Collect Netskope alert logs v2

Supported in:

Google SecOps SIEM

Overview

This parser extracts Netskope alert logs from JSON-formatted messages, transforming them into the Google Security Operations UDM. It normalizes fields, parses timestamps, handles alerts and severities, extracts network information (IPs, ports, protocols), enriches user and file data, and maps fields to the UDM structure. The parser also handles specific Netskope activities like logins and DLP events and adds custom labels for enhanced context.

Before you begin

Ensure that you have a Google SecOps instance.
Ensure that you have privileged access to Netskope.

Enable Netskope REST API Access

Sign in to the Netskope tenant using your administrator credentials.
Go to Settings > Tools > REST API v2.
Enable REST API Status.
Create a new token:
1. Click New Token.
2. Enter the token name (for example, Google SecOps Token).
3. Enter the token expiration time.
4. Click Add Endpoint to select the API endpoints to use with the token.
5. Specify the privileges for the endpoint:
  - Read privileges include GET.
  - Read+Write privileges include GET, PUT, POST, PATCH, and DELETE.
  Note: Endpoint privileges vary. Some endpoints, such as alert and audit, only have the Read privilege. Other endpoints, such as the URL list/file endpoint has both Read+Write privileges.
6. Click Save.
7. A confirmation box opens showing whether the token creation was successful.
8. Click Copy Token and save it for later use in the API Authentication header.
Note: The only option to copy the token is immediately after you create it. The token is required in your API requests.

Configure a feed in Google SecOps to ingest Netskope Alert logs v2

Click Add new.
In the Feed name field, enter a name for the feed (for example, Netskope Alert Logs v2).
Select Third party API as the Source type.
Select Netskope V2 as the Log type.
Click Next.
Specify values for the following input parameters:
- Authentication HTTP Header: token previously generated in a Netskope-Api-Token:<value> format (for example, Netskope-Api-Token:AAAABBBBCCCC111122223333).
- API Hostname: The FQDN (fully qualified domain name) of your Netskope REST API endpoint (for example myinstance.goskope.com).
- API Endpoint: Enter alerts.
- Content Type: Allowed values for alerts are uba, securityassessment, quarantine, remediation, policy, malware, malsite, compromisedcredential, ctep, dlp, watchlist.
- Asset namespace: the asset namespace.
- Ingestion labels: the label applied to the events from this feed.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.

Optional: Add a feed configuration to ingest Netskope Event logs v2

Go to SIEM Settings > Feeds.
Click Add new.
In the Feed name field, enter a name for the feed (for example, Netskope Event Logs v2).
Select Third party API as the Source type.
Select Netskope V2 as the Log type.
Click Next.
Specify values for the following input parameters:
- Authentication HTTP Header: key pair generated previously in <key>:<secret> format, used to authenticate against the Netskope API.
- API Hostname: The FQDN (fully qualified domain name) of your Netskope REST API endpoint (for example myinstance.goskope.com).
- API Endpoint: Enter events.
- Content Type: Allowed values for events are application, audit, connection, incident, infrastructure, network, page.
- Asset namespace: the asset namespace.
- Ingestion labels: the label applied to the events from this feed.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`_id`	`metadata.product_log_id`	Directly mapped from `_id`.
`access_method`	`extensions.auth.auth_details`	Directly mapped from `access_method`.
`action`	`security_result.action`	Mapped to `QUARANTINE` because the value is "alert". Also mapped to `security_result.action_details` as "alert".
`app`	`target.application`	Directly mapped from `app`.
`appcategory`	`security_result.category_details`	Directly mapped from `appcategory`.
`browser`	`network.http.user_agent`	Directly mapped from `browser`.
`browser_session_id`	`network.session_id`	Directly mapped from `browser_session_id`.
`browser_version`	`network.http.parsed_user_agent.browser_version`	Directly mapped from `browser_version`.
`ccl`	`security_result.confidence_details`	Directly mapped from `ccl`.
`device`	`principal.resource.type`, `principal.resource.resource_subtype`	`principal.resource.type` is set to "DEVICE". `principal.resource.resource_subtype` is directly mapped from `device`.
`dst_country`	`target.location.country_or_region`	Directly mapped from `dst_country`.
`dst_latitude`	`target.location.region_coordinates.latitude`	Directly mapped from `dst_latitude`.
`dst_longitude`	`target.location.region_coordinates.longitude`	Directly mapped from `dst_longitude`.
`dst_region`	`target.location.name`	Directly mapped from `dst_region`.
`dstip`	`target.ip`, `target.asset.ip`	Directly mapped from `dstip`.
`metadata.event_type`	`metadata.event_type`	Set to `NETWORK_CONNECTION` because both principal and target IP addresses are present and the protocol is not HTTP.
`metadata.product_event_type`	`metadata.product_event_type`	Directly mapped from `type`.
`metadata.product_name`	`metadata.product_name`	Set to "NETSKOPE_ALERT_V2" by the parser.
`metadata.vendor_name`	`metadata.vendor_name`	Set to "NETSKOPE_ALERT_V2" by the parser.
`object_type`	`additional.fields`	Added as a key-value pair to `additional.fields` where key is "object_type" and value is the content of `object_type`.
`organization_unit`	`principal.administrative_domain`	Directly mapped from `organization_unit`.
`os`	`principal.platform`	Mapped to `WINDOWS` because the value matches the regex "(?i)Windows.*".
`policy`	`security_result.summary`	Directly mapped from `policy`.
`site`	`additional.fields`	Added as a key-value pair to `additional.fields` where key is "site" and value is the content of `site`.
`src_country`	`principal.location.country_or_region`	Directly mapped from `src_country`.
`src_latitude`	`principal.location.region_coordinates.latitude`	Directly mapped from `src_latitude`.
`src_longitude`	`principal.location.region_coordinates.longitude`	Directly mapped from `src_longitude`.
`src_region`	`principal.location.name`	Directly mapped from `src_region`.
`srcip`	`principal.ip`, `principal.asset.ip`	Directly mapped from `srcip`.
`timestamp`	`metadata.event_timestamp.seconds`	Directly mapped from `timestamp`.
`type`	`metadata.product_event_type`	Directly mapped from `type`.
`ur_normalized`	`principal.user.email_addresses`	Directly mapped from `ur_normalized`.
`url`	`target.url`	Directly mapped from `url`.
`user`	`principal.user.email_addresses`	Directly mapped from `user`.

Changes

2024-09-25

Newly created parser.