Netskope Help

QRadar Plugin for Log Shipper

This document explains how to configure your QRadar integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows pushing alerts and events from Netskope to the QRadar platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances)

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

  • A QRadar instance.

Note

Verify that your QRadar instance's permissions are secure and that it is not set up for open public access. Only allow access to the QRadar syslog listener from your Cloud Exchange host and from any other addresses that need it.

The QRadar plugin supports:

  • Event Support: Yes

  • Alert Support: Yes

  • WebTx Support: Yes

  • Logs Support: Yes

All Netskope events, alert logs, and web transaction logs will be shared.

Note

  • The Incident event type is supported from Core version 4.1.0.

  • The CTEP alert type is supported from Core version 4.2.0.

Compatibility

CE version: v4.0.1, v4.1.0, and v4.2.0.

API Details

The plugin uses the Python logging library (the standard-library logging module, not a third-party package) to push data to the Syslog collector.

Refer to the official documentation for more information on the logging library:

https://docs.python.org/3/library/logging.html

Performance Matrix

Logs Ingested: 9,940,000

Time Taken: 2 hours

Workflow
  1. Configure your QRadar Server, Port, and TLS Certificate information.

  2. Configure the QRadar Plugin.

  3. Configure Log Shipper Business Rules for QRadar.

  4. Configure Log Shipper SIEM Mappings for QRadar.

  5. Validate the QRadar plugin.

Configure QRadar

To create a log source in QRadar (through the Log Source Management app) that ingests data from Netskope over TCP, UDP, or TLS, perform the following steps:

  1. Download and install the Netskope Security Cloud DSM from here

  2. Go to the Log Source Management App via the Admin Panel.

  3. When a separate window opens, click + New Log Source.

  4. Select Netskope for the Log Source type.

  5. To receive data that Log Shipper sends over TCP or UDP, select Syslog as the protocol type; to receive data sent over TLS, select TLS Syslog.

    Note

    The default port for Syslog (TCP/UDP) in QRadar is 514, and for TLS Syslog it is 6514.

    For more information, refer to https://www.ibm.com/docs/en/qsip/7.4?topic=qradar-port-usage

  6. In the Configure Log Source parameters section, enter a name for the log source, keep the log source enabled, and leave the Coalescing events checkbox disabled.
  7. In the Configure the protocol parameters section, enter a Log Source Identifier, such as netskopece.

    • After the log source has been deployed, export the TLS certificate by running cat /opt/qradar/conf/trusted_certificates/syslog-tls.cert on the QRadar host where the log source is deployed. This certificate is required when you configure the QRadar plugin with the TLS protocol.

    • For the Max Payload Length field, we have observed that events are truncated even when the field is set to its maximum value (32768). To avoid truncating the payload, change the payload length by following the steps given here.

  8. Click Skip Test and then Finish. Next, deploy the log source.

Deploy Log Source

Click Deploy.
Configure the QRadar Plugin

  1. In Cloud Exchange, go to Settings > Plugins.

  2. Search for and select the QRadar box to open the plugin creation pages.

  3. Enter a Configuration Name.

  4. Select a valid Mapping. (A default mapping is available for all plugins.)

    Transform the raw logs: If enabled, raw logs are transformed using the selected mapping file; otherwise raw logs are sent to the SIEM as-is. Ingestion may fail if the SIEM does not accept the raw log format.
  5. Click Next.

  6. Enter the QRadar Server, select the QRadar Format and QRadar Protocol, and then enter the QRadar Port and, for the TLS protocol, the QRadar Certificate (the contents of syslog-tls.cert exported from the QRadar host).

  7. Enter a Log Source Identifier. The default value is netskopece. The Log Source Identifier must not contain whitespace; it is added as a prefix to all logs.

  8. Click Save.
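Before saving, the Server, Protocol, Port, Certificate, and Log Source Identifier values entered above can be exercised from the Cloud Exchange host outside the UI. The script below is an added example and is not part of Cloud Exchange or the QRadar plugin; it sends one test line through Python's logging library, which the API Details section names as the transport: SysLogHandler for UDP and TCP on 514, and a small TLS handler for TLS Syslog on 6514 that verifies the server against the exported syslog-tls.cert. The prefix format (identifier, one space, payload), the function names, and the loopback listener used for the offline check are assumptions of this example, and the sample event is constructed.

```python
import logging
import logging.handlers
import socket
import ssl
import threading
from typing import Optional

# QRadar defaults quoted on this page: Syslog (TCP/UDP) on 514, TLS Syslog on 6514.
DEFAULT_PORTS = {"UDP": 514, "TCP": 514, "TLS": 6514}


def format_line(log_source_identifier: str, payload: str) -> str:
    """Prefix one payload with the Log Source Identifier.

    Assumption for this example: identifier, one space, payload. The page only
    says the identifier is prefixed and must contain no whitespace (QRadar uses
    it to match the line to the log source), so that rule is enforced here.
    """
    if not log_source_identifier or any(c.isspace() for c in log_source_identifier):
        raise ValueError("Log Source Identifier must be non-empty and contain no whitespace")
    return f"{log_source_identifier} {payload}"


class TLSSyslogHandler(logging.Handler):
    """Newline-framed syslog over TLS; SysLogHandler itself has no TLS mode.

    cafile is the certificate exported from the QRadar host with
    cat /opt/qradar/conf/trusted_certificates/syslog-tls.cert. The default
    context trusts only that file and checks the server name against it.
    """

    def __init__(self, host: str, port: int, cafile: str) -> None:
        super().__init__()
        ctx = ssl.create_default_context(cafile=cafile)
        raw = socket.create_connection((host, port), timeout=10)
        self.sock = ctx.wrap_socket(raw, server_hostname=host)

    def emit(self, record: logging.LogRecord) -> None:
        self.sock.sendall((self.format(record) + "\n").encode("utf-8"))

    def close(self) -> None:
        self.sock.close()
        super().close()


def make_handler(protocol: str, host: str, port: Optional[int] = None,
                 cafile: Optional[str] = None) -> logging.Handler:
    """Build the logging handler matching the protocol type chosen on the log source."""
    protocol = protocol.upper()
    port = port or DEFAULT_PORTS[protocol]
    if protocol == "TLS":
        if not cafile:
            raise ValueError("TLS Syslog needs the exported syslog-tls.cert as cafile")
        return TLSSyslogHandler(host, port, cafile)
    socktype = socket.SOCK_DGRAM if protocol == "UDP" else socket.SOCK_STREAM
    handler = logging.handlers.SysLogHandler(address=(host, port), socktype=socktype)
    handler.append_nul = False  # QRadar reads newline-delimited lines, not NUL-terminated ones
    # SysLogHandler prepends the <PRI> header itself; add the line terminator on TCP only.
    handler.setFormatter(logging.Formatter("%(message)s\n" if protocol == "TCP" else "%(message)s"))
    return handler


def send_event(protocol: str, host: str, identifier: str, payload: str,
               port: Optional[int] = None, cafile: Optional[str] = None) -> str:
    """Ship one line through the logging library and return the line that was logged."""
    line = format_line(identifier, payload)
    logger = logging.getLogger("qradar-check")
    logger.propagate = False  # keep the test line off the root logger
    logger.setLevel(logging.INFO)
    handler = make_handler(protocol, host, port, cafile)
    logger.addHandler(handler)
    try:
        logger.info(line)
    finally:
        logger.removeHandler(handler)
        handler.close()
    return line


# Constructed sample payload; real Netskope events are JSON documents shaped by the mapping.
SAMPLE_EVENT = '{"type": "constructed sample", "action": "example only"}'


def loopback_check(identifier: str = "netskopece", payload: str = SAMPLE_EVENT) -> bytes:
    """Offline check: a throwaway TCP listener on 127.0.0.1 stands in for QRadar
    and returns the raw bytes it received, <PRI> header and terminator included."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = []

    def accept() -> None:
        conn, _ = srv.accept()
        with conn:
            data = b""
            while not data.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        received.append(data)

    worker = threading.Thread(target=accept, daemon=True)
    worker.start()
    send_event("TCP", "127.0.0.1", identifier, payload, port=srv.getsockname()[1])
    worker.join(timeout=5)
    srv.close()
    return received[0] if received else b""


if __name__ == "__main__":
    print(loopback_check())
```

Against the real host, call send_event("TLS", "<qradar host>", "netskopece", SAMPLE_EVENT, cafile="syslog-tls.cert") and then look for the line under Log Activity. If the TLS handshake fails with a hostname mismatch, the exported certificate was issued for a different name than the one you are connecting to; connect with the name on the certificate rather than disabling verification, since that check is what stops a spoofed collector from receiving your tenant's logs.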

Configure Log Shipper Business Rules for QRadar

  1. Go to Log Shipper > Business Rules.

  2. Click Create New Rule.

  3. Enter a Rule Name and select the filters to use.

  4. Click Save.

Configure Log Shipper SIEM Mappings for QRadar

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.

  2. Select a Source Configuration, Business Rule, and Destination Configuration.

  3. Click Save.

Validate the QRadar Plugin

To validate the plugin workflow, check both Netskope Cloud Exchange and your QRadar instance.

In Cloud Exchange

Go to Logging and confirm that the QRadar plugin configuration shows no errors.

In QRadar

  1. Go to your QRadar instance.

  2. Click Log Activity.

  3. Apply filters to see specific logs.

  4. All logs shipped from Netskope are listed there.