Netskope SSE Integration Guide
The Netskope SSE platform protects against advanced and cloud-enabled threats and safeguards data across any cloud, any app and any user.
The following instructions are for configuring Netskope to facilitate log ingestion into Secureworks® Taegis™ XDR.
Connectivity Requirements
Source | Destination | Port/Protocol |
---|---|---|
Cloud Log Shipper | Taegis™ XDR Collector (mgmt IP) | TCP/601 |
Netskope Requirements
The XDR integration with Netskope requires Netskope’s Cloud Log Shipper, which is part of Netskope’s Cloud Exchange, a free download. The Cloud Log Shipper pulls logs from Netskope’s APIs and forwards them via Syslog, in CEF format.
Data Provided from Integration
The following Netskope event types (and their associated XDR schemas) are normalized.
Note
Netskope event types not listed below can be searched in XDR as generic events.
- Audit (Auth)
- Compromised Credential (Thirdparty)
- Connection (Http)
- Malsite (Http)
- Malware (Antivirus)
- Network (Netflow)
- Policy (Nids)
- Remediation (Antivirus)
- UBA (Thirdparty)
- Watchlist (Thirdparty)
- WebTX (Http)
Data Source | Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Netskope | V | Y | | | | | D | | D | V | | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configure the Netskope Cloud Log Shipper
Follow the instructions in the Netskope documentation for the Log Shipper Module. The Syslog Defaults Mapping is the mapping used for the XDR integration.
Choose the following options:
Option | Required Value |
---|---|
Plugin | Syslog |
Mapping | Syslog Defaults Mapping |
Enter the following information:
Option | Required Value |
---|---|
Syslog Server | XDR Collector (mgmt IP) |
Syslog Protocol | TCP |
Syslog Port | 601 |
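A receiver-side check of the feed configured above, added here as an example (it is not Netskope's or Secureworks' code): it parses a CEF record of the kind the Cloud Log Shipper forwards over syslog, honouring CEF's backslash escaping, and maps the Netskope event type to the XDR schema listed under Data Provided from Integration, falling back to generic for unlisted types. It assumes the event type is carried in the CEF Name header field; the sample lines are constructed, not captured output.

```python
import re

# Netskope event type -> XDR schema, as listed under "Data Provided from Integration".
EVENT_TYPE_TO_SCHEMA = {
    "audit": "auth", "compromised credential": "thirdparty", "connection": "http",
    "malsite": "http", "malware": "antivirus", "network": "netflow", "policy": "nids",
    "remediation": "antivirus", "uba": "thirdparty", "watchlist": "thirdparty", "webtx": "http"}
HEADER = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
UNESCAPE = {"n": "\n", "r": "\r"}  # other escaped chars ('|', '=', '\\') stand for themselves
# Constructed sample lines in the shape the Log Shipper's syslog/CEF output is assumed to take.
SAMPLE_LINES = [
    "<14>Jan 01 12:00:00 logshipper CEF:0|Netskope|Netskope CLS|1.0|malsite|Malsite|7|"
    "src=10.0.0.5 suser=alice@example.com msg=Blocked URL category\\=Malware",
    "<14>Jan 01 12:00:01 logshipper CEF:0|Netskope|Netskope CLS|1.0|app|Application|3|act=allow"]

def split_cef_header(payload):
    """Split the seven pipe-delimited header fields; a backslash escapes the next char."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):  # escaped '|' or '\' belongs to the field
            cur.append(payload[i + 1])
            i += 1
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return dict(zip(HEADER, fields)), payload[i:]  # remainder is the extension

def parse_extension(ext):
    """Parse 'key=value' pairs whose values may contain spaces and '\\=' escapes."""
    pairs = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip()):
        key, sep, raw = token.partition("=")
        if sep:
            pairs[key] = re.sub(r"\\(.)", lambda m: UNESCAPE.get(m.group(1), m.group(1)), raw)
    return pairs

def parse_netskope_cef(line):
    """Return header, extension and the XDR schema the event type normalizes to."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in syslog line")
    header, ext = split_cef_header(line[idx + 4:])
    schema = EVENT_TYPE_TO_SCHEMA.get(header["name"].lower(), "generic")  # unlisted -> generic
    return {"header": header, "extension": parse_extension(ext), "schema": schema}
```

Running `parse_netskope_cef` over `SAMPLE_LINES` yields `http` for the Malsite record and `generic` for the Application record, matching the note that unlisted event types are searchable only as generic events.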
Advanced Search using the Query Language
Netskope Advanced Search
Example Query Language Searches
To search for auth events from the last 24 hours:
`FROM auth WHERE sensor_type = 'Netskope' and EARLIEST=-24h`
To search for nids events:
`FROM nids WHERE sensor_type = 'Netskope'`
To search for http events that were classified by Netskope as "malsite":
`FROM http WHERE sensor_type = 'Netskope' AND original_data CONTAINS 'malsite'`
To search for antivirus events that were classified by Netskope as "TROJAN":
`FROM antivirus WHERE sensor_type = 'Netskope' AND threat_category = 'TROJAN'`
Event Details
Netskope Event Details