HarfangLab Plugin for Threat Exchange

This document explains how to configure the HarfangLab v1.0.0 integration with the Threat Exchange module of the Netskope Cloud Exchange platform. The plugin does not support pulling any indicators from the HarfangLab platform. It supports sharing Netskope CE indicators with the IoC List available under the Threat Intelligence module on the HarfangLab platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • Connectivity to the HarfangLab platform login URL.
    • Example: https://b517af1bf2225fc3.hurukai.io:8443/

Compatibility

This plugin is compatible with these Netskope CE versions: 4.1.0 and 4.2.0.

HarfangLab Plugin Support

Fetched indicator types: NA
Shared indicator types: SHA256, MD5, URL (URLs, IPv4, IPv6, Domains)

Permissions

These two permissions are needed for the plugin to share IoCs on the HarfangLab platform.

  • View rules, IOC, rulesets, and whitelists
  • Edit rules, IOC, and rulesets

Performance Matrix

The following performance reading was taken after sharing 1K IoCs on a large CE instance with the specifications below.

Stack details:
  • Size: Large
  • RAM: 32 GB
  • CPU: 16 Cores

Indicators shared with HarfangLab: ~100 per minute

API Details

List of APIs used

API Detail               Method  API Endpoint
Create IOC List          POST    /api/data/threat_intelligence/IOCSource/
Fetch Existing IOC List  GET     /api/data/threat_intelligence/IOCSource/?limit=100
Push Indicators          POST    /api/data/threat_intelligence/IOCRule/

Create IoC List

Parameters: None.

API Request Curl:

curl --location 'https://b517af1bf2225fc3.hurukai.io:8443/api/data/threat_intelligence/IOCSource/' \
--header 'Authorization: Token 66752e19a9872d67e348e0e192a9bexxxxxxxxxx' \
--header 'Content-Type: application/json' \
--data '{
"block_on_agent": true,
"description": "IOC list",
"enabled": true,
"endpoint_detection": true,
"name": "Test IOC List"
}'

Sample API Response:

{
"id": "7f3ceca9-33d4-4db7-bdd6-3e1dc63a7aa0",
"ioc_count": 0,
"ioc_testing_in_progress_count": 0,
"ioc_testing_count": 0,
"ioc_experimental_count": 0,
"last_update": "2023-10-03T12:59:16.381480Z",
"creation_date": "2023-10-03T12:59:16.381564Z",
"name": "Test IOC List",
"description": "IOC list",
"enabled": true,
"block_on_agent": true,
"endpoint_detection": true,
"last_modifier": null
}

Fetch Existing IOC List

Parameters:

  • limit: 1000 (limit for one page)
  • next: the API endpoint for the next API call, containing the offset. For example, /api/data/threat_intelligence/IOCSource/?limit=1000&offset=1000

API Request Curl:

curl --location 'https://b517af1bf2225fc3.hurukai.io:8443/api/data/threat_intelligence/IOCSource/?limit=1000&offset=1' \
--header 'Authorization: Token 66752e19a9872d67e348e0e192a9bexxxxxxxxxx'

Sample API Response:

{
"count": 8,
"next": null,
"previous": "/api/data/threat_intelligence/IOCSource/?limit=20",
"results": [
{
"id": "f72c82c9-e136-43a5-8a37-4bd121af5464",
"ioc_count": 370,
"ioc_testing_in_progress_count": 0,
"ioc_testing_count": 0,
"ioc_experimental_count": 0,
"last_update": "2023-09-29T06:02:41.011727Z",
"creation_date": "2023-09-29T06:02:41.011770Z",
"name": "test",
"description": "IOC List created from Netskope CE",
"enabled": false,
"block_on_agent": false,
"endpoint_detection": false,
"last_modifier": null
}
]
}

Push Indicators

Parameters: None.

API Request Curl:

curl --location 'https://b517af1bf2225fc3.hurukai.io:8443/api/data/threat_intelligence/IOCRule/' \
--header 'Authorization: Token 66752e19a9872d67e348e0e192a9bexxxxxxxxxx' \
--header 'Content-Type: application/json' \
--data '{
"value": "61.134.36.102",
"source_id": "6345304d-2592-4286-9682-06a900d6ca96",
"type": "url"
}'

Sample API Response:

{
"id": "19a89c4e-b58a-446a-b27a-6b55d4fb891e",
"source_id": "6345304d-2592-4286-9682-06a900d6ca96",
"last_modifier": {
"id": 7,
"username": "NetskopeCE"
},
"last_update": "2023-10-03T12:54:24.608988Z",
"creation_date": "2023-10-03T12:54:24.609060Z",
"hl_status": "stable",
"hl_local_testing_status": null,
"enabled": true,
"type": "url",
"value": "61.134.36.102",
"comment": null,
"info": null,
"category": null,
"description": null,
"references": [],
"source": "6345304d-2592-4286-9682-06a900d6ca96"
}

User Agent

The user agent added for this plugin is in the following format: “netskope-ce-<CE VERSION>-<MODULE NAME>-<PLUGIN NAME>-v<PLUGIN VERSION>”

For example: netskope-ce-4.2.0-cte-harfanglab-v1.0.0
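
The three API calls above chained into one client, as an added example (not the plugin's own code): it reduces the tenant URL to the base URL and port, follows each page's next path to find an IoC List by name, and pushes one indicator. The helper names, PAGES and fake_call are constructed for illustration so the logic runs offline.

```python
import json
import urllib.request
from urllib.parse import urljoin, urlsplit

IOC_SOURCE = "/api/data/threat_intelligence/IOCSource/"
IOC_RULE = "/api/data/threat_intelligence/IOCRule/"
USER_AGENT = "netskope-ce-4.2.0-cte-harfanglab-v1.0.0"  # example value from this page

def base_url(tenant_url):
    """Reduce a tenant URL to https://host:port; reject anything else."""
    parts = urlsplit(tenant_url.strip())
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError("tenant URL must look like https://host:port")
    return f"https://{parts.netloc}"

def make_call(tenant_url, token):
    """Return call(path, body=None); urllib verifies TLS certificates by default."""
    base = base_url(tenant_url)
    headers = {"Authorization": f"Token {token}", "User-Agent": USER_AGENT,
               "Content-Type": "application/json"}
    def call(path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(urljoin(base, path), data=data, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call

def find_ioc_list(call, name, limit=1000):
    """Follow each page's 'next' path until the named IoC List is found."""
    path = f"{IOC_SOURCE}?limit={limit}"
    while path:
        page = call(path)
        for source in page["results"]:
            if source["name"] == name:
                return source["id"]
        path = page["next"]  # null (None) on the last page
    return None

def push_indicator(call, source_id, value, ioc_type="url"):
    """POST one indicator; the page's sample sends an IPv4 address as type 'url'."""
    return call(IOC_RULE, {"value": value, "source_id": source_id, "type": ioc_type})

P1, P2 = f"{IOC_SOURCE}?limit=1", f"{IOC_SOURCE}?limit=1&offset=1"
PAGES = {  # constructed two-page listing standing in for the live API
    P1: {"next": P2, "results": [{"id": "id-a", "name": "test"}]},
    P2: {"next": None, "results": [{"id": "id-b", "name": "Test IOC List"}]},
}

def fake_call(path, body=None):  # offline stand-in for make_call(...)
    return PAGES[path] if body is None else dict(body, id="constructed-id")
```

Against a real tenant, replace fake_call with make_call(tenant_url, token) and keep the token out of source control.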

Workflow

  1. Get your HarfangLab API token and IoC List.
  2. Configure the HarfangLab plugin.
  3. Configure business rules for the HarfangLab plugin.
  4. Configure sharing for Netskope and HarfangLab.
  5. Validate the HarfangLab plugin.

Get your HarfangLab API Token and IoC List

Get your API Token

  1. Go to your HarfangLab platform and log in with your credentials.
  2. On the left panel, go to Administration > Users.

  3. If you already have a user created, jump to step 7. If you do not have any user created, continue here.
  4. Click Create a User and enter your Username and Password, and Password Confirmation values.
  5. Select the Role as admin from the Roles dropdown list.
  6. Click Create to create the user.
  7. Click on your username and scroll down to API Token. Click Generate Token (if the token hasn’t already been generated), and copy the API Token to use it in the plugin configuration.

Create an IoC List

Indicators pushed from Netskope CE will be stored in an IoC List available on the HarfangLab platform. To create an IoC List:

  1. Log in to the HarfangLab platform and go to Threat Intelligence > IoC on the left panel.
  2. If you already have an IoC List created, you can use it, or follow these steps to create a new IoC List to store the indicators pushed from Netskope CE.
  3. Click Create IoC List.
  4. Provide the Name and Description for the IoC list, and click Add IoC List to create the list.

Configure the HarfangLab Plugin

  1. Go to Settings > Plugins, and then search for and select the Threat Exchange HarfangLab plugin box.
  2. Enter the Basic Information with these values:
    • Configuration Name: Unique name for the configuration
    • Sync Interval: Leave the default.
    • Aging Criteria: Expiry time of the plugin in days. (Default: 90)
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if a proxy is required for communication.

  3. Click Next.
  4. Enter the Configuration Parameters with these values:
    • Tenant URL: URL of your HarfangLab platform.
    • API Token: API Token of your user.

  5. Click Save.

Configure a Business Rule for the HarfangLab Plugin

To share indicators from Netskope CE to HarfangLab, you need to have a business rule that can filter out the indicators that you want to share. To configure a business rule:

  1. Go to Threat Exchange > Business Rule > Create New Rule.
  2. Add your required filter(s) for the IoCs you want to share, and then click Save.

Configure Sharing for the HarfangLab Plugin

The HarfangLab plugin supports the sharing of URLs, MD5, and SHA256 types of IoCs. To share IoCs with HarfangLab:

  1. Go to Threat Exchange > Sharing and click Add Sharing Configuration.
  2. Select your Source Configuration (Netskope), Business Rule, and Destination Configuration (HarfangLab), and Target, and select an existing IoC List Name, or create a new IoC list on the platform.
  3. Click Save.

Validate the HarfangLab Plugin

Validate the Pull

Pulling indicators from the HarfangLab plugin is not supported.

Validate the Push

  1. To verify pushed IoCs on HarfangLab, navigate to HarfangLab Platform > Threat Intelligence > IOC.
  2. Click on the IoC List name that you have used while configuring the plugin and check the IoCs available in the list.
  3. To validate the pushed indicator on Netskope CE, go to Threat IOCs and search for IOCs that are shared with HarfangLab.
  4. You can also verify the pushed IOCs from Logging in Netskope CE.
  5. Filter the logs available from the HarfangLab platform.

Troubleshooting

Receiving an invalid URL or invalid Token error while creating the plugin configuration.

This error might occur if the provided URL in the plugin configuration is invalid.

What to do: Make sure to give the correct URL that you use to access your HarfangLab platform. Make sure to only add the Base URL along with the port.

Receiving an error for exit code 401, Unauthorized

If you are receiving this error, verify the API Token provided.

What to do: Make sure that the Token provided exists on the HarfangLab platform, or generate a new API Token.

Receiving an error for exit code 403, Forbidden

What to do: If this error is received while configuring the plugin or at any time in the plugin lifecycle, check the API Token's permissions. These are the two permissions needed for this plugin to share IoCs:

  • View rules, IOC, rulesets, and whitelists
  • Edit rules, IOC, and rulesets

 
