
Netskope Event Collector

This integration is part of the Netskope Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Configure Netskope Event Collector on Cortex XSIAM#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Netskope Event Collector.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL | | True |
    | API token | | True |
    | API Version | The API version to use (v1 or v2). | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | First fetch timestamp (&lt;number&gt; &lt;time unit&gt;, e.g., 12 hours, 7 days) | | False |
    | Max events per fetch | The maximum number of events to retrieve (up to 30000 events). | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSIAM CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

netskope-get-events#


Returns events extracted from SaaS traffic and/or logs.

Base Command#

netskope-get-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of alerts to return (maximum value: 10000). | Optional |
| should_push_events | Set this argument to True to create events; otherwise the command only displays them. | Optional |

Context Output#

There is no context output for this command.

Command example#

!netskope-get-events limit=1

Context Example#

{
"Netskope": {
"Event": [
{
"_category_id": "8",
"_correlation_id": "c66ef426-b403-4be5-8052-05d2c81ed321",
"_ef_received_at": 1658102836562,
"_event_id": "bd1074e2-fcbc-4c02-98f1-357aeb57f6c8",
"_forwarded_by": "service-event-forwarder",
"_gef_src_dp": "NL-AAA",
"_id": "23a372c433381a6a11798123",
"_insertion_epoch_timestamp": 1658102843,
"_raw_event_inserted_at": 1658102836720,
"_service_identifier": "service-test",
"access_method": "API Connector",
"acked": "false",
"action": "anomaly_detection",
"activity": "Login Successful",
"alert": "yes",
"alert_id": "62d4a3c35b8bdd69ad5e1234",
"alert_name": "Alert Name",
"alert_type": "test",
"anomalyData": {
"_t": "CategoricalModeling",
"binCount": 6,
"convergenceFactor": 0.9863013699,
"featureValue": "1.1.1.1",
"histo": [
{
"bin": "2.2.2.2",
"count": 205
},
{
"bin": "3.3.3.3",
"count": 30
},
{
"bin": "4.4.4.4",
"count": 1
}
],
"modelId": "test",
"observationCount": 0,
"percentileThresholdCount": 6,
"probability": 0,
"sampleCount": 438,
"scope": "User"
},
"anomaly_type": "test-type",
"app": "Microsoft Office 365 Sharepoint Online",
"appcategory": "Collaboration",
"category": "Collaboration",
"cci": 91,
"ccl": "excellent",
"count": 1,
"createdTime": "2022-07-18 00:05:23.321000",
"event_type": "alert",
"instance_id": "test-instance",
"organization_unit": "test",
"other_categories": [],
"score": 75,
"severity": "Low",
"site": "Microsoft Office 365 Sharepoint Sites",
"src_country": "PH",
"src_geoip_src": 2,
"src_latitude": 456.789,
"src_location": "Test",
"src_longitude": 123.456,
"src_region": "Province of Somewhere",
"src_zipcode": "1234",
"srcip": "6.6.6.6",
"timestamp": "2022-07-17T23:48:52.000Z",
"traffic_type": "CloudApp",
"type": "nspolicy",
"ur_normalized": "test@test.com",
"user": "test@test.com",
"userkey": "test@test.com",
"windowId": 1658016000000
},
{
"_category_id": "8",
"_correlation_id": "57e53633-3eb9-4055-9e84-07de4c367347",
"_ef_received_at": 1656449549192,
"_event_id": "7dc94895-fe14-456d-b9c8-0a7f0dac5064",
"_forwarded_by": "service-event-forwarder",
"_gef_src_dp": "ABCD",
"_id": "9f806593aa4385e4fc14865c",
"_insertion_epoch_timestamp": 1656449557,
"_raw_event_inserted_at": 1656449549850,
"_service_identifier": "service-introspection",
"_session_begin": 1,
"access_method": "API Connector",
"activity": "Login Successful",
"alert": "no",
"app": "Microsoft Office 365 Sharepoint Online",
"app_activity": "UserLoggedIn",
"app_session_id": 6162799428773683,
"appcategory": "Collaboration",
"browser": "unknown",
"category": "Collaboration",
"cci": 91,
"ccl": "excellent",
"count": 1,
"device": "Other",
"dst_latitude": "",
"dst_longitude": "",
"event_type": "application",
"from_user": "test@test.com",
"instance_id": "some-instance",
"netskope_activity": "False",
"object": "test@test.com",
"object_id": "test@test.com",
"object_type": "User",
"organization_unit": "test",
"os": "unknown",
"other_categories": [],
"site": "Microsoft Office 365 Sharepoint Sites",
"src_country": "PH",
"src_geoip_src": 2,
"src_latitude": 456,
"src_location": "test",
"src_longitude": 123,
"src_region": "Province of Test",
"src_zipcode": "1234",
"srcip": "2.2.2.2",
"timestamp": "2022-06-28T16:59:15.000Z",
"traffic_type": "CloudApp",
"type": "nspolicy",
"ur_normalized": "test@test.com",
"user": "test@test.com",
"userip": "2.2.2.2",
"userkey": "test@test.com"
},
{
"_id": "efac69202c964c91fd59bcb9",
"_insertion_epoch_timestamp": 1658331170,
"audit_log_event": "Client Disable Request Submitted",
"ccl": "unknown",
"count": 1,
"event_type": "audit",
"organization_unit": "test",
"severity_level": 1,
"supporting_data": {
"data_type": "hostname",
"data_values": "HAMRGBCNX147"
},
"timestamp": "2022-07-20T15:27:50.000Z",
"type": "admin_audit_logs",
"ur_normalized": "test@test.com",
"user": "test@test.com"
},
{
"_correlation_id": "5f3e3987-115c-4fed-9c5e-f69e184069af",
"_ef_received_at": 1657742097188,
"_event_id": "bd3de3e3-378e-4e01-ba8d-a5d72565bde7",
"_forwarded_by": "msg-relayer",
"_gef_src_dp": "IN-AAA1",
"_id": "e03cf756afc2a707666fcbc0",
"_insertion_epoch_timestamp": 1657742104,
"_raw_event_inserted_at": 1657742097698,
"_service_identifier": "service-npa",
"_tenant_id": "test-tenant",
"access_method": "Client",
"action": "allow",
"app": "[CS SEG's]",
"appcategory": "n/a",
"category": "",
"cci": 0,
"ccl": "unknown",
"client_bytes": 1593,
"client_packets": 13,
"count": 1,
"device": "Windows",
"dsthost": "8.8.8.8",
"dstip": "",
"dstport": 443,
"end_time": "2022-07-13T19:53:02+00:00",
"event_type": "network",
"hostname": "L-101861180",
"ip_protocol": "TCP",
"netskope_pop": "IN-AAA1",
"network_session_id": "12345678",
"num_sessions": 1,
"numbytes": 2387,
"organization_unit": "test",
"os": "Windows",
"os_version": "10.0 (2009)",
"policy": "Netskope Private Apps Allowed",
"protocol": "Http",
"protocol_port": "TCP:443",
"publisher_cn": "abcd1234",
"publisher_name": "test",
"server_bytes": 794,
"server_packets": 11,
"session_duration": 23461,
"site": "1.1.1.1",
"srcip": "",
"srcport": 447,
"start_time": "2022-07-13T19:52:51+00:00",
"timestamp": "2022-07-13T19:54:57.000Z",
"total_packets": 24,
"traffic_type": "PrivateApp",
"tunnel_id": "1150",
"tunnel_type": "NPA",
"tunnel_up_time": 23461,
"type": "network",
"ur_normalized": "test@test.com",
"user": "test@test.com",
"userip": "",
"userkey": "test@test.com"
}
]
}
}

Human Readable Output#

Events List:#

| Id | Timestamp | Type | Access Method | App | Traffic Type |
| --- | --- | --- | --- | --- | --- |
| 23a372c433381a6a11798123 | 2022-07-17T23:48:52.000Z | nspolicy | API Connector | Microsoft Office 365 Sharepoint Online | CloudApp |
| 9f806593aa4385e4fc14865c | 2022-06-28T16:59:15.000Z | nspolicy | API Connector | Microsoft Office 365 Sharepoint Online | CloudApp |
| efac69202c964c91fd59bcb9 | 2022-07-20T15:27:50.000Z | admin_audit_logs | | | |
| e03cf756afc2a707666fcbc0 | 2022-07-13T19:54:57.000Z | network | Client | [CS SEG's] | PrivateApp |