Netskope API V2 collector

Overview

Netskope Cloud Access Security Broker (CASB) is a security solution designed to provide visibility, control, and protection for data and applications in cloud environments. CASBs address the security challenges posed by the increasing adoption of cloud services, offering a layer of security between cloud service users and cloud applications to enforce security policies.

Netskope CASB Collector requests logs from Netskope APIs and sends them to Devo.

Devo collector features

| Feature | Details |
|---|---|
| Allow parallel downloading (multipod) | not allowed |
| Running environments | collector server; on-premise |
| Populated Devo events | table |

Data sources

The data is collected using a Devo collector that can be run on the Devo collector server or standalone in a Docker container. The data is sent and stored in the Devo platform in these tables:

| Type | Event / Alert | Devo table |
|---|---|---|
| Event | alert | casb.netskope.alert |
| Event | application | casb.netskope.application |
| Event | audit | casb.netskope.audit |
| Event | incident | casb.netskope.incident |
| Event | infrastructure | casb.netskope.infrastructure |
| Event | network | casb.netskope.network |
| Event | page | casb.netskope.page |
| Alert | compromisedcredential | casb.netskope.compromisedcredential |
| Alert | ctep | casb.netskope.ctep |
| Alert | dlp | casb.netskope.dlp |
| Alert | malsite | casb.netskope.malsite |
| Alert | malware | casb.netskope.malware |
| Alert | policy | casb.netskope.policy |
| Alert | quarantine | casb.netskope.quarantine |
| Alert | remediation | casb.netskope.remediation |
| Alert | securityassessment | casb.netskope.securityassessment |
| Alert | uba | casb.netskope.uba |
| Alert | watchlist | casb.netskope.watchlist |

More information about the API calls can be found here.

For more information on how the events are parsed, visit our page.

Vendor setup

The Netskope API collector retrieves data through the Netskope REST API, so an API token is required. Follow the steps here to get an API token.

Rate limiting

Rate-limiting must be factored in when using the Netskope REST APIs. A standard 429 Too Many Requests error will be returned if an excessive usage level is reached. To avoid this error, limit your REST API calls. The global rate limit can be checked at the top of the page.

In this example (4 req/s), limit the API calls to no more than 20 requests every 5 seconds. Four requests are processed in the first second, while 16 are queued and processed over the next four seconds.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).

Change log

Release: v1.1.0
Released on: May 30, 2024
Release type: IMPROVEMENTS
Details:

Improvements:

  • Updated DC SDK to v1.11.1

  • Updated Docker image base to version v1.2.0 in Dockerfile

Recommendations: Recommended

Release: v1.0.1
Released on: Sep 25, 2023
Release type: IMPROVEMENTS
Details:

Improvements:

  • Update default configuration values to avoid rate-limiting

Recommendations: Upgrade

Release: v1.0.0
Released on: Aug 29, 2023
Release type: FEATURE
Details:

New features:

  • Updating to newest SDK 1.6.2 to 1.9.2

  • Upgrade internal dependencies

  • Store lookup instances into DevoSender to avoid the creation of new instances for the same lookup

  • Ensure service_config is a dict into templates

  • Ensure special characters are properly sent to the platform

  • Changed log level to some messages from info to debug

  • Changed some wrong log messages

  • Upgraded some internal dependencies

  • Changed queue passed to setup instance constructor

  • Ability to validate collector setup and exit without pulling any data

  • Ability to store in the persistence the messages that couldn't be sent after the collector stopped

  • Ability to send messages from the persistence when the collector starts and before the puller begins working

  • Ensure the special characters are properly sent to the platform

  • Added a lock to enhance the sender object

  • Added new class attrs to the setstate and getstate queue methods

  • Fix sending attribute value to the setstate and getstate queue methods

  • Added log traces when queues are full and have to wait

  • Added log traces of queue time waiting every minute in debug mode

  • Added method to calculate queue size in bytes

  • Block incoming events in queues when there is no space left

  • Send telemetry events to the Devo platform

  • Upgraded internal Python dependency Redis to v4.5.4

  • Upgraded internal Python dependency DevoSDK to v5.1.3

  • Fixed obfuscation not working when messages are sent from templates

  • New method to figure out if a puller thread is stopping

  • Upgraded internal Python dependency DevoSDK to v5.0.6

  • Improved logging on messages/bytes sent to the Devo platform

  • Fixed wrong byte size calculation for queues

Recommendations: Upgrade