Netskope

Netskope is integrated with LogScale through the following package:

  • The Netskope CASB package can be used to parse incoming syslog CEF logs from Netskope. See Netskope CASB Package.

Netskope CASB Package

The Netskope CASB package can be used to parse incoming syslog CEF Logs from Netskope and then visualize the data using the dashboards provided.

Package Prerequisites

Setup and Installation

Create a new Log Shipper in Netskope and configure it with your Log Receiver's IP address and TCP/UDP port. During configuration, select all fields and values. Next, configure SIEM mappings as described here. Install the Falcon LogScale Collector.

The HEC Log Shipper will forward all events to your LogScale repository. You can use logshipper.log to debug should any problems arise. Logshipper also sends logs retroactively, so it will send all logs that already exist to your LogScale instance.
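When debugging ingestion, it helps to confirm that the lines the Log Shipper emits are well-formed CEF before they reach the package's parser. The following Python sketch is an added example, not code from the package, Netskope or LogScale; the function names are illustrative, and the sample line with its field names and values is constructed.

```python
import re

HEADER = ["cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity"]
_KEY = re.compile(r"(?:^|(?<=\s))([\w.\-]+)=")   # extension key at start or after whitespace
_ESC = re.compile(r"\\(.)")                       # backslash escape pair

def _split_header(body):
    """Split on unescaped '|' into the 7 header fields; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1]); i += 2       # keep the escaped character literally
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < len(HEADER):
        raise ValueError("truncated CEF header")
    return fields, body[i:]

def _parse_extension(ext):
    """Values run until the next key=, so they may contain spaces; \\= is a literal '='."""
    hits, out = list(_KEY.finditer(ext)), {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = _ESC.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out

def parse_cef(line):
    """Parse one syslog line carrying a CEF record; raise ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker in line")
    fields, ext = _split_header(line[start + 4:])
    record = dict(zip(HEADER, fields))
    record["syslog_prefix"] = line[:start].strip()
    record["extension"] = _parse_extension(ext)
    return record

# Constructed sample line; vendor string aside, all field names and values are made up.
SAMPLE = (r"<134>Jan 12 10:15:02 shipper01 CEF:0|Netskope|Example Tenant|NULL|alert|"
          r"DLP rule \| upload|High|app=Box user=alice@example.test "
          r"url=https://example.test/f?id\=7 msg=blocked upload of q3 plan.xlsx")

if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE).items():
        print(key, "=", value)
```

Lines that raise `ValueError` here are the ones worth comparing against logshipper.log, since a truncated header or a missing `CEF:` marker usually points at the shipper or transport rather than at the LogScale parser.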

Installing the Package in LogScale

Find the repository where you want to send the Netskope Reveal X data, or create a new one.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package for Netskope (i.e. netskope/casb).

  3. When the package has finished installing, click Ingest tokens on the left (still under Settings).

  4. In the right panel, click + Add Token to create a new token. Give the token an appropriate name (e.g. the name of the server the token is ingesting logs for).

    Before leaving this page, view the ingest token and copy it to your clipboard so that you can save it temporarily elsewhere.

    Now that you have a repository set up in LogScale along with an ingest token, you're ready to send logs to LogScale.

Package Contents

The package contains the following:

Parser

  • Netskope syslog CEF

Dashboards

  • CASB Overview

  • Alert Overview

  • Detection Overview