Netskope Help

Proofpoint Plugin for Threat Exchange

This document explains how to integrate Proofpoint with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration allows for sharing of URLs and file hashes with Netskope that have been identified by Proofpoint.

Requirements
  • A Netskope tenant (or multiple, for example, production and development/test instances)

  • A Secure Web Gateway subscription for URL sharing

  • A Threat Protection subscription for malicious file hash sharing

  • A Netskope Cloud Exchange tenant with the Threat Exchange module installed

  • Your Proofpoint TAP username and password.

Workflow
  1. Create a Custom File Profile to use in Threat Exchange.

  2. Get your service principal and secret (username/password) from the Settings page in the Threat Insight Dashboard to authenticate the Proofpoint APIs in Threat Exchange.

  3. Configure the Proofpoint plugin in Threat Exchange and then configure sharing of IoCs.

To configure the Proofpoint plugin:

  1. In Threat Exchange, go to Settings > Plugins.

  2. Select the Proofpoint plugin box to open the Plugin creation pages.

    image3.png
  3. Enter a Configuration Name.

  4. Adjust the Poll Interval to appropriate value: Suggested is 5+ minutes.

    image1.png
  5. Click Next.

    image2.png
  6. Enter your Proofpoint Base URL (if it’s different from the default one).

  7. Enter your Proofpoint Username and Password.

  8. Enter appropriate Event Type(s) to be fetched from Proofpoint. The IoCs corresponding to selected event types will be fetched.

  9. Set the Initial Range (in hours) from 1 to 12 (The maximum time into the past that can be queried is limited to 12 hours by Proofpoint. Therefore, if “Last Run” is older than 12 hours, the data older than 12 hours won’t be fetched).

  10. The rest of this form can remain as default.

  11. Click the Save button to continue.

  12. Under Threat Exchange, select Sharing from the navigation bar.

    image4.png
  13. Click on the Plugin Configuration dropdown and select the Proofpoint plugin.

  14. In the second dropdown box Plugin Configuration to Share, select the Netskope plugin.

    image5.png
  15. Click the Add button to continue.

    image6.png

    Note that sharing of IoCs to Proofpoint is not supported by this plugin.

    In order to validate the workflow, you must have Proofpoint indicators. Polling Intervals will be defined during plugin configuration.

  16. Go to Threat Exchange and select Threat IoCs.

    image7.png
  17. Validate data is being shared between the two plugins. If data is not being shared between the platforms, look at the audit logs in Cloud Exchange. Select Logging and look through the logs for errors.

    image8.png