Merged
Changes from 2 commits
54 changes: 53 additions & 1 deletion packages/netskope/_dev/build/docs/README.md
Original file line number Diff line number Diff line change
@@ -1,13 +1,14 @@
# Netskope

This integration is for Netskope. It can be used to receive logs sent by [Netskope Cloud Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785) on respective TCP ports.
This integration is for Netskope. It can be used to receive logs sent by [Netskope Cloud Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785) and [Netskope Log Streaming](https://docs.netskope.com/en/log-streaming/). To receive log from Netskope Cloud Log Shipper use TCP input and for Netskope Log Streaming use any of the Cloud based input(AWS, GCS, Azure Blob Storage).

The log message is expected to be in JSON format. The data is mapped to
ECS fields where applicable and the remaining fields are written under
`netskope.<data-stream-name>.*`.

## Setup steps

### For receiving log from Netskope Cloud Shipper
1. Configure this integration with the TCP input in Kibana.
2. For all Netskope Cloud Exchange configurations refer to the [Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785).
3. In Netskope Cloud Exchange please enable Log Shipper, add your Netskope Tenant.
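Review bot: the new sentence on the intro line has grammar slips that will show up verbatim in the published docs: "To receive log from" should read "To receive logs from", "Cloud based input(AWS, GCS, Azure Blob Storage)" needs the hyphen, the plural and a space before the parenthesis. Suggested wording: "To receive logs from Netskope Cloud Log Shipper, use the TCP input; for Netskope Log Streaming, use any of the cloud-based inputs (AWS, GCS, Azure Blob Storage)."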
Expand All @@ -33,6 +34,51 @@ ECS fields where applicable and the remaining fields are written under
> Note: For detailed steps refer to [Configure Log Shipper SIEM Mappings](https://docs.netskope.com/en/configure-log-shipper-siem-mappings.html).
Please make sure to use the given response formats.

### For receiving log from Netskope Log Streaming
1. To configure Log streaming please refer to the [Log Streaming Configuration](https://docs.netskope.com/en/configuring-streams). While Configuring make sure compression is set to GZIP as other compression type is not supported.

### Enabling the integration in Elastic:

1. In Kibana go to **Management** > **Integrations**.
2. In "Search for integrations" search bar, type **Netskope**.
3. Select the **Netskope** integration from the search results.
4. Select the Add **Netskope** Integration button to add the integration.
5. While adding the integration, if you want to collect logs via AWS S3, you'll need to provide the following details:
- Collect logs via S3 Bucket toggled on
- Access Key ID
- Secret Access Key
- Bucket ARN
- Session Token

or if you want to collect logs via AWS SQS, you'll need to provide the following details:
- Collect logs via S3 Bucket toggled off
- Queue URL
- Secret Access Key
- Access Key ID

or if you want to collect logs via GCS, you'll need to provide the following details:
- Project ID
- Buckets
- Service Account Key/Service Account Credentials File

or if you want to collect logs via Azure Blob Storage, you'll need to provide the following details:
For OAuth2 (Microsoft Entra ID RBAC):
- Toggle on **Collect logs using OAuth2 authentication**
- Account Name
- Client ID
- Client Secret
- Tenant ID
- Container Details.

For Service Account Credentials:
- Service Account Key or the URI
- Account Name
- Container Details

Or if you want to collect logs via TCP, you'll need to provide the following details:
- Listen Address
- Listen Port

## Compatibility

This package has been tested against `Netskope version 95.1.0.645` and `Netskope Cloud Exchange version 3.4.0`.
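Review bot: the credential lists are inconsistent between the two AWS options: "Collect logs via S3 Bucket" lists Session Token, but the SQS option does not. If temporary credentials are accepted for both inputs, list Session Token under both; if SQS really cannot take one, say so, since readers using short-lived CI credentials will otherwise try it. Smaller points in the same hunk: "For receiving log from Netskope Log Streaming" and the Log Shipper heading above it should say "logs", "other compression type is not supported" should be "other compression types are not supported", and "Container Details." carries a trailing period its sibling items lack. Finally, the Compatibility line still names only `Netskope version 95.1.0.645` and `Netskope Cloud Exchange version 3.4.0`; since this change adds the Log Streaming path and the alerts_v2 stream, state which Log Streaming configuration they were tested against.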
Expand All @@ -55,6 +101,12 @@ Default port: _9021_

{{event "alerts"}}

### Alerts V2

{{fields "alerts_v2"}}

{{event "alerts_v2"}}

### Events

{{fields "events"}}
5 changes: 5 additions & 0 deletions packages/netskope/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.1.0"
changes:
- description: Add support for Alert v2 data stream.
type: enhancement
link: https://github.com/elastic/integrations/pull/1
- version: "2.0.0"
changes:
- description: Change mapping of field `netskope.alerts.breach.date` from `double` to `date`.
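Review bot: the `link` for the 2.1.0 entry points at `https://github.com/elastic/integrations/pull/1`, which is a placeholder; replace it with this pull request's URL before merging so the changelog traces to the real change. The description could also name the data stream as it appears in the package ("alerts_v2") rather than "Alert v2" so it is searchable.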
Expand Up @@ -110,7 +110,6 @@
},
"type": "policy",
"url": {
"extension": "com\\\\/open",
"original": "http:\\\\/\\\\/www.example.com\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
"path": "\\\\/\\\\/www.example.com\\\\/open",
"query": "id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
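Review bot: `url.path` in this hunk still reads `"\\/\\/www.example.com\\/open"` while `url.original` is `"http:\\/\\/www.example.com\\/open?id=..."`, so the authority is being kept inside the path; the removed `"extension": "com\\/open"` was a symptom of that same mis-split (the tail of the host name was treated as a file extension), not an isolated bad field. Worth checking the URL handling in the pipeline that produces these documents rather than only deleting `url.extension` from the expected output, otherwise `url.path` will keep carrying the host for every alert.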
Expand Down Expand Up @@ -285,7 +284,6 @@
},
"type": "DLP",
"url": {
"extension": "com\\\\/open",
"original": "http:\\\\/\\\\/www.example.com\\\\/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg",
"path": "\\\\/\\\\/www.example.com\\\\/open",
"query": "id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg",
Expand Down Expand Up @@ -473,7 +471,6 @@
},
"type": "quarantine",
"url": {
"extension": "com\\\\/open",
"original": "https:\\\\/\\\\/www.example.com\\\\/open?id=o3MyjFxoNAcb514WLYNjJTI9_klcx82rGg7aPGxKgEyq",
"path": "\\\\/\\\\/www.example.com\\\\/open",
"query": "id=o3MyjFxoNAcb514WLYNjJTI9_klcx82rGg7aPGxKgEyq",
Expand Down Expand Up @@ -942,7 +939,6 @@
"page": {
"site": "examplesecuritycheck",
"url": {
"extension": "com/tests/execute/9",
"original": "examplesecuritycheck.com/tests/execute/9",
"path": "examplesecuritycheck.com/tests/execute/9"
}
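Review bot: for the `page.url` objects the removed `"extension": "com/tests/execute/9"` is the same host-as-extension problem, and here `url.path` equals the whole `url.original` (`examplesecuritycheck.com/tests/execute/9`), meaning a scheme-less value is treated entirely as a path. If that is the intended behaviour for input without a scheme, a one-line comment in the pipeline or README would save the next reviewer the same question; if not, it belongs with the fix suggested for the `url.path` values above.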
Expand Down Expand Up @@ -1693,7 +1689,6 @@
"page": {
"site": "examplesecuritycheck",
"url": {
"extension": "com/tests/execute/9",
"original": "examplesecuritycheck.com/tests/execute/9",
"path": "examplesecuritycheck.com/tests/execute/9"
}
Expand Down Expand Up @@ -2465,7 +2460,6 @@
"page": {
"site": "examplesecuritycheck",
"url": {
"extension": "com/tests/execute/9",
"original": "examplesecuritycheck.com/tests/execute/9",
"path": "examplesecuritycheck.com/tests/execute/9"
}
Expand Down Expand Up @@ -3253,7 +3247,6 @@
},
"type": "DLP",
"url": {
"extension": "com\\\\/open",
"original": "http:\\\\/\\\\/www.example.com\\\\/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg",
"path": "\\\\/\\\\/www.example.com\\\\/open",
"query": "id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg",
Expand Down Expand Up @@ -3429,7 +3422,6 @@
},
"type": "DLP",
"url": {
"extension": "com\\\\/open",
"original": "http:\\\\/\\\\/www.example.com\\\\/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg",
"path": "\\\\/\\\\/www.example.com\\\\/open",
"query": "id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg",
Expand Down Expand Up @@ -3650,7 +3642,6 @@
"page": {
"site": "examplesecuritycheck",
"url": {
"extension": "com/tests/execute/9",
"original": "examplesecuritycheck.com/tests/execute/9",
"path": "examplesecuritycheck.com/tests/execute/9"
}
Expand Down Expand Up @@ -4272,7 +4263,6 @@
},
"type": "policy",
"url": {
"extension": "com/",
"original": "www.example.com/",
"path": "www.example.com/"
}
@@ -0,0 +1,9 @@
version: '2.3'
services:
terraform:
environment:
- AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
- AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
- AWS_DEFAULT_PROFILE=${AWS_DEFAULT_PROFILE}
- AWS_REGION=${AWS_REGION:-us-east-1}
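Review bot: `AWS_DEFAULT_PROFILE=${AWS_DEFAULT_PROFILE}` has no fallback, so a CI run that sets only the three credential variables hands the container an empty `AWS_DEFAULT_PROFILE=` entry; either give it a default the way the `AWS_REGION` line does or drop it. Also, `AWS_REGION` defaulting to `us-east-1` here duplicates the `region = "us-east-1"` hardcoded in the provider block of `main.tf`; an explicit provider `region` takes precedence over the environment variable, so setting `AWS_REGION` to another region in this compose file would have no effect on where the bucket and queue are created.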
Binary file not shown.
57 changes: 57 additions & 0 deletions packages/netskope/data_stream/alerts_v2/_dev/deploy/tf/main.tf
@@ -0,0 +1,57 @@
provider "aws" {
region = "us-east-1"
default_tags {
tags = {
environment = var.ENVIRONMENT
repo = var.REPO
branch = var.BRANCH
build = var.BUILD_ID
created_date = var.CREATED_DATE
}
}
}

resource "aws_s3_bucket" "bucket" {
bucket = "elastic-package-netskope-alert-v2-bucket-${var.TEST_RUN_ID}"
}

resource "aws_sqs_queue" "queue" {
name = "elastic-package-netskope-alert-v2-queue-${var.TEST_RUN_ID}"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:*:*:elastic-package-netskope-alert-v2-queue-${var.TEST_RUN_ID}",
"Condition": {
"ArnEquals": { "aws:SourceArn": "${aws_s3_bucket.bucket.arn}" }
}
}
]
}
POLICY
}

resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id

queue {
queue_arn = aws_sqs_queue.queue.arn
events = ["s3:ObjectCreated:*"]
}
}

resource "aws_s3_object" "object" {
bucket = aws_s3_bucket.bucket.id
key = "test-alerts-v2.csv.gz"
source = "./files/test-alerts-v2.csv.gz"
@andrewkroh (Member) commented on Jul 16, 2025:

Can you use the base64gzip function to avoid adding an opaque gzip file to the repo, which makes it hard to review changes via diffs?

Contributor Author:

Sure, let me use base64gzip function.


depends_on = [aws_sqs_queue.queue]
}

output "queue_url" {
value = aws_sqs_queue.queue.url
}
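Review bot: the queue policy grants `sqs:SendMessage` to `"Principal": "*"` and relies only on the `ArnEquals` condition on `aws:SourceArn` to limit it to the test bucket. That is the usual S3-to-SQS notification pattern and is acceptable because the condition pins the exact bucket ARN, but the `Resource` is `arn:aws:sqs:*:*:elastic-package-netskope-alert-v2-queue-${var.TEST_RUN_ID}` with wildcards for region and account; adding an `aws:SourceAccount` condition next to `aws:SourceArn` is cheap and removes any dependence on the globally shared bucket name staying in this account. Two further points: `region = "us-east-1"` in the provider block duplicates the `AWS_REGION` default in `docker-compose.yml`, so read it from a variable to keep the two from drifting; and as shown the `aws_s3_object` still uses `source = "./files/test-alerts-v2.csv.gz"`, the opaque binary the thread above agreed to replace, so confirm the follow-up commit switches to `content_base64` with `base64gzip` and drops the committed file.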
@@ -0,0 +1,26 @@
variable "BRANCH" {
description = "Branch name or pull request for tagging purposes"
default = "unknown-branch"
}

variable "BUILD_ID" {
description = "Build ID in the CI for tagging purposes"
default = "unknown-build"
}

variable "CREATED_DATE" {
description = "Creation date in epoch time for tagging purposes"
default = "unknown-date"
}

variable "ENVIRONMENT" {
default = "unknown-environment"
}

variable "REPO" {
default = "unknown-repo-name"
}

variable "TEST_RUN_ID" {
default = "detached"
}
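Review bot: `ENVIRONMENT`, `REPO` and `TEST_RUN_ID` have no `description`, unlike `BRANCH`, `BUILD_ID` and `CREATED_DATE`; add one for each. For `TEST_RUN_ID` the description should say it is interpolated into the S3 bucket and SQS queue names in `main.tf`, so the value must satisfy S3 bucket-name rules (lowercase letters, digits, hyphens and dots; 63 characters total), which with the 41-character prefix `elastic-package-netskope-alert-v2-bucket-` leaves at most 22 characters for whatever CI supplies.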