Overview
This document is a step-by-step guide to sending all of your Netskope alerts and events to Microsoft Sentinel using the Codeless Connector Platform.
Prerequisites
- Netskope API Token
- Azure Log Analytics Workspace
- Microsoft Sentinel Instance
Deployment Steps
- Log into your Azure portal: https://portal.azure.com/signin/index/
- Select which Netskope API endpoints you want to send to Log Analytics (see screenshot below)
- Next, in the Azure portal, navigate to the Data Collection Endpoints page and create a Data Collection Endpoint (DCE) for each Netskope API endpoint you want to send to Sentinel. Make sure the DCEs are in the same region and resource group as your Log Analytics workspace:
- Once that is done, deploy a custom template for each API endpoint: navigate to Deploy from a custom template in your Azure portal:
- Select Build your own template in the editor and paste in the JSON file linked below. Repeat this step for each endpoint, as each one has its own JSON file:
https://github.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/blob/main/codelessAlerts.json
https://github.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/blob/main/codelessApplication.json
https://github.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/blob/main/codelessAudit.json
https://github.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/blob/main/codelessConnection.json
https://github.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/blob/main/codelessEndpoint.json
https://github.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/blob/main/codelessIncident.json
https://github.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/blob/main/codelessInfrastructure.json
https://github.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/blob/main/codelessNetwork.json
https://github.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/blob/main/codelessPage.json
- For each endpoint you add, fill in the following parameters:
- Ensure that the connector is deployed in the same resource group and region as your Log Analytics workspace, just as with the Data Collection Endpoints.
- Once you have deployed the custom templates for each endpoint, open your Microsoft Sentinel instance and go to the Data Connectors tab:
- The final step is to open each connector (select Open connector page) and add your Netskope API token and the endpoint URL. Below is the list of endpoint URLs to use for each connector:
https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/page?operation=next&index=codeless
https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/endpoint?operation=next&index=codeless
https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/network?operation=next&index=codeless
https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/infrastructure?operation=next&index=codeless
https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/connection?operation=next&index=codeless
https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/audit?operation=next&index=codeless
https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/application?operation=next&index=codeless
https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/alerts?operation=next&index=codeless
https://<insert-tenant-name-here>.goskope.com/api/v2/events/dataexport/events/incident?operation=next&index=codeless
- For each connector, add the respective URL and your API token, click Connect, and you are finished!
Data should appear within 30-40 minutes, after which you can query the Log Analytics table NetskopeAlertsEvents_CL.
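Before pasting a token and URL into nine connectors, it is worth confirming that the token actually has access to each Data Export endpoint. The script below is an added pre-flight check written for this guide; it is not part of the repository's templates. It builds the same URLs as the list above, but with its own iterator name (`index=preflight`, an assumed name) rather than `codeless`, because each `index` is an independent server-side cursor and calling `operation=next` on `codeless` from a test script would consume events the connector is expecting to pull. The `Netskope-Api-Token` header and the `ok`/`result` fields in the response are assumptions about the Netskope v2 API, and the token is read from the `NETSKOPE_API_TOKEN` environment variable so it never lands in shell history or a script file.

```python
"""Pre-flight check for the Netskope Data Export endpoints used by the connectors."""
import json
import os
import re
import sys
import urllib.error
import urllib.request

# Event types from the connector list above; one connector (and one DCE) per type.
EVENT_TYPES = ("page", "endpoint", "network", "infrastructure", "connection",
               "audit", "application", "alerts", "incident")

# Tenant names are DNS labels; reject anything else so a pasted value cannot
# turn the URL into a request to some other host.
_TENANT_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def validate_tenant(tenant: str) -> str:
    if not _TENANT_RE.match(tenant):
        raise ValueError(f"invalid tenant name: {tenant!r}")
    return tenant.lower()


def build_url(tenant: str, event_type: str, index: str = "preflight") -> str:
    """Build the dataexport URL for one event type.

    'index' is a named server-side iterator. The check uses its own name
    ('preflight', an assumed value) instead of 'codeless', because operation=next
    advances the cursor and would otherwise eat events meant for the connector.
    """
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type: {event_type!r}")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", index):
        raise ValueError("index must be a short alphanumeric name")
    return (f"https://{validate_tenant(tenant)}.goskope.com"
            f"/api/v2/events/dataexport/events/{event_type}"
            f"?operation=next&index={index}")


def summarize_response(body: dict) -> dict:
    """Reduce a dataexport response to what the check needs: did the call
    succeed and how many events came back. The 'ok' and 'result' field names
    are assumptions about the Netskope v2 response format."""
    if body.get("ok") != 1:
        raise RuntimeError(f"API reported failure: {body}")
    result = body.get("result")
    if not isinstance(result, list):
        raise RuntimeError("response has no 'result' list")
    return {"events": len(result), "wait_time": body.get("wait_time", 0)}


def check_endpoint(tenant: str, event_type: str, token: str, timeout: int = 30) -> dict:
    """Call one endpoint with the token and summarize the result (network I/O)."""
    req = urllib.request.Request(
        build_url(tenant, event_type),
        headers={"Netskope-Api-Token": token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize_response(json.load(resp))
    except urllib.error.HTTPError as e:
        # 401/403 means the token lacks the scope for this endpoint; grant it in
        # the Netskope console before deploying the connector. Never log the token.
        raise RuntimeError(f"{event_type}: HTTP {e.code}") from e


if __name__ == "__main__":
    tenant_name = sys.argv[1] if len(sys.argv) > 1 else "example-tenant"  # placeholder tenant
    api_token = os.environ.get("NETSKOPE_API_TOKEN")
    if not api_token:
        sys.exit("set NETSKOPE_API_TOKEN in the environment")
    for et in EVENT_TYPES:
        try:
            print(et, check_endpoint(tenant_name, et, api_token))
        except RuntimeError as err:
            print(et, "FAILED:", err)
```

Run it as `NETSKOPE_API_TOKEN=... python3 preflight.py <tenant>`; an endpoint that reports `FAILED: HTTP 401` or `403` needs the corresponding scope added to the token before that connector will ever produce data, and a zero event count on first call is normal because a fresh iterator starts at the current position.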