|Vendor Products||Netskope API 48|
|Has index-time operations||true|
|Creates an index||false|
|Implements summarization||Currently, the app does not generate summaries|
About Netskope App For Splunk
The Netskope App for Splunk integrates with the Netskope service to provide value and insight into your data.
This App provides the following scripts:
|bin/netskope.py||The Modular Input used to communicate and consume the API data.|
|netskope_client.py||This chunk of Python contains the Modular Input Classes for Netskope.|
|netskope_url.py||Alert Action script for URL lists.|
|netskope_file_hash.py||Alert Action script for file hash lists.|
|Diag.py||Allows diag-targeted collection of information.|
|ModularInput.py||Inheritable Class to create Modular Inputs|
|RESTClient.py||Inheritable Class to create REST clients|
|Utilities.py||Allows utility interactions with Splunk Endpoints|
Test and QA
Version 1.1.5 of Netskope App For Splunk is compatible with:
|Splunk Enterprise versions||7.0, 7.1, 7.2|
|Vendor Platform||Netskope API 48|
Version 1.1.5 of Netskope App For Splunk has the following known issues:
Version 1.1.0 of Netskope App For Splunk has the following known issues:
netskope_configured_inputsis not configured to use a generating command, therefore the dashboards are failing to create the filtering search.
Version 1.0.3 (83) of Netskope App For Splunk has the following known issues:
Application Detail and Alert Detail dashboards will not work in Splunk 6.4 due to token incompatibilities.
Access questions and answers specific to Netskope App For Splunk at https://answers.splunk.com . Be sure to tag your question with the App.
Support is available via email at email@example.com. Responses vary on working days between working hours.
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Download Netskope App For Splunk at https://splunkbase.splunk.com/app/3414/.
NOTE: Where referenced, TA-NetSkopeAppForSplunk and IA-NetSkopeAppForSplunk are located on Splunkbase.
Follow these steps to install the app in a single server instance of Splunk Enterprise:
To configure the Netskope application you should start on the Application Configuration page (Administration > Application Configuration)*:
On this screen you can set the base index as well as a flag that specifies that the application is configured. In the future there will be additional configurations available.
If you have configured a proxy server you can view the configuration under this tab. These are proxy server configurations that are being used by existing modular inputs for the Netskope application. You can also delete existing proxy configurations on this tab.
You can view/delete existing credentials on this tab. These are credentials that are being used by existing modular inputs in the Netskope application. These credentials are the credentials used to connect to Netskope appliances.
On this screen you can view and make any changes to existing modular inputs. As you make changes and tab between fields the modular input is modified.
If you need to use a proxy as part of the connection to Netskope, configure it here.
To create a new proxy server configuration, click the Create New Proxy button and fill in the following fields:
By default creating a new modular input with a username and password specified will create the necessary encrypted credentials. However if you want to create encrypted credentials manually follow this process:
NOTE: By default creating a new modular input will automatically create a new encrypted credential so this process is not necessary unless you need a new credential for another purpose.
NOTE: You will need to configure a new modular input for each Netskope url
To create a new modular input configuration click Create New Modular Input.
This will configure the modular input settings in the SPLUNK_HOME/etc/apps/NetskopeAppForSplunk/local/inputs.conf. These settings are available under the modular input tab on the Application Configuration page as well as the data input page under Settings>Data Inputs>Netskope. If the token is to be encrypted then the encrypted token will be written to the encrypted credential store and the token on the modular input will show the value that used to retrieve the encrypted token.
NOTE: To make sure that the modular input gets enabled properly navigate to Settings>Data Inputs>Netskope> and press Disable then press Enable to enable the modular input.
All proxy, encrypted credential and modular input configurations are available in the tabs on the Application Configuration page.
Netskope ships with the knowledge objects required for Enterprise Security integration. These objects need to be imported to Enterprise Security. This can be done in two ways:
Do not install both the App and the TA on the Enterprise Security server. This may cause a precedence import error.
netskope_idx event type will need to be updated to properly locate the data for the Data Models of Enterprise Security.
Netskope App For Splunk v1.0.6 introduces 2 alert actions, File Hash and URL lists. In order to use the Adaptive responses, a corresponding list must be created in the Netskope product. The list must have the same name for both URL and file hash lists.
Application Configurationpage of the TA/App.
Create New Netskope Alert Action Global Configurationand fill out the fields for hostname, token, and list.
Removeand the field name that contains the value to update.
NOTE: When running adaptive responses from the Incident Review dashboard in Enterprise Security, the results are written to the notable index. If this needs changed, please contact support.
Netskope App For Splunk v1.1.2 introduces the ability to specify a time offset.This setting allows the user to specify an offset to be used to retrieve events that start further back in time. Example: the modular input runs and pulls events between 6:00 AM and 12:00 PM. Because the Netskope API may not process some events in real-time some events may not be available from the API until a later period. To handle this the Splunk admin can specify a time offset to go backwards to pull events.
inputs.confconfiguration file in the local folder of the IA/App.
NOTE: This is an advanced setting and should only be set when directed by support. NetSkope support will guide you with the appropriate setting for your environment.
Customers running Enterprise Security (or any searches using a small timeframe): Some correlation searches in ES only look back 60 minutes. Using an offset may cause the searches in ES (or small timeframe searches) may not work properly. Therefore it may be necessary to tune some correlation searches to account for the offset.
By default all events will be written to the main index. You should change the index on the modular input to match your specific index.
>=v6.5) for errors
Another troubleshooting method for the Netskope App For Splunk app is using this search:
If you are still having problems, use the Command line and run this command:
$SPLUNK_HOME/bin/splunk diag --collect app:NetSkopeAppForSplunk
Send the generated diag file to Netskope App For Splunk support.
log.cfg file from
default of the app to the
local folder, and edit the settings to reflect which items need increased verbosity.
Upgrade Netskope App For Splunk by re-installing into your environment per Splunk Documentation and your environment (see steps above).
If you experiencing issues, and would like to reset the Netskope Data to factory install, there are few steps to take.
The Netskope App for Splunk is fully compliant with the Common Information Model (CIM) provided by Splunk to normalize data fields. This table indicates the CIM datamodels and tags that apply to the Netskope data.
|Data Loss Prevention||dlp||netskope_cim_application, netskope_cim_alert|
|Inventory||inventory||netskope_cim_connection, netskope_clients, netskope_infrastructure|
|Malware||malware, attack, operations||netskope_cim_malware, netskope_cim_application, netskope_cim_alert|
|Network Traffic||network, communicat||netskope_cim_connection|
|Splunk Audit Logs||modaction||netskope_action_modresult|
Netskope App For Splunk contains no automatically generated lookups.
The following lookup files are generated automatically during Alert Action operations.
Netskope App For Splunk does make use of an event generator. There are four sample event files supplied for event generation. These samples are found in the samples folder of the app and are:
NOTE: To generate events the Eventgen app must be installed. The app and instructions can be found at https://splunkbase.splunk.com/app/1924/. This app should not be installed on a production system unless you understand the ramifications of generated data being mixed with production data.
- [NET-111] - Change Name for Check point files in Windows
- [NET-107] - Change Name for Check point files in Windows
- [NET-110] - Add support for ingestion timestamp based event lookup.
- Updated timestamp extraction for client timestamp
- Test and QA
- [NET-102] - Remove duplicates from default.meta
- New Feature
- [NET-93] - Web Dashboard
- [NET-98] - Health Application Page
- [NET-99] - Add alert action to log.cfg
- [NET-100] - Fix Health Checks
- [NET-101] - Health Checks for common issues
[NET-89] - Update Tenant URL validator to avoid special characters
[NET-91] - Separate calls for applications and page events
[NET-92] - Configurable Offset Parameter
v1.1.1 fixes a bug in populating searches for Host dropdowns.
v1.1.0 introduces Adaptive Response Actions, and improved data collection.
[NET-68] - Feature Request - Add infrastructure eventtype
[NET-69] - Update UserAgent
[NET-70] - Implement KVStore Checkpointing (advanced usage)
[NET-71] - Implement "per page" output of events
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.