Netskope

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method

Netskope Audit Events | ✅ ✅ ✅ | netskope_audit_events | NDJSON | API

Netskope Application Events | ✅ ✅ ✅ | netskope_application_events | NDJSON | API

Netskope Alerts | ✅ ✅ | netskope_alerts | NDJSON | API


Overview

Netskope is a software company providing a computer security platform. The platform offers cloud-native solutions to businesses for data protection and defense against threats in cloud applications, cloud infrastructure, and the web.

Hunters parses the data and uses it to protect your network more comprehensively, in both the detection and investigation phases of the Hunters pipeline.

Supported data types

Netskope Audit Events

Table name: netskope_audit_events

This data type includes events of type audit, extracted from SaaS traffic and/or logs.

Netskope Application Events

Table name: netskope_application_events

This data type includes events of type application, extracted from SaaS traffic and/or logs.

Netskope Alerts

Table name: netskope_alerts

This data type includes alerts by Netskope, including policy, DLP, and watch list alerts.

Send data to Hunters

Hunters supports the collection of logs from Netskope via the Netskope API.

To connect Netskope logs:

  1. Follow this guide to retrieve the following information from Netskope:

    • Domain - your Netskope domain, in the format https://<DOMAIN>.goskope.com/

    • API Token - navigate to your console -> Settings -> Tools -> REST API v2 -> GENERATE NEW TOKEN

    📘 Note

    Following Netskope's API V2 release, the Netskope v2 API token must be granted permission to the following endpoints:

    • api/v2/events/dataexport/events/alert

    • api/v2/events/dataexport/events/application

    • api/v2/events/dataexport/events/audit

  2. Complete the process on the Hunters platform, following this guide.

💡 Connecting Netskope V2

When connecting Netskope V2, use the V2 tile.

Expected format

If you collect the data yourself and deliver it to Hunters via shared storage, these are the expected formats:

Audit Events Sample

V1

{"timestamp": 1653898407, "type": "admin_audit_logs", "user": "[email protected]", "severity_level": 2, "audit_log_event": "Logout Successful", "supporting_data": {"data_type": "reason", "data_values": ["Logged out due to inactivity"]}, "organization_unit": "", "ur_normalized": "[email protected]", "ccl": "unknown", "count": 1, "_insertion_epoch_timestamp": 1653898710, "_id": "1234"}

V2

{"audit_log_event": "SSO Login Failed", "severity_level": 1, "supporting_data": {"data_type": "user", "data_values": ["[email protected]"]}, "timestamp": 1736151783, "type": "admin_audit_logs", "user": "[email protected]", "organization_unit": "", "ur_normalized": "[email protected]", "count": 1, "_id": "123456", "userPrincipalName": "", "ccl": "", "details": [], "sAMAccountName": ""}

Application Events Sample

V1

{"_id": "1234", "_insertion_epoch_timestamp": 1653904450, "access_method": "Client", "activity": "View All", "alert": "no", "app": "Slack", "app_session_id": 1234, "appcategory": "Collaboration", "browser": "Native", "browser_session_id": 1234, "category": "Collaboration", "cci": 86, "ccl": "high", "connection_id": 1234, "count": 1, "device": "Mac Device", "device_classification": "not configured", "dst_country": "DE", "dst_latitude": 8.6843, "dst_location": "Frankfurt am Main", "dst_longitude": 50.1188, "dst_region": "Hesse", "dst_timezone": "Europe/Berlin", "dst_zipcode": "60313", "dstip": "1.1.1.1", "from_user": "[email protected]", "hostname": "name", "instance_id": "netskope", "managed_app": "no", "managementID": "1234", "netskope_pop": "IL", "nsdeviceuid": "F-F-F-F", "organization_unit": "", "os": "Monterey", "os_version": "Monterey", "other_categories": ["Technology", "Collaboration"], "page": "netskope.slack.com", "page_site": "Slack", "policy_id": "ID 2022-05-05 07:38:40.068446", "protocol": "HTTPS/1.1", "request_id": 1234, "sanctioned_instance": "", "severity": "unknown", "site": "Slack", "src_country": "IL", "src_latitude": 34, "src_location": "Tel Aviv", "src_longitude": 32, "src_region": "Tel Aviv", "src_time": "Mon May 05 12:53:08 2022", "src_timezone": "Asia/Jerusalem", "src_zipcode": "N/A", "srcip": "1.1.1.1", "telemetry_app": "", "timestamp": 1653904443, "traffic_type": "CloudApp", "transaction_id": 1234, "type": "nspolicy", "ur_normalized": "[email protected]", "url": " ", "user": "[email protected]", "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3_1) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.25.0 Chrome/98.0.4758.109 Electron/17.1.2 Safari/537.36 AppleSilicon Sonic Slack_SSB/4.25.0", "userip": "1.1.1.1", "userkey": "[email protected]"}

V2

{"_id":"12345d8393706a8fb5","access_method":"Client","activity":"Download","alert":"no","app":"Amazon S3","app_session_id":1234520240568470,"appcategory":"Cloud Storage","appsuite":"Amazon","browser":"Chrome","browser_session_id":12345156725175,"browser_version":"121.0.0.0","category":"Cloud Storage","cci":91,"ccl":"excellent","connection_id":123457252589298,"count":1,"device":"Mac Device","device_classification":"not configured","dst_country":"US","dst_latitude":45.8491,"dst_location":"Boardman","dst_longitude":-119.7143,"dst_region":"Oregon","dst_timezone":"America/Los_Angeles","dst_zipcode":"123418","dstip":"12.123.123.12","dstport":443,"file_size":1234,"file_type":"Portable Network Graphics (PNG)","hostname":"ABC MacBook Pro","ja3":"abcsd012e9b69ebfb1600e1","ja3s":"NotAvailable","managed_app":"no","md5":"12345968ab7ad36c6d54ecc","netskope_pop":"IN-ABC","object":"png.png","object_type":"File","organization_unit":"","os":"Sonoma","os_version":"Mac ABC 12.1.1","other_categories":["ALL CAT","Cloud Storage"],"page":"app.abc.com","page_site":"Web Background","policy_id":"ABCD 2024-12-28 01:07:35.212437","protocol":"HTTPS/1.1","referer":"https://app.example.com/","request_id":123450042337024,"severity":"unknown","site":"Amazon S3","src_country":"IN","src_latitude":12.9634,"src_location":"Bengaluru","src_longitude":77.5855,"src_region":"Karnataka","src_time":"Mon Jan  6 14:22:08 2025","src_timezone":"Asia/Kolkata","src_zipcode":"12345","srcip":"123.123.12.12","telemetry_app":"","timestamp":1736153549,"traffic_type":"CloudApp","transaction_id":12345393705636,"tss_mode":"inline","type":"nspolicy","ur_normalized":"[email protected]","url":"abc.s3.us-west-2.example.com/companies/thumbnail.png","user":"[email protected]","useragent":"Mozilla/5.0 (ABC; Intel Mac OS X 10_15_7) ","userip":"123.123.1.5","userkey":"[email protected]","smtp_to":[],"custom_connector":"","dlp_fail_reason":"","notify_template":"","suppression_end_time":0,"shared_with":"","action":"","owner":"","loginurl":"","suppression_start_time":0,"dlp_file":"","orignal_file_path":"","instance_id":"","modified":0,"server_bytes":0,"CononicalName":"","audit_category":"","dlp_rule_severity":"","numbytes":0,"object_id":"","sha256":"","channel_id":"","mime_type":"","userPrincipalName":"","dlp_profile":"","file_lang":"","true_obj_category":"","dlp_mail_parent_id":"","sanctioned_instance":"","dlp_rule_count":0,"data_type":"","justification_reason":"","total_collaborator_count":0,"resp_cnt":0,"file_path":"","title":"","universal_connector":"","audit_type":"","data_center":"","conn_duration":0,"dst_geoip_src":0,"workspace":"","dlp_unique_count":0,"log_file_name":"","retro_scan_name":"","custom_attr":{},"web_universal_connector":"","tss_scan_failed":"","client_bytes":0,"dlp_incident_id":0,"instance":"","justification_type":"","dsthost":"","req_cnt":0,"to_user":"","internal_collaborator_count":0,"serial":"","policy":"","dlp_parent_id":0,"src_geoip_src":0,"workspace_id":"","tss_fail_reason":"","exposure":"","netskope_activity":"","user_category":"","logintype":"","suppression_key":"","app_activity":"","user_confidence_index":0,"user_id":"","ext_labels":[],"parent_id":"","dlp_scan_failed":"","from_user_category":"","dlp_rule":"","managementID":"","sessionid":"","nsdeviceuid":"","true_obj_type":"","alert_type":"","org":"","sAMAccountName":"","from_user":"","fromlogs":"","dlp_is_unique_count":"","scan_type":""}

Alerts Sample

V1

{"_id": "1234", "_insertion_epoch_timestamp": 1653837070, "access_method": "Client", "acked": "false", "action": "block", "activity": "Browse", "alert": "yes", "alert_name": "Simulate - Block Any - Any", "alert_type": "policy", "app_session_id": 1234, "appcategory": "Uncategorized", "browser": "Chrome", "browser_version": "102.0.5005.61", "category": "Uncategorized", "cci": 0, "ccl": "unknown", "connection_id": 0, "count": 1, "device": "Mac Device", "device_classification": "not configured", "dst_country": "Israel", "dst_latitude": 33, "dst_location": "Israel", "dst_longitude": 29, "dst_region": "Gush Dan", "dst_timezone": "UTC +3", "dst_zipcode": "N/A", "dstip": "1.1.1.1", "hostname": "name", "managed_app": "no", "managementID": "12", "netskope_pop": "IL-TLV1", "notify_template": "block_page.html", "nsdeviceuid": "F-F-F-F", "organization_unit": "", "os": "Monterey", "os_version": "Monterey", "other_categories": ["Uncategorized"], "policy": "Simulate - Block Any - Any", "policy_id": "1234 2022-05-05", "protocol": "HTTPS/1.1", "request_id": 1234, "severity": "unknown", "site": "site", "src_country": "IL", "src_latitude": 33, "src_location": "Tel Aviv", "src_longitude": 34, "src_region": "Tel Aviv", "src_time": "Sun May 29 18:10:00 2022", "src_timezone": "Asia/Jerusalem", "src_zipcode": "N/A", "srcip": "1.1.1.1", "telemetry_app": "", "timestamp": 1653837064, "traffic_type": "Web", "transaction_id": 1234, "type": "nspolicy", "ur_normalized": "[email protected]", "url": " ", "user": "[email protected]", "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36", "userip": "1.1.1.1", "userkey": "[email protected]"}

V2

{"_id":"1234567abcdefghjkil","access_method":"Client","acked":"false","action":"block","activity":"Download","alert":"yes","alert_name":"Block Whatsapp Upload and Download","alert_type":"policy","app":"WhatsApp","app_session_id":11223344556857821,"appcategory":"Chat & other communication","browser":"Chrome","browser_session_id":1234567891011730,"browser_version":"123.0.0.0","category":"Chat & other communication","cci":12,"ccl":"poor","connection_id":1234567891011638,"count":1,"device":"Mac Device","device_classification":"not configured","domain":"abc.abcr2-2.fna.whatsapp.net","dst_country":"IN","dst_latitude":12.1234,"dst_location":"Bengaluru","dst_longitude":12.1235,"dst_region":"Karnataka","dst_timezone":"Asia/Kolkata","dst_zipcode":"560002","dstip":"12.123.12.12","dstport":123,"file_size":1234567,"hostname":"MacBook Pro","managed_app":"no","netskope_pop":"IN-MAA2","notify_template":"abc_block.html","object_id":"1234567_12345648830768_12345678967210923","object_type":"File","organization_unit":"","os":"Mac OS","os_version":"Mac OSX 12.3.0","other_categories":["ALL CATEGORIES","Chat & other communication"],"page":"abc.whatsapp.com","page_site":"WhatsApp","policy":"Block Whatsapp Upload and Download","policy_id":"ABCDEFGHJILKH126E0BF70FF36A 2024-12-28 01:07:35.212437","protocol":"HTTPS/1.1","referer":"https://web.whatsapp.com/","request_id":1234567804992,"severity":"unknown","site":"WhatsApp","src_country":"IN","src_latitude":12.1234,"src_location":"Bengaluru","src_longitude":11.2222,"src_region":"Karnataka","src_time":"Mon Jan  6 14:33:00 2025","src_timezone":"Asia/Kolkata","src_zipcode":"560002","srcip":"106.51.119.212","suppression_end_time":1736154257,"suppression_start_time":1736154197,"telemetry_app":"","timestamp":1736154198,"traffic_type":"CloudApp","transaction_id":8847222077216958610,"type":"abpolicy","ur_normalized":"[email protected]","url":"abc.fblr2-2.fna.whatsapp.net/v/t62.7118-24/21229218_1592287148830768_2876205646567210923_n.enc","user":"[email protected]","useragent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/123.12 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36","userip":"123.123.0.123","userkey":"[email protected]","user_id":"","malicious":"","to_object":"","dlp_unique_count":0,"numbytes":0,"malsite_ip_host":"","parent_id":"","last_location":"","netskope_activity":"","sa_rule_id":"","sanctioned_instance":"","dlp_rule":"","breach_date":0,"last_app":"","last_timestamp":0,"userPrincipalName":"","profile_id":"","src_geoip_src":0,"iaas_asset_tags":[],"breach_description":"","server_bytes":0,"from_user":"","req_cnt":0,"severity_level_id":0,"universal_connector":"","data_type":"","sAMAccountName":"","object":"","shared_with":"","alert_id":"","true_obj_category":"","dlp_rule_severity":"","http_transaction_count":0,"policy_actions":[],"conn_starttime":0,"justification_reason":"","breach_id":"","true_obj_type":"","nsdeviceuid":"","custom_attr":{},"title":"","asset_object_id":"","breach_score":"","tss_mode":"","malsite_latitude":0.0,"web_universal_connector":"","threat_match_field":"","malsite_id":"","mime_type":"","dlp_is_unique_count":"","evt_src_chnl":"","org":"","breach_media_references":"","last_region":"","resp_cnt":0,"modified":0,"iaas_remediated":"","instance":"","last_country":"","event_type":"","threshold":0,"serial":"","two_factor_auth":"","web_url":"","malsite_longitude":0.0,"sa_profile_id":0,"compliance_standards":[],"dlp_parent_id":0,"malsite_category":[],"file_lang":"","password_type":"","dst_geoip_src":0,"resource_group":"","app_activity":"","dlp_rule_count":0,"user_confidence_index":0,"last_device":"","region_name":"","account_name":"","fromlogs":"","dlp_incident_id":0,"external_collaborator_count":0,"threat_match_value":"","justification_type":"","exposure":"","sessionid":"","conn_endtime":0,"threat_source_id":0,"threshold_time":0,"conn_duration":0,"CononicalName":"","dlp_mail_parent_id":"","instance_id":"","file_path":"","sa_profile_name":"","external_email":0,"dlp_profile":"","scan_type":"","orignal_file_path":"","severity_level":"","malsite_country":"","breach_target_references":"","orig_ty":"","matched_username":"","total_collaborator_count":0,"asset_id":"","file_type":"","email_source":"","bypass_traffic":"","appsuite":"","md5":"","log_file_name":"","retro_scan_name":"","sa_rule_severity":"","file_cls_encrypted":false,"internal_collaborator_count":0,"sa_rule_name":"","resource_category":"","ext_labels":[],"region_id":"","owner":"","sha256":"","shared_domains":"","managementID":"","suppression_key":"","dsthost":"","account_id":"","malsite_region":"","user_generated":"","client_bytes":0,"dlp_file":""}
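As an added example (not Hunters' or Netskope's own code), the following Python routes lines of a self-collected NDJSON export to the three table names above before shipping them, using only discriminators visible in the samples: a `type` of `admin_audit_logs` marks audit events, `alert` set to `yes` marks alerts, and `_insertion_epoch_timestamp` marks the V1 format. The required-field lists and the sample lines are constructed assumptions, not a Hunters schema.

```python
import json
from datetime import datetime, timezone

# Added example, not Hunters' or Netskope's code: route a self-collected NDJSON export
# to the Hunters table each line belongs to; REQUIRED lists are assumptions.
TABLE_BY_TYPE = {"audit": "netskope_audit_events",
                 "application": "netskope_application_events",
                 "alert": "netskope_alerts"}
REQUIRED = {"audit": ("_id", "timestamp", "user", "audit_log_event", "severity_level"),
            "application": ("_id", "timestamp", "user", "app", "activity", "srcip"),
            "alert": ("_id", "timestamp", "user", "alert_name", "alert_type", "action")}

def classify(event):
    """Data type of one event, using discriminators visible in the samples."""
    if event.get("type") == "admin_audit_logs":
        return "audit"
    if event.get("alert") == "yes":        # application events carry "alert": "no"
        return "alert"
    if "activity" in event:
        return "application"
    raise ValueError("unrecognised Netskope event")

def schema_version(event):
    """V1 samples carry _insertion_epoch_timestamp; the V2 samples do not."""
    return "V1" if "_insertion_epoch_timestamp" in event else "V2"

def route(ndjson_text):
    """Return ([(table, version, iso_utc, event), ...], [(line_no, error), ...])."""
    routed, errors = [], []
    for n, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)          # JSONDecodeError is a ValueError
            kind = classify(event)
            missing = [f for f in REQUIRED[kind] if f not in event]
            if missing:
                raise ValueError(f"{kind} event missing {missing}")
            ts = datetime.fromtimestamp(int(event["timestamp"]), tz=timezone.utc)
            routed.append((TABLE_BY_TYPE[kind], schema_version(event), ts.isoformat(), event))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return routed, errors

# Constructed lines, abbreviated from the page's samples; the last one is truncated JSON.
SAMPLE = """\
{"timestamp": 1653898407, "type": "admin_audit_logs", "user": "admin@example.com", "severity_level": 2, "audit_log_event": "Logout Successful", "_insertion_epoch_timestamp": 1653898710, "_id": "1234"}
{"_id":"5678","alert":"yes","alert_name":"Block Whatsapp Upload and Download","alert_type":"policy","action":"block","activity":"Download","user":"user@example.com","timestamp":1736154198}
{"_id":"9","alert":"no","activity":"Download","app":"Amazon S3","user":"user@example.com","srcip":"123.123.12.12","timestamp":1736153549}
{"_id":"10","activity":"View All","timestamp":
"""
```

Lines that fail to parse or lack a required field are reported with their line number rather than shipped, so a bad export never lands silently in the wrong table.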