Netskope Cloud Exchange

IoC Sharing Best Practices

Setting Up the Netskope Plugin(s)

You only need to set up a single plugin to pull data FROM Netskope. If you wish to share data from TE to multiple or different tenants, you may need to create multiple plugins.

Using Filtering and Tagging

TE is a garbage-in, garbage-out system when it comes to working with IoCs: not every receiving system can use the data as it is delivered to TE. Some systems, like CrowdStrike, do not work with full URIs and only use the domain (dropbox.com instead of https://www.dropbox.com/sh/icuXXXXX). Clearly, automatically sharing everything that is learned can be problematic. Other challenging corner cases include exhausting the IoC intake capacity of a receiving system, or sharing IoCs that are false positives in a particular customer environment.

Netskope provides filtering rules and tags as the means to stage content so that it is either held for manual flagging (and sharing) or programmatically eliminated or shared.

Configure filtering to only send the IoC you want

Filtering is implemented in each plugin configuration and specifies which data will be pushed to the third-party system. In the example below, any matching IoC would be shared with MISP.

Build the matching filter using the search query in the Threat IoCs page (1), copy that filter (2), then paste it into the Filter Query section of the plugin (3).

[Figure: image1.png]
[Figure: image2.png]

In this example, the only information shared with this MISP instance is URLs, sourced from a plugin with a reputation of 8 or greater, that have been in TE for less than 2 days.

If the receiving system is generating erroneous or needless alerts based on information TE has been configured to send, the TE admin should fine-tune the filter to eliminate the problematic IoC output flowing from TE. For example, the CrowdStrike plugin should not ingest URL information from TE, so add the filter query: type NOT IN ("url").

Tagging IoC to Stage IoC for Manual Sharing

Tagging enables TE users to create sharing rules that apply only to IoC that have been manually tagged the first time; subsequent matches are tagged the same way.

In this example, the URL IoC mycoronavirusdisinfecting.com has been tagged by the TE admin as KNOWN_MALWARE.

[Figure: image3.png]

Prior to this it would NOT have been shared with a receiving plugin (CrowdStrike) configured as shown below; this sharing filter ONLY matches on, and shares, IoC tagged Known_Malware.

[Figure: image4.png]

Combining the two tools lets the TE admin ensure that only IoC that are appropriately tagged, and that match any other required conditions, are shared. Filtering can be set up ahead of time to express "anything but" or "nothing but" combinations, and can be continuously modified to ensure that TE passes along only the IoC that SecOps teams have validated (and tagged) to the receiving system(s).
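As an added illustration (this is not Netskope's code, and the record fields type, reputation, first_seen and tags are assumptions, not the Threat Exchange schema), the following dry run applies the two sharing rules described above to constructed IoC records and reports what each plugin filter would pass, so a query can be checked locally before it is pasted into the plugin:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample records. The field names (type, reputation, first_seen,
# tags) are assumptions for this illustration, not Threat Exchange's schema.
@dataclass
class Ioc:
    value: str
    type: str                 # "url", "domain", "md5", ...
    reputation: int           # score assigned by the source plugin
    first_seen: datetime      # when the IoC entered TE
    tags: set = field(default_factory=set)

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)   # fixed clock for reproducible results

def misp_rule(ioc, now=NOW):
    """URLs with reputation 8+ that have been in TE for under 2 days (the MISP example)."""
    return (ioc.type == "url" and ioc.reputation >= 8
            and now - ioc.first_seen < timedelta(days=2))

def known_malware_rule(ioc):
    """Only IoC an analyst has tagged Known_Malware (the CrowdStrike example)."""
    return "Known_Malware" in ioc.tags

def exclude_urls(ioc):
    """Equivalent of the filter query  type NOT IN ("url")  for domain-only receivers."""
    return ioc.type != "url"

def all_of(*rules):
    """AND several predicates together, as conditions in one filter query combine."""
    return lambda ioc: all(rule(ioc) for rule in rules)

SAMPLE = [  # constructed; the fourth entry mirrors the tagged example in the text
    Ioc("https://www.example.com/sh/icu0001", "url", 9, NOW - timedelta(hours=6)),
    Ioc("https://www.example.com/sh/icu0002", "url", 9, NOW - timedelta(days=5)),   # stale
    Ioc("https://phish.example/login", "url", 4, NOW - timedelta(hours=2)),          # low reputation
    Ioc("mycoronavirusdisinfecting.com", "url", 6, NOW - timedelta(days=3), {"Known_Malware"}),
    Ioc("bad-host.example", "domain", 9, NOW - timedelta(days=1), {"Known_Malware"}),
]

def dry_run(plugins, iocs=SAMPLE):
    """Return {plugin_name: [IoC values that would be shared]} for each plugin filter."""
    return {name: [i.value for i in iocs if rule(i)] for name, rule in plugins.items()}

PLUGINS = {
    "misp": misp_rule,
    "crowdstrike_tag_only": known_malware_rule,                   # as in the tagging example
    "crowdstrike_tuned": all_of(known_malware_rule, exclude_urls),  # plus the URL exclusion
}

if __name__ == "__main__":
    for name, shared in dry_run(PLUGINS).items():
        print(f"{name}: {shared}")
```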