Skip to main content

Netskope Help

AWS Security Lake Plugin for Log Shipper

This document explains how to configure the AWS Security Lake integration with the Cloud Log Shipper module of the Netskope Cloud Exchange platform. The AWS Security Lake plugin supports:

  • Events

  • Alerts

  • WebTx

All Netskope events, alert logs, and web transaction logs will be shared.

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances)

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

  • A Security Lake enabled AWS account. You will need to get the Access Key ID and Secret Access Key for your account prior to starting this procedure.

  • An AWS event bridge with the configured Lambda script.

Workflow
  1. Configure the AWS Security Lake plugin.

  2. Configure the Log Shipper Business Rules for AWS Security Lake.

  3. Configure the Log Shipper SIEM Mappings for AWS Security Lake.

  4. Validate the AWS Security Lake plugin.

To watch a demo, click play.

 
  1. In Cloud Exchange, go to Settings > Plugins.

  2. Search for and select the Amazon Security Lake box to open the plugin creation dialog.

    image1.png
  3. For Basic Information, first enter a Configuration Name.

  4. Select the valid Mapping. (Default Mappings for all plugins are available.)

  5. Enable the Transform the raw logs toggle (if not already), as we cannot send data directly to S3 bucket bucket because the lambda expects those files to be in a specific form in order to convert them into parquet.

    image2.png
  6. Click Next.

  7. For Configuration Parameters, enter these values:

    • AWS Access Key ID (Public Key): AWS Security Lake Access Key ID.

    • AWS Secret Access Key (Private Key): AWS Security Lake Secret Access Key.

    • Region Name: Region Name of the bucket.

    • Bucket Name: Bucket name to store a data object.

    image3.png
  8. Click Save.

    image4.png
  1. Click Log Shipper > Business Rules.

    image5.png
  2. Click Create New Rule.

    image6.png
  3. Enter a Rule Name and clickConfigure Filter. Enter Folder Name if any.

  4. Click Save.

    image7.png
  1. Click Log Shipper > SIEM Mappings > Add SIEM Mapping.

    image8.png
  2. Select a Source Configuration , a Destination Configuration, and a Business Rule.

    image9.png
  3. Click Save.

To validate the plugin, you can check from Netskope Cloud Exchange and from AWS.

  1. To validate from Netskope Cloud Exchange, go to Log Shipper > Logging.

    image10.png
  2. To validate from the AWS, go to S3 Bucket and select the configured bucket name for the plugin.

    image11.png
  1. Check the logs from Logging (bottom left corner)

    image12.png
  2. Check in the Log Shipper -> SEIM Mappings -> Total Logs Sent section if any log is sent or not.

  3. To confirm if the logs are pulled or not, check logs from Logging (bottom left corner)

  4. If you see that the data is sent from Netskope and still the parquet files are not visible in the destination bucket, in that case please confirm that the Bucket name in Netskope configuration and SRC_BUCKET in Lambda is the same. Also confirm that the destination bucket you are monitoring for the parquet files is the same bucket specified in DST_BUCKET in Lambda env.

The OCSF versions will be maintained with the update of the plugin.

Data Type

Sub Type

Netskope Field

OCSF Field

Default value

Webtx

v2

x-cs-app

app_name

None

Webtx

v2

sc-bytes

bytes_in

None

Webtx

v2

x-c-country

country

None

Webtx

v2

x-c-device

device.name

None

Webtx

v2

None

device.type_id

-1

Webtx

v2

time-taken

duration

None

Webtx

v2

cs-username

email_addr

None

Webtx

v2

cs-method

http_method

None

Webtx

v2

sc-status

http_status

None

Webtx

v2

x-c-os

os.name

None

Webtx

v2

None

os.type_id

-1

Webtx

v2

x-c-zipcode

postal_code

None

Webtx

v2

cs-referer

referrer

None

Webtx

v2

x-cs-session-id

session_uid

None

Webtx

v2

cs-user-agent

user_agent

None

Webtx

v2

bytes

bytes

None

Webtx

v2

c-ip

src_endpoint.ip

None

Webtx

v2

cs-bytes

bytes_out

None

Webtx

v2

cs-dns

domain

None

Webtx

v2

cs-host

hostname

None

Webtx

v2

cs-uri-port

port

None

Webtx

v2

cs-uri-query

query_string

None

Webtx

v2

cs-uri-scheme

scheme

None

Webtx

v2

s-ip

dst_endpoint.ip

None

Webtx

v2

sc-content-type

content_type

None

Webtx

v2

x-transaction-id

transaction_uid

None

Alerts

anomaly

srcip

src_endpoint.ip

None

Alerts

anomaly

dstip

dst_endpoint.ip

None

Alerts

anomaly

app

app_name

None

Alerts

anomaly

user

user.name

None

Alerts

anomaly

activity

activity

None

Alerts

anomaly

timestamp

_time

None

Alerts

anomaly

url

text

None

Alerts

anomaly

class_name

event_type

None

Alerts

Compromised Credential

timestamp

_time

None

Alerts

policy

srcip

src_endpoint.ip

None

Alerts

policy

dstip

dst_endpoint.ip

None

Alerts

policy

app

app_name

None

Alerts

policy

user

user.name

None

Alerts

policy

activity

activity

None

Alerts

policy

timestamp

_time

None

Alerts

policy

hostname

hostname

None

Alerts

policy

device

device.name

None

Alerts

policy

None

device.type_id

-1

Alerts

policy

os

os.name

None

Alerts

policy

None

os.type_id

-1

Alerts

policy

policy

policy

None

Alerts

policy

url

text

None

Alerts

policy

referer

referrer

None

Alerts

Legal Hold

srcip

src_endpoint.ip

None

Alerts

Legal Hold

dstip

dst_endpoint.ip

None

Alerts

Legal Hold

app

app_name

None

Alerts

Legal Hold

user

user.name

None

Alerts

Legal Hold

activity

activity

None

Alerts

Legal Hold

timestamp

_time

None

Alerts

Legal Hold

hostname

hostname

None

Alerts

Legal Hold

device

device.name

None

Alerts

Legal Hold

None

device.type_id

-1

Alerts

Legal Hold

os

os.name

None

Alerts

Legal Hold

None

os.type_id

-1

Alerts

Legal Hold

mime_type

mime_type

None

Alerts

Legal Hold

policy

policy

None

Alerts

Legal Hold

md5

md5

None

Alerts

Legal Hold

sha256

sha2

None

Alerts

Legal Hold

instance_id

instance_uid

None

Alerts

Legal Hold

modified

modified_time

None

Alerts

Legal Hold

lh_original_filename

file.name

None

Alerts

Legal Hold

file_path

file.path

None

Alerts

Legal Hold

None

file.type_id

-1

Alerts

Malsite

srcip

src_endpoint.ip

None

Alerts

Malsite

dstip

dst_endpoint.ip

None

Alerts

Malsite

app

app_name

None

Alerts

Malsite

user

user.name

None

Alerts

Malsite

timestamp

_time

None

Alerts

Malsite

hostname

hostname

None

Alerts

Malsite

device

device.name

None

Alerts

Malsite

None

device.type_id

-1

Alerts

Malsite

os

os.name

None

Alerts

Malsite

None

os.type_id

-1

Alerts

Malsite

policy

policy

None

Alerts

Malsite

url

text

None

Alerts

Malsite

referer

referrer

None

Alerts

Malsite

app_session_id

session_uid

None

Alerts

malware

local_md5

md5

None

Alerts

malware

local_sha256

sha2

None

Alerts

malware

local_sha1

sha1

None

Alerts

malware

srcip

src_endpoint.ip

None

Alerts

malware

dstip

dst_endpoint.ip

None

Alerts

malware

app

app_name

None

Alerts

malware

user

user.name

None

Alerts

malware

activity

activity

None

Alerts

malware

timestamp

_time

None

Alerts

malware

hostname

hostname

None

Alerts

malware

device

device.name

None

Alerts

malware

None

device.type_id

-1

Alerts

malware

os

os.name

None

Alerts

malware

None

os.type_id

-1

Alerts

malware

file_size

size

None

Alerts

malware

url

text

None

Alerts

malware

referer

referrer

None

Alerts

malware

malware_id

uid

None

Alerts

dlp

srcip

src_endpoint.ip

None

Alerts

dlp

dstip

dst_endpoint.ip

None

Alerts

dlp

app

app_name

None

Alerts

dlp

user

user.name

None

Alerts

dlp

activity

activity

None

Alerts

dlp

timestamp

_time

None

Alerts

dlp

hostname

hostname

None

Alerts

dlp

device

device.name

None

Alerts

dlp

None

device.type_id

-1

Alerts

dlp

os

os.name

None

Alerts

dlp

None

os.type_id

-1

Alerts

dlp

mime_type

mime_type

None

Alerts

dlp

policy

policy

None

Alerts

dlp

md5

md5

None

Alerts

dlp

sha256

sha2

None

Alerts

dlp

file_size

size

None

Alerts

dlp

instance_id

instance_uid

None

Alerts

dlp

url

text

None

Alerts

dlp

dlp_rule

rule.name

None

Alerts

Security Assessment

app

app_name

None

Alerts

Security Assessment

user

user.name

None

Alerts

Security Assessment

activity

activity

None

Alerts

Security Assessment

timestamp

_time

None

Alerts

Security Assessment

os

os.name

None

Alerts

Security Assessment

None

os.type_id

-1

Alerts

Security Assessment

policy

policy

None

Alerts

Security Assessment

instance_id

instance_uid

None

Alerts

Watchlist

srcip

src_endpoint.ip

None

Alerts

Watchlist

dstip

dst_endpoint.ip

None

Alerts

Watchlist

app

app_name

None

Alerts

Watchlist

user

user.name

None

Alerts

Watchlist

activity

activity

None

Alerts

Watchlist

timestamp

_time

None

Alerts

Watchlist

hostname

hostname

None

Alerts

Watchlist

device

device.name

None

Alerts

Watchlist

None

device.type_id

-1

Alerts

Watchlist

os

os.name

None

Alerts

Watchlist

None

os.type_id

-1

Alerts

Qurantine

quarantine_file_id

quarantine_uid

None

Alerts

Qurantine

srcip

src_endpoint.ip

None

Alerts

Qurantine

dstip

dst_endpoint.ip

None

Alerts

Qurantine

app

app_name

None

Alerts

Qurantine

user

user.name

None

Alerts

Qurantine

activity

activity

None

Alerts

Qurantine

timestamp

_time

None

Alerts

Qurantine

hostname

hostname

None

Alerts

Qurantine

device

device.name

None

Alerts

Qurantine

None

device.type_id

-1

Alerts

Qurantine

os

os.name

None

Alerts

Qurantine

None

os.type_id

-1

Alerts

Qurantine

mime_type

mime_type

None

Alerts

Qurantine

policy

policy

None

Alerts

Qurantine

md5

md5

None

Alerts

Qurantine

file_size

size

None

Alerts

Qurantine

transaction_id

transaction_uid

None

Alerts

Remediation

srcip

src_endpoint.ip

None

Alerts

Remediation

dstip

dst_endpoint.ip

None

Alerts

Remediation

app

app_name

None

Alerts

Remediation

user

user.name

None

Alerts

Remediation

activity

activity

None

Alerts

Remediation

timestamp

_time

None

Alerts

Remediation

hostname

hostname

None

Alerts

Remediation

device

device.name

None

Alerts

Remediation

None

device.type_id

-1

Alerts

Remediation

os

os.name

None

Alerts

Remediation

None

os.type_id

-1

Alerts

Remediation

policy

policy

None

Alerts

Remediation

md5

md5

None

Alerts

Remediation

file_size

size

None

Alerts

Remediation

url

text

None

Alerts

Remediation

app_session_id

session_uid

None

Alerts

uba

event_type

class_name

None

Alerts

uba

srcip

src_endpoint.ip

None

Alerts

uba

dstip

dst_endpoint.ip

None

Alerts

uba

app

app_name

None

Alerts

uba

user

user.name

None

Alerts

uba

activity

activity

None

Alerts

uba

timestamp

_time

None

Alerts

uba

hostname

hostname

None

Alerts

uba

device

device.name

None

Alerts

uba

None

device.type_id

-1

Alerts

uba

os

os.name

None

Alerts

uba

None

os.type_id

-1

Alerts

uba

policy

policy

None

Alerts

uba

url

text

None

Events

infrastructure

timestamp

_time

None

Events

infrastructure

device

device.name

None

Events

infrastructure

None

device.type_id

-1

Events

infrastructure

serial

serial_number

None

Events

page

app

app_name

None

Events

page

user

user.name

None

Events

page

timestamp

_time

None

Events

page

device

device.name

None

Events

page

None

device.type_id

-1

Events

page

os

os.name

None

Events

page

None

os.type_id

-1

Events

page

transaction_id

transaction_uid

None

Events

page

client_bytes

bytes_out

None

Events

page

server_bytes

bytes_in

None

Events

page

url

text

None

Events

page

site

service.name

None

Events

page

srcip

src_endpoint.ip

None

Events

page

dstip

dst_endpoint.ip

None

Events

application

app

app_name

None

Events

application

user

user.name

None

Events

application

timestamp

_time

None

Events

application

device

device.name

None

Events

application

None

device.type_id

-1

Events

application

os

os.name

None

Events

application

None

os.type_id

-1

Events

application

transaction_id

transaction_uid

None

Events

application

client_bytes

bytes_out

None

Events

application

server_bytes

bytes_in

None

Events

application

url

text

None

Events

application

srcip

src_endpoint.ip

None

Events

application

dstip

dst_endpoint.ip

None

Events

application

type

type

None

Events

application

site

service.name

None

Events

audit

user

user.name

None

Events

audit

timestamp

_time

None

Events

audit

transaction_id

transaction_uid

None

Events

audit

type

type

None

Events

network

transaction_id

transaction_uid

None

Events

network

app

app_name

None

Events

network

user

user.name

None

Events

network

domain

domain

None

Events

network

start_time

start_time

None

Events

network

end_time

end_time

None

Events

network

timestamp

_time

None

Events

network

device

device.name

None

Events

network

None

device.type_id

-1

Events

network

os

os.name

None

Events

network

None

os.type_id

-1

Events

network

policy

policy

None

Events

network

client_bytes

bytes_out

None

Events

network

server_bytes

bytes_in

None

Events

network

client_packets

packets_out

None

Events

network

server_packets

packets_in

None

Events

network

protocol

protocol_name

None

Events

network

os_version

edition

None

Events

network

srcip

src_endpoint.ip

None

Events

network

srcport

src_endpoint.port

None

Events

network

dstip

dst_endpoint.ip

None

Events

network

dstip

dst_endpoint.port

None

Events

network

site

service.name

None