Netskope
Integration version: 10.0
Configure Netskope to work with Google Security Operations SOAR
Credentials
To configure the Netskope Cloud Security Platform, you need to generate an API key. For instructions on how to generate an API key, see Configure the Netskope Cloud Security Platform event source.
Network
Function | Default Port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | apikey |
Configure Netskope integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
Description | String | N/A | No | Description of the Instance. |
Api Root | String | https://{IP} | Yes | Address of the Netskope instance. |
Api Key | String | N/A | Yes | The API Key of the user. |
Verify SSL | Checkbox | Unchecked | No | Use this checkbox if your Netskope connection requires SSL verification (unchecked by default). |
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Allow File
Description
Allow a quarantined file.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
File ID | String | N/A | Yes | ID of a file, needed to identify a file. |
Quarantine Profile ID | String | N/A | Yes | ID of a quarantine profile. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
N/A
Block File
Description
Block a quarantined file.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
File ID | String | N/A | Yes | ID of a file, needed to identify a file. |
Quarantine Profile ID | String | N/A | Yes | ID of a quarantine profile. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
N/A
Download File
Description
Download a quarantined file.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
File ID | String | N/A | ID of a file, needed to identify a file. |
Quarantine Profile ID | String | N/A | ID of a quarantine profile. |
Run On
This action runs on the IP Address entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
N/A
List Alerts
Description
List alerts.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Query | String | N/A | No | This acts as a filter for all the cloud app events in the alerts database. |
Type | String | N/A | No | The type of the alert to filter by. Valid values: anomaly | compromised credential | policy | legal hold | malsite | Malware | DLP | watchlist | quarantine | Remediation. |
Time Period | String | N/A | No | Time period to search alerts at (milliseconds backwards). Valid Values: 3600. |
Start time | String | N/A | No | Restrict alerts to those that have timestamps greater than this (unixtime). Needed only if time period is not passed. |
End Time | String | N/A | No | Restrict alerts to those that have timestamps less than this (unixtime). Needed only if time period is not passed. |
Is Acknowledged | Checkbox | Unchecked | No | Whether to get only acknowledged alerts. |
Limit | String | N/A | No | Number of results to return. Default: 100. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
alerts | N/A | N/A |
JSON Result
[
{
"dstip": "1.1.1.1",
"app": "Amazon Web Services",
"profile_id": "NS_307",
"device": "iPad",
"shared_credential_user": "jarod.kelly@example.com",
"app_session_id": 2961859388,
"dst_location": "Ashburn",
"dst_region": "Virginia",
"policy": "Copy prohibited",
"page_id": 380765822,
"object_type": "File",
"dst_latitude": 39.0481,
"timestamp": 1548603047,
"src_region": "California",
"from_user": "bloomberg@example.com",
"src_location": "San Luis Obispo",
"traffic_type": "CloudApp",
"appcategory": "IaaS/PaaS",
"src_latitude": 35.2635,
"count": 2,
"type": "anomaly",
"risk_level_id": 2,
"activity": "Upload",
"userip": "127.0.0.1",
"src_longitude": -120.6509,
"browser": "Safari",
"alert_type": "anomaly",
"event_type": "user_shared_credentials",
"_insertion_epoch_timestamp": 1548601562,
"site": "Amazon Web Services",
"id": 3561,
"category": "IaaS/PaaS",
"orig_ty": "nspolicy",
"dst_country": "US",
"src_zipcode": "93401",
"cci": 94,
"ur_normalized": "jess.ashby@example.com",
"object": "quarterly_report.pdf",
"organization_unit": "",
"acked": "false",
"dst_longitude": -77.4728,
"alert": "yes",
"user": "Jess.Ashby@example.com",
"userkey": "Jess.Ashby@example.com",
"srcip": "72.29.184.1",
"org": "example.com",
"src_country": "US",
"bin_timestamp": 1548633600,
"dst_zipcode": "20149",
"url": "http://aws.amazon.com/",
"sv": "unknown",
"ccl": "excellent",
"alert_name": "user_shared_credentials",
"risk_level": "high",
"_mladc": ["ur"],
"threshold_time": 86400,
"_id": "cadee4a8488b3e139b084134",
"os": "iOS 6"
}
]
List Clients
Description
List clients.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Query | String | N/A | No | This acts as a filter for all the cloud app events in the alerts database. |
Limit | String | N/A | No | Number of results to return. Default: 25. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
clients | N/A | N/A |
JSON Result
[
{
"client_install_time": 1532040251,
"users":
[
{
"heartbeat_status_since": 1532040385,
"user_added_time": 1532040167,
"last_event":
{
"status": "Enabled",
"timestamp": 1548578307,
"event": "Tunnel Up",
"actor": "System"
},
"device_classification_status": "Not Configured",
"username": "john_doe@example.com",
"user_source": "Manual",
"userkey": "K00fuSXl8yMIqgdg",
"_id": "2461dee6dc8cgdgda",
"heartbeat_status": "Active"
}],
"last_event":
{
"status": "Enabled",
"timestamp": 1548578307,
"event": "Tunnel Up",
"actor": "System"
},
"host_info":
{
"device_model": "VMware Virtual Platform",
"os": "Windows",
"hostname": "JbortnickVM-10ex64",
"device_make": "VMware, Inc.",
"os_version": "10.0"
},
"client_version": "1.1.1.1",
"_id": "JbortnickVM-10ex64",
"device_id": "JbortnickVM-10ex64"
}
]
List Events
Description
List events.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Query | String | N/A | No | This acts as a filter for all the cloud app events in the alerts database. |
Type | String | N/A | No | The type of the event to filter by. Valid values: page | application | audit | infrastructure. |
Time Period | String | N/A | No | Time period to search events at (milliseconds backwards). Valid Values: 3600 | 86400 | 604800 | 2592000. |
Start time | String | N/A | No | Restrict events to those that have timestamps greater than this (unixtime). Needed only if time period is not passed. |
End Time | String | N/A | No | Restrict events to those that have timestamps less than this (unixtime). Needed only if time period is not passed. |
Limit | String | N/A | No | Number of results to return. Default: 100. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
events | N/A | N/A |
JSON Result
[
{
"dstip": "52.4.228.64",
"browser_session_id": 1066949788113471080,
"srcip": "54.203.63.36",
"app_session_id": 4502249472406092569,
"os_version": "WindowsServer2016",
"dst_region": "Virginia",
"numbytes": 37480,
"req_cnt": 18,
"server_bytes": 8994,
"page_id": 0,
"page_duration": 867,
"page_endtime": 1548577530,
"dst_latitude": 39.0481,
"timestamp": 1548576663,
"src_region": "Oregon",
"src_location": "Boardman",
"ur_normalized": "mclark@casb.us",
"appcategory": "",
"src_latitude": 45.8491,
"count": 1,
"bypass_traffic": "no",
"type": "page",
"userip": "172.16.1.253",
"src_longitude": -119.7143,
"page": "WebBackground",
"browser": "",
"domain": "WebBackground",
"dst_location": "Ashburn",
"_insertion_epoch_timestamp": 1548577621,
"site": "WebBackground",
"access_method": "Client",
"browser_version": "",
"category": "",
"client_bytes": 28486,
"user_generated": "no",
"hostname": "IP-C0A84AC",
"dst_country": "US",
"resp_cnt": 18,
"src_zipcode": "97818",
"traffic_type": "Web",
"http_transaction_count": 18,
"organization_unit": "casb.us/Users",
"page_starttime": 1548576663,
"dst_longitude": -77.4728,
"user": "mclark@casb.us",
"userkey": "mclark@casb.us",
"device": "WindowsDevice",
"src_country": "US",
"dst_zipcode": "20149",
"url": "WebBackground",
"sv": "",
"ccl": "unknown",
"useragent": "RestSharp/105.2.3.0",
"_id": "5156e4d6cca4be0215d7bbdb",
"os": "WindowsServer2016"
}
]
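The List Alerts and List Events tables above share the same windowing rules (a time period or an explicit start/end pair, never both) and each has its own fixed set of valid types. The following added example, which is not part of the Netskope integration, encodes those rules so a playbook author can validate inputs before running the action, and shows how to filter the alert JSON result for unacknowledged high-risk alerts. The parameter keys (`type`, `timeperiod`, `starttime`, `endtime`, `limit`) and the requirement that both bounds be given when no time period is passed are assumptions.

```python
# Added example, not the integration's own code. Parameter keys are assumptions.
from typing import Any, Dict, List, Optional

ALERT_TYPES = {"anomaly", "compromised credential", "policy", "legal hold",
               "malsite", "Malware", "DLP", "watchlist", "quarantine", "Remediation"}
EVENT_TYPES = {"page", "application", "audit", "infrastructure"}
ALERT_PERIODS = {3600}                       # only valid period for List Alerts
EVENT_PERIODS = {3600, 86400, 604800, 2592000}

def build_params(kind: str, type_: Optional[str] = None,
                 time_period: Optional[int] = None,
                 start_time: Optional[int] = None, end_time: Optional[int] = None,
                 limit: int = 100) -> Dict[str, Any]:
    """Return the parameter set for List Alerts ("alerts") or List Events ("events")."""
    types, periods = (ALERT_TYPES, ALERT_PERIODS) if kind == "alerts" else (EVENT_TYPES, EVENT_PERIODS)
    params: Dict[str, Any] = {"limit": limit}      # page default is 100 for both actions
    if type_ is not None:
        if type_ not in types:
            raise ValueError(f"invalid {kind} type: {type_!r}")
        params["type"] = type_
    if time_period is not None:
        # A time period and explicit bounds are alternatives, not combinable.
        if start_time is not None or end_time is not None:
            raise ValueError("pass either a time period or start/end time, not both")
        if time_period not in periods:
            raise ValueError(f"time period must be one of {sorted(periods)}")
        params["timeperiod"] = time_period
    else:
        # Assumption: without a time period both unixtime bounds are required.
        if start_time is None or end_time is None or start_time >= end_time:
            raise ValueError("start time and end time (start < end) are required without a time period")
        params["starttime"], params["endtime"] = start_time, end_time
    return params

def unacked_high_risk_ids(alerts: List[Dict[str, Any]]) -> List[int]:
    """IDs of alerts still needing attention. In the sample result "acked" is the
    string "false", so compare the string rather than testing its truthiness."""
    return [a["id"] for a in alerts
            if str(a.get("acked", "")).lower() == "false" and a.get("risk_level") == "high"]

# Constructed sample shaped like the List Alerts JSON result above.
SAMPLE_ALERTS = [
    {"id": 3561, "alert_type": "anomaly", "risk_level": "high", "acked": "false"},
    {"id": 3562, "alert_type": "policy", "risk_level": "high", "acked": "true"},
    {"id": 3563, "alert_type": "DLP", "risk_level": "low", "acked": "false"},
]
```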
List Quarantined Files
Description
List quarantined files.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Start time | String | N/A | No | Restrict events to those that have timestamps greater than this (unixtime). Needed only if time period is not passed. |
End Time | String | N/A | No | Restrict events to those that have timestamps less than this (unixtime). Needed only if time period is not passed. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
files | N/A | N/A |
JSON Result
N/A
Ping
Description
Test connectivity to Netskope.
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
N/A