Netskope Event Collector

This Integration is part of the Netskope Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.

Configure Netskope Event Collector on Cortex XSIAM

1. Navigate to Settings > Integrations > Servers & Services.

2. Search for Netskope Event Collector.

3. Click Add instance to create and configure a new integration instance.

   Parameter	Description	Required
   Server URL		True
   API token		True
   Trust any certificate (not secure)		False
   Use system proxy settings		False
   Max events per fetch	The maximum amount of events to retrieve per each event type. For more information about event types see the help section.	False

4. Click Test to validate the URLs, token, and connection.

Fetch Events Limitation

The collector can handle 10K events per minute on average per each event type

Commands

You can execute these commands from the Cortex XSIAM CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

netskope-get-events

---

Returns events extracted from SaaS traffic and or logs.

Base Command

netskope-get-events

Input

Argument Name	Description	Required
limit	The maximum number of alerts to return (maximum value - 10000).	Optional
should_push_events	Set this argument to True in order to create events, otherwise the command will only display them.	Optional

Context Output

There is no context output for this command.

Command example

!netskope-get-events limit=1

Context Example

{

"Netskope": {

"Event": [

{

"_category_id": "8",

"_correlation_id": "c66ef426-b403-4be5-8052-05d2c81ed321",

"_ef_received_at": 1658102836562,

"_event_id": "bd1074e2-fcbc-4c02-98f1-357aeb57f6c8",

"_forwarded_by": "service-event-forwarder",

"_gef_src_dp": "NL-AAA",

"_id": "23a372c433381a6a11798123",

"_insertion_epoch_timestamp": 1658102843,

"_raw_event_inserted_at": 1658102836720,

"_service_identifier": "service-test",

"access_method": "API Connector",

"acked": "false",

"action": "anomaly_detection",

"activity": "Login Successful",

"alert": "yes",

"alert_id": "62d4a3c35b8bdd69ad5e1234",

"alert_name": "Alert Name",

"alert_type": "test",

"anomalyData": {

"_t": "CategoricalModeling",

"binCount": 6,

"convergenceFactor": 0.9863013699,

"featureValue": "1.1.1.1",

"histo": [

{

"bin": "2.2.2.2",

"count": 205

},

{

"bin": "3.3.3.3",

"count": 30

},

{

"bin": "4.4.4.4",

"count": 1

}

],

"modelId": "test",

"observationCount": 0,

"percentileThresholdCount": 6,

"probability": 0,

"sampleCount": 438,

"scope": "User"

},

"anomaly_type": "test-type",

"app": "Microsoft Office 365 Sharepoint Online",

"appcategory": "Collaboration",

"category": "Collaboration",

"cci": 91,

"ccl": "excellent",

"count": 1,

"createdTime": "2022-07-18 00:05:23.321000",

"event_type": "alert",

"instance_id": "test-instance",

"organization_unit": "test",

"other_categories": [],

"score": 75,

"severity": "Low",

"site": "Microsoft Office 365 Sharepoint Sites",

"src_country": "PH",

"src_geoip_src": 2,

"src_latitude": 456.789,

"src_location": "Test",

"src_longitude": 123.456,

"src_region": "Province of Somewhere",

"src_zipcode": "1234",

"srcip": "6.6.6.6",

"timestamp": "2022-07-17T23:48:52.000Z",

"traffic_type": "CloudApp",

"type": "nspolicy",

"ur_normalized": "test@test.com",

"user": "test@test.com",

"userkey": "test@test.com",

"windowId": 1658016000000

},

{

"_category_id": "8",

"_correlation_id": "57e53633-3eb9-4055-9e84-07de4c367347",

"_ef_received_at": 1656449549192,

"_event_id": "7dc94895-fe14-456d-b9c8-0a7f0dac5064",

"_forwarded_by": "service-event-forwarder",

"_gef_src_dp": "ABCD",

"_id": "9f806593aa4385e4fc14865c",

"_insertion_epoch_timestamp": 1656449557,

"_raw_event_inserted_at": 1656449549850,

"_service_identifier": "service-introspection",

"_session_begin": 1,

"access_method": "API Connector",

"activity": "Login Successful",

"alert": "no",

"app": "Microsoft Office 365 Sharepoint Online",

"app_activity": "UserLoggedIn",

"app_session_id": 6162799428773683,

"appcategory": "Collaboration",

"browser": "unknown",

"category": "Collaboration",

"cci": 91,

"ccl": "excellent",

"count": 1,

"device": "Other",

"dst_latitude": "",

"dst_longitude": "",

"event_type": "application",

"from_user": "test@test.com",

"instance_id": "some-instance",

"netskope_activity": "False",

"object": "test@test.com",

"object_id": "test@test.com",

"object_type": "User",

"organization_unit": "test",

"os": "unknown",

"other_categories": [],

"site": "Microsoft Office 365 Sharepoint Sites",

"src_country": "PH",

"src_geoip_src": 2,

"src_latitude": 456,

"src_location": "test",

"src_longitude": 123,

"src_region": "Province of Test",

"src_zipcode": "1234",

"srcip": "2.2.2.2",

"timestamp": "2022-06-28T16:59:15.000Z",

"traffic_type": "CloudApp",

"type": "nspolicy",

"ur_normalized": "test@test.com",

"user": "test@test.com",

"userip": "2.2.2.2",

"userkey": "test@test.com"

},

{

"_id": "efac69202c964c91fd59bcb9",

"_insertion_epoch_timestamp": 1658331170,

"audit_log_event": "Client Disable Request Submitted",

"ccl": "unknown",

"count": 1,

"event_type": "audit",

"organization_unit": "test",

"severity_level": 1,

"supporting_data": {

"data_type": "hostname",

"data_values": "HAMRGBCNX147"

},

"timestamp": "2022-07-20T15:27:50.000Z",

"type": "admin_audit_logs",

"ur_normalized": "test@test.com",

"user": "test@test.com"

},

{

"_correlation_id": "5f3e3987-115c-4fed-9c5e-f69e184069af",

"_ef_received_at": 1657742097188,

"_event_id": "bd3de3e3-378e-4e01-ba8d-a5d72565bde7",

"_forwarded_by": "msg-relayer",

"_gef_src_dp": "IN-AAA1",

"_id": "e03cf756afc2a707666fcbc0",

"_insertion_epoch_timestamp": 1657742104,

"_raw_event_inserted_at": 1657742097698,

"_service_identifier": "service-npa",

"_tenant_id": "test-tenant",

"access_method": "Client",

"action": "allow",

"app": "[CS SEG's]",

"appcategory": "n/a",

"category": "",

"cci": 0,

"ccl": "unknown",

"client_bytes": 1593,

"client_packets": 13,

"count": 1,

"device": "Windows",

"dsthost": "8.8.8.8",

"dstip": "",

"dstport": 443,

"end_time": "2022-07-13T19:53:02+00:00",

"event_type": "network",

"hostname": "L-101861180",

"ip_protocol": "TCP",

"netskope_pop": "IN-AAA1",

"network_session_id": "12345678",

"num_sessions": 1,

"numbytes": 2387,

"organization_unit": "test",

"os": "Windows",

"os_version": "10.0 (2009)",

"policy": "Netskope Private Apps Allowed",

"protocol": "Http",

"protocol_port": "TCP:443",

"publisher_cn": "abcd1234",

"publisher_name": "test",

"server_bytes": 794,

"server_packets": 11,

"session_duration": 23461,

"site": "1.1.1.1",

"srcip": "",

"srcport": 447,

"start_time": "2022-07-13T19:52:51+00:00",

"timestamp": "2022-07-13T19:54:57.000Z",

"total_packets": 24,

"traffic_type": "PrivateApp",

"tunnel_id": "1150",

"tunnel_type": "NPA",

"tunnel_up_time": 23461,

"type": "network",

"ur_normalized": "test@test.com",

"user": "test@test.com",

"userip": "",

"userkey": "test@test.com"

}

]

}

}

Human Readable Output

Events List:

Id	Timestamp	Type	Access Method	App	Traffic Type
23a372c433381a6a11798123	2022-07-17T23:48:52.000Z	nspolicy	API Connector	Microsoft Office 365 Sharepoint Online	CloudApp
9f806593aa4385e4fc14865c	2022-06-28T16:59:15.000Z	nspolicy	API Connector	Microsoft Office 365 Sharepoint Online	CloudApp
efac69202c964c91fd59bcb9	2022-07-20T15:27:50.000Z	admin_audit_logs
e03cf756afc2a707666fcbc0	2022-07-13T19:54:57.000Z	network	Client	[CS SEG's]	PrivateApp