Netskope¶
About¶
Netskope delivers a modern cloud security stack, with unified capabilities for data and threat protection, plus secure private access. Use Netskope to understand your cloud risks and safely enable the cloud and web with granular policy controls for all users, locations, and devices. Automatically stop known or suspected threats, with options to alert, block, or quarantine ยท Leverage automated policies and workflows for real-time response.
Product Details¶
Vendor URL: Netskope
Product Type: Alert
Product Tier: Tier I
Integration Method: Custom
Integration URL: Netskope - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON, KV, CSV
Expected Normalization Rate: 90-100%
Data Label: NETSKOPE_CASB
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| clientBytes | additional.fields |
| clientPackets | additional.fields |
| device | principal.platform |
| dpt | principal.user.department |
| dst | target.hostname |
| from_user | principal.user.email_addresses |
| hostname | principal.hostname |
| instance | principal.hostname |
| instance_id | network.http.referral_url |
| malware_id | security_result.threat_id |
| malware_name | security_result.threat_name |
| malware_type | security_result.rule_type |
| matched_username | security_result.detection_fields.value |
| md5 | target.file.md5 |
| networkSessionId | network.session_id |
| netskope_pop | observer.hostname |
| ns_detection_name | security_result.rule_name |
| object | target.file.full_path |
| organization_unit | network.http.referral_url |
| os | principal.platform |
| osVersion | principal.platform_version |
| page | network.http.referral_url |
| policy | security_result.rule_name |
| proto | network.application_protocol |
| protocol | network.application_protocol |
| referer | network.http.referral_url |
| requestClientApplication | target.application |
| requestMethod | network.http.method |
| serverBytes | additional.fields |
| serverPackets | additional.fields |
| sessionDuration | network.session_duration.seconds |
| sha256 | target.file.sha256 |
| shared_credential_user | target.user.userid |
| shared_with | target.user.email_addresses |
| src_country | principal.location.country_or_region |
| src_ip | principal.nat_ip |
| src_location | principal.location.city |
| src_region | principal.location.state |
| spt | principal.port |
| src | principal.ip |
| suser | principal.user.userid |
| to_user | target.user.email_addresses |
| trafficType | extensions.auth.details |
| tunnelId | additional.fields |
| tunnelType | additional.fields |
| tunnelUpTime | additional.fields |
| url | target.url |
| user | principal.user.userid |
| userip | principal.ip |
Product Event Types¶
| Event | UDM Event Classification | Security Category | alerting enabled |
|---|---|---|---|
| Added | GENERIC_EVENT | ||
| Compromised Credential | GENERIC_EVENT | ||
| Device | GENERIC_EVENT | ||
| DLP | DATA_AT_REST,DATA_EXFILTRATION | ||
| Edit | GENERIC_EVENT | ||
| Exploit | EXPLOIT | TRUE | |
| File | FILE_UNCATEGORIZED | ||
| High | TRUE | ||
| Link | GENERIC_EVENT | ||
| Login | USER_LOGIN | AUTH_VIOLATION | |
| Low | |||
| EMAIL_TRANSACTION | |||
| malsite | POLICY_VIOLATION | ||
| Malware | SOFTWARE_MALICIOUS | TRUE | |
| Medium | |||
| policy | POLICY_VIOLATION | ||
| Scan | SCAN_UNCATEGORIZED | ||
| Scan | DATA_AT_REST | ||
| Search | GENERIC_EVENT | ||
| Security | TRUE | ||
| Sharing | GENERIC_EVENT | ||
| Storage | FILE_UNCATEGORIZED | ||
| Update user | USER_UNCATEGORIZED | ||
| Viewed | GENERIC_EVENT |
Log Sample¶
<14>Apr 01 21:10:01 netskopece CEF:0|Netskope|Acme|NULL|network|NULL|Unknown|action=allow cci=null ccl=unknown clientBytes=747 clientPackets=9 device=Windows dpt=999 dst=null end=2024-04-01T21:11:10+00:00 networkSessionId=8946374238613143169 os=Windows osVersion=10.0.19044 policy=private-app-discovery proto=Other requestClientApplication=[Netskope_Discovery_App] requestMethod=Client serverBytes=2962 serverPackets=8 sessionDuration=122340 shost=null sourceServiceName=acme.com spt=0 src=null start=2024-04-01T21:10:09+00:00 suser=john.smith@acme.com timestamp=1712005990 trafficType=PrivateApp tunnelId=34884 tunnelType=NPA tunnelUpTime=122340
Sample Parsing¶
metadata.event_type = NETWORK_CONNECTION
metadata.vendor_name = "Netskope"
metadata.product_name = "Alert"
metadata.additional.fields.key = "clientPackets"
metadata.additional.fields.value.string_value = "9"
metadata.additional.fields.key = "trafficType"
metadata.additional.fields.string_value = "PrivateApp"
metadata.additional.fields.key = "tunnelId"
metadata.additional.fields.string_value = "34884"
metadata.additional.fields.key = "tunnelType"
metadata.additional.fields.string_value = "NPA"
metadata.additional.fields.key = "tunnelUpTime"
metadata.additional.fields.string_value = "122340"
principal.hostname = "null"
principal.user.userid = "john.smith@acme.com"
principal.user.department = "999"
principal.platform = WINDOWS
principal.platform_version = "10.0.19044"
target.hostname = "null"
target.application = "[Netskope_Discovery_App]"
observer.hostname = "acme.com"
security_result.rule_name = "private-app-discovery"
network.sent_bytes = 747
network.session_duration.seconds = 122340
network.session_id = "8946374238613143169"
network.http.method = "Client"
network.http.referral_url = "999"
extensions.auth.auth_details = "PrivateApp"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.