
Netskope Security Cloud DSM User Guide 3.0.0


Netskope Security Cloud DSM

Table of Contents
Introduction
Deployment Architecture
Compatibility Matrix
Release Notes
App Installation & Configuration
Prerequisites
Upgrade
v3.0.0
Installation
App Configuration
Step 1) Create Log Source
Step 2) Deploy
Configuring Netskope QRadar CLS
Configuring Netskope QRadar CLS with TCP protocol
Configuring Netskope QRadar CLS with UDP protocol
Configuring Netskope QRadar CLS with TLS protocol
Configuring SIEM Mappings
Uninstalling the Application
Assumptions
Troubleshooting
Case #1 – Netskope events are shown up as NetskopeCustom events
Case #2 – Netskope events are shown up as Unknown events
Case #3 – Netskope events are not ingesting in QRadar
Case #4 – All other issues which are not part of the document


Introduction
This document provides the overall app specification for the Netskope Security Cloud DSM. It
contains a step-by-step guide to install, set up and configure the Netskope Security Cloud DSM.

Deployment Architecture
IBM QRadar SIEM is a network security management platform that provides situational
awareness and compliance support. It collects, processes, aggregates, and stores network data
in real time. IBM Security QRadar SIEM (Security Information and Event Management) is a
modular architecture that provides real-time visibility of your IT infrastructure, which you can use
for threat detection and prioritization.

The Netskope platform offers cloud-native solutions to businesses for data protection and
defense against threats in cloud applications, cloud infrastructure, and the web.

Netskope software is delivered as a SaaS (software as a service) solution that steers cloud and
web traffic to a cloud-native service for inspection and policy enforcement. Netskope customers
log in to the software through a web browser interface, where they can access reports and
analytics on cloud usage and compliance, and set policies to control and secure specific usage
behaviour or alert an administrator.

Netskope customers use a variety of SIEM and event curation solutions that require different
ingestion formats: API (JSON) and Syslog Common Event Format (CEF). These solutions require
output from a tool (Netskope CLS) that works with the Netskope APIs, is easy to tune for their
specific needs, is low cost to deploy, and is compatible with their parsing engines. CLS maps
Netskope fields to SYSLOG-CEF fields, transforms the data and posts SYSLOG-CEF-compliant
results. This posted data is consumed by SIEM platforms such as IBM QRadar. CLS also has a
CLI-based installer that supports installation, repair (adding, removing or editing any configured
integration) and uninstallation from the host machine.


Compatibility Matrix
QRadar Enterprise Version: 7.4.3, 7.5.0
Netskope CE: 4.1.0, 4.2.0
Netskope QRadar Default Mapping Version: 3.0.0
QRadar CLS version: 3.0.0
Compatible Browsers: Chrome, Edge, Firefox

Release Notes
v3.0.0
● Added support for CTEP Alert and Incident Event.
● Added CEPs to extract new Webtx formats.

v2.0.0
● Added support for UBA Alert, Connection Event, V2 WebTx and Netskope CE Application
Log.
● Updated the QRadar minimum supported version to 7.4.3 GA.
● The following CEP names were renamed:

CEP name in v1 (QRadar versions lower than 7.4.3)    CEP name in v2
Bytes From Client                                     Bytes Sent
Bytes From Server                                     Bytes Received
Policy                                                Policy Name
Name                                                  Full Name
Packets From Client                                   Packets Sent
Packets From Server                                   Packets Received
Source Host Name                                      Source Hostname

v1.0.0
● Added support for DLP, Anomaly, Malware, Policy, Compromised Credentials, Legal
Hold, Malsite, Quarantine, Remediation, Security Assessment, Watchlist alert types and
Application, Page, Audit, Network and Infrastructure event types.
● Provided event mappings and CEPs to extract ingested Netskope events.


App Installation & Configuration


Prerequisites
Below is the list of requirements needed to run the app (v3.0.0) on QRadar:
● Netskope Security Cloud DSM (v3.0.0)
● QRadar version: 7.4.3, 7.5.0
● Netskope CE: 4.1.0, 4.2.0
● Netskope QRadar Default Mapping Version: 3.0.0
● QRadar CLS version: 3.0.0

QRadar expects exactly 7 header fields in a CEF payload. If, for any reason, a CEF payload does
not contain 7 header fields, nothing is extracted for that event and the event is classified as a
NetskopeMessage/Unknown event.

Note: The Netskope Security Cloud DSM application parses data in CEF format only.
To receive Incident Events, Netskope CE version 4.1.0 or later is required.
To receive CTEP Alerts, Netskope CE version 4.2.0 or later is required.
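The two checks described above (the 7-field CEF header requirement and the payload-size limit raised later in this guide) can be reproduced offline. The following Python script is an added example for this guide and is not part of the Netskope DSM or CLS code: it splits a CEF line on unescaped pipes, reports an event as "unknown" when fewer than 7 header fields are present, parses the extension key=value pairs, and flags payloads longer than the configured maximum (4096 bytes by default, 32000 as recommended here). The sample payloads are constructed for the example and are not real Netskope output.

```python
import re

# Values from the guide: QRadar's default syslog payload limit and the recommended value.
DEFAULT_MAX_PAYLOAD = 4096
RECOMMENDED_MAX_PAYLOAD = 32000

# The seven CEF header fields QRadar expects before the extension.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A CEF extension key is a token followed by '=' at the start or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def split_cef(payload):
    """Split a CEF line into up to seven header fields (unescaped) and the raw extension.

    Only '|' characters not preceded by a backslash separate header fields. Anything after
    the seventh separator is the extension and is returned untouched. If the header was cut
    short, fewer than seven fields come back and the caller treats the event as unknown.
    """
    fields = []
    start = i = 0
    while i < len(payload) and len(fields) < len(HEADER_FIELDS):
        if payload[i] == "\\":          # skip the escaped character after a backslash
            i += 2
            continue
        if payload[i] == "|":
            fields.append(payload[start:i])
            start = i + 1
        i += 1
    unescaped = [f.replace("\\|", "|").replace("\\\\", "\\") for f in fields]
    return unescaped, payload[start:]


def parse_extension(extension):
    """Parse 'key=value key2=value two' pairs; a value runs until the next ' key=' token."""
    pairs = {}
    matches = list(_KEY_RE.finditer(extension))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(extension)
        raw = extension[m.end():end]
        pairs[m.group(1)] = (raw.replace("\\=", "=").replace("\\n", "\n")
                             .replace("\\r", "\r").replace("\\\\", "\\"))
    return pairs


def inspect_payload(payload, max_payload=DEFAULT_MAX_PAYLOAD):
    """Apply the two checks the guide describes to one CEF payload.

    Returns a dict with 'status' ('parsed' or 'unknown'), a 'truncation_risk' flag for
    payloads longer than the configured limit, and the parsed header and extension when
    all seven header fields are present.
    """
    result = {"truncation_risk": len(payload.encode("utf-8")) > max_payload}
    if not payload.startswith("CEF:"):
        result["status"] = "unknown"
        result["reason"] = "no CEF prefix"
        return result
    fields, extension = split_cef(payload)
    if len(fields) != len(HEADER_FIELDS):
        result["status"] = "unknown"
        result["reason"] = "expected 7 header fields, found %d" % len(fields)
        return result
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]
    result.update(status="parsed", header=header, extension=parse_extension(extension))
    return result


# Constructed sample payloads (not real Netskope output): a well-formed event with an
# escaped pipe in its name, one whose header was cut short, and one padded past 4096 bytes.
GOOD = ("CEF:0|Netskope|Netskope CLS|3.0.0|alert|DLP \\| policy hit|5|"
        "src=10.0.0.1 suser=user@example.com msg=a value with spaces act=block")
SHORT = "CEF:0|Netskope|Netskope CLS|3.0.0|alert|Truncated"
LONG = GOOD[:-len("act=block")] + "msg2=" + "x" * 5000 + " act=block"

if __name__ == "__main__":
    for label, payload in (("good", GOOD), ("short", SHORT), ("long", LONG)):
        r = inspect_payload(payload)
        print(label, r["status"], r.get("reason", ""),
              "truncation_risk=%s" % r["truncation_risk"])
        if r["status"] == "parsed":
            print("   header:", r["header"])
            print("   extension keys:", sorted(r["extension"]))
```

Running it shows the short payload rejected with "found 5" header fields, and the long payload flagged under the 4096-byte default but not under 32000; the same payload parses fine once the limit is raised, which is exactly why the guide asks you to raise it before events start flowing.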

Upgrade

v3.0.0
● To upgrade the app from 2.0.0 to 3.0.0, follow the Installation steps.
● Clear the browser cache and refresh the QRadar page.

Installation
The application installation requires access to the QRadar console machine via its web
interface, reachable at https://<<QRadarconsoleIP>>/. The installation process is as follows:
a. Log in to the QRadar console.


b. Go to Admin → Extension Management.


c. Download Netskope Security Cloud DSM v3.0.0 from the IBM App Exchange.
d. Click Add and choose the downloaded zip file.

e. QRadar displays a list of the changes the app will make. Click the Install button.


f. A window then confirms that the app was installed successfully and shows the DSM Event
Mappings list.


g. Clear the cache and refresh the browser window after the app has been installed successfully.

App Configuration

Note: Before configuring the app, we recommend increasing the maximum payload size in QRadar
to prevent truncation of the payload. To do so:
1. Navigate to System Settings from the Admin panel.
2. Click the button under Switch To → Advanced.
3. Locate the Max TCP/UDP Syslog Payload Length options.
4. Increase the value of these fields to 32000.
5. Click Deploy Changes.
6. Click Restart Event Collection Services to put the changes into effect.

Step 1) Create Log Source

To create a log source in QRadar (through the Log Source Management app) for ingesting data
from Netskope over the TCP/UDP/TLS protocol, perform the following steps:
1. Go to the Log Source Management App via the Admin Panel.


2. A separate window will pop up. Click on + New Log Source button as shown below:

3. Select Log Source type as “Netskope”.

4. For receiving data sent through TCP/UDP protocol from Netskope CLS, select protocol
type as “Syslog” and for receiving data sent through TLS select protocol type as “TLS
Syslog”.


Note: The default port for TCP/UDP (Syslog) in QRadar is 514 and for TLS Syslog it is 6514.
For more information, refer to:
https://www.ibm.com/docs/en/qsip/7.4?topic=qradar-port-usage

5. In the Configure Log Source parameters section, enter the name of the log source, keep the
log source enabled and leave the Coalescing events checkbox disabled.


6. In the Configure the protocol parameters section, enter a Log Source Identifier, e.g.
‘netskopece’.
Note:
i) The Log Source Identifier value used in this step must also be used in the “Log Source
Identifier” field when configuring the Netskope QRadar plugin. Ensure the correct value is
entered for the Log Source Identifier field; otherwise ingested events will not be identified
as Netskope events.

ii) Once the log source has been deployed successfully, obtain the TLS certificate by running
the command (cat /opt/qradar/conf/trusted_certificates/syslog-tls.cert) on the QRadar VM
where the log source is deployed. This TLS certificate is required when configuring the
QRadar plugin with the TLS protocol.

iii) For the “Max Payload Length” field, we have observed that events are truncated even
when the field is set to its maximum, i.e. 32768. To avoid truncation of the payload, we
recommend changing the payload length by following the steps given here.


7. Click the Skip Test and Finish button, then go to Step 2) Deploy.

Step 2) Deploy
1. Click Deploy as shown below.

2. To collect events in QRadar, configure the Netskope QRadar CLS by following the steps
given here.
Note:
● To receive events and alerts, configure the Netskope CLS plugin.
● To receive WebTx, configure the Netskope WebTx plugin.
● To receive Netskope CE application logs, configure the Syslog for CE plugin.
After configuring the above source plugins, create SIEM Mappings for all source mappings
and keep the QRadar CLS plugin as the destination.

3. Once events are successfully received via the created log source, the status of the log
source will be OK.


Note:
i. The “Log Source Time” displayed on drilldown of an event in the Log Activity section
of QRadar is mapped from the “timestamp”, “createdAt” and “deviceCustomDate1” fields
in the payload received from Netskope CLS and is shown in the time zone of the QRadar
system.
ii. The “Time” field shown in the Log Activity tab is the time at which the event was
received by the QRadar instance.

If you wish to see events (real-time) with log source time instead of start time, perform the
following steps:
a. Go to the Log Activity tab → click the Search dropdown → click New Search.

b. Do not select any saved search. Set the Search Mode radio button to Basic and the Time
Range radio button to Real Time (streaming). Under the Column definition tab, click
Advanced View definition. In Columns, remove the Time column and add the Log source
time column. Apply these filters: Order by → Log source time → Desc. Remove the default
result limit of 1000. In Search Parameters, select Log Source [Indexed], select the Equals
operator and select the name of the log source that was created in this step.


Configuring Netskope QRadar CLS

Configuring Netskope QRadar CLS with TCP protocol


1. Log in to Netskope CE.
2. On the left-hand navigation panel, click Settings, then Plugins.
3. Click QRadar CLS in the list of plugins.
4. Provide basic information such as the configuration name and Mapping value.
5. In the configuration parameters, provide the QRadar server IP, QRadar format as CEF,
QRadar protocol as TCP, QRadar port, and a Log Source Identifier identical to the value
used when creating the Log Source in QRadar.


Configuring Netskope QRadar CLS with UDP protocol


1. Log in to Netskope CE.
2. On the left-hand navigation panel, click Settings, then Plugins.
3. Click QRadar CLS in the list of plugins.
4. Provide basic information such as the configuration name and Mapping value.
5. In the configuration parameters, provide the QRadar server IP, QRadar format as CEF,
QRadar protocol as UDP, QRadar port, and a Log Source Identifier identical to the value
used when creating the Log Source in QRadar.


Configuring Netskope QRadar CLS with TLS protocol


1. Ensure that the log source has been created as per the steps given here.
2. In the Configure Log Source parameters section, enter the name of the log source, keep
the log source enabled and disable the Coalescing events checkbox.
3. Click Deploy as shown below.


4. You can test the connection by clicking Start Test and verifying the SSL connection.


5. Log in to Netskope CE.
6. On the left-hand navigation panel, click Settings, then Plugins.
7. Click QRadar CLS in the list of plugins.
8. Provide basic information such as the configuration name and Mapping value.
9. In the configuration parameters, provide the QRadar server IP, QRadar format as CEF,
QRadar protocol as TLS, QRadar port as 6514 and a Log Source Identifier identical to the
value used when creating the Log Source in QRadar.

Note: The certificate can be displayed by running the following command over SSH on QRadar:

cat /opt/qradar/conf/trusted_certificates/syslog-tls.cert


Configuring SIEM Mappings


An admin can configure SIEM mappings to ingest the events and alerts from a Netskope tenant
into their SIEM platform. The admin should configure the Netskope source plugin and the SIEM
destination plugin, and also configure a business rule if they plan to ingest only selected
alerts/events.
Role required: admin
1. Log in to Netskope CE. Navigate to Log Shipper > SIEM Mappings.
2. Select the source configuration and provide the name of the configured plugin that will
fetch data from Netskope.
3. Select the destination configuration and provide the name of the configuration you entered
while configuring the QRadar CLS plugin to ingest data from Netskope into QRadar.


4. Then select the business rule.


Uninstalling the Application


To uninstall the application, perform the following steps.
1. Go to the Admin page.
2. Open Extension Management.
3. Select the Netskope Security Cloud DSM application.
4. Click Uninstall.

Note: On uninstalling the app, all CEPs and the log source are removed, but the log source
type, log source extension and DSM mappings (including QIDs) are not removed automatically.
Remove them manually if needed.


Assumptions
The current pack is assumed to support the DLP, Anomaly, Malware, Policy, Compromised
Credentials, Legal Hold, Malsite, Quarantine, Remediation, Security Assessment, Watchlist,
UBA and CTEP alert types; the Application, Page, Audit, Network, Infrastructure, Connection
and Incident event types; and WebTx and Netskope CE Application Log.
If Netskope adds or modifies any property of an alert or event type, supporting that property
will require adding or modifying the corresponding custom properties and events in QRadar.

Troubleshooting

This section describes common issues that might occur while deploying or running the app,
and the steps to resolve them.

Case #1 – Netskope events are shown up as NetskopeCustom events


Problem:
Netskope events show up as NetskopeCustom rather than being identified with the right QRadar
category. This is seen in the “Log Activity” tab in QRadar when a user searches for events
pertaining to the Netskope log source.

Troubleshooting Steps:
This issue occurs when the event payload is larger than 4096 bytes, which causes the event
payload to be broken up. 4096 is the default size configured in the QRadar platform. Follow
these steps to resolve the issue:
1. Navigate to System Settings from the Admin panel.
2. Click the button under Switch To → Advanced.
3. There are two options: Max TCP Syslog Payload Length and Max UDP Syslog Payload
Length.
Below is a screenshot for quick reference:


4. Increase the value of these fields as needed (recommended: 32000).
5. Click Deploy Changes.
6. Click Restart Event Collection Services to put the changes into effect.

Case #2 – Netskope events are shown up as Unknown events

Problem:
Netskope events show up as Unknown events.

Troubleshooting Steps:
1. Go to Log Activity.
2. Click Add Filter. Select Parameter → Log Source Type [Indexed], Operator → Equals
and Log Source → Netskope.
3. Select ‘Last 7 Days’ in the Views filter dropdown.
4. If any events show up as Unknown:


i) Right-click that event.
ii) Select View in DSM Editor.
iii) Check the values of Event ID and Event Category under Log Activity Preview.
iv) If the Event ID and Event Category values are unknown, create a support ticket with
Netskope.

Case #3 – Netskope events are not ingesting in QRadar


Problem:
Netskope events are not being ingested into QRadar.

Troubleshooting Steps:
Follow the steps below:
1. Log in to the Netskope CE UI, go to the Home tab and check whether the disk storage is
full. In the image below, the graph shows the available storage.

The available disk space should be more than the low watermark value. Data ingestion
depends on the available disk: if Available Disk is lower than Low Watermark, data
ingestion is affected.


2. Go to Log Shipper => Plugins and check whether the CLS configured to ingest events into
QRadar is enabled. The image below shows an enabled CLS.

If the CLS is disabled (red down arrow), enable it.

3. Go to Log Shipper => SIEM Mappings and check for the mapping from the Netskope CLS to
the QRadar CLS. If it is not there, add it by clicking the Add SIEM Mapping button.

4. Go to Logging (bottom left), apply the filters below and check the logs for any errors
relating to pulling or ingesting events.


If there is a pulling or ingestion error, events will not be ingested into QRadar.

5. Go to Tasks (bottom left), apply the filters below and check for any tasks in the Inqueue,
InProgress or Error stages.

If any tasks have the status InProgress or Inqueue, wait for them to complete.
If any tasks have the status Error, events are not being ingested into QRadar.

6. Check for undeployed changes in the Admin tab.


If there are any undeployed changes, deploy them.

7. Make sure that the correct protocol is selected in the QRadar plugin and in the QRadar
log source.

● On the Netskope CE side, if the TCP/UDP protocol is selected, verify that the port is 514
and that on the QRadar side the protocol of the log source is ‘Syslog’.
● On the Netskope CE side, if the TLS protocol is selected, verify that the port is 6514 and
that on the QRadar side the protocol of the log source is ‘TLS Syslog’.
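The pairing rules in step 7, together with the Log Source Identifier match required in Step 1) Create Log Source and the CEF-only and Coalescing-events requirements from earlier sections, can be checked mechanically before opening a support case. The following Python function is an added example for this guide, not part of Netskope CE or the QRadar app; it takes the two configurations as plain dicts whose key names are assumptions made for the example, and returns every mismatch it finds. The sample configurations at the bottom are constructed.

```python
# Pairings stated in the guide: CE-side protocol -> (QRadar log source protocol, port).
EXPECTED_PAIRING = {
    "TCP": ("Syslog", 514),
    "UDP": ("Syslog", 514),
    "TLS": ("TLS Syslog", 6514),
}


def check_configuration(ce_plugin, log_source):
    """Return a list of mismatches between a QRadar CLS plugin config and a QRadar log source.

    Both arguments are plain dicts with keys assumed for this example:
      ce_plugin:  protocol, port, format, log_source_identifier
      log_source: protocol, log_source_identifier, coalescing_events
    An empty list means the two sides agree on everything the guide tells you to verify.
    """
    problems = []
    proto = str(ce_plugin.get("protocol", "")).upper()
    if proto not in EXPECTED_PAIRING:
        problems.append("unsupported CE protocol %r (expected TCP, UDP or TLS)" % proto)
    else:
        want_type, want_port = EXPECTED_PAIRING[proto]
        if log_source.get("protocol") != want_type:
            problems.append("CE protocol %s needs QRadar log source protocol %r, found %r"
                            % (proto, want_type, log_source.get("protocol")))
        if ce_plugin.get("port") != want_port:
            problems.append("CE protocol %s is expected on port %d, found %r"
                            % (proto, want_port, ce_plugin.get("port")))
    if ce_plugin.get("format") != "CEF":
        problems.append("QRadar format must be CEF (the DSM parses CEF only), found %r"
                        % ce_plugin.get("format"))
    # The identifier is compared exactly: a mismatch leaves events unidentified as Netskope.
    ce_id = ce_plugin.get("log_source_identifier")
    qr_id = log_source.get("log_source_identifier")
    if ce_id != qr_id:
        problems.append("Log Source Identifier differs: CE %r vs QRadar %r" % (ce_id, qr_id))
    if log_source.get("coalescing_events"):
        problems.append("Coalescing events should be disabled on the log source")
    return problems


# Constructed example configurations: one consistent pair and one with three mistakes
# (TLS sent to port 514, log source left as plain Syslog, identifier spelled differently).
GOOD_CE = {"protocol": "TLS", "port": 6514, "format": "CEF",
           "log_source_identifier": "netskopece"}
GOOD_LS = {"protocol": "TLS Syslog", "log_source_identifier": "netskopece",
           "coalescing_events": False}
BAD_CE = {"protocol": "TLS", "port": 514, "format": "CEF",
          "log_source_identifier": "netskope-ce"}
BAD_LS = {"protocol": "Syslog", "log_source_identifier": "netskopece",
          "coalescing_events": False}

if __name__ == "__main__":
    for label, ce, ls in (("good", GOOD_CE, GOOD_LS), ("bad", BAD_CE, BAD_LS)):
        found = check_configuration(ce, ls)
        print(label, "OK" if not found else "")
        for p in found:
            print("  -", p)
```

Run it against values copied from both UIs; each line it prints corresponds to one of the checks in this guide, so the output tells you which screen to go back to.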

Case #4 – All other issues which are not part of the document
Problem:
The problem is not listed in this document.
Troubleshooting Steps:
Follow the steps below:
1. Click System and License Management in the Admin panel.
2. Select the host on which the Netskope Security Cloud DSM is installed.
3. Click Actions in the top panel and select Collect Log Files.
4. A pop-up named Log File Collection opens.
5. Click Advanced Options.
6. Select the checkboxes Include Debug Logs, Application Extension Logs and Setup Logs
(Current Version).
7. Select 2 days as the data input and click the Collect Log Files button.
8. Click "Click here to download files".
9. This downloads all the log files as a single zip to your local machine.
10. Create a support case with Netskope and attach this log file.
