Threat Exchange v1.0.0 Plugin
The Netskope Threat Exchange plugin enables you to share indicators between a Netskope tenant and a 3rd-party plugin, such as CrowdStrike or Carbon Black.
Prerequisites
To complete this configuration, you need a Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
CE Version Compatibility
This plugin is compatible with all the supported Netskope CE Versions.
Netskope Plugin for Threat Exchange Support
Use this plugin to fetch file hashes and URLs (including the URL, IPv4, hostname, domain, and FQDN types) from the Malware and Malsite alerts available on the Netskope tenant. The plugin can share indicators to a File Hash List, a URL List, or a Private App within Netskope. When configuring the Business Rule, keep in mind that a Netskope File Hash List or URL List can hold at most 8 MB of data, so a rule that matches more indicators than that will not be pushed in full.
Fetched indicator types (Malware and Malsite alerts) | SHA256, MD5, Domain, IPv4
Shared indicator types | SHA256, MD5, Domain, IPv4
Mappings
Cloud Exchange Field | Netskope Field
value | Malware: local_md5, local_sha256; Malsite: url
type | Malware: MD5, SHA256; Malsite: URL
comments | Malware: <Tenant URL> - object, Malware Name, Malware Type (for example: https://crest-plugin-support.de.goskope.com - , Malware Name: amtest, Malware Type: hash); Malsite: <Tenant URL> - malsite_category (for example: https://crest-plugin-support.de.goskope.com - Malicious Site, Phish Site, Bot)
firstseen, lastseen | timestamp
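The mapping above, applied to alert records, as an added example (this is illustrative code, not the plugin's own source). The alert records are constructed. Key names local_md5, local_sha256, url, object, malsite_category and timestamp come from the Mappings table; malware_name and malware_type are assumed key names for the "Malware Name" and "Malware Type" fields shown in the comments mapping, and the tenant URL is a placeholder. The example also shows the two checks a practitioner wants before indicators reach a Business Rule: malformed digests are dropped rather than stored, and repeated sightings of one value collapse into a single indicator with the earliest firstseen and latest lastseen.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

TENANT_URL = "https://example.goskope.com"  # assumed placeholder tenant URL

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class Indicator:
    value: str
    type: str          # "MD5", "SHA256" or "URL"
    comments: str
    firstseen: datetime
    lastseen: datetime


def _utc(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)


def from_malware_alert(alert, tenant_url=TENANT_URL):
    """One Malware alert yields up to two hash indicators (MD5, SHA256).
    Values that are not well-formed hex digests are dropped instead of
    being stored and later pushed to the tenant as junk list entries."""
    seen = _utc(alert["timestamp"])
    comments = (f"{tenant_url} - {alert.get('object', '')}, "
                f"Malware Name: {alert.get('malware_name', '')}, "   # assumed key
                f"Malware Type: {alert.get('malware_type', '')}")    # assumed key
    out = []
    for key, itype, pattern in (("local_md5", "MD5", MD5_RE),
                                ("local_sha256", "SHA256", SHA256_RE)):
        value = str(alert.get(key) or "").strip().lower()
        if pattern.match(value):
            out.append(Indicator(value, itype, comments, seen, seen))
    return out


def from_malsite_alert(alert, tenant_url=TENANT_URL):
    """One Malsite alert yields one URL indicator, or none if url is empty."""
    url = str(alert.get("url") or "").strip()
    if not url:
        return []
    seen = _utc(alert["timestamp"])
    comments = f"{tenant_url} - {alert.get('malsite_category', '')}"
    return [Indicator(url, "URL", comments, seen, seen)]


def merge(indicators):
    """Collapse duplicates on (type, value): keep the first comments,
    the earliest firstseen and the latest lastseen."""
    merged = {}
    for ind in indicators:
        key = (ind.type, ind.value)
        prev = merged.get(key)
        if prev is None:
            merged[key] = ind
        else:
            merged[key] = Indicator(ind.value, ind.type, prev.comments,
                                    min(prev.firstseen, ind.firstseen),
                                    max(prev.lastseen, ind.lastseen))
    return list(merged.values())


# Constructed sample alerts, not real tenant data.
SAMPLE_MALWARE_ALERTS = [
    {"timestamp": 1700000000, "object": "invoice.exe", "malware_name": "amtest",
     "malware_type": "hash",
     "local_md5": "D41D8CD98F00B204E9800998ECF8427E",
     "local_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    # Same file seen again a day later; the MD5 is missing from this alert.
    {"timestamp": 1700086400, "object": "invoice.exe", "malware_name": "amtest",
     "malware_type": "hash", "local_md5": "",
     "local_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    # Malformed digest: must not become an indicator.
    {"timestamp": 1700090000, "object": "x.bin", "malware_name": "n/a",
     "malware_type": "hash", "local_md5": "not-a-hash", "local_sha256": ""},
]
SAMPLE_MALSITE_ALERTS = [
    {"timestamp": 1700001000, "url": "http://malicious.example/login",
     "malsite_category": "Phish Site"},
    {"timestamp": 1700002000, "url": "", "malsite_category": "Bot"},
]


def build_indicators(malware_alerts=SAMPLE_MALWARE_ALERTS,
                     malsite_alerts=SAMPLE_MALSITE_ALERTS):
    raw = []
    for a in malware_alerts:
        raw.extend(from_malware_alert(a))
    for a in malsite_alerts:
        raw.extend(from_malsite_alert(a))
    return merge(raw)


if __name__ == "__main__":
    for ind in build_indicators():
        print(ind.type, ind.value, ind.firstseen.isoformat(), ind.lastseen.isoformat())
```

Running the module prints three indicators: one MD5, one SHA256 whose lastseen is the later sighting, and one URL; the malformed alert and the empty-url Malsite alert produce nothing.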
Permissions
Access to the required permissions is available as explained in the v2 REST API scopes.
API Details
List of APIs used
API Endpoint | Method | Use Case
/api/v2/events/dataexport/alerts/malware | GET | Pull the Malware alerts from Netskope tenant
/api/v2/events/dataexport/alerts/malsite | GET | Pull the Malsite alerts from Netskope tenant
/api/v1/updateFileHashList | POST | Push the file hashes to Netskope Tenant
/api/v2/policy/urllist | POST | Push the URLs to Netskope Tenant using V2 token
/api/v2/policy/urllist/deploy | POST | Deploy changes to Netskope URL List
/api/v2/steering/apps/private | GET | List Private Apps
/api/v2/infrastructure/publishers | GET | List Publishers for Private Apps
/api/v2/steering/apps/private | POST | Create private app in Netskope
Pull the Malware alerts from Netskope tenant
API Endpoint: /api/v2/events/dataexport/alerts/malware
Method: GET
Parameters:
index: <name of the iterator index>
operation: <epoch timestamp from which to fetch the data>
Headers:
Netskope-Api-Token: <V2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response:
To access the API Response view, please log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.
Pull the Malsite alerts from Netskope tenant
API Endpoint: /api/v2/events/dataexport/alerts/malsite
Method: GET
Parameters:
index: <name of the iterator index>
operation: <epoch timestamp from which to fetch the data>
Headers:
Netskope-Api-Token: <V2_Token>
Accept: application/json
Content-Type: application/json
Sample API Response
To access the API Response view, please log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.
Push the file hashes to Netskope Tenant
API Endpoint: /api/v1/updateFileHashList
Method: POST
Parameters:
token: <Netskope Tenant V1 Token>
Body:
{ "name": "<Name of File Hash List>", "list": "<MD5 and SHA256 values, comma separated>" }
Sample API Response
To access the API Response view, please log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.
Push the URLs to Netskope Tenant using V2 token
API Endpoint: /api/v2/policy/urllist
Method: POST
Headers:
Netskope-Api-Token: <Netskope Tenant V2 Token>
Body:
{ "name": "<URL List Name>", "data": { "urls": [<List of URLs, comma separated>], "type": "regex" } }
Sample API Response
To access the API Response view, please log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.
List the Private Apps from Netskope Tenant
API Endpoint: /api/v2/steering/apps/private
Method: GET
Headers:
Netskope-Api-Token: <Netskope Tenant V2 Token>
Sample Response:
To access the API Response view, log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.
List Publisher for Private Apps
API Endpoint: /api/v2/infrastructure/publishers
Method: GET
Headers:
Netskope-Api-Token: <Netskope Tenant V2 Token>
Sample Response:
To access the API Response view, log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.
Push Private App to Netskope Tenant
API Endpoint: /api/v2/steering/apps/private
Method: POST
Headers:
Netskope-Api-Token: <Netskope Tenant V2 Token>
Body:
{ "app_name": "<NAME_OF_PRIVATE_APP>", "host": "<hostnames, comma separated>", "protocols": [ { "type": "TCP", "port": "443" } ], "tags": [ { "tag_name": "<TAG_NAME>" } ] }
Sample Response:
To access the API Response view, log in to your Netskope tenant and go to Settings > Tools > REST API v2 and click API Documentation.
From there, you will be able to request the API mentioned above and obtain the desired API response.
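The three push bodies above (File Hash List, URL List, Private App), built and validated as an added example; this is not the plugin's own code and it performs no HTTP call. Body shapes follow the API Details section. Three things here are assumptions: that the 8 MB list limit applies to the serialised JSON body, that the Default URL from the sharing configuration is used only when no indicator survives filtering, and that multiple ports for one protocol are given as a comma-separated "port" string (the page shows a single port). The point of the example is the validation a practitioner wants before indicators from a 3rd-party feed are written into enforcement lists: only well-formed digests go to the hash list, URLs are escaped when the list is in Regex mode so that "." and "?" stay literal, and a private app host that still carries a scheme, port or path is rejected rather than silently steered.

```python
import json
import re

MAX_LIST_BYTES = 8 * 1024 * 1024  # File Hash List / URL List limit stated on this page
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Bare hostname, domain or IPv4, with an optional leading "*." wildcard label.
HOST_RE = re.compile(r"^(\*\.)?[a-z0-9][a-z0-9.-]*$")


class PayloadTooLarge(ValueError):
    pass


def payload_size(body):
    """Bytes the body occupies when sent; raises if over the assumed 8 MB limit."""
    size = len(json.dumps(body, separators=(",", ":")).encode("utf-8"))
    if size > MAX_LIST_BYTES:
        raise PayloadTooLarge(f"body is {size} bytes; limit is {MAX_LIST_BYTES}")
    return size


def file_hash_list_body(name, hashes):
    """/api/v1/updateFileHashList body: {"name": ..., "list": "h1,h2,..."}.
    Keeps only lowercase hex MD5/SHA256 digests, deduplicated in order."""
    kept, seen = [], set()
    for h in hashes:
        h = str(h).strip().lower()
        if h not in seen and (MD5_RE.match(h) or SHA256_RE.match(h)):
            seen.add(h)
            kept.append(h)
    body = {"name": name, "list": ",".join(kept)}
    payload_size(body)
    return body


def url_list_body(name, urls, list_type="exact", default_url="http://placeholder.invalid"):
    """/api/v2/policy/urllist body. In "regex" mode each literal URL is
    escaped so "." and "?" stay literal; in "exact" mode it is passed
    through unchanged. The list is never empty: default_url (assumed to be
    the sharing configuration's Default URL) fills it when nothing remains."""
    if list_type not in ("exact", "regex"):
        raise ValueError("list_type must be 'exact' or 'regex'")
    kept, seen = [], set()
    for u in urls:
        u = str(u).strip()
        if not u or u in seen:
            continue
        seen.add(u)
        kept.append(re.escape(u) if list_type == "regex" else u)
    if not kept:
        kept.append(default_url)
    body = {"name": name, "data": {"urls": kept, "type": list_type}}
    payload_size(body)
    return body


def private_app_body(app_name, hosts, protocol="TCP", ports=("443",), tag=None):
    """/api/v2/steering/apps/private body. Hosts must be bare hostnames,
    domains or IPv4 addresses: an indicator carrying a scheme, port or path
    is rejected instead of being silently turned into a steered private app."""
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    cleaned = []
    for h in hosts:
        h = str(h).strip().lower()
        if not HOST_RE.match(h):
            raise ValueError(f"not a valid private app host: {h!r}")
        if h not in cleaned:
            cleaned.append(h)
    if not cleaned:
        raise ValueError("at least one host is required")
    body = {"app_name": app_name, "host": ",".join(cleaned),
            "protocols": [{"type": protocol, "port": ",".join(str(p) for p in ports)}]}
    if tag:
        body["tags"] = [{"tag_name": tag}]
    return body


if __name__ == "__main__":
    print(json.dumps(file_hash_list_body("cte_hashes", ["D41D8CD98F00B204E9800998ECF8427E", "junk"])))
    print(json.dumps(url_list_body("cte_urls", ["http://malicious.example/login?x=1"], "regex")))
    print(json.dumps(private_app_body("cte_app", ["evil.example", "10.0.0.5"], tag="cte")))
```

After a successful urllist POST the plugin also calls /api/v2/policy/urllist/deploy; without that step the new entries sit pending and are not enforced, which is the first thing to check when a pushed URL does not appear in the tenant.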
User Agent
The user-agent added in this plugin is in the following format:
Netskope-ce-<ce_version>
For example: Netskope-ce-5.0.1
Workflow
- Create a File profile and a Malware Detection profile.
- Configure a Real-Time Protection policy.
- Configure the Netskope Threat Exchange Plugin.
- Create a Business Rule.
- Configure a 3rd-party Plugin.
- Configure Sharing between Netskope and the 3rd-party plugin.
- Validate the plugin.
- In the Netskope UI, go to Policies , select File , and click New File Profile.
- Click File Hash in the left panel, select SHA256 from the File Hash dropdown list.
- Enter a temporary value in the text field. Netskope does not allow you to proceed without a value in this field and recommends entering a string of 64 f characters, for example ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff, which has a negligible chance of matching the hash of a real file.
- Click Next.
- Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.
- Click Save.
- To publish this profile into the tenant, click Apply Changes in the top right.
- In the Netskope UI, go to Policies, select Threat Protection, and click New Malware Detection Profile.
- Click Next.
Note
For this configuration example, we will be using the intelligence for this list as a block list. Netskope does support inclusion of both allow and block lists in the threat profiles.
- Click Next.
- Select the File Profile you created previously and click Next.
- Enter a Malware Detection Profile name and click Save Malware Detection Profile.
- To publish this profile in the tenant, click Apply Changes in the top right.
Create a Real-Time Protection Policy
- Go to Policies > Real-time Protection. The policy configuration is just an example. Modify as appropriate for your organization.
- Click New Policy, and then select Cloud App Access.
- For Source, leave the default as User = Any.
- Click Category.
- The window expands to let you search for and select All Categories.
- Click outside of this list to close the search dialog.
- For Activities & Constraints, click Edit.
- Select Upload and Download.
- Click Save.
- For Profile and Action, click Add Profile and select Threat Protection Profile.
- Click in the new Threat Protection Profile box to open the list of available profiles.
- Choose the Malware Detection Profile you created previously.
- Adjust the Action: Alert to reflect Action: Block for each of the Severity options.
- In the Set Policy text box, enter a descriptive Policy Name.
- Click Save.
- Select To the top option when it is presented.
- To publish this policy into the tenant, click Apply Changes at the top right of the screen.
Enable and Configure the Netskope Threat Exchange Plugin
- In Cloud Exchange, go to Settings > General and enable the Threat Exchange module.
- Go to the Threat Exchange module and click Plugins > Configure New Plugin.
- Search for and select the Netskope CTE Plugin.
- Enter these parameters:
- Configuration Name: Enter a unique name.
- Tenant: Select the desired Tenant from the dropdown menu. The primary tenant is automatically selected by default.
- Aging Criteria: Specify the criteria for aging out indicators; the default expiration is 90 days.
- Override Reputation: Enter a value from 1 to 10 to override the reputation received from this configuration, or leave it blank to use the default.
- Click Next and enter these parameters:
- Enable Polling: Allows data to be polled from Netskope.
- Type of Threat data: Select the type of data to poll: Malware, Malsite, or Both.
- Type of Malware to Pull: Select the malware indicator type (SHA256 or MD5) to extract from the Netskope malware alerts and store in CTE.
- Enable Tagging: When enabled, indicators pulled by this configuration are tagged.
- Click Save.
Create a Business Rule from the Threat IoCs
- In Threat Exchange, go to Threat IoCs.
- Select the filters at the top of the page and click Apply Filter to create the Business Rule from them.
- Enter a Rule Name and click Save.
You can also create a Business Rule from this page by clicking Create New Rule and configuring it with a Rule Name and Filters.
Configure Sharing for the Netskope Threat Exchange Plugin
Before you can configure sharing here, you need to create a 3rd-party plugin to share with. Refer to the documentation for steps to configure a 3rd-party plugin. After you have created a 3rd-party plugin, use the following sections to share a URL List, a File Hash List, and a Private App.
Add to a URL List
- Go to Sharing and click Add Sharing Configuration.
- Select how to share the indicators.
- Select the Source Plugin.
- Select the Business Rule.
- Select the Destination Plugin.
- Select the Target > Add to URL List.
- Select the list name from the dropdown menu to add the URLs to a list that has already been created, or enter a name in Create New List to create a new one.
- Choose the format in which the URLs are stored within the list: Exact or Regex.
- Select the List Size (the maximum is 8 MB).
- Enter the Default URL.
- Click Save.
Add to a File Hash List
- Go to Sharing and click Add Sharing Configuration.
- Select how to share the indicators.
- Select the Source Plugin.
- Select the Business Rule.
- Select the Destination Plugin.
- Select the Target > Add to File Hash List.
- Provide the name of the file hash list on Netskope.
- Select a List Size (Maximum Size is 8 MB).
- Click Save.
Add to a Private App
- Configure a 3rd-party plugin. Refer to the documentation for the steps to configure it.
- Go to Sharing and click Add Sharing Configuration.
- Select how to share the indicators.
- Select the Source Plugin.
- Select the Business Rule.
- Select the Destination Plugin.
- Select the Target > Add to Private App.
- Select the Private App Name from the dropdown menu to add the domain/hostname to an app that has already been created, or select Create New Private App.
- Select a Protocol.
- Provide the comma-separated ports for the selected protocol (TCP or UDP).
- Select the Publisher.
- Select Use Publisher DNS if it is needed for connectivity.
- Enter a Default Host.
- Click Save.
Validate the Threat Exchange Plugin
Validate the Pull in Cloud Exchange
To validate that alerts were pulled from Netskope:
- Go to Logging and search for the pulled logs.
Validate the Stored Indicator in Cloud Exchange
To validate the indicator stored in Cloud Exchange:
- Go to Threat IoCs.
- Add a filter to search the indicator.
Validate that Alerts are Present in the Tenant
To validate Alerts from the Netskope Tenant:
- Log in to Netskope Tenant.
- Click Skope IT.
- Click Alerts.
- Click Add Filter and select the options per your needs.
- Filter the Last x Days according to your needs.
Validate the Push in Cloud Exchange
To validate the plugin workflow on Netskope Cloud Exchange:
- Go to Logging and filter with "message contains pushed".
- Only the push logs are listed.
Validate the Push on a Netskope Tenant
To verify that the indicators received from the 3rd-party plugin were pushed to the Netskope tenant:
For Malsite types of alerts:
- Log in to the Netskope Tenant.
- Go to Policies.
- Click Web > URL Lists.
- Click the List Name where the URL is stored.
- The List will show here.
For Malware types of alerts:
- Log in to Netskope Tenant.
- Go to Policies.
- Click Web > File.
- Click the File Name > File Hash where the MD5 and SHA256 file hashes are stored.
For domain and host types of alerts:
- Log in to Netskope Tenant.
- Go to Settings.
- Click Security Cloud Platform > App Definition > Private App.
- Click the application name where the hostname and domain details are shared.