Netskope Data Connector
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Connector ID | NetskopeDataConnector |
| Publisher | Netskope |
| Used in Solutions | Netskopev2 |
| Collection Method | Azure Function |
| Connector Definition Files | Netskope_FunctionApp.json |
| Ingestion API | HTTP Data Collector API — Azure Function code uses SharedKey/HTTP Data Collector API |
| Custom Log V1 Tables | Yes 🔶 — ingests into tables with type-suffixed columns |
The Netskope data connector provides the following capabilities:
- NetskopeToAzureStorage :
- Get the Netskope Alerts and Events data from Netskope and ingest to Azure storage.
- StorageToSentinel :
- Get the Netskope Alerts and Events data from Azure storage and ingest to custom log table in log analytics workspace.
- WebTxMetrics :
- Get the WebTxMetrics data from Netskope and ingest to custom log table in log analytics workspace.
For more details of REST APIs refer to the below documentations:
- Netskope API documentation:
https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/
- Azure storage documentation:
https://learn.microsoft.com/azure/storage/common/storage-introduction
- Microsoft log analytic documentation:
https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview
Tables Ingested
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
Netskope_WebTx_metrics_CL 🔶 |
? | ✓ | ? |
alertscompromisedcredentialdata_CL 🔶 |
? | ✓ | ? |
alertsctepdata_CL 🔶 |
? | ✓ | ? |
alertsdlpdata_CL 🔶 |
? | ✓ | ? |
alertsmalsitedata_CL 🔶 |
? | ✓ | ? |
alertsmalwaredata_CL 🔶 |
? | ✓ | ? |
alertspolicydata_CL 🔶 |
? | ✓ | ? |
alertsquarantinedata_CL 🔶 |
? | ✓ | ? |
alertsremediationdata_CL 🔶 |
? | ✓ | ? |
alertssecurityassessmentdata_CL 🔶 |
? | ✓ | ? |
alertsubadata_CL 🔶 |
? | ✓ | ? |
eventsapplicationdata_CL 🔶 |
? | ✓ | ? |
eventsauditdata_CL 🔶 |
? | ✓ | ? |
eventsconnectiondata_CL 🔶 |
? | ✓ | ? |
eventsincidentdata_CL 🔶 |
? | ✓ | ? |
eventsnetworkdata_CL 🔶 |
? | ✓ | ? |
eventspagedata_CL 🔶 |
? | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Permissions
Resource Provider Permissions: - Workspace (Workspace): read and write permissions on the workspace are required. - Keys (Workspace): read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys.
Custom Permissions: - Azure Subscription: Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions. - REST API Credentials/permissions: Netskope Tenant and Netskope API Token is required. See the documentation to learn more about API on the Rest API reference
Setup Instructions
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
NOTE: This connector uses Azure Functions to connect to the Netskope APIs to pull its Alerts and Events data into custom log table. Check the Azure Functions pricing page for details.
(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.
STEP 1 - App Registration steps for the Application in Microsoft Entra ID
This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID: 1. Sign in to the Azure portal. 2. Search for and select Microsoft Entra ID. 3. Under Manage, select App registrations > New registration. 4. Enter a display Name for your application. 5. Select Register to complete the initial app registration. 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the Application (client) ID and Tenant ID. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook.
Reference link: https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app
STEP 2 - Add a client secret for application in Microsoft Entra ID
Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret: 1. In the Azure portal, in App registrations, select your application. 2. Select Certificates & secrets > Client secrets > New client secret. 3. Add a description for your client secret. 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months. 5. Select Add. 6. Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page. The secret value is required as configuration parameter for the execution of TriggersSync playbook.
Reference link: https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret
STEP 3 - Assign role of Contributor to application in Microsoft Entra ID
Follow the steps in this section to assign the role:
1. In the Azure portal, Go to Resource Group and select your resource group.
2. Go to Access control (IAM) from left panel.
3. Click on Add, and then select Add role assignment.
4. Select Contributor as role and click on next.
5. In Assign access to, select User, group, or service principal.
6. Click on add members and type your app name that you have created and select it.
7. Now click on Review + assign and then again click on Review + assign.
Reference link: https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal
STEP 4 - Steps to create/get Credentials for the Netskope account
Follow the steps in this section to create/get Netskope Hostname and Netskope API Token: 1. Login to your Netskope Tenant and go to the Settings menu on the left navigation bar. 2. Click on Tools and then REST API v2 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from. 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage.
STEP 5 - Steps to create the azure functions for Netskope Alerts and Events Data Collection
IMPORTANT: Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Netskope API Authorization Key(s). - Workspace ID:
WorkspaceIdNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel. - Primary Key:PrimaryKeyNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.
Using the ARM template deploy the function apps for ingestion of Netskope events and alerts data to Sentinel.
-
Click the Deploy to Azure button below.
2. Select the preferred Subscription, Resource Group and Location. 3. Enter the below information : Netskope HostName Netskope API Token Select Yes in Alerts and Events types dropdown for that endpoint you want to fetch Alerts and Events Log Level Workspace ID Workspace Key 4. Click on Review+Create. 5. Then after validation click on Create to deploy.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊