Netskope

Integration version: 6.0

Configure Netskope to work with Google Security Operations SOAR

Credentials

To configure the Netskope Cloud Security Platform integration, you need to generate an API key. For instructions on how to generate an API key, see Configure the Netskope Cloud Security Platform event source.

Network

Function | Default Port | Direction | Protocol
--- | --- | --- | ---
API | Multivalues | Outbound | apikey

Configure Netskope integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name | Type | Default Value | Is Mandatory | Description
--- | --- | --- | --- | ---
Instance Name | String | N/A | No | Name of the instance you intend to configure the integration for.
Description | String | N/A | No | Description of the instance.
Api Root | String | https://{IP} | Yes | Address of the Netskope instance.
Api Key | String | N/A | Yes | The API key of the user.
Verify SSL | Checkbox | Unchecked | No | Use this checkbox if your Netskope connection requires SSL verification (unchecked by default).
Run Remotely | Checkbox | Unchecked | No | Select this checkbox to run the configured integration remotely. Once selected, an option appears to choose the remote user (agent).

Actions

Allow File

Description

Allow a quarantined file.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
--- | --- | --- | --- | ---
File ID | String | N/A | Yes | ID that identifies the file.
Quarantine Profile ID | String | N/A | Yes | ID of the quarantine profile.

Run On

This action runs on all entities.

Action Results

Script Result

Script Result Name | Value Options | Example
--- | --- | ---
success | True/False | success:False

JSON Result
N/A

Block File

Description

Block a quarantined file.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
--- | --- | --- | --- | ---
File ID | String | N/A | Yes | ID that identifies the file.
Quarantine Profile ID | String | N/A | Yes | ID of the quarantine profile.

Run On

This action runs on all entities.

Action Results

Script Result

Script Result Name | Value Options | Example
--- | --- | ---
success | True/False | success:False

JSON Result
N/A

Download File

Description

Download a quarantined file.

Parameters

Parameter | Type | Default Value | Description
--- | --- | --- | ---
File ID | String | N/A | ID that identifies the file.
Quarantine Profile ID | String | N/A | ID of the quarantine profile.

Run On

This action runs on the IP Address entity.

Action Results

Script Result

Script Result Name | Value Options | Example
--- | --- | ---
success | True/False | success:False

JSON Result
N/A

List Alerts

Description

List alerts.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
--- | --- | --- | --- | ---
Query | String | N/A | No | Acts as a filter for all the cloud app events in the alerts database.
Type | String | N/A | No | The type of alert to filter by. Valid values: anomaly | 'compromised credential' | policy | 'legal hold' | malsite | Malware | DLP | watchlist | quarantine | Remediation.
Time Period | String | N/A | No | Time period to search alerts in (milliseconds backwards). Valid values: 3600.
Start Time | String | N/A | No | Restrict alerts to those with timestamps greater than this value (Unix time). Needed only if Time Period is not passed.
End Time | String | N/A | No | Restrict alerts to those with timestamps less than this value (Unix time). Needed only if Time Period is not passed.
Is Acknowledged | Checkbox | Unchecked | No | Whether to return only acknowledged alerts.
Limit | String | N/A | No | Number of results to return. Default: 100.

Run On

This action runs on all entities.

Action Results

Script Result

Script Result Name | Value Options | Example
--- | --- | ---
alerts | N/A | N/A

JSON Result
[
    {
        "dstip": "1.1.1.1",
        "app": "Amazon Web Services",
        "profile_id": "NS_307",
        "device": "iPad",
        "shared_credential_user": "jarod.kelly@example.com",
        "app_session_id": 2961859388,
        "dst_location": "Ashburn",
        "dst_region": "Virginia",
        "policy": "Copy prohibited",
        "page_id": 380765822,
        "object_type": "File",
        "dst_latitude": 39.0481,
        "timestamp": 1548603047,
        "src_region": "California",
        "from_user": "bloomberg@example.com",
        "src_location": "San Luis Obispo",
        "traffic_type": "CloudApp",
        "appcategory": "IaaS/PaaS",
        "src_latitude": 35.2635,
        "count": 2,
        "type": "anomaly",
        "risk_level_id": 2,
        "activity": "Upload",
        "userip": "127.0.0.1",
        "src_longitude": -120.6509,
        "browser": "Safari",
        "alert_type": "anomaly",
        "event_type": "user_shared_credentials",
        "_insertion_epoch_timestamp": 1548601562,
        "site": "Amazon Web Services",
        "id": 3561,
        "category": "IaaS/PaaS",
        "orig_ty": "nspolicy",
        "dst_country": "US",
        "src_zipcode": "93401",
        "cci": 94,
        "ur_normalized": "jess.ashby@example.com",
        "object": "quarterly_report.pdf",
        "organization_unit": "",
        "acked": "false",
        "dst_longitude": -77.4728,
        "alert": "yes",
        "user": "Jess.Ashby@example.com",
        "userkey": "Jess.Ashby@example.com",
        "srcip": "72.29.184.1",
        "org": "example.com",
        "src_country": "US",
        "bin_timestamp": 1548633600,
        "dst_zipcode": "20149",
        "url": "http://aws.amazon.com/",
        "sv": "unknown",
        "ccl": "excellent",
        "alert_name": "user_shared_credentials",
        "risk_level": "high",
        "_mladc": ["ur"],
        "threshold_time": 86400,
        "_id": "cadee4a8488b3e139b084134",
        "os": "iOS 6"
    }
]

List Clients

Description

List clients.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
--- | --- | --- | --- | ---
Query | String | N/A | No | Acts as a filter for all the cloud app events in the alerts database.
Limit | String | N/A | No | Number of results to return. Default: 25.

Run On

This action runs on all entities.

Action Results

Script Result

Script Result Name | Value Options | Example
--- | --- | ---
clients | N/A | N/A

JSON Result
[
    {
        "client_install_time": 1532040251,
        "users": [
            {
                "heartbeat_status_since": 1532040385,
                "user_added_time": 1532040167,
                "last_event": {
                    "status": "Enabled",
                    "timestamp": 1548578307,
                    "event": "Tunnel Up",
                    "actor": "System"
                },
                "device_classification_status": "Not Configured",
                "username": "john_doe@example.com",
                "user_source": "Manual",
                "userkey": "K00fuSXl8yMIqgdg",
                "_id": "2461dee6dc8cgdgda",
                "heartbeat_status": "Active"
            }
        ],
        "last_event": {
            "status": "Enabled",
            "timestamp": 1548578307,
            "event": "Tunnel Up",
            "actor": "System"
        },
        "host_info": {
            "device_model": "VMware Virtual Platform",
            "os": "Windows",
            "hostname": "JbortnickVM-10ex64",
            "device_make": "VMware, Inc.",
            "os_version": "10.0"
        },
        "client_version": "1.1.1.1",
        "_id": "JbortnickVM-10ex64",
        "device_id": "JbortnickVM-10ex64"
    }
]

List Events

Description

List events.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
--- | --- | --- | --- | ---
Query | String | N/A | No | Acts as a filter for all the cloud app events in the alerts database.
Type | String | N/A | No | The type of event to filter by. Valid values: page | application | audit | infrastructure.
Time Period | String | N/A | No | Time period to search events in (milliseconds backwards). Valid values: 3600 | 86400 | 604800 | 2592000.
Start Time | String | N/A | No | Restrict events to those with timestamps greater than this value (Unix time). Needed only if Time Period is not passed.
End Time | String | N/A | No | Restrict events to those with timestamps less than this value (Unix time). Needed only if Time Period is not passed.
Limit | String | N/A | No | Number of results to return. Default: 100.
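An added example, not part of the integration or of Netskope's own code, that builds the List Alerts and List Events parameters under the rules documented above (a time period, or else both a start and an end time; a type from the valid list; limit defaulting to 100) and then triages the alert records that List Alerts returns. The query parameter names (`timeperiod`, `starttime`, `endtime`, `acked`) are assumed from the Netskope v1 REST API and do not appear on this page; the sample alerts are constructed from the JSON result shown above.

```python
import json

# Valid values as listed on the page (compared case-insensitively below)
ALERT_TYPES = {"anomaly", "compromised credential", "policy", "legal hold",
               "malsite", "malware", "dlp", "watchlist", "quarantine", "remediation"}
EVENT_TYPES = {"page", "application", "audit", "infrastructure"}
TIME_PERIODS = {3600, 86400, 604800, 2592000}

# Constructed sample, trimmed from the List Alerts JSON result shown on the page
SAMPLE_ALERTS = """[
 {"id": 3561, "user": "Jess.Ashby@example.com", "srcip": "72.29.184.1",
  "policy": "Copy prohibited", "risk_level": "high", "acked": "false"},
 {"id": 3562, "user": "john_doe@example.com", "srcip": "10.0.0.5",
  "policy": "Copy prohibited", "risk_level": "high", "acked": "true"}
]"""


def build_params(kind, type_=None, time_period=None, start_time=None,
                 end_time=None, query=None, acked=False, limit=None):
    """Query dict for 'alerts' or 'events' (v1 API names assumed); raises on misuse."""
    valid = ALERT_TYPES if kind == "alerts" else EVENT_TYPES
    params = {"limit": int(limit) if limit else 100}  # page: default 100
    if type_ is not None:
        if type_.lower() not in valid:
            raise ValueError(f"invalid {kind} type: {type_!r}")
        params["type"] = type_
    if time_period is not None:
        if int(time_period) not in TIME_PERIODS:
            raise ValueError(f"invalid time period: {time_period!r}")
        params["timeperiod"] = int(time_period)
    elif start_time is None or end_time is None:
        # Start/End Time are needed only when no Time Period is passed
        raise ValueError("start_time and end_time required without time_period")
    else:
        params["starttime"], params["endtime"] = int(start_time), int(end_time)
    if query:
        params["query"] = query
    if acked:  # the Is Acknowledged checkbox
        params["acked"] = "true"
    return params


def triage_alerts(raw_json, min_risk="high"):
    """Unacknowledged alerts at/above min_risk as (id, user, srcip, policy) tuples."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [(a["id"], a["user"], a["srcip"], a.get("policy", ""))
            for a in json.loads(raw_json)
            if a.get("acked") != "true"  # acknowledged alerts were already handled
            and order.get(a.get("risk_level"), -1) >= order[min_risk]]
```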

Run On

This action runs on all entities.

Action Results

Script Result

Script Result Name | Value Options | Example
--- | --- | ---
events | N/A | N/A

JSON Result
[
    {
        "dstip": "52.4.228.64",
        "browser_session_id": 1066949788113471080,
        "srcip": "54.203.63.36",
        "app_session_id": 4502249472406092569,
        "os_version": "WindowsServer2016",
        "dst_region": "Virginia",
        "numbytes": 37480,
        "req_cnt": 18,
        "server_bytes": 8994,
        "page_id": 0,
        "page_duration": 867,
        "page_endtime": 1548577530,
        "dst_latitude": 39.0481,
        "timestamp": 1548576663,
        "src_region": "Oregon",
        "src_location": "Boardman",
        "ur_normalized": "mclark@casb.us",
        "appcategory": "",
        "src_latitude": 45.8491,
        "count": 1,
        "bypass_traffic": "no",
        "type": "page",
        "userip": "172.16.1.253",
        "src_longitude": -119.7143,
        "page": "WebBackground",
        "browser": "",
        "domain": "WebBackground",
        "dst_location": "Ashburn",
        "_insertion_epoch_timestamp": 1548577621,
        "site": "WebBackground",
        "access_method": "Client",
        "browser_version": "",
        "category": "",
        "client_bytes": 28486,
        "user_generated": "no",
        "hostname": "IP-C0A84AC",
        "dst_country": "US",
        "resp_cnt": 18,
        "src_zipcode": "97818",
        "traffic_type": "Web",
        "http_transaction_count": 18,
        "organization_unit": "casb.us/Users",
        "page_starttime": 1548576663,
        "dst_longitude": -77.4728,
        "user": "mclark@casb.us",
        "userkey": "mclark@casb.us",
        "device": "WindowsDevice",
        "src_country": "US",
        "dst_zipcode": "20149",
        "url": "WebBackground",
        "sv": "",
        "ccl": "unknown",
        "useragent": "RestSharp/105.2.3.0",
        "_id": "5156e4d6cca4be0215d7bbdb",
        "os": "WindowsServer2016"
    }
]

List Quarantined Files

Description

List quarantined files.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
--- | --- | --- | --- | ---
Start Time | String | N/A | No | Restrict quarantined files to those with timestamps greater than this value (Unix time). Needed only if a time period is not passed.
End Time | String | N/A | No | Restrict quarantined files to those with timestamps less than this value (Unix time). Needed only if a time period is not passed.

Run On

This action runs on all entities.

Action Results

Script Result

Script Result Name | Value Options | Example
--- | --- | ---
files | N/A | N/A

JSON Result
N/A

Ping

Description

Test connectivity to Netskope.

Run On

This action runs on all entities.

Action Results

Script Result

Script Result Name | Value Options | Example
--- | --- | ---
success | True/False | success:False

JSON Result
N/A