Netskope Help

GitHub Plugin for Threat Exchange

This document provide instructions to configure the GitHub plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration allows for sharing of file hashes of GitHub repository files with Netskope.

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances).

  • A Netskope Threat prevention subscription for malicious file hash sharing

  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configure.d.

  • A GitHub Account with access to repositories from which the file hashes are required to be fetched.

Workflow
  1. Get the GitHub API token.

  2. Configure the GitHub Plugin.

  3. Configure sharing between Netskope and GitHub.

  4. Validate the GitHub Plugin.

Click play to watch a video.

  1. Log in to GitHub.

  2. In the top right corner of any page, click your profile photo, and then click Settings.

    image2.jpeg
  3. In the left panel, click Developer settings.

    image3.jpeg
  4. In the left panel, click Personal access tokens.

    image4.jpeg
  5. Click Generate new token from top right corner.

    image5.jpeg
  6. In Note, give your token a descriptive name.

    image6.jpeg
  7. Select the following scopes for repo and user.

    image7.jpeg
    image8.jpeg
  8. Click the Generate token icon .

  9. Copy the newly generated token by pressing image9.jpeg and save it in a secure location. This token is used to configuring the GitHub plugin.

    image10.jpeg
  1. In Cloud Exchange, go to Settings from the left panel and then click Plugins.

  2. Select the GitHub plugin box to open the plugin creation pages.

  3. Enter and select the Basic Information on the first page:

    • Configuration Name: Enter a name appropriate for your integration.

    • Poll Interval: Adjust to environment needs. We recommend not to go below 5 minutes for production environments.

    • Aging Criteria: Leave the default.

    • Override Reputation: Leave the default.

    • Enable SSL Verification: Leave the default.

    image11.jpeg
  4. Click Next.

  5. Enter and select the Configuration Parameters on the second page:

    • Base URL: Enter the Base URL of your GitHub API (only if default needs to be changed).

    • API Token: Enter your GitHub API token.

    • Repository Name: Enter comma-separated names of the repositories for which the file hashes are to be fetched. Leave empty to include all accessible repositories.

    • Tag: Leave the default.

    • Quota Limit: Leave the default.

  6. Click Save in the top right corner. Go to Threat Exchange > Plugins to see your new GitHub plugin.

    image12.jpeg
  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view as shown below. The Sharing page also has inputs to configure new sharing from one plugin to another.

    image6.png
  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select Github.

    image7.png
  3. Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional. data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each separately.

    image9.png
  4. Select a Target. Each plugin will have a different target or destination for the IoC.

  5. Select an Action. Some plugins support multiple actions that equate to where the IoC could go, and therefore, what the receiving system will do with a matching indicator.

    image8.png

    Some systems will support the IoC only to be used to match for certain endpoint OS (Windows, Mac, Linux).

  6. Click Save.

  7. Repeat steps 2-5, but select Netskope as the Source Configuration and GitHub as the Destination Configuration.

  8. Click Save.

Adding a new sharing configuration on the active source poll will share the existing IoCs of the configuration to the destination configuration. Whenever a new sharing configuration is built, all the active IoCs will also be considered for sharing if they match the source/destination combination.

Note

Plugins that do not have API for ingesting data cannot receive threat data. This is true of the installed plugin API Source, which provides a bucket associated with an API endpoint for remote 3rd-party systems to push data to. Once a Sharing policy has been added, it takes effect.

After a sharing configuration has been created, the sharing table will show the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive matching IoC, and the target applicable to that rule. Multiple Sharing configurations can be made to support mapping certain IoC to multiple targets even on the system destination system.

Modify, Test, or Delete a Sharing Configuration

Each configuration supports 3 actions:

image10.png
  • Edit the rule by clicking on the pencil icon.

  • Test the rule by clicking on the synchronization icon. This tests how many IoC will actually be sent to the destination system based on the timeframe and the rule.

  • Delete the rule by clicking on the garbage can icon.

In order to validate the integration you must have at least one repository accessible to the configured user on GitHub.

  1. Go to Threat Exchange, and click Threat IoCs. You should see records from your GitHub plugin. You can filter based on Source values to check both the Netskope and GitHub plugin.

    image16.jpeg
  2. In the Netskope UI, go to Policies > File > Your Custom File Profile and click File Hash.

    image17.jpeg
  3. If data is not being brokered between the platforms, you can look at the audit logs in Cloud Exchange. In Cloud Exchange go to Logging and look through the logs for errors.

    image18.jpeg