Skip to main content

Overview


Cloud Exchange CLS’s Syslog forwarding gives you the ability to send Netskope Event, Alert, and WebTx messages to any Syslog server. Using the Microsoft Incoming Webhook application from the Admin center Cloud Exchange will send messages to a configured Teams channel to notify you when an Alert was seen from Netskope. 


Requirements



  • CloudExchange 4.2 or newer

  • Basic Cloud Exchange setup (Netskope tenant API v1 and v2 setup)

  • Netskope plug - Netskope CLS

  • Any Syslog server


Syslog Server


For testing and writing this document, I am running a Ubuntu 20 LTS Compute Engine on GCP  with Docker and Graylog running in a container. Leave a comment if you would like me to write up that setup. 


Verify url/ip and port of your Syslog server


In Graylog you can see the input port by going to System > Inputs



 


 


Netskope Cloud Exchange setup steps


Cloud Exchange Plugins


On your Netskope Cloud Exchange go to Settings > Plugins


You will need two plugins configured for this solution, sending WebTx logs is optional. The Netskope CLS plugin and the Syslog CLS plugin. I ran this test with Syslog CLS plugin version 2.0.1. If you need to update your plugins go to the Plugin Repository tab and select ‘check for updates’. 


 



 


 


Configure Netskope CLS Plugin


Select Netskope CLS


Name our plugin and select your Tenant


Next


 



 


 


Select which Alert and Event Types you want and Initial Range. Most of the time I leave these as default. 



 


 


Configure Netskope WebTx CLS Plugin Optional


WebTx logs will track every web packet your users send. This can generate a large amount of data, so it may be necessary to scale up your Cloud Exchange to handle the increased load. Additionally, you should verify that your Syslog server can handle the increased traffic. Event streaming must be enabled on your tenant to support WebTx.


https://docs.netskope.com/en/webtx-plugin-for-log-shipper.html


 


Select Netskope WebTx CLS


Name our plugin and select your Tenant


Next



 


 


Add your Configuration Parameters which includes your Service Account JSON and Subscription Path. See below on where to find those. 



 


 


You can find the needed Event Streaming in your Netskope tenant, log into your tenant with a Tenant Admin account and go to 


Settings > Tools > Event Streaming



 


Configure Syslog CLS Plugin


From the plugin page select Syslog v2.0.1(CLS) or greater. 


Give it a Configuration Name and select a Mapping


 


Note: The mapping file will transform the data into the format you want. Some of the names of fields may be different from other products. For example, some products call applications apps. You can use the mapping file to map the names as you would like. Here is our documentation page on it. https://docs.netskope.com/en/log-shipper-syslog-mapping.html 


 


Next


 



 


 


Add your Configuration Parameters 


The Log Source Identifier will be sent in the message and is a good keyword to filter with on your Syslog server. 


Save



 


Create a Cloud Exchange Business Rule


On your Cloud Exchange interface go to Log Shipper > Business Rules


A pre-configured rule is here for sending all events and alerts



 


 


If you would like to create your own select Create New Rule


Here is an example of one that will match all Alerts coming from Netskope. 



 


Add a SIEM Mapping


Log Shipper > SIEM Mappings


The SIEM mapping will control which source you are sending to which destination and include the business rule as a filter. You will need a new SIEM mapping rule for each source and/or business rule you want to apply. 


If you are sending WebTx logs the only business rule that can be used is All. 


Save once you are done. 



 


 


Verify Integration


At this point you should have Cloud Exchange plugins sending Alerts, Events, and maybe WebTx logs to your Syslog server. 


 


To  test this in my environment, I created a Real-time Protection policy to trigger an Alert if I upload credit card information to a cloud storage account. I used the action of Alert and left it for all users but you could also tie it to just your test use by including your test  username as the Source. This is what my policy looks like. 


 


Real-time Protection Policy


Source - <test client username>


Destination - Category - All Categories


Activities & Constraints - Download, Upload


Profile & Action - Action:Alert


Set Policy - Name your policy






 


 


Upload test credit card data to cloud storage. 


 


Note: if you need test credit card data you can find it by searching for “dlp test credit card file” on the internet.


 


Verify that you are seeing the Alerts in SkopeIT


Copy the Incident Id and search for it on your Syslog server. 


 



 


 


Checking Syslog server


Add your Incident Id to your search field to see all records from that incident. 


I had used JENGAnetskope in my Log Source Identifier of my Syslog plugin. You will see that at the beginning of each record. 



 




Be the first to reply!

Reply