Configure the Netskope Plugin for Threat Exchange

Configure the Netskope Threat Exchange Plugin

The Netskope Threat Exchange plugin enables you share indicators between a Netskope Tenant and a 3rd-party plugin, like CrowdStrike and Carbon Black.

Prerequisites

To complete this configuration, you need a Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.

CE Version Compatibility

This plugin is compatible with all the supported Netskope CE Versions.

Netskope Plugin for Threat Exchange Support

Use this plugin to fetch the file hashes and URLs (including types URL, IPv4, hostname, domain, and FQDN) from the Malware and Malsite alerts available on the Netskope Tenant. This plugin can share the indicators to File Hash List, URL List and Private App within Netskope. While configuring the Business Rule, factor the maximum size of data that a Netskope File Hash List and URL List can hold is 8 MB.

Fetched indicator types (Malware and Malsite alerts)	SHA256, MD5, Domain, IPv4
Shared indicator types	SHA256, MD5, Domain, IPv4

Mappings

Cloud Exchange Field	Netskope Field
value	Malware local_md5, local_sha256 Malsite url
type	Malware MD5, SHA256 Malsite URL
comments	Malware <Tenant URL> – object Like: https://crest-plugin-support.de.goskope.com – , Malware Name: amtest, Malware Type: hash Malsite <Tenant URL> – malsite_category Like: https://crest-plugin-support.de.goskope.com – Malicious Site, Phish Site, Bot
firstseen, lastseen	timestamp

Permissions

Access to the required permissions is available as explained in the v2 REST API scopes.

API Details

List of APIs used

API Endpoint	Method	Use Case
/api/v2/events/dataexport/alerts/malware	GET	Pull the Malware alerts from Netskope tenant
/api/v2/events/dataexport/alerts/malsite	GET	Pull the Malsite alerts from Netskope tenant
/api/v1/updateFileHashList	POST	Push the file hashes to Netskope Tenant
/api/v2/policy/urllist	POST	Push the URLs to Netskope Tenant using V2 token
/api/v2/policy/urllist/deploy	POST	Deploy changes to Netskope URL List
/api/v2/steering/apps/private	GET	List Private Apps
/api/v2/infrastructure/publishers	GET	List Publishers for Private Apps
/api/v2/steering/apps/private	POST	Create private app in Netskope

Pull the Malware alerts from Netskope tenant

API Endpoint: /api/v2/events/dataexport/alerts/malware

Method: GET

Parameters:

Index: <name of iterator index>

operation: <epoch time from where want to fetch the data>

Headers:

Netskope-Api-Token: <V2_Token>

Accept: application/json

Content-Type: application/json

Sample API Response:

To access the API Response view, please log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.

Pull the Malsite alerts from Netskope tenant

API Endpoint: /api/v2/events/dataexport/alerts/malsite

Method: GET

Parameters:

Index: <name of iterator index>

operation: <epoch time from where want to fetch the data>

Headers:

Netskope-Api-Token: <V2_Token>

Accept: application/json

Content-Type: application/json

Sample API Response

Push the file hashes to Netskope Tenant

API Endpoint: /api/v1/updateFileHashList

Method: POST

Parameters:

token: <Netskope Tenant V1 Token>

Body:

{

“name”: “<Name of FileHash List>”,

“list”: “<MD5 and SHA256 values comma separated>”

}

Sample API Response

Push the URLs to Netskope Tenant using V2 token

API Endpoint: /api/v2/policy/urllist

Method: POST

Headers:

Netskope-Api-Token: <Netskope Tenant V2 Token>

Body:

{

“name”: “<URL List Name>”,

“data”: {

“urls”: [<List of URLs comma separated>]],

“type”:”regex”

}

Sample API Response

List the Private apps from Netskope Tenant

API Endpoint: /api/v2/steering/apps/private

Method: POST

Headers:

Netskope-Api-Token: <Netskope Tenant V2 Token>

Sample Response:

To access the API Response view, log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.

List Publisher for Private Apps

API Endpoint: /api/v2/infrastructure/publishers

Method: GET

Headers:

Netskope-Api-Token: <Netskope Tenant V2 Token>

Sample Response:

Push Private App to Netskope Tenant

API Endpoint: /api/v2/steering/apps/private

Method: POST

Headers:

Netskope-Api-Token: <Netskope Tenant V2 Token>

Body:

{

“app_name”: “<NAME_OF_PRIVATE_APP>”,

“host”: “<hostname with comma seperated>l”,

“protocols”: [

{

“type”: “TCP”,

“port”: “443”

}

“tags”: [

{

“tag_name”: “<TAG_NAME>”

}

]

}

Sample Response:

User Agent

The user-agent added in this plugin is in the following format:

Netskope-ce-<ce_version>

For example: Netskope-ce-5.0.1

Workflow

Create a File profile and a Malware Detection profile.
Configure a Real-Time Protection policy.
Configure the Netskope Threat Exchange Plugin.
Create a Business Rule.
Configure a 3rd-party Plugin.
Configure Sharing between Netskope and the 3rd-party plugin.
Validate the plugin.

Create a Secure Web Gateway Custom File Profile

In the Netskope UI, go to Policies , select File , and click New File Profile.
Click File Hash in the left panel, select SHA256 from the File Hash dropdown list.
Enter a temporary value in the text field. Netskope does not support progressing without having a value in this field, and recommends entering a string of 64 characters that consists of the character f. For example, ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. This will have a very low possibility of matching a valid file format.
Click Next.
Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.
Click Save.
To publish this profile into the tenant, click Apply Changes in the top right.

Create a Malware Detection Profile

In the Netskope UI, go to Policies, select Threat Protection , and click New Malware Detection Profile.
Click Next.
Note
For this configuration example, we will be using the intelligence for this list as a block list. Netskope does support inclusion of both allow and block lists in the threat profiles.
Click Next.
Select the File Profile you created previously and click Next.
Enter a Malware Detection Profile name and click Save Malware Detection Profile.
To publish this profile in the tenant, click Apply Changes in the top right.

Create a Real-Time Protection Policy

Go to Policies > Real-time Protection. The policy configuration is just an example. Modify as appropriate for your organization.
Click New Policy, and then select Cloud App Access.
For Source, leave the default as User = Any.
Click Category.
The window expands to allow you to search for and select the option All Categories.
Click outside of this list to close the search dialog.
For Activities & Constraints, click Edit.
Select Upload and Download.
Click Save.
For Profile and Action, click Add Profile and select Threat Protection Profile.
Click in the new Threat Protection Profile box and it will open up a list of available profiles.
Choose the Malware Detection Profile you created previously.
Adjust the Action: Alert to reflect Action: Block for each of the Severity options.
In the Set Policy text box, enter a descriptive Policy Name.
Click Save.
Select To the top option when it is presented.
To publish this policy into the tenant, click Apply Changes on the top right of the Screen.

Enable and Configure the Netskope Threat Exchange Plugin

In Cloud Exchange, go to Settings > General and enable the Threat Exchange module.
Go to the Threat Exchange module and click Plugins > Configure New Plugin.
Search for and select the Netskope CTE Plugin.
Enter these parameters:
- Configuration Name: Enter a unique name.
- Tenant: Select the desired Tenant from the dropdown menu. The primary tenant is automatically selected by default.
- Aging Criteria: Specify the criteria for aging the indicator, with the default expiration set at 90 days.
- Override Reputation: Assign a value [1-10] to override the reputation received from this configuration; leave it blank for the default setting.
Click Next and enter these parameters:
- Enable Polling: This allows the data polling from the Netskope.
- Type of Threat data: Select the type of data to poll Malware/Malsite or Both
- Type of Malware to Pull: Select a malware indicator [SHA256, MD5] to extract from the Netskope malware alerts and store it in CTE.
- Enable Tagging: The unshared tag indicators can be tagged using this feature.
Click Save.

Create a Business Rule from the Threat IoCs

In Threat Exchange, go to Threat IoCs.
Create the Business Rule based on the filters selected on top.
Create the Business Rule by clicking Apply Filter.
Enter a Rule Name and click Save.

You can also create a Business Rule from the page by clicking Create New Rule and configure a new business rule by adding Rule Names and Filters..

Configure Sharing for the Netskope Threat Exchange Plugin

Before you can configure sharing here, you need to create a 3rd-party plugin to share with. Refer to the documentation for steps to configure a 3rd-party plugin. After you have created a 3rd-party plugin, use the following sections to share a URL List, a File Hash List, and a Private App.

Add to a URL List

Go to Sharing and click Add Sharing Configuration.
Select how to share the indicators.
1. Select the Source Plugin.
2. Select the Business Rule.
3. Select the Destination Plugin.
4. Select the Target > Add to URL List.
  - Select the list name from the dropdown menu if you wish to add the URL to a list that has already been created.
    OR
  - Create a New List by giving the name to the field Create New List.
5. Choose the format in which you’d like the URL to be stored within the list.
  - Exact
    OR
  - Regex
6. Select the List Size [Maximum Size of the Limit is 8MB]
7. Enter the Default URL.
Click Save.

Add to a File Hash List

Go to Sharing and click Add Sharing Configuration.
Select how to share the indicators.
1. Select the Source Plugin.
2. Select the Business Rule.
3. Select the Destination Plugin.
4. Select the Target > Add to File Hash List.
5. Provide the name of the file hash list on Netskope.
6. Select a List Size (Maximum Size is 8 MB).
Click Save.

Add to a Private App

Configure a Third Party Plugin. Refer the documentation for steps for configuration of Third party Plugin.
Go to Sharing and click Add Sharing Configuration.
Select how to share the indicators.
1. Select the Soruce Plugin.
2. Select the Business Rule.
3. Select the Destination Plugin.
4. Select the Target > Add to Private App.
  1. Select the Private App Name from the dropdown menu if you wish to add the domain/hostanme to already created app.
    OR
  2. Create New Private App
5. Select a Protocol.
6. Provide the comma separated TCP and UDP ports (For the selected protocol).
7. Select the Publisher.
8. Use Publisher DNS (if needed for connectivity).
9. Enter a Default Host.
Click Save.

Validate the Threat Exchange Plugin

Validate the Pull in Cloud Exchange

To validate the pulling of Alert from Netskope:

Go to Logging and search for the pulled logs.

Validate the Stored Indicator in Cloud Exchange

To validate the stored indicator in the Netskope:

Go to Threat IoCs.
Add a filter to search the indicator.

Validate that Alerts are Present in the Tenant

To validate Alerts from the Netskope Tenant:

Log in to Netskope Tenant.
Click Skope IT.
Click Alerts.
1. Click Add Filter and select the options per your needs.
2. Filter the Last x Days according to your needs.