AI, ML, Skope AI

Netskope Plugin for Microsoft Security CoPilot

  • 6 February 2024
  • 7 replies
  • 688 views

Userlevel 1

Microsoft has enhanced Security Copilot by preinstalling a set of plugins for their security services and frequently used websites. Additionally, you have the option to incorporate Netskope custom plugins, expanding Gen AI capabilities on your Netskope platform.

Requirements

Create a local YAML file called NetskopeCoPilotSkill.yaml (the filename can be anything) and paste the below into it:

 

Descriptor:
  Name: Netskope Reporting for Threat and Data Protection
  DisplayName: Netskope Reporting API endpoints
  Description: The API plugin offers 6 skills that range from displaying Netskope Alerts and Events for Threat Hunting and Data Protection.
  SupportedAuthTypes:
    - ApiKey
  Authorization:
    Type: APIKey
    Key: Netskope-api-token
    Location: Header
    AuthScheme: ''
  Icon: https://go.netskope.com/rs/665-KFP-612/images/Netskope-Primary-Logo-Full-Color-RGB.svg

SkillGroups:
  - Format: API
    Settings:
      OpenApiSpecUrl: https://raw.githubusercontent.com/mitchellgulledge2/MsftCoPilotPlugin/main/dataoas.yaml
      EndpointUrl: "https://<insert_tenant_here>.goskope.com/api/v2/events"

 

Note that in the file you will need to add your tenant domain in line 18 of the yaml file.

In addition to the local file you will also need your Netskope API token from your tenant with Read permissions for the below Netskope API v2 endpoints:

 

For more information on creating a v2 API token please refer to:

REST API v2 Overview - Netskope Knowledge Portal

Uploading Netskope Plugin as a custom Plugin

Installing custom plugins

This is where you will upload the Netskope Threat Hunting and Reporting Plugin.

Plugin requirements

Every Security Copilot plugin requires a YAML or JSON formatted manifest file, for example skillset.yaml or skillset.json, which describes metadata about the plugin and how to invoke the plugin.

This method is how we will upload the Netskope plugin with various skills.

 

1. Select the Security Copilot plugin icon.

2. In Manage plugins, scroll down to the Custom section.

3. Select Add plugin. You can choose between a Security Copilot plugin or an OpenAI plugin.

 

 

4. Under Select an upload format, click Security Copilot plugin and upload the YAML file you created in the Requirements section.

5. Finally you will be able to paste the API token you gathered in the previous steps from Netskope. (See above)

 

Sample Netskope Prompts

You can validate the 6 Skills are visible by entering /get as seen below:

 


7 replies

Userlevel 1

Updated YAML file:
 

Descriptor:
  Name: Netskope Rest API Plugin
  DisplayName: Netskope Dataexport Reporting endpoints
  Description: The API plugin offers a wide array of endpoint functionalities, including displaying alerts, managing incidents, and tracking infrastructure and network events. With support for DLP alerts, malware alerts, and security assessment events, it provides comprehensive monitoring and management capabilities in a concise package.
  SupportedAuthTypes:
    - ApiKey
  Authorization:
    Type: APIKey
    Key: Netskope-api-token
    Location: Header
    AuthScheme: ''
  Icon: https://go.netskope.com/rs/665-KFP-612/images/Netskope-Primary-Logo-Full-Color-RGB.svg

SkillGroups:
  - Format: API
    Settings:
      OpenApiSpecUrl: https://gist.githubusercontent.com/mitchellgulledge2/2e57bfdf43c0a2a7b7e41c9a2adec6e9/raw/23e4dd50ab6109a05ee0c73aa7dde96aebfd7550/SecurityCoPilotDataexport.yaml
      EndpointUrl: "https://{insert your tenant here}.goskope.com/api/v2/events"
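A pre-upload check for the two manifests posted above, as an added example that is not part of the thread or of any Netskope or Microsoft tooling. The names `field` and `lint_manifest` are hypothetical, the line-based lookup stands in for a real YAML parser, and the rules (a `.goskope.com` host, a 40-character commit hash in the spec URL) are assumptions drawn from the URLs shown in the posts.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the relevant fields of the first manifest, placeholder still in place.
SAMPLE = '''\
Descriptor:
  Authorization:
    Type: APIKey
    Key: Netskope-api-token
    Location: Header
SkillGroups:
  - Format: API
    Settings:
      OpenApiSpecUrl: https://raw.githubusercontent.com/mitchellgulledge2/MsftCoPilotPlugin/main/dataoas.yaml
      EndpointUrl: "https://<insert_tenant_here>.goskope.com/api/v2/events"
'''

def field(manifest, key):
    """Return the first scalar value for `key` (line-based; enough for this flat manifest)."""
    m = re.search(rf'^\s*-?\s*{re.escape(key)}:\s*(.*?)\s*$', manifest, re.M)
    return m.group(1).strip('"\'') if m else None

def lint_manifest(manifest):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    endpoint = field(manifest, 'EndpointUrl') or ''
    spec = urlparse(field(manifest, 'OpenApiSpecUrl') or '')
    # The token is sent to EndpointUrl, so it must be the real tenant over TLS.
    if re.search(r'[<>{}\s]', endpoint):
        findings.append('EndpointUrl still contains the tenant placeholder')
    else:
        ep = urlparse(endpoint)
        if ep.scheme != 'https' or not (ep.hostname or '').endswith('.goskope.com'):
            findings.append('EndpointUrl is not an https://<tenant>.goskope.com URL')
    # The spec decides which operations the plugin exposes; a branch name such as
    # "main" can change after review, a commit hash in the path cannot.
    if spec.scheme != 'https':
        findings.append('OpenApiSpecUrl is not fetched over https')
    if not re.search(r'/[0-9a-f]{40}/', spec.path):
        findings.append('OpenApiSpecUrl is not pinned to a commit hash')
    if field(manifest, 'Location') != 'Header':
        findings.append('API token is not sent in a header')
    return findings

if __name__ == '__main__':
    for finding in lint_manifest(SAMPLE):
        print('FINDING:', finding)
```

Run it against the file before step 4 of the upload procedure; the updated manifest, once the tenant name is filled in, produces no findings.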
Badge +5

Good to see this being developed. I’ve created the Custom Plugin, however my prompts are not working as shown below. If I run the query via the API using the epoch I do get responses. What is the best way to get support on this?

 

sample error returned on all of my prompts

 

Userlevel 1

Hey @paulatv, thanks for reaching out. It seems like it is selecting the correct plugin but some error is occurring with the API call. Can you try it again with operation being head? This will grab all the alerts from the top of the list.

If you get the same error, I can jump on a call with you and we can run a few tests including executing this script:
 

import requests

tenant = 'insert_tenant_name'

# The v2 API token is sent in the Netskope-api-token request header.
headers = {
    'Accept': 'application/json',
    'Netskope-api-token': 'insert api token'
}

base_url = f"https://{tenant}.goskope.com/api/v2/events/dataexport/events/application"

# operation=head starts from the top of the list.
response = requests.request(
    "GET",
    f"{base_url}?operation=head",
    headers=headers,
    data={}).json()

print(response)

Or this curl command:

 
curl -X GET \
  'https://insert_tenant_name.goskope.com/api/v2/events/dataexport/events/application?operation=head' \
  -H 'Accept: application/json' \
  -H 'Netskope-api-token: insert api token'
Userlevel 1

This will tell us if we need to look at Netskope API vs the Plugin

 

Badge +5

Hi @mgulledge, thank you for the reply. Yesterday I was troubleshooting with a colleague within my org and they informed me they have similar issues with a few of their plugins, so we raised this to the Microsoft team. Microsoft is currently investigating, so at this time I suspect the issue may be on the Microsoft side of things. Once we get confirmation I will try the steps you provided if we still experience the issue. Appreciate your help with this.

Userlevel 1

Thanks for the heads up. Maybe, so we can correlate logs, can you try the curl command if they don't find anything??

Userlevel 1

@paulatv I have just updated the manifest file to use the query API endpoints. /data instead of /dataexport. The natural language processing is much better from what we have seen and better performing.

Can you create a new API key for the 6 endpoints listed in updated article and upload new manifest file? Thanks for partnering with us on this :) 

 
