Netskope

Integration version: 10.0

Configure Netskope to work with Google Security Operations SOAR

Credentials

To configure the Netskope Cloud Security Platform, you need to generate an API Key. For more instructions about how to generate API Key, see Configure the Netskope Cloud Security Platform event source.

Network

Function Default Port Direction Protocol
API Multivalues Outbound apikey

Configure Netskope integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Api Root String https://{IP} Yes Address of the Netskope instance.
Api Key String N/A Yes The API Key of the user.
Verify SSL Checkbox Unchecked No Use this checkbox, if your Netskope connection requires an SSL verification (unchecked by default).
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Allow File

Description

Allow a quarantined file.

Parameters

Parameter Type Default Value Is Mandatory Description
File ID String N/A Yes ID of a file, that's needed to identify a file.
Quarantine Profile ID String N/A Yes ID of a quarantine profile.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A

Block File

Description

Block a quarantined file.

Parameters

Parameter Type Default Value Is Mandatory Description
File ID String N/A Yes ID of a file, needed to identify a file.
Quarantine Profile ID String N/A Yes ID of a quarantine profile.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A

Download File

Description

Download a quarantined file.

Parameters

Parameter Type Default Value Description
File ID String N/A ID of a file, needed to identify a file.
Quarantine Profile ID String N/A ID of a quarantine profile.

Run On

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A

List Alerts

Description

List alerts.

Parameters

Parameter Type Default Value Is Mandatory Description
Query String N/A No This acts as a filter for all the cloud app events in the alerts database.
Type String N/A No The type of the alert to filter by. Valid values: anomaly | 'compromised credential' |policy|'legal hold' |malsite||Malware DLP| |watchlist | quarantine | Remediation.
Time Period String N/A No Time period to search alerts at (milliseconds backwards). Valid Values: 3600.
Start time String N/A No Restrict alerts to those that have timestamps greater than this (unixtime). Needed only if time period is not passed.
End Time String N/A No Restrict alerts to those that have timestamps less than this (unixtime). Needed only if time period is not passed.
Is Acknowledged Checkbox Unchecked No Whether to get only acknowledged alerts.
Limit String N/A No Number of results to return. Default: 100.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
alerts N/A N/A
JSON Result
[
    {
        "dstip": "1.1.1.1",
        "app": "Amazon Web Services",
        "profile_id": "NS_307",
        "device": "iPad",
        "shared_credential_user": "jarod.kelly@example.com",
        "app_session_id": 2961859388,
        "dst_location": "Ashburn",
        "dst_region": "Virginia",
        "policy": "Copy prohibited",
        "page_id": 380765822,
        "object_type": "File",
        "dst_latitude": 39.0481,
        "timestamp": 1548603047,
        "src_region": "California",
        "from_user": "bloomberg@example.com",
        "src_location": "San Luis Obispo",
        "traffic_type": "CloudApp",
        "appcategory": "IaaS/PaaS",
        "src_latitude": 35.2635,
        "count": 2,
        "type": "anomaly",
        "risk_level_id": 2,
        "activity": "Upload",
        "userip": "127.0.0.1",
        "src_longitude": -120.6509,
        "browser": "Safari",
        "alert_type": "anomaly",
        "event_type": "user_shared_credentials",
        "_insertion_epoch_timestamp": 1548601562,
        "site": "Amazon Web Services",
        "id": 3561,
        "category": "IaaS/PaaS",
        "orig_ty": "nspolicy",
        "dst_country": "US",
        "src_zipcode": "93401",
        "cci": 94,
        "ur_normalized": "jess.ashby@example.com",
        "object": "quarterly_report.pdf",
        "organization_unit": "",
        "acked": "false",
        "dst_longitude": -77.4728,
        "alert": "yes",
        "user": "Jess.Ashby@example.com",
        "userkey": "Jess.Ashby@example.com",
        "srcip": "72.29.184.1",
        "org": "example.com",
        "src_country": "US",
        "bin_timestamp": 1548633600,
        "dst_zipcode": "20149",
        "url": "http://aws.amazon.com/",
        "sv": "unknown",
        "ccl": "excellent",
        "alert_name": "user_shared_credentials",
        "risk_level": "high",
        "_mladc": ["ur"],
        "threshold_time": 86400,
        "_id": "cadee4a8488b3e139b084134",
        "os": "iOS 6"
    }
]

List Clients

Description

List clients.

Parameters

Parameter Type Default Value Is Mandatory Description
Query String N/A No This acts as a filter for all the cloud app events in the alerts database.
Limit String N/A No Number of results to return. Default: 25.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
clients N/A N/A
JSON Result
[
       {
         "client_install_time": 1532040251,
         "users":
        [
            {
                "heartbeat_status_since": 1532040385,
                "user_added_time": 1532040167,
                "last_event":
                {
                    "status": "Enabled",
                    "timestamp": 1548578307,
                    "event": "Tunnel Up",
                    "actor": "System"
                },
                "device_classification_status": "Not Configured",
                "username": "john_doe@example.com",
                "user_source": "Manual",
                "userkey": "K00fuSXl8yMIqgdg",
                "_id": "2461dee6dc8cgdgda",
                "heartbeat_status": "Active"
            }],
        "last_event":
        {
            "status": "Enabled",
            "timestamp": 1548578307,
            "event": "Tunnel Up",
            "actor": "System"
        },
        "host_info":
        {
            "device_model": "VMware Virtual Platform",
            "os": "Windows",
            "hostname": "JbortnickVM-10ex64",
            "device_make": "VMware, Inc.",
            "os_version": "10.0"
        },
        "client_version": "1.1.1.1",
        "_id": "JbortnickVM-10ex64",
        "device_id": "JbortnickVM-10ex64"
    }
 ]

List Events

Description

List events.

Parameters

Parameter Type Default Value Is Mandatory Description
Query String N/A No This acts as a filter for all the cloud app events in the alerts database.
Type String N/A No The type of the alert to filter by. Valid values: page |application | audit | infrastructure.
Time Period String N/A No Time period to search events at (milliseconds backwards). Valid Values: 3600 |86400| 604800|2592000.
Start time String N/A No Restrict events to those that have timestamps greater than this (unixtime). Needed only if time period is not passed.
End Time String N/A No Restrict events to those that have timestamps less than this (unixtime). Needed only if time period is not passed.
Limit String N/A No Number of results to return. Default: 100.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
events N/A N/A
JSON Results

    {
        "dstip": "52.4.228.64",
        "browser_session_id": 1066949788113471080,
        "srcip": "54.203.63.36",
        "app_session_id": 4502249472406092569,
        "os_version": "WindowsServer2016",
        "dst_region": "Virginia",
        "numbytes": 37480,
        "req_cnt": 18,
        "server_bytes": 8994,
        "page_id": 0,
        "page_duration": 867,
        "page_endtime": 1548577530,
        "dst_latitude": 39.0481,
        "timestamp": 1548576663,
        "src_region": "Oregon",
        "src_location": "Boardman",
        "ur_normalized": "mclark@casb.us",
        "appcategory": "",
        "src_latitude": 45.8491,
        "count": 1,
        "bypass_traffic": "no",
        "type": "page",
        "userip": "172.16.1.253",
        "src_longitude": -119.7143,
        "page": "WebBackground",
        "browser": "",
        "domain": "WebBackground",
        "dst_location": "Ashburn",
        "_insertion_epoch_timestamp": 1548577621,
        "site": "WebBackground",
        "access_method": "Client",
        "browser_version": "",
        "category": "",
        "client_bytes": 28486,
        "user_generated": "no",
        "hostname": "IP-C0A84AC",
        "dst_country": "US",
        "resp_cnt": 18,
        "src_zipcode": "97818",
        "traffic_type": "Web",
        "http_transaction_count": 18,
        "organization_unit": "casb.us/Users",
        "page_starttime": 1548576663,
        "dst_longitude": -77.4728,
        "user": "mclark@casb.us",
        "userkey": "mclark@casb.us",
        "device": "WindowsDevice",
        "src_country": "US",
        "dst_zipcode": "20149",
        "url": "WebBackground",
        "sv": "",
        "ccl": "unknown",
        "useragent": "RestSharp/105.2.3.0",
        "_id": "5156e4d6cca4be0215d7bbdb",
        "os": "WindowsServer2016"
    }
]

List Quarantined Files

Description

List quarantined files.

Parameters

Parameter Type Default Value Is Mandatory Description
Start time String N/A No Restrict events to those that have timestamps greater than this (unixtime). Needed only if time period is not passed.
End Time String N/A No Restrict events to those that have timestamps less than this (unixtime). Needed only if time period is not passed.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
files N/A N/A
JSON Result
N/A

Ping

Description

Test connectivity to Netskope.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result
N/A