Netskope
This guide describes how to integrate Netskope with Google Security Operations (Google SecOps).
Integration version: 11.0
Use cases
Integrating Netskope with Google SecOps can help you solve the following use cases:
- Phishing URL investigation and blocking: upon receiving a phishing URL alert, use the Google SecOps capabilities to query the Netskope cloud security platform for information about the URL reputation and categorization. If the URL is confirmed as malicious, Netskope can automatically block the URL across your organization's network.
- Malware analysis and containment: use the Google SecOps capabilities to submit a malware sample to Netskope for dynamic analysis. Based on the analysis results, Netskope can then enforce policies to quarantine infected devices or block further communication with malicious command-and-control servers.
- Compromised account remediation: use the Google SecOps capabilities to identify suspicious login attempts or activities and enforce actions, such as password resets, multi-factor authentication challenges, or account suspension.
- Vulnerability scanning and patching: use the Google SecOps capabilities to receive alerts about vulnerabilities detected in cloud applications.
- Incident response automation: use the Google SecOps capabilities to gather contextual information about the incident, such as user activity, network traffic, and data access logs, and to automate incident response tasks, such as isolating affected systems, blocking malicious traffic, and notifying relevant stakeholders.
- Threat intelligence enrichment: use the Google SecOps capabilities to integrate with Netskope threat intelligence feeds and enrich security alerts with additional context.
Before you begin
Before you configure the Netskope integration in Google SecOps, generate the Netskope API key.
To generate the API key, complete the following steps:
- In the Netskope Admin Console, select Settings.
- Go to Tools > REST API v1.
- Copy the API Token value to use it later when configuring the Api Key parameter.
Treat the token as a credential for your Netskope tenant: store it only in the Api Key parameter, keep it out of playbook text, case comments, and logs, and regenerate it if it is exposed.
To configure the network setting for the integration, refer to the following table:
Function | Default port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | apikey |
Integrate Netskope with Google SecOps
The Netskope integration requires the following parameters:
Parameter | Description |
---|---|
Api Root | Required. The API root of the Netskope instance. |
Api Key | Required. The API key to authenticate with the Netskope API. To configure this parameter, enter the API token value that you obtained when you generated the API key. |
Verify SSL | Optional. If selected, the integration verifies that the SSL certificate for connecting to the Netskope server is valid. Not selected by default. Leave it unselected only for testing: with verification off, the integration accepts any certificate presented for the Api Root host, so an on-path attacker can terminate the connection and read the API key. |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action.
Allow File
Use the Allow File action to allow a quarantined file.
This action runs on all Google SecOps entities.
Action inputs
The Allow File action requires the following parameters:
Parameter | Description |
---|---|
File ID | Required. The ID of the file to allow. |
Quarantine Profile ID | Required. The ID of the quarantine profile that is associated with the file. |
Action outputs
The Allow File action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Allow File action:
Script result name | Value |
---|---|
is_success | True or False |
Block File
Use the Block File action to block a quarantined file.
This action runs on all Google SecOps entities.
Action inputs
The Block File action requires the following parameters:
Parameter | Description |
---|---|
File ID | Required. The ID of the file to block in Netskope. |
Quarantine Profile ID | Required. The ID of the quarantine profile to use when blocking the file. |
Action outputs
The Block File action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Block File action:
Script result name | Value |
---|---|
is_success | True or False |
Download File
Use the Download File action to download a quarantined file.
This action runs on the Google SecOps IP Address entity.
Action inputs
The Download File action requires the following parameters:
Parameter | Description |
---|---|
File ID | Required. The ID of the file to download from quarantine. |
Quarantine Profile ID | Required. The ID of the quarantine profile that the file belongs to. |
Action outputs
The Download File action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Download File action:
Script result name | Value |
---|---|
is_success | True or False |
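The following Python example is added here to show what the Api Root, Api Key and Verify SSL parameters control on the wire, and how the Allow File and Block File actions map onto a single quarantine request that needs both the File ID and the Quarantine Profile ID. It is not the integration's own code. It assumes, as stated in the comments and not taken from this page, that REST API v1 authenticates with the token as a `token` query parameter, answers with a `status`/`msg`/`data` envelope, and exposes quarantine actions at `/api/v1/quarantine` with `op=take-action`; the transport is injected so the example runs offline.

```python
# Added example, not the Netskope integration's own code.
# Assumptions (not from the page): token-in-query authentication, a
# {"status", "msg", "data"} response envelope, and /api/v1/quarantine?op=take-action.
import json
import warnings
from typing import Any, Callable, Dict, List, Tuple
from urllib.parse import urlencode, urlsplit

# transport(url, params, verify_ssl) -> response body. Injected so the example runs
# offline; a real deployment would wrap requests.get(url, params=params, verify=verify_ssl).
Transport = Callable[[str, Dict[str, str], bool], str]


class NetskopeError(RuntimeError):
    """Raised when the API envelope does not report success."""


class NetskopeClient:
    QUARANTINE_ACTIONS = ("allow", "block")

    def __init__(self, api_root: str, api_key: str, verify_ssl: bool, transport: Transport):
        parts = urlsplit(api_root)
        # The token travels in the query string, so refuse anything but https.
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("Api Root must be an https URL")
        if not verify_ssl:
            # Equivalent of leaving 'Verify SSL' unselected: any certificate is accepted,
            # so an on-path attacker can terminate TLS and read the API key.
            warnings.warn("TLS verification disabled; API key exposed to interception")
        self.api_root = api_root.rstrip("/")
        self._api_key = api_key
        self.verify_ssl = verify_ssl
        self._transport = transport

    def _get(self, path: str, params: Dict[str, Any]) -> Any:
        query = {k: str(v) for k, v in params.items() if v is not None}
        query["token"] = self._api_key  # assumption: v1 token-in-query authentication
        body = self._transport(self.api_root + path, query, self.verify_ssl)
        envelope = json.loads(body)
        if envelope.get("status") != "success":
            raise NetskopeError(str(envelope.get("msg") or envelope.get("errors") or "request failed"))
        return envelope.get("data")

    def ping(self) -> bool:
        """Connectivity check: the smallest authenticated read that exercises the token."""
        try:
            self._get("/api/v1/clients", {"limit": 1})
            return True
        except (NetskopeError, ValueError):  # json.JSONDecodeError is a ValueError
            return False

    def quarantine_action(self, file_id: str, quarantine_profile_id: str, action: str) -> bool:
        """Allow File / Block File: both need the file ID and its quarantine profile ID."""
        if action not in self.QUARANTINE_ACTIONS:
            raise ValueError(f"action must be one of {self.QUARANTINE_ACTIONS}")
        if not file_id or not quarantine_profile_id:
            raise ValueError("file_id and quarantine_profile_id are required")
        self._get("/api/v1/quarantine", {
            "op": "take-action",  # assumption: v1 quarantine operation name
            "quarantine_profile_id": quarantine_profile_id,
            "file_id": file_id,
            "action": action,
        })
        return True


def redact_for_log(url: str, params: Dict[str, str]) -> str:
    """Log-safe rendering of a request: never write the token to the case wall or logs."""
    safe = {k: ("<redacted>" if k == "token" else v) for k, v in params.items()}
    return f"{url}?{urlencode(safe)}"


def fake_transport(calls: List[Tuple[str, Dict[str, str], bool]], body: str) -> Transport:
    """Constructed offline transport: records each request and returns a canned body."""
    def send(url: str, params: Dict[str, str], verify_ssl: bool) -> str:
        calls.append((url, dict(params), verify_ssl))
        return body
    return send


if __name__ == "__main__":
    calls: List[Tuple[str, Dict[str, str], bool]] = []
    ok_body = json.dumps({"status": "success", "msg": "", "data": []})  # constructed envelope
    client = NetskopeClient("https://tenant.example.goskope.com/", "example-token", True,
                            fake_transport(calls, ok_body))
    print(client.ping(), client.quarantine_action("FILE_ID", "PROFILE_ID", "block"))
    print(redact_for_log(*calls[-1][:2]))
```

The `redact_for_log` helper is the part worth keeping regardless of how the transport is implemented: because the key is part of the request, any code path that writes the request URL to a log or to the case wall leaks the credential unless it strips the `token` parameter first.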
List Alerts
Use the List Alerts action to list alerts.
This action runs on all Google SecOps entities.
Action inputs
The List Alerts action requires the following parameters:
Parameter | Description |
---|---|
Query | A query to filter the cloud application events in the alerts database. |
Type | The type of alerts to filter by. The possible values are as follows: Anomaly, Compromised Credential, Policy, Legal Hold, Malsite, Malware, DLP, Watchlist, Quarantine, Remediation. |
Time Period | The time period in seconds prior to now to search for alerts. The possible values are 3600 (1 hour), 86400 (1 day), 604800 (7 days), and 2592000 (30 days). |
Start Time | A start time to filter alerts with timestamps greater than the specified Unix epoch time. Use this parameter only if you didn't set the Time Period parameter. |
End Time | An end time to filter alerts with timestamps less than the specified Unix epoch time. Use this parameter only if you didn't set the Time Period parameter. |
Is Acknowledged | If selected, the integration filters for acknowledged alerts. Not selected by default. |
Limit | The number of results to return. The default value is 100. |
Action outputs
The List Alerts action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Alerts action:
[
  {
    "dstip": "192.0.2.1",
    "app": "Amazon Web Services",
    "profile_id": "ID",
    "device": "iPad",
    "shared_credential_user": "example@example.com",
    "app_session_id": 2961859388,
    "dst_location": "Ashburn",
    "dst_region": "Virginia",
    "policy": "Copy prohibited",
    "page_id": 380765822,
    "object_type": "File",
    "dst_latitude": 39.0481,
    "timestamp": 1548603047,
    "src_region": "California",
    "from_user": "user@example.com",
    "src_location": "San Luis Obispo",
    "traffic_type": "CloudApp",
    "appcategory": "IaaS/PaaS",
    "src_latitude": 35.2635,
    "count": 2,
    "type": "anomaly",
    "risk_level_id": 2,
    "activity": "Upload",
    "userip": "203.0.113.1",
    "src_longitude": -120.6509,
    "browser": "Safari",
    "alert_type": "anomaly",
    "event_type": "user_shared_credentials",
    "_insertion_epoch_timestamp": 1548601562,
    "site": "Amazon Web Services",
    "id": 3561,
    "category": "IaaS/PaaS",
    "orig_ty": "nspolicy",
    "dst_country": "US",
    "src_zipcode": "93401",
    "cci": 94,
    "ur_normalized": "user@example.com",
    "object": "quarterly_report.pdf",
    "organization_unit": "",
    "acked": "false",
    "dst_longitude": -77.4728,
    "alert": "yes",
    "user": "user@example.com",
    "userkey": "user@example.com",
    "srcip": "198.51.100.1",
    "org": "example.com",
    "src_country": "US",
    "bin_timestamp": 1548633600,
    "dst_zipcode": "20149",
    "url": "http://aws.amazon.com/",
    "sv": "unknown",
    "ccl": "excellent",
    "alert_name": "user_shared_credentials",
    "risk_level": "high",
    "_mladc": ["ur"],
    "threshold_time": 86400,
    "_id": "cadee4a8488b3e139b084134",
    "os": "iOS 6"
  }
]
Script result
The following table lists the value for the script result output when using the List Alerts action:
Script result name | Value |
---|---|
alerts | ALERT_LIST |
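The following Python example is added to show how a playbook step would consume the List Alerts JSON result above; it is not the integration's own code. It keeps the record shape shown on this page (note that `acked` arrives as the string `"false"`, which is truthy in Python if tested naively), selects unacknowledged alerts at or above a risk threshold, and normalizes the IP, user and URL fields into one indicator set, discarding any IP value that does not parse. The sample records are constructed for the example (the page's anomaly alert, trimmed, plus a second acknowledged low-risk record), and the low/medium/high/critical ordering of `risk_level` is an assumption rather than something the page states.

```python
# Added example, not the Netskope integration's own code.
# Assumptions (not from the page): risk_level is one of low/medium/high/critical,
# and "acked" may arrive either as the strings "true"/"false" or as a boolean.
import ipaddress
import json
from typing import Any, Dict, List, Set, Tuple

RISK_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed ordering
IP_FIELDS = ("srcip", "userip", "dstip")

# Constructed sample: the page's anomaly alert (trimmed) plus a second acknowledged,
# low-risk record that also carries an unparseable source IP.
SAMPLE_ALERTS: List[Dict[str, Any]] = json.loads("""[
  {"id": 3561, "alert_type": "anomaly", "alert_name": "user_shared_credentials",
   "risk_level": "high", "acked": "false", "user": "user@example.com",
   "shared_credential_user": "example@example.com", "app": "Amazon Web Services",
   "srcip": "198.51.100.1", "userip": "203.0.113.1", "dstip": "192.0.2.1",
   "url": "http://aws.amazon.com/", "object": "quarterly_report.pdf", "timestamp": 1548603047},
  {"id": 3562, "alert_type": "policy", "alert_name": "Copy prohibited",
   "risk_level": "low", "acked": "true", "user": "other@example.com",
   "app": "Box", "srcip": "7198.51.100.1", "userip": "203.0.113.7", "dstip": "192.0.2.9",
   "url": "https://app.box.com/", "object": "notes.txt", "timestamp": 1548603100}
]""")


def is_acked(alert: Dict[str, Any]) -> bool:
    """'acked' is a string in the v1 sample; never rely on bool("false"), which is True."""
    value = alert.get("acked", False)
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "yes", "1")


def indicators(alert: Dict[str, Any]) -> Set[Tuple[str, str]]:
    """Normalize the fields a responder pivots on; drop IPs that do not parse."""
    found: Set[Tuple[str, str]] = set()
    for field in IP_FIELDS:
        raw = alert.get(field)
        if not raw:
            continue
        try:
            found.add(("ip", str(ipaddress.ip_address(raw))))
        except ValueError:
            pass  # a mangled address: skip rather than feed garbage to a blocklist
    for field in ("user", "shared_credential_user", "from_user"):
        if alert.get(field):
            found.add(("user", str(alert[field]).lower()))
    if alert.get("url"):
        found.add(("url", alert["url"]))
    return found


def triage(alerts: List[Dict[str, Any]], min_risk: str = "high") -> List[Dict[str, Any]]:
    """Return unacknowledged alerts at or above min_risk, highest risk and newest first."""
    threshold = RISK_ORDER[min_risk]
    picked = []
    for alert in alerts:
        risk = RISK_ORDER.get(str(alert.get("risk_level", "")).lower(), 0)
        if is_acked(alert) or risk < threshold:
            continue
        picked.append({
            "id": alert.get("id"),
            "alert_type": alert.get("alert_type"),
            "alert_name": alert.get("alert_name"),
            "risk": risk,
            "app": alert.get("app"),
            "timestamp": alert.get("timestamp"),
            "indicators": indicators(alert),
        })
    picked.sort(key=lambda a: (-a["risk"], -(a["timestamp"] or 0)))
    return picked


if __name__ == "__main__":
    for item in triage(SAMPLE_ALERTS):
        print(item["id"], item["alert_name"], sorted(item["indicators"]))
```

The second constructed record is there to exercise the two checks that matter in practice: an acknowledged alert must not be re-raised, and an IP field that fails to parse must be dropped before it reaches a block action rather than passed through as a string.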
List Clients
Use the List Clients action to list clients.
This action runs on all Google SecOps entities.
Action inputs
The List Clients action requires the following parameters:
Parameter | Description |
---|---|
Query | Optional. Filters the clients retrieved from the database. |
Limit | Optional. Limits the number of clients returned by the action. The default value is |
Action outputs
The List Clients action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Clients action:
[
  {
    "client_install_time": 1532040251,
    "users": [
      {
        "heartbeat_status_since": 1532040385,
        "user_added_time": 1532040167,
        "last_event": {
          "status": "Enabled",
          "timestamp": 1548578307,
          "event": "Tunnel Up",
          "actor": "System"
        },
        "device_classification_status": "Not Configured",
        "username": "user@example.com",
        "user_source": "Manual",
        "userkey": "K00fuSXl8yMIqgdg",
        "_id": "ID",
        "heartbeat_status": "Active"
      }
    ],
    "last_event": {
      "status": "Enabled",
      "timestamp": 1548578307,
      "event": "Tunnel Up",
      "actor": "System"
    },
    "host_info": {
      "device_model": "VMware Virtual Platform",
      "os": "Windows",
      "hostname": "HOSTNAME",
      "device_make": "VMware, Inc.",
      "os_version": "10.0"
    },
    "client_version": "1.1.1.1",
    "_id": "ID",
    "device_id": "DEVICE_ID"
  }
]
Script result
The following table lists the value for the script result output when using the List Clients action:
Script result name | Value |
---|---|
clients | CLIENT_LIST |
List Events
Use the List Events action to list events.
This action runs on all Google SecOps entities.
Action inputs
The List Events action requires the following parameters:
Parameter | Description |
---|---|
Query | A query to filter the cloud application events in the events database. |
Type | The type of events to filter by. The possible values are as follows: page, application, audit, infrastructure. |
Time Period | The time period in seconds prior to now to search for events. The possible values are 3600 (1 hour), 86400 (1 day), 604800 (7 days), and 2592000 (30 days). |
Start Time | A start time to filter events with timestamps greater than the specified Unix epoch time. Use this parameter only if you didn't set the Time Period parameter. |
End Time | An end time to filter events with timestamps less than the specified Unix epoch time. Use this parameter only if you didn't set the Time Period parameter. |
Limit | The number of results to return. The default value is 100. |
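The List Alerts and List Events actions share the same time-window rules, and the following Python example is added to enforce them before a request is built; it is not the integration's own code. It checks that Time Period is one of the four fixed windows (in seconds), that Start Time and End Time are only used without Time Period and are in the right order, that the type is one the chosen action accepts, and that Limit is a positive integer defaulting to 100. It also rejects epoch values that look like milliseconds, the most common way a playbook ends up with an empty result. The API-side parameter names (`timeperiod`, `starttime`, `endtime`, `acked`) and the pass-through of the type values are assumptions, not taken from this page.

```python
# Added example, not the Netskope integration's own code.
# Assumptions (not from the page): the wire parameter names timeperiod, starttime,
# endtime and acked, and that the type values are sent through unchanged.
from typing import Any, Dict, Optional

TIME_PERIODS = {3600: "1 hour", 86400: "1 day", 604800: "7 days", 2592000: "30 days"}
ALERT_TYPES = ("Anomaly", "Compromised Credential", "Policy", "Legal Hold", "Malsite",
               "Malware", "DLP", "Watchlist", "Quarantine", "Remediation")
EVENT_TYPES = ("page", "application", "audit", "infrastructure")
EPOCH_SECONDS_CEILING = 10 ** 11  # heuristic: anything larger is almost certainly milliseconds


def build_query(kind: str, query: Optional[str] = None, type_: Optional[str] = None,
                time_period: Optional[int] = None, start_time: Optional[int] = None,
                end_time: Optional[int] = None, limit: int = 100,
                is_acknowledged: Optional[bool] = None) -> Dict[str, Any]:
    """Validate the action inputs and return the query parameters for alerts or events."""
    if kind not in ("alerts", "events"):
        raise ValueError("kind must be 'alerts' or 'events'")
    allowed = ALERT_TYPES if kind == "alerts" else EVENT_TYPES
    if type_ is not None and type_ not in allowed:
        raise ValueError(f"type {type_!r} is not valid for {kind}; expected one of {allowed}")
    if time_period is not None:
        if time_period not in TIME_PERIODS:
            raise ValueError(f"Time Period must be one of {sorted(TIME_PERIODS)} seconds")
        if start_time is not None or end_time is not None:
            raise ValueError("Start Time / End Time are only valid without Time Period")
    for name, value in (("start_time", start_time), ("end_time", end_time)):
        if value is None:
            continue
        if not isinstance(value, int) or isinstance(value, bool) or value < 0:
            raise ValueError(f"{name} must be a non-negative Unix epoch in seconds")
        if value > EPOCH_SECONDS_CEILING:
            raise ValueError(f"{name} looks like milliseconds; pass seconds")
    if start_time is not None and end_time is not None and start_time >= end_time:
        raise ValueError("Start Time must be earlier than End Time")
    if not isinstance(limit, int) or isinstance(limit, bool) or limit < 1:
        raise ValueError("Limit must be a positive integer")
    params: Dict[str, Any] = {
        "query": query, "type": type_, "timeperiod": time_period,
        "starttime": start_time, "endtime": end_time, "limit": limit,
    }
    if kind == "alerts" and is_acknowledged is not None:
        params["acked"] = "true" if is_acknowledged else "false"  # assumed parameter name
    return {k: v for k, v in params.items() if v is not None}


def describe_window(params: Dict[str, Any]) -> str:
    """Human-readable window for the case wall: a fixed period or an explicit epoch range."""
    if "timeperiod" in params:
        return f"last {TIME_PERIODS[params['timeperiod']]}"
    return f"from {params.get('starttime', 'start')} to {params.get('endtime', 'now')}"


if __name__ == "__main__":
    alerts = build_query("alerts", type_="Anomaly", time_period=86400, is_acknowledged=False)
    events = build_query("events", type_="page", start_time=1548576000, end_time=1548580000, limit=50)
    print(alerts, describe_window(alerts))
    print(events, describe_window(events))
```

Failing fast on these inputs matters more here than in most API wrappers: a window of 3600 interpreted as milliseconds, or start and end swapped, does not produce an error from a listing endpoint, it produces an empty list that a playbook reads as "no alerts".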
Action outputs
The List Events action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Events action:
[
  {
    "dstip": "192.0.2.64",
    "browser_session_id": 1066949788113471080,
    "srcip": "198.51.100.36",
    "app_session_id": 4502249472406092569,
    "os_version": "WindowsServer2016",
    "dst_region": "Virginia",
    "numbytes": 37480,
    "req_cnt": 18,
    "server_bytes": 8994,
    "page_id": 0,
    "page_duration": 867,
    "page_endtime": 1548577530,
    "dst_latitude": 39.0481,
    "timestamp": 1548576663,
    "src_region": "Oregon",
    "src_location": "Boardman",
    "ur_normalized": "user@example.com",
    "appcategory": "",
    "src_latitude": 45.8491,
    "count": 1,
    "bypass_traffic": "no",
    "type": "page",
    "userip": "203.0.113.253",
    "src_longitude": -119.7143,
    "page": "WebBackground",
    "browser": "",
    "domain": "WebBackground",
    "dst_location": "Ashburn",
    "_insertion_epoch_timestamp": 1548577621,
    "site": "WebBackground",
    "access_method": "Client",
    "browser_version": "",
    "category": "",
    "client_bytes": 28486,
    "user_generated": "no",
    "hostname": "IP-C0A84AC",
    "dst_country": "US",
    "resp_cnt": 18,
    "src_zipcode": "97818",
    "traffic_type": "Web",
    "http_transaction_count": 18,
    "organization_unit": "example.com/Users",
    "page_starttime": 1548576663,
    "dst_longitude": -77.4728,
    "user": "user@example.com",
    "userkey": "user@example.com",
    "device": "WindowsDevice",
    "src_country": "US",
    "dst_zipcode": "20149",
    "url": "WebBackground",
    "sv": "",
    "ccl": "unknown",
    "useragent": "RestSharp/192.0.2.0",
    "_id": "ID",
    "os": "WindowsServer2016"
  }
]
Script result
The following table lists the value for the script result output when using the List Events action:
Script result name | Value |
---|---|
events | EVENT_LIST |
List Quarantined Files
Use the List Quarantined Files action to list quarantined files.
This action runs on all Google SecOps entities.
Action inputs
The List Quarantined Files action requires the following parameters:
Parameter | Description |
---|---|
Start Time | Optional. A start time to restrict events to those with timestamps greater than the value of this parameter, in Unix epoch format. |
End Time | Optional. An end time to restrict events to those with timestamps less than the value of this parameter, in Unix epoch format. |
Action outputs
The List Quarantined Files action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the List Quarantined Files action:
Script result name | Value |
---|---|
files | FILE_LIST |
Ping
Use the Ping action to test the connectivity to Netskope.
This action runs on all Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |