Collect logs for Netskope
This page provides instructions for adding a hosted collector and HTTP sources, and configuring collection agents to collect findings for the Netskope App. Click a link to jump to a topic:
- Collection overview
- Step 1: Adding a Hosted Collector and HTTP Source
- Step 2: Getting a token from the Netskope Portal
- Step 3: Configuring a Sumo Logic Netskope collector
- Updating the Sumo Logic Netskope collector
- Sample log message
- Query sample
Collection overview
Sumo Logic provides a collector agent which pulls logs from Netskope with API calls. You can configure the list of events and alerts to be collected, but by default all events and alerts are collected.
The events and alerts are forwarded to the Sumo Logic HTTP endpoint in JSON format. The configuration from a yaml file, which is stored in the home directory, is used. By default the collection starts from last 7 days, but this setting is configurable.
The Netskope App has the following components:
- Application Usage: Insights into application usage; specifically by devices, users, users and traffic patterns.
- Security Alerts: Visibility into Netskope security alerts and violations and the ability to identify effects of a breach.
Step 1: Adding a Hosted Collector and HTTP Source
This section demonstrates how to add a hosted Sumo Logic collector and HTTP Logs and Metrics source, to collect events for Netskope
Prerequisite
Before creating the HTTP source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.
To add a hosted collector and HTTP source, do the following:
-
To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.
-
Add an HTTP Logs and Metrics Source.
-
In Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following:
- Specify Format as epoch
- Specify Timestamp locator as \"timestamp\": (.*),
- Click Add.
Step 2: Getting a token from the Netskope Portal
Netskope REST APIs use an auth token to make authorized calls to the API. This section demonstrates how to obtain a token from the Netskope user interface (UI).
To obtain a Netskope auth token, do the following:
- Login to Netskope as the Tenant Admin.
- Go to the API portion of the Netskope, Settings > Tools > Rest API.
- Copy the existing token to your clipboard, or you can generate a new token and copy that token.
Step 3: Configuring a Sumo Logic Netskope collector
This section provides walkthrough instructions that demonstrate how to configure a Sumo Logic Netskope collector.
To create a Sumo Logic Netskope collector, do the following:
- Login to a Linux machine.
- Install the collector using the following command.
pip install sumologic-netskope-collector
- Download the netskope.yaml configuration file and place in the home directory.
- Edit the netskope.yaml file in the following way:
Netskope: TOKEN: "ExampleTokenGxrtwdshciB7gHR7efDQbZPW" NETSKOPE_EVENT_ENDPOINT: https://example.goskope.com/api/v1/events NETSKOPE_ALERT_ENDPOINT: https://example.goskope.com/api/v1/alerts SumoLogic: SUMO_ENDPOINT: "https://collectors.sumologic.com/receiver/v1/http/ZaVnC4dhaxxExampleEndpointxxx==="
- Create a cron job to run the collector every 5 minutes, (use the crontab -e option) and add the following line:
*/5 * * * * /usr/bin/python -m sumonetskopecollector.netskope > /dev/null 2>&1
Updating the Sumo Logic Netskope collector
Sumo Logic periodically makes changes to the collector. To make sure your collector is up-to-date, perform the following tasks on each machine running the collector:
- Check the latest version of the Netskope collector on this page: https://pypi.org/project/sumologic-netskope-collector/#history
- Check the version of the collector you have installed by running the following command:
pip show sumologic-netskope-collector - If you are not running the latest collector, do the following:
- Disable your cron job.
- Stop all existing collector processes.
- Run the following command to upgrade your collector:
pip install sumologic-netskope-collector --upgrade - Enable the cron job.
Advanced Configuration
The following table explains the configuration file parameters and their usage.
| Parameter | Usage |
|---|---|
|
EVENT_TYPES |
List of events to fetch from Netskope:
|
|
ALERT_TYPES |
List of alerts to fetch from Netskope:
|
|
BACKFILL_DAYS |
Number of days before the event collection will start. If the value is 1, then events are fetched from yesterday to today. |
|
PAGINATION_LIMIT |
Number of events to fetch in a single API call |
|
LOG_FORMAT |
Log format used by the python logging module to write logs in a file |
|
ENABLE_LOGFILE |
Set to TRUE to write all logs and errors to a log file |
|
ENABLE_CONSOLE_LOG |
Enables printing logs in a console |
|
LOG_FILEPATH |
Path of the log file used when ENABLE_LOGFILE is set to TRUE |
|
NUM_WORKERS |
Number of threads to spawn for API calls |
|
MAX_RETRY |
Number of retries to attempt in case of request failure |
|
BACKOFF_FACTOR |
A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries. |
|
TIMEOUT |
Request time out used by the requests library |
|
TOKEN |
API Token used for API calls authentication |
|
SUMO_ENDPOINT |
HTTP source endpoint url created in Sumo Logic |
Sample log message
{
"dstip": "74.125.239.150",
"dst_location": "Mountain View",
"app": "Google Gmail",
"_insertion_epoch_timestamp": 1547391690,
"site": "Google Gmail",
"src_location": "Pomerol",
"organization_unit": "",
"object_type": "Mail",
"id": 3764,
"app_session_id": 4252577042,
"category": "Webmail",
"dst_region": "California",
"userkey": "Tanja.Barton@kkrlogistics.com",
"dst_country": "US",
"src_zipcode": "33500",
"ur_normalized": "tanja.barton@kkrlogistics.com",
"type": "nspolicy",
"object": "Welcome Novak Dimitrov",
"srcip": "77.194.46.1",
"dst_latitude": 37.405991,
"timestamp": 1547400222,
"src_region": "Gironde",
"dst_longitude": -122.078514,
"alert": "no",
"to_user": "ns-india@microsoft.com, hrglobal@microsoft.com",
"user": "Tanja.Barton@kkrlogistics.com",
"from_user": "bloomberg@bloomberg.com",
"device": "Windows PC",
"org": "kkrlogistics.com",
"src_country": "FR",
"traffic_type": "CloudApp",
"dst_zipcode": "N/A",
"count": 2,
"src_latitude": 44.9333,
"url": "https://mail.google.com/",
"page_id": 2641483218,
"sv": "unknown",
"ccl": "excellent",
"cci": 92,
"activity": "Send",
"userip": "127.0.0.1",
"src_longitude": -0.2,
"_id": "5df996d5b66a9ea963e812ce",
"os": "Windows 8",
"browser": "Internet Explorer",
"appcategory": "Webmail"
}
]
}
Query sample
The following query sample was is from the Total Sessions panel of the Application Overview Dashboard.
_sourceCategory="netskope_events" "no" "nspolicy" | json "_id", "alert", "type", "srcip", "dstip", "appcategory", "app", "os", "user", "device", "acked", "site", "timestamp", "ccl", "activity", "browser", "object", "object_type", "from_user", "to_user", "app_session_id" as alert_id, is_alert, type, src_ip, dest_ip, appcategory, app, os, user, device, acked, site, timestamp, ccl, activity, browser, object, object_type, from_user, to_user, app_session_id nodrop | where is_alert="no" and type="nspolicy" | count by app_session_id | count