Version: 1.0
Applies to: Netskope integration with IBM QRadar (https://apps.xforce.ibmcloud.com/extension/ff97aaadc10ed96b0e05d1a1f24af2f7)
Overview
This community article clarifies the three distinct methods for sending Netskope alerts, events, and web transaction logs to your IBM QRadar SIEM. Choosing the correct integration path is crucial for performance, scalability, and achieving your security monitoring goals.
A prerequisite for all three methods is the installation of the Netskope Security Cloud DSM on your QRadar instance. You can download the DSM from https://apps.xforce.ibmcloud.com/extension/ff97aaadc10ed96b0e05d1a1f24af2f7.
For detailed, step-by-step installation and configuration instructions for all methods described below, please refer to the official Netskope Security Cloud DSM User Guide. The guide also covers checks such as verifying protocol versions and includes troubleshooting sections.
The three available integration methods are:
- Netskope Cloud Log Shipper (CLS) via Syslog
- Universal Cloud REST API (UREST) Protocol
- Amazon AWS S3 REST API Protocol
No single method is “best”; each is intended for different business requirements.
Method 1: Netskope Cloud Log Shipper (CLS) with Syslog
This traditional method uses the Netskope Cloud Exchange (CE) platform's Cloud Log Shipper (CLS) module and its QRadar plugin to fetch data and forward it to QRadar in the Common Event Format (CEF) over Syslog. Detailed steps are present in the section “Create a Log Source to collect data from Netskope CE” of the user guide.
When to Use This Method:
- You require WebTx (web transaction) logs today and have not yet migrated from pub/sub-lite to the Netskope Log Streaming architecture.
- You already have Netskope Cloud Exchange deployed in your environment.
- You need to stream logs to destinations in addition to QRadar.
- You need to apply complex business rules to filter or transform log data before it reaches QRadar.
Supported Data Types:
- All Alerts
- All Events
- WebTx Logs
Prerequisites:
- QRadar Enterprise Version: 7.4.3+
- Netskope CE Version: 4.1.0, 4.2.0, or higher
- Netskope QRadar CLS Plugin Version: 3.1.0 or higher
Method 2: Universal Cloud REST API (UREST) Protocol
This method provides a direct integration in which QRadar uses the Universal Cloud REST API (UREST) protocol to pull alerts and events directly from the Netskope REST API v2 dataexport endpoints. This approach does not require the Netskope Cloud Exchange. Detailed steps are present in the section “Create a Log Source using the UREST protocol to collect data from the Netskope API” of the user guide.
When to Use This Method:
- You prefer a direct API integration without the additional cost of deploying and managing Cloud Exchange to run Cloud Log Shipper.
- Your primary need is Netskope alerts and events (WebTx logs are not supported via this method).
Supported Data Types:
- All Alerts
- All Events
- Not Supported: WebTx Logs
Prerequisites:
- QRadar Enterprise Version: 7.5.0+
- Workflows: You must configure specific workflows for the data you wish to collect. These can be downloaded from the official IBM GitHub repository: Netskope UREST Workflows.
- UREST Protocol: The Universal Cloud REST API protocol must be installed on QRadar. The User Guide provides detailed instructions on how to install and verify this under the section “Steps to check UREST protocol version”.
Method 3: Amazon AWS S3 REST API Protocol
This method is designed for scalability and bulk data ingestion. Netskope Log Streaming is configured to deliver logs as compressed CSV files to an AWS S3 bucket, and QRadar is then configured to retrieve the data from that S3 bucket.
When to Use This Method:
- You are a Netskope customer who has just purchased event streaming services in order to obtain web transaction logs today.
- You need to ingest a very high volume of event and alert data (e.g., tens of millions of events per day per endpoint). The CLS and UREST methods may face performance challenges at this scale.
- You already leverage AWS S3 for log aggregation and archival.
Performance and Scalability
This method is purpose-built for obtaining web transaction logs as well as for high-volume event and alert log data ingestion and is the recommended solution for customers who need to transport massive log volumes efficiently.
Benchmark Test Results
Netskope ran multiple performance tests on a generic but limited architecture to validate performance at a scale of up to 5,000 events per second (the licensed limit) and found that the integration could average 4-5K EPS.
Key Performance Observations
- License Saturation: In both tests, the ingestion rate consistently approached the QRadar license limit of 5,000 EPS. This indicates that the integration's throughput is primarily constrained by the QRadar appliance's capacity, not by the S3 protocol itself. With a higher EPS license, even greater performance could be expected.
- Engineered for Bulk Data: The S3 method's architecture, which processes large, compressed files, is inherently more efficient for bulk transport than the real-time, event-by-event streaming of Syslog or the API polling of UREST. This makes it the only viable option for environments that generate millions of events per hour.
Supported Data Types:
- This method is currently limited to specific alert and event types as found here.
- Note: Infrastructure events and DLP Incidents collected via the S3 REST API protocol will be parsed as unknown because the "type" key is absent from their event schema.
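The "type" caveat above can be checked on the delivered files before QRadar ingests them. Below is an added example (not Netskope's or IBM's code) that reads one gzip-compressed CSV file as Netskope Log Streaming writes it to the S3 bucket and counts the rows that will parse as unknown; the column names and the in-memory sample files are constructed for illustration and should be checked against your own export.

```python
import csv
import gzip
import io
from collections import Counter

def summarize_types(gz_bytes: bytes) -> dict:
    """Count rows per "type" value in one gzip-compressed CSV file from the bucket.
    Rows whose "type" is missing or empty are 'untyped': QRadar parses them as unknown."""
    reader = csv.DictReader(io.StringIO(gzip.decompress(gz_bytes).decode("utf-8")))
    by_type, untyped, total = Counter(), 0, 0
    for row in reader:
        total += 1
        value = (row.get("type") or "").strip()  # None when the column is absent
        if value:
            by_type[value] += 1
        else:
            untyped += 1
    return {"has_type_column": "type" in (reader.fieldnames or []),
            "total": total, "untyped": untyped, "by_type": dict(by_type)}

def make_sample(header, rows) -> bytes:
    """Build a gzip-compressed CSV in memory (constructed test data, not a real export)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    writer.writerows(rows)
    return gzip.compress(buf.getvalue().encode("utf-8"))

# Constructed sample: alert rows carry "type"; the DLP incident row leaves it blank.
# Column names are assumed for illustration, not Netskope's documented schema.
ALERTS_SAMPLE = make_sample(
    ["timestamp", "type", "alert_type", "user"],
    [["1700000000", "alert", "malware", "user1@example.com"],
     ["1700000001", "alert", "policy", "user2@example.com"],
     ["1700000002", "", "dlp_incident", "user3@example.com"]],
)

# Constructed sample: infrastructure events exported with no "type" column at all.
INFRA_SAMPLE = make_sample(
    ["timestamp", "event_name", "device"],
    [["1700000003", "appliance_restart", "nsk-gw-01"],
     ["1700000004", "config_change", "nsk-gw-02"]],
)

if __name__ == "__main__":
    for name, data in (("alerts", ALERTS_SAMPLE), ("infra", INFRA_SAMPLE)):
        s = summarize_types(data)
        print(f"{name}: {s['total']} rows, {s['untyped']} would parse as unknown, {s['by_type']}")
```

Run it against a file downloaded from the bucket by passing its bytes to summarize_types; a high "untyped" count identifies exports that will show up in QRadar as unknown events rather than as a parsing fault in the DSM.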
Prerequisites:
- QRadar Enterprise Version: 7.5.0 UP4+
- An AWS S3 bucket configured to receive data from Netskope.
- Proper AWS IAM credentials configured in your QRadar log source.
Summary and Comparison
| Factor | Netskope CLS with Syslog | Universal Cloud REST API (UREST) | Amazon AWS S3 REST API |
| --- | --- | --- | --- |
| Primary Use Case | General purpose; required for WebTx logs and data filtering. | Direct, agentless integration for alerts and events only. | High-volume bulk data ingestion (millions of events). |
| WebTx Log Support | Yes | No | Yes |
| Event/Alert Support | Yes (all) | Yes (all) | Not currently supported by Netskope |
| Data Throughput | Standard | Standard | Very High |
| Netskope Prerequisite | Cloud Exchange (CE) v5.1.0+ | Netskope Tenant with API Access | Netskope Tenant configured for S3 delivery |
| QRadar Version | 7.4.3+ | 7.5.0+ | 7.5.0 UP4+ |
| Setup Complexity | Moderate (requires CE setup) | Low-Moderate (requires workflow setup) | Moderate (requires S3 bucket & IAM setup) |