Collect logs for Netskope

Collection Overview (DEPRECATED)

Sumo Logic provides a collector agent that pulls logs from Netskope with API calls. You can configure the list of events and alerts to be collected, but by default all events and alerts are collected.

The events and alerts are forwarded to the Sumo Logic HTTP endpoint in JSON format. The configuration from a yaml file, which is stored in the home directory, is used. By default the collection starts from last 7 days, but this setting is configurable.

The Netskope App has the following components:

Application Usage: Insights into application usage; specifically by devices, users, users and traffic patterns.
Security Alerts: Visibility into Netskope security alerts and violations and the ability to identify effects of a breach.

Step 1: Adding a Hosted Collector and HTTP Source (DEPRECATED)

This section demonstrates how to add a hosted Sumo Logic collector and HTTP Logs and Metrics source, to collect events for Netskope

Prerequisite

Before creating the HTTP source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.

To add a hosted collector and HTTP source, do the following:

To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.
Add an HTTP Logs and Metrics Source.
In Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following:

Specify Format as epoch
Specify Timestamp locator as \"timestamp\": (.*),

Click Add.

Step 2: Getting a token from the Netskope Portal (DEPRECATED)

Netskope REST APIs use an auth token to make authorized calls to the API. This section demonstrates how to obtain a token from the Netskope user interface (UI).

To obtain a Netskope auth token, do the following:

Login to Netskope as the Tenant Admin.
Go to the API portion of the Netskope, Settings > Tools > Rest API.
Copy the existing token to your clipboard, or you can generate a new token and copy that token.

Configuring a Sumo Logic Netskope collector (DEPRECATED)

This section provides walkthrough instructions that demonstrate how to configure a Sumo Logic Netskope collector.

To create a Sumo Logic Netskope collector, do the following:

Login to a Linux machine.
Install the collector using the following command.

pip install sumologic-netskope-collector

Download the netskope.yaml configuration file and place in the home directory.
Edit the netskope.yaml file in the following way:
1. Replace <SUMO HTTP SOURCE ENDPOINT> with the Sumo Logic HTTPS Source endpoint you created in Step 1.
2. Replace <Netskope API Token> with the Netskope API token you created in Step 2.
3. Replace <Netskope Domain> with your Netskope domain name.
  
  Example of an edited netskope.yaml file:

Netskope:
 TOKEN: "ExampleTokenGxrtwdshciB7gHR7efDQbZPW"
 NETSKOPE_EVENT_ENDPOINT: https://example.goskope.com/api/v1/events
 NETSKOPE_ALERT_ENDPOINT: https://example.goskope.com/api/v1/alerts

SumoLogic:
 SUMO_ENDPOINT: "https://collectors.sumologic.com/receiver/v1/http/ZaVnC4dhaxxExampleEndpointxxx==="

Create a cron job to run the collector every 5 minutes, (use the crontab -e option) and add the following line:

*/5 * * * *  /usr/bin/python -m sumonetskopecollector.netskope > /dev/null 2>&1

Updating the Sumo Logic Netskope collector (DEPRECATED)

Sumo Logic periodically makes changes to the collector. To make sure your collector is up-to-date, perform the following tasks on each machine running the collector:

Check the latest version of the Netskope collector on this page: https://pypi.org/project/sumologic-netskope-collector/#history
Check the version of the collector you have installed by running the following command: pip show sumologic-netskope-collector
If you are not running the latest collector, do the following:

Disable your cron job.
Stop all existing collector processes.
Run the following command to upgrade your collector: pip install sumologic-netskope-collector --upgrade
Enable the cron job.

Advanced Configuration (DEPRECATED)

The following table explains the configuration file parameters and their usage.

Parameter	Usage
EVENT_TYPES	List of events to fetch from Netskope: page application audit infrastructure
ALERT_TYPES	List of alerts to fetch from Netskope: Malware Malsite Compromised Credential Anomaly DLP Watchlist Quarantine Policy
BACKFILL_DAYS	Number of days before the event collection will start. If the value is 1, then events are fetched from yesterday to today.
PAGINATION_LIMIT	Number of events to fetch in a single API call
LOG_FORMAT	Log format used by the python logging module to write logs in a file
ENABLE_LOGFILE	Set to TRUE to write all logs and errors to a log file
ENABLE_CONSOLE_LOG	Enables printing logs in a console
LOG_FILEPATH	Path of the log file used when ENABLE_LOGFILE is set to TRUE
NUM_WORKERS	Number of threads to spawn for API calls
MAX_RETRY	Number of retries to attempt in case of request failure
BACKOFF_FACTOR	A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries.
TIMEOUT	Request time out used by the requests library
TOKEN	API Token used for API calls authentication
SUMO_ENDPOINT	HTTP source endpoint url created in Sumo Logic

Sample log message

{
           "dstip": "74.125.239.150",
           "dst_location": "Mountain View",
           "app": "Google Gmail",
           "_insertion_epoch_timestamp": 1547391690,
           "site": "Google Gmail",
           "src_location": "Pomerol",
           "organization_unit": "",
           "object_type": "Mail",
           "id": 3764,
           "app_session_id": 4252577042,
           "category": "Webmail",
           "dst_region": "California",
           "userkey": "Tanja.Barton@kkrlogistics.com",
           "dst_country": "US",
           "src_zipcode": "33500",
           "ur_normalized": "tanja.barton@kkrlogistics.com",
           "type": "nspolicy",
           "object": "Welcome Novak Dimitrov",
           "srcip": "77.194.46.1",
           "dst_latitude": 37.405991,
           "timestamp": 1547400222,
           "src_region": "Gironde",
           "dst_longitude": -122.078514,
           "alert": "no",
           "to_user": "ns-india@microsoft.com, hrglobal@microsoft.com",
           "user": "Tanja.Barton@kkrlogistics.com",
           "from_user": "bloomberg@bloomberg.com",
           "device": "Windows PC",
           "org": "kkrlogistics.com",
           "src_country": "FR",
           "traffic_type": "CloudApp",
           "dst_zipcode": "N/A",
           "count": 2,
           "src_latitude": 44.9333,
           "url": "https://mail.google.com/",
           "page_id": 2641483218,
           "sv": "unknown",
           "ccl": "excellent",
           "cci": 92,
           "activity": "Send",
           "userip": "127.0.0.1",
           "src_longitude": -0.2,
           "_id": "5df996d5b66a9ea963e812ce",
           "os": "Windows 8",
           "browser": "Internet Explorer",
           "appcategory": "Webmail"
       }
   ]
}

Query sample

The following query sample was is from the Total Sessions panel of the Application Overview Dashboard.

_sourceCategory="netskope_events" "no" "nspolicy"
| json "_id", "alert", "type", "srcip", "dstip", "appcategory", "app", "os", "user", "device", 
"acked", "site", "timestamp", "ccl", "activity", "browser", "object", "object_type", "from_user", 
"to_user", "app_session_id" as alert_id, is_alert, type, src_ip, dest_ip, appcategory, app, os, 
user, device, acked, site, timestamp, ccl, activity, browser, object, object_type, from_user, 
to_user, app_session_id  nodrop
| where is_alert="no" and type="nspolicy"
| count by app_session_id
| count