
Netskope Alerts & Events solution (CCF Blob Storage connector) #14560

Open
keshavm021 wants to merge 3 commits into Azure:master from keshavm021:feature/netskope-alertevents-connector

Conversation

@keshavm021

Contributor

Required items, please complete

Change(s):
Added Netskope CCF connector for Alerts & Events (Blob Storage / StorageAccountBlobContainer ingestion via DCR + Event Grid). Also:

  • Authored the connector in V3 source format (ConnectorDefinition, DCR, DataConnector poller, custom table)
  • NetskopeAlertEvents_CL custom table + DCR with a 254-column positional CSV stream declaration and transform, aligned to the published Netskope Log Streaming Alerts & Events connector schema (format=csv, gzip)
  • Parser NetskopeAlertEvents (.yaml + .txt) normalizing key fields (alert_id, event_type, user, user_ip, application, severity, policy, action, device, location, raw_json, and more)
  • Workbook "Netskope Alerts & Events" with sections: Overview, Alerts, Applications & Shadow IT, DLP Incidents, Malware & Threats, Policy Enforcement, Users, Advanced Analytics (User Risk Scoreboard, Day/Hour Heatmap), User Investigation (interactive drill-down), Devices & Network, and Geographic Distribution — registered in Workbooks/WorkbooksMetadata.json with Black/White preview images
  • 3 Analytics Rules (High Severity Alert, Suspicious Application Activity, DLP Incident Spike)

Version Updated:
3.0.0

Testing Completed:
Yes
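The connector described above maps a positional CSV stream (no header, 254 declared columns) through a DCR into the custom table. A positional declaration fails silently when the blob's field count drifts from the declaration, so a pre-deployment check that compares the DCR's stream declaration against a sample blob is worth having. The script below is an added example written for this discussion, not code from the PR or from the Azure-Sentinel repository; the DCR fragment, stream name, column names, destination id and sample rows are constructed placeholders standing in for the real 254-column declaration, and it relies only on the standard DCR JSON shape (`properties.streamDeclarations`, `properties.dataFlows`).

```python
"""Sanity-check a Blob Storage CCF DCR's positional CSV stream declaration
against a sample gzip-compressed CSV blob before deploying it.

Added example for this PR discussion; all names below are constructed."""
import csv
import gzip
import io

# Constructed DCR fragment in the Azure DCR JSON shape. The real connector
# declares 254 columns; four are enough to exercise the checks.
SAMPLE_DCR = {
    "properties": {
        "streamDeclarations": {
            "Custom-NetskopeAlertEvents": {
                "columns": [
                    {"name": "timestamp", "type": "string"},
                    {"name": "alert_id", "type": "string"},
                    {"name": "event_type", "type": "string"},
                    {"name": "severity", "type": "string"},
                ]
            }
        },
        "dataFlows": [
            {
                "streams": ["Custom-NetskopeAlertEvents"],
                "destinations": ["clv2ws1"],  # placeholder destination id
                "transformKql": (
                    "source | extend TimeGenerated = "
                    "unixtime_seconds_todatetime(tolong(timestamp))"
                ),
                "outputStream": "Custom-NetskopeAlertEvents_CL",
            }
        ],
    }
}

STREAM = "Custom-NetskopeAlertEvents"


def make_sample_blob(rows):
    """Build a gzip-compressed, header-less CSV blob the way the poller reads it
    (format=csv, gzip). Constructed test input, not real Netskope data."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return gzip.compress(buf.getvalue().encode("utf-8"))


def declared_columns(dcr, stream):
    """Column names of a stream declaration, in positional order (None if absent)."""
    decl = dcr["properties"]["streamDeclarations"].get(stream)
    return [c["name"] for c in decl["columns"]] if decl else None


def check_dcr_against_blob(dcr, stream, blob):
    """Return a list of findings; an empty list means the blob and DCR line up."""
    findings = []
    names = declared_columns(dcr, stream)
    if names is None:
        return [f"stream {stream} is not declared in streamDeclarations"]

    flows = [f for f in dcr["properties"].get("dataFlows", [])
             if stream in f.get("streams", [])]
    if not flows:
        findings.append(f"no dataFlow routes {stream} to a destination")
    for flow in flows:
        out = flow.get("outputStream", "")
        if not (out.startswith("Custom-") and out.endswith("_CL")):
            findings.append(f"outputStream {out!r} is not a custom table (Custom-*_CL)")
        # Every ingested record needs TimeGenerated: either declared on the
        # stream or produced by the transform (substring check is a heuristic).
        if "TimeGenerated" not in names and "TimeGenerated" not in flow.get("transformKql", ""):
            findings.append("TimeGenerated is neither declared nor produced by transformKql")

    # Positional mapping: a row with a different field count shifts every
    # later column into the wrong table field without any ingestion error.
    text = gzip.decompress(blob).decode("utf-8")
    for i, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != len(names):
            findings.append(f"row {i} has {len(row)} fields, stream declares {len(names)}")
    return findings


if __name__ == "__main__":
    good = make_sample_blob([["1719331200", "a1", "alert", "high"]])
    short = make_sample_blob([["1719331200", "a1", "alert"]])  # one field missing
    print("aligned blob:", check_dcr_against_blob(SAMPLE_DCR, STREAM, good))
    print("short row:   ", check_dcr_against_blob(SAMPLE_DCR, STREAM, short))
```

Run it against the real DCR file and a blob pulled from the storage container; any "row N has ... fields" finding means the vendor's CSV layout and the stream declaration have diverged and the transform will populate the wrong columns.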

@keshavm021 keshavm021 requested review from a team as code owners June 25, 2026 17:08
Add the Netskope Alerts & Events solution that ingests Netskope Log
Streaming Alerts & Events into Microsoft Sentinel via Azure Blob Storage
and the CCF (StorageAccountBlobContainer) connector.

Contents:
- CCF data connector (NetskopeAlertEventsConnector): connector definition,
  DCR (254-column positional CSV stream + transform), custom table
  NetskopeAlertEvents_CL, and StorageAccountBlobContainer poller (format=csv,
  gzip) aligned to the published Netskope connector schema.
- Parser NetskopeAlertEvents (.yaml + .txt) normalizing the key fields.
- 3 analytic rules: High Severity Alert, Suspicious Application Activity,
  DLP Incident Spike.
- Workbook "Netskope Alerts & Events" (overview, alerts, apps/Shadow IT, DLP,
  malware & threats, policy, users, advanced analytics, user investigation,
  geo) + registration in Workbooks/WorkbooksMetadata.json with Black/White
  preview images.
- Solution data/metadata, README, ReleaseNotes, and packaged 3.0.0 artifacts
  generated with the V3 packaging tool.

Copilot AI left a comment

Contributor


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new Microsoft Sentinel solution for Netskope Alerts & Events using the Codeless Connector Framework (Blob Storage + DCR + Event Grid), including workbook, parsers, and analytics rules.

Changes:

  • Adds Netskope CCF Blob Storage connector assets (connector definition, polling config, DCR, custom table).
  • Adds content artifacts for the solution (workbook + metadata entry, parser, analytics rules).
  • Adds solution packaging and documentation (README, release notes, solution metadata, UI definition, test parameters).

Reviewed changes

Copilot reviewed 19 out of 29 changed files in this pull request and generated 8 comments.

| File | Description |
|------|-------------|
| Workbooks/WorkbooksMetadata.json | Registers the new Netskope workbook with dependencies and preview images. |
| Workbooks/NetskopeAlertEvents_Workbook.json | Adds the Netskope Alerts & Events workbook template (root workbooks). |
| Solutions/NetskopeAlertEvents/Workbooks/NetskopeAlertEventsDashboard/NetskopeAlertEvents_Workbook.json | Adds the workbook template within the solution package structure. |
| Solutions/NetskopeAlertEvents/SolutionMetadata.json | Defines solution publisher/offer metadata and support info. |
| Solutions/NetskopeAlertEvents/ReleaseNotes.md | Adds initial release notes entry for version 3.0.0. |
| Solutions/NetskopeAlertEvents/README.md | Adds solution documentation, architecture, deployment, validation, troubleshooting. |
| Solutions/NetskopeAlertEvents/Parsers/NetskopeAlertEvents.yaml | Adds the shipped Sentinel parser function (YAML form). |
| Solutions/NetskopeAlertEvents/Parsers/NetskopeAlertEvents.txt | Adds a text-form parser (function body) for reference/packaging. |
| Solutions/NetskopeAlertEvents/Package/testParameters.json | Adds ARM test parameters for solution packaging validation. |
| Solutions/NetskopeAlertEvents/Package/createUiDefinition.json | Adds the solution install UI definition (Content Hub experience). |
| Solutions/NetskopeAlertEvents/Data/Solution_NetskopeAlertEvents.json | Adds the solution manifest listing all packaged artifacts. |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_connectorDefinition.json | Adds the CCF connector definition and UI configuration. |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_Table.json | Adds the custom table schema (NetskopeAlertEvents_CL). |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_PollingConfig.json | Adds the Blob Storage polling connector configuration (CSV + gzip). |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEvents_CCF/NetskopeAlertEvents_DCR.json | Adds the DCR stream declaration and transform mapping to the 254-column schema. |
| Solutions/NetskopeAlertEvents/Data Connectors/NetskopeAlertEventsConnectorDefinition.yaml | Adds a human-readable connector spec (not used by packaging). |
| Solutions/NetskopeAlertEvents/Analytic Rules/NetskopeAlertEvents_Rule1.yaml | Adds scheduled analytic rule: High Severity Alert. |
| Solutions/NetskopeAlertEvents/Analytic Rules/NetskopeAlertEvents_Rule2.yaml | Adds scheduled analytic rule: Suspicious Application Activity. |
| Solutions/NetskopeAlertEvents/Analytic Rules/NetskopeAlertEvents_Rule3.yaml | Adds scheduled analytic rule: DLP Incident Spike. |

],
"Hunting Queries": [],
"Playbooks": [],
"BasePath": "/Users/kmaheshwari/Documents/GitHub/Azure-Sentinel/Solutions/NetskopeAlertEvents",
Netskope Log Streaming
|
v
Azure Blob Storage (gzip-compressed JSON)
| summarize count() by Severity, AlertType
```
5. Open the **Netskope Alerts & Events** workbook and confirm tiles render.

Comment on lines +1 to +3
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------------------------|
| 3.0.0 | 17-06-2026 | Initial solution release. Netskope Alerts & Events CCF (Blob Storage) connector, custom table `NetskopeAlertEvents_CL`, parser, 1 workbook, and 3 analytic rules. |
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/netskope.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NetskopeAlertEvents/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Netskope Alerts & Events solution enables streaming of alert and event logs from Netskope to Microsoft Sentinel via Azure Blob Storage and Event Grid. It provides visibility into DLP incidents, malware and threat detections, policy violations, anomalous behavior, and cloud application activity across the Netskope Security Cloud.\n\n**Included Content:**\n- 1 Data Connector (CCP-based Blob Storage connector)\n- 1 Workbook (Alerts & Events Dashboard)\n- 3 Analytics Rules\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
Comment on lines +94 to +99
"type": "ServicePrincipalIDTextBox_test",
"parameters": {
"tenantId": "[subscription().tenantId]",
"name": "principalId",
"appId": "4f05ce56-95b6-4612-9d98-a45c8cc33f9f"
}
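Review bot: Please confirm that `ServicePrincipalIDTextBox_test` is the control type the install UI actually renders rather than a placeholder left over from testing; the `_test` suffix is the only thing in this block that does not look like a final value. Since the `appId` is hard-coded, a short comment or README line saying which first-party application that id belongs to would let reviewers and customers verify the role assignment they are being asked to grant.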
| extend
TenantId = column_ifexists('TenantId', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
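Review bot: The `column_ifexists('TimeGenerated', '')` default changes the column's type. When the column is missing, `TimeGenerated` becomes an empty string instead of a `datetime`, so the analytic rules' and workbook's time-range filters (`where TimeGenerated {TimeRange}`) will fail on the parser output. Use a typed default such as `column_ifexists('TimeGenerated', datetime(null))`, and likewise give `TenantId` and `SourceSystem` the types the table schema declares so the parser's output schema is stable whether or not the columns are present.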
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetskopeAlertEvents_CL\n| where TimeGenerated {TimeRange}\n| where User == '{SelectedUser}'\n| summarize Events = count(), Alerts = countif(Alert =~ 'yes') by bin(TimeGenerated, {TimeRange:grain})\n| order by TimeGenerated asc",
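Review bot: This workbook query reads the raw `NetskopeAlertEvents_CL` table and depends on the exact column names `User` and `Alert`, while the solution also ships the `NetskopeAlertEvents` parser as the normalization layer. Querying the parser function instead keeps field names in one place, and the case-sensitive `User == '{SelectedUser}'` should probably be `=~` to match the case-insensitive `Alert =~ 'yes'` used on the same line, otherwise a user selected from one dropdown may not match rows whose casing differs.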
@v-atulyadav

Collaborator

Hi @keshavm021,
Please review the suggestions above, address the validation failures, and resolve the branch conflicts. Thanks

@v-atulyadav

Collaborator

Hi @keshavm021,
Please review the suggestions above, address the validation failures, resolve the branch conflicts, and update the PR. Thanks!

- Register NetskopeAlertEvents_CL custom table schema for KqlValidations
- Add NetskopeAlertEventsConnector to ValidConnectorIds.json for DetectionTemplateSchemaValidation
- Remove disallowed .txt parser file (logic already lives in NetskopeAlertEvents.yaml)
…alertevents-connector

# Conflicts:
#	Workbooks/WorkbooksMetadata.json
@keshavm021 keshavm021 requested a review from a team as a code owner July 2, 2026 12:17
@keshavm021

Contributor Author

Hi @v-atulyadav, could you please check it now?
