
Commit 7ec6601

keshavm021 and claude committed
NetskopeAlertEvents: new Sentinel solution (Alerts & Events via NLS)
Add the Netskope Alerts & Events solution that ingests Netskope Log Streaming Alerts & Events into Microsoft Sentinel via Azure Blob Storage and the CCF (StorageAccountBlobContainer) connector.

Contents:
- CCF data connector (NetskopeAlertEventsConnector): connector definition, DCR (254-column positional CSV stream + transform), custom table NetskopeAlertEvents_CL, and StorageAccountBlobContainer poller (format=csv, gzip) aligned to the published Netskope connector schema.
- Parser NetskopeAlertEvents (.yaml + .txt) normalizing the key fields.
- 3 analytic rules: High Severity Alert, Suspicious Application Activity, DLP Incident Spike.
- Workbook "Netskope Alerts & Events" (overview, alerts, apps/Shadow IT, DLP, malware & threats, policy, users, advanced analytics, user investigation, geo) + registration in Workbooks/WorkbooksMetadata.json with Black/White preview images.
- Solution data/metadata, README, ReleaseNotes, and packaged 3.0.0 artifacts generated with the V3 packaging tool.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 67e362c commit 7ec6601

29 files changed

Lines changed: 8711 additions & 0 deletions
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
id: a1f6c2d4-8b35-4e19-9c7a-2d4e6f8a1b30
2+
name: Netskope - High Severity Alert
3+
description: |
4+
Detects Netskope alerts raised with a high or critical severity. High severity alerts
5+
typically indicate DLP violations, malware detections, compromised credentials, or
6+
significant policy breaches that warrant immediate investigation.
7+
severity: High
8+
status: Available
9+
requiredDataConnectors:
10+
- connectorId: NetskopeAlertEventsConnector
11+
dataTypes:
12+
- NetskopeAlertEvents_CL
13+
queryFrequency: 1h
14+
queryPeriod: 1h
15+
triggerOperator: gt
16+
triggerThreshold: 0
17+
tactics:
18+
- InitialAccess
19+
- Exfiltration
20+
relevantTechniques:
21+
- T1078
22+
- T1567
23+
query: |
24+
NetskopeAlertEvents_CL
25+
| where TimeGenerated > ago(1h)
26+
| where Alert =~ "yes"
27+
| where Severity in~ ("high", "critical")
28+
| extend NormalizedSeverity = tolower(Severity)
29+
| summarize
30+
AlertCount = count(),
31+
Activities = make_set(Activity, 20),
32+
Applications = make_set(App, 20),
33+
Policies = make_set(Policy, 20),
34+
Actions = make_set(Action, 10),
35+
FirstSeen = min(TimeGenerated),
36+
LastSeen = max(TimeGenerated)
37+
by AlertName, AlertType, NormalizedSeverity, User, Userip, Hostname, SrcCountry
38+
| order by AlertCount desc
39+
| project
40+
LastSeen,
41+
AlertName,
42+
AlertType,
43+
Severity = NormalizedSeverity,
44+
User,
45+
Userip,
46+
Hostname,
47+
SrcCountry,
48+
AlertCount,
49+
Applications,
50+
Activities,
51+
Policies,
52+
Actions,
53+
FirstSeen
54+
entityMappings:
55+
- entityType: Account
56+
fieldMappings:
57+
- identifier: Name
58+
columnName: User
59+
- entityType: IP
60+
fieldMappings:
61+
- identifier: Address
62+
columnName: Userip
63+
- entityType: Host
64+
fieldMappings:
65+
- identifier: HostName
66+
columnName: Hostname
67+
version: 1.0.0
68+
kind: Scheduled
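Review bot: the hard-coded `| where TimeGenerated > ago(1h)` on line 25 duplicates what `queryPeriod: 1h` already enforces and, because it is evaluated at execution time rather than against the scheduler's window, can narrow the range when a run is delayed or replayed; drop the clause and let queryPeriod bound the query (the same pattern appears in the other two rules in this commit). Separately, a rule that fires on every high/critical alert regardless of type (the description on lines 4-6 lists DLP, malware, compromised credentials and policy breaches) is mapped only to InitialAccess/Exfiltration with T1078/T1567; either derive the technique from `AlertType` or leave the mapping generic so analysts are not steered toward the wrong playbook for a malware alert.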
Lines changed: 78 additions & 0 deletions
@@ -0,0 +1,78 @@
1+
id: b2e7d3c5-9c46-4f2a-8d1b-3e5f7a9c2d41
2+
name: Netskope - Suspicious Application Activity (Low Confidence / Risky App)
3+
description: |
4+
Detects activity involving risky or low Cloud Confidence Level (CCL) applications,
5+
blocked application actions, or sensitive activities (upload, share, download) on
6+
unsanctioned apps. Helps surface Shadow IT and potential data leakage via risky
7+
cloud applications.
8+
severity: Medium
9+
status: Available
10+
requiredDataConnectors:
11+
- connectorId: NetskopeAlertEventsConnector
12+
dataTypes:
13+
- NetskopeAlertEvents_CL
14+
queryFrequency: 1h
15+
queryPeriod: 1h
16+
triggerOperator: gt
17+
triggerThreshold: 0
18+
tactics:
19+
- Exfiltration
20+
- CommandAndControl
21+
relevantTechniques:
22+
- T1567
23+
- T1102
24+
query: |
25+
let riskyCcl = dynamic(["low", "poor"]);
26+
let sensitiveActivities = dynamic(["Upload", "Share", "Download", "Post", "Send"]);
27+
NetskopeAlertEvents_CL
28+
| where TimeGenerated > ago(1h)
29+
| where isnotempty(App)
30+
| where tolower(Ccl) in (riskyCcl)
31+
or Action =~ "block"
32+
or (Activity in~ (sensitiveActivities) and tolower(Ccl) != "excellent")
33+
| summarize
34+
EventCount = count(),
35+
Activities = make_set(Activity, 20),
36+
Actions = make_set(Action, 10),
37+
CCLs = make_set(Ccl, 10),
38+
Categories = make_set(Appcategory, 20),
39+
DistinctApps = dcount(App),
40+
Apps = make_set(App, 20),
41+
LastSeen = max(TimeGenerated)
42+
by User, Userip, Hostname, DeviceClassification
43+
| where EventCount > 5 or DistinctApps > 3
44+
| extend RiskIndicators = strcat_array(array_concat(
45+
iff(set_has_element(CCLs, "low") or set_has_element(CCLs, "poor"), dynamic(["Low Confidence App"]), dynamic([])),
46+
iff(set_has_element(Actions, "block"), dynamic(["Blocked Activity"]), dynamic([])),
47+
iff(DistinctApps > 3, dynamic(["Multiple Risky Apps"]), dynamic([]))
48+
), ", ")
49+
| order by EventCount desc
50+
| project
51+
LastSeen,
52+
User,
53+
Userip,
54+
Hostname,
55+
DeviceClassification,
56+
EventCount,
57+
DistinctApps,
58+
Apps,
59+
Categories,
60+
Activities,
61+
Actions,
62+
CCLs,
63+
RiskIndicators
64+
entityMappings:
65+
- entityType: Account
66+
fieldMappings:
67+
- identifier: Name
68+
columnName: User
69+
- entityType: IP
70+
fieldMappings:
71+
- identifier: Address
72+
columnName: Userip
73+
- entityType: Host
74+
fieldMappings:
75+
- identifier: HostName
76+
columnName: Hostname
77+
version: 1.0.0
78+
kind: Scheduled
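Review bot: the risk-indicator logic on lines 45-46 is case-sensitive while the filters above it are not: the `where` on lines 30-32 lowercases `Ccl` and uses `=~` on `Action`, but `set_has_element(CCLs, "low")` and `set_has_element(Actions, "block")` run against the raw values collected by `make_set`, so a record that passed the filter as `Low` or `Block` is counted in `EventCount` yet never appears in `RiskIndicators`. Collect `tolower(Ccl)` and `tolower(Action)` in the `make_set` calls (or compare against lowercased sets) so both stages agree. Minor: `tolower(Ccl) != "excellent"` on line 32 also lets records with an empty CCL through on any sensitive activity, which is probably intended for unrated apps but deserves a comment.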
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,71 @@
1+
id: c3f8e4d6-0d57-4a3b-9e2c-4f6a8b0d3e52
2+
name: Netskope - DLP Incident Spike
3+
description: |
4+
Detects a spike in Netskope DLP incidents within a short window. A sudden increase in
5+
DLP violations for a single user or DLP profile can indicate active data exfiltration,
6+
a misconfigured policy, or bulk handling of sensitive data. Triggers when a user
7+
generates more DLP incidents in the last hour than a configurable threshold.
8+
severity: High
9+
status: Available
10+
requiredDataConnectors:
11+
- connectorId: NetskopeAlertEventsConnector
12+
dataTypes:
13+
- NetskopeAlertEvents_CL
14+
queryFrequency: 1h
15+
queryPeriod: 1h
16+
triggerOperator: gt
17+
triggerThreshold: 0
18+
tactics:
19+
- Exfiltration
20+
- Collection
21+
relevantTechniques:
22+
- T1567
23+
- T1530
24+
query: |
25+
let dlpIncidentThreshold = 10;
26+
NetskopeAlertEvents_CL
27+
| where TimeGenerated > ago(1h)
28+
| where AlertType =~ "DLP" or isnotempty(DlpProfile) or isnotempty(DlpIncidentId)
29+
| summarize
30+
IncidentCount = count(),
31+
DistinctIncidents = dcount(DlpIncidentId),
32+
Profiles = make_set(DlpProfile, 20),
33+
Rules = make_set(DlpRule, 20),
34+
Applications = make_set(App, 20),
35+
Files = make_set(DlpFile, 20),
36+
Activities = make_set(Activity, 10),
37+
Actions = make_set(Action, 10),
38+
FirstSeen = min(TimeGenerated),
39+
LastSeen = max(TimeGenerated)
40+
by User, Userip, Hostname
41+
| where IncidentCount > dlpIncidentThreshold
42+
| order by IncidentCount desc
43+
| project
44+
LastSeen,
45+
User,
46+
Userip,
47+
Hostname,
48+
IncidentCount,
49+
DistinctIncidents,
50+
Profiles,
51+
Rules,
52+
Applications,
53+
Files,
54+
Activities,
55+
Actions,
56+
FirstSeen
57+
entityMappings:
58+
- entityType: Account
59+
fieldMappings:
60+
- identifier: Name
61+
columnName: User
62+
- entityType: IP
63+
fieldMappings:
64+
- identifier: Address
65+
columnName: Userip
66+
- entityType: Host
67+
fieldMappings:
68+
- identifier: HostName
69+
columnName: Hostname
70+
version: 1.0.0
71+
kind: Scheduled
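Review bot: the description on line 7 promises a "configurable threshold", but `dlpIncidentThreshold` is a `let` constant on line 25 that an operator can only change by editing the query; either say so in the description or document the edit. More importantly, the comparison on line 41 uses `IncidentCount` (a raw event count) rather than the `DistinctIncidents` value computed on line 31, so if Netskope emits more than one event for the same `DlpIncidentId` the count is inflated and the rule can fire for a single incident despite being named "spike". Consider `| where DistinctIncidents > dlpIncidentThreshold`, or keep both values and state which one triggers.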
Lines changed: 74 additions & 0 deletions
@@ -0,0 +1,74 @@
1+
# Netskope Alerts & Events Connector (via Netskope Log Streaming)
2+
#
3+
# NOTE ON FORMAT
4+
# --------------
5+
# The Microsoft Sentinel V3 solution packaging tool (createSolutionV3.ps1) only
6+
# recognizes a Codeless Connector Framework (CCF) connector when its definition is
7+
# authored as JSON with the ARM wrapper. The build-critical, machine-consumed
8+
# connector definition therefore lives at:
9+
#
10+
# Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_connectorDefinition.json
11+
# Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_DCR.json
12+
# Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_Table.json
13+
# Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_PollingConfig.json
14+
#
15+
# This YAML is a human-readable specification of that connector and is provided
16+
# for review/documentation. It is intentionally NOT referenced by
17+
# Data/Solution_NetskopeAlertEvents.json.
18+
19+
connectorName: NetskopeAlertEventsConnector
20+
title: Netskope Alerts & Events (via Log Streaming)
21+
publisher: Netskope
22+
connectorType: CCF # Codeless Connector Framework (StorageAccountBlobContainer)
23+
dataType: Alerts + Events
24+
table: NetskopeAlertEvents_CL
25+
streamName: Custom-NetskopeAlertEvents
26+
27+
dataFlow: >
28+
Netskope Log Streaming -> Azure Blob Storage -> Event Grid -> Storage Queue
29+
-> Sentinel CCF Connector -> Log Analytics custom table (NetskopeAlertEvents_CL)
30+
31+
ingestion:
32+
format: csv # Netskope NLS streams Alerts & Events as positional gzipped CSV
33+
isGzipCompressed: true
34+
eventsJsonPaths: ["$"]
35+
auth: ServicePrincipal
36+
fieldOrderCritical: true # 254 columns are mapped BY POSITION; NLS field order must match the DCR stream declaration
37+
38+
parameters:
39+
- name: principalId # Service Principal (object) ID of the Sentinel CCF app
40+
- name: blobContainerUri # Blob Container URL
41+
- name: blobFolderName # Optional sub-folder
42+
- name: StorageAccountLocation
43+
- name: StorageAccountResourceGroupName
44+
- name: StorageAccountSubscription
45+
- name: EGSystemTopicName # Existing Event Grid system topic (optional)
46+
47+
configurationSteps:
48+
- step: 1
49+
title: Configure Netskope Log Streaming
50+
description: >
51+
In the Netskope tenant admin console, create a Log Streaming configuration
52+
that streams Alerts and Events to an Azure Blob Storage container as
53+
gzip-compressed CSV. The field/column order produced by NLS must match the
54+
254-column DCR stream declaration, because values are mapped by position.
55+
- step: 2
56+
title: Configure Azure Blob Storage
57+
description: >
58+
Create (or identify) the storage account and blob container that Netskope
59+
streams to. Note the container URL, storage account location, resource
60+
group, and subscription ID.
61+
- step: 3
62+
title: Deploy ARM template
63+
description: >
64+
Install the solution from Content Hub (Package/mainTemplate.json). This
65+
registers the data connector definition, DCR, custom table, and parser.
66+
- step: 4
67+
title: Connect in Sentinel
68+
description: >
69+
Open the "Netskope Alerts & Events (via Log Streaming)" data connector,
70+
supply the Service Principal ID, Blob Container URL, storage account
71+
details, and (optionally) an existing Event Grid topic, then click Connect.
72+
The Connect action provisions the live DCE/DCR, the notification and
73+
dead-letter storage queues, the Event Grid subscription, and the required
74+
role assignments.
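Review bot: `fieldOrderCritical: true` on line 36 and step 1 on lines 50-54 describe a failure mode with no detection: if the NLS export ever adds, drops or reorders a column, the positional DCR mapping shifts every field after it, `Severity`, `Alert` and `AlertType` end up holding neighbouring values, and all three analytic rules in this commit go silent without any error. Add a post-connect validation step (for example a query that checks a few canary columns hold expected values, such as `Alert` being yes/no and `Severity` being one of the known levels) and record which NLS field list the 254-column stream was generated from so reviewers can diff it. Two smaller points: `eventsJsonPaths: ["$"]` on line 34 sits next to `format: csv` and needs a comment on why a JSON path applies to CSV input; and step 4 says Connect "provisions the live DCE/DCR" while step 3 says the template already "registers the ... DCR", so clarify which DCR exists at which stage. Finally, lines 72-74 mention "required role assignments" without listing them; name the roles granted to the Service Principal on the storage account and queues so the permissions can be reviewed for least privilege.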
