Netskope
Use the Netskope integration to manage your Netskope events and alerts.
This integration was integrated and tested with Netskope v51.
Prerequisites
You need to obtain the following Netskope information.
- Netskope tenant URL
- Tenant API token
Configure the Netskope Integration on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for Netskope.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- URL of Netskope Tenant : for example, https://tenant.goskope.com
- Tenant API Token : paste the token that you copied.
- Do not validate server certificate (unsecure)
- Use system proxy settings
- Click Test to validate the URLs and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Get Netskope events: netskope-events
Retrieve events from your Netskope environment.
Command Example
!netskope-events type=application timeperiod=Last24Hours
Input
| Input Parameter | Description |
| query | Filter query, for example, foo@test.com |
| timeperiod | Query time period (for example, last 60 minutes, last 24 hours) |
| starttime |
Query start time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z)
|
| endtime |
Query end time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z) |
| type |
Event type
|
| limit |
Maximum number of events returned (useful for pagination in combination with skip) Must be an integer less than 5,000. |
| skip | Skip over specific events (useful for pagination in combination with limit) |
Context Output
| Path | Description |
| Netskope.Events.App | Application name |
| Netskope.Events.Timestamp | Event timestamp |
| Netskope.Events.Activity | Event activity |
| Netskope.Events.Object | Document/object from the event |
| Netskope.Events.hostname | Device hostname |
| Netskope.Events.AppCategory | Netskope application category (for example, Cloud Storage, Webmail, and so on) |
| Netskope.Events.device_classification | Device classification (for example, managed vs. unmanaged) |
| Netskope.Events.User | User |
| Netskope.Events.from_user | Login IDs for cloud applications |
| Netskope.Events.to_user | Destination user IDs |
| Netskope.Events.SourceIP | Source IP |
| Netskope.Events.AccessMethod | Access method (for example, client, reverse proxy, Secure Forwarder, and so on) |
| Netskope.Events.url | URL |
| Netskope.Events.ID | Event ID |
Raw Output
{
"AccessMethod":"API Connector",
"Activity":"HeadBucket",
"App":"Amazon Web Services",
"AppCategory":"IaaS/PaaS",
"DeviceClassification":null,
"FromUser":null,
"Hostname":null,
"ID":"1382a493090c36ba14bfc2bc",
"Object":"nstrail",
"SourceIP":"8.36.116.16",
"Timestamp":"Mon May 21 2018 13:26:30 GMT+0300 (IDT)",
"ToUser":null,
"URL":null,
"User":"assumed-role/ctaudit/AssumeRoleSession1"
}
2. Get Netskope alerts: netskope-alerts
Retrieve alerts from your Netskope environment.
Command Example
!netskope-alerts type=Malware timeperiod=Last60Days
Input
| Input Parameter | Description |
| type | Alert type |
| timeperiod | Query time period (for example, last 60 minutes, last 24 hours) |
| starttime |
Query start time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z) |
| endtime |
Query end time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z) |
| query | Valid event query described in the query language document |
Context Output
| Path | Description |
| Netskope.Alerts.App | Application name |
| Netskope.Alerts.Timestamp | Alert timestamp |
| Netskope.Alerts.Policy | Name of policy triggered |
| Netskope.Alerts.DLPFile | Name of DLP file that triggered |
| Netskope.Alerts.Hostname | Hostname |
| Netskope.Alerts.ID | Alert ID |
Raw Output
{
"App":"Microsoft Office 365 OneDrive for Business",
"DLPFile":null,
"DLPProfile":null,
"Hostname":"Ashutosh’s MacBook Pro",
"ID":"f95e5638432f538365d5b256",
"Policy":null,
"Timestamp":"Mon May 21 2018 13:29:34 GMT+0300 (IDT)"
}