Collect Netskope alert logs v2
Supported in: Google SecOps SIEM
Note: This feature is covered by the Pre-GA Offerings Terms of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the Google SecOps Technical Support Service guidelines (https://chronicle.security/legal/technical-support-services-guidelines/) and the Google SecOps Service Specific Terms (https://chronicle.security/legal/service-terms/).
Overview
This parser extracts Netskope alert logs from JSON-formatted messages and transforms them into the Google Security Operations Unified Data Model (UDM). It normalizes fields, parses timestamps, handles alert types and severities, extracts network information (IPs, ports, protocols), enriches user and file data, and maps the result to the UDM structure. The parser also handles specific Netskope activities, such as logins and DLP events, and adds custom labels for additional context.
Note: For more information, see the Netskope REST API v2 reference at https://docs.netskope.com/en/rest-api-v2-overview-312207/.
Before you begin
Ensure that you have the following prerequisites:
Google SecOps instance.
Administrator access to the Netskope tenant (needed to enable the REST API and create tokens).
Enable Netskope REST API Access
Sign in to the Netskope tenant using your administrator credentials.
Go to Settings > Tools > REST API v2.
Enable REST API Status.
Create a new token:
Click New Token.
Enter the token name (for example, Google SecOps Token).
Enter the token expiration time.
Click Add Endpoint and select the API endpoints to use with the token. Select only the endpoints the feed needs (the alert and event types you plan to ingest), so that a leaked token exposes no more than it must.
Specify the privileges for each endpoint:
Read privileges include GET.
Read+Write privileges include GET, PUT, POST, PATCH, and DELETE.
Note: Endpoint privileges vary. Some endpoints, such as alert and audit, only have the Read privilege. Other endpoints, such as the URL list/file endpoint, offer both Read and Read+Write. The feed only reads logs, so Read is sufficient for every endpoint it uses.
Click Save.
A confirmation box opens showing whether the token creation was successful.
Click Copy Token and save it securely for later use in the API Authentication header.
Note: The only opportunity to copy the token is immediately after you create it; if you lose it, create a new token. The token authenticates every API request the feed makes, so store it in a secrets manager and treat it like a password.
Set up feeds
To configure a feed, follow these steps:
Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, Netskope Alert Logs v2.
Select Third party API as the Source type.
Select Netskope V2 as the Log type.
Click Next.
Specify values for the following input parameters:
Authentication HTTP Header: the token generated previously, entered in the form Netskope-Api-Token:<value> exactly as shown (for example, Netskope-Api-Token:AAAABBBBCCCC111122223333).
API Hostname: the FQDN (fully qualified domain name) of your Netskope REST API endpoint, without a scheme or path (for example, myinstance.goskope.com).
API Endpoint: enter alerts.
Content Type: the alert type to ingest. Allowed values for alerts are uba, securityassessment, quarantine, remediation, policy, malware, malsite, compromisedcredential, ctep, dlp, and watchlist.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.
Optional: Add a feed configuration to ingest Netskope Event logs v2
Go to SIEM Settings > Feeds.
Click Add new feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Netskope Event Logs v2).
Select Third party API as the Source type.
Select Netskope V2 as the Log type.
Click Next.
Specify values for the following input parameters:
Authentication HTTP Header: the same token generated previously, entered in the form Netskope-Api-Token:<value>. The Netskope REST API v2 uses a single token for the alert and event endpoints; make sure the token was granted the event endpoints you intend to ingest.
API Hostname: the FQDN (fully qualified domain name) of your Netskope REST API endpoint (for example, myinstance.goskope.com).
API Endpoint: enter events.
Content Type: the event type to ingest. Allowed values for events are application, audit, connection, incident, infrastructure, network, and page.
Asset namespace: the asset namespace to apply to events from this feed.
Ingestion labels: the label applied to the events from this feed.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.
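Before submitting either feed, it is worth confirming that the four parameters are in the form the feed expects and that the token really has Read access to the endpoint it will be polled against; a token that works for one alert type can still return 403 for an event type that was not added under Add Endpoint. The script below is an added example written for this page, not Google SecOps or Netskope code. It checks the Authentication HTTP Header, API Hostname, API Endpoint and Content Type values offline against the formats and allowed lists documented above, and can then send a single authenticated GET to the tenant. The request targets Netskope's REST API v2 data export (iterator) endpoint, /api/v2/events/dataexport/{alerts|events}/<type>; that this is the endpoint the feed reads from is an assumption of the example, as are the throwaway iterator name secops-preflight (chosen so the probe does not disturb any iterator the feed itself may keep) and the helper names.

```python
"""Pre-flight check for a Google SecOps 'Netskope V2' feed (added example).

Validates the feed parameters offline, then optionally sends one GET with the
token to Netskope's data export endpoint to confirm the token is valid and has
Read access there. Assumptions (not from the Google or Netskope docs): the feed
reads /api/v2/events/dataexport/<endpoint>/<type>; 'secops-preflight' is a
throwaway iterator name used only by this probe.

Usage: python3 preflight.py 'Netskope-Api-Token:<token>' myinstance.goskope.com alerts dlp
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Allowed Content Type values per API Endpoint, as listed in the feed documentation.
ALLOWED_CONTENT_TYPES = {
    "alerts": {"uba", "securityassessment", "quarantine", "remediation", "policy", "malware",
               "malsite", "compromisedcredential", "ctep", "dlp", "watchlist"},
    "events": {"application", "audit", "connection", "incident", "infrastructure", "network", "page"},
}
HEADER_NAME = "Netskope-Api-Token"
# Strict: mirrors the documented example Netskope-Api-Token:AAAABBBBCCCC111122223333 (no spaces).
_HEADER_RE = re.compile(rf"^{HEADER_NAME}:([^\s:]+)$")
# A bare FQDN: dot-separated labels, no scheme, port or path.
_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def parse_auth_header(header: str) -> str:
    """Return the bare token from the feed's 'Netskope-Api-Token:<value>' string."""
    m = _HEADER_RE.match(header.strip())
    if not m:
        raise ValueError(f"Authentication HTTP Header must be '{HEADER_NAME}:<token>'")
    return m.group(1)


def validate_hostname(host: str) -> str:
    """Accept only a bare FQDN such as myinstance.goskope.com (lower-cased)."""
    host = host.strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError("API Hostname must be a bare FQDN such as myinstance.goskope.com")
    return host


def validate_content_type(endpoint: str, content_type: str) -> str:
    """Check that content_type is one the feed accepts for 'alerts' or 'events'."""
    if endpoint not in ALLOWED_CONTENT_TYPES:
        raise ValueError("API Endpoint must be 'alerts' or 'events'")
    ct = content_type.strip().lower()
    if ct not in ALLOWED_CONTENT_TYPES[endpoint]:
        raise ValueError(f"'{ct}' is not a valid Content Type for {endpoint}")
    return ct


def export_url(host: str, endpoint: str, content_type: str, index: str = "secops-preflight") -> str:
    """Build the data export URL the feed is assumed to read from (operation=head: oldest data)."""
    host = validate_hostname(host)
    ct = validate_content_type(endpoint, content_type)
    query = urllib.parse.urlencode({"index": index, "operation": "head"})
    return f"https://{host}/api/v2/events/dataexport/{endpoint}/{ct}?{query}"


def probe(header: str, host: str, endpoint: str, content_type: str, timeout: float = 15) -> dict:
    """One authenticated GET; the dict says what the HTTP status implies for the feed."""
    token = parse_auth_header(header)
    url = export_url(host, endpoint, content_type)
    req = urllib.request.Request(url, headers={HEADER_NAME: token, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8") or "{}")
            return {"ok": True, "status": resp.status, "records": len(body.get("result", []))}
    except urllib.error.HTTPError as e:
        hint = {401: "token invalid or expired",
                403: "token lacks Read privilege on this endpoint (check Add Endpoint)",
                429: "rate limited; retry later"}.get(e.code, "unexpected status")
        return {"ok": False, "status": e.code, "hint": hint}
    except urllib.error.URLError as e:  # DNS, TLS or connectivity failure
        return {"ok": False, "status": None, "hint": f"connection failed: {e.reason}"}


def check_feed_params(params: dict) -> list:
    """Validate a feed form's parameters offline; returns the list of problems (empty = good)."""
    problems = []
    for name, fn, args in (
        ("Authentication HTTP Header", parse_auth_header, (params.get("auth_header", ""),)),
        ("API Hostname", validate_hostname, (params.get("hostname", ""),)),
        ("Content Type", validate_content_type, (params.get("endpoint", ""), params.get("content_type", ""))),
    ):
        try:
            fn(*args)
        except ValueError as e:
            problems.append(f"{name}: {e}")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("usage: preflight.py 'Netskope-Api-Token:<token>' <hostname> <alerts|events> <content_type>")
    params = dict(zip(("auth_header", "hostname", "endpoint", "content_type"), sys.argv[1:]))
    print(check_feed_params(params) or probe(*sys.argv[1:]))
```

Run it once per content type you plan to ingest, because Netskope grants endpoint privileges individually: a 401 means the token is wrong or expired, a 403 means that specific endpoint was not added to the token, and a 200 with zero records still proves the token and endpoint are usable.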