Netskope
Netskope is a cloud security platform that identifies a variety of events related to cloud service usage and malware events.
SIEM (InsightIDR) supports the following alert and event types from Netskope:
- Alert
- Application events
- Network events
- Page events
- Transaction events
Incidents and Endpoint events not supported
SIEM (InsightIDR) does not currently support parsing for Incidents or Endpoint event types from Netskope. Support for these event types is planned for a future release.
To set up Netskope:
- Review Before you begin and note any requirements.
- Configure Netskope to send data to SIEM InsightIDR
- Configure SIEM (InsightIDR) to collect data from the event source.
- Complete the event source configuration in AWS CloudFormation.
- Verify the configuration.
You can also:
Before you begin
Ensure these prerequisites are in place before you configure this event source:
- Record your Rapid7 user API key.
- Verify you have permission to create IAM roles in AWS.
- Confirm you have an existing Amazon S3 bucket in your AWS environment.
- See Amazon’s documentation on creating an S3 bucket .
- Ensure EventBridge notifications are enabled for your S3 bucket.
- See Amazon’s documentation on enabling EventBridge notifications .
- Ensure the S3 bucket resides in the same AWS Region as your Rapid7 tenant.
- To determine your AWS Region:
- Multi-organization users: Open the Org Switcher in the top-left corner of the Command Platform navigation bar. Locate your current organization in the dropdown. The AWS Region appears next to the organization name.
- Single-organization users: Contact your Platform Administrator to obtain your AWS Region.
- To determine your AWS Region:
Configure Netskope to send data to SIEM (InsightIDR)
Before you configure the Netskope event source in SIEM (InsightIDR), you must configure log streaming in Netskope. Proper configuration ensures that SIEM (InsightIDR) can parse and process Netskope logs without errors.
Important configuration requirements
Logs must be exported with a consistent column order and field set. Changing the field order or disabling fields can cause parsing failures or incomplete data ingestion.
To ensure successful parsing in SIEM (InsightIDR):
- Enable all fields for each exported event type.
- Preserve the default column order.
- Don’t customize or reorder CSV columns.
For detailed instructions on configuring log streaming in Netskope, refer to Netskope’s documentation:
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
Task 1: Select Netskope 2.0
- From the Command Platform main menu, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab, then click Add Event Source.
- Do one of the following:
- Search for Netskope 2.0 in the event sources search bar.
- In the Product Type filter, select Third Party Alerts.
- Select the Netskope 2.0 event source tile.
Task 2: Set up your collection method
- Name the event source. This will become the name of the log that contains the event data in Log Search.
- In the Amazon S3 bucket name field, enter the name of the Amazon S3 bucket that stores your Netskope log data.
- This field can’t be edited after you save the event source.
- Click Save and download template.
The event source is saved in SIEM and an AWS CloudFormation template is downloaded to your browser with the file name aws_s3.yml.
Complete the event source configuration in AWS CloudFormation
To complete the setup of the Netskope event source you need to create a stack in AWS CloudFormation and upload the template you downloaded while configuring the event source in SIEM.
This template:
- Creates the required IAM permissions.
- Configures the Amazon EventBridge rule to send S3 events to Rapid7.
- Provisions an Amazon SQS queue for error handling.
To run the template in AWS CloudFormation:
- Log in to AWS CloudFormation .
- Go to Stacks.
- Click Create Stack > With new resources (standard).
- Under Prepare Template, select Choose an existing template.
- Under Specify template, select Upload a template file.
- Click Choose file.
- Locate and select the
aws_s3.ymlfile you downloaded in the Configure SIEM (InsightIDR) to collect data from the event source section. - Click Next.
- Enter a name for your stack.
- Under Parameters, provide the User API key you recorded in the Before you begin section
- Click Next.
- Under Behavior on provisioning failure, select Roll back all stack resources.
- Click Next.
- Review the details and click Submit to launch your stack.
CloudFormation will then proceed to create all the resources defined in the template. See AWS’s documentation on monitoring stack progress and status of the stack creation.
Visit the third-party vendor's documentation
For the most accurate information on creating a stack in AWS CloudFormation, we recommend that you visit AWS’s documentation on creating a stack from the CloudFormation console .
Verify the configuration
Complete the following steps to view your logs and ensure events are making it to the Collector.
- From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name. Netskope logs flow into the following Log Sets:
- Third Party Alerts
- Web Proxy Activity
- Virus Alert
- Virus Infection
- Ingress Authentication
- Firewall Activity
- Next, click Log Search in the left menu to make sure Netskope events are coming through.
Logs take a minimum of 7 minutes to appear in Log Search
Note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.
Legacy detection rules
SIEM (InsightIDR) supports the following legacy detection rules for this event source:
- Account visits suspicious link
- First ingress authentication from country
- Harvested credentials
- Ingress from account whose password never expires
- Ingress from community threat
- Ingress from disabled account
- Ingress from domain admin
- Ingress from service account
- Ingress from threat
- Multiple country authentications
- Network access for threat
- Spear phishing URL detected
- Third party alert - netskope
- Virus alert
Sample Logs
Here are some sample Netskope events as they appear in SIEM (InsightIDR) log search.
Alert
_id,access_method,account_name,acked,acting_user,action,activity,act_user,alert,alert_name,s
everity,alert_source,alert_type,appcategory,appsuite,app,app_session_id,assignee,bcc,browser
,browser_session_id,server_bytes,client_bytes,cc,cci,ccl,cloud_provider,breach_id,eeml,breach
_score,connection_id,src_country,shared_credential_user,breach_date,policy_name,policy_acti
on,dst_country,dst_geoip_src,dsthost,dstip,dst_location,dstport,dst_region,dst_timezone,dst_zi
pcode,detection_engine,device,device_classification,device_sn,dlp_file,dlp_fingerprint_classific
ation,dlp_fingerprint_match,dlp_fingerprint_score,dlp_match_info,inline_dlp_match_info,dlp_inci
dent_id,dlp_parent_id,dlp_profile_name,dlp_profile,dlp_rule_count,dlp_rule,dlp_rule_severity,dl
p_rule_score,dlp_unique_count,dlp_is_unique_count,dns_profile,domain,driver,conn_duration,e
ncryption_status,conn_endtime,end_time,computer_name,executable_hash,executable_signed
,sharedType,file_category,destination_file_directory,file_exposure,file_id,file_md5,destination_fil
e_name,filename,file_origin,file_owner,destination_file_path,file_path,filepath,sha256,file_size,fi
le_type,email_from_user,from_user,app-gdpr-
level,usergroup,device_type,hostname,dinsid,incident_id,latest_incident_id,instance_id,instanc
e,instance_name,sanctioned_instance,ip_protocol,dst_latitude,src_latitude,local_md5,local_sha
1,local_sha256,loc,location,src_location,dst_longitude,src_longitude,mal_id,malware_id,mal_se
v,malware_severity,mal_type,malware_type,managed_app,managementID,vendor_id,md5,mes
sage_id,mime_type,tss_mode,product_id,modified_date,src_network,network_session_id,ur_no
rmalized,oauth,object,object_id,owner,object_type,org,organization_unit,os,os_details,os_family
,os_user_name,os_version,page,parent_id,owner_pdl,policy_name_enforced,policy,policy_vers
ion,pop_id,netskope_pop,port,web_url,connection_type,process_name,process_cert_subject,pi
d,process_path,publisher_cn,domain_ip,redirect_url,referer,region_name,src_region,region_id,i
aas_remediated,iaas_remediation_action,iaas_remediated_by,iaas_remediated_on,req,req_cnt
,request_id,resource_category,resource_group,resp,resp_cnt,risk_level_id,sa_profile_name,sa
_rule_compliance,sa_rule_name,sa_rule_severity,sender,session_duration,session_number_un
ique,serverity,severity_level,severity_id,shared_with,shared_domains,tunnel_id,smtp_status,sm
tp_to,src_geoip_src,srcip,srcport,conn_starttime,start_time,status,subject,tags,telemetry_app,th
reat_type,timestamp,src_timezone,to_user,numbytes,traffic_type,transaction_id,tss_license,two
_factor_auth,type,unc_path,nsdeviceuid,url,user,useragent,user_confidence_index,user_confid
ence_level,user_id,userip,userkey,violation,site,src_zipcode,account_id,alert_id,appact,audit_ty
pe,response_time,email_modified,email_title,subtype,event_uuid,file_cls_encrypted,fllg,file_pdl,
local_source_time,server_packets,client_packets,flpp,risk_score,suppression_count,spet,spst,t
hr,email_user,tur,total_packets,num_users,watchlist_name,custom_attr,record_type
9b541e70382603f8a79561af,Client,-,-,-,alert,Download,-,yes,-,unknown,-,-,IaaS/PaaS,-,Google
Cloud
Platform,8197115700555465165,-,-,Go,8265960451305484156,-,-,-,89,high,-,-,-,-,0,US,-,-,-,-,M
X,-,-,142.251.34.206,Queretaro,443,Queretaro,America/Mexico_City,N/A,-,Windows
Device,unmanaged,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,packages.cloud.google.com,-,-,-,-,-,-,-,-,-,Archive
and Compressed,-,-,-,-,-,-,-,-,-,-,-,-,8897,GZ
Compress,-,-,-,-,-,random_hostname.com,-,8282945461328723956,-,-,-,-,-,-,-100.38392639160
156|20.600095748901367,-121.1871|45.599899999999998,-,-,-,-,-,The
Dalles,-100.38392639160156|20.600095748901367,-121.1871|45.599899999999998,-,-,-,-,-,-,
no,-,-,ea0a15a433f438f9f678257363bf5546,-,-,-,-,-,-,-,user@example.com,-,index.gz,-,-,File,-,,
Windows Server 2016,-,Windows Server,-,Windows Server
10.0,packages.cloud.google.com/yuck/repos/google-compute-engine-
stable/index.gz,-,-,-,Unmanaged Client DLP Policy,-,-,US-
SEA2,443,-,-,-,-,-,-,-,-,-,-,-,Oregon,-,-,-,-,-,-,-,8282945461328723956,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-
,-,12.12.123.123,-,-,-,-,-,-,,-,1767948789,America/Los_Angeles,-,-,CloudApp,828294546132872
3956,-,-,nspolicy,-,00000000-0000-0000-0000-
000000000000,packages.cloud.google.com/yuck/repos/google-compute-engine-
stable/index.gz,user@example.com,Go-http-
client/1.1,-,-,-,10.0.0.10,user@example.com,-,Google Cloud
Platform,97058,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,alertApplication Event
_id,access_method,account_name,acked,acting_user,action,activity,act_user,alert,alert_name,s
everity,alert_source,alert_type,appcategory,appsuite,app,app_session_id,assignee,bcc,browser
,browser_session_id,server_bytes,client_bytes,cc,cci,ccl,cloud_provider,breach_id,eeml,breach
_score,connection_id,src_country,shared_credential_user,breach_date,policy_name,policy_acti
on,dst_country,dst_geoip_src,dsthost,dstip,dst_location,dstport,dst_region,dst_timezone,dst_zi
pcode,detection_engine,device,device_classification,device_sn,dlp_file,dlp_fingerprint_classific
ation,dlp_fingerprint_match,dlp_fingerprint_score,dlp_match_info,inline_dlp_match_info,dlp_inci
dent_id,dlp_parent_id,dlp_profile_name,dlp_profile,dlp_rule_count,dlp_rule,dlp_rule_severity,dl
p_rule_score,dlp_unique_count,dlp_is_unique_count,dns_profile,domain,driver,conn_duration,e
ncryption_status,conn_endtime,end_time,computer_name,executable_hash,executable_signed
,sharedType,file_category,destination_file_directory,file_exposure,file_id,file_md5,destination_fil
e_name,filename,file_origin,file_owner,destination_file_path,file_path,filepath,sha256,file_size,fi
le_type,email_from_user,from_user,app-gdpr-
level,usergroup,device_type,hostname,dinsid,incident_id,latest_incident_id,instance_id,instanc
e,instance_name,sanctioned_instance,ip_protocol,dst_latitude,src_latitude,local_md5,local_sha
1,local_sha256,loc,location,src_location,dst_longitude,src_longitude,mal_id,malware_id,mal_se
v,malware_severity,mal_type,malware_type,managed_app,managementID,vendor_id,md5,mes
sage_id,mime_type,tss_mode,product_id,modified_date,src_network,network_session_id,ur_no
rmalized,oauth,object,object_id,owner,object_type,org,organization_unit,os,os_details,os_family
,os_user_name,os_version,page,parent_id,owner_pdl,policy_name_enforced,policy,policy_vers
ion,pop_id,netskope_pop,port,web_url,connection_type,process_name,process_cert_subject,pi
d,process_path,publisher_cn,domain_ip,redirect_url,referer,region_name,src_region,region_id,i
aas_remediated,iaas_remediation_action,iaas_remediated_by,iaas_remediated_on,req,req_cnt
,request_id,resource_category,resource_group,resp,resp_cnt,risk_level_id,sa_profile_name,sa
_rule_compliance,sa_rule_name,sa_rule_severity,sender,session_duration,session_number_un
ique,serverity,severity_level,severity_id,shared_with,shared_domains,tunnel_id,smtp_status,sm
tp_to,src_geoip_src,srcip,srcport,conn_starttime,start_time,status,subject,tags,telemetry_app,th
reat_type,timestamp,src_timezone,to_user,numbytes,traffic_type,transaction_id,tss_license,two
_factor_auth,type,unc_path,nsdeviceuid,url,user,useragent,user_confidence_index,user_confid
ence_level,user_id,userip,userkey,violation,site,src_zipcode,account_id,alert_id,appact,audit_ty
pe,response_time,email_modified,email_title,subtype,event_uuid,file_cls_encrypted,fllg,file_pdl,
local_source_time,server_packets,client_packets,flpp,risk_score,suppression_count,spet,spst,t
hr,email_user,tur,total_packets,num_users,watchlist_name,custom_attr,record_type
9658581311d83afc5e13010d,CASB API,-,-,-,-,Login Failed,-,no,-,-,-,-,Cloud Storage,-,Microsoft
Office 365 OneDrive for
Business,7218762417634559691,-,-,unknown,-,-,-,-,82,high,-,-,-,-,7218762417634559691,US,-,
-,-,-,-,-,-,-,-,-,-,-,-,-,unknown,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,
-,-,-,-,tenant.example.com,tenant.example.com,-,yes,-,-,-84.5|33.61,-,-,-,-,-,Atlanta,-,-84.5|33.61,
-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,user@example.com,-,user@example.com,-,-,User,-,-,unknown,-,-,-,-,-,-,
-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,Georgia,-,-,-,-,-,-,-,7218762417634559691,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,
-,203.0.113.50,-,-,-,-,-,-,-,-,1747208789,-,-,-,cloudapp,7218762417634559691,-,-,nspolicy,-,-,-,us
er@example.com,-,-,-,-,203.0.113.50,user@example.com,-,Microsoft Office 365 OneDrive for
Business,30349,-,-,CASB API Scan,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,applicationNetwork Event
_id,access_method,account_name,acked,acting_user,action,activity,act_user,alert,alert_name,s
everity,alert_source,alert_type,appcategory,appsuite,app,app_session_id,assignee,bcc,browser
,browser_session_id,server_bytes,client_bytes,cc,cci,ccl,cloud_provider,breach_id,eeml,breach
_score,connection_id,src_country,shared_credential_user,breach_date,policy_name,policy_acti
on,dst_country,dst_geoip_src,dsthost,dstip,dst_location,dstport,dst_region,dst_timezone,dst_zi
pcode,detection_engine,device,device_classification,device_sn,dlp_file,dlp_fingerprint_classific
ation,dlp_fingerprint_match,dlp_fingerprint_score,dlp_match_info,inline_dlp_match_info,dlp_inci
dent_id,dlp_parent_id,dlp_profile_name,dlp_profile,dlp_rule_count,dlp_rule,dlp_rule_severity,dl
p_rule_score,dlp_unique_count,dlp_is_unique_count,dns_profile,domain,driver,conn_duration,e
ncryption_status,conn_endtime,end_time,computer_name,executable_hash,executable_signed
,sharedType,file_category,destination_file_directory,file_exposure,file_id,file_md5,destination_fil
e_name,filename,file_origin,file_owner,destination_file_path,file_path,filepath,sha256,file_size,fi
le_type,email_from_user,from_user,app-gdpr-
level,usergroup,device_type,hostname,dinsid,incident_id,latest_incident_id,instance_id,instanc
e,instance_name,sanctioned_instance,ip_protocol,dst_latitude,src_latitude,local_md5,local_sha
1,local_sha256,loc,location,src_location,dst_longitude,src_longitude,mal_id,malware_id,mal_se
v,malware_severity,mal_type,malware_type,managed_app,managementID,vendor_id,md5,mes
sage_id,mime_type,tss_mode,product_id,modified_date,src_network,network_session_id,ur_no
rmalized,oauth,object,object_id,owner,object_type,org,organization_unit,os,os_details,os_family
,os_user_name,os_version,page,parent_id,owner_pdl,policy_name_enforced,policy,policy_vers
ion,pop_id,netskope_pop,port,web_url,connection_type,process_name,process_cert_subject,pi
d,process_path,publisher_cn,domain_ip,redirect_url,referer,region_name,src_region,region_id,i
aas_remediated,iaas_remediation_action,iaas_remediated_by,iaas_remediated_on,req,req_cnt
,request_id,resource_category,resource_group,resp,resp_cnt,risk_level_id,sa_profile_name,sa
_rule_compliance,sa_rule_name,sa_rule_severity,sender,session_duration,session_number_un
ique,serverity,severity_level,severity_id,shared_with,shared_domains,tunnel_id,smtp_status,sm
tp_to,src_geoip_src,srcip,srcport,conn_starttime,start_time,status,subject,tags,telemetry_app,th
reat_type,timestamp,src_timezone,to_user,numbytes,traffic_type,transaction_id,tss_license,two
_factor_auth,type,unc_path,nsdeviceuid,url,user,useragent,user_confidence_index,user_confid
ence_level,user_id,userip,userkey,violation,site,src_zipcode,account_id,alert_id,appact,audit_ty
pe,response_time,email_modified,email_title,subtype,event_uuid,file_cls_encrypted,fllg,file_pdl,
local_source_time,server_packets,client_packets,flpp,risk_score,suppression_count,spet,spst,t
hr,email_user,tur,total_packets,num_users,watchlist_name,custom_attr,record_type
f25329fb48ccdeac584b0ed7,Client,-,-,-,block,-,-,-,-,-,-,-,n/a,-,ssl,-,-,-,-,-,132,1871,-,-,-,-,-,-,-,-,US,
-,-,-,-,US,2,mtalk.google.com,142.250.99.188,Mountain
View,4321,California,-,94043,-,,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,mtalk.google.com,-,-,-,-,2026-01-
09T05:57:52+00:00,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,TCP,-122.08|37.41,-121.19|45.
6,-,-,-,-,-,The
Dalles,-122.08|37.41,-121.19|45.6,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,user@example.com,-,-,-,-,-,-,,Windo
ws Server 10.0,-,-,-,-,-,-,-,-,default,-,0X0A0F,US-
SEA2,-,-,-,-,-,-,-,-,-,-,-,-,Oregon,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,29,-,-,-,-,-,-,1136959617090588,-,-,2,12
.12.190.123,12345,-,2026-01-09T05:57:52+00:00,-,-,-,-,-,1767938272,-,-,2003,non-
web,-,-,-,network,-,-,-,user@example.com,-,-,-,-,10.0.0.10,user@example.com,-,ssl,97058,-,-,-,-
,-,-,-,-,-,-,-,-,-,3,4,-,-,-,-,-,-,-,-,7,-,-,-,networkPage Event
_id,access_method,account_name,acked,acting_user,action,activity,act_user,alert,alert_name,s
everity,alert_source,alert_type,appcategory,appsuite,app,app_session_id,assignee,bcc,browser
,browser_session_id,server_bytes,client_bytes,cc,cci,ccl,cloud_provider,breach_id,eeml,breach
_score,connection_id,src_country,shared_credential_user,breach_date,policy_name,policy_acti
on,dst_country,dst_geoip_src,dsthost,dstip,dst_location,dstport,dst_region,dst_timezone,dst_zi
pcode,detection_engine,device,device_classification,device_sn,dlp_file,dlp_fingerprint_classific
ation,dlp_fingerprint_match,dlp_fingerprint_score,dlp_match_info,inline_dlp_match_info,dlp_inci
dent_id,dlp_parent_id,dlp_profile_name,dlp_profile,dlp_rule_count,dlp_rule,dlp_rule_severity,dl
p_rule_score,dlp_unique_count,dlp_is_unique_count,dns_profile,domain,driver,conn_duration,e
ncryption_status,conn_endtime,end_time,computer_name,executable_hash,executable_signed
,sharedType,file_category,destination_file_directory,file_exposure,file_id,file_md5,destination_fil
e_name,filename,file_origin,file_owner,destination_file_path,file_path,filepath,sha256,file_size,fi
le_type,email_from_user,from_user,app-gdpr-
level,usergroup,device_type,hostname,dinsid,incident_id,latest_incident_id,instance_id,instanc
e,instance_name,sanctioned_instance,ip_protocol,dst_latitude,src_latitude,local_md5,local_sha
1,local_sha256,loc,location,src_location,dst_longitude,src_longitude,mal_id,malware_id,mal_se
v,malware_severity,mal_type,malware_type,managed_app,managementID,vendor_id,md5,mes
sage_id,mime_type,tss_mode,product_id,modified_date,src_network,network_session_id,ur_no
rmalized,oauth,object,object_id,owner,object_type,org,organization_unit,os,os_details,os_family
,os_user_name,os_version,page,parent_id,owner_pdl,policy_name_enforced,policy,policy_vers
ion,pop_id,netskope_pop,port,web_url,connection_type,process_name,process_cert_subject,pi
d,process_path,publisher_cn,domain_ip,redirect_url,referer,region_name,src_region,region_id,i
aas_remediated,iaas_remediation_action,iaas_remediated_by,iaas_remediated_on,req,req_cnt
,request_id,resource_category,resource_group,resp,resp_cnt,risk_level_id,sa_profile_name,sa
_rule_compliance,sa_rule_name,sa_rule_severity,sender,session_duration,session_number_un
ique,serverity,severity_level,severity_id,shared_with,shared_domains,tunnel_id,smtp_status,sm
tp_to,src_geoip_src,srcip,srcport,conn_starttime,start_time,status,subject,tags,telemetry_app,th
reat_type,timestamp,src_timezone,to_user,numbytes,traffic_type,transaction_id,tss_license,two
_factor_auth,type,unc_path,nsdeviceuid,url,user,useragent,user_confidence_index,user_confid
ence_level,user_id,userip,userkey,violation,site,src_zipcode,account_id,alert_id,appact,audit_ty
pe,response_time,email_modified,email_title,subtype,event_uuid,file_cls_encrypted,fllg,file_pdl,
local_source_time,server_packets,client_packets,flpp,risk_score,suppression_count,spet,spst,t
hr,email_user,tur,total_packets,num_users,watchlist_name,custom_attr,record_type
4d4795c4d825d6bee5515aa5,Client,-,-,-,-,-,-,-,-,unknown,-,-,Technology,-,Google App
Bypass,1494365267375841033,-,-,Chrome,2120028816926628866,18275437,29272,-,-,-,-,-,-,-,
4841498802315193211,US,-,-,-,-,MX,-,-,142.251.34.202,Queretaro,443,Queretaro,America/Me
xico_City,N/A,-,Windows Device,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,optimizationguide-
pa.googleapis.com,-,48,-,1767938266,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,instance-
ngcc1,-,-,-,-,-,-,-,-,-100.38392639160156|20.600095748901367,-121.1871|45.59989999999999
8,-,-,-,-,-,The
Dalles,-100.38392639160156|20.600095748901367,-121.1871|45.599899999999998,-,-,-,-,-,-,-
,-,-,-,-,-,-,-,-,-,-,user@example.com,-,-,-,-,-,-,,Windows Server 2016,-,Windows Server,-,Windows
Server 10.0,optimizationguide-pa.googleapis.com/downloads,-,-,-,-,-,-,US-
SEA2,-,-,-,-,-,-,-,-,-,-,-,-,Oregon,-,-,-,-,-,-,20,-,-,-,-,20,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,34.82.123.123,-,176
7938218,-,-,-,-,-,-,1767938218,America/Los_Angeles,-,18304709,CloudApp,-,-,-,connection,-,-,
optimizationguide-pa.googleapis.com/downloads,user@example.com,"Mozilla/5.0 (Windows
NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0
Safari/537.36",-,-,-,10.0.0.10,user@example.com,-,Google App
Bypass,97058,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,page
Transaction Event
date,time,time-taken,cs-bytes,sc-bytes,bytes,c-ip,s-ip,cs-username,cs-method,cs-uri-
scheme,cs-uri-query,cs-user-agent,cs-content-type,sc-status,sc-content-type,cs-dns,cs-host,cs-
uri,cs-uri-port,cs-referer,x-cs-session-id,x-cs-access-method,x-cs-app,x-s-country,x-s-latitude,x-
s-longitude,x-s-location,x-s-region,x-s-zipcode,x-c-country,x-c-latitude,x-c-longitude,x-c-
location,x-c-region,x-c-zipcode,x-c-os,x-c-browser,x-c-browser-version,x-c-device,x-cs-site,x-cs-
timestamp,x-cs-page-id,x-cs-userip,x-cs-traffic-type,x-cs-tunnel-id,x-category,x-other-
category,x-type,x-server-ssl-err,x-client-ssl-err,x-transaction-id,x-request-id,x-cs-sni,x-cs-
domain-fronted-sni,x-category-id,x-other-category-id,x-sr-headers-name,x-sr-headers-value,x-
cs-ssl-ja3,x-sr-ssl-ja3s,x-ssl-bypass,x-ssl-bypass-reason,x-r-cert-subject-cn,x-r-cert-issuer-cn,x-
r-cert-startdate,x-r-cert-enddate,x-r-cert-valid,x-r-cert-expired,x-r-cert-untrusted-root,x-r-cert-
incomplete-chain,x-r-cert-self-signed,x-r-cert-revoked,x-r-cert-revocation-check,x-r-cert-
mismatch,x-cs-ssl-fronting-error,x-cs-ssl-handshake-error,x-sr-ssl-handshake-error,x-sr-ssl-
client-certificate-error,x-sr-ssl-malformed-ssl,x-s-custom-signing-ca-error,x-cs-ssl-engine-
action,x-cs-ssl-engine-action-reason,x-sr-ssl-engine-action,x-sr-ssl-engine-action-reason,x-ssl-
policy-src-ip,x-ssl-policy-dst-ip,x-ssl-policy-dst-host,x-ssl-policy-dst-host-source,x-ssl-policy-
categories,x-ssl-policy-action,x-ssl-policy-name,x-cs-ssl-version,x-cs-ssl-cipher,x-sr-ssl-
version,x-sr-ssl-cipher,x-cs-src-ip-egress,x-s-dp-name,x-cs-src-ip,x-cs-src-port,x-cs-dst-ip,x-cs-
dst-port,x-sr-src-ip,x-sr-src-port,x-sr-dst-ip,x-sr-dst-port,x-cs-ip-connect-xff,x-cs-ip-xff,x-cs-
connect-host,x-cs-connect-port,x-cs-connect-user-agent,x-cs-url,x-cs-uri-path,x-cs-http-
version,rs-status,x-cs-app-category,x-cs-app-cci,x-cs-app-ccl,x-cs-app-tags,x-cs-app-suite,x-cs-
app-instance-id,x-cs-app-instance-name,x-cs-app-instance-tag,x-cs-app-activity,x-cs-app-from-
user,x-cs-app-to-user,x-cs-app-object-type,x-cs-app-object-name,x-cs-app-object-id,x-rs-file-
type,x-rs-file-category,x-rs-file-language,x-rs-file-size,x-rs-file-md5,x-rs-file-sha256,x-error,x-c-
local-time,x-policy-action,x-policy-name,x-policy-src-ip,x-policy-dst-ip,x-policy-dst-host,x-policy-
dst-host-source,x-policy-justification-type,x-policy-justification-reason,x-sc-notification-name
2025-11-
18,07:48:29,25,178,1055,1233,10.0.0.5,203.0.113.11,user@example.com,OPTIONS,https,-,Ge
nericAgent/1.0,-,403,-,onedrive.example.com,onedrive.example.com,/,443,-,100000000000000
0001,Client,Example
OneDrive,US,0.000000,0.000000,City,State,00000,US,0.000000,0.000000,City,State,N/A,Wind
ows 10,Native,-,Windows
Device,live,1763452109,5398075370891712522,10.0.0.5,CloudApp,-,Cloud Storage,Cloud
Storage,http_transaction,-,-,7061116132216555741,7061116132216555741,onedrive.example.
com,-,7,7,-,-,HASH1,NotAvailable,No,-,onedrive.example.com,Example TLS CA,Oct 27
12:22:37 2025 GMT,Apr 25 12:22:37 2026
GMT,Yes,No,No,No,No,Disabled,-,No,No,No,No,No,No,No,Allow,Established,Allow,Established,
10.0.0.5,203.0.113.12,onedrive.example.com,Sni,Cloud Storage,Decrypt,-,TLSv1.2,ECDHE-
ECDSA-AES256-GCM-SHA384,TLSv1.3,TLS_AES_256_GCM_SHA384,203.0.113.90,TEST-
DP,10.0.0.5,5768,203.0.113.12,443,203.0.113.80,42858,203.0.113.11,443,-,-,-,-,-,https://onedriv
e.example.com/,/,HTTP1.1,403,Cloud Storage,85,high,"Category",Example
Live,-,-,-,Browse,-,-,-,-,-,-,-,-,-,-,-,http,2025-11-18
02:48:30,allow_default,DefaultAction,10.0.0.5,203.0.113.11,onedrive.example.com,HttpHostHe
ader,-,-,-Troubleshooting
If you experience issues with the Netskope event source, try the solutions provided in this section.
Logs are not appearing in Rapid7 SIEM
You’ve configured the Netskope event source, but no log data is appearing in Log Search or in the event source’s raw log view.
The likely cause is that EventBridge notifications are not enabled on your Amazon S3 bucket. This is a required prerequisite. Without EventBridge notifications, Rapid7 SIEM has no mechanism to detect when new log files land in your S3 bucket, so ingestion never begins.
To resolve this issue:
- Log in to the AWS S3 console.
- Go to the S3 bucket you configured for Netskope log streaming.
- Select the Properties tab.
- Under Amazon EventBridge, confirm that Send notifications to Amazon EventBridge for all events in this bucket is set to On. If it is not, enable it.
For detailed steps, see Amazon’s documentation on enabling EventBridge notifications .
After enabling EventBridge notifications, allow up to 10 minutes for logs to begin flowing. Only logs added to the bucket after you enable notifications will be collected.
Verify that logs are arriving using one of these methods:
In Rapid7 SIEM:
- Go to Data Connectors > Data Collectors
- Go to the Event Sources tab.
- Select Monitor Health on the Netskope event source to check for incoming data.
In the AWS IAM console:
- Go to CloudFormation.
- Select the stack you created when you completed the event source configuration.
- Select the Rapid7 S3 Read Role.
- Go to the Last Accessed tab.
- Open your bucket and select the Last Accessed tab to confirm that Rapid7 is accessing your log files.
- If logs are flowing, the Amazon S3 service will have a recent date and time in the Last accessed column.
- If logs are not flowing, the Amazon S3 service will display
Not accessed in the tracking periodin the Last accessed column.
See Amazon’s documentation on viewing last accessed information for IAM for more information.
Confirm CloudFormation stack is configured
If you enable EventBridge notifications but logs still don’t appear after 10 minutes, confirm that your CloudFormation stack completed successfully and that the stack’s parameters include the correct Rapid7 User API key. See Complete the event source configuration in AWS CloudFormation.
If the issue persists, contact Rapid7 Support.