
1. Overview

This guide provides a complete walkthrough for deploying and configuring the custom Netskope Alerts (v2) data connector for Microsoft Sentinel. Following these steps will enable you to create the necessary Netskope API token, set up the required Azure infrastructure, deploy the connector using the provided ARM template, and validate that data is flowing into your workspace.


This solution guide will allow you to achieve Multi-tenancy where:

  • Each API endpoint per tenant will receive its own Data Collection Endpoint, Data Collection Rule, Log Analytics Table and individual Data Connector inside Sentinel
  • For example, Tenant 1 with 4 connectors polls 4 Events and Alerts endpoints into 4 separate Log Analytics tables

2. Prerequisites

Before you begin, please ensure you have the following:

  • Azure Subscription: An active Azure subscription with permissions to create resources, including Resource Groups, Data Collection Endpoints, and Microsoft Sentinel deployments. You will also need permissions to create and assign roles.
  • Microsoft Sentinel Workspace: An existing Log Analytics Workspace with Microsoft Sentinel enabled.
  • Netskope Tenant Access: Administrative access to your Netskope tenant to generate a REST API v2 token.
  • ARM Template File: The JSON ARM template used in Step 3, either saved locally or copied from the linked repository at deployment time.
  • Optional: Health monitoring enabled in Microsoft Sentinel, so that the SentinelHealth table records the connector's API connectivity status changes for troubleshooting.

3. Deployment Steps

Step 1: Generate a Netskope API Token

The first step is to create a secure API token within your Netskope tenant that Microsoft Sentinel can use to authenticate and pull alert/event data.

  1. Log in to your Netskope tenant with an administrator account.
  2. Navigate to Settings > Tools > REST API v2.
  3. Click New Token.
  4. In the "New Token" configuration window, provide a descriptive Token Name (e.g., Microsoft_Sentinel_Connector_Token).
  5. Set an Expiration Date for the token. For security, it's recommended to set a reasonable expiration period.
  6. Click Add Endpoint.
  7. In the scope selection, select only the endpoint(s) this token will be used to poll, from the list below:
    • /api/v2/events/dataexport/events/alert
    • /api/v2/events/dataexport/events/audit
    • /api/v2/events/dataexport/events/page
    • /api/v2/events/dataexport/events/application
    • /api/v2/events/dataexport/events/network
    • /api/v2/events/dataexport/events/connection
    • /api/v2/events/dataexport/events/incident
    • or any other individual dataexport endpoint for an alert or event type not listed here
  8. Grant the token no scopes beyond the endpoints the connector polls (least privilege), then click Save.
  9. The new token will be generated and displayed. This is the only time the token will be shown. Copy the token value immediately and save it to a secure location, such as a password manager. Treat it as a credential: anyone holding it can read your tenant's alert and event data for the granted scopes. You will need it in Step 4.


Step 2: Create an Azure Data Collection Endpoint (DCE)

The DCE provides a secure endpoint for ingesting the data polled from the Netskope API.

  1. In the Azure Portal, search for Data Collection Endpoints in the top search bar and select it.
  2. Click the Create button.
  3. Fill in the required details on the "Basics" tab:
    • Subscription: Select your Azure subscription.
    • Resource Group: Choose the same resource group where your Microsoft Sentinel workspace is located.
    • Endpoint Name: Provide a unique and descriptive name for your DCE (e.g., netskope-dce-tenant2).
    • Region: Select the same region as your Microsoft Sentinel workspace.
  4. Click Review + create, and after validation passes, click Create.
  5. Once the deployment is complete, navigate to the newly created DCE resource.
  6. On the Overview page, find the Logs ingestion URI. Copy this full URI and save it. You will need it in a later step.



Step 3: Deploy the ARM Template

Now, you will use the ARM template to deploy the solution package, which includes the data connector, the Data Collection Rule (DCR), and the custom table definition.

  1. In the Azure Portal, search for Deploy a custom template and select it.
  2. Click on Build your own template in the editor.
  3. Delete any existing content in the editor pane.
  4. Open the following JSON ARM template file, copy the entire contents, and paste it into the editor:
    https://raw.githubusercontent.com/mitchellgulledge2/CodelessConnectorSentinelNetskope/refs/heads/main/Multi-TenantAlert.json
  5. Click Save.
  6. You will be taken to the "Custom deployment" screen. Fill in the parameters as follows:
    • Subscription & Resource Group: Select the subscription and resource group where your Sentinel workspace resides.
    • Workspace: Enter the name of your Microsoft Sentinel-enabled Log Analytics Workspace.
    • Data Collection Endpoint Name: Enter the name of the DCE you created in Step 2 (e.g., netskope-dce-tenant2), not the full URI.
    • Solution/DCR/Connector Names: The remaining parameters (solutionName, solutionTitle, dcrName, etc.) are pre-filled with values for your specific tenant. You can leave these as they are.
  7. Click Review + create, and once validation succeeds, click Create.


Step 4: Configure and Connect in Microsoft Sentinel

With the resources deployed, the final step is to activate the connection from within Microsoft Sentinel.

  1. Navigate to your Microsoft Sentinel workspace.
  2. From the left-hand menu, under "Configuration," select Data connectors.
  3. Use the search bar to find your newly deployed connector (e.g., "Netskope Alerts CCP Tenant 2").
  4. Click on the connector and then click the Open connector page button.
  5. On the connector page, under the "Configuration" section, fill in the required fields:
    • Alerts v2 Endpoint: Enter the URL of the Netskope dataexport endpoint this connector will poll, in the format https://<tenant_name>.goskope.com/api/v2/events/dataexport/events/alert?operation=next&index=codeless. The index value names the server-side iterator that tracks the connector's position in the event stream; give each connector its own index name so that two pollers never share a cursor.
    • Netskope v2 API key: Paste the API token you saved from Step 1.
  6. Click Connect. The status should change to Connected.


Step 5: Validate Data Ingestion

After connecting, you need to verify that data is being successfully pulled and ingested.

  1. Check Polling Status: In the data connector page, you will see a "Data received" chart. It can take 15-20 minutes for the first logs to appear after the initial connection.
  2. Query the Logs: Once enough time has passed, go to your Log Analytics Workspace and select Logs.
  3. Run the following KQL query to see if data is present in your custom table (replace the table name with the one your template created, e.g. NetskopeAlertsEvents9_CL):

     NetskopeAlertsEvents9_CL
     | take 100

  4. If records are returned, your data connector is working correctly.
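As an added example (not part of the original guide), the query below checks every Netskope custom table in the workspace at once, which suits the multi-tenant layout where each endpoint gets its own table. It assumes the tables share the prefix NetskopeAlertsEvents, as in the query above; adjust the wildcard if your template uses different names.

```kql
// Added example: freshness and volume check across all Netskope custom tables.
// Assumes the per-endpoint tables created by the template share the prefix
// NetskopeAlertsEvents (for example NetskopeAlertsEvents9_CL); adjust the
// wildcard to match the table names set in your template parameters.
union withsource=SourceTable NetskopeAlertsEvents*_CL
| where TimeGenerated > ago(24h)
| summarize
    Records   = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by SourceTable
// Minutes since the newest record landed in each table.
| extend MinutesSinceLastRecord = datetime_diff('minute', now(), LastSeen)
// 30 minutes is well past the 15-20 minute first-poll window, so anything
// older than that deserves a look at the connector and the token.
| extend Freshness = iff(MinutesSinceLastRecord > 30, "Stale", "Fresh")
| order by MinutesSinceLastRecord desc
```

A table that has received nothing in the window does not appear in the output at all, so compare the list of SourceTable values against the connectors you deployed; a missing table is as much a finding as a Stale one.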


4. Troubleshooting

  • Schema Mismatch Error: If you encounter an error about an invalid table schema during deployment, it means a previous failed attempt created the custom table with an incorrect structure. You must manually delete that custom table (the name is set by the template parameters, e.g. NetskopeAlertsEvents_CL) from the Log Analytics workspace and then redeploy the ARM template.
  • SentinelHealth: Query the SentinelHealth table to validate API connectivity. It records each connector's data fetch status changes and the reason for a failure (health monitoring must be enabled in the Sentinel settings).


  • No Data Ingested: If the connector is "Connected" but no data appears after 30 minutes, double-check that the Netskope API token has the scope for the endpoint being polled and has not expired, and that the tenant hostname in the endpoint URL is correct. Also verify that there are no firewalls blocking communication between Azure and the Netskope API endpoint.
  • Validate the token outside Sentinel: call the same dataexport endpoint directly from the Netskope REST API v2 Swagger page or your own API client, passing the token in the Netskope-Api-Token header. An authorization error (HTTP 401/403) points to an invalid or expired token or a missing endpoint scope. Use a different index value than the connector's so the manual call does not advance the connector's iterator.

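As an added example (not part of the original guide), the query below is one way to read the SentinelHealth table for the connectivity check and the "no data ingested" case above. The column names are the documented SentinelHealth schema; the connector name filter is an assumption based on the naming used in this guide, so adjust it to match your connectors.

```kql
// Added example: data fetch status history for the Netskope CCP data connectors.
// Requires health monitoring to be enabled (Microsoft Sentinel > Settings > Health monitoring).
// The "Netskope" name filter assumes the connector names used in this guide; adjust as needed.
SentinelHealth
| where TimeGenerated > ago(7d)
| where SentinelResourceType == "Data connector"
| where SentinelResourceName has "Netskope"
// Status flips between Success and Failure; Description and Reason carry the
// API-side detail (for example an authentication or scope error from Netskope).
| project TimeGenerated, SentinelResourceName, OperationName, Status, Description, Reason
| order by TimeGenerated desc
// To see only the current state per connector, append:
// | summarize arg_max(TimeGenerated, *) by SentinelResourceName
```

A run of Failure rows that starts at the same time for every connector of one tenant usually points at that tenant's token (expired or revoked) rather than at an individual endpoint scope.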


@mgulledge I think you posted this guide in the wrong section?


Hi @bnorcutt, thank you for flagging this, moved this into a community common article space.