Collect logs for Netskope
This page provides instructions for adding a hosted collector and HTTP sources, and configuring collection agents to collect findings for the Netskope App.
Collection overview
Sumo Logic provides a collector agent which pulls logs from Netskope with API calls. You can configure the list of events and alerts to be collected, but by default all events and alerts are collected.
The events and alerts are then forwarded to Sumo Logic’s HTTP endpoint in JSON format. The configuration from a yaml file, which is stored in home directory, is used. By default the collection starts from last 7 days, but this setting is also configurable.
The Netskope App has the following components:
- Application Usage: Insights into application usage; specifically by devices, users, users and traffic patterns.
- Security Alerts: Visibility into Netskope security alerts and violations and the ability to identify effects of a breach.
Step 1: Add a Hosted Collector and HTTP Source
This section demonstrates how to add a hosted Sumo Logic collector and HTTP Logs and Metrics source, to collect events for Netskope
Prerequisite
Before creating the HTTP source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.
To add a hosted collector and HTTP source, do the following:
-
To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.
-
Add an HTTP Logs and Metrics Source.
-
In Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following:
- Specify Format as epoch
- Specify Timestamp locator as \"timestamp\": (.*),
- Click Add.
Step 2: Getting a token from Netskope Portal
Netskope REST APIs use an auth token to make authorized calls to the API. This section demonstrates how to obtain a token from the Netskope user interface (UI).
To obtain a Netskope auth token, do the following:
- Login to Netskope as the Tenant Admin.
- Go to the API portion of the Netskope, Settings > Tools > Rest API.
- Copy the existing token to your clipboard, or you can generate a new token and copy that token.
Step 3: Configuring a Sumo Logic Netskope collector
This section provides walkthrough instructions that demonstrate how to configure a Sumo Logic Netskope collector.
To create a Sumo Logic Netskope collector, do the following:
- Login to a Linux machine.
- Install the collector using the following command.
pip install sumologic-netskope-collector
- Create a configuration file netskope.yaml in home directory and the enter the SUMO_ENDPOINT and TOKEN as shown in the following example, replacing the <netskope domain> variable with your Netskope portal domain.
- Create a cron job to run the collector every 5 minutes, (use the crontab -e option) and add the following line:
*/5 * * * * /usr/bin/python -m sumonetskopecollector.netskope > /dev/null 2>&1
Advanced Configuration
You can download the full configuration file here.
The following table explains the configuration file parameters and their usage.
| Parameter | Usage |
|---|---|
|
EVENT_TYPES |
List of events to fetch from Netskope:
|
|
ALERT_TYPES |
List of alerts to fetch from Netskope:
|
|
BACKFILL_DAYS |
Number of days before the event collection will start. If the value is 1, then events are fetched from yesterday to today. |
|
PAGINATION_LIMIT |
Number of events to fetch in a single API call |
|
LOG_FORMAT |
Log format used by the python logging module to write logs in a file |
|
ENABLE_LOGFILE |
Set to TRUE to write all logs and errors to a log file |
|
ENABLE_CONSOLE_LOG |
Enables printing logs in a console |
|
LOG_FILEPATH |
Path of the log file used when ENABLE_LOGFILE is set to TRUE |
|
NUM_WORKERS |
Number of threads to spawn for API calls |
|
MAX_RETRY |
Number of retries to attempt in case of request failure |
|
BACKOFF_FACTOR |
A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries. |
|
TIMEOUT |
Request time out used by the requests library |
|
TOKEN |
API Token used for API calls authentication |
|
SUMO_ENDPOINT |
HTTP source endpoint url created in Sumo Logic |
Sample log message
{
"dstip": "74.125.239.150",
"dst_location": "Mountain View",
"app": "Google Gmail",
"_insertion_epoch_timestamp": 1547391690,
"site": "Google Gmail",
"src_location": "Pomerol",
"organization_unit": "",
"object_type": "Mail",
"id": 3764,
"app_session_id": 4252577042,
"category": "Webmail",
"dst_region": "California",
"userkey": "Tanja.Barton@kkrlogistics.com",
"dst_country": "US",
"src_zipcode": "33500",
"ur_normalized": "tanja.barton@kkrlogistics.com",
"type": "nspolicy",
"object": "Welcome Novak Dimitrov",
"srcip": "77.194.46.1",
"dst_latitude": 37.405991,
"timestamp": 1547400222,
"src_region": "Gironde",
"dst_longitude": -122.078514,
"alert": "no",
"to_user": "ns-india@microsoft.com, hrglobal@microsoft.com",
"user": "Tanja.Barton@kkrlogistics.com",
"from_user": "bloomberg@bloomberg.com",
"device": "Windows PC",
"org": "kkrlogistics.com",
"src_country": "FR",
"traffic_type": "CloudApp",
"dst_zipcode": "N/A",
"count": 2,
"src_latitude": 44.9333,
"url": "https://mail.google.com/",
"page_id": 2641483218,
"sv": "unknown",
"ccl": "excellent",
"cci": 92,
"activity": "Send",
"userip": "127.0.0.1",
"src_longitude": -0.2,
"_id": "5df996d5b66a9ea963e812ce",
"os": "Windows 8",
"browser": "Internet Explorer",
"appcategory": "Webmail"
}
]
}
Query sample
The following query sample was is from the Total Sessions panel of the Application Overview Dashboard.
_sourceCategory="netskope_events" "no" "nspolicy" | json "_id", "alert", "type", "srcip", "dstip", "appcategory", "app", "os", "user", "device", "acked", "site", "timestamp", "ccl", "activity", "browser", "object", "object_type", "from_user", "to_user", "app_session_id" as alert_id, is_alert, type, src_ip, dest_ip, appcategory, app, os, user, device, acked, site, timestamp, ccl, activity, browser, object, object_type, from_user, to_user, app_session_id nodrop | where is_alert="no" and type="nspolicy" | count by app_session_id | count