Netskope
This guide describes how to integrate Netskope with Google Security Operations (Google SecOps).
Integration version: 11.0
Use cases
Integrating Netskope with Google SecOps can help you solve the following use cases:
Phishing URL investigation and blocking: upon receiving a phishing URL alert, use the Google SecOps capabilities to query the Netskope cloud security platform for information about the URL reputation and categorization. If the URL is confirmed as malicious, Netskope can automatically block it across your organization's network.
Malware analysis and containment: use the Google SecOps capabilities to submit a malware sample to Netskope for dynamic analysis. Based on the analysis results, Netskope can then enforce policies to quarantine infected devices or block further communication with malicious command-and-control servers.
Compromised account remediation: use the Google SecOps capabilities to identify suspicious login attempts or activities and enforce actions, such as password resets, multi-factor authentication challenges, or account suspension.
Vulnerability scanning and patching: use the Google SecOps capabilities to receive alerts about vulnerabilities detected in cloud applications.
Incident response automation: use the Google SecOps capabilities to gather contextual information about the incident, such as user activity, network traffic, and data access logs and automate incident response tasks, such as isolating affected systems, blocking malicious traffic, and notifying relevant stakeholders.
Threat intelligence enrichment: use the Google SecOps capabilities to integrate with Netskope threat intelligence feeds and enrich security alerts with additional context.
Before you begin
Before you configure the Netskope integration in Google SecOps, generate the Netskope API key. The token authenticates every request the integration makes, so store it as a secret rather than in plain text.
To generate the API key, complete the following steps:
- In the Netskope Admin Console, select Settings.
- Go to Tools > REST API v1.
- Copy the API Token value to use it later when configuring the Api Key parameter.
To configure the network setting for the integration, refer to the following table:
Function | Default port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | HTTPS (authenticated with the API key) |
Integrate Netskope with Google SecOps
The Netskope integration requires the following parameters:
Parameter | Description |
---|---|
Api Root | Required. The API root of the Netskope instance. |
Api Key | Required. The API key to authenticate with the Netskope API. To configure this parameter, enter the API token value that you obtained when you generated the API key. |
Verify SSL | Optional. If selected, the integration verifies that the SSL certificate for connecting to the Netskope server is valid. Not selected by default. Select it in production: without certificate verification, the API key is sent to whatever endpoint answers for the Api Root host. |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action.
Allow File
Use the Allow File action to allow a quarantined file.
This action runs on all Google SecOps entities.
Action inputs
The Allow File action requires the following parameters:
Parameter | Description |
---|---|
File ID | Required. The ID of the file to allow. |
Quarantine Profile ID | Required. The ID of the quarantine profile that is associated with the file. |
Action outputs
The Allow File action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Allow File action:
Script result name | Value |
---|---|
is_success |
True or False |
Block File
Use the Block File action to block a quarantined file.
This action runs on all Google SecOps entities.
Action inputs
The Block File action requires the following parameters:
Parameter | Description |
---|---|
File ID | Required. The ID of the file to block in Netskope. |
Quarantine Profile ID | Required. The ID of the quarantine profile to use when blocking the file. |
Action outputs
The Block File action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Block File action:
Script result name | Value |
---|---|
is_success |
True or False |
Download File
Use the Download File action to download a quarantined file.
This action runs on the Google SecOps IP Address entity.
Action inputs
The Download File action requires the following parameters:
Parameter | Description |
---|---|
File ID | Required. The ID of the file to download from quarantine. |
Quarantine Profile ID | Required. The ID of the quarantine profile which the file belongs to. |
Action outputs
The Download File action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Download File action:
Script result name | Value |
---|---|
is_success |
True or False |
List Alerts
Use the List Alerts action to list alerts.
This action runs on all Google SecOps entities.
Action inputs
The List Alerts action requires the following parameters:
Parameter | Description |
---|---|
Query | Optional. A query to filter the cloud application events in the alerts database. |
Type | Optional. A type of alerts to filter by. The possible values are as follows: |
Time Period | Optional. The time period in milliseconds prior to now to search for alerts. The possible values are |
Start Time | Optional. A start time to filter alerts with timestamps greater than the specified Unix epoch time. Use this parameter only if you didn't set the |
End Time | Optional. An end time to filter alerts with timestamps less than the specified Unix epoch time. Use this parameter only if you didn't set the |
Is Acknowledged | Optional. If selected, the integration filters for acknowledged alerts. Not selected by default. |
Limit | Optional. The number of results to return. The default value is |
Action outputs
The List Alerts action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Alerts action:
[
{
"dstip": "192.0.2.1",
"app": "Amazon Web Services",
"profile_id": "ID",
"device": "iPad",
"shared_credential_user": "example@example.com",
"app_session_id": 2961859388,
"dst_location": "Ashburn",
"dst_region": "Virginia",
"policy": "Copy prohibited",
"page_id": 380765822,
"object_type": "File",
"dst_latitude": 39.0481,
"timestamp": 1548603047,
"src_region": "California",
"from_user": "user@example.com",
"src_location": "San Luis Obispo",
"traffic_type": "CloudApp",
"appcategory": "IaaS/PaaS",
"src_latitude": 35.2635,
"count": 2,
"type": "anomaly",
"risk_level_id": 2,
"activity": "Upload",
"userip": "203.0.113.1",
"src_longitude": -120.6509,
"browser": "Safari",
"alert_type": "anomaly",
"event_type": "user_shared_credentials",
"_insertion_epoch_timestamp": 1548601562,
"site": "Amazon Web Services",
"id": 3561,
"category": "IaaS/PaaS",
"orig_ty": "nspolicy",
"dst_country": "US",
"src_zipcode": "93401",
"cci": 94,
"ur_normalized": "user@example.com",
"object": "quarterly_report.pdf",
"organization_unit": "",
"acked": "false",
"dst_longitude": -77.4728,
"alert": "yes",
"user": "user@example.com",
"userkey": "user@example.com",
"srcip": "198.51.100.1",
"org": "example.com",
"src_country": "US",
"bin_timestamp": 1548633600,
"dst_zipcode": "20149",
"url": "http://aws.amazon.com/",
"sv": "unknown",
"ccl": "excellent",
"alert_name": "user_shared_credentials",
"risk_level": "high",
"_mladc": ["ur"],
"threshold_time": 86400,
"_id": "cadee4a8488b3e139b084134",
"os": "iOS 6"
}
]
Script result
The following table lists the value for the script result output when using the List Alerts action:
Script result name | Value |
---|---|
alerts |
ALERT_LIST |
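The following Python script is an added example; it is not part of the Netskope integration or of Google SecOps. It models the input constraints of the List Alerts action described above (Time Period is an alternative to an explicit Start Time/End Time window, and the window is in Unix epoch seconds) and then triages a List Alerts JSON result offline. The sample alerts are a constructed, trimmed copy of the JSON result shown on this page plus one invented acknowledged alert; the parameter names mirror the table above, and nothing here calls the Netskope API.

```python
"""Added example: List Alerts parameter checks and offline triage of the
alert JSON. Not Netskope or Google SecOps code; sample data is constructed."""
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample in the shape of the List Alerts JSON result. The first
# record is trimmed from the example on this page; the second is invented.
# Note that "acked" arrives as the string "false"/"true", not a boolean.
SAMPLE_ALERTS: List[Dict[str, Any]] = json.loads("""
[
  {"_id": "cadee4a8488b3e139b084134", "id": 3561, "type": "anomaly",
   "alert_name": "user_shared_credentials", "risk_level": "high",
   "acked": "false", "user": "user@example.com", "app": "Amazon Web Services",
   "srcip": "198.51.100.1", "object": "quarterly_report.pdf",
   "timestamp": 1548603047},
  {"_id": "000000000000000000000001", "id": 3562, "type": "policy",
   "alert_name": "dlp_match", "risk_level": "low",
   "acked": "true", "user": "other@example.com", "app": "Box",
   "srcip": "198.51.100.2", "object": "notes.txt",
   "timestamp": 1548603100}
]
""")


def build_alert_params(
    query: Optional[str] = None,
    alert_type: Optional[str] = None,
    time_period_ms: Optional[int] = None,
    start_time: Optional[int] = None,
    end_time: Optional[int] = None,
    is_acknowledged: bool = False,
    limit: Optional[int] = None,
) -> Dict[str, Any]:
    """Assemble the List Alerts inputs and reject combinations the action
    does not support: Time Period excludes Start Time/End Time, an explicit
    window must be ordered, and Limit must be positive. Limit is omitted
    when not given so the action's own default applies."""
    if time_period_ms is not None and (start_time is not None or end_time is not None):
        raise ValueError("Time Period cannot be combined with Start Time or End Time")
    if time_period_ms is not None and time_period_ms <= 0:
        raise ValueError("Time Period must be a positive number of milliseconds")
    if start_time is not None and end_time is not None and start_time >= end_time:
        raise ValueError("Start Time must be earlier than End Time")
    if limit is not None and limit < 1:
        raise ValueError("Limit must be at least 1")

    params: Dict[str, Any] = {"Is Acknowledged": is_acknowledged}
    if query:
        params["Query"] = query
    if alert_type:
        params["Type"] = alert_type
    if time_period_ms is not None:
        params["Time Period"] = time_period_ms
    if start_time is not None:
        params["Start Time"] = start_time
    if end_time is not None:
        params["End Time"] = end_time
    if limit is not None:
        params["Limit"] = limit
    return params


def window_from_period(now_epoch: int, time_period_ms: int) -> Tuple[int, int]:
    """Convert a Time Period (milliseconds before now) into the equivalent
    Start Time/End Time pair in Unix epoch seconds."""
    return now_epoch - time_period_ms // 1000, now_epoch


def is_acked(alert: Dict[str, Any]) -> bool:
    """Acknowledgement is encoded as the string "false"/"true"; a plain
    truthiness test on the field would treat every alert as acknowledged."""
    return str(alert.get("acked", "false")).strip().lower() == "true"


def triage(alerts: List[Dict[str, Any]],
           risk_levels: Tuple[str, ...] = ("high",)) -> List[Dict[str, Any]]:
    """Return unacknowledged alerts at the given risk levels, reduced to the
    fields an analyst pivots on, oldest first."""
    picked = []
    for alert in alerts:
        if is_acked(alert) or alert.get("risk_level") not in risk_levels:
            continue
        picked.append({
            "alert_id": alert["_id"],
            "alert_name": alert.get("alert_name"),
            "type": alert.get("type"),
            "user": alert.get("user"),
            "srcip": alert.get("srcip"),
            "app": alert.get("app"),
            "object": alert.get("object"),
            "timestamp": alert.get("timestamp"),
        })
    picked.sort(key=lambda a: a["timestamp"] or 0)
    return picked


if __name__ == "__main__":
    print(build_alert_params(alert_type="anomaly", time_period_ms=86_400_000))
    print(json.dumps(triage(SAMPLE_ALERTS), indent=2))
```

The `is_acked` helper is the part worth keeping: the `acked` field in the page's sample is the string `"false"`, which is truthy in Python, so a playbook that tests the raw field skips every alert.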
List Clients
Use the List Clients action to list clients.
This action runs on all Google SecOps entities.
Action inputs
The List Clients action requires the following parameters:
Parameter | Description |
---|---|
Query | Optional. Filters the clients retrieved from the database. |
Limit | Optional. Limits the number of clients returned by the action. The default value is |
Action outputs
The List Clients action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Clients action:
[
{
"client_install_time": 1532040251,
"users":
[
{
"heartbeat_status_since": 1532040385,
"user_added_time": 1532040167,
"last_event":
{
"status": "Enabled",
"timestamp": 1548578307,
"event": "Tunnel Up",
"actor": "System"
},
"device_classification_status": "Not Configured",
"username": "user@example.com",
"user_source": "Manual",
"userkey": "K00fuSXl8yMIqgdg",
"_id": "ID",
"heartbeat_status": "Active"
}],
"last_event":
{
"status": "Enabled",
"timestamp": 1548578307,
"event": "Tunnel Up",
"actor": "System"
},
"host_info":
{
"device_model": "VMware Virtual Platform",
"os": "Windows",
"hostname": "HOSTNAME",
"device_make": "VMware, Inc.",
"os_version": "10.0"
},
"client_version": "1.1.1.1",
"_id": "ID",
"device_id": "DEVICE_ID"
}
]
Script result
The following table lists the value for the script result output when using the List Clients action:
Script result name | Value |
---|---|
clients |
CLIENT_LIST |
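The following Python script is an added example, not code from the Netskope integration or Google SecOps. It walks a List Clients JSON result and flags endpoints whose Netskope client is not steering traffic: a last event other than "Tunnel Up"/"Enabled", a stale last event, or a user whose heartbeat is not "Active". The sample is a constructed copy of the JSON result above with a second, invented unhealthy device; the values "Tunnel Down", "Disabled" and "Inactive" and the 24-hour staleness threshold are assumptions, not documented Netskope values or defaults.

```python
"""Added example: health check over the List Clients JSON result.
Not Netskope or Google SecOps code; sample data and thresholds are constructed."""
import json
from typing import Any, Dict, List

# Constructed sample in the shape of the List Clients JSON result. The first
# device mirrors the page's example; the second is invented to show the
# unhealthy case (event names for the unhealthy state are assumptions).
SAMPLE_CLIENTS: List[Dict[str, Any]] = json.loads("""
[
  {"_id": "c1", "device_id": "DEVICE_1", "client_version": "1.1.1.1",
   "client_install_time": 1532040251,
   "host_info": {"hostname": "WS-01", "os": "Windows", "os_version": "10.0",
                 "device_make": "VMware, Inc.", "device_model": "VMware Virtual Platform"},
   "last_event": {"status": "Enabled", "timestamp": 1548578307,
                  "event": "Tunnel Up", "actor": "System"},
   "users": [{"username": "user@example.com", "heartbeat_status": "Active",
              "heartbeat_status_since": 1548578307,
              "device_classification_status": "Not Configured",
              "user_source": "Manual", "userkey": "K00fuSXl8yMIqgdg", "_id": "u1"}]},
  {"_id": "c2", "device_id": "DEVICE_2", "client_version": "1.1.1.1",
   "client_install_time": 1532040251,
   "host_info": {"hostname": "WS-02", "os": "Windows", "os_version": "10.0",
                 "device_make": "VMware, Inc.", "device_model": "VMware Virtual Platform"},
   "last_event": {"status": "Disabled", "timestamp": 1548400000,
                  "event": "Tunnel Down", "actor": "User"},
   "users": [{"username": "admin@example.com", "heartbeat_status": "Inactive",
              "heartbeat_status_since": 1548400000,
              "device_classification_status": "Not Configured",
              "user_source": "Manual", "userkey": "Zz9fuSXl8yMIqgdg", "_id": "u2"}]}
]
""")

HEALTHY_EVENT = "Tunnel Up"
HEALTHY_STATUS = "Enabled"


def client_findings(clients: List[Dict[str, Any]], now_epoch: int,
                    stale_after_s: int = 24 * 3600) -> List[Dict[str, Any]]:
    """Return one finding per device whose client is not steering traffic.
    Each finding lists the device, hostname and the reasons it was flagged,
    so a playbook can decide between re-enabling the client and isolating
    the host."""
    findings = []
    for client in clients:
        reasons: List[str] = []
        last = client.get("last_event") or {}
        host = client.get("host_info") or {}

        # A client that is disabled or whose tunnel is down sends traffic
        # straight to the internet; recording the actor separates a user
        # disabling steering from a system-side failure.
        if last.get("event") != HEALTHY_EVENT or last.get("status") != HEALTHY_STATUS:
            reasons.append(
                f"client state {last.get('event')!r}/{last.get('status')!r} "
                f"set by {last.get('actor')!r}"
            )

        # No recent event means the device may be offline or the agent dead.
        ts = last.get("timestamp")
        if ts is None:
            reasons.append("no last_event timestamp")
        elif now_epoch - ts > stale_after_s:
            reasons.append(f"last client event {(now_epoch - ts) // 3600} h ago")

        for user in client.get("users") or []:
            if user.get("heartbeat_status") != "Active":
                reasons.append(
                    f"user {user.get('username')} heartbeat "
                    f"{user.get('heartbeat_status')!r}"
                )

        if reasons:
            findings.append({
                "device_id": client.get("device_id"),
                "hostname": host.get("hostname"),
                "client_version": client.get("client_version"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(client_findings(SAMPLE_CLIENTS, now_epoch=1548578307 + 3600), indent=2))
```

Run it with a `now_epoch` taken from the current clock in practice; the fixed value above keeps the sample device fresh so only the invented unhealthy device is reported.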
List Events
Use the List Events action to list events.
This action runs on all Google SecOps entities.
Action inputs
The List Events action requires the following parameters:
Parameter | Description |
---|---|
Query | Optional. A query to filter the cloud application events in the events database. |
Type | Optional. A type of events to filter by. The possible values are as follows: |
Time Period | Optional. The time period in milliseconds prior to now to search for events. The possible values are as follows: |
Start Time | Optional. A start time to filter events with timestamps greater than the specified Unix epoch time. Use this parameter only if you didn't set the |
End Time | Optional. An end time to filter events with timestamps less than the specified Unix epoch time. Use this parameter only if you didn't set the |
Limit | Optional. The number of results to return. The default value is |
Action outputs
The List Events action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Events action:
[
{
"dstip": "192.0.2.64",
"browser_session_id": 1066949788113471080,
"srcip": "198.51.100.36",
"app_session_id": 4502249472406092569,
"os_version": "WindowsServer2016",
"dst_region": "Virginia",
"numbytes": 37480,
"req_cnt": 18,
"server_bytes": 8994,
"page_id": 0,
"page_duration": 867,
"page_endtime": 1548577530,
"dst_latitude": 39.0481,
"timestamp": 1548576663,
"src_region": "Oregon",
"src_location": "Boardman",
"ur_normalized": "user@example.com",
"appcategory": "",
"src_latitude": 45.8491,
"count": 1,
"bypass_traffic": "no",
"type": "page",
"userip": "203.0.113.253",
"src_longitude": -119.7143,
"page": "WebBackground",
"browser": "",
"domain": "WebBackground",
"dst_location": "Ashburn",
"_insertion_epoch_timestamp": 1548577621,
"site": "WebBackground",
"access_method": "Client",
"browser_version": "",
"category": "",
"client_bytes": 28486,
"user_generated": "no",
"hostname": "IP-C0A84AC",
"dst_country": "US",
"resp_cnt": 18,
"src_zipcode": "97818",
"traffic_type": "Web",
"http_transaction_count": 18,
"organization_unit": "example.com/Users",
"page_starttime": 1548576663,
"dst_longitude": -77.4728,
"user": "user@example.com",
"userkey": "user@example.com",
"device": "WindowsDevice",
"src_country": "US",
"dst_zipcode": "20149",
"url": "WebBackground",
"sv": "",
"ccl": "unknown",
"useragent": "RestSharp/192.0.2.0",
"_id": "ID",
"os": "WindowsServer2016"
}
]
Script result
The following table lists the value for the script result output when using the List Events action:
Script result name | Value |
---|---|
events |
EVENT_LIST |
List Quarantined Files
Use the List Quarantined Files action to list quarantined files.
This action runs on all Google SecOps entities.
Action inputs
The List Quarantined Files action requires the following parameters:
Parameter | Description |
---|---|
Start Time | Optional. A start time in Unix epoch format. Only quarantined files with timestamps greater than this value are returned. |
End Time | Optional. An end time in Unix epoch format. Only quarantined files with timestamps less than this value are returned. |
Action outputs
The List Quarantined Files action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the List Quarantined Files action:
Script result name | Value |
---|---|
files |
FILE_LIST |
Ping
Use the Ping action to test the connectivity to Netskope.
This action runs on all Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success |
True or False |