This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask the community

Cribl Netskope Events and Alerts Integration

Gary-Jenkins
Netskope
Netskope

‎07-13-2023 03:51 PM - edited ‎07-13-2023 03:53 PM

Cribl Netskope Events and Alerts Integration

 

Netskope’s Events and Alerts can be pulled into Cribl via the Netskope REST v2 APIs. You can use Cribl Stream to filter and redirect to the destination of your liking. 

Requirements

  • Netskope tenant with API v2 enabled
  • Cribl Stream account

Setup Steps

Netskope 

  • Generate API token

 

Cribl

  • Create Data Source

 

Verify

  • Save and Run

 

Netskope

Generate API token

In your Netskope tenant go to Settings > Tools > REST API v2 > New Token

 

GaryJenkins_0-1689288526640.png

 

Add permission scopes to the token. You will need to add all scopes that you want to pull. In my example, I am going to grab all Events and Alerts.

 

Give your token a name, and expiration period. 

Use the following scopes

 

Events

/api/v2/events/dataexport/events/application

/api/v2/events/dataexport/events/audit

/api/v2/events/dataexport/events/incident

/api/v2/events/dataexport/events/infrastructure

/api/v2/events/dataexport/events/network

/api/v2/events/dataexport/events/page

Alerts

/api/v2/events/dataexport/alerts/uba

/api/v2/events/dataexport/alerts/securityassessment

/api/v2/events/dataexport/alerts/quarantine

/api/v2/events/dataexport/alerts/remediation

/api/v2/events/dataexport/alerts/policy

/api/v2/events/dataexport/alerts/malware

/api/v2/events/dataexport/alerts/malsite 

/api/v2/events/dataexport/alerts/compromisedcredential

/api/v2/events/dataexport/alerts/ctep

/api/v2/events/dataexport/alerts/dlp

/api/v2/events/dataexport/alerts/watchlist

 

Save and use the “copy token” button to copy your token. You will only get a chance to get your token at this time, or you will have to revoke and reissue your token to get another chance to copy it.

 

Cribl

Create Data Source

Log into Cribl and go to Stream > Worker Groups and choose the appropriate worker group for the new data source.

 

GaryJenkins_1-1689288526717.png

 

 

Data > Sources

GaryJenkins_2-1689288526683.png

 

> Collectors REST

GaryJenkins_3-1689288526617.png

 

 

Add Collector

GaryJenkins_4-1689288526671.png

 

 

  1. Give your collector a Name
  2. Under Discover select Item List. Include all of the items you want to pull with the one call. Example Alerts: uba, securityassessment, quarantine, Remediation, policy, malware, maliste, compromisedcredential, ctep, dlp, watchlist
  3. Collect URL - Add the url to pull. This should be your tenant followed by the base API call you are making, with ${id} at the end. Be sure to place this in `` like : `https://<your tenant name>.goskope.com/api/v2/events/dataexport/alerts/${id}`
  4. Collect method = GET
  5. Collect parameters = operation `head`
  6. Collect headers
    1. Accept  `application/json`
    2. Netskope-api-token <your v2 token>

GaryJenkins_5-1689288526672.png

 

 

At this point, you should be able to Save & Run to verify that everything is working. Once you have verified that it works as expected, you will need to add a Route to send the logs to a destination that you have. 

Labels:
0 Replies 0
Subscribe
Labels

In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below

Sign In