Configure Netskope for Arctic Wolf monitoring

You can configure Netskope® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • Administrator permissions for the Netskope dashboard

Create a Netskope API token

Depending on which API tokens your tenant supports, do one of these actions:
Note: You only need one API token, not both.

Create a V2 API token

  1. Sign in to the Netskope dashboard.
  2. Click Settings.
  3. Click Tools > REST API v2.
  4. If the REST API Status is Disabled, click edit to enable it.
  5. In the Create REST API Token dialog, click New Token.
  6. In the TOKEN NAME field, enter a name for the token.
  7. In the EXPIRE IN field, enter an expiry date that aligns with your needs.

    You will provide this value to Arctic Wolf later.

  8. Click Add Endpoint.
  9. In the SCOPE section, for each dataexport endpoint, select the corresponding Read checkbox.
  10. Click Save.

    A confirmation box displays the API token.

  11. Copy the API token, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.
  12. Click OK.

Create an RBACv3 API token

  1. Sign in to the Netskope dashboard.
  2. Click Settings.
  3. Create a new role:
    1. Navigate to Administration > Administrators & Roles.
    2. Click the Roles tab.
    3. Click New.
    4. In the Role Name field, enter a name for the role.
      For example, arcticwolf_sensor.
    5. In the Privileges section, select the checkboxes for these functional areas:
      • Administration
      • DLP
      • Risk Insights
    6. For each function, select None.
      This makes sure that the role follows the principle of least privilege.
    7. Click Add Filter > API.
    8. Enter /api/v2/events/dataexport.
    9. For each remaining permission, click View.
      • Administration > Audit Log
      • DLP > Incidents
      • Infrastructure > Infrastructure Log
      • NS Client > Devices
      • Skope IT > Alerts
      • Skope IT > Application Events
      • Skope IT > Endpoint Events
      • Skope IT > Network Events
      • Skope IT > Page Events
    10. Click Clear > Clear all filters to remove the filter.
    11. Locate the Infrastructure > On-Premises permission, and then click View.
    12. Click Save.
  4. Create a service account:
    1. On the Administrators & Roles page, click the Administrators tab.
    2. Click Service Account.
    3. In the Service Account Name field, enter a name.
    4. In the Role field, assign the new role.
    5. In the REST API Token section, enter an expiry date that aligns with your needs.

      You will provide this value to Arctic Wolf later.

    6. Click Create.
      A confirmation box displays the API token.
  5. Copy the API token, and then save it in a safe, encrypted location.

    You will provide this value to Arctic Wolf later.

  6. Click OK.

Provide Netskope credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Netskope.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • API URL — Enter the API URL that you used to sign in to Netskope in Create a Netskope API token.
      Note: The URL must include https://. For example, https://instance_name.goskope.com.

    • API Token — Enter the API token from Create a Netskope API token.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.
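
A pre-flight check for the values entered in step 5, added here as an example and not taken from the Arctic Wolf or Netskope documentation. It checks the API URL for the required https:// prefix, catches copy-and-paste damage in the token without printing it, and flags an expiry date that is past or close. The function names, the 30-day rotation window, and the base-URL-only rule are assumptions.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

ROTATE_WINDOW = timedelta(days=30)  # assumption: lead time wanted for token rotation


def check_api_url(url: str) -> list[str]:
    """Return problems with the API URL; an empty list means it looks usable."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return ["URL must include https://"]
    problems = []
    if not parts.hostname:
        problems.append("URL has no host name")
    if parts.username or parts.password:
        problems.append("URL must not embed credentials")
    # Assumption: the field takes the tenant base URL, as in the page's example.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("URL should be the tenant base URL only")
    return problems


def check_token(token: str) -> list[str]:
    """Catch copy-and-paste damage without ever echoing the token itself."""
    if not token:
        return ["API token is empty"]
    if any(c.isspace() for c in token):
        return ["API token contains whitespace from copy and paste"]
    return []


def check_expiry(expiry: date, today: date) -> str:
    """Classify the token expiry date as 'expired', 'rotate-soon' or 'ok'."""
    if expiry <= today:
        return "expired"
    if expiry - today <= ROTATE_WINDOW:
        return "rotate-soon"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url, token = "https://instance_name.goskope.com", "EXAMPLE-TOKEN-PLACEHOLDER"
    for finding in check_api_url(url) + check_token(token):
        print("FIX:", finding)
    print("expiry:", check_expiry(date(2030, 1, 31), date.today()))
```

Running the expiry check on a schedule gives notice to create a replacement token before the current one stops authenticating.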