Collect Netskope Client logs
This document explains how to ingest Netskope Client logs into Google Security Operations using Google Cloud Storage V2. Netskope Client is a SASE/SSE endpoint agent that generates telemetry covering device posture, steering decisions, tunnel status, and client-side security events.
Before you begin
Make sure that you have the following prerequisites:
- A Google SecOps instance
- A GCP project with Cloud Storage API enabled
- Permissions to create and manage GCS buckets and IAM policies
- Privileged access to the Netskope tenant admin console
Create Google Cloud Storage bucket
- Go to the Google Cloud Console.
- Select your project or create a new one.
- In the navigation menu, go to Cloud Storage > Buckets.
- Click Create bucket.
Provide the following configuration details:
| Setting | Value |
|---|---|
| Name your bucket | Enter a globally unique name (for example, netskope-client-logs) |
| Location type | Choose based on your needs (Region, Dual-region, Multi-region) |
| Location | Select the location (for example, us-central1) |
| Storage class | Standard (recommended for frequently accessed logs) |
| Access control | Uniform (recommended) |
| Protection tools | Optional: Enable object versioning or a retention policy |
Click Create.
Export Netskope Client logs to Google Cloud Storage
Netskope supports exporting log data to cloud storage via the Cloud Log Shipping (CLS) feature in the Netskope admin console.
- Sign in to the Netskope tenant admin console.
- Navigate to the Cloud Log Shipping configuration. Depending on your Netskope version, this may be under Settings > Tools > Cloud Log Shipping in the admin console, or configured through the Netskope Cloud Exchange platform.
- Click New Cloud Log Shipping Configuration (or edit an existing one).
- Select Google Cloud Storage as the destination.
- Provide the following configuration details:
  - Bucket name: Enter the bucket name (for example, netskope-client-logs)
  - Path prefix: Enter a folder prefix (for example, netskope-client/)
  - Service account credentials: Upload or paste the JSON key of a GCP service account that has write access to the bucket
- Select the log types to export:
- Client events (steering, tunnel, posture)
- Set the export interval and format (JSON recommended for Chronicle ingestion).
- Click Save.
Verify that log files begin appearing in the GCS bucket under the specified prefix.
- Ensure that the GCP service account used for the export has the Storage Object Creator role (roles/storage.objectCreator) on the target bucket. Write-only access is sufficient; the export does not need to read or delete objects.
- Log files are written in JSON format, with each file containing one or more event records.
Retrieve the Google SecOps service account
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- Select Google Cloud Storage V2 as the Source type.
- Select Netskope Client as the Log type.
- Click Get Service Account. A unique service account email is displayed, for example:
chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
- Copy this email address. You will use it in the next step.
- Each Google SecOps instance has a unique service account. Do not use service accounts from other documentation or examples.
Grant IAM permissions to the Google SecOps service account
- Go to Cloud Storage > Buckets.
- Click your bucket name.
- Go to the Permissions tab.
- Click Grant access.
- Provide the following configuration details:
- Add principals: Paste the Google SecOps service account email
- Assign roles: Select Storage Object Viewer
Click Save.
- If you plan to use the deletion option (delete transferred files), grant the Storage Object Admin role (roles/storage.objectAdmin) instead of Storage Object Viewer, because deleting objects requires the storage.objects.delete permission that Storage Object Viewer does not include.
Configure a feed in Google SecOps to ingest Netskope Client logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Netskope Client logs).
- Select Google Cloud Storage V2 as the Source type.
- Select Netskope Client as the Log type.
- Click Next.
Specify values for the following input parameters:
| Field | Value |
|---|---|
| Storage bucket URI | gs://netskope-client-logs/netskope-client/ |
| Source Deletion Option | Select the deletion option according to your preference |
| Maximum File Age (Days) | Default is 180 days |
| Asset namespace | The asset namespace |
| Ingestion labels | The label to be applied to the events from this feed |
- Replace netskope-client-logs with your actual GCS bucket name.
- Always include the trailing slash (/) at the end of the URI.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
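The following pre-flight check is an added example and is not part of the Google SecOps or Netskope documentation. It verifies the two things the preceding procedures depend on: that the Storage bucket URI is well formed and ends with a slash, and that the bucket's IAM policy binds the Google SecOps service account to the role the chosen deletion option needs (Storage Object Viewer for a read-only feed, Storage Object Admin when transferred files are deleted). The policy document has the shape that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` prints; the policy, project and service account names below are constructed sample data.

```python
"""Pre-flight check for a Google SecOps GCS V2 feed over a Netskope Client bucket.

Added example, not Google SecOps or Netskope code. The sample policy and the
service account names are constructed for illustration.
"""
import json
import re

# Basic GCS bucket naming rules: 3-63 chars, lowercase letters, digits,
# dashes, underscores and dots, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$")

VIEWER = "roles/storage.objectViewer"
ADMIN = "roles/storage.objectAdmin"


def build_storage_uri(bucket: str, prefix: str = "") -> str:
    """Return the feed's gs:// URI, always with a trailing slash."""
    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"invalid GCS bucket name: {bucket!r}")
    prefix = prefix.strip("/")
    return f"gs://{bucket}/" + (f"{prefix}/" if prefix else "")


def required_role(delete_transferred_files: bool) -> str:
    """Role the Google SecOps service account needs for the deletion option."""
    return ADMIN if delete_transferred_files else VIEWER


def granted_roles(policy: dict, service_account: str) -> set:
    """Roles bound to the service account in a bucket IAM policy document."""
    member = f"serviceAccount:{service_account}"
    return {
        b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])
    }


def check_feed_access(policy: dict, service_account: str,
                      delete_transferred_files: bool) -> list:
    """Return a list of problems; an empty list means the feed can operate."""
    problems = []
    roles = granted_roles(policy, service_account)
    need = required_role(delete_transferred_files)
    # objectAdmin is a superset of objectViewer, so either satisfies a read-only feed.
    if need == VIEWER and not roles & {VIEWER, ADMIN}:
        problems.append(f"{service_account} lacks {VIEWER} on the bucket")
    if need == ADMIN and ADMIN not in roles:
        problems.append(f"deletion option requires {ADMIN}, found {sorted(roles) or 'no roles'}")
    return problems


# Constructed sample: the Netskope export account has objectCreator and the
# placeholder SecOps service account from this page has only objectViewer.
SECOPS_SA = "chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:netskope-cls@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ123456=",
  "version": 1
}
""")

if __name__ == "__main__":
    print(build_storage_uri("netskope-client-logs", "netskope-client"))
    print("read-only feed:", check_feed_access(SAMPLE_POLICY, SECOPS_SA, False))
    print("with deletion:", check_feed_access(SAMPLE_POLICY, SECOPS_SA, True))
```

With the sample policy the read-only feed passes, while enabling the deletion option reports that Storage Object Admin is missing; replace SAMPLE_POLICY with the output of the gcloud command for your bucket to check a real configuration.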
UDM field mapping reference
| Log Field | UDM Mapping | Logic |
|---|---|---|
| timestamp | metadata.event_timestamp | Timestamp when the event occurred |
| | metadata.event_type | Type of event (for example, USER_LOGIN, NETWORK_CONNECTION) |
| clientBytes | network.sent_bytes | Number of bytes sent by the client |
| serverBytes | network.received_bytes | Number of bytes sent by the server (received by the client) |
| clientPackets | network.sent_packets | Number of packets sent by the client |
| sessionDuration | network.session_duration.seconds | Duration of the network session in seconds |
| networkSessionId | network.session_id | Unique identifier for the network session |
| proto | network.application_protocol | Application protocol used in the network connection |
| os | principal.platform | Platform of the principal device |
| osVersion | principal.platform_version | Version of the platform |
| requestClientApplication | principal.application | Application associated with the principal |
| suser | principal.user.userid | User ID of the principal |
| sourceServiceName, shost | principal.hostname | Hostname of the principal |
| shost | principal.asset.hostname | Hostname of the principal's asset |
| sourceServiceName | principal.ip | IP address of the principal |
| spt | principal.port | Port number used by the principal |
| action | security_result.action | Action taken by the security system |
| ccl | security_result.confidence_details | Confidence level or details of the security result |
| cci, policy, proto, requestMethod, trafficType, tunnelId, tunnelType, tunnelUpTime, start, end | security_result.detection_fields | Additional detection fields from the security result |
| dst | target.ip | IP address of the target |
| dpt | target.port | Port number of the target |
| | metadata.product_name | Product name of the security vendor |
| | metadata.vendor_name | Vendor/company name |
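To make the mapping table concrete, here is an added example that applies it to a single JSON record; it is not the Google SecOps parser and may differ from it in details. Field names follow the Log Field column, numeric fields are converted to integers, the fields listed for security_result.detection_fields become key/value pairs, and the record itself is constructed sample data. Two points are this example's own assumptions: sourceServiceName is placed in principal.ip when it parses as an IP address and in principal.hostname otherwise, and metadata.event_type, product_name and vendor_name are left unset because the table derives them from no log field.

```python
"""Map one Netskope Client JSON record to UDM fields per the mapping table.

Added example, not the Google SecOps parser. SAMPLE_RECORD is constructed.
"""
import ipaddress
import json
from typing import Any

# Direct field-to-field mappings from the table, as (log field, UDM path).
DIRECT = [
    ("clientBytes", "network.sent_bytes"),
    ("serverBytes", "network.received_bytes"),
    ("clientPackets", "network.sent_packets"),
    ("sessionDuration", "network.session_duration.seconds"),
    ("networkSessionId", "network.session_id"),
    ("proto", "network.application_protocol"),
    ("os", "principal.platform"),
    ("osVersion", "principal.platform_version"),
    ("requestClientApplication", "principal.application"),
    ("suser", "principal.user.userid"),
    ("shost", "principal.asset.hostname"),
    ("spt", "principal.port"),
    ("action", "security_result.action"),
    ("ccl", "security_result.confidence_details"),
    ("dst", "target.ip"),
    ("dpt", "target.port"),
]
# Fields the table folds into security_result.detection_fields as key/value pairs.
DETECTION = ["cci", "policy", "proto", "requestMethod", "trafficType",
             "tunnelId", "tunnelType", "tunnelUpTime", "start", "end"]
INTEGER_FIELDS = {"clientBytes", "serverBytes", "clientPackets",
                  "sessionDuration", "spt", "dpt"}


def _set_path(event: dict, path: str, value: Any) -> None:
    """Assign value at a dotted UDM path, creating intermediate dicts."""
    node = event
    parts = path.split(".")
    for p in parts[:-1]:
        node = node.setdefault(p, {})
    node[parts[-1]] = value


def to_udm(record: dict) -> dict:
    """Build a UDM-shaped dict from one Netskope Client record."""
    udm = {"metadata": {"event_timestamp": record.get("timestamp")}}
    for field, path in DIRECT:
        if field in record:
            value = record[field]
            if field in INTEGER_FIELDS:
                value = int(value)
            _set_path(udm, path, value)
    # Assumption: shost is the preferred hostname; sourceServiceName fills
    # principal.ip when it is an address, else it is used as the hostname.
    svc = record.get("sourceServiceName")
    if svc:
        try:
            ipaddress.ip_address(svc)
            _set_path(udm, "principal.ip", svc)
        except ValueError:
            _set_path(udm, "principal.hostname", svc)
    if record.get("shost"):
        _set_path(udm, "principal.hostname", record["shost"])
    detection = [{"key": k, "value": str(record[k])} for k in DETECTION if k in record]
    if detection:
        _set_path(udm, "security_result.detection_fields", detection)
    return udm


# Constructed sample record; values are illustrative, not captured data.
SAMPLE_RECORD = json.loads("""
{"timestamp": "2024-05-01T12:34:56Z", "clientBytes": "1024", "serverBytes": "8192",
 "clientPackets": "12", "sessionDuration": "37", "networkSessionId": "ns-0001",
 "proto": "HTTPS", "os": "Windows", "osVersion": "10.0.19045",
 "requestClientApplication": "chrome.exe", "suser": "alice@example.com",
 "shost": "LAPTOP-ALICE", "sourceServiceName": "10.0.0.25", "spt": "51234",
 "action": "allow", "ccl": "high", "cci": "85", "policy": "Allow Sanctioned SaaS",
 "requestMethod": "GET", "trafficType": "CloudApp", "tunnelId": "t-42",
 "tunnelType": "DTLS", "tunnelUpTime": "3600", "start": "1714566896",
 "end": "1714566933", "dst": "203.0.113.10", "dpt": "443"}
""")

if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_RECORD), indent=2))
```

Running the block prints the UDM-shaped event for the sample record; feeding it one of your exported JSON records instead shows which Log Field values survive the mapping and which are folded into detection_fields, which is useful when writing detection rules against these events.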