Netskope¶
About¶
Netskope delivers a modern cloud security stack, with unified capabilities for data and threat protection, plus secure private access. Use Netskope to understand your cloud risks and safely enable the cloud and web with granular policy controls for all users, locations, and devices. Automatically stop known or suspected threats, with options to alert, block, or quarantine ยท Leverage automated policies and workflows for real-time response.
Product Details¶
Vendor URL: Netskope
Product Type: Alert
Product Tier: Tier I
Integration Method: Custom
Integration URL: Netskope - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 90-100%
Data Label: NETSKOPE_ALERT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| _id | metadata.product_log_id |
| access_method | extensions.auth.auth_details |
| action | security_result.action |
| activity | metadata.product_event_type |
| activity | security_result.category_details |
| alert_name | security_result.summary |
| alert_type | metadata.product_event_type |
| alert_type | security_result.category_details |
| app | target.application |
| app_activity | metadata.product_event_type |
| appcategory | observer.application |
| browser | network.http.user_agent |
| browser_version | network.http.user_agent |
| dlp_profile | security_result.rule_type |
| dlp_rule | security_result.rule_name |
| dst_country | target.location.country_or_region |
| dst_location | target.location.city |
| dst_region | target.location.state |
| dstip | target.ip |
| file_path | target.file.full_path |
| file_size | target.file.size |
| file_type | target.file.mime_type |
| from_user | principal.user.email_addresses |
| hostname | principal.hostname |
| instance | principal.hostname |
| instance_id | principal.hostname |
| instance_id | network.http.referral_url |
| malware_id | security_result.threat_id |
| malware_name | security_result.threat_name |
| malware_type | security_result.rule_type |
| matched_username | security_result.detection_fields.value |
| md5 | target.file.md5 |
| netskope_pop | observer.hostname |
| netskope_pop | principal.hostname |
| ns_detection_name | security_result.rule_name |
| object | target.file.full_path |
| organization_unit | network.http.referral_url |
| os | principal.platform |
| os_version | principal.platform_version |
| page | network.http.referral_url |
| policy | security_result.rule_name |
| protocol | network.application_protocol |
| referer | network.http.referral_url |
| sha256 | target.file.sha256 |
| shared_credential_user | target.user.userid |
| shared_with | target.user.email_addresses |
| src_country | principal.location.country_or_region |
| src_ip | principal.nat_ip |
| src_location | principal.location.city |
| src_region | principal.location.state |
| to_user | target.user.email_addresses |
| url | target.url |
| user | principal.user.userid |
| userip | principal.ip |
Product Event Types¶
| Event | UDM Event Classification | Security Category | alerting enabled |
|---|---|---|---|
| Added | GENERIC_EVENT | ||
| Compromised Credential | GENERIC_EVENT | ||
| Device | GENERIC_EVENT | ||
| DLP | DATA_AT_REST,DATA_EXFILTRATION | ||
| Edit | GENERIC_EVENT | ||
| Exploit | EXPLOIT | TRUE | |
| File | FILE_UNCATEGORIZED | ||
| High | TRUE | ||
| Link | GENERIC_EVENT | ||
| Login | USER_LOGIN | AUTH_VIOLATION | |
| Low | |||
| EMAIL_TRANSACTION | |||
| malsite | POLICY_VIOLATION | ||
| Malware | SOFTWARE_MALICIOUS | TRUE | |
| Medium | |||
| policy | POLICY_VIOLATION | ||
| Scan | SCAN_UNCATEGORIZED | ||
| Scan | DATA_AT_REST | ||
| Search | GENERIC_EVENT | ||
| Security | TRUE | ||
| Sharing | GENERIC_EVENT | ||
| Storage | FILE_UNCATEGORIZED | ||
| Update user | USER_UNCATEGORIZED | ||
| Viewed | GENERIC_EVENT |
Log Sample¶
{
"access_method": "Client",
"action": "block",
"activity": "Browse",
"alert": "yes",
"app_session_id": appsess,
"browser": "unknown",
"browser_session_id": browssess,
"count": 1,
"device": "Windows Device",
"device_classification": "managed",
"dst_country": "country",
"dst_location": "loc",
"dst_region": "region",
"dst_timezone": "tz",
"dst_zipcode": "zip",
"dstip": "10.221.217.124",
"hostname": "hostname1",
"managed_app": "no",
"netskope_pop": "pop",
"notify_template": "4.html",
"os": "Windows 10",
"os_version": "Windows 10",
"page": "page",
"page_site": "site",
"policy": "WEB - Security Categorical Block",
"protocol": "HTTP\/1.1",
"site": "site",
"src_country": "US",
"src_location": "loc",
"src_region": "reg",
"src_time": "Fri Aug 6 19:57:08 2021",
"src_timezone": "timezone",
"src_zipcode": "zipcode",
"srcip": "10.190.56.70",
"sv": "unknown",
"telemetry_app": "",
"timestamp": 1628294273,
"traffic_type": "Web",
"transaction_id": -trnid,
"type": "nspolicy",
"url": "page",
"user": "john.doe@domain.com",
"userip": "192.168.4.43",
"organization_unit": "",
"nsdeviceuid": "devuid",
"managementID": "",
"userkey": "john.doe@domain.com",
"ur_normalized": "john.doe@domain.com",
"ccl": "unknown",
"acked": "false",
"alert_type": "policy",
"alert_name": "WEB - Security Categorical Block",
"category": "Security Risk - Company (aggregated)",
"_insertion_epoch_timestamp": 1628294574,
"_id": "id",
"other_categories": [
"Parked Domains",
"Security Risk - Company (aggregated)"
],
"page_id": 0,
"appcategory": "Security Risk - Company (aggregated)"
}
Sample Parsing¶
metadata.product_log_id = "id"
metadata.event_timestamp = "2021-08-07T00:02:54Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Netskope"
metadata.product_name = "Alert"
metadata.product_event_type = "Browse"
metadata.ingested_timestamp = "2021-08-07T20:03:53.948452Z"
principal.hostname = "hostname1"
principal.user.userid = "john.doe@domain.com"
principal.platform = "WINDOWS"
principal.ip = "192.168.4.43"
principal.platform_version = "Windows 10"
principal.location.city = "loc"
principal.location.state = "reg"
principal.location.country_or_region = "US"
target.ip = "10.221.217.124"
target.url = "site"
target.location.city = "loc"
target.location.state = "region"
target.location.country_or_region = "country"
observer.hostname = "pop"
observer.application = "Security Risk - Company (aggregated)"
security_result.category = "POLICY_VIOLATION"
security_result.rule_name = "WEB - Security Categorical Block"
security_result.summary = "WEB - Security Categorical Block"
security_result.action = "BLOCK"
security_result.severity = "HIGH"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.priority = "HIGH_PRIORITY"
security_result.alert_state = "ALERTING"
network.application_protocol = "HTTP"
network.http.referral_url = "site"
network.http.user_agent = "unknown "
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.
Rules¶
Coming Soon