Cybereason Plugin for Threat Exchange

This document explains how to configure the v1.1.0 Cybereason plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. The Cybereason plugin is designed to fetch the IoCs (Domain, IPv4, IPv6, MD5, and SHA256) from the Security Profile > Reputations page, and store them in Cloud Exchange. Additionally, the plugin supports sharing of IoCs (Domain, IPv4, IPv6, MD5, and SHA256) to the Cybereason Security Profile > Reputations page.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing.
  • A Netskope Threat Prevention subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • Your Cybereason account username and password.
  • Connectivity to the following host: https://integration.cybereason.net:8443.

CE Version Compatibility

Netskope CE: v4.2.0, and v5.0.1

Cybereason Plugin Support

Fetched indicator types

SHA256, MD5, Domain, IPv4, IPv6

Shared indicator types

SHA256, MD5, Domain, IPv4, IPv6

Permissions

To access this plugin you will need admin access to your Cybereason platform. Contact the Cybereason team for admin access.

Mappings

Pull Mapping

  Netskope CE Field    Cybereason Field
  Value                Value
  Type                 Type
  First Seen           Added On
  Last Seen            Last Modified

Push Mapping

  Netskope CE Field    Cybereason UI Field
  Comment              Description
  Value                Value

API Details

List of APIs used

  API Endpoint                             Method   Use Case
  /login.html                              POST     Authenticate the plugin
  /rest/classification/reputations/list    POST     Pull Reputations (IoCs)
  /rest/classification/upload              POST     Push Reputations (IoCs)

To Authenticate

API Endpoint: https://<baseurl>/login.html

Method: POST

Headers:

  Key             Value
  User-Agent      <User Agent>
  Content-Type    application/x-www-form-urlencoded
  Cookie          <Cookie>
  Accept          application/json

Payload:

  Key         Value
  username    <username>
  password    <password>

Sample API Response:

<!doctype html>
<html>

<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <title>Cybereason</title>
    <meta name="viewport" content="width=device-width">
    <link rel="shortcut icon" href="favicon.ico">
</head>

<body class="cbr-theme-light">

    <app></app>

    <script type="text/javascript">
        (function () {
        var loadScript = function({ uri, async, onLoad, onError, attrs }) {
        var isSync = async === undefined ? true : async;
        const script = document.createElement('script');
        script.setAttribute('type', 'text/javascript');
        script.setAttribute('src', uri);
        script.async = isSync;
        if (onLoad) script.onload = onLoad;
        if (onError) script.onerror = onError;
        if (attrs && attrs.length) attrs.forEach(function (attr) {script.setAttribute(attr.name,       attr.val)});
        document.body.appendChild(script);
    };
    var loadCSS = function(uri) {
        const head = document.getElementsByTagName('head')[0];
        const link = document.createElement('link');
        link.rel = 'stylesheet';
        link.type = 'text/css';
        link.href = uri;
        link.media = 'all';
        head.appendChild(link);
    };
	var attrs = [{ name: 'data-shell-sdk-url', val: 'rest/uimodules/js/shell-sdk' }];

    function loadFallbackGlobalStyles() {
        loadScript({ uri: '/externals/cbr-global-styles-1.4.1.js' });
    }
    function requireGlobalStyles() {
        var initRuntimesPromise = window.CbrInfraShell &&       window.CbrInfraShell.initRuntimesPromise;
		if (initRuntimesPromise) {
    		initRuntimesPromise.then(() => {
       			require(['@cbr/global-styles']);
    		}).catch(() => {
                loadFallbackGlobalStyles();
            })
		} else {
            loadFallbackGlobalStyles();
        }
    }
    function loadFallback() {
        window.__isLoadShellFallback__ = true;
        
        var fallbSrc = '/rest/uimodules/js/shell-sdk/latest/shell.js';
        loadScript({ uri: fallbSrc, async: false, onLoad: requireGlobalStyles, onError: loadFallbackGlobalStyles, attrs });
    
    	// prevent chaching by adding query param
        loadCSS('/public/common.css?23.2.120');
        loadCSS('/public/vendors.css?23.2.120');
        loadCSS('/public/app.css?23.2.120');
        
        loadScript({ uri: '/public/common.js?23.2.120' });
        loadScript({ uri: '/public/vendors.js?23.2.120' });
        loadScript({ uri: '/app.js?23.2.120' });
        loadScript({ uri: '/externals/pendo.js' });
    }
    var tenant = window.location.hostname.split('.')[0];

    var _shellSdkUri = (window?.localStorage && window?.localStorage.getItem('shell.shellSdkUri')) || '';
    var shellSrc = (_shellSdkUri || '/rest/dynamic/v1/ui-infra-shell/public-api/js/shell.js') + '?pVersion=23.2.120&tenantId='+ tenant;
    loadScript({ uri: shellSrc, async: false, onLoad: requireGlobalStyles, onError: loadFallback, attrs });
})();
    </script>
</body>
</html>

Pull Reputations (IoCs)

API Endpoint: https://<baseurl>/rest/classification/reputations/list

Method: POST

Headers:

  Key             Value
  User-Agent      <User Agent>
  Content-Type    application/json

Sample Payload:

{
  "filter": {
    "includeExpired": true
  },
  "page": 0,
  "size": 20
}

Sample API Response

{
    "outcome": "success",
    "data": {
        "reputations": [
            {
                "key": "2001:0db8:0:0:0:ff00:42:8888",
                "reputationType": "IP",
                "isBlocking": false,
                "maliciousType": "blacklist",
                "comment": "",
                "expiration": -1,
                "owningUser": "gjenkins@netskope.com",
                "firstSeen": 1713948991801,
                "lastUpdated": 1713948991801,
                "additionalKeys": [],
                "lookupKeyType": "IPV6"
            }
        ],
        "total": 1
    }
}
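The pull side of the plugin, as an added example (this is not the Netskope plugin's own code, nor Cybereason's): it walks the paged reputations/list response shape shown above, applies the documented pull mapping (Value from key, Type from lookupKeyType, First Seen from firstSeen, Last Seen from lastUpdated, both epoch milliseconds), and skips records whose description is “created from netskope”, which the plugin does not pull back. The page only shows the IPV6 spelling of lookupKeyType, so the other type names in TYPE_MAP are assumptions, and the HTTP call is replaced by an injected function over constructed pages so the example runs offline.

```python
"""Map Cybereason reputation records into Threat Exchange-style indicators.

Added example, not code from the Netskope plugin or from Cybereason.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Assumption: lookupKeyType values for the other indicator kinds follow the
# upper-case "IPV6" spelling seen in the sample response; only IPV6 is on the page.
TYPE_MAP = {"IPV4": "ipv4", "IPV6": "ipv6", "DOMAIN": "domain", "MD5": "md5", "SHA256": "sha256"}
SKIP_COMMENT = "created from netskope"  # indicators shared from CE are not pulled back


@dataclass(frozen=True)
class Indicator:
    value: str              # <- key
    type: str               # <- lookupKeyType
    first_seen: datetime    # <- firstSeen (epoch milliseconds)
    last_seen: datetime     # <- lastUpdated (epoch milliseconds)


def ms_to_utc(ms: int) -> datetime:
    """Cybereason timestamps are epoch milliseconds; store timezone-aware UTC datetimes."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def map_reputation(rec: dict) -> Optional[Indicator]:
    """Apply the pull mapping; return None for records the plugin would not pull."""
    if rec.get("comment", "").strip().lower() == SKIP_COMMENT:
        return None
    ioc_type = TYPE_MAP.get(rec.get("lookupKeyType", ""))
    if ioc_type is None:  # reputation kind the plugin does not handle
        return None
    return Indicator(
        value=rec["key"],
        type=ioc_type,
        first_seen=ms_to_utc(rec["firstSeen"]),
        last_seen=ms_to_utc(rec["lastUpdated"]),
    )


def pull_all(fetch_page: Callable[[int, int], dict], size: int = 20) -> list:
    """Walk pages from 0 until 'total' records were seen or a page comes back empty.

    fetch_page(page, size) must return the parsed JSON body of the list call.
    The API exposes no checkpoint field, so every sync restarts from the first
    page; results are therefore de-duplicated on (type, value).
    """
    seen: dict = {}
    page, fetched = 0, 0
    while True:
        body = fetch_page(page, size)
        if body.get("outcome") != "success":
            raise RuntimeError(f"reputations/list failed: {body!r}")
        data = body["data"]
        reps = data.get("reputations", [])
        if not reps:
            break
        fetched += len(reps)
        for rec in reps:
            ind = map_reputation(rec)
            if ind is not None:
                seen[(ind.type, ind.value)] = ind
        if fetched >= data.get("total", 0):
            break
        page += 1
    return list(seen.values())


# Constructed sample pages modelled on the documented response shape; not real data.
SAMPLE_PAGES = [
    {"outcome": "success", "data": {"total": 3, "reputations": [
        {"key": "2001:0db8:0:0:0:ff00:42:8888", "reputationType": "IP", "isBlocking": False,
         "maliciousType": "blacklist", "comment": "", "expiration": -1,
         "firstSeen": 1713948991801, "lastUpdated": 1713948991801, "lookupKeyType": "IPV6"},
        {"key": "shared-from-ce.example", "isBlocking": False, "maliciousType": "blacklist",
         "comment": "created from netskope", "expiration": -1,
         "firstSeen": 1713948991801, "lastUpdated": 1713948991801, "lookupKeyType": "DOMAIN"},
    ]}},
    {"outcome": "success", "data": {"total": 3, "reputations": [
        {"key": "d41d8cd98f00b204e9800998ecf8427e", "isBlocking": False,
         "maliciousType": "blacklist", "comment": "", "expiration": -1,
         "firstSeen": 1713948991801, "lastUpdated": 1713949000000, "lookupKeyType": "MD5"},
    ]}},
]


def fetch_sample_page(page: int, size: int) -> dict:
    """Stand-in for the HTTP call; returns an empty page past the end."""
    if page < len(SAMPLE_PAGES):
        return SAMPLE_PAGES[page]
    return {"outcome": "success", "data": {"reputations": [], "total": 3}}


if __name__ == "__main__":
    for ind in pull_all(fetch_sample_page, size=2):
        print(ind)
```

Running it yields two indicators (the IPv6 address and the MD5 hash); the domain is dropped because its description marks it as having been shared from Cloud Exchange, matching the behaviour described under Validate the Pull.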

Push Reputations (IoCs)

API Endpoint: https://<baseurl>/rest/classification/upload

Method: POST 

Headers:

  Key           Value
  User-Agent    <User Agent>
  Cookie        <cookie>

Payload:

  Key                    Value
  classification_file    CSV file [Upload the reputations csv file]

Performance Matrix

Below is the performance reading conducted by pulling and sharing 100K indicators from/to Cybereason on a Large CE Stack with the below specifications.

  Stack details                         Size: Large, RAM: 32 GB, CPU: 16 Cores
  Indicators fetched from Cybereason    ~15K per minute
  Indicators shared with Cybereason     ~1K per minute

User Agent

netskope-ce-5.0.1-cte-cybereason-v1.1.0

Workflow

  1. Get your Cybereason instance information.
  2. Configure the Cybereason Plugin.
  3. Configure a business rule for Cybereason.
  4. Configure sharing between Netskope and Cybereason.
  5. Validate the Cybereason Plugin.


Get your Cybereason Information

For configuring the Cybereason plugin, you will need the Base URL, Username, and Password from your Cybereason instance.

  • Base URL: URL of your Cybereason console.
  • Username: Username of your Cybereason platform.
  • Password: Password of your Cybereason platform.

Configure the Cybereason Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Cybereason plugin box.
  3. For Basic Information, enter these values:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Interval to fetch data from this plugin source.
    • Aging Criteria: Expire indicators after a specific time.
    • Override Reputation: Set value to override the reputation of indicators.
    • Enable SSL verification: Enable if SSL verification is required for communication.
    • Use System Proxy: Enable if the proxy is required for communication.
  4. Click Next.
  5. For Configuration Parameters, enter these values:
    • Base URL: URL of Cybereason console from which you want to fetch the data.
    • Username: API username/Username to access the Cybereason platform.
    • Password: API Password/Password of the Cybereason platform.
    • Enable Polling: Enable if you want to fetch data.
  6. Click Save.

Add a Threat Exchange Business Rule for Cybereason

To share the indicators to Cybereason, add a business rule to filter out the data that you want to share. To do this, follow these steps.

  1. Go to Threat Exchange > Business rule.
  2. Click Create New Rule.
  3. Add a Rule name and create filters per your requirements, like those shown below.

  4. Click Save.

Configure Threat Exchange Sharing for Cybereason

Configure Sharing in order to share the IoCs with Cybereason.

  1. In Threat Exchange, go to Sharing.
  2. Click Add Sharing Configuration.
  3. Click on the Source Configuration dropdown and choose Netskope (or any source plugin that you want to share IoCs from).
  4. Click the Business Rule dropdown and select the Business Rule created earlier.
  5. Click the Destination Configuration dropdown and select Cybereason.
  6. For sharing IoCs, click on the Target dropdown and choose Share Indicators.
  7. For sharing URLs, click on the Target dropdown and choose Add to URL List. Enter the URL List name from your Netskope tenant and create a new list. Select the URL List Type, then enter a List Size and the Default URL.
  8. For sharing hashes, click on the Target dropdown and choose Add to File Hash List. Enter the List Name (File Profile) from your Netskope tenant, and then enter a List Size.
  9. Click Save.

Validate the Cybereason Plugin

Validate the Pull

  1. Indicators from Cybereason are pulled from this page: Security Profile > Reputation.
    Note that indicators that have a “created from netskope” description will not be pulled.

  2. Indicators stored in Cloud Exchange can be verified from the Threat Exchange > Threat IoCs page.
  3. Search the Cybereason IoCs by filtering indicators from Cybereason.
    Example: Add a query on the Threat IoCs page like “sources.source Is equal ‘<plugin configuration name>’”.

  4. You can also verify the indicators pulled in Cloud Exchange from the logs available on the Logging page.

Validate the Push

Shared IoCs to Netskope/Cybereason can be verified from logs available on the Logging page of Cloud Exchange.

Troubleshooting

Unable to Validate/Push the data on the Cybereason Platform

If you are unable to view the shared data on the Cybereason platform, it could be due to one of these reasons:

  • URLs with an invalid format (a format not supported by the Cybereason platform, for example protocol.subdomain.domainname) are being shared. The API returns a success message for these, but the whole batch of IoCs is not shared.
  • Invalid (MD5, SHA256) IoCs are being shared.
  • While pushing the data in batches, the Cybereason platform returned a server error, so that batch push was skipped.

To solve these issues:

  • Remove the URLs with the invalid format (protocol.subdomain.domainname), then share the IoCs again using a manual sync.
  • Check the Cloud Exchange logs; a log entry identifies which IoC is invalid. Remove that IoC and share the IoCs again using a manual sync.
  • Push the data again using a manual sync.

Unable to pull the data from the Cybereason Platform

If you are unable to pull data from the Cybereason platform, it could be due to one of these reasons:

  • No IoCs are present on the platform to pull.
  • The API returns a read timeout while pulling the IoCs.
  • Polling is set to “No” in the Cybereason plugin configuration.

To solve these issues:

  • Make sure that valid IoCs are present in Cybereason if pulling is needed. If IoCs are present on the platform, check their description: IoCs described as “created from netskope” are not pulled, because those were shared from Cloud Exchange itself.
  • Wait for the API to recover from the timeout issue.
  • Set Polling to “Yes” in the Cybereason plugin configuration.

Known Behaviors

  • All indicators are shared as blacklist on the Cybereason platform, so the action shown in the Cybereason platform is “Detect Only”.
  • If any invalid IoC is present in a batch for sharing, the whole batch is ignored.
  • Once pulling has completed for all pages, the next pull starts again from page 1, because the API has no field with which to implement a checkpoint mechanism.
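Because one malformed hash or domain causes Cybereason to drop the entire batch while still returning success (see Troubleshooting and the Known Behaviors above), a pre-flight check that separates invalid values from a batch before the upload avoids losing the valid ones and gives you a log line per rejected IoC. The following is an added example, not code from the Netskope plugin; the accepted shapes (hex length for MD5/SHA256, bare hostnames without scheme, path or port, IP addresses matching their declared version) are assumptions based on common formats, not a specification of what Cybereason accepts.

```python
"""Pre-flight validation of an indicator batch before sharing to Cybereason.

Added example, not code from the Netskope plugin or from Cybereason.
"""
import ipaddress
import re
from typing import Iterable, Optional, Tuple

HEX = re.compile(r"^[0-9a-fA-F]+$")
# Hostname label: letters, digits, hyphen; 1-63 chars; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
HASH_LENGTHS = {"md5": 32, "sha256": 64}


def validate(ioc_type: str, value: str) -> Optional[str]:
    """Return None when value is acceptable for ioc_type, else a short reason (assumed rules)."""
    v = value.strip()
    if not v:
        return "empty value"
    if ioc_type in HASH_LENGTHS:
        if len(v) != HASH_LENGTHS[ioc_type] or not HEX.match(v):
            return f"not a {HASH_LENGTHS[ioc_type]}-hex-character {ioc_type}"
        return None
    if ioc_type in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            return "not an IP address"
        if (ioc_type == "ipv4") != (addr.version == 4):
            return f"address version does not match {ioc_type}"
        return None
    if ioc_type == "domain":
        # A URL-like value (scheme, path or port) is not a bare domain for the reputation list.
        if "://" in v or "/" in v or ":" in v:
            return "scheme, path or port present; expected a bare domain"
        labels = v.rstrip(".").split(".")
        if len(labels) < 2 or not all(LABEL.match(lab) for lab in labels):
            return "malformed hostname"
        return None
    return f"unsupported type {ioc_type!r}"


def split_batch(batch: Iterable[Tuple[str, str]]):
    """Split (type, value) pairs into (shareable, rejected); rejected entries carry the reason."""
    ok, bad = [], []
    for ioc_type, value in batch:
        reason = validate(ioc_type, value)
        if reason is None:
            ok.append((ioc_type, value))
        else:
            bad.append((ioc_type, value, reason))
    return ok, bad


# Constructed batch for demonstration; not real indicators.
SAMPLE_BATCH = [
    ("md5", "d41d8cd98f00b204e9800998ecf8427e"),
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("sha256", "not-a-hash"),
    ("ipv4", "192.0.2.10"),
    ("ipv6", "2001:db8::1"),
    ("ipv4", "2001:db8::1"),
    ("domain", "malicious.example"),
    ("domain", "https://malicious.example/path"),
    ("domain", "-bad-.example"),
]

if __name__ == "__main__":
    shareable, rejected = split_batch(SAMPLE_BATCH)
    print(f"{len(shareable)} shareable, {len(rejected)} rejected")
    for ioc_type, value, why in rejected:
        # In the plugin this would be a log line on the Cloud Exchange Logging page.
        print(f"  rejected {ioc_type} {value!r}: {why}")
```

On the constructed batch five values pass and four are held back with a reason each; the shareable list is what would go into the classification CSV, while the rejected list is what you would expect to find in the logs when a batch fails to appear on the Reputations page.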