Trimming Logs with Netskope Cloud Exchange, Cloud Log Shipper (CLS)
Netskope provides rich logs for all aspects of security and connectivity, but sometimes you may not want so much detail on things like the device type or OS. For example, in our DLP logs this is the information you would get on the device:

```json
"category": "Cloud Storage",
"ccl": "low",
"device": "iPhone 6S Plus",
"os": "iOS 9.6",
"owner": "dte3831@test.netskope.com",
"policy": "policy_ga32",
"request_id": "2459149802892628500",
"scan_type": "Ongoing",
"site": "Verizon Media",
```
Maybe you just need one of those fields.
In Cloud Log Shipper we can control which information is sent on to the destination by editing the mapping file. You can even have two destinations: one that receives the full logs and sends them somewhere like an AWS S3 bucket for long-term storage, and another that sends trimmed-down logs to your SIEM to reduce your cost. Be sure to work with your SIEM team and confirm that they are okay with you trimming the logs down. Not all SIEM tools handle that well.
Prerequisites
You will need a Netskope tenant and Cloud Exchange with CLS enabled.
Workflow
- Select which mapping file you are using
- Edit the new mapping file
- Add fields to the mapping file
- Apply your new mapping file to your plugin
Select which mapping file you are using
Go to Settings > Log Shipper > Mapping and then select the copy icon. You have to make a copy because editing the default mapping file isn't allowed.
Edit the new mapping file
Give your new mapping file a name, then select which Event, Alert, or WebTx fields you want to delete.
Note: If you select RAW logs in the output plugin, the mapping file is not applied. The logs will go out without being changed.
Add fields to the mapping file
If you scroll down on any of the alert types you will also see an Add Field option. In these mapping files we did the best that we could to map what is important to the CEF fields. Netskope has many more fields than there are CEF fields to map them to, so if a field isn't mapped by default you can add it here.
In the Netskope Field drop-down you can select the field that you would like to map. The Target Field on the left is the name that will be applied to that field as it is sent to your SIEM/Syslog server.
Once it is Saved you will need to apply it in your destination CLS plugin.
Apply your new mapping file to your plugin
Go to the home page by clicking on the arrow next to Settings at the top. Edit your outbound plugin.
Select your new Mapping file.
Done.
Second note: earlier I mentioned sending the logs out RAW. If you want the logs untouched, change this setting so that it is gray. The logs will then bypass the mapping file and be sent unchanged in RAW JSON format. Not all SIEMs support this, so be sure to test.
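To make the trimming behaviour concrete, here is an added illustration (not Netskope's code, and not the real CLS mapping file format) of what a mapping does to the DLP record shown above: only mapped fields survive and are renamed to their target names, while the RAW setting passes the record through untouched. The target names (suser, cs1, externalId, destinationServiceName) are CEF-style names picked for this example.

```python
import json

# Constructed sample: the DLP alert fragment from the post, as a JSON record.
SAMPLE_ALERT = json.loads("""{
  "category": "Cloud Storage",
  "ccl": "low",
  "device": "iPhone 6S Plus",
  "os": "iOS 9.6",
  "owner": "dte3831@test.netskope.com",
  "policy": "policy_ga32",
  "request_id": "2459149802892628500",
  "scan_type": "Ongoing",
  "site": "Verizon Media"
}""")

# Hypothetical trimmed mapping for the SIEM destination: Netskope field -> target field.
# Anything not listed (device, os, ...) is dropped, which is the "trimming" described above.
SIEM_MAPPING = {
    "owner": "suser",
    "policy": "cs1",
    "site": "destinationServiceName",
    "request_id": "externalId",
}


def apply_mapping(record, mapping, raw=False):
    """Return the event as a destination would receive it.

    raw=True models the RAW output-plugin setting: the record goes out unchanged.
    Otherwise only mapped fields survive, renamed to their target names; a mapped
    field that is absent from the record is skipped rather than emitted as empty.
    """
    if raw:
        return dict(record)
    return {target: record[src] for src, target in mapping.items() if src in record}


def fan_out(record):
    """Two destinations: full RAW record for the archive, trimmed record for the SIEM."""
    return {
        "archive": apply_mapping(record, {}, raw=True),
        "siem": apply_mapping(record, SIEM_MAPPING),
    }


if __name__ == "__main__":
    for dest, event in fan_out(SAMPLE_ALERT).items():
        print(dest, json.dumps(event))
```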