Cybereason Plugin for Threat Exchange

This document explains how to configure the CTE Cybereason plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. The Cybereason plugin fetches indicators (Domain, IP Address, and File Hash) from Security Profile > Reputations in Cybereason and stores them in Netskope CE. This integration also allows sharing of indicators with Cybereason.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Threat Prevention subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A Cybereason account.

Cybereason Plugin Support

  • Fetched indicator types: Domain, IP Address, File Hash
  • Shared indicator types: URL, MD5

Permissions

To access this plugin you will need admin access to your Cybereason platform. Contact the Cybereason team for admin access.

API Details

Below are the APIs used for the plugin:

API details                                       Method   Endpoint
Validate Authentication – Get Session             POST     /login.html
Validate Authentication – Fetch Reputation List   POST     /rest/classification/reputations/list
Get indicators – Download classification          GET      /rest/classification/download
Push Indicator – Update classification            GET      /rest/classification/update

Workflow

  1. Get your Cybereason instance information.
  2. Configure the Cybereason Plugin.
  3. Configure a business rule for Cybereason.
  4. Configure sharing between Netskope and Cybereason.
  5. Validate the Cybereason Plugin.

Get your Cybereason Information

To configure the Cybereason plugin, you will need the Base URL, Username, and Password from your Cybereason instance.

  • Username: Username of your Cybereason platform.
  • Password: Password of your Cybereason platform.

Configure the Cybereason Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for the Cybereason plugin and click on the plugin box.
  3. For Basic Information, enter these values:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Leave Default.
    • Aging Criteria: Leave Default.
    • Override Reputation: Leave Default.
    • Enable SSL verification: Enable if SSL verification is required for communication.
    • Use System Proxy: Enable if the proxy is required for communication.
  4. Click Next.
  5. For Configuration Parameters, enter these values:
    • Base URL: URL of Cybereason console from which you want to fetch the data.
    • Username: API username/Username to access the Cybereason platform.
    • Password: API Password/Password of the Cybereason platform.
    • Enable Polling: Enable if you want to fetch data.
  6. Click Save.

Add a Threat Exchange Business Rule for Cybereason

To share indicators with Cybereason, add a business rule that filters the data you want to share. Follow the steps below.

  1. Go to Threat Exchange > Business rule.
  2. Click Create New Rule.
  3. Add a Rule name and filter.
  4. Click Save.

Configure Threat Exchange Sharing for Cybereason

Configure Sharing in order to share the IoCs with Cybereason.

  1. In Threat Exchange, go to Sharing.
  2. Click Add Sharing Configuration.
  3. Click on the Source Configuration dropdown and choose Netskope (or any source plugin that you want to share IoCs from).
  4. Click the Business Rule dropdown and select the Business Rule created earlier.
  5. Click the Destination Configuration dropdown and select Cybereason.
  6. Select the Target dropdown and choose Share Indicators.
  7. Click Save.

Validate the Cybereason Plugin

Validate in Cloud Exchange

  1. Go to Threat IoCs and search for IoCs from Source Cybereason.

To verify Sharing:

  1. Go to Threat IoCs in Threat Exchange.
  2. Search for IoCs that are Shared with Cybereason.

Validate in Cybereason

  1. Log in to the Cybereason Console and go to Security Profile > Reputations.
  2. You will be able to see the IoCs on Cybereason.

NOTE: IoCs on Cybereason are pulled from and pushed to Reputations.
