Overview

Netskope is a software company providing a computer security platform. The platform offers cloud-native solutions to businesses for data protection and defense against threats in cloud applications, cloud infrastructure, and the web.
Hunters parses this data and uses it to protect your network more comprehensively, in both the detection and investigation phases of the Hunters pipeline.

Supported data types

  • Netskope Audit Events: This data type includes events extracted from SaaS traffic and/or logs of type audit.

  • Netskope Application Events: This data type includes events extracted from SaaS traffic and/or logs of type application.

  • Netskope Alerts: This data type includes alerts generated by Netskope, including policy, DLP, and watch list alerts.

Sending data to Hunters

Prerequisites

To integrate with Hunters' API collection for Netskope, provide the following details:

  • Domain - your Netskope domain, in the format https://<DOMAIN>.goskope.com/

  • API Token - To generate an API token, in your Netskope console go to Settings -> Tools -> REST API v1 -> GENERATE NEW TOKEN

Expected Format

If you choose to collect the data yourself and deliver it to Hunters via shared storage, these are the expected formats:

Netskope Audit Events Sample
{"timestamp": 1653898407, "type": "admin_audit_logs", "user": "jhon@doe.com", "severity_level": 2, "audit_log_event": "Logout Successful", "supporting_data": {"data_type": "reason", "data_values": ["Logged out due to inactivity"]}, "organization_unit": "", "ur_normalized": "jhon@doe.com", "ccl": "unknown", "count": 1, "_insertion_epoch_timestamp": 1653898710, "_id": "1234"}
Netskope Application Events Sample
{"_id": "1234", "_insertion_epoch_timestamp": 1653904450, "access_method": "Client", "activity": "View All", "alert": "no", "app": "Slack", "app_session_id": 1234, "appcategory": "Collaboration", "browser": "Native", "browser_session_id": 1234, "category": "Collaboration", "cci": 86, "ccl": "high", "connection_id": 1234, "count": 1, "device": "Mac Device", "device_classification": "not configured", "dst_country": "DE", "dst_latitude": 8.6843, "dst_location": "Frankfurt am Main", "dst_longitude": 50.1188, "dst_region": "Hesse", "dst_timezone": "Europe/Berlin", "dst_zipcode": "60313", "dstip": "1.1.1.1", "from_user": "jhon@doe.com", "hostname": "name", "instance_id": "netskope", "managed_app": "no", "managementID": "1234", "netskope_pop": "IL", "nsdeviceuid": "F-F-F-F", "organization_unit": "", "os": "Monterey", "os_version": "Monterey", "other_categories": ["Technology", "Collaboration"], "page": "netskope.slack.com", "page_site": "Slack", "policy_id": "ID 2022-05-05 07:38:40.068446", "protocol": "HTTPS/1.1", "request_id": 1234, "sanctioned_instance": "", "severity": "unknown", "site": "Slack", "src_country": "IL", "src_latitude": 34, "src_location": "Tel Aviv", "src_longitude": 32, "src_region": "Tel Aviv", "src_time": "Mon May 05 12:53:08 2022", "src_timezone": "Asia/Jerusalem", "src_zipcode": "N/A", "srcip": "1.1.1.1", "telemetry_app": "", "timestamp": 1653904443, "traffic_type": "CloudApp", "transaction_id": 1234, "type": "nspolicy", "ur_normalized": "jhon@doe.com", "url": " ", "user": "jhon@doe.com", "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3_1) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.25.0 Chrome/98.0.4758.109 Electron/17.1.2 Safari/537.36 AppleSilicon Sonic Slack_SSB/4.25.0", "userip": "1.1.1.1", "userkey": "jhon@doe.com"}
Netskope Alerts Sample
{"_id": "1234", "_insertion_epoch_timestamp": 1653837070, "access_method": "Client", "acked": "false", "action": "block", "activity": "Browse", "alert": "yes", "alert_name": "Simulate - Block Any - Any", "alert_type": "policy", "app_session_id": 1234, "appcategory": "Uncategorized", "browser": "Chrome", "browser_version": "102.0.5005.61", "category": "Uncategorized", "cci": 0, "ccl": "unknown", "connection_id": 0, "count": 1, "device": "Mac Device", "device_classification": "not configured", "dst_country": "Israel", "dst_latitude": 33, "dst_location": "Israel", "dst_longitude": 29, "dst_region": "Gush Dan", "dst_timezone": "UTC +3", "dst_zipcode": "N/A", "dstip": "1.1.1.1", "hostname": "name", "managed_app": "no", "managementID": "12", "netskope_pop": "IL-TLV1", "notify_template": "block_page.html", "nsdeviceuid": "F-F-F-F", "organization_unit": "", "os": "Monterey", "os_version": "Monterey", "other_categories": ["Uncategorized"], "policy": "Simulate - Block Any - Any", "policy_id": "1234 2022-05-05", "protocol": "HTTPS/1.1", "request_id": 1234, "severity": "unknown", "site": "site", "src_country": "IL", "src_latitude": 33, "src_location": "Tel Aviv", "src_longitude": 34, "src_region": "Tel Aviv", "src_time": "Sun May 29 18:10:00 2022", "src_timezone": "Asia/Jerusalem", "src_zipcode": "N/A", "srcip": "1.1.1.1", "telemetry_app": "", "timestamp": 1653837064, "traffic_type": "Web", "transaction_id": 1234, "type": "nspolicy", "ur_normalized": "jhon@doe.com", "url": " ", "user": "jhon@doe.com", "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36", "userip": "1.1.1.1", "userkey": "jhon@doe.com"}
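As an added example (not Hunters' or Netskope's own code), the checker below reads raw Netskope records as JSON lines, sorts them into the three data types above and flags records that would not match the expected format before they are written to shared storage. The classification rule and the set of fields it treats as required are assumptions read off the sample records, not rules stated by Hunters.

```python
import json

# Fields each Hunters data type is expected to carry, taken from the sample
# records above. Treating them as mandatory is this validator's assumption,
# not a requirement stated by Hunters.
REQUIRED = {
    "audit": {"_id", "timestamp", "type", "user", "audit_log_event"},
    "application": {"_id", "timestamp", "type", "user", "app", "activity", "alert"},
    "alert": {"_id", "timestamp", "type", "user", "alert", "alert_type", "alert_name", "action"},
}

def classify(rec):
    """Map one raw Netskope record to a Hunters data type.

    Assumed rule, derived from the samples: audit logs carry
    type == "admin_audit_logs"; any other record with alert == "yes"
    is an alert; everything else is an application event.
    """
    if rec.get("type") == "admin_audit_logs":
        return "audit"
    if rec.get("alert") == "yes":
        return "alert"
    return "application"

def validate(line):
    """Parse one JSON line; return (data_type, problems).

    An empty problems list means the record is ready for delivery.
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg}"]
    if not isinstance(rec, dict):
        return None, ["record is not a JSON object"]
    kind, problems = classify(rec), []
    missing = REQUIRED[kind] - rec.keys()
    if missing:
        problems.append(f"missing fields: {sorted(missing)}")
    ts, ins = rec.get("timestamp"), rec.get("_insertion_epoch_timestamp")
    if not isinstance(ts, int):
        problems.append("timestamp must be an integer epoch (seconds)")
    elif isinstance(ins, int) and ins < ts:
        # Netskope inserted the record before the event occurred: clock skew
        # or a mangled field, worth flagging before it distorts a timeline.
        problems.append("_insertion_epoch_timestamp precedes timestamp")
    return kind, problems

# Constructed sample (not real data): an alert whose insertion time precedes the event time.
SKEWED = '{"_id": "1", "timestamp": 10, "type": "nspolicy", "user": "u", "alert": "yes", "alert_type": "policy", "alert_name": "x", "action": "block", "_insertion_epoch_timestamp": 5}'
```

Feeding the three sample records above to `validate` returns an empty problem list for each, so the same function can gate a collection job that writes to shared storage.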