Collect logs for Netskope

This page provides instructions for adding a hosted collector and HTTP source, and for configuring the collection agent that collects events and alerts for the Netskope App.

Collection overview

Sumo Logic provides a collector agent that pulls logs from Netskope through its REST API. You can configure which events and alerts are collected; by default, all events and alerts are collected.

The events and alerts are then forwarded in JSON format to a Sumo Logic HTTP source endpoint. The collector reads its settings from a YAML file stored in the home directory. By default, collection starts from the last 7 days; this setting is also configurable.

The Netskope App has the following components:

  • Application Usage: Insights into application usage, specifically by devices, users, and traffic patterns.
  • Security Alerts: Visibility into Netskope security alerts and violations, and the ability to identify the effects of a breach.

Step 1: Add a Hosted Collector and HTTP Source

This section demonstrates how to add a hosted Sumo Logic collector and an HTTP Logs and Metrics source to collect events for Netskope.

Prerequisite

Before creating the HTTP source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.

To add a hosted collector and HTTP source, do the following:
  1. To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.

  2. Add an HTTP Logs and Metrics Source.

  3. In Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following:

  • Specify Format as epoch
  • Specify Timestamp locator as "timestamp": (.*),

NS_Collectors-Sources-dialog.png

  4. Click Add.
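The Timestamp locator in step 3 is a regular expression that Sumo Logic applies to each message to find the epoch value. The following is an added example, not code from Sumo Logic or Netskope, that uses Python's re module as a stand-in for the source's regex engine to show what the locator captures from a pretty-printed message (one field per line, as in the sample log message further down) versus the same event serialised on a single line. The constructed messages are shortened copies of the sample; the stricter STRICT_LOCATOR variant is an assumption added here for comparison, not a setting from the page.

```python
# Added example, not from Sumo Logic or Netskope: checks what the Timestamp
# locator configured in step 3 extracts from a message, using Python's re
# module as a stand-in for the HTTP source's own regex engine.
import json
import re
from datetime import datetime, timezone

# The locator exactly as entered under Advanced Options for Logs.
PAGE_LOCATOR = re.compile(r'"timestamp": (.*),')
# Assumed stricter variant (not from the page): captures only the epoch digits,
# so it does not rely on the timestamp field sitting on its own line.
STRICT_LOCATOR = re.compile(r'"timestamp":\s*(\d+)')

# Constructed message: a shortened copy of the sample log message below,
# pretty-printed with one field per line.
PRETTY_MESSAGE = """{
    "app": "Google Gmail",
    "_insertion_epoch_timestamp": 1547391690,
    "timestamp": 1547400222,
    "alert": "no",
    "type": "nspolicy"
}"""
# The same event serialised on a single line.
COMPACT_MESSAGE = json.dumps(json.loads(PRETTY_MESSAGE))


def locate(locator, message: str):
    """Return the locator's captured group, or None if it does not match."""
    match = locator.search(message)
    return match.group(1) if match else None


def to_utc(epoch_text: str) -> datetime:
    """Interpret the captured text as epoch seconds (the 'epoch' Format)."""
    return datetime.fromtimestamp(int(epoch_text), tz=timezone.utc)


def check_locators() -> dict:
    """Run both locators over both layouts. A capture that cannot be parsed as
    an epoch (e.g. the greedy (.*) swallowing the following fields on a
    single-line message) is recorded as None."""
    results = {}
    for name, locator in (("page", PAGE_LOCATOR), ("strict", STRICT_LOCATOR)):
        for layout, message in (("pretty", PRETTY_MESSAGE), ("compact", COMPACT_MESSAGE)):
            captured = locate(locator, message)
            try:
                results[(name, layout)] = to_utc(captured).isoformat()
            except (TypeError, ValueError):
                results[(name, layout)] = None
    return results


if __name__ == "__main__":
    for key, value in check_locators().items():
        print(key, value)
```

Two things the run makes visible: the leading quote in `"timestamp"` keeps the locator from matching the earlier `_insertion_epoch_timestamp` field, and the greedy `(.*),` only isolates the epoch because `.` does not cross a line break, so on a single-line message it captures everything up to the last comma.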

Step 2: Getting a token from Netskope Portal

Netskope REST APIs use an auth token to make authorized calls to the API. This section demonstrates how to obtain a token from the Netskope user interface (UI).

To obtain a Netskope auth token, do the following:
  1. Log in to Netskope as the Tenant Admin.
  2. Go to the API section of Netskope: Settings > Tools > Rest API.
  3. Copy the existing token to your clipboard, or generate a new token and copy that.

Step 3: Configuring a Sumo Logic Netskope collector

This section provides walkthrough instructions that demonstrate how to configure a Sumo Logic Netskope collector.

To create a Sumo Logic Netskope collector, do the following:
  1. Log in to a Linux machine.
  2. Install the collector using the following command:
pip install sumologic-netskope-collector
  3. Create a configuration file named netskope.yaml in the home directory and enter the SUMO_ENDPOINT and TOKEN as shown in the following example, replacing the <netskope domain> variable with your Netskope portal domain.

Netskope_Endpoint_Token.png

  4. Create a cron job to run the collector every 5 minutes (use crontab -e) and add the following line:
*/5 * * * *  /usr/bin/python -m sumonetskopecollector.netskope > /dev/null 2>&1

Advanced Configuration

You can download the full configuration file here.

The following table explains the configuration file parameters and their usage.

Parameter Usage

EVENT_TYPES

List of events to fetch from Netskope:

  • page
  • application
  • audit
  • infrastructure

ALERT_TYPES

List of alerts to fetch from Netskope:

  • Malware
  • Malsite
  • Compromised Credential
  • Anomaly
  • DLP
  • Watchlist
  • Quarantine
  • Policy

BACKFILL_DAYS

Number of days back from today at which event collection starts. If the value is 1, events are fetched from yesterday to today.

PAGINATION_LIMIT

Number of events to fetch in a single API call.

LOG_FORMAT

Log format used by the Python logging module when writing logs to a file.

ENABLE_LOGFILE

Set to TRUE to write all logs and errors to a log file.

ENABLE_CONSOLE_LOG

Enables printing logs to the console.

LOG_FILEPATH

Path of the log file used when ENABLE_LOGFILE is set to TRUE.

NUM_WORKERS

Number of threads to spawn for API calls.

MAX_RETRY

Number of retries to attempt when a request fails.

BACKOFF_FACTOR

Backoff factor applied between attempts after the second try. If BACKOFF_FACTOR is 0.1, sleep() waits [0.0s, 0.2s, 0.4s, ...] between retries.

TIMEOUT

Request timeout passed to the requests library.

TOKEN

Netskope API token used to authenticate API calls.

SUMO_ENDPOINT

URL of the HTTP source endpoint created in Sumo Logic.
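The collector installed in Step 3 and the parameters in this table describe one loop: compute a window from BACKFILL_DAYS, page through each event type PAGINATION_LIMIT events at a time, retry failed requests up to MAX_RETRY times with the BACKOFF_FACTOR schedule, and forward each page to SUMO_ENDPOINT. The following is an added example that models that loop offline; it is not the sumologic-netskope-collector package's own code. The five-argument fetch_page signature, the make_fake_tenant stand-in and the sample events are assumptions constructed here, and TOKEN and SUMO_ENDPOINT are placeholders.

```python
# Added example; this is not the sumologic-netskope-collector package's own
# code but an offline model of the behaviour the parameters above describe.
# Network access is replaced by injected fetch/post callables so the logic
# around BACKFILL_DAYS, PAGINATION_LIMIT, MAX_RETRY and BACKOFF_FACTOR can be
# exercised without a Netskope tenant or a Sumo Logic endpoint.
import json
import time
from typing import Callable, Dict, List, Tuple

# Constructed configuration using the netskope.yaml keys listed above.
# TOKEN and SUMO_ENDPOINT are placeholders, not real values.
CONFIG = {
    "TOKEN": "PLACEHOLDER_NETSKOPE_TOKEN",
    "SUMO_ENDPOINT": "https://PLACEHOLDER.sumologic.com/receiver/v1/http/PLACEHOLDER",
    "EVENT_TYPES": ["page", "application", "audit", "infrastructure"],
    "BACKFILL_DAYS": 7,
    "PAGINATION_LIMIT": 3,
    "MAX_RETRY": 3,
    "BACKOFF_FACTOR": 0.1,
}


def backfill_window(now_epoch: int, backfill_days: int) -> Tuple[int, int]:
    """Collection window in epoch seconds; BACKFILL_DAYS=1 means 'yesterday to today'."""
    return now_epoch - backfill_days * 86400, now_epoch


def backoff_schedule(backoff_factor: float, max_retry: int) -> List[float]:
    """Sleep before retry n (1-based), following the urllib3 Retry rule quoted
    above: no sleep before the first retry, then backoff_factor * 2**(n-1).
    For 0.1 and three retries this is [0.0, 0.2, 0.4]."""
    return [0.0 if n == 1 else backoff_factor * 2 ** (n - 1) for n in range(1, max_retry + 1)]


def fetch_with_retry(fetch: Callable[[], List[dict]], max_retry: int,
                     backoff_factor: float, sleep=time.sleep) -> List[dict]:
    """Call fetch() once, then retry up to MAX_RETRY times on ConnectionError."""
    delays = backoff_schedule(backoff_factor, max_retry)
    for attempt in range(max_retry + 1):
        try:
            return fetch()
        except ConnectionError:
            if attempt == max_retry:
                raise  # retries exhausted: surface the failure to the caller
            sleep(delays[attempt])


def collect_events(fetch_page: Callable[[str, int, int, int, int], List[dict]],
                   post: Callable[[str, str], None], config: dict,
                   now_epoch: int, sleep=time.sleep) -> Dict[str, int]:
    """Page through each configured event type inside the backfill window and
    forward every page to the HTTP source as newline-delimited JSON."""
    start, end = backfill_window(now_epoch, config["BACKFILL_DAYS"])
    limit = config["PAGINATION_LIMIT"]
    counts: Dict[str, int] = {}
    for event_type in config["EVENT_TYPES"]:
        skip, counts[event_type] = 0, 0
        while True:
            page = fetch_with_retry(
                lambda: fetch_page(event_type, start, end, skip, limit),
                config["MAX_RETRY"], config["BACKOFF_FACTOR"], sleep)
            if not page:
                break
            post(config["SUMO_ENDPOINT"], "\n".join(json.dumps(e) for e in page))
            counts[event_type] += len(page)
            if len(page) < limit:
                break  # short page: nothing more to fetch for this type
            skip += limit
    return counts


def make_fake_tenant(events: Dict[str, List[dict]], fail_first: int = 0):
    """Constructed stand-in for the Netskope events API: answers with the
    events of a type inside [start, end], honouring skip/limit, and raises on
    the first `fail_first` calls to exercise the retry path."""
    state = {"calls": 0}

    def fetch_page(event_type, start, end, skip, limit):
        state["calls"] += 1
        if state["calls"] <= fail_first:
            raise ConnectionError("constructed transient failure")
        rows = [e for e in events.get(event_type, []) if start <= e["timestamp"] <= end]
        return rows[skip:skip + limit]

    return fetch_page, state


def run_demo():
    """Ten constructed 'page' events, one per day going back from the sample
    message's timestamp; only the eight inside a 7-day backfill are collected."""
    now = 1547400222  # timestamp from the sample log message below
    sample = {"page": [{"type": "page", "timestamp": now - i * 86400,
                        "_id": f"constructed-{i}"} for i in range(10)]}
    fetch_page, state = make_fake_tenant(sample, fail_first=1)
    sleeps, batches = [], []
    counts = collect_events(fetch_page, lambda url, body: batches.append(body),
                            CONFIG, now, sleep=sleeps.append)
    return counts, state["calls"], sleeps, len(batches)


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the first request failing and being retried after a 0.0s sleep, the eight in-window events arriving in three pages (3, 3, 2) that become three posts, and one empty call for each of the other three event types.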

Sample log message

{
    "dstip": "74.125.239.150",
    "dst_location": "Mountain View",
    "app": "Google Gmail",
    "_insertion_epoch_timestamp": 1547391690,
    "site": "Google Gmail",
    "src_location": "Pomerol",
    "organization_unit": "",
    "object_type": "Mail",
    "id": 3764,
    "app_session_id": 4252577042,
    "category": "Webmail",
    "dst_region": "California",
    "userkey": "Tanja.Barton@kkrlogistics.com",
    "dst_country": "US",
    "src_zipcode": "33500",
    "ur_normalized": "tanja.barton@kkrlogistics.com",
    "type": "nspolicy",
    "object": "Welcome Novak Dimitrov",
    "srcip": "77.194.46.1",
    "dst_latitude": 37.405991,
    "timestamp": 1547400222,
    "src_region": "Gironde",
    "dst_longitude": -122.078514,
    "alert": "no",
    "to_user": "ns-india@microsoft.com, hrglobal@microsoft.com",
    "user": "Tanja.Barton@kkrlogistics.com",
    "from_user": "bloomberg@bloomberg.com",
    "device": "Windows PC",
    "org": "kkrlogistics.com",
    "src_country": "FR",
    "traffic_type": "CloudApp",
    "dst_zipcode": "N/A",
    "count": 2,
    "src_latitude": 44.9333,
    "url": "https://mail.google.com/",
    "page_id": 2641483218,
    "sv": "unknown",
    "ccl": "excellent",
    "cci": 92,
    "activity": "Send",
    "userip": "127.0.0.1",
    "src_longitude": -0.2,
    "_id": "5df996d5b66a9ea963e812ce",
    "os": "Windows 8",
    "browser": "Internet Explorer",
    "appcategory": "Webmail"
}

Query sample

The following query sample is from the Total Sessions panel of the Application Overview Dashboard.

_sourceCategory="netskope_events" "no" "nspolicy"
| json "_id", "alert", "type", "srcip", "dstip", "appcategory", "app", "os", "user", "device", 
"acked", "site", "timestamp", "ccl", "activity", "browser", "object", "object_type", "from_user", 
"to_user", "app_session_id" as alert_id, is_alert, type, src_ip, dest_ip, appcategory, app, os, 
user, device, acked, site, timestamp, ccl, activity, browser, object, object_type, from_user, 
to_user, app_session_id  nodrop
| where is_alert="no" and type="nspolicy"
| count by app_session_id
| count
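To see what each stage of that query contributes, the following added example (not part of the page or of Sumo Logic) models the pipeline in plain Python over constructed messages: the keyword terms act as a text pre-filter, the json operator with nodrop extracts fields without discarding messages that lack one, where keeps policy events that are not alerts, and count by app_session_id followed by count yields the number of distinct sessions. Only a subset of the query's fields is modelled, and the keyword term match is an approximation of Sumo Logic's search semantics.

```python
# Added example, not part of the page or of Sumo Logic: a plain-Python model
# of the Total Sessions query, run over constructed messages.
import json
import re
from collections import Counter
from typing import List

# Subset of the fields the query's json operator extracts, mapped to the
# aliases the query assigns them.
FIELDS = {"_id": "alert_id", "alert": "is_alert", "type": "type", "srcip": "src_ip",
          "dstip": "dest_ip", "app": "app", "user": "user",
          "app_session_id": "app_session_id"}

# Constructed messages in the shape of the sample log message above.
SAMPLE_MESSAGES = [
    json.dumps({"_id": "c1", "alert": "no", "type": "nspolicy", "srcip": "203.0.113.10",
                "dstip": "198.51.100.5", "app": "Google Gmail", "user": "a@example.com",
                "app_session_id": 1001}),
    json.dumps({"_id": "c2", "alert": "no", "type": "nspolicy", "srcip": "203.0.113.10",
                "dstip": "198.51.100.5", "app": "Google Gmail", "user": "a@example.com",
                "app_session_id": 1001}),  # second event of the same session
    json.dumps({"_id": "c3", "alert": "no", "type": "nspolicy", "srcip": "203.0.113.11",
                "dstip": "198.51.100.6", "app": "Box", "user": "b@example.com",
                "app_session_id": 1002}),
    json.dumps({"_id": "c4", "alert": "yes", "type": "nspolicy", "srcip": "203.0.113.12",
                "dstip": "198.51.100.7", "app": "Box", "user": "c@example.com",
                "app_session_id": 1003}),  # an alert: excluded by the where clause
    json.dumps({"_id": "c5", "alert": "no", "type": "page", "srcip": "203.0.113.13",
                "dstip": "198.51.100.8", "app": "Box", "user": "d@example.com",
                "app_session_id": 1004}),  # not a policy event: excluded
    json.dumps({"_id": "c6", "alert": "no", "type": "nspolicy", "srcip": "203.0.113.14",
                "dstip": "198.51.100.9", "app": "Box",
                "app_session_id": 1005}),  # no "user" field: kept thanks to nodrop
]


def keyword_prefilter(message: str) -> bool:
    """The leading "no" "nspolicy" terms, approximated as whole-word matches."""
    return bool(re.search(r"\bno\b", message) and re.search(r"\bnspolicy\b", message))


def extract(message: str) -> dict:
    """json ... as ... nodrop: a missing field (or an unparseable message)
    yields None for that alias instead of dropping the message."""
    try:
        obj = json.loads(message)
    except ValueError:
        return {alias: None for alias in FIELDS.values()}
    return {alias: obj.get(key) for key, alias in FIELDS.items()}


def session_counts(messages: List[str]) -> Counter:
    """where is_alert="no" and type="nspolicy" | count by app_session_id"""
    rows = [extract(m) for m in messages if keyword_prefilter(m)]
    kept = [r for r in rows if r["is_alert"] == "no" and r["type"] == "nspolicy"]
    return Counter(r["app_session_id"] for r in kept)


def total_sessions(messages: List[str]) -> int:
    """The final | count: one row per session, so the number of distinct sessions."""
    return len(session_counts(messages))


if __name__ == "__main__":
    print(session_counts(SAMPLE_MESSAGES))
    print(total_sessions(SAMPLE_MESSAGES))
```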