Netskope

Netskope is a cloud security platform that identifies a variety of events related to cloud service usage and malware events. InsightIDR supports the following alert and event types from Netskope, via Syslog:

  • Anomaly
  • DLP
  • Malware
  • Policy
  • Compromised Credential
  • Malsite
  • Quarantine
  • Remediation
  • Security Assessment
  • Application
  • Page
  • Audit
  • Network

To set up Netskope:

  1. Review Before you Begin and note any requirements.
  2. Set up the event source in InsightIDR.
  3. Verify the configuration works.

Before you begin

Netskope’s integration with Insight IDR is enabled by Cloud Logs Shipper, which pulls logs from their APIs and forwards them via Syslog, in CEF format. In order to configure this event source, you will need to contact the Netskope account team to get Cloud Log Shipper.

Set up Netskope in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Third Party Alerts section, click the Netskope icon. The Add Event Source panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. If you are sending additional events beyond alerts, select the unparsed logs checkbox.
  6. Select an attribution source.
  7. Specify an unused port on the Collector that can receive forwarded Netskope events.
  8. Choose the protocol you used when setting up Netskope. TCP is their default protocol.
  9. Click Save.

Attribution source options

Netskope product logs can contain information about hosts and accounts. When setting up Netskope as an event source, you will have the ability to specify the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  1. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  1. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  1. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name. Netskope logs flow into the following Log Sets:
  • Third Party Alerts
  • Web Proxy Activity
  • Virus Alert
  • Virus Infection
  • Ingress Authentication
  • Firewall Activity
  1. Next, click Log Search in the left menu to make sure Netskope events are coming through.

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Alerts generated by InsightIDR

InsightIDR generates the following built-in UBA alerts for this event source:

  • Account visits suspicious link
  • First ingress authentication from country
  • Harvested credentials
  • Ingress from account whose password never expires
  • Ingress from community threat
  • Ingress from disabled account
  • Ingress from domain admin
  • Ingress from service account
  • Ingress from threat
  • Multiple country authentications
  • Network access for threat
  • Spear phishing URL detected
  • Third party alert - netskope
  • Virus alert

Sample Logs

Here are some sample Netskope events as they appear in InsightIDR log search.

Anomaly

JSON
1
T1590588553258 <14>May 27 14:09:19 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|anomaly|proximity|High|anomalyEventType=proximity cci=89 ccl=high dst=104.18.103.56
2
requestClientApplication=Box sourceServiceName=Box src=173.75.129.162 suser=name@email.com timestamp=1590527456 url=mynetskopedemo.app.box.com

DLP

JSON
1
T1590588539708 <14>May 27 14:09:06 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|DLP|[Context DLP] Low Severity PII Warn|Low|accessMethod=Client act=Upload
2
appcategory=Cloud Storage browser=Chrome cci=94 ccl=excellent device=Mac Device deviceClassification=managed deviceExternalId=A89D093B-44A0-A5E5-50B7-98EDD6E0ABF0
3
dlpFile=PII - Match Count 14.xlsx dlpIncidentId=6975643144850582428 dlpProfile=Low Severity - Personally Identifiable Information dlpRule=Low-Sev-US-SSN-Name
4
dlpRuleCount=14 dst=13.107.136.9 fsize=10697 hostname=Matt MacBook Pro instanceId=mynetskopedemo managementId=A1DB28E458555C0FB7B800AC6BD4F9C0
5
md5=992305e037f6560df0d1b8500baed1df object=PII - Match Count 14.xlsx os=Catalina policy=[Context DLP] Low Severity PII Warn requestClientApplication=Microsoft
6
Office 365 OneDrive for Business sha256=856ed8085753868e162e9883381104bfedaa3f7781a0b518136686feecad9488 sourceServiceName=Microsoft Office 365 OneDrive for
7
Business src=162.230.81.248 suser=name@email.com timestamp=1590585443 url=mynetskopedemo
8
my.sharepoint.com/personal/netskopese_mynetskopedemo_com/_api/web/GetFolderById(@a1)/Files/AddUsingPath(DecodedUrl\=@a2,overwrite\=@a3,AutoCheckoutOnInvalidData\=
9
a4)

Malware

JSON
1
T1590588648155 <14>May 27 14:10:54 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|Malware|Gen.Malware.Detect.By.StHeur|High|accessMethod=Client act=Download
2
action=Detection appcategory=n/a browser=Chrome cci=null ccl=unknown device=Windows Device dst=216.239.38.21 fsize=302 md5=87922cbc19d3e0def4d13aa5467fa9b2
3
mwDetectionEngine=Netskope Advanced Heuristic Analysis mwDetectionName=Gen.Malware.Detect.By.StHeur mwDetectionType=Virus mwId=24cd26f41427b1d1fb4d69e9b121932e
4
mwScannerResult=malicious mwType=Virus object=6 os=Windows 10 referer=http://netskopesecuritycheck.com/ requestClientApplication=netskopesecuritycheck
5
sourceServiceName=netskopesecuritycheck src=204.195.59.80 suser=name@email.com timestamp=1590523425 url=netskopesecuritycheck.com/tests/execute/6

Policy

JSON
1
T1590588533255 <14>May 27 14:08:59 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|policy|[AccessControl] - Block Login to non-sanctioned SaaS
2
instances|accessMethod=Client act=Login Attempt action=block appcategory=Cloud Storage browser=Chrome device=Mac Device deviceClassification=managed
3
deviceExternalId=A89D093B-44A0-A5E5-50B7-98EDD6E0ABF0 dst=162.125.3.1 hostname=Matt MacBook Pro managementId=A1DB28E458555C0FB7B800AC6BD4F9C0 os=Catalina policy
4
[AccessControl] - Block Login to non-sanctioned SaaS instances referer=https://www.dropbox.com/login?src\=logout requestClientApplication=Dropbox
5
sourceServiceName=Dropbox src=162.230.81.248 suser=name@email.com timestamp=1590586365 url=www.dropbox.com/ajax_login

Compromised Credential

JSON
1
2020-09-11T15:27:07+00:00 ip-10-0-0-87 CEF: 0|Netskope|qadp01|NULL|Compromised Credential|ExploitIN 800M - Part 25|Low|ccBreachDate=1592438400
2
ccBreachMediaReferences=null ccBreachScore=40 ccEmailSource=CSV ccMatchedUsername=name@email.com timestamp=1599133208

Malsite

JSON
1
<14>Jun 05 16:22:49 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|malsite|mtron.in|Medium|accessMethod=Client action=block appcategory=Prohibited Websites
2
browser=Chrome device=Windows Device deviceClassification=unmanaged dst=45.114.142.143 hostname=IP-C0A84625 ms_app_session_id=3134360458668230443 ms_category
3
['Phish Site'] ms_id=108cc1176c66dd0f59e718fc ms_malicious=yes ms_match_field=domain ms_page=mtron.in/images/favicon.ico os=Windows Server 2016 policy
4
[NetskopeForWeb] Block sites that violate AUP sourceServiceName=mtron src=35.167.150.121 suser=name@email.com.com timestamp=1591373686
5
url=mtron.in/images/favicon.ico

Quarantine

JSON
1
T1590588648735 <14>May 27 14:10:55 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|quarantine|DICOM Detection|High|accessMethod=Client act=Upload appcategory=Cloud
2
Storage browser=Chrome cci=80 ccl=high device=Mac Device deviceClassification=managed deviceExternalId=1A5E8B7E-1D18-0B21-1164-829450AFD1F9 dst=162.125.2.6
3
fsize=15774 hostname=Ashutosh\\u2019s MacBook Pro 15 managementId=0E6ADAF5E61B51D4A37C534071F9EC84 md5=8ac692ef2cc78adfc523188e54d52933 object=PII SSN Large
4
v3.xlsx os=Mojave policy=DICOM Detection q_transaction_id=3021013883821793546 requestClientApplication=Dropbox sourceServiceName=Dropbox src=73.92.72.30
5
suser=name@email.com timestamp=1588884900

Remediation

JSON
1
T1590588547021 <14>May 27 14:09:13 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|Remediation|null|High|accessMethod=API Connector act=Introspection Scan action=alert
2
appcategory=Cloud Storage cci=94 ccl=excellent dst=13.107.136.9 fsize=46744 md5=ab9bb7c4b0f50907f5b30e4b1a9d9be1 mimeType=application/octet-stream
3
mwDetectionName=Win64.Hacktool.Mimikatz mwId=be3983498cc7a1c021f87b185e99ece4 object=C.exe r_app_session_id=116085447250174 requestClientApplication=Microsoft
4
Office 365 OneDrive for Business sourceServiceName=Microsoft Office 365 OneDrive for Business suser=name@email.com timestamp=1588952849
5
url=https://mynetskopedemo-my.sharepoint.com/personal/netskopese_mynetskopedemo_com/Documents/MYee/Threats/C.exe

Security Assessment

JSON
1
<14>Apr 17 13:03:08 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|Security Assessment|PCI-AWS \| 10.2.4 Implement automated audit trails for all system components : S3
2
Buckets Lack Versioning|High|accessMethod=API Connector act=Introspection Scan action=alert appcategory=IaaS/PaaS browser=unknown cci=96 ccl=excellent
3
instanceId=MynetskopeDemo AWS object=scarberry os=unknown policy=AWS CSA Scanning requestClientApplication=Amazon Web Services sa_account_id=332671050434
4
sa_asset_object_id=54e4130facd45c5394a876c9 sa_asset_tags=null sa_profile_name=PCI-DSS v3.2.1 (AWS) sa_rule_name=PCI-AWS | 10.2.4 Implement automated audit trails
5
for all system components : S3 Buckets Lack Versioning sa_rule_remediation=<html>\\n <body>\\n <b>Perform the following to configure S3 Bucket Versioning </b>\\n
6
<b> Via CLI </b>\\n <p>Replace <bucket_name> with respective AWS S3 Bucket</p>\\n <p>aws s3api put-bucket-versioning --bucket <bucket_name> -
7
versioning-configuration {"Status":"Enabled"} </p>\\n</body>\\n</html>\\n sourceServiceName=Amazon Web Services suser=name@email.com timestamp=1586996613

Application

JSON
1
2020-09-11T15:28:47+00:00 ip-10-0-0-87 CEF: 0|Netskope|sedemo|NULL|application|NULL|Unknown|appSessionId=4127238491198687592 appcategory=Collaboration 
2
browser=Native cci=87 ccl=high device=Mac Device dst=54.87.197.95 os=Catalina requestClientApplication=Slack sourceServiceName=Slack src=73.246.13.110 
3
suser=name@email.com timestamp=1599837613 url=netskope.slack.com/api/chat.postMessage

Page

JSON
1
<14>Apr 17 13:03:18 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|page|NULL|Unknown|appcategory=Security browser=Chrome cci=null ccl=unknown clientBytes=277637 
2
device=Windows Device dst=176.32.118.124 os=Windows 10 page=us-west-1.console.aws.amazon.com/ec2/v2/home pageEndtime=1587125569 pageId=1356694626260201523 
3
pageStarttime=1587125518 requestClientApplication=AWS KMS serverBytes=314509 sourceServiceName=AWS KMS src=139.167.149.156 suser=name@email.com 
4
timestamp=1587125503 url=us-west-1.console.aws.amazon.com/ec2/v2/home

Audit

JSON
1
2020-09-11T15:29:12+00:00 ip-10-0-0-87 CEF: 0|Netskope|qadp01|NULL|audit|NULL|Low|auditLogEvent=Logout Successful auditType=admin_audit_logs 
2
suser=name@email.com timestamp=1599837436

Network

JSON
1
2020-09-11T15:29:44+00:00 ip-10-0-0-87 CEF: 0|Netskope|qadp01|NULL|network|NULL|Unknown|action=allow cci=null ccl=unknown clientBytes=1891 clientPackets=2 
2
device=Windows dpt=443 dst=null end=2020-09-10T15:21:59+00:00 networkSessionId=1495164501 os=Windows osVersion=10.0 (2004) policy=DWalker NPA Google proto=Http 
3
requestClientApplication=172.217.7.206 requestMethod=Client serverBytes=2308 serverPackets=4 sessionDuration=259 s shost=ns-8127.us-sjc1.npa.goskope.com 
4
sourceServiceName=172.217.7.206 spt=16 src=10.120.109.64 start=2020-09-10T15:17:40+00:00 suser=name@email.com timestamp=1599751379 trafficType=PrivateApp 
5
tunnelId=1495164501 tunnelType=NPA tunnelUpTime=259