Netskope (Deprecated)
This Integration is part of the Netskope Pack.
Deprecated. Use Netskope (API v1) instead.
Use the Netskope integration to manage your Netskope events and alerts.
This integration was integrated and tested with Netskope v51.
Prerequisites
You need to obtain the following Netskope information.
- Netskope tenant URL
- Tenant API token
Configure the Netskope Integration on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Netskope.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- URL of Netskope Tenant: for example, https://tenant.goskope.com
- Tenant API Token: paste the token that you copied.
- Do not validate server certificate (unsecure)
- Use system proxy settings
- Click Test to validate the URLs and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Get Netskope events: netskope-events
Retrieve events from your Netskope environment.
Command Example
!netskope-events type=application timeperiod=Last24Hours
Input
| Input Parameter | Description |
| --- | --- |
| query | Filter query, for example, foo@test.com |
| timeperiod | Query time period (for example, last 60 minutes, last 24 hours) |
| starttime | Query start time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z) |
| endtime | Query end time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z) |
| type | Event type |
| limit | Maximum number of events returned (useful for pagination in combination with skip). Must be an integer less than 5,000. |
| skip | Skip over specific events (useful for pagination in combination with limit) |
Context Output
| Path | Description |
| --- | --- |
| Netskope.Events.App | Application name |
| Netskope.Events.Timestamp | Event timestamp |
| Netskope.Events.Activity | Event activity |
| Netskope.Events.Object | Document/object from the event |
| Netskope.Events.hostname | Device hostname |
| Netskope.Events.AppCategory | Netskope application category (for example, Cloud Storage, Webmail, and so on) |
| Netskope.Events.device_classification | Device classification (for example, managed vs. unmanaged) |
| Netskope.Events.User | User |
| Netskope.Events.from_user | Login IDs for cloud applications |
| Netskope.Events.to_user | Destination user IDs |
| Netskope.Events.SourceIP | Source IP |
| Netskope.Events.AccessMethod | Access method (for example, client, reverse proxy, Secure Forwarder, and so on) |
| Netskope.Events.url | URL |
| Netskope.Events.ID | Event ID |
Raw Output
{
  "AccessMethod": "API Connector",
  "Activity": "HeadBucket",
  "App": "Amazon Web Services",
  "AppCategory": "IaaS/PaaS",
  "DeviceClassification": null,
  "FromUser": null,
  "Hostname": null,
  "ID": "1382a493090c36ba14bfc2bc",
  "Object": "nstrail",
  "SourceIP": "8.36.116.16",
  "Timestamp": "Mon May 21 2018 13:26:30 GMT+0300 (IDT)",
  "ToUser": null,
  "URL": null,
  "User": "assumed-role/ctaudit/AssumeRoleSession1"
}
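As an added example (not code from the integration itself), a Python helper that applies the netskope-events argument rules described above: it accepts both starttime/endtime forms (epoch timestamp or dd-mm-yyyyTHH:MM:SSZ), enforces the limit bound, and walks the skip/limit window to collect every page. The fetch_page callable and the sample events are constructed stand-ins, not the Netskope API.

```python
import re
from datetime import datetime, timezone

# Argument format documented for netskope-events: an epoch timestamp or dd-mm-yyyyTHH:MM:SSZ.
_TS_RE = re.compile(r"^\d{2}-\d{2}-\d{4}T\d{2}:\d{2}:\d{2}Z$")
MAX_LIMIT = 5000  # the command requires an integer limit below 5,000


def parse_netskope_time(value: str) -> int:
    """Return epoch seconds (UTC) for either accepted form of starttime/endtime."""
    if value.isdigit():
        return int(value)
    if not _TS_RE.match(value):
        raise ValueError(f"bad time argument: {value!r}")
    parsed = datetime.strptime(value, "%d-%m-%YT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def validate_events_args(args: dict) -> dict:
    """Normalise netskope-events arguments and reject values the command would not accept."""
    out = {k: args[k] for k in ("type", "query", "timeperiod") if k in args}
    for key in ("starttime", "endtime"):
        if key in args:
            out[key] = parse_netskope_time(args[key])
    if "starttime" in out and "endtime" in out and out["starttime"] > out["endtime"]:
        raise ValueError("starttime is after endtime")
    limit = int(args.get("limit", 100))
    if not 0 < limit < MAX_LIMIT:
        raise ValueError(f"limit must be an integer between 1 and {MAX_LIMIT - 1}")
    out["limit"], out["skip"] = limit, int(args.get("skip", 0))
    return out


def fetch_all_events(fetch_page, args: dict) -> list:
    """Page through results with skip/limit until a page comes back short (the last one)."""
    collected, params = [], dict(args)
    while True:
        page = fetch_page(params)
        collected.extend(page)
        if len(page) < params["limit"]:
            return collected
        params["skip"] += params["limit"]


# Constructed stand-in for the integration's API call (hypothetical data, not real Netskope
# output): seven events served one skip/limit window at a time.
_SAMPLE_EVENTS = [{"ID": f"evt-{i}", "App": "Amazon Web Services", "Activity": "HeadBucket"}
                  for i in range(7)]


def fake_fetch_page(params: dict) -> list:
    return _SAMPLE_EVENTS[params["skip"]:params["skip"] + params["limit"]]
```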
2. Get Netskope alerts: netskope-alerts
Retrieve alerts from your Netskope environment.
Command Example
!netskope-alerts type=Malware timeperiod=Last60Days
Input
| Input Parameter | Description |
| --- | --- |
| type | Alert type |
| timeperiod | Query time period (for example, last 60 minutes, last 24 hours) |
| starttime | Query start time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z) |
| endtime | Query end time: timestamp or dd-mm-yyyyTHH:MM:SSZ (e.g., 31-12-1999T11:59:59Z) |
| query | Valid event query described in the query language document |
Context Output
| Path | Description |
| --- | --- |
| Netskope.Alerts.App | Application name |
| Netskope.Alerts.Timestamp | Alert timestamp |
| Netskope.Alerts.Policy | Name of policy triggered |
| Netskope.Alerts.DLPFile | Name of DLP file that triggered |
| Netskope.Alerts.Hostname | Hostname |
| Netskope.Alerts.ID | Alert ID |
Raw Output
{
  "App": "Microsoft Office 365 OneDrive for Business",
  "DLPFile": null,
  "DLPProfile": null,
  "Hostname": "Ashutosh’s MacBook Pro",
  "ID": "f95e5638432f538365d5b256",
  "Policy": null,
  "Timestamp": "Mon May 21 2018 13:29:34 GMT+0300 (IDT)"
}