icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Cancel Visit New Splunkbase Visit
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

End User License Agreement for Third-Party Content

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Netskope Add-on For Splunk
SHA256 checksum (netskope-add-on-for-splunk_340.tgz) 3e75f3983d2cc5ad11ee03b5ceb24fb680ee93369878ec18a9f5f226ae56174b SHA256 checksum (netskope-add-on-for-splunk_331.tgz) 6b5f9f26d2cc52f6f057f83b55e1765eac2c9448eb362105a2a55f3f38ddb0f1 SHA256 checksum (netskope-add-on-for-splunk_330.tgz) ca8a084fa2c1c61934a0607297d90bea5728c1d6cad25e5702e47a0f03fb307f SHA256 checksum (netskope-add-on-for-splunk_320.tgz) 0f5a4093205d75da0f45ce7487ef0ca056c21fa49dfee93540cde1531e53918a SHA256 checksum (netskope-add-on-for-splunk_312.tgz) 45df55250d1d76f6f51d5abba7082882e624495ece794c454a4c6013ff7af810 SHA256 checksum (netskope-add-on-for-splunk_300.tgz) 8d7a0470cd0224d1b9cb297540475d46221323352a95431283aeb945dffb7b8c
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Netskope Add-on For Splunk

Splunk Cloud
Overview
Details
THIS COMPONENT IS REQUIRED AND SHOULD BE INSTALLED BEFORE THE NETSKOPE APP FOR SPLUNK
PLEASE GO TO DETAILS AND READ THE INSTALLATION INSTRUCTIONS

!! UPGRADING IS SUPPORTED WITHIN THE >= 2.X CHAIN. IF COMING FROM 1.X, PLEASE REMOVE 1.X BEFORE INSTALLING ?=2.X !!

The Add-on typically imports and enriches data from Netskope API, creating a rich data set ready for direct analysis or use in an App. The Netskope Add-on for Splunk will provide the below functionalities:
* Collect data from Netskope via REST endpoints and store it in Splunk indexes
* Categorize the data in different source types
* Parse the data and extract important fields

## DEPRECATION WARNING
* Inputs named "Events (Deprecated)" and "Alerts (Deprecated)" will be removed soon in future releases. So, it is recommended to move to "Events (Iterator)" and "Alerts (Iterator)" inputs.

## DEPRECATION INFO
* Input named "Web Transaction V1" has been been removed from v3.4.0. So, it is recommended to move to the "Web Transaction V2" input.

Splunk Add-on for Netskope

This is an add-on powered by the Splunk Add-on Builder

OVERVIEW

  • The Add-on typically imports and enriches data from Netskope API, creating a rich data set ready for direct analysis or use in an App.
  • Author - Netskope, Inc.

  • Version - 3.4.0

  • Compatible with:

  • Splunk Enterprise version: 9.1.x, 9.0.x, 8.2.x
  • OS: Platform independent
  • Browser: Google Chrome, Firefox
    NOTE: Compatible OS with Web transactions V2 Input: Latest Ubuntu, CentOS, RHEL and Windows

DEPRECATION WARNING

  • Inputs named "Events (Deprecated)" and "Alerts (Deprecated)" will be removed soon in future releases. So, it is recommended to move to "Events (Iterator)" and "Alerts (Iterator)" inputs.

DEPRECATION INFO

  • Input named "Web Transaction V1" has been been removed from v3.4.0. So, it is recommended to move to the "Web Transaction V2" input.

PREREQUISITES

Netskope Webtransactions V2 input:

  • The Web transactions v2 is GA; it is a licensed feature. You must be a web transaction v2 customer to use the WebTxv2 endpoint functionality. Please ensure that web transaction v2 logs are enabled, this is not done by default. Support can ensure this is done. Splunk will get a 404 for the web transactions polling response if they are not enabled.
  • If you are using Web transactions V2 input, make sure that the underlying Operating System is as latest as possible, as it is using OS-dependent functionalities while collecting events that might not work in older OS.
  • For admins restricting access to the internet for their Splunk heavy forwarders or Cloud IDM, please add a bi-directional firewall to allow the rule to reach "pubsublite.googleapis.com" on TCP:443 and all GCP (Google Cloud Platform) hosts. The Add-on will first send the request to "pubsublite.googleapis.com:443" and fetch a list of GCP hosts to later request them for web transaction events. Check out the below links for getting a list of CIDRs of GCP hosts for setting firewall rules.
  • Make sure that SSL inspection is disabled for the mentioned list of IP ranges.
  • As Webtx2 input is not supporting HTTPS_PROXY, make sure that it is not configured (in TA, OS, and Network level) Splunk environment.

Events & Alerts Input

  • If the Netskope and Splunk admin wants to leverage API v2, they should create a new v2 API token that is fully entitled with every read scope (Refer to section "Details > #SUPPORTED TOKENS AND REQUIRED PERMISSIONS").
    NOTE: If Splunk is stopped or input is disabled or some intermediate error occurs from API while TA is collecting data, then it might result in data duplication during that period.

Orchestration Actions (Populate URL list or Filehash list)

  • File Hash Alert Action supports only the V1 token which doesn't require setting any scope.
  • To use the URL list, Netskope admin will need to increase the APIv2 token's scope to include read AND write scope (Refer to section "Details > #SUPPORTED TOKENS AND REQUIRED PERMISSIONS").

RECOMMENDED SYSTEM CONFIGURATION

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

This Add-On can be set up in two ways:

1) Standalone Mode: Install the Add-on app on a single machine. This single machine would serve as a Search Head + Indexer + Heavy Forwarder for this setup.
2) Distributed Environment: Install Add-on on Search Head and Heavy Forwarde (or Cloud IDM) * Add-on resides on search head machine need not require any configuration unless user wants to use alert action.
* If alert actions are used, configure account, proxy and logging in configuration page on Search Head. * Add-on needs to be installed and configured on the Heavy Forwarder system. * Execute the following command on Heavy Forwarder to forward the collected data to the indexer.
$SPLUNK_HOME/bin/splunk add forward-server <indexer_ip_address>:9997 * On the Indexer machine, enable event listening on port 9997 (recommended by Splunk). * Add-on needs to be installed on search head for CIM mapping.
NOTE: Here $SPLUNK_HOME is the absolute path where splunk is installed.

SUPPORTED TOKENS AND REQUIRED PERMISSIONS

  • Ensure you are configuring inputs or alert actions with an account configured with tokens as shown below.
    Event types: Connection, Application, Network, Audit, Infrastructure, Incident
    Alert Types: compromisedcredential, ctep, dlp, malsite, malware, policy, quarantine, remediation, securityassessment, uba, watchlist
Input Name / Alert Action Supported Tokens / Key
Events (Iterator) / (Data Export) V2 Token
Alerts (Iterator) / (Data Export) V2 Token
Events (Deprecated) V1/V2 Token (V2 Token will be used if both are configured)
Alerts (Deprecated) V1/V2 Token (V2 Token will be used if both are configured)
Clients V1 Token
Web Transactions V2 V2 Token
URL List Alert Action V1/V2 Token (V2 Token will be used if both are configured)
File Hash Alert Action V1 Token
  • If V2 Token is configured, ensure it has sufficient endpoint permissions for respective inputs or alert actions as listed in the table.
Input Name / Alert Action Endpoint Permissions
Events (Iterator) / (Data Export) /api/v2/events/data/page, /api/v2/events/dataexport/events/*
Alerts (Iterator) / (Data Export) /api/v2/events/data/page, /api/v2/events/dataexport/events/audit, /api/v2/events/dataexport/events/alert , /api/v2/events/dataexport/alerts/*
Web Transactions V2 /api/v2/events/token/transaction_events
Deprecated inputs [ Events (Deprecated) / Alerts (Deprecated) ] /api/v2/events/data/*
URL List Alert Action /api/v2/policy/* (Read & Write Both)

Note: * Here "/api/v2/events/dataexport/events/*" means all endpoints starting with the "/api/v2/events/dataexport/events/" prefix. * To update the V2 Token permission, login to the netskope portal and then navigate to Settings > Tools > REST API v2. * V1 Token doesn't require any additional steps of adding permissions. * When configuring "Token V2" on the account page, "/api/v2/events/dataexport/events/audit" or "/api/v2/events/data/page" endpoint permissions will be required for Iterator or Deprecated inputs, respectively.

CAUTION

Note: Webtx2 input is not supporting HTTPS_PROXY.

  • This component is required and must be addressed before installing the Netskope TA.
  • The TA only supports polling Netskope events at 10,000 items per page for events, alerts or clients input.
  • Upgrading is supported within the 2.x version chain. If you are upgrading from TA v1.x, please remove it before installing version 2.x.
  • If Splunk is stopped or input is disabled or some intermediate error occurs from API while TA is collecting data, then it might result in data duplication during that period.

CONFIGURATION

Follow the below steps for configuring Netskope Add-on for Splunk

Account

  • From the Splunk Home Page, click on Netskope Add-on for Splunk and navigate to the Configuration section.
  • In the Account tab, click on the Add button to configure a new Account.
  • Enter the required details like Account Name (To uniquely identify accounts in Splunk), Hostname, Token V1, Token V2. Click on Save to save the configuration.

Logging

  • To configure the Log Level, go to the Configuration -> Logging tab.

Proxy

  • To use a proxy as part of the connection to Netskope, go to the Configuration -> Proxy tab and provide the required details. Don't forget to check the Enable option.

Advance Settings (For custom Splunk index usage)

  • To change the Base Event Type, go to Add-on Settings tab. It will be the base search for all event types(All the Dashboards of Netskope App for Splunk will refer to this Base Event Type to populate the data in the Dashboards)

Events, Alerts & Clients Input

  • To manage the Modular Inputs, navigate to the Inputs section.
  • Click on the Create New Input button provided on the top right and select specific Input Name.
  • Specify all required parameters needed to configure inputs.
  • For Events, Alerts & Clients related input, provide details like Name, Interval, Index, Netskope Account, Start Date Time, Query, Event Types, Alert Types, etc, and click on Save to save the input configuration.
  • If you are collecting data in the custom index then don't forget to update the Base Event Type under Add-on Settings of Configuration Section. E.g. index=main OR index=custom_index_1 OR index=custom_index_2
  • User can enable/disable/edit/delete Modular Input by selecting specific action.

Note: * If token is updated in existing account then existing inputs will start using new token within 30 minutes. If you want to make it use new token, then disable and enable the existing inputs. * If v1 & v2 both tokens are configured in selected account, then Inputs or Alert Action will first Prioritise v2 token. * In "Alerts (Iterator)" input, select the specific alert type instead of "All" to get detailed alert events. Selecting each alert type creates a separate thread to collect alerts, which might increase resource consumption. * The "Alerts (Iterator)" input may cause resource usage to increase if separate alert types are selected (instead of All), since the threading mechanism will collect all types of alerts simultaneously. * Netskope recommends using the dataexport iterator endpoints whenever possible as they provide greater reliability in log delivery and better performance overall. * Splunk admins should not query the same event or alert data export endpoint from multiple Splunk instances. Admin can reduce HA capacity requirements by splitting endpoints up between multiple TA, each of which is solely responsible for polling those particular endpoints.

Netskope Webtransaction V2 Input Configuration

Follow the below steps for configuring Netskope Web transaction V2 * Navigate to Inputs -> Create New Input -> Web Transactions V2. * Enter the Input Name, Index & Netskope Account (which has V2 Token with rewuired permission mentioned in ## SUPPORTED TOKENS AND REQUIRED PERMISSIONS). * Click on Save.

CONFIGURATION OF MULTIPLE PARALLEL INGESTION PIPELINE STEPS

Note: * Adding multiple ingestion pipelines, requires significant hardware resources. Reference: https://docs.splunk.com/Documentation/Splunk/9.0.3/Capacity/Referencehardware

If you are having significant input data for Web Transaction V2 input and Splunk is not able to match the ingestion rate, then follow the below steps to configure multiple ingestion pipelines in Splunk to achieve a higher ingestion rate for Web Transaction V2 Input.
1. Disable web transaction V2 input.
Note: If web transaction V2 input is not created then first create it from Inputs -> Netskope Web Transactions V2
2. From backend, navigate to $SPLUNK_HOME/etc/system/local/server.conf and modify [general] stanza to make "parallelIngestionPipelines" property value with the required parallel pipelines value (Recommended max parallel pipelines are 2).
Note: If server.conf files do not exist at the specified location then create it and apply changes.
3. From backend navigate to $SPLUNK_HOME/etc/apps/TA-NetSkopeAppForSplunk/local/inputs.conf and in [netskope_webtransactions_v2://<<web txn V2 input name>>] stanza add "parallel_ingestion_pipeline" property with same value as provided in [general] stanza in step #2.
4. In $SPLUNK_HOME/etc/apps/TA-NetSkopeAppForSplunk/local/inputs.conf there will be [batch://$SPLUNK_HOME/var/spool/splunk/webtxn1/<account_name><input_name>__web_transactions_v2.gz] stanza for the Web Transactions V2 input. Make replica of same batch stanza and its property values in same inputs.conf file.
5. In this replicated batch stanza change the directory name "webtxn1" with "webtxn2" (i.e. [batch://$SPLUNK_HOME/var/spool/splunk/webtxn1/<account_name><input_name>__web_transactions_v2.gz] to [batch://$SPLUNK_HOME/var/spool/splunk/webtxn2/<account_name>_<input_name>__web_transactions_v2.gz]). Do the same and make number of batch stanzas same as the number of ingestion pipelines.
Note: Give the names for webtxn{N} in batch stanza sequentially.
6. Restart Splunk.
Note: * In case of editing or deleting of Web Transactions V2 input, apply the changes for all of the batch stanzas property in $SPLUNK_HOME/etc/apps/TA-NetSkopeAppForSplunk/local/inputs.conf from the backend.

ALERT ACTION

Two types of Alert Actions * Netskope File Hash Alert Action * Netskope URL Alert Action

Warning:
* If you want to use API v2 token then configure API v2 token in the existing account which is used in URL list alert action. If a new account is created for the existing URL list alert action, then the old URL list will be removed & it will start filling from that point.

END USER LICENSE AGREEMENT

https://www.netskope.com/software-eula

Support

  • Support Email: support@netskope.com
  • Responses vary on working days between working hours.
  • Supported TA: v3.x.x

COPYRIGHT INFORMATION

Copyright (C) 2023 Netskope, Inc. All rights reserved.

Release Notes

Version 3.4.0
Sept. 20, 2023
  • NOTE: This version v3.4.0 has some breaking changes, so please check the 'UPGRADE' section in the Installation tab before proceeding with the update.
  • Changed the configuration logic for the "Web Transaction V2" input to obtain the Subscription path and Subscription Key using the V2 token instead.
  • Added back pressure mechanism for 'Web Transaction V2' input, to handle the situation of too many files in the spool location.
  • Added End Datetime support for the "Events (Iterator)" and "Alerts (Iterator)" inputs.
  • Added retry logic for the validation of the "Events (Iterator)" and "Alerts (Iterator)" inputs.
  • Changed retry count to be configurable for the "Events (Iterator)" and "Alerts (Iterator)" inputs.
  • Updated logging time to GMT/UTC timezone for all inputs.
  • Upgraded Netskope SDK to 0.0.33.
Version 3.3.1
April 25, 2023
  • Improved the data collection logic for "Web Transaction V2" input to prevent slow ingestion during header format changes.
  • Retry logic for the "Events (Iterator)" and "Alerts (Iterator)" inputs has been enhanced by adding a backoff factor between each retry calls.
  • Added validation for the selected events/alerts type on the "Events (Iterator)" and "Alerts (Iterator)" input pages.
  • Added feature for auto-read newly configured account tokens without manual changes.
  • Security fix (CVE-2022-23491) - Upgraded the certifi library to the latest version.
Version 3.3.0
Dec. 30, 2022

Version 3.3.0

  • Added the support of the "Alert Type" filter for "Alerts (Iterator)" input.
  • Enhanced data collection logic for "Alerts (Iterator)" input.
  • Added the tooltips for various configuration fields.
  • Enhanced the validation in the account page for the "Input Types" field.
Version 3.2.0
Dec. 1, 2022

Version 3.2.0

  • Added support for incident data collection in "Events (Iterator)" input.
  • Added CIM mapping for incident data.
  • Updated thread allocation logic for iterator inputs.
  • Added dynamic wait time between consecutive API calls for iterator inputs.
  • Upgraded AOB to v4.1.1
  • Added API rate limiting feature for iterator inputs.
  • Enhanced Account token validation.
Version 3.1.2
Sept. 26, 2022
  • Enhanced the logic to provide a seamless upgrade
Version 3.0.0
Jan. 11, 2022
  • Updated the data collection approach for Events and Alerts input.
  • Updated the checkpoint format for Events, Alerts, Clients Input.
  • Added support of API Token version 2 in Events, Alerts & URL List Alert Action.
  • Invalid URLs handling is added in URL List Alert Action.
  • Upgraded AOB to v4.0.0
  • Upgraded internal libraries
  • Added new input named "Netskope Webtransactions V2"
  • Added feature to reconnect on Idle Connection Timeout in Web Transaction V2.
  • Added feature to reconnect in case of any error during event processing in Web Transaction V2.
  • Added support for multiple ingestion pipelines in Web Transaction V2 input for better performance.
  • Only TA v3.0 is supported by Netskope
7,521
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Technology Integrations
Support
Developer Supported
Contact Developer Questions on Splunk Answers Flag as inappropriate App Contents: Inputs, Alert Actions App Contents: Inputs, Alert Actions App Contents: Inputs, Alert Actions App Contents: Inputs, Alert Actions App Contents: Inputs, Alert Actions App Contents: Inputs, Alert Actions
Compatibility
This version of the app (3.4.0) is not available for Splunk Cloud. However, version 3.3.1 of this app is available for Splunk Cloud.
This version of the app (3.0.0) is not available for Splunk Cloud. However, version 3.3.1 of this app is available for Splunk Cloud.
Products: Splunk Enterprise Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise
Splunk Versions: 9.1, 9.0, 8.2 Platform: Platform Independent CIM Versions: 5.x Splunk Versions: 9.1, 9.0, 8.2 Platform: Platform Independent CIM Versions: 5.x Splunk Versions: 9.1, 9.0, 8.2 Platform: Platform Independent CIM Versions: 5.x Splunk Versions: 9.1, 9.0, 8.2 Platform: Platform Independent CIM Versions: 5.x Splunk Versions: 9.1, 9.0, 8.2 Platform: Platform Independent CIM Versions: 5.x Splunk Versions: 9.1, 9.0, 8.2, 8.1 Platform: Platform Independent CIM Versions: 4.x
Licensing
End User License Agreement for Third-Party Content
Category & Contents
Categories: IT Operations, IoT & Industrial Data
App Type: Add-on
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2023 Splunk Inc. All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.