Netskope Community
07-13-2023 03:51 PM - edited 07-13-2023 03:53 PM
Cribl Netskope Events and Alerts Integration
Netskope’s Events and Alerts can be pulled into Cribl via the Netskope REST v2 APIs. You can then use Cribl Stream to filter the data and route it to the destination of your choice.
In your Netskope tenant, go to Settings > Tools > REST API v2 > New Token.
Add permission scopes to the token. You will need to add every scope that you want to pull. In my example, I am going to grab all Events and Alerts.
Give your token a name and an expiration period.
Use the following scopes:
/api/v2/events/dataexport/events/application
/api/v2/events/dataexport/events/audit
/api/v2/events/dataexport/events/incident
/api/v2/events/dataexport/events/infrastructure
/api/v2/events/dataexport/events/network
/api/v2/events/dataexport/events/page
/api/v2/events/dataexport/alerts/uba
/api/v2/events/dataexport/alerts/securityassessment
/api/v2/events/dataexport/alerts/quarantine
/api/v2/events/dataexport/alerts/remediation
/api/v2/events/dataexport/alerts/policy
/api/v2/events/dataexport/alerts/malware
/api/v2/events/dataexport/alerts/malsite
/api/v2/events/dataexport/alerts/compromisedcredential
/api/v2/events/dataexport/alerts/ctep
/api/v2/events/dataexport/alerts/dlp
/api/v2/events/dataexport/alerts/watchlist
Save, then use the “copy token” button to copy your token. This is your only chance to copy the token; after that, you will have to revoke and reissue it to get another chance.
Log into Cribl and go to Stream > Worker Groups and choose the appropriate worker group for the new data source.
Go to Data > Sources > Collectors REST > Add Collector.
At this point, you should be able to Save & Run to verify that everything is working. Once you have verified that it works as expected, you will need to add a Route to send the logs to one of your destinations.
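The token and its scopes can also be checked outside Cribl before the collector is saved. The Python script below is an added example, not part of the original post and not Netskope or Cribl code; it probes every scope path listed above and reports which ones the token cannot read. Assumptions to confirm against your tenant's REST API v2 documentation: the `Netskope-Api-Token` request header, the `operation` and `index` query parameters, the meaning given to each HTTP status, the hypothetical environment variable names `NETSKOPE_TENANT` and `NETSKOPE_TOKEN`, and the dedicated index name `preflight`, chosen so the probe does not share an iterator with the collector.

```python
import os
import urllib.error
import urllib.parse
import urllib.request

# Scope paths copied from the list in the post.
BASE = "/api/v2/events/dataexport"
EVENTS = "application audit incident infrastructure network page".split()
ALERTS = ("uba securityassessment quarantine remediation policy malware malsite "
          "compromisedcredential ctep dlp watchlist").split()
SCOPES = [f"{BASE}/events/{e}" for e in EVENTS] + [f"{BASE}/alerts/{a}" for a in ALERTS]

# Assumed meaning of the HTTP status codes returned by the API.
VERDICTS = {200: "ok", 401: "token rejected", 403: "scope missing", 429: "rate limited"}


def endpoint_urls(tenant_host, index="preflight"):
    """Map each scope path to the URL to probe. The token never goes in the URL."""
    query = urllib.parse.urlencode({"operation": "next", "index": index})
    return {s: f"https://{tenant_host}{s}?{query}" for s in SCOPES}


def http_status(url, token):
    """Return the HTTP status of one GET, sending the token as a header."""
    req = urllib.request.Request(url, headers={"Netskope-Api-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def preflight(tenant_host, token, fetch=http_status):
    """Return {scope: verdict} for every scope the collector will pull."""
    results = {}
    for scope, url in endpoint_urls(tenant_host).items():
        status = fetch(url, token)
        results[scope] = VERDICTS.get(status, f"unexpected HTTP {status}")
    return results


if __name__ == "__main__":
    # The token comes from the environment, not from the script or its arguments.
    report = preflight(os.environ["NETSKOPE_TENANT"], os.environ["NETSKOPE_TOKEN"])
    for scope, verdict in report.items():
        print(f"{verdict:>20}  {scope}")
    raise SystemExit(0 if all(v == "ok" for v in report.values()) else 1)
```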