Can you send me all Netskope log data in Microsoft Sentinel?

  • 7 January 2023

If you work with Security Architects, SOC Engineers, or SOC Analysts, all of them will tell you one thing: “Send me ‘ALL’ the logs!” because their ability to find threats or investigate incidents is reduced without the log data, or if the required log data is dispersed across various log data stores. If your chosen partner for cloud is Microsoft, then they will also tell you one more thing: “Send it to Microsoft Sentinel!” If you happen to be the person responsible for fetching these logs from Netskope, then it’s okay to get the feeling that the whole world is working towards making your life difficult. I can tell you one thing – I’m not one of them, so let me explain why I think I’m the angel 👼 out there to save you ....!

Let’s get some fundamentals out of our way:

  • Cloud Exchange – it’s our integration platform to enable third party partner integrations. Packaged as a multi-container application.
  • Modules - Cloud Exchange (CE) comes with four primary modules: Log Shipper, Ticket Orchestrator, Threat Exchange, and Risk Exchange.
  • Plug-ins – Cloud Exchange has individual plugins that leverage functionality provided by 3rd-party partners.
  • Log Types – Depending on what features are licensed and used by you inside your Netskope tenant, there are four types of logs: Network Events, Application Events, Security Alerts, and Web Transactions.
    • Network Events - Provide insight into cloud firewall and network private access events.
    • Application Events - Provide insight into application usage, specifically by devices, users, and traffic patterns.
    • Security Alerts - Provide visibility into security incidents and violations and the ability to identify the effects of a breach.
    • Web Transactions - Provide granular information about the web sites that users have accessed.

At the high level this is what you will do to send the logs to Microsoft Sentinel:

  • Deploy Cloud Exchange
  • Add Netskope tenant details and enable log shipper module
  • Configure Netskope tenant plugin for Cloud Log shipper
  • Configure Microsoft Sentinel plug-in

Okay, so the first thing you want to settle on is where you should deploy Cloud Exchange. You can deploy Cloud Exchange on a Virtual Machine with Docker engine. Your deployment choice will depend on your overall architecture and design, requirements and in-house expertise. From the lens of the Microsoft Cloud Adoption Framework and Azure Landing Zones – Cloud Exchange belongs in the “Management” Subscription. To help you with this deployment, I have created a few Infrastructure as Code (IaC) templates using Terraform that are available on Netskope’s public GitHub repositories. Who doesn’t like flexibility or choices? So I have provided quite a few IaC templates for you to pick from depending on your situation.

These two templates use Terraform base code and help you with the deployment (i.e., deployment on a VM – each repo comes with a readme file with instructions …)

Cloud Exchange (VM) Deployment into an existing Virtual Network  

Cloud Exchange (VM) into a new Virtual Network  

Here is a video walkthrough of this deployment using one of the templates.


With the deployment of Cloud Exchange done, you are ready to add Netskope tenant details and enable modules and plug-ins. For the “Modules” you will enable the Cloud Exchange “Log Shipper” module, as the name suggests, and for the plug-ins you will use the Netskope, Netskope WebTX (only needed if you want them) and Microsoft Azure Sentinel plug-ins – You may have noticed by now that we are very creative when it comes to naming the plugins 😊

For the thinking mind, you may wonder: can’t we just have one plug-in to do all this? Probably we could have, but by decoupling we can use and reference the common plug-ins in multiple ways. I digress a little … back to the topic: the product documentation provides step-by-step instructions for these steps, so I won’t repeat it – check out these links on how to perform these steps:

This is all that is needed to send the logs from Netskope to Microsoft Sentinel, but as I said earlier, I’m here to make your life easier, so let me share another item while we are discussing log data. These will give you some “brownie” points with your SOC team members for sure!

Having all the logs available inside your SIEM solution (Microsoft Sentinel) is good, but wouldn’t it be nice to have these logs parsed to provide valuable insights and comprehensive monitoring of Netskope log data? This will give you a starting point to know what is happening inside your Netskope environment.

Security operations teams love dashboards, and visual representation of log data, showing trends over time, and detecting anomalies are essential for their daily work. Microsoft Sentinel has a concept of “Workbooks” which allows you to do all those things. The good news is that I have done the hard work already and have published a Netskope workbook as a Microsoft Sentinel Gallery Item – just search “Netskope” inside your Microsoft Sentinel under Workbook Templates to find it.

All you have to do to consume it is hit the “Save” button and that’s it. Once the logs start flowing into your Microsoft Sentinel Log Analytics Workspace, the Netskope workbook will be able to parse your log data to produce various dashboards – 10 in total. You will be able to get visibility into your Netskope Security Cloud and quickly identify threats, anomalies, traffic patterns, cloud application usage, blocked URL addresses and more.

Here are all the screenshots from this workbook.


Security Alerts are then further grouped based on their categories.

Are you still not convinced, even after seeing all the screenshots, that it's a good start for any SOC analyst? Well, the workbook is fully customizable, so feel free to edit these widgets and produce further insights as you require, and do share with the Netskope community; after all, “Sharing is Caring” and I’m sure I can pass the credit to you in our next release of the workbook. Wait, what if I tell you “One More Thing…” to change your mind?

Steve Jobs (may his soul rest in peace) famously said: "Picasso had a saying: 'good artists copy; great artists steal'", so it’s my intent to steal the line from Steve Jobs’ keynotes.

As you may be aware, Microsoft Sentinel has a concept of “Playbooks”, which are collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident. Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps. Think of it as Security Orchestration, Automation and Response (SOAR). I have created a Netskope Playbook that provides an integrated solution and allows your SOC to leverage automation to add malicious URLs to Netskope as a response to Microsoft Sentinel incidents. You can start automating the blocking of these URLs with minimal configuration and effort, and this is extremely useful when a Microsoft Sentinel Incident identifies malicious URL communication and you want to quickly add it to your Netskope URL block list, hence accelerating detection of URLs that should be blacklisted. The playbook is available at Microsoft’s “GitHub” Repository Here


Well, this was a long post, folks, and I hope you enjoyed reading it as much as I did writing it. This is all for now ... time to watch the Mosquito Coast season 2 finale.


4 replies


This is amazing 


This is great! However, I cannot seem to find the Workbook template in Azure. Can you link to it?


Hi @sbrunstrom, the workbook is published as a Microsoft Sentinel Gallery Item – if you search “Netskope” inside your Microsoft Sentinel under Workbook Templates, you will find it. Consuming the workbook doesn't require any template provisioning etc. It's just a click of a button to hit save and it will be added to your Sentinel. The screenshot titled "Microsoft Sentinel - Netskope Workbook" shows this step. HTH.


Team, below is a high-level summary of all the options we have right now for sending alerts, events and web transactions to Sentinel (Log Analytics).

Netskope Logs to Azure Sentinel / Azure Log Analytics

Netskope Alerts and Events

There are 3 options to get Alert and Event logs from Netskope to Azure Sentinel. All are viable options and should be considered based on customer VM/serverless requirements, number of users, amount of data, technical expertise, etc.

Option 1: Cloud Exchange

  • Preferred solution unless customer/environment prefers direct integrations
  • Simpler and more straightforward than Multi-Function Azure deployment
  • Requires VM (on-prem or in Azure)
  • Similar scale and speed as Azure Functions

Option 2: Single Function

  • “Netskope (using Azure Functions) connector for Microsoft Sentinel”
  • Built by Microsoft with best effort maintenance
  • Documentation needs to be updated
  • Use “Option 2 - Manual Deployment” until further notice.
  • When deploying, DO NOT USE the ARM template but rather paste the code directly from https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Netskope/Data%20Connectors/Netskope/AzureFunctionNetskope/run.ps1
  • Simple but not scalable (be careful with deployments over 1000 users)
  • Great for POV
  • Only good for small price conscious customers
  • Script runs every 5 minutes
  • Supports Netskope REST API v2 (uses legacy /data/ endpoints)
    • /api/v2/events/data/alert
    • /api/v2/events/data/application
    • /api/v2/events/data/audit
    • /api/v2/events/data/infrastructure
    • /api/v2/events/data/network
    • /api/v2/events/data/page


* Note: when manually deploying the single function, make sure you have all the environment variables correctly defined (CASE SENSITIVE).

Option 3: Multi-Function Highly Scalable

https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/netskope-data-connector 


  • “Netskope Data Connector (using Azure Functions) connector for Microsoft Sentinel”
  • Built and maintained by Netskope
  • Any real deployment that does not want to deploy a VM in their environment
  • Not cheap
  • Con: one function pulls from each Netskope log endpoint to a local storage blob. Another function reads and “garbage collects” the logs in the blob and uploads them to the Log Analytics table. This means there won't be any cost savings compared to a VM (storage costs).
  • Supports Netskope REST API v2 (uses modern /dataexport/ endpoints, but not all)
    • /api/v2/events/dataexport/compromisedcredential
    • /api/v2/events/dataexport/ctep
    • /api/v2/events/dataexport/dlp
    • /api/v2/events/dataexport/malsite
    • /api/v2/events/dataexport/malware
    • /api/v2/events/dataexport/policy
    • /api/v2/events/dataexport/quarantine
    • /api/v2/events/dataexport/remediation
    • /api/v2/events/dataexport/securityassessment
    • /api/v2/events/dataexport/uba
    • /api/v2/events/dataexport/application
    • /api/v2/events/dataexport/audit
    • /api/v2/events/dataexport/connection
    • /api/v2/events/dataexport/incident
    • /api/v2/events/dataexport/network
    • /api/v2/events/dataexport/page


Web Transaction Events (Event Streaming, WebTx)

There are 2 options to get Web Transaction Events from Netskope into Azure Sentinel. All are viable options and should be considered based on customer VM/serverless requirements, number of users, amount of data, technical expertise, etc.

Option 1: Cloud Exchange

Option 2: Azure Container Solution
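To make the "Option 2: Single Function" mechanics in the summary above concrete, here is an added example that is not Microsoft's run.ps1 script, Netskope's Cloud Exchange code, or anything from this thread: a minimal collector that pulls one 5-minute window from the six legacy /api/v2/events/data/ endpoints listed above and forwards the records to a Log Analytics custom table via the HTTP Data Collector API (SharedKey signing). The Netskope-Api-Token header, the starttime/endtime/limit/offset query parameters and the {"ok": 1, "result": [...]} response shape are assumptions about the Netskope v2 events API; the environment variable names are constructed, and the missing-variable check exists only because the thread notes that those names are case sensitive.

```python
# Added example: Netskope /data/ endpoints -> Log Analytics (not the thread's run.ps1).
import base64
import hashlib
import hmac
import json
import os
import time
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# The six legacy /data/ endpoints named in the thread.
EVENT_TYPES = ["alert", "application", "audit", "infrastructure", "network", "page"]
PAGE_SIZE = 10000            # records per request (assumed upper bound for /data/ endpoints)
POLL_WINDOW_SECONDS = 300    # the single-function script in the thread runs every 5 minutes
# Constructed environment variable names; the function host must define them exactly (case sensitive).
REQUIRED_SETTINGS = ["NETSKOPE_TENANT", "NETSKOPE_API_TOKEN", "WORKSPACE_ID", "WORKSPACE_KEY"]


def missing_settings(env):
    """Return the required settings absent from `env` (a dict such as os.environ)."""
    return sorted(name for name in REQUIRED_SETTINGS if not env.get(name))


def netskope_events_url(tenant, event_type, starttime, endtime, offset=0, limit=PAGE_SIZE):
    """URL for one page of /api/v2/events/data/<type>; times are epoch seconds (assumed params)."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unsupported event type: {event_type}")
    query = urllib.parse.urlencode(
        {"starttime": starttime, "endtime": endtime, "limit": limit, "offset": offset}
    )
    return f"https://{tenant}/api/v2/events/data/{event_type}?{query}"


def collect_all_pages(fetch_page, limit=PAGE_SIZE):
    """Walk offset-based pages until a short page arrives; fetch_page(offset) returns a list."""
    records, offset = [], 0
    while True:
        page = fetch_page(offset)
        records.extend(page)
        if len(page) < limit:
            return records
        offset += limit


def fetch_netskope_page(tenant, token, event_type, starttime, endtime, offset):
    """One HTTPS call to the tenant (network I/O, so it is not exercised by the tests)."""
    url = netskope_events_url(tenant, event_type, starttime, endtime, offset)
    req = urllib.request.Request(
        url, headers={"Netskope-Api-Token": token, "Accept": "application/json"}  # assumed header
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        body = json.load(resp)
    return body.get("result", [])  # assumed response shape {"ok": 1, "result": [...]}


def rfc1123(epoch_seconds):
    """x-ms-date value the Log Analytics Data Collector API expects (RFC 1123, UTC)."""
    dt = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return dt.strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_signature(workspace_id, shared_key_b64, date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """SharedKey Authorization header: HMAC-SHA256 over the canonical request string."""
    string_to_hash = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{date}\n{resource}"
    key = base64.b64decode(shared_key_b64)          # workspace primary key is base64 encoded
    digest = hmac.new(key, string_to_hash.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def tag_records(records, event_type):
    """Stamp each record with its source endpoint so one custom table can hold all six types."""
    return [dict(record, netskope_event_type=event_type) for record in records]


def post_to_log_analytics(workspace_id, shared_key_b64, log_type, records):
    """Ship a batch of JSON records; they land in the custom table <log_type>_CL."""
    body = json.dumps(records).encode("utf-8")
    date = rfc1123(int(time.time()))
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status


def run_once(env=os.environ, now=None):
    """Pull the last 5-minute window for every event type and ship it (needs real credentials)."""
    missing = missing_settings(env)
    if missing:
        raise SystemExit(f"missing settings (names are case sensitive): {', '.join(missing)}")
    end = int(now if now is not None else time.time())
    start = end - POLL_WINDOW_SECONDS
    tenant, token = env["NETSKOPE_TENANT"], env["NETSKOPE_API_TOKEN"]
    workspace_id, workspace_key = env["WORKSPACE_ID"], env["WORKSPACE_KEY"]
    for event_type in EVENT_TYPES:
        def page(offset, event_type=event_type):
            return fetch_netskope_page(tenant, token, event_type, start, end, offset)
        records = tag_records(collect_all_pages(page), event_type)
        if records:
            post_to_log_analytics(workspace_id, workspace_key, "Netskope", records)


if __name__ == "__main__":
    run_once()
```

Run it on a schedule (the timer trigger of an Azure Function, or cron on the Cloud Exchange VM) with the four settings exported; a production version would also persist the last successful `endtime` so that a missed run does not drop the window, which is the same gap the "be careful with deployments over 1000 users" caveat above points at when a 5-minute window exceeds one page.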
