Cribl Netskope Events and Alerts Integration

  • 14 July 2023
  • 1 reply

Userlevel 3
Badge +15

Cribl Netskope Events and Alerts Integration


Netskope’s Events and Alerts can be pulled into Cribl via the Netskope REST v2 APIs. You can use Cribl Stream to filter and redirect to the destination of your liking. 

Note: Netskope Steaming Events (WebTx) aren’t supported currently. 


  • Netskope tenant with API v2 enabled
  • Cribl Stream account

Setup Steps


  • Generate API token



  • Create Data Source



  • Save and Run



Generate API token

In your Netskope tenant go to Settings > Tools > REST API v2 > New Token




Add permission scopes to the token. You will need to add all scopes that you want to pull. In my example, I am going to grab all Events and Alerts.


Give your token a name, and expiration period. 

Use the following scopes






















Save and use the “copy token” button to copy your token. You will only get a chance to get your token at this time, or you will have to revoke and reissue your token to get another chance to copy it.



Create Data Source

Log into Cribl and go to Stream > Worker Groups and choose the appropriate worker group for the new data source.





Data > Sources



> Collectors REST




Add Collector




  1. Give your collector a Name
  2. Under Discover select Item List. Include all of the items you want to pull with the one call. Example Alerts: uba, securityassessment, quarantine, Remediation, policy, malware, maliste, compromisedcredential, ctep, dlp, watchlist
  3. Collect URL - Add the url to pull. This should be your tenant followed by the base API call you are making, with ${id} at the end. Be sure to place this in `` like : `https://<your tenant name>${id}`
  4. Collect method = GET
  5. Collect parameters = operation `head`
  6. Collect headers
    1. Accept  `application/json`
    2. Netskope-api-token <your v2 token>


Note: After having some customers test this, they found that they needed to make a couple more tweets to get things working correctly. 


Make the following changes to the retries. Under the Retry HTTP codes, add 429, 503, and 409. 



The other thing that needed to be changed is the Max event bytes. Change this to 134217728




At this point, you should be able to Save & Run to verify that everything is working. Once you have verified that it works as expected, you will need to add a Route to send the logs to a destination that you have. 

1 reply

Is there any best practice on how to configure the Scheduled job including pagination and so on!?