Netskope Help

Configure Threat Exchange Business Rules
  1. Go to Threat Exchange > Business Rules. A page appears listing any previously configured business rules, with at least the default rule “All”, which matches on all indicator types.

    image1.png
  2. Click the Create New Rule button. This opens a window where the rule can be given a descriptive name and a set of matching conditions selected. The boolean logic supports “not”, “and”, and “or”, so several conditions can be combined to match on the metadata provided about the IoC, including source, reputation, tag, severity, extended information, and many more.

    image3.png

    You can add more rules and create groups of rules that can be additive or alternative. Rules can also be deleted by clicking on the rule and selecting the red garbage can.

    image2.png

    Finally, rules can also be copied from the IOC page for use in a business rule by clicking on the Copy Filter button, or created from the IOC page by clicking on the document plus icon.

  3. When finished, click the Save button. Whenever a rule is saved or deleted, a green pop-up box will appear in the upper right corner reporting successful completion of the command.

  4. Exceptions can be added to a rule in order to tune it by clicking on the plus button to the right of Exception Rules, which is shown when the caret to the left of the rule is expanded. Exceptions work like business rules and can pivot off the query language or particular tags, making it easier to remove certain kinds of data (for example, IoCs that the SecOps team has tagged as benign) from the primary matching rule.

    image4.png
  5. Other actions that can be taken on rules include:

    1. Editing existing rules by clicking on the pencil icon

    2. Deleting rules by clicking on the garbage can icon

    3. Testing rules by clicking on the synchronization icon. This lets the admin see how many IoCs would match the rule over a given period of time. Clicking the Fetch button runs the test; it does not cause the IoCs to be shared, which requires configuring a sharing rule.

      image5.png
  6. If there are more than 10 rules, the number of rules shown per page can be increased.
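The matching behaviour described in steps 2 and 4 (a boolean and/or/not tree over IoC metadata, with exception rules subtracting matches, and a test run that counts matches over a period without sharing anything) can be modelled in a few lines. The following is an added illustration, not Netskope's code; the condition helpers, field names and the sample IoCs are constructed for the example, and the product's actual query language is not shown on this page.

```python
"""Toy model of Threat Exchange business-rule matching (added example, not
Netskope's implementation). A business rule is a boolean tree of conditions
over IoC metadata; exception rules are further trees whose matches are removed
from the primary match set. Field names and helpers here are assumptions."""
from datetime import datetime, timedelta

# --- condition helpers (hypothetical; the real query language is not shown) --
def field_is(name, value):
    return lambda ioc: ioc.get(name) == value

def has_tag(tag):
    return lambda ioc: tag in ioc.get("tags", ())

def severity_at_least(level):
    order = {"low": 1, "medium": 2, "high": 3, "critical": 4}
    return lambda ioc: order.get(ioc.get("severity"), 0) >= order[level]

def all_of(*conds):   # "and" group
    return lambda ioc: all(c(ioc) for c in conds)

def any_of(*conds):   # "or" group
    return lambda ioc: any(c(ioc) for c in conds)

def not_(cond):       # "not"
    return lambda ioc: not cond(ioc)

class BusinessRule:
    def __init__(self, name, condition, exceptions=()):
        self.name = name
        self.condition = condition
        self.exceptions = list(exceptions)

    def matches(self, ioc):
        """Primary condition must hold and no exception rule may hold."""
        if not self.condition(ioc):
            return False
        return not any(exc(ioc) for exc in self.exceptions)

    def test(self, iocs, since):
        """Dry run, like the Fetch button: list IoCs seen since `since` that
        the rule would match. Nothing is shared; sharing is a separate rule."""
        return [ioc["value"] for ioc in iocs
                if ioc["seen"] >= since and self.matches(ioc)]

# Constructed sample data (documentation/example address ranges only).
NOW = datetime(2024, 1, 15)
SAMPLE_IOCS = [
    {"value": "203.0.113.5", "source": "netskope", "severity": "medium",
     "reputation": "malicious", "tags": [], "seen": NOW - timedelta(days=1)},
    {"value": "bad.example", "source": "partner-feed", "severity": "high",
     "reputation": "malicious", "tags": [], "seen": NOW - timedelta(days=2)},
    {"value": "198.51.100.7", "source": "partner-feed", "severity": "low",
     "reputation": "malicious", "tags": [], "seen": NOW - timedelta(days=1)},
    {"value": "192.0.2.9", "source": "netskope", "severity": "critical",
     "reputation": "malicious", "tags": ["benign"], "seen": NOW - timedelta(days=1)},
    {"value": "203.0.113.20", "source": "netskope", "severity": "high",
     "reputation": "clean", "tags": [], "seen": NOW - timedelta(days=1)},
    {"value": "old.example", "source": "netskope", "severity": "high",
     "reputation": "malicious", "tags": [], "seen": NOW - timedelta(days=30)},
]

# (source is netskope OR severity >= high) AND NOT reputation == clean,
# with an exception rule that drops anything SecOps tagged "benign".
SHARE_CANDIDATES = BusinessRule(
    name="share-candidates",
    condition=all_of(
        any_of(field_is("source", "netskope"), severity_at_least("high")),
        not_(field_is("reputation", "clean")),
    ),
    exceptions=[has_tag("benign")],
)

def run_test(days=7):
    """Matches within the last `days` days; returns IoC values in input order."""
    return SHARE_CANDIDATES.test(SAMPLE_IOCS, NOW - timedelta(days=days))

if __name__ == "__main__":
    print(run_test())  # ['203.0.113.5', 'bad.example']
```

Note how the "benign" exception removes 192.0.2.9 even though it satisfies the primary condition, and how the 30-day-old indicator matches the rule but falls outside the test window; both are the kinds of result a rule test is meant to surface before a sharing rule is attached.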

Note that each plugin for which a sharing rule is intended may have requirements that dictate the nature of the business rule. There is no point in creating a business rule to match IoCs for sharing if it will be used to push information towards a system that cannot use or cannot receive those IoC types (STIX/TAXII, for example, is a push, never a pull, model).

Additionally, there is a section on best practices for sharing that suggests mechanisms for inserting manual overrides to dictate exactly when IoCs are shared, rather than allowing the system to automatically share on all rules. Tags are a central part of this approach.