Netskope SSE Integration Guide
The Netskope SSE platform protects against advanced and cloud-enabled threats and safeguards data across any cloud, any app and any user.
The following instructions are for configuring Netskope to facilitate log ingestion into Secureworks® Taegis™ XDR.
Connectivity Requirements
Source | Destination | Port/Protocol |
---|---|---|
Cloud Log Shipper | Taegis™ XDR Collector (mgmt IP) | TCP/601 |
Netskope Requirements
The XDR integration with Netskope requires Netskope's Cloud Log Shipper, which is part of Netskope's Cloud Exchange, a free download. The Cloud Log Shipper pulls logs from Netskope's APIs and forwards them over syslog in CEF format.
Data Provided from Integration
The following Netskope event types (and their associated XDR schemas) are normalized.
Note
Netskope event types not listed below can be searched in XDR as generic events.
- Audit (Auth)
- Compromised Credential (Thirdparty)
- Connection (Http)
- Malsite (Http)
- Malware (Antivirus)
- Network (Netflow)
- Policy (Nids)
- Remediation (Antivirus)
- UBA (Thirdparty)
- Watchlist (Thirdparty)
- WebTX (Http)
Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
---|---|---|---|
Netskope | Auth | HTTP, Netflow | Antivirus, NIDS, Thirdparty |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
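As an added example (not Secureworks or Netskope code), the parser below reads one CEF-over-syslog line of the kind the Cloud Log Shipper forwards and routes it to the XDR schema from the list above, with unlisted event types falling back to a generic event. It assumes the Netskope event type is carried in the CEF `cat` extension; the sample lines are constructed, not real Netskope output.

```python
import re

# Netskope event type -> XDR schema, exactly as listed in the section above.
EVENT_TYPE_TO_SCHEMA = {
    "audit": "auth", "compromised credential": "thirdparty", "connection": "http",
    "malsite": "http", "malware": "antivirus", "network": "netflow", "policy": "nids",
    "remediation": "antivirus", "uba": "thirdparty", "watchlist": "thirdparty", "webtx": "http",
}
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")  # an unescaped key= in the extension

def _split_header(text, n=len(HEADER_FIELDS)):
    r"""Split on the first n unescaped '|' (CEF escapes '\|' and '\\' in the header);
    the remainder is returned raw so the extension's own escapes stay intact."""
    parts, buf, i = [], [], 0
    while i < len(text) and len(parts) < n:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1]); i += 2; continue
        if ch == "|":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) < n:
        raise ValueError("CEF header has fewer than %d pipes" % n)
    return parts, text[i:]

def _parse_extension(text):
    r"""key=value pairs; values may contain spaces, and '=' inside a value is escaped as '\='."""
    keys, ext = list(_KEY.finditer(text)), {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        raw = text[cur.end():nxt.start() if nxt else len(text)].strip()
        ext[cur.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return ext

def parse_cef(line):
    """Parse one syslog line carrying a CEF record; the syslog prefix before 'CEF:' is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts, ext_text = _split_header(line[start + len("CEF:"):])
    rec = dict(zip(HEADER_FIELDS, parts))
    rec["extension"] = _parse_extension(ext_text)
    return rec

def xdr_schema_for(line):
    """Assumption: the Netskope event type travels in the CEF 'cat' extension.
    Types not in the table above are searchable in XDR only as generic events."""
    event_type = parse_cef(line)["extension"].get("cat", "").strip().lower()
    return EVENT_TYPE_TO_SCHEMA.get(event_type, "generic")

SAMPLES = [  # constructed sample lines, not real Netskope output
    "<134>Jan 01 00:00:00 cls CEF:0|Netskope|Cloud Log Shipper|1.0|alert|Malware detected|8|"
    "cat=malware suser=alice@example.com request=https://files.example/a?x\\=1 act=block",
    "<134>Jan 01 00:00:00 cls CEF:0|Netskope|Cloud Log Shipper|1.0|alert|Blocked \\| DLP rule|5|cat=policy act=block",
    "<134>Jan 01 00:00:00 cls CEF:0|Netskope|Cloud Log Shipper|1.0|event|App seen|1|cat=application app=Box",
]
```

Running `xdr_schema_for` over `SAMPLES` yields `antivirus`, `nids` and `generic`, which is a quick way to check that a Log Shipper feed is landing in the schema you expect to search.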
Configure the Netskope Cloud Log Shipper
Follow the instructions in the Netskope documentation for the Log Shipper Module. The Syslog Defaults Mapping is the mapping used for the XDR integration.
Choose the following options:
Option | Required Value |
---|---|
Plugin | Syslog |
Mapping | Syslog Defaults Mapping |
Enter the following information:
Option | Required Value |
---|---|
Syslog Server | XDR Collector (mgmt IP) |
Syslog Protocol | TCP |
Syslog Port | 601 |
Advanced Search using the Query Language
Example Query Language Searches
To search for auth events from the last 24 hours:
`FROM auth WHERE sensor_type = 'Netskope' AND EARLIEST=-24h`
To search for nids events:
`FROM nids WHERE sensor_type = 'Netskope'`
To search for http events that were classified by Netskope as "malsite":
`FROM http WHERE sensor_type = 'Netskope' AND original_data CONTAINS 'malsite'`
To search for antivirus events that were classified by Netskope as "TROJAN":
`FROM antivirus WHERE sensor_type = 'Netskope' AND threat_category = 'TROJAN'`