Netskope

Netskope is a cloud security platform that identifies a variety of events related to cloud service usage and malware events. InsightIDR supports the following alert and event types from Netskope, via Syslog:

  • Anomaly
  • DLP
  • Malware
  • Policy
  • Compromised Credential
  • Malsite
  • Quarantine
  • Remediation
  • Security Assessment
  • Application
  • Page
  • Audit
  • Network

To set up Netskope:

  1. Review Before you Begin and note any requirements.
  2. Set up the event source in InsightIDR.
  3. Verify the configuration works.

Before you begin

Netskope’s integration with Insight IDR is enabled by Cloud Logs Shipper, which pulls logs from their APIs and forwards them via Syslog, in CEF format. In order to configure this event source, you will need to contact the Netskope account team to get Cloud Log Shipper.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Netskope in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Netskope event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. If you are sending additional events beyond alerts, select the unparsed logs checkbox.
  6. Select an attribution source.
  7. Specify an unused port on the Collector that can receive forwarded Netskope events.
  8. Choose the protocol you used when setting up Netskope. TCP is their default protocol.
  9. Click Save.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name. Netskope logs flow into the following Log Sets:
  • Third Party Alerts
  • Web Proxy Activity
  • Virus Alert
  • Virus Infection
  • Ingress Authentication
  • Firewall Activity
  1. Next, click Log Search in the left menu to make sure Netskope events are coming through.
⚠️

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Legacy detection rules

InsightIDR supports the following legacy detection rules for this event source:

  • Account visits suspicious link
  • First ingress authentication from country
  • Harvested credentials
  • Ingress from account whose password never expires
  • Ingress from community threat
  • Ingress from disabled account
  • Ingress from domain admin
  • Ingress from service account
  • Ingress from threat
  • Multiple country authentications
  • Network access for threat
  • Spear phishing URL detected
  • Third party alert - netskope
  • Virus alert

Sample Logs

Here are some sample Netskope events as they appear in InsightIDR log search.

Anomaly

T1590588553258 <14>May 27 14:09:19 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|anomaly|proximity|High|anomalyEventType=proximity cci=89 ccl=high dst=104.18.103.56
requestClientApplication=Box sourceServiceName=Box src=173.75.129.162 suser=name@email.com timestamp=1590527456 url=mynetskopedemo.app.box.com

DLP

T1590588539708 <14>May 27 14:09:06 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|DLP|[Context DLP] Low Severity PII Warn|Low|accessMethod=Client act=Upload
appcategory=Cloud Storage browser=Chrome cci=94 ccl=excellent device=Mac Device deviceClassification=managed deviceExternalId=A89D093B-44A0-A5E5-50B7-98EDD6E0ABF0
dlpFile=PII - Match Count 14.xlsx dlpIncidentId=6975643144850582428 dlpProfile=Low Severity - Personally Identifiable Information dlpRule=Low-Sev-US-SSN-Name
dlpRuleCount=14 dst=13.107.136.9 fsize=10697 hostname=Matt MacBook Pro instanceId=mynetskopedemo managementId=A1DB28E458555C0FB7B800AC6BD4F9C0
md5=992305e037f6560df0d1b8500baed1df object=PII - Match Count 14.xlsx os=Catalina policy=[Context DLP] Low Severity PII Warn requestClientApplication=Microsoft
Office 365 OneDrive for Business sha256=856ed8085753868e162e9883381104bfedaa3f7781a0b518136686feecad9488 sourceServiceName=Microsoft Office 365 OneDrive for
Business src=162.230.81.248 suser=name@email.com timestamp=1590585443 url=mynetskopedemo
my.sharepoint.com/personal/netskopese_mynetskopedemo_com/_api/web/GetFolderById(@a1)/Files/AddUsingPath(DecodedUrl\=@a2,overwrite\=@a3,AutoCheckoutOnInvalidData\=
a4)

Malware

T1590588648155 <14>May 27 14:10:54 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|Malware|Gen.Malware.Detect.By.StHeur|High|accessMethod=Client act=Download
action=Detection appcategory=n/a browser=Chrome cci=null ccl=unknown device=Windows Device dst=216.239.38.21 fsize=302 md5=87922cbc19d3e0def4d13aa5467fa9b2
mwDetectionEngine=Netskope Advanced Heuristic Analysis mwDetectionName=Gen.Malware.Detect.By.StHeur mwDetectionType=Virus mwId=24cd26f41427b1d1fb4d69e9b121932e
mwScannerResult=malicious mwType=Virus object=6 os=Windows 10 referer=http://netskopesecuritycheck.com/ requestClientApplication=netskopesecuritycheck
sourceServiceName=netskopesecuritycheck src=204.195.59.80 suser=name@email.com timestamp=1590523425 url=netskopesecuritycheck.com/tests/execute/6

Policy

T1590588533255 <14>May 27 14:08:59 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|policy|[AccessControl] - Block Login to non-sanctioned SaaS
instances|accessMethod=Client act=Login Attempt action=block appcategory=Cloud Storage browser=Chrome device=Mac Device deviceClassification=managed
deviceExternalId=A89D093B-44A0-A5E5-50B7-98EDD6E0ABF0 dst=162.125.3.1 hostname=Matt MacBook Pro managementId=A1DB28E458555C0FB7B800AC6BD4F9C0 os=Catalina policy
[AccessControl] - Block Login to non-sanctioned SaaS instances referer=https://www.dropbox.com/login?src\=logout requestClientApplication=Dropbox
sourceServiceName=Dropbox src=162.230.81.248 suser=name@email.com timestamp=1590586365 url=www.dropbox.com/ajax_login

Compromised Credential

2020-09-11T15:27:07+00:00 ip-10-0-0-87 CEF: 0|Netskope|qadp01|NULL|Compromised Credential|ExploitIN 800M - Part 25|Low|ccBreachDate=1592438400
ccBreachMediaReferences=null ccBreachScore=40 ccEmailSource=CSV ccMatchedUsername=name@email.com timestamp=1599133208

Malsite

<14>Jun 05 16:22:49 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|malsite|mtron.in|Medium|accessMethod=Client action=block appcategory=Prohibited Websites
browser=Chrome device=Windows Device deviceClassification=unmanaged dst=45.114.142.143 hostname=IP-C0A84625 ms_app_session_id=3134360458668230443 ms_category
['Phish Site'] ms_id=108cc1176c66dd0f59e718fc ms_malicious=yes ms_match_field=domain ms_page=mtron.in/images/favicon.ico os=Windows Server 2016 policy
[NetskopeForWeb] Block sites that violate AUP sourceServiceName=mtron src=35.167.150.121 suser=name@email.com.com timestamp=1591373686
url=mtron.in/images/favicon.ico

Quarantine

T1590588648735 <14>May 27 14:10:55 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|quarantine|DICOM Detection|High|accessMethod=Client act=Upload appcategory=Cloud
Storage browser=Chrome cci=80 ccl=high device=Mac Device deviceClassification=managed deviceExternalId=1A5E8B7E-1D18-0B21-1164-829450AFD1F9 dst=162.125.2.6
fsize=15774 hostname=Ashutosh\\u2019s MacBook Pro 15 managementId=0E6ADAF5E61B51D4A37C534071F9EC84 md5=8ac692ef2cc78adfc523188e54d52933 object=PII SSN Large
v3.xlsx os=Mojave policy=DICOM Detection q_transaction_id=3021013883821793546 requestClientApplication=Dropbox sourceServiceName=Dropbox src=73.92.72.30
suser=name@email.com timestamp=1588884900

Remediation

T1590588547021 <14>May 27 14:09:13 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|Remediation|null|High|accessMethod=API Connector act=Introspection Scan action=alert
appcategory=Cloud Storage cci=94 ccl=excellent dst=13.107.136.9 fsize=46744 md5=ab9bb7c4b0f50907f5b30e4b1a9d9be1 mimeType=application/octet-stream
mwDetectionName=Win64.Hacktool.Mimikatz mwId=be3983498cc7a1c021f87b185e99ece4 object=C.exe r_app_session_id=116085447250174 requestClientApplication=Microsoft
Office 365 OneDrive for Business sourceServiceName=Microsoft Office 365 OneDrive for Business suser=name@email.com timestamp=1588952849
url=https://mynetskopedemo-my.sharepoint.com/personal/netskopese_mynetskopedemo_com/Documents/MYee/Threats/C.exe

Security Assessment

<14>Apr 17 13:03:08 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|Security Assessment|PCI-AWS \| 10.2.4 Implement automated audit trails for all system components : S3
Buckets Lack Versioning|High|accessMethod=API Connector act=Introspection Scan action=alert appcategory=IaaS/PaaS browser=unknown cci=96 ccl=excellent
instanceId=MynetskopeDemo AWS object=scarberry os=unknown policy=AWS CSA Scanning requestClientApplication=Amazon Web Services sa_account_id=332671050434
sa_asset_object_id=54e4130facd45c5394a876c9 sa_asset_tags=null sa_profile_name=PCI-DSS v3.2.1 (AWS) sa_rule_name=PCI-AWS | 10.2.4 Implement automated audit trails
for all system components : S3 Buckets Lack Versioning sa_rule_remediation=<html>\\n <body>\\n <b>Perform the following to configure S3 Bucket Versioning </b>\\n
<b> Via CLI </b>\\n <p>Replace &lt;bucket_name&gt; with respective AWS S3 Bucket</p>\\n <p>aws s3api put-bucket-versioning --bucket &lt;bucket_name&gt; -
versioning-configuration {"Status":"Enabled"} </p>\\n</body>\\n</html>\\n sourceServiceName=Amazon Web Services suser=name@email.com timestamp=1586996613

Application

2020-09-11T15:28:47+00:00 ip-10-0-0-87 CEF: 0|Netskope|sedemo|NULL|application|NULL|Unknown|appSessionId=4127238491198687592 appcategory=Collaboration 
browser=Native cci=87 ccl=high device=Mac Device dst=54.87.197.95 os=Catalina requestClientApplication=Slack sourceServiceName=Slack src=73.246.13.110 
suser=name@email.com timestamp=1599837613 url=netskope.slack.com/api/chat.postMessage

Page

<14>Apr 17 13:03:18 ip-10-0-0-116 CEF:0|Netskope|sedemo|NULL|page|NULL|Unknown|appcategory=Security browser=Chrome cci=null ccl=unknown clientBytes=277637 
device=Windows Device dst=176.32.118.124 os=Windows 10 page=us-west-1.console.aws.amazon.com/ec2/v2/home pageEndtime=1587125569 pageId=1356694626260201523 
pageStarttime=1587125518 requestClientApplication=AWS KMS serverBytes=314509 sourceServiceName=AWS KMS src=139.167.149.156 suser=name@email.com 
timestamp=1587125503 url=us-west-1.console.aws.amazon.com/ec2/v2/home

Audit

2020-09-11T15:29:12+00:00 ip-10-0-0-87 CEF: 0|Netskope|qadp01|NULL|audit|NULL|Low|auditLogEvent=Logout Successful auditType=admin_audit_logs 
suser=name@email.com timestamp=1599837436

Network

2020-09-11T15:29:44+00:00 ip-10-0-0-87 CEF: 0|Netskope|qadp01|NULL|network|NULL|Unknown|action=allow cci=null ccl=unknown clientBytes=1891 clientPackets=2 
device=Windows dpt=443 dst=null end=2020-09-10T15:21:59+00:00 networkSessionId=1495164501 os=Windows osVersion=10.0 (2004) policy=DWalker NPA Google proto=Http 
requestClientApplication=172.217.7.206 requestMethod=Client serverBytes=2308 serverPackets=4 sessionDuration=259 s shost=ns-8127.us-sjc1.npa.goskope.com 
sourceServiceName=172.217.7.206 spt=16 src=10.120.109.64 start=2020-09-10T15:17:40+00:00 suser=name@email.com timestamp=1599751379 trafficType=PrivateApp 
tunnelId=1495164501 tunnelType=NPA tunnelUpTime=259