
Netskope SSE Integration Guide



The Netskope SSE platform protects against advanced and cloud-enabled threats and safeguards data across any cloud, any app and any user.

The following instructions are for configuring Netskope to facilitate log ingestion into Secureworks® Taegis™ XDR.

Connectivity Requirements

| Source | Destination | Port/Protocol |
|---|---|---|
| Cloud Log Shipper | Taegis™ XDR Collector (mgmt IP) | TCP/601 |

Netskope Requirements

The XDR integration with Netskope requires Netskope’s Cloud Log Shipper, which is part of Netskope’s Cloud Exchange, a free download. The Cloud Log Shipper pulls logs from Netskope’s APIs and forwards them to the XDR Collector via Syslog, in CEF format.

Data Provided from Integration

The following Netskope event types (and their associated XDR schemas) are normalized.

Note

Netskope event types not listed below can be searched in XDR as generic events.

  Antivirus Auth DHCP DNS Email Encrypt Filemod HTTP Management Netflow NIDS Process Thirdparty
Netskope V Y           D   D V   V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Netskope Cloud Log Shipper

Follow the instructions in the Netskope documentation for the Log Shipper Module. This Syslog Defaults Mapping is used for the XDR integration.

Choose the following options:

| Option | Required Value |
|---|---|
| Plugin | Syslog |
| Mapping | Syslog Defaults Mapping |

Enter the following information:

| Option | Required Value |
|---|---|
| Syslog Server | XDR Collector (mgmt IP) |
| Syslog Protocol | TCP |
| Syslog Port | 601 |
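The Cloud Log Shipper delivers each Netskope event as a CEF message inside a syslog record over TCP/601. The following added example (not Netskope or Secureworks code; all field values are constructed) builds such a record with RFC 6587 octet-counting framing, parses it back the way a collector would, and offers a `send_test_event` helper for checking reachability of the Collector port from the shipper host.

```python
import re
import socket
from datetime import datetime, timezone

CEF_HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def _escape(value, extension):
    # CEF: backslash is escaped everywhere; '|' only in the header, '=' only in extensions
    value = str(value).replace("\\", "\\\\")
    return value.replace("=", "\\=") if extension else value.replace("|", "\\|")

def build_cef(vendor, product, version, sig_id, name, severity, ext):
    header = "|".join(_escape(v, False) for v in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_escape(v, True)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"

def syslog_frame(cef_msg, hostname="log-shipper", app="netskope-cls", pri=134):
    # RFC 5424 header plus RFC 6587 octet-counting, so record boundaries survive the TCP stream
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    msg = f"<{pri}>1 {ts} {hostname} {app} - - - {cef_msg}".encode()
    return str(len(msg)).encode() + b" " + msg

def parse_cef(line):
    # collector-side view: split the 7 header fields on unescaped '|', then key=value extensions
    body = line[line.index("CEF:"):]
    fields, cur, i = [], "", 0
    while len(fields) < 7 and i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur += body[i + 1]; i += 2; continue
        if ch == "|":
            fields.append(cur); cur = ""
        else:
            cur += ch
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: %r" % line[:40])
    header = dict(zip(CEF_HEADER, fields))
    header["version"] = header["version"].split(":", 1)[1]
    ext = {}
    for token in re.split(r" (?=\w+=)", body[i:]):
        key, _, val = token.partition("=")
        ext[key] = re.sub(r"\\(.)", r"\1", val)  # undo CEF escaping
    return header, ext

def send_test_event(host, port=601, timeout=5):
    # connectivity check toward the XDR Collector: open TCP/601 and send one framed, constructed event
    frame = syslog_frame(build_cef("Netskope", "Netskope", "constructed", "test", "Connectivity test", 1,
                                   {"act": "allow", "msg": "constructed test event"}))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)
    return len(frame)
```

Run `send_test_event("<collector mgmt IP>")` from the Log Shipper host; a refused or timed-out connection points at the TCP/601 path in the connectivity table above rather than at the Netskope configuration.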

Advanced Search using the Query Language

Netskope Advanced Search

Example Query Language Searches

To search for auth events from the last 24 hours:

`FROM auth WHERE sensor_type = 'Netskope' and EARLIEST=-24h`

To search for nids events:

`FROM nids WHERE sensor_type = 'Netskope'`

To search for http events that were classified by Netskope as "malsite":

`FROM http WHERE sensor_type = 'Netskope' AND original_data CONTAINS 'malsite'`

To search for antivirus events that were classified by Netskope as "TROJAN":

`FROM antivirus WHERE sensor_type = 'Netskope' AND threat_category = 'TROJAN'`

Event Details

Netskope Event Details
