Редагувати

Поділитися через


Netskope Data Connector (using Azure Functions) connector for Microsoft Sentinel

The Netskope data connector provides the following capabilities:

  1. NetskopeToAzureStorage : Get the Netskope Alerts and Events data from Netskope and post to Azure storage.
  2. StorageToSentinel : Get the Netskope Alerts and Events data from Azure storage and post to custom log table in log analytics workspace.
  3. WebTxMetrics : Get the WebTxMetrics data from Netskope and post to custom log table in log analytics workspace.

For more details of REST APIs refer to the below documentations:

  1. Netskope API documentation
  2. Azure storage documentation
  3. Microsoft log analytic documentation

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) alertscompromisedcredentialdata_CL
alertsctepdata_CL
alertsdlpdata_CL
alertsmalsitedata_CL
alertsmalwaredata_CL
alertspolicydata_CL
alertsquarantinedata_CL
alertsremediationdata_CL
alertssecurityassessmentdata_CL
alertsubadata_CL
eventsapplicationdata_CL
eventsauditdata_CL
eventsconnectiondata_CL
eventsincidentdata_CL
eventsnetworkdata_CL
eventspagedata_CL
Netskope_WebTx_metrics_CL
Data collection rules support Not currently supported
Supported by Netskope

Query samples

Netskope CompromisedCredential Alerts Data

alertscompromisedcredentialdata_CL

| sort by TimeGenerated desc

Netskope CTEP Alerts Data

alertsctepdata_CL

| sort by TimeGenerated desc

Netskope DLP Alerts Data

alertsdlpdata_CL

| sort by TimeGenerated desc

Netskope Malsite Alerts Data

alertsmalsitedata_CL

| sort by TimeGenerated desc

Netskope Malware Alerts Data

alertsmalwaredata_CL

| sort by TimeGenerated desc

Netskope Policy Alerts Data

alertspolicydata_CL

| sort by TimeGenerated desc

Netskope Quarantine Alerts Data

alertsquarantinedata_CL

| sort by TimeGenerated desc

Netskope Remediation Alerts Data

alertsremediationdata_CL

| sort by TimeGenerated desc

Netskope SecurityAssessment Alerts Data

alertssecurityassessmentdata_CL

| sort by TimeGenerated desc

Netskope Uba Alerts Data

alertsubadata_CL

| sort by TimeGenerated desc

Netskope Application Events Data.

eventsapplicationdata_CL

| sort by TimeGenerated desc

Netskope Audit Events Data

eventsauditdata_CL

| sort by TimeGenerated desc

Netskope Connection Events Data

eventsconnectiondata_CL

| sort by TimeGenerated desc

Netskope Incident Events Data

eventsincidentdata_CL

| sort by TimeGenerated desc

Netskope Network Events Data

eventsnetworkdata_CL

| sort by TimeGenerated desc

Netskope Page Events Data

eventspagedata_CL

| sort by TimeGenerated desc

Netskope WebTransactions Metrics Data

Netskope_WebTx_metrics_CL

| sort by TimeGenerated desc

Prerequisites

To integrate with Netskope Data Connector (using Azure Functions) make sure you have:

  • Azure Subscription: Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
  • REST API Credentials/permissions: Netskope Tenant and Netskope API Token is required. See the documentation to learn more about API on the Rest API reference

Vendor installation instructions

Note

This connector uses Azure Functions to connect to the Netskope APIs to pull its Alerts and Events data into custom log table. Check the Azure Functions pricing page for details.

(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

STEP 1 - App Registration steps for the Application in Microsoft Entra ID

This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:

  1. Sign in to the Azure portal.
  2. Search for and select Microsoft Entra ID.
  3. Under Manage, select App registrations > New registration.
  4. Enter a display Name for your application.
  5. Select Register to complete the initial app registration.
  6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the Application (client) ID and Tenant ID. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook.

Reference link: /azure/active-directory/develop/quickstart-register-app

STEP 2 - Add a client secret for application in Microsoft Entra ID

Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:

  1. In the Azure portal, in App registrations, select your application.
  2. Select Certificates & secrets > Client secrets > New client secret.
  3. Add a description for your client secret.
  4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.
  5. Select Add.
  6. Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page. The secret value is required as configuration parameter for the execution of TriggersSync playbook.

Reference link: /azure/active-directory/develop/quickstart-register-app#add-a-client-secret

STEP 3 - Assign role of Contributor to application in Microsoft Entra ID

Follow the steps in this section to assign the role:

  1. In the Azure portal, Go to Resource Group and select your resource group.
  2. Go to Access control (IAM) from left panel.
  3. Click on Add, and then select Add role assignment.
  4. Select Contributor as role and click on next.
  5. In Assign access to, select User, group, or service principal.
  6. Click on add members and type your app name that you have created and select it.
  7. Now click on Review + assign and then again click on Review + assign.

Reference link: /azure/role-based-access-control/role-assignments-portal

STEP 4 - Steps to create/get Credentials for the Netskope account

Follow the steps in this section to create/get Netskope Hostname and Netskope API Token:

  1. Login to your Netskope Tenant and go to the Settings menu on the left navigation bar.
  2. Click on Tools and then REST API v2
  3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.
  4. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage.

STEP 5 - Steps to create the azure functions for Netskope Alerts and Events Data Collection

IMPORTANT: Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Netskope API Authorization Key(s).

Using the ARM template deploy the function apps for ingestion of Netskope events and alerts data to Sentinel.

  1. Click the Deploy to Azure button below.

    Deploy To Azure

  2. Select the preferred Subscription, Resource Group and Location.

  3. Enter the below information : Netskope HostName Netskope API Token Select Yes in Alerts and Events types dropdown for that endpoint you want to fetch Alerts and Events Log Level Workspace ID Workspace Key

  4. Click on Review+Create.

  5. Then after validation click on Create to deploy.

Next steps

For more information, go to the related solution in the Azure Marketplace.