
Seamless Log Shipping: Unlocking Netskope’s Native Integration with Microsoft Sentinel

In today’s security landscape, visibility and real-time insights into your organization’s data are critical for effective threat hunting and incident management. To meet these needs, Netskope has developed a native integration with Microsoft Sentinel using the Codeless Connector Platform—allowing organizations to easily stream all CASB alerts, DLP incidents, and threat logs into Microsoft’s cloud-native SIEM.

 

This blog explores how this new integration simplifies log shipping and delivers a scalable, cost-efficient way to leverage Microsoft Sentinel without deploying additional infrastructure like Cloud Exchange.

 

Why This Matters for Security Teams

Security teams are constantly battling an increasing volume of threats while juggling multiple tools and platforms for managing data and incidents. Many enterprises use Microsoft Sentinel for incident response and threat hunting, but previously, getting comprehensive Netskope data into the Azure console involved additional steps and costs.

 

With this integration, you now have a simplified, direct path to push logs and alerts into Microsoft Sentinel—no need to deploy the Cloud Exchange platform. 

 

Key Benefits of the Netskope–Microsoft Sentinel Integration

  • Effortless Setup at No Additional Cost: The Microsoft Codeless Connector Platform allows you to send your logs directly into Microsoft Sentinel without the complexities of custom configurations or expensive middle layers. You’ll save both time and money by skipping Cloud Exchange, making this integration a cost-efficient choice for businesses. Please note that while using the codeless connector incurs no extra cost, you’ll still need to manage data storage costs within the Azure environment.
  • Comprehensive Data Insights in Microsoft Sentinel: Netskope’s integration ensures all CASB alerts, DLP incidents, and threat intelligence are piped directly into Microsoft Sentinel. This gives you full visibility into potential risks and incidents, all within the Azure console, where your SOC team already operates. Having everything in one place makes it easier to manage incidents and launch threat-hunting initiatives without needing to switch platforms.
  • Enabling Your SOC with Scalable Log Shipping: The integration offers a scalable approach to log shipping, supporting businesses of any size as they grow. Security teams can now quickly send large volumes of Netskope data to Microsoft Sentinel without infrastructure bottlenecks or manual overhead. The Codeless Connector allows for one-click integration, meaning your logs are ready to go with minimal setup, while being easily digestible for SOC analysts to act on.
  • Focus on Incident Response and Policy Changes, Not Infrastructure: With this integration, security teams can focus on what really matters—incident response and policy enforcement—without getting bogged down by infrastructure concerns. All your Netskope alerts and logs will be accessible within Microsoft Sentinel, allowing your SOC team to quickly investigate and respond to incidents. The integration also helps streamline threat-hunting operations, reducing the need to log into multiple systems unless necessary for specific policy adjustments.

 

How It Works: A Seamless Process for Log Management

Netskope’s native integration allows for rapid log shipping without any additional deployment overhead. Here’s how you can enable the integration today:

 

  1. Navigate to the Azure Portal, select Deploy a Custom Template, choose Build your own template in the editor, and paste this JSON file into the editor:
     https://gist.githubusercontent.com/mitchellgulledge2/1a91f1aec2fc9ff6e053fb32cb1de897/raw/bc9f580e9c5c0234e72a383efd5ff6d28f05b496/sentinel_ccp_arm.json
  2. Once pasted, click Next. On the following screen, fill out the workspace location, region and resource group.
  3. After clicking Review and create, navigate to your Sentinel instance under Data Connectors, where you will see Netskope Alerts CCP.
  4. Select Open connector page and fill out your organization name (if you have alliances.goskope.com, your org name is alliances) and API key.
  5. Click Connect and data should start flowing within 20-30 min.

 

Included Endpoints:

  • https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/page?operation=next&index=codeless
  • https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/endpoint?operation=next&index=codeless
  • https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/network?operation=next&index=codeless
  • https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/infrastructure?operation=next&index=codeless
  • https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/connection?operation=next&index=codeless
  • https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/audit?operation=next&index=codeless
  • https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/application?operation=next&index=codeless
  • https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/alerts?operation=next&index=codeless
  • https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/incident?operation=next&index=codeless
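An added example (not Netskope's, Microsoft's or the ARM template's code) of what the connector does with those endpoints: derive the org name from the tenant hostname as step 4 describes, build each iterator URL, and poll all nine in one pass while honouring the server's wait_time. The Netskope-Api-Token header and the {"ok", "result", "wait_time"} response shape are assumptions from the Netskope v2 Data Export API, not from this page, and fetch is a hypothetical injected callable so the code runs offline.

```python
import time
from typing import Callable, Dict, List

# Event types from the "Included Endpoints" list; index=codeless names the
# server-side iterator the CCP connector uses. Assumed (not from this page):
# the API key travels in a Netskope-Api-Token header and each response is
# JSON like {"ok": 1, "result": [...events...], "wait_time": <seconds>}.
EVENT_TYPES = ["page", "endpoint", "network", "infrastructure", "connection",
               "audit", "application", "alerts", "incident"]
ITERATOR_NAME = "codeless"


def org_name(tenant: str) -> str:
    """'alliances.goskope.com' -> 'alliances' (what the connector page asks for)."""
    host = tenant.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if not host.endswith(".goskope.com") or host == ".goskope.com":
        raise ValueError(f"not a Netskope tenant hostname: {tenant!r}")
    return host.split(".", 1)[0]


def export_url(org: str, event_type: str, iterator: str = ITERATOR_NAME) -> str:
    """Build one iterator URL in the exact shape the page lists."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type {event_type!r}")
    return (f"https://{org}.goskope.com/api/v2/events/dataexport/events/"
            f"{event_type}?operation=next&index={iterator}")


def poll_once(org: str, api_key: str,
              fetch: Callable[[str, Dict[str, str]], dict],
              sleep: Callable[[float], None] = time.sleep) -> Dict[str, List[dict]]:
    """One pass over every event type; returns {event_type: [events]}.
    fetch(url, headers) is injected so this runs offline (a real one would GET
    over HTTPS and return parsed JSON); the server's wait_time is honoured."""
    headers = {"Netskope-Api-Token": api_key}  # assumed header name
    collected: Dict[str, List[dict]] = {}
    for etype in EVENT_TYPES:
        body = fetch(export_url(org, etype), headers)
        if body.get("ok") != 1:
            raise RuntimeError(f"{etype}: export call failed: {body}")
        collected[etype] = list(body.get("result", []))
        wait = float(body.get("wait_time", 0))
        if wait > 0:
            sleep(wait)  # do not poll the iterator faster than the server allows
    return collected
```

Because operation=next advances a named server-side cursor, the same index name must not be shared by two consumers, or each will see only part of the stream.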

 

Take Control of Your Security with This Simplified Integration

By leveraging Netskope’s native integration with Microsoft Sentinel, you’ll empower your SOC team with a simple, scalable, and cost-efficient way to gain full visibility over your data. The Codeless Connector Platform removes the friction associated with setting up log shipping pipelines, giving you more time to focus on threat hunting and incident management.

 

Ready to streamline your security operations? Activate the integration today and unlock the power of Netskope data within Microsoft Sentinel.

 

FAQs

 

Q: What does this integration cost? A: The integration leverages Microsoft’s Codeless Connector Platform, which incurs no additional setup cost. However, organizations will need to account for Azure storage costs for the data ingested into Sentinel.

 

Q: Do I need to deploy Netskope Cloud Exchange? A: No, the native integration with the Codeless Connector removes the need to deploy Cloud Exchange, saving both time and money.

 

Q: What types of data can I send to Microsoft Sentinel? A: You can send all CASB alerts, DLP incidents, and threat logs directly to Sentinel, where they can be easily analyzed and used for incident response.

 

By integrating Netskope’s powerful security data into Microsoft Sentinel, you’ll give your team the tools they need to protect your organization—efficiently and effectively.

 

Shoutouts

This was also made possible by Tim Groothuis at Masero, who authored the ARM template and has his own Medium post about the integration: https://medium.com/@TimGroothuis/announcing-the-netskope-ccp-connector-9470afa8eab3
