Skip to main content

Netskope Help

Microsoft Azure Sentinel Plugin for Log Shipper

This document explains how to configure your Azure Sentinel integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows ingestion of Netskope events and alerts into an Azure Sentinel tenant. The Azure Sentinel plugin support is:

Event Support

Yes

Alert Support

Yes

WebTx Support

Yes

Prerequisites
  • A Netskope Tenant (or multiple, for example, production and development/test instances).

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

  • An Azure Sentinel instance.

Note

Verify your Azure Sentinel instance permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.

Workflow
  1. Get your Azure Sentinel Workspace ID and Primary Key.

  2. Configure the Azure Sentinel plugin.

  3. Configure Log Shipper Business Rules.

  4. Create Log Shipper SIEM mappings.

  5. Validate the plugin.

Click play to watch a video.

 
  1. Go to your Azure Sentinel instance https://portal.azure.com/.

    image1.png
  2. Log in to your Sentinel instance.

    image2.png
  3. Under the Azure Services section click More Services.

    image3.png
  4. Find and click Azure Sentinel.

    image4.png
  5. Click Create.

    image5.png
  6. Click Create a new workspace. Select Resource Group, enter a name, and select your Region. Click Review + Create.

    image6.png
  7. Click Create.

    image7.png
  8. It will take a few seconds to deploy. After deployment succeeds, click Refresh. Click on the Workspace that you created and click Add.

    image8.png
  9. It will take a few seconds to add a workspace.

    image9.png
  10. After successfully adding a workspace, go to Home All Services Log Analytics workspaces.

    image10.png
  11. Click on the workspace name that you created.

    image11.png
  12. Click Agent Management.

    image12.png
  13. Copy and save the Workspace ID and Primary Key.

  1. In Cloud Exchange, go to Settings > Plugins.

  2. Search for and select the Azure Sentinel v2.0.2 (CLS) box to open the plugin creation pages.

    image10.png
  3. Enter these parameters:

    • Configuration Name: Create a unique name for the configuration.

    • Mapping: Select the valid Mapping. (Default Mapping for all plugins are available. If you want to Create New Mapping, follow the CLS guide to Create New Mapping.)

    • Use System Proxy: Enable if the proxy is required for communication.

    • Transform the raw logs: Disable if need to send Raw Data. (Default: It will be enabled and send Transformed data)

      image11.png
  4. Click Next.

    image14.png
  5. Enter these parameters:

    • Workspace ID: The unique identifier of your Microsoft Azure Sentinel Workspace.

    • Primary Key: The authentication key for your Microsoft Azure Sentinel Workspace.

    • Alerts Log Type Name: Custom Log Type name for alerts. Based on this name, schema for alerts will be created in Log Analytics Workspace with suffix _CL. Note that the value Netskope_Alerts or Netskope_Alerts_CL for this parameter matches the Netskope published playbooks in the Azure marketplace.

    • Events Log Type Name: Custom Log Type name for events. Based on this name, schema for events will be created in Log Analytics Workspace with suffix _CL. Note that the value Netskope_Events or Netskope_Events_CL for this parameter matches the Netskope published playbooks in the Azure marketplace.

    • WebTX Log Type Name: Custom Log Type name for web transactions. Based on this name, schema for web transactions will be created in Log Analytics Workspace with suffix _CL. Note that the value Netskope_WebTx or Netskope_WebTX_CL for this parameter matches the Netskope published playbooks in the Azure marketplace.

    image12.png
  6. Click Save.

    image13.png

Skip this step if you do not want to filter out alerts or events before ingestion.

  1. Go to Log Shipper > Business Rules.

    image16.png
  2. Click Create New Rule.

    Note

    If you want all the events and alerts ingested into your SIEM Mapping, you can use the default ALL rule.

    image17.png
  3. If creating a new rule, enter a Rule Name and select the filters to use.

  4. Click Save.

    image18.png
  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.

    image19.png
  2. For Source, select the Netskope CLS plugin configuration, select a Business Rule, and for Destination, select the Azure Sentinel plugin configuration.

  3. Click on Save.

    image20.png

To validate the plugin workflow, you can check from Netskope Cloud Exchange and from Azure Sentinel instance.

To validate from Netskope Cloud Exchange:

  • Go to Logging, and . check to see if the Logs are getting ingested. Filter using message contains <plugin_configuration_name>.

    image21.png

To validate from the Azure Sentinel instance:

  1. Go to Home All Services Log Analytics workspaces.

    image10.png
  2. Click on the workspace name that you created.

    image11.png
  3. Click Logs.

    image22.png
  4. Hover over Custom Logs Netskope_Events_CL and click See preview data, or you can write your query to filter data.

    image23.png