Netskope Alerts & Events solution (CCF Blob Storage connector) #14560
Open
keshavm021 wants to merge 3 commits into
Conversation
Add the Netskope Alerts & Events solution that ingests Netskope Log Streaming Alerts & Events into Microsoft Sentinel via Azure Blob Storage and the CCF (StorageAccountBlobContainer) connector.

Contents:
- CCF data connector (NetskopeAlertEventsConnector): connector definition, DCR (254-column positional CSV stream + transform), custom table NetskopeAlertEvents_CL, and StorageAccountBlobContainer poller (format=csv, gzip) aligned to the published Netskope connector schema.
- Parser NetskopeAlertEvents (.yaml + .txt) normalizing the key fields.
- 3 analytic rules: High Severity Alert, Suspicious Application Activity, DLP Incident Spike.
- Workbook "Netskope Alerts & Events" (overview, alerts, apps/Shadow IT, DLP, malware & threats, policy, users, advanced analytics, user investigation, geo) + registration in Workbooks/WorkbooksMetadata.json with Black/White preview images.
- Solution data/metadata, README, ReleaseNotes, and packaged 3.0.0 artifacts generated with the V3 packaging tool.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new Microsoft Sentinel solution for Netskope Alerts & Events using the Codeless Connector Framework (Blob Storage + DCR + Event Grid), including workbook, parsers, and analytics rules.
Changes:
- Adds Netskope CCF Blob Storage connector assets (connector definition, polling config, DCR, custom table).
- Adds content artifacts for the solution (workbook + metadata entry, parser, analytics rules).
- Adds solution packaging and documentation (README, release notes, solution metadata, UI definition, test parameters).
Reviewed changes
Copilot reviewed 19 out of 29 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| Workbooks/WorkbooksMetadata.json | Registers the new Netskope workbook with dependencies and preview images. |
| Workbooks/NetskopeAlertEvents_Workbook.json | Adds the Netskope Alerts & Events workbook template (root workbooks). |
| Solutions/NetskopeAlertEvents/Workbooks/NetskopeAlertEventsDashboard/NetskopeAlertEvents_Workbook.json | Adds the workbook template within the solution package structure. |
| Solutions/NetskopeAlertEvents/SolutionMetadata.json | Defines solution publisher/offer metadata and support info. |
| Solutions/NetskopeAlertEvents/ReleaseNotes.md | Adds initial release notes entry for version 3.0.0. |
| Solutions/NetskopeAlertEvents/README.md | Adds solution documentation, architecture, deployment, validation, troubleshooting. |
| Solutions/NetskopeAlertEvents/Parsers/NetskopeAlertEvents.yaml | Adds the shipped Sentinel parser function (YAML form). |
| Solutions/NetskopeAlertEvents/Parsers/NetskopeAlertEvents.txt | Adds a text-form parser (function body) for reference/packaging. |
| Solutions/NetskopeAlertEvents/Package/testParameters.json | Adds ARM test parameters for solution packaging validation. |
| Solutions/NetskopeAlertEvents/Package/createUiDefinition.json | Adds the solution install UI definition (Content Hub experience). |
| Solutions/NetskopeAlertEvents/Data/Solution_NetskopeAlertEvents.json | Adds the solution manifest listing all packaged artifacts. |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_connectorDefinition.json | Adds the CCF connector definition and UI configuration. |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_Table.json | Adds the custom table schema (NetskopeAlertEvents_CL). |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_PollingConfig.json | Adds the Blob Storage polling connector configuration (CSV + gzip). |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_DCR.json | Adds the DCR stream declaration and transform mapping to 254-column schema. |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEventsConnectorDefinition.yaml | Adds a human-readable connector spec (not used by packaging). |
| Solutions/NetskopeAlertEvents/Analytic Rules/NetskopeAlertEvents_Rule1.yaml | Adds scheduled analytic rule: High Severity Alert. |
| Solutions/NetskopeAlertEvents/Analytic Rules/NetskopeAlertEvents_Rule2.yaml | Adds scheduled analytic rule: Suspicious Application Activity. |
| Solutions/NetskopeAlertEvents/Analytic Rules/NetskopeAlertEvents_Rule3.yaml | Adds scheduled analytic rule: DLP Incident Spike. |
| ], | ||
| "Hunting Queries": [], | ||
| "Playbooks": [], | ||
| "BasePath": "/Users/kmaheshwari/Documents/GitHub/Azure-Sentinel/Solutions/NetskopeAlertEvents", |
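Review bot: `"BasePath"` points at the contributor's home directory (`/Users/kmaheshwari/Documents/GitHub/Azure-Sentinel/Solutions/NetskopeAlertEvents`), which commits a local username into the solution manifest and will not resolve on any other machine or in CI; replace it with the path form the other Solution_*.json files in the repo use so the V3 packaging tool can be re-run from a fresh clone.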
| Netskope Log Streaming | ||
| | | ||
| v | ||
| Azure Blob Storage (gzip-compressed JSON) |
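Review bot: the README architecture diagram labels the storage stage "Azure Blob Storage (gzip-compressed JSON)", but the polling config and DCR in this PR ingest gzip-compressed CSV (format=csv, gzip, per the PR description and the NetskopeAlertEvents_PollingConfig.json summary); change the label to "Azure Blob Storage (gzip-compressed CSV)" so readers configure Netskope Log Streaming for the format the connector actually parses.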
| | summarize count() by Severity, AlertType | ||
| ``` | ||
| 5. Open the **Netskope Alerts & Events** workbook and confirm tiles render. | ||
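Review bot: the validation query `| summarize count() by Severity, AlertType` uses column names that differ from the lowercase raw fields the PR description says the parser normalizes (severity, event_type), so the README should state whether this step runs against the NetskopeAlertEvents parser function or the raw NetskopeAlertEvents_CL table and use that object's column names; otherwise a reader whose query fails to resolve the column will conclude that ingestion itself is broken.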
| | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | ||
| |-------------|--------------------------------|-----------------------------------------------------| | ||
| | 3.0.0 | 17-06-2026 | Initial solution release. Netskope Alerts & Events CCF (Blob Storage) connector, custom table `NetskopeAlertEvents_CL`, parser, 1 workbook, and 3 analytic rules. | |
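Review bot: verify the Date Modified value `17-06-2026` against the actual release date before merge; the version column (3.0.0) matches the packaged artifacts the PR describes, and the entry should keep the DD-MM-YYYY form the header declares, which it currently does.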
| "config": { | ||
| "isWizard": false, | ||
| "basics": { | ||
| "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/netskope.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NetskopeAlertEvents/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Netskope Alerts & Events solution enables streaming of alert and event logs from Netskope to Microsoft Sentinel via Azure Blob Storage and Event Grid. It provides visibility into DLP incidents, malware and threat detections, policy violations, anomalous behavior, and cloud application activity across the Netskope Security Cloud.\n\n**Included Content:**\n- 1 Data Connector (CCP-based Blob Storage connector)\n- 1 Workbook (Alerts & Events Dashboard)\n- 3 Analytics Rules\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", |
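Review bot: the `description` is internally inconsistent: the "Included Content" bullet list has three entries (Data Connector, Workbook, Analytics Rules) while the counts line right after it says `**Parsers:** 1`, so add a "1 Parser (NetskopeAlertEvents)" bullet; the connector is also called "CCP-based" here while the rest of the PR uses "CCF", so align the wording. The Release Notes link resolves only once `Solutions/NetskopeAlertEvents/ReleaseNotes.md` lands on master with this PR, which is fine as long as the file is not renamed.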
| "type": "ServicePrincipalIDTextBox_test", | ||
| "parameters": { | ||
| "tenantId": "[subscription().tenantId]", | ||
| "name": "principalId", | ||
| "appId": "4f05ce56-95b6-4612-9d98-a45c8cc33f9f" | ||
| } |
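Review bot: the control type `"ServicePrincipalIDTextBox_test"` carries a `_test` suffix that reads like a development leftover; confirm it is the exact element type the Content Hub UI definition expects, because an unrecognized type will fail validation or render nothing at install time. The hard-coded `"appId": "4f05ce56-95b6-4612-9d98-a45c8cc33f9f"` also deserves a sentence in the README saying which first-party application it identifies, since the installer surfaces that principal to the user and reviewers cannot verify an opaque GUID.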
| | extend | ||
| TenantId = column_ifexists('TenantId', ''), | ||
| SourceSystem = column_ifexists('SourceSystem', ''), | ||
| TimeGenerated = column_ifexists('TimeGenerated', ''), |
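Review bot: `TimeGenerated = column_ifexists('TimeGenerated', '')` falls back to an empty string for a datetime column; if the guard ever triggers, the parser emits a string-typed TimeGenerated, which breaks `where TimeGenerated {TimeRange}` in the workbook and the time windows of the analytic rules. TenantId, SourceSystem and TimeGenerated exist on every Log Analytics table, so drop these three `extend` lines, or at minimum use `datetime(null)` as the fallback for TimeGenerated so the column type is stable.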
| "type": 3, | ||
| "content": { | ||
| "version": "KqlItem/1.0", | ||
| "query": "NetskopeAlertEvents_CL\n| where TimeGenerated {TimeRange}\n| where User == '{SelectedUser}'\n| summarize Events = count(), Alerts = countif(Alert =~ 'yes') by bin(TimeGenerated, {TimeRange:grain})\n| order by TimeGenerated asc", |
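Review bot: this workbook tile queries the raw table `NetskopeAlertEvents_CL` with raw column names (`User`, `Alert`) instead of the `NetskopeAlertEvents` parser the PR ships to normalize those fields, so it is coupled to the 254-column DCR transform and will break if field naming moves into the parser; switch to `NetskopeAlertEvents | where TimeGenerated {TimeRange} | where User == '{SelectedUser}'` (using whatever names the parser emits) so workbook, rules and README all read one schema.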
Collaborator
Hi @keshavm021,
- Register NetskopeAlertEvents_CL custom table schema for KqlValidations
- Add NetskopeAlertEventsConnector to ValidConnectorIds.json for DetectionTemplateSchemaValidation
- Remove disallowed .txt parser file (logic already lives in NetskopeAlertEvents.yaml)
…alertevents-connector
# Conflicts:
# Workbooks/WorkbooksMetadata.json
Author
Hi @v-atulyadav, could you please check it now?
Required items, please complete
Change(s):
Added Netskope CCF connector for Alerts & Events (Blob Storage / StorageAccountBlobContainer ingestion via DCR + Event Grid). Also:
- NetskopeAlertEvents_CL custom table + DCR with a 254-column positional CSV stream declaration and transform, aligned to the published Netskope Log Streaming Alerts & Events connector schema (format=csv, gzip)
- Parser NetskopeAlertEvents (.yaml + .txt) normalizing key fields (alert_id, event_type, user, user_ip, application, severity, policy, action, device, location, raw_json, and more)
- Registration in Workbooks/WorkbooksMetadata.json with Black/White preview images

Version Updated:
3.0.0
Testing Completed:
Yes