUser | Login IDs for cloud applications |
| Netskope.Events.ToUser | Destination user IDs |
| Netskope.Events.SourceIP | Source IP |
| Netskope.Events.AccessMethod | Access method (for example, client, reverse proxy, Secure Forwarder, and so on) |
| Netskope.Events.URL | URL |
| Netskope.Events.ID | Event ID |

The key names match the raw output below; fields that Netskope does not populate for a given event (for example, Hostname for an API Connector event) are returned as null.
Raw Output
```json
{
  "AccessMethod": "API Connector",
  "Activity": "HeadBucket",
  "App": "Amazon Web Services",
  "AppCategory": "IaaS/PaaS",
  "DeviceClassification": null,
  "FromUser": null,
  "Hostname": null,
  "ID": "1382a493090c36ba14bfc2bc",
  "Object": "nstrail",
  "SourceIP": "8.36.116.16",
  "Timestamp": "Mon May 21 2018 13:26:30 GMT+0300 (IDT)",
  "ToUser": null,
  "URL": null,
  "User": "assumed-role/ctaudit/AssumeRoleSession1"
}
```
2. Get Netskope alerts: netskope-alerts
Retrieve alerts from your Netskope environment.
Command Example
!netskope-alerts type=Malware timeperiod=Last60Days
Input
| Input Parameter | Description |
| --- | --- |
| type | Alert type (for example, Malware, as in the command example) |
| timeperiod | Query time period, for example Last24Hours or Last60Days as used in the command examples (last 24 hours, last 60 days) |
| starttime | Query start time: timestamp or dd-mm-yyyyTHH:MM:SSZ (for example, 31-12-1999T11:59:59Z) |
| endtime | Query end time: timestamp or dd-mm-yyyyTHH:MM:SSZ (for example, 31-12-1999T11:59:59Z) |
| query | Valid event query, as described in the Netskope query language document |
Context Output
| Path | Description |
| --- | --- |
| Netskope.Alerts.App | Application name |
| Netskope.Alerts.Timestamp | Alert timestamp |
| Netskope.Alerts.Policy | Name of the policy that triggered the alert |
| Netskope.Alerts.DLPFile | Name of the file that triggered the DLP alert |
| Netskope.Alerts.DLPProfile | Name of the DLP profile that matched (present in the raw output below) |
| Netskope.Alerts.Hostname | Hostname |
| Netskope.Alerts.ID | Alert ID |
Raw Output
```json
{
  "App": "Microsoft Office 365 OneDrive for Business",
  "DLPFile": null,
  "DLPProfile": null,
  "Hostname": "Ashutosh’s MacBook Pro",
  "ID": "f95e5638432f538365d5b256",
  "Policy": null,
  "Timestamp": "Mon May 21 2018 13:29:34 GMT+0300 (IDT)"
}
```
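The argument formats shared by netskope-events and netskope-alerts above (timeperiod, the starttime/endtime pair in dd-mm-yyyyTHH:MM:SSZ form, query), the limit/skip paging that only netskope-events offers, and the Timestamp string that comes back in the context output are the parts an automation most often gets wrong. The Python below is an added example written for this page; it is not code from the Netskope integration or from Demisto. Only the argument names, formats and limits are taken from the tables above. It assumes the commands are invoked through a caller-supplied callback (for instance a thin wrapper around demisto.executeCommand), that timeperiod and starttime/endtime are alternatives rather than combined, and the events it pages over are constructed sample data.

```python
"""Argument building, timestamp handling and limit/skip paging for the
netskope-events and netskope-alerts commands. Added example, not code from
the Netskope integration or Demisto; the callback, the timeperiod-vs-window
exclusivity and the sample events are this example's own assumptions."""
import re
from datetime import datetime, timedelta, timezone

NETSKOPE_TIME_FMT = "%d-%m-%YT%H:%M:%SZ"  # dd-mm-yyyyTHH:MM:SSZ, day first, not ISO 8601
MAX_LIMIT = 5000                          # netskope-events limit must be an integer below 5,000
COMMANDS = ("netskope-events", "netskope-alerts")


def to_netskope_time(dt):
    """Render a datetime as the starttime/endtime string; the trailing Z means UTC,
    so aware datetimes are converted and naive ones are assumed to be UTC already."""
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc)
    return dt.strftime(NETSKOPE_TIME_FMT)


def parse_context_timestamp(ts):
    """Parse the Timestamp field of the context output, e.g.
    'Mon May 21 2018 13:26:30 GMT+0300 (IDT)', into an aware datetime."""
    m = re.match(r"^\w{3} (\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) GMT([+-])(\d{2})(\d{2})", ts)
    if not m:
        raise ValueError("unrecognized Netskope timestamp: %r" % ts)
    naive = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    sign = -1 if m.group(2) == "-" else 1
    offset = timedelta(minutes=sign * (int(m.group(3)) * 60 + int(m.group(4))))
    return naive.replace(tzinfo=timezone(offset))


def build_args(command, type_, start=None, end=None, timeperiod=None, query=None):
    """Build the argument dict for either command, rejecting inconsistent windows."""
    if command not in COMMANDS:
        raise ValueError("unknown command %r" % command)
    if timeperiod and (start or end):  # assumption: the API takes one or the other
        raise ValueError("use either timeperiod or starttime/endtime, not both")
    if (start is None) != (end is None):
        raise ValueError("starttime and endtime must be given together")
    args = {"type": type_}
    if timeperiod:
        args["timeperiod"] = timeperiod
    if start is not None:
        if start >= end:
            raise ValueError("starttime must precede endtime")
        args["starttime"] = to_netskope_time(start)
        args["endtime"] = to_netskope_time(end)
    if query:
        args["query"] = query
    return args


def fetch_all_events(run_command, base_args, page_size=1000, max_events=50000):
    """Walk netskope-events limit/skip pages until a short page comes back.

    run_command(args) is caller-supplied, e.g. a wrapper around
    demisto.executeCommand("netskope-events", args) returning the list of
    Netskope.Events entries for one page. max_events bounds runaway queries."""
    if not 0 < page_size < MAX_LIMIT:
        raise ValueError("page_size must be an integer in 1..%d" % (MAX_LIMIT - 1))
    events, skip = [], 0
    while len(events) < max_events:
        page = run_command(dict(base_args, limit=str(page_size), skip=str(skip)))
        events.extend(page)
        if len(page) < page_size:
            break
        skip += page_size
    return events[:max_events]


# Constructed stand-in for the command: 2,350 synthetic events shaped like the
# context output above, so the paging logic can be exercised offline.
SAMPLE_EVENTS = [
    {"ID": "%024x" % i, "App": "Amazon Web Services", "Activity": "HeadBucket",
     "Timestamp": "Mon May 21 2018 13:26:30 GMT+0300 (IDT)"}
    for i in range(2350)
]


def fake_run_command(args):
    """Serve SAMPLE_EVENTS in limit/skip slices, as the real command would."""
    limit, skip = int(args["limit"]), int(args["skip"])
    return SAMPLE_EVENTS[skip:skip + limit]


def collect_last_24h(run_command=fake_run_command):
    """Pull every 'application' event of the last 24 hours; return
    (event count, pages requested, newest event time as a starttime string)."""
    calls = []

    def counting(args):
        calls.append(args["skip"])
        return run_command(args)

    args = build_args("netskope-events", "application", timeperiod="Last24Hours")
    events = fetch_all_events(counting, args)
    newest = max(parse_context_timestamp(e["Timestamp"]) for e in events)
    return len(events), len(calls), to_netskope_time(newest)


if __name__ == "__main__":
    print(collect_last_24h())  # (2350, 3, '21-05-2018T10:26:30Z')
```

In a real automation, pass a callback that unwraps the Netskope.Events entries from demisto.executeCommand's result instead of fake_run_command; the newest timestamp returned by collect_last_24h is already in the form the next run can hand to starttime, which is the usual way to avoid re-pulling the same window.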