Sophos Plugin for Threat Exchange

This document explains how to configure the Sophos integration with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. The plugin fetches SHA256 threat indicators from Threat Graphs under Threat Analysis Center in the Sophos platform. It does not support sharing indicators to the Sophos platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Threat Prevention subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A Sophos instance.
  • A Service Principal ReadOnly user that can fetch the events using the SIEM API.

Sophos Plugin Support

Fetched indicator types: SHA256

Workflow

  1. Get your Sophos Client ID and Client Secret.
  2. Configure the Sophos plugin.
  3. Configure Sharing for Netskope and Sophos.
  4. Validate the Sophos Plugin.

Get your Sophos Client ID and Client Secret

  1. Log in to your Sophos Account.
  2. Go to Global Settings and click API Credentials.
  3. Enter a name for your credential set and a description, and then click Add.
  4. Click Copy to save the Client ID, and then click Show the Client Secret to unhide the value.
  5. Click Copy to save the Client Secret. These two values are needed for the Sophos plugin configuration.

Configure the Sophos Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Sophos plugin box to open the plugin creation page.
  3. Enter a Configuration Name.
  4. Adjust the Sync Interval to the appropriate value; the suggested value is 5+ minutes.
  5. Enter an Aging Criteria.
  6. Adjust the Override Reputation to the appropriate value.
  7. Click Next.
  8. Enter your Sophos Client ID and Client Secret.
  9. Click Save.

Configure Sharing for Netskope and Sophos

  1. In Threat Exchange, go to Sharing.
  2. Click Add Sharing Configuration.
  3. For Source Configuration, select the Sophos plugin you just created.
  4. Select an appropriate Business Rule from the dropdown.
  5. For Destination Configuration, select Netskope.
  6. For Target, select Add to File Hash List from the dropdown and enter a name and size.
  7. Click Save.