Netskope

Use the Netskope integration to manage your Netskope events and alerts.

This integration was integrated and tested with Netskope v51.

Prerequisites

You need to obtain the following Netskope information.

  • Netskope tenant URL
  • Tenant API token

Configure the Netskope Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Netskope.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • URL of Netskope Tenant: for example, https://tenant.goskope.com
    • Tenant API Token: paste the token that you copied.
    • Do not validate server certificate (unsecure)
    • Use system proxy settings
  4. Click Test to validate the URLs and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get Netskope events: netskope-events
  2. Get Netskope alerts: netskope-alerts

1. Get Netskope events: netskope-events

Retrieve events from your Netskope environment.

Command Example

!netskope-events type=application timeperiod=Last24Hours

Input
Input Parameter Description
query Filter query, for example, foo@test.com
timeperiod Query time period (for example, last 60 minutes, last 24 hours)
starttime Query start time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z)
endtime Query end time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z)
type Event type: Application, Page, or Audit
limit Maximum number of events returned (useful for pagination in combination with skip). Must be an integer less than 5,000.
skip Skip over specific events (useful for pagination in combination with limit)

Context Output
Path Description
Netskope.Events.App Application name
Netskope.Events.Timestamp Event timestamp
Netskope.Events.Activity Event activity
Netskope.Events.Object Document/object from the event
Netskope.Events.hostname Device hostname
Netskope.Events.AppCategory Netskope application category (for example, Cloud Storage, Webmail, and so on)
Netskope.Events.device_classification Device classification (for example, managed vs. unmanaged)
Netskope.Events.User User
Netskope.Events.from_user Login IDs for cloud applications
Netskope.Events.to_user Destination user IDs
Netskope.Events.SourceIP Source IP
Netskope.Events.AccessMethod Access method (for example, client, reverse proxy, Secure Forwarder, and so on)
Netskope.Events.url URL
Netskope.Events.ID Event ID

Raw Output
{  
   "AccessMethod":"API Connector",
   "Activity":"HeadBucket",
   "App":"Amazon Web Services",
   "AppCategory":"IaaS/PaaS",
   "DeviceClassification":null,
   "FromUser":null,
   "Hostname":null,
   "ID":"1382a493090c36ba14bfc2bc",
   "Object":"nstrail",
   "SourceIP":"8.36.116.16",
   "Timestamp":"Mon May 21 2018 13:26:30 GMT+0300 (IDT)",
   "ToUser":null,
   "URL":null,
   "User":"assumed-role/ctaudit/AssumeRoleSession1"
}
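The input table above describes limit/skip pagination, a hard ceiling of 5,000 on limit, three event types, and a dd-mm-yyyyTHH:MM:SSZ time format, but it does not show how a caller puts those together. The following is an added example written for this README; it is not code from the Netskope integration or from Netskope. It validates the arguments against exactly the constraints the table states, builds the parameter dictionary, and walks every page by advancing skip. The fetch function is a constructed in-memory stand-in for the real API call (the real request and response shape are not on this page, so treat that part as an assumption); the synthetic events, IDs and the sample timestamp are constructed for the example.

```python
# Added example for this README; not code from the Netskope integration itself.
# It shows how a caller would page through netskope-events results using the
# limit/skip parameters described above and validates arguments against the
# constraints the input table states. The fetch callable is a constructed stand-in
# for the real API request (assumption: the real request/response shape is not on this page).
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional, Tuple

MAX_LIMIT = 5000                                # limit must be an integer less than 5,000
EVENT_TYPES = ("application", "page", "audit")  # the three documented event types

# Constructed sample instant, matching the format example in the input table.
SAMPLE_START = datetime(1999, 12, 31, 11, 59, 59, tzinfo=timezone.utc)


def format_netskope_time(dt: datetime) -> str:
    """Render a datetime as dd-mm-yyyyTHH:MM:SSZ, the starttime/endtime format documented above."""
    return dt.astimezone(timezone.utc).strftime("%d-%m-%YT%H:%M:%SZ")


def build_event_params(event_type: str, limit: int = 1000, skip: int = 0,
                       timeperiod: Optional[str] = None,
                       starttime: Optional[datetime] = None,
                       endtime: Optional[datetime] = None,
                       query: Optional[str] = None) -> Dict[str, object]:
    """Validate and assemble the netskope-events arguments (rejects bad input before any request is made)."""
    if event_type.lower() not in EVENT_TYPES:
        raise ValueError(f"type must be one of {EVENT_TYPES}, got {event_type!r}")
    if not isinstance(limit, int) or isinstance(limit, bool) or not 0 < limit < MAX_LIMIT:
        raise ValueError(f"limit must be an integer in 1..{MAX_LIMIT - 1}, got {limit!r}")
    if not isinstance(skip, int) or skip < 0:
        raise ValueError(f"skip must be a non-negative integer, got {skip!r}")
    params: Dict[str, object] = {"type": event_type.lower(), "limit": limit, "skip": skip}
    if timeperiod:                 # e.g. Last24Hours, as in the command example above
        params["timeperiod"] = timeperiod
    if starttime:
        params["starttime"] = format_netskope_time(starttime)
    if endtime:
        params["endtime"] = format_netskope_time(endtime)
    if query:
        params["query"] = query
    return params


def iter_events(fetch: Callable[[Dict[str, object]], List[dict]],
                base_params: Dict[str, object], page_size: int = 1000) -> Iterator[dict]:
    """Yield every event by advancing skip in steps of page_size until a short or empty page comes back."""
    if not 0 < page_size < MAX_LIMIT:
        raise ValueError("page_size must be below the documented 5,000 limit")
    skip = int(base_params.get("skip", 0))
    while True:
        page = fetch({**base_params, "limit": page_size, "skip": skip})
        yield from page
        if len(page) < page_size:  # last page reached (possibly empty)
            return
        skip += page_size


def make_fake_fetch(total: int) -> Tuple[Callable[[Dict[str, object]], List[dict]], List[int]]:
    """Constructed stand-in for the API: serves `total` synthetic events and records each skip requested."""
    store = [{"ID": f"evt-{i:04d}", "App": "Amazon Web Services", "Activity": "HeadBucket"}
             for i in range(total)]
    skips_seen: List[int] = []

    def fetch(params: Dict[str, object]) -> List[dict]:
        skip, limit = int(params["skip"]), int(params["limit"])
        skips_seen.append(skip)
        return store[skip:skip + limit]

    return fetch, skips_seen


def example_run(total: int = 7, page_size: int = 3) -> Tuple[List[str], List[int]]:
    """Collect all synthetic event IDs for the last 24 hours and report the skip offsets requested."""
    fetch, skips_seen = make_fake_fetch(total)
    params = build_event_params("application", timeperiod="Last24Hours")
    ids = [e["ID"] for e in iter_events(fetch, params, page_size=page_size)]
    return ids, skips_seen


if __name__ == "__main__":
    print(example_run())  # 7 IDs collected across skip offsets 0, 3 and 6
```

The page-size check keeps every request under the documented 5,000 ceiling, and the loop stops on the first short page, so a query that returns exactly a multiple of the page size costs one extra empty request rather than looping forever. The same time-format helper applies to the starttime/endtime arguments of netskope-alerts below.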

2. Get Netskope alerts: netskope-alerts

Retrieve alerts from your Netskope environment.

Command Example

!netskope-alerts type=Malware timeperiod=Last60Days

Input
Input Parameter Description
type Alert type
timeperiod Query time period (for example, last 60 minutes, last 24 hours)
starttime Query start time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z)
endtime Query end time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z)
query Valid event query described in the query language document

Context Output
Path Description
Netskope.Alerts.App Application name
Netskope.Alerts.Timestamp Alert timestamp
Netskope.Alerts.Policy Name of policy triggered
Netskope.Alerts.DLPFile Name of DLP file that triggered
Netskope.Alerts.Hostname Hostname
Netskope.Alerts.ID Alert ID

Raw Output
{  
   "App":"Microsoft Office 365 OneDrive for Business",
   "DLPFile":null,
   "DLPProfile":null,
   "Hostname":"Ashutosh’s MacBook Pro",
   "ID":"f95e5638432f538365d5b256",
   "Policy":null,
   "Timestamp":"Mon May 21 2018 13:29:34 GMT+0300 (IDT)"
}