SentinelOne Netskope Direct Integration 

There are a few ways to integrate SentinelOne and Netskope. Netskope can send them logs with Cloud Log Shipper, Cloud Threat Exchange can pull URLs and IoC hashes from SentinelOne into Netskope, and with this direct integration. You can use the Netskope application in the Singularity Marketplace for enrichment. I will be going over this last one in this document. 

Taken from https://community.sentinelone.com/
Configure the Netskope App to enrich threats to centralize data into one threat and accelerate investigations. Correlate your Netskope alert data and user risk scores into the SentinelOne threat enrichment view. This lets you easily ingest events from Netskope into Singularity™ Data Lake.

You can also trigger XDR Manual Response Actions in Netskope to minimize the potential expansion of an attack or compromise. These actions are available in the SentinelOne threats in the Management Console for a one-click response.

Prerequisites

• A Netskope Tenant with a client agent running
• The ability to generate an REST APIv2 token
• SentinelOne agent deployed
• A Singularity Data Lake Log Access Write key

Workflow

• Create REST APIv2 token on Netskope
• Add new URL List to Netskope
• Create Data Lake token on Singularity Data Lake
• Configure Netskope integration in Singularity Marketplace
• Verify

Netskope

Create REST APIv2 token on Netskope

On your Netskope tenant go to 

Settings > Tools > REST API v2 > New Token

Add the following endpoints and copy the token when you save it. 

Read

• /api/v2/events/data/alert
• /api/v2/policy/urllist

Read/Write

• /api/v2/ubadatasvc/user/uci
• /api/v2/policy/urllist/deploy

It should look like this. 

Add new URL List to Netskope

On your Netskope tenant go to 

Policies > Web > URL List > New URL List

Give it a name and you will need to add an IP or a URL in the text box. It won’t let you save it if it is blank. 

Save

Create Data Lake token on Singularity Data Lake

In the SentinelOne interface go to 

> Visibility (Enhanced)

Select your name > API Keys

Copy the base URL and the Key Value.

Configure Netskope integration in Singularity Marketplace

In the SentinelOne interface select the Marketplace

Search for Netskope

Select the Netskope Application. 

Simulation Mode - Leave this unchecked. It is for internal testing only. 

Connection - 

API URL - Add your Netskope Tenant URL. See below for example

API Token - This is the Netskope REST APIv2 that you got from your Netskope tenant. 

Enrichment

In the text box you will add the domains of your clients. Netskope gets username information from the Netskope client and SentinelOne’s agent will receive client username information based on the user logging into their domain. 

Using the enrichments will add Netskope Alerts with the top option and Netskope’s user risk score with the bottom. 

Response Actions

With response actions you can push found URL threats into Netskope so that you can block them with a Real Time Policy. The advantage of doing this is once a threat is found on any endpoint it is immediately blocked on all users using Netskope inline. 

Automation Trigger Options

• No automated threat response
• All threats
• Malicious threats
• Threats created by users using ‘Mark as Threat’
• Threats marks as ‘True Positive’

Enter Custom URL Name

• This is the name that you named the Netskope URL List

Ingestion

Netskope alerts can be pulled into the Singularity Data Lake by selecting which ones you would like to be brought in. 

Adding the Data Lake URL and Token will bring in the ingestion. The API was gathered in one of the first steps.

Verify

Go into the Singularity Data Lake > All Data and use this as a filter dataSource.name = 'Netskope' 

Getting to the Data Lake

As you can see I have DLP Alerts. To get these, I ran a test downloading fake credit card numbers which I have a policy to alert on. 

If you click on any of them you can drill down into all of the details.