Cybereason Plugin for Threat Exchange
This document explains how to configure the v1.1.0 Cybereason plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. The Cybereason plugin fetches IoCs (Domain, IPv4, IPv6, MD5, and SHA256) from the Cybereason Security Profile > Reputations page and stores them in Cloud Exchange. It also shares IoCs of the same types (Domain, IPv4, IPv6, MD5, and SHA256) from Cloud Exchange back to the Cybereason Security Profile > Reputations page.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Secure Web Gateway subscription for URL sharing.
- A Netskope Threat Prevention subscription for malicious file hash sharing.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- Your Cybereason account username and password.
- Connectivity to the following host: https://integration.cybereason.net:8443.
CE Version Compatibility
Netskope CE: v4.2.0 and v5.0.1
Cybereason Plugin Support
Capability | Indicator types |
---|---|
Fetched indicator types | SHA256, MD5, Domain, IPv4, IPv6 |
Shared indicator types | SHA256, MD5, Domain, IPv4, IPv6 |
Permissions
To access this plugin you will need admin access to your Cybereason platform. Contact the Cybereason team for admin access.
Mappings
Pull Mapping
Netskope CE Fields | Cybereason Fields |
---|---|
Value | Value |
Type | Type |
First Seen | Added On |
Last Seen | Last Modified |
Push Mapping
Netskope CE Fields | Cybereason UI Fields |
---|---|
Comment | Description |
Value | Value |
API Details
List of APIs used
API Endpoint | Method | Use Case |
---|---|---|
/login.html | POST | To authenticate the plugin |
/rest/classification/reputations/list | POST | To Pull Reputations (IoCs) |
/rest/classification/upload | POST | To Push Reputations (IoCs) |
To Authenticate
API Endpoint: https://<baseurl>/login.html
Method: POST
Headers
Key | Value |
---|---|
User-Agent | <User Agent> |
Content-Type | application/x-www-form-urlencoded |
Cookie | <Cookie> |
Accept | application/json |
Payload:
Key | Value |
---|---|
username | <username> |
password | <password> |
Sample API Response (the login endpoint answers with the console's HTML shell rather than JSON; a successful login is indicated by the session cookie set in the response headers, which the plugin then sends as the Cookie header on subsequent API calls):

```html
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Cybereason</title>
<meta name="viewport" content="width=device-width">
<link rel="shortcut icon" href="favicon.ico">
</head>
<body class="cbr-theme-light">
<app></app>
<script type="text/javascript">
(function () {
  var loadScript = function({ uri, async, onLoad, onError, attrs }) {
    var isSync = async === undefined ? true : async;
    const script = document.createElement('script');
    script.setAttribute('type', 'text/javascript');
    script.setAttribute('src', uri);
    script.async = isSync;
    if (onLoad) script.onload = onLoad;
    if (onError) script.onerror = onError;
    if (attrs && attrs.length) attrs.forEach(function (attr) {script.setAttribute(attr.name, attr.val)});
    document.body.appendChild(script);
  };
  var loadCSS = function(uri) {
    const head = document.getElementsByTagName('head')[0];
    const link = document.createElement('link');
    link.rel = 'stylesheet';
    link.type = 'text/css';
    link.href = uri;
    link.media = 'all';
    head.appendChild(link);
  };
  var attrs = [{ name: 'data-shell-sdk-url', val: 'rest/uimodules/js/shell-sdk' }];
  function loadFallbackGlobalStyles() { loadScript({ uri: '/externals/cbr-global-styles-1.4.1.js' }); }
  function requireGlobalStyles() {
    var initRuntimesPromise = window.CbrInfraShell && window.CbrInfraShell.initRuntimesPromise;
    if (initRuntimesPromise) {
      initRuntimesPromise.then(() => { require(['@cbr/global-styles']); }).catch(() => { loadFallbackGlobalStyles(); })
    } else {
      loadFallbackGlobalStyles();
    }
  }
  function loadFallback() {
    window.__isLoadShellFallback__ = true;
    var fallbSrc = '/rest/uimodules/js/shell-sdk/latest/shell.js';
    loadScript({ uri: fallbSrc, async: false, onLoad: requireGlobalStyles, onError: loadFallbackGlobalStyles, attrs });
    // prevent chaching by adding query param
    loadCSS('/public/common.css?23.2.120');
    loadCSS('/public/vendors.css?23.2.120');
    loadCSS('/public/app.css?23.2.120');
    loadScript({ uri: '/public/common.js?23.2.120' });
    loadScript({ uri: '/public/vendors.js?23.2.120' });
    loadScript({ uri: '/app.js?23.2.120' });
    loadScript({ uri: '/externals/pendo.js' });
  }
  var tenant = window.location.hostname.split('.')[0];
  var _shellSdkUri = (window?.localStorage && window?.localStorage.getItem('shell.shellSdkUri')) || '';
  var shellSrc = (_shellSdkUri || '/rest/dynamic/v1/ui-infra-shell/public-api/js/shell.js') + '?pVersion=23.2.120&tenantId=' + tenant;
  loadScript({ uri: shellSrc, async: false, onLoad: requireGlobalStyles, onError: loadFallback, attrs });
})();
</script>
</body>
</html>
```
Pull Reputations (IoCs)
API Endpoint: https://<baseurl>/rest/classification/reputations/list
Method: POST
Headers:
Key | Value |
---|---|
User-Agent | <User Agent> |
Content-Type | application/json |
Sample Payload:
```json
{
  "filter": {
    "includeExpired": true
  },
  "page": 0,
  "size": 20
}
```
Sample API Response
```json
{
  "outcome": "success",
  "data": {
    "reputations": [
      {
        "key": "2001:0db8:0:0:0:ff00:42:8888",
        "reputationType": "IP",
        "isBlocking": false,
        "maliciousType": "blacklist",
        "comment": "",
        "expiration": -1,
        "owningUser": "gjenkins@netskope.com",
        "firstSeen": 1713948991801,
        "lastUpdated": 1713948991801,
        "additionalKeys": [],
        "lookupKeyType": "IPV6"
      }
    ],
    "total": 1
  }
}
```
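The authentication and pull steps above chained into a small client, as an added example that is not Netskope's plugin code. The endpoint paths, request payload and response fields are the ones shown on this page; the class and function names, the lookupKeyType-to-type table (only IPV6 appears on the page) and the check that treats "a session cookie was set" as a successful login are assumptions. pull_sample() runs the pager over constructed pages shaped like the sample response, so it works offline; CybereasonSession performs the real calls.

```python
"""Login and paginated reputation pull following the plugin's API table.

Added example, not Netskope plugin code. Endpoint paths, request body and
response fields are the ones on this page; the names, TYPE_MAP and the
"session cookie present" login check are assumptions.
"""
import datetime as dt
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Callable, Dict, List, Optional

USER_AGENT = "netskope-ce-5.0.1-cte-cybereason-v1.1.0"
NETSKOPE_MARKER = "created from netskope"  # description of reputations CE itself pushed
# Assumed lookupKeyType values; only IPV6 is shown on the page.
TYPE_MAP = {"IPV4": "ipv4", "IPV6": "ipv6", "DOMAIN": "domain", "MD5": "md5", "SHA256": "sha256"}


class CybereasonSession:
    """Form login to /login.html, then cookie-authenticated JSON calls."""

    def __init__(self, base_url: str) -> None:
        self.base_url = base_url.rstrip("/")
        self.jar = CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))

    def login(self, username: str, password: str) -> None:
        data = urllib.parse.urlencode({"username": username, "password": password}).encode()
        req = urllib.request.Request(
            f"{self.base_url}/login.html", data=data, method="POST",
            headers={"User-Agent": USER_AGENT, "Accept": "application/json",
                     "Content-Type": "application/x-www-form-urlencoded"})
        with self.opener.open(req, timeout=30) as resp:
            resp.read()  # body is the console's HTML shell; only Set-Cookie matters
        if not list(self.jar):  # assumption: no cookie means the login was rejected
            raise RuntimeError("login returned no session cookie; check credentials and base URL")

    def fetch_page(self, page: int, size: int = 20, include_expired: bool = True) -> Dict:
        body = json.dumps({"filter": {"includeExpired": include_expired},
                           "page": page, "size": size}).encode()
        req = urllib.request.Request(
            f"{self.base_url}/rest/classification/reputations/list", data=body, method="POST",
            headers={"User-Agent": USER_AGENT, "Content-Type": "application/json"})
        with self.opener.open(req, timeout=60) as resp:
            return json.load(resp)


def ms_to_utc(millis: int) -> dt.datetime:
    """Cybereason timestamps are epoch milliseconds."""
    return dt.datetime.fromtimestamp(millis / 1000, tz=dt.timezone.utc)


def to_ce_indicator(rep: Dict) -> Optional[Dict]:
    """Apply the page's pull mapping; return None for entries the plugin skips."""
    comment = rep.get("comment") or ""
    if NETSKOPE_MARKER in comment.lower():
        return None  # shared from Cloud Exchange itself, not pulled back
    kind = TYPE_MAP.get(rep.get("lookupKeyType", ""))
    if kind is None:
        return None  # a key type the plugin does not handle
    return {"value": rep["key"], "type": kind, "comment": comment,
            "first_seen": ms_to_utc(rep["firstSeen"]),    # Added On
            "last_seen": ms_to_utc(rep["lastUpdated"])}   # Last Modified


def pull_all(fetch_page: Callable[[int], Dict]) -> List[Dict]:
    """Walk the 0-based pages until `total` entries have been seen.
    The API has no checkpoint field, so every run is a full pull and the
    caller must merge duplicates from earlier runs."""
    out: List[Dict] = []
    page = seen = 0
    while True:
        resp = fetch_page(page)
        if resp.get("outcome") != "success":
            raise RuntimeError(f"reputations/list page {page} failed: {resp}")
        data = resp.get("data", {})
        reps = data.get("reputations", [])
        if not reps:
            break  # stop even if `total` over-reports
        seen += len(reps)
        out.extend(ind for ind in map(to_ce_indicator, reps) if ind)
        if seen >= data.get("total", 0):
            break
        page += 1
    return out


def _rep(key: str, key_type: str, comment: str = "", last: int = 1713948991801) -> Dict:
    """Constructed reputation record in the shape of the page's sample response."""
    return {"key": key, "lookupKeyType": key_type, "comment": comment, "isBlocking": False,
            "maliciousType": "blacklist", "expiration": -1, "additionalKeys": [],
            "firstSeen": 1713948991801, "lastUpdated": last}


SAMPLE_PAGES = [  # constructed: two pages, three reputations in total
    {"outcome": "success", "data": {"total": 3, "reputations": [
        _rep("2001:0db8:0:0:0:ff00:42:8888", "IPV6"),
        _rep("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "SHA256",
             comment="Created from Netskope")]}},
    {"outcome": "success", "data": {"total": 3, "reputations": [
        _rep("malware.example.com", "DOMAIN", comment="C2", last=1714035391801)]}},
]


def pull_sample() -> List[Dict]:
    """Run the pager over SAMPLE_PAGES without any network access."""
    return pull_all(lambda page: SAMPLE_PAGES[page])


if __name__ == "__main__":
    for ind in pull_sample():
        print(ind["type"], ind["value"], ind["first_seen"].isoformat())
```

Against a live console, replace pull_sample() with a CybereasonSession: call login() once, then pass session.fetch_page to pull_all(). The SHA256 entry whose description reads "Created from Netskope" is dropped, which is the plugin's documented behaviour for reputations that Cloud Exchange itself shared.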
Push Reputations (IoCs)
API Endpoint: https://<baseurl>/rest/classification/upload
Method: POST
Headers:
Key | Value |
---|---|
User-Agent | <User Agent> |
Cookie | <cookie> |
Payload:
Key | Value |
---|---|
classification_file | CSV file containing the reputations to add, sent as a multipart form file upload |
Performance Matrix
Below are the performance readings taken while pulling and sharing 100K indicators from and to Cybereason on a Large CE stack with these specifications.
Measure | Value |
---|---|
Stack details | Size: Large, RAM: 32 GB, CPU: 16 cores |
Indicators fetched from Cybereason | ~15K per minute |
Indicators shared with Cybereason | ~1K per minute |
User Agent
netskope-ce-5.0.1-cte-cybereason-v1.1.0
Workflow
- Get your Cybereason instance information.
- Configure the Cybereason Plugin.
- Configure a business rule for Cybereason.
- Configure sharing between Netskope and Cybereason.
- Validate the Cybereason Plugin.
Get your Cybereason Information
For configuring the Cybereason plugin, you will need the Base URL, Username, and Password of your Cybereason instance.
- Base URL: URL of your Cybereason console, including the port (the host listed under Prerequisites uses 8443).
- Username: Username of your Cybereason platform account.
- Password: Password of that account.
Configure the Cybereason Plugin
- In Cloud Exchange, go to Settings > Plugins.
- Search for and select the Cybereason plugin box.
- For Basic Information, enter these values:
- Configuration Name: Unique name for the configuration.
- Sync Interval: Interval to fetch data from this plugin source.
- Aging Criteria: Expire indicators after a specific time.
- Override Reputation: Set value to override the reputation of indicators.
- Enable SSL verification: Keep enabled so the plugin validates the Cybereason console's TLS certificate. The connection carries the account password and the session cookie, so disable verification only for a console whose certificate cannot be validated, and treat that as a temporary exception.
- Use System Proxy: Enable if the proxy is required for communication.
- Click Next.
- For Configuration Parameters, enter these values:
- Base URL: URL of the Cybereason console (including the port) from which data is fetched and to which IoCs are shared.
- Username: Username of the Cybereason account the plugin authenticates as.
- Password: Password of that account.
- Enable Polling: Enable if you want to fetch data.
- Click Save.
Add a Threat Exchange Business Rule for Cybereason
To share indicators with Cybereason, add a business rule that selects the data you want to share. To do this, follow these steps.
- Go to Threat Exchange > Business rule.
- Click Create New Rule.
- Enter a Rule name and create the filters you need (for example, restrict the rule to the indicator types Cybereason accepts: SHA256, MD5, Domain, IPv4, and IPv6).
- Click Save.
Configure Threat Exchange Sharing for Cybereason
Configure Sharing in order to share the IoCs with Cybereason.
- In Threat Exchange, go to Sharing.
- Click Add Sharing Configuration.
- Click on the Source Configuration dropdown and choose Netskope (or any source plugin that you want to share IoCs from).
- Click the Business Rule dropdown and select the Business Rule created earlier.
- Click the Destination Configuration dropdown and select Cybereason.
- For sharing IoCs, click on the Target dropdown and choose Share Indicators.
- For sharing URLs, click on the Target dropdown and choose Add to URL List. Enter the URL List name from your Netskope tenant and create a new list. Select the URL List Type, then enter a List Size and the Default URL.
- For sharing hashes, click on the Target dropdown and choose Add to File Hash List. Enter the List Name (File Profile) from your Netskope tenant, and then enter a List Size.
- Click Save.
Validate the Cybereason Plugin
Validate the Pull
- Indicators from Cybereason are pulled from the Security Profile > Reputations page. Indicators whose description is "created from netskope" are not pulled, because they were shared from Cloud Exchange itself.
- Indicators stored in Cloud Exchange can be verified on the Threat Exchange > Threat IoCs page.
- Search for the Cybereason IoCs by filtering indicators by source. Example: on the Threat IoCs page, add a query like sources.source Is equal "<plugin configuration name>".
- You can also verify the indicators pulled into Cloud Exchange from the logs available on the Logging page.
Validate the Push
IoCs shared with Cybereason can be verified from the logs available on the Logging page of Cloud Exchange and on the Cybereason Security Profile > Reputations page.
Troubleshooting
Unable to Validate/Push the data on the Cybereason Platform
If you cannot see the shared data on the Cybereason platform, it could be due to one of these reasons:
- Values in a URL format that Cybereason does not accept (for example protocol.subdomain.domainname) are in the shared set. The upload API still returns a success message, but the whole batch of IoCs containing them is not stored.
- Invalid MD5 or SHA256 hashes are in the shared set.
- A batch upload received a server error from the Cybereason platform, so that batch was skipped.
To solve these issues:
- Remove the values in the unsupported URL format (protocol.subdomain.domainname) and share the IoCs again using a manual sync.
- Check the Cloud Exchange logs: a log entry names the invalid IoC. Remove that IoC and share the IoCs again using a manual sync.
- Push the data again using a manual sync.
Unable to pull the data from the Cybereason Platform
If you are unable to pull data from the Cybereason platform, it could be due to one of these reasons:
- No IoCs are present on the platform to pull.
- The API returns a read timeout while the IoCs are being pulled.
- Polling is set to No in the Cybereason plugin configuration.
To solve these issues:
- Make sure valid IoCs are present in Cybereason. If IoCs are present but their description is "created from netskope", they are not pulled, because they were shared from Cloud Exchange itself.
- Wait for the API to recover from the timeout, then retry.
- Set Polling to Yes in the Cybereason plugin configuration.
Known Behaviors
- All indicators are shared to Cybereason as blacklist reputations that do not block (isBlocking is false on the resulting reputation record), so the Cybereason console shows their action as Detect Only.
- If any invalid IoC is present in a batch for sharing, the whole batch is ignored.
- Once all pages have been pulled, the next pull starts again from the first page, because the API exposes no field on which a checkpoint could be based; every pull is therefore a full pull.
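A pre-share check and CSV build for the Push Reputations endpoint (/rest/classification/upload) that applies the batch rule from Known Behaviors, as an added example rather than Netskope's plugin code: because one invalid entry causes Cybereason to drop the whole batch, each value is validated locally, unsupported ones (URLs with a scheme or path, SHA1 hashes, and so on) are set aside with a log-worthy list, and only clean batches are rendered into the classification_file body. The CSV column layout (key, reputation, prevent execution, remove), the lower-casing of hashes and domains, and the helper names are assumptions to confirm against your Cybereason release; the Comment-to-Description mapping is not rendered because the page does not show which CSV column carries it. SAMPLE_IOCS is constructed input.

```python
"""Pre-share validation and CSV build for Cybereason reputation uploads.

Added example, not Netskope plugin code. One bad entry makes Cybereason drop a
whole batch, so entries are validated locally and only clean batches are turned
into the classification_file CSV. Column layout and normalisation are assumptions.
"""
import csv
import io
import ipaddress
import re
import urllib.request
import uuid
from typing import List, Optional, Tuple

USER_AGENT = "netskope-ce-5.0.1-cte-cybereason-v1.1.0"
HEX_MD5 = re.compile(r"[0-9a-fA-F]{32}")
HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")
# Bare hostname only: no scheme, path, port or trailing dot; labels of 1-63 chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(value: str) -> Optional[str]:
    """Return the shareable type (md5, sha256, ipv4, ipv6, domain) or None."""
    v = value.strip()
    if HEX_MD5.fullmatch(v):
        return "md5"
    if HEX_SHA256.fullmatch(v):
        return "sha256"
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    return None  # URLs with a scheme or path, SHA1, CIDR ranges: all rejected


def split_batches(values: List[str], batch_size: int = 1000
                  ) -> Tuple[List[List[Tuple[str, str]]], List[str]]:
    """Reject unsupported values, normalise and dedupe the rest, then chunk."""
    clean: List[Tuple[str, str]] = []
    rejected: List[str] = []
    seen = set()
    for raw in values:
        kind = classify(raw)
        if kind is None:
            rejected.append(raw)  # log these; they would sink the whole batch
            continue
        key = raw.strip()
        if kind in ("md5", "sha256", "domain"):
            key = key.lower()  # assumption: case-insensitive keys stored lower-case
        if key in seen:
            continue
        seen.add(key)
        clean.append((key, kind))
    return [clean[i:i + batch_size] for i in range(0, len(clean), batch_size)], rejected


def build_reputation_csv(batch: List[Tuple[str, str]], prevent_execution: bool = False) -> str:
    """Render one batch as the classification_file body.
    Assumed columns: key, reputation, prevent execution, remove. Every row is a
    blacklist entry with prevent execution false, matching the documented
    Detect Only result of the plugin's sharing."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for key, _kind in batch:
        writer.writerow([key, "blacklist", str(prevent_execution).lower(), "false"])
    return buf.getvalue()


def encode_multipart(field: str, filename: str, content: str) -> Tuple[str, bytes]:
    """Build a multipart/form-data body for a single file field (stdlib only)."""
    boundary = uuid.uuid4().hex
    body = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: text/csv\r\n\r\n{content}\r\n--{boundary}--\r\n").encode()
    return f"multipart/form-data; boundary={boundary}", body


def push_batch(opener: urllib.request.OpenerDirector, base_url: str,
               batch: List[Tuple[str, str]]) -> int:
    """Upload one clean batch; opener must already carry the login session cookie."""
    content_type, body = encode_multipart("classification_file", "reputations.csv",
                                          build_reputation_csv(batch))
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/rest/classification/upload", data=body, method="POST",
        headers={"User-Agent": USER_AGENT, "Content-Type": content_type})
    with opener.open(req, timeout=60) as resp:
        return resp.status


SAMPLE_IOCS = [  # constructed input mixing valid and invalid entries
    "2001:0db8:0:0:0:ff00:42:8888",               # the IPv6 from the page's sample response
    "198.51.100.23",
    "Malware.Example.com",
    "https://malware.example.com/payload",        # scheme and path: not a reputation key
    "D41D8CD98F00B204E9800998ECF8427E",           # MD5, upper case
    "d41d8cd98f00b204e9800998ecf8427e",           # duplicate after normalisation
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",   # SHA1 length: unsupported
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

if __name__ == "__main__":
    batches, rejected = split_batches(SAMPLE_IOCS, batch_size=3)
    print("rejected:", rejected)
    for b in batches:
        print(build_reputation_csv(b))
```

Run the sample and the URL and the SHA1 come back in rejected while the five remaining keys are split into batches of three and two; feeding each batch through push_batch with a cookie-bearing urllib opener performs the upload the page's push table describes. Keeping the rejected list in your own logs gives you the "which IoC is invalid" answer the Troubleshooting section points you to.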