SentinelOne Netskope Direct Integration
There are a few ways to integrate SentinelOne and Netskope: Netskope can send logs to SentinelOne with Cloud Log Shipper, Cloud Threat Exchange can pull URLs and IoC hashes from SentinelOne into Netskope, and there is this direct integration, where the Netskope application in the Singularity Marketplace is used for enrichment. I will be going over this last one in this document.
Taken from https://community.sentinelone.com/
Configure the Netskope App to enrich threats to centralize data into one threat and accelerate investigations. Correlate your Netskope alert data and user risk scores into the SentinelOne threat enrichment view. This lets you easily ingest events from Netskope into Singularity™ Data Lake.
You can also trigger XDR Manual Response Actions in Netskope to minimize the potential expansion of an attack or compromise. These actions are available in the SentinelOne threats in the Management Console for a one-click response.
Prerequisites
- A Netskope Tenant with a client agent running
- The ability to generate a REST APIv2 token
- SentinelOne agent deployed
- A Singularity Data Lake Log Access Write key
Workflow
- Create REST APIv2 token on Netskope
- Add new URL List to Netskope
- Create Data Lake token on Singularity Data Lake
- Configure Netskope integration in Singularity Marketplace
- Verify
Netskope
Create REST APIv2 token on Netskope
On your Netskope tenant go to
Settings > Tools > REST API v2 > New Token
Add the following endpoints and copy the token when you save it.
Read
- /api/v2/events/data/alert
- /api/v2/policy/urllist
Read/Write
- /api/v2/ubadatasvc/user/uci
- /api/v2/policy/urllist/deploy
It should look like this.
Add new URL List to Netskope
On your Netskope tenant go to
Policies > Web > URL List > New URL List
Give it a name. You will need to add an IP or a URL in the text box, because Netskope won’t let you save the list if it is blank.
Save
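Before moving on to the SentinelOne side, you can confirm from the API that the token was granted the read endpoints listed above and that the URL list name you will enter later in the Marketplace app matches a list that exists. This is an added example, not code from the original post or from either vendor; it assumes the token is sent in a Netskope-Api-Token header, that GET /api/v2/policy/urllist returns a JSON array of objects with id and name fields, and that the alert endpoint accepts timeperiod and limit query parameters.

```python
"""Pre-flight check of the Netskope REST API v2 token and URL list (added
example, not from the post or the vendors). Assumes the token goes in the
``Netskope-Api-Token`` header, GET /api/v2/policy/urllist returns a JSON array
with ``id``/``name`` fields, and the alert endpoint takes ``timeperiod``/``limit``."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Only the read-scope endpoints are probed; the read/write ones change tenant state.
READ_ENDPOINTS = {
    "/api/v2/events/data/alert": {"timeperiod": "3600", "limit": "1"},
    "/api/v2/policy/urllist": {},
}

def fetch(tenant_url, token, path, params):
    """GET one endpoint; return (http_status, parsed JSON or None)."""
    url = tenant_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Netskope-Api-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, None

def scope_verdict(status):
    """Translate an HTTP status into what it says about the token's scopes."""
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "token rejected or endpoint not granted to this token"
    return "unexpected status %d" % status

def find_url_list(url_lists, wanted_name):
    """Return the id of the list whose name exactly matches the Marketplace
    'Custom URL Name' value, or None (the match is case-sensitive)."""
    for entry in url_lists:
        if entry.get("name") == wanted_name:
            return entry.get("id")
    return None

def preflight(tenant_url, token, custom_url_name):
    """Probe both read endpoints and confirm the named URL list exists."""
    results = {}
    for path, params in READ_ENDPOINTS.items():
        status, body = fetch(tenant_url, token, path, params)
        results[path] = scope_verdict(status)
        if path.endswith("/urllist") and isinstance(body, list):
            results["url_list_id"] = find_url_list(body, custom_url_name)
    return results
```

Run preflight() with your tenant URL, the token you just saved and the list name; a 401/403 on either endpoint means the token is missing that endpoint, and url_list_id of None means the name does not match the list you created.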
Create Data Lake token on Singularity Data Lake
In the SentinelOne interface go to
Visibility (Enhanced) > (your name) > API Keys
Copy the base URL and the Key Value.
Configure Netskope integration in Singularity Marketplace
In the SentinelOne interface select the Marketplace
Search for Netskope
Select the Netskope Application.
Simulation Mode - Leave this unchecked. It is for internal testing only.
Connection
- API URL - Your Netskope tenant URL. See below for an example.
- API Token - The Netskope REST APIv2 token you generated on your Netskope tenant.
Enrichment
In the text box, add the domains your users log into. Netskope gets username information from the Netskope client, and SentinelOne’s agent receives the username from the user logging into their domain, so the domain is what allows the two to be matched.
Enabling the enrichments adds Netskope Alerts (top option) and Netskope’s user risk score (bottom option) to the threat view.
Response Actions
With response actions you can push URLs found in threats into Netskope so that you can block them with a Real Time Policy. The advantage is that once a threat is found on any endpoint, the URL is immediately blocked for all users going through Netskope inline.
Automation Trigger Options
- No automated threat response
- All threats
- Malicious threats
- Threats created by users with ‘Mark as Threat’
- Threats marked as ‘True Positive’
Enter Custom URL Name
- This is the name you gave the Netskope URL List
Ingestion
Netskope alerts can be pulled into the Singularity Data Lake by selecting which alert types you would like to bring in.
Adding the Data Lake URL and Token enables the ingestion. These are the base URL and Key Value you copied when creating the Data Lake token earlier.
Verify
Go into Singularity Data Lake > All Data and use this as a filter: dataSource.name = 'Netskope'
Getting to the Data Lake
As you can see I have DLP Alerts. To get these, I ran a test downloading fake credit card numbers which I have a policy to alert on.
If you click on any of them you can drill down into all of the details.