
Hi,

I have integrated a Syslog SIEM with the Cloud Exchange Log Shipper module, and everything is working fine. However, in the mapping file pushed to the SIEM, I’d like to include the User Group information from the alerts/events, and I can’t figure out how to do that.

When I check the Mapping File Wizard to edit an existing mapping—or even when creating a new one—I can't find any “Netskope Field” that corresponds to the User Group attribute of the generated alerts/events. I need to send that attribute to the SIEM.

Does anyone know how I can map it?

Thanks in advance.

Regards

You don’t see a mapping for it in Cloud Exchange because usergroup isn’t in any of the event or alert logs.


But the “user” information is in the logs, and the user group is an attribute associated with the user…

In any Skope IT events or alerts you can see the User and User Group information. Can’t this same information be sent to the SIEM with cloud exchange?


I looked at the output from every event and alert API call, and I didn’t see user group in any of them. I can add a feature request for it but it is not available today. I did start at SkopeIT and saw it there for my client and then did API calls to look for it.



I’ve noticed the same thing, you can’t get the group data from the API, so I’m not sure it’s actually part of the event/alert at all. It might be resolved when the query is run in Skope-IT.



Thanks @Gary-Jenkins and @notskope for your responses and help!

I looked at the output from every event and alert API call, and I didn’t see user group in any of them. I can add a feature request for it but it is not available today. I did start at SkopeIT and saw it there for my client and then did API calls to look for it.


Here you said that you can add a feature request in order to include the user group information in the API call. I’d be really thankful if this can be done, and if you could let me know how I can follow up on this request.

