Netskope Help

Proofpoint Plugin for Threat Exchange

This document explains how to integrate Proofpoint with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration shares URLs and file hashes identified by Proofpoint with Netskope.

Requirements
  • A Netskope tenant (or multiple, for example, production and development/test instances).

  • A Secure Web Gateway subscription for URL sharing.

  • A Threat Protection subscription for malicious file hash sharing.

  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.

  • Your Proofpoint TAP username and password.

Workflow
  1. Create a Custom File Profile to use in Threat Exchange.

  2. Get your service principal and secret (username/password) from the Settings page in the Threat Insight Dashboard. Threat Exchange uses them to authenticate to the Proofpoint APIs.

  3. Configure the Proofpoint plugin in Threat Exchange and then configure sharing of IoCs.

To configure the Proofpoint plugin:

  1. In Threat Exchange, go to Settings > Plugins.

  2. Select the Proofpoint plugin box to open the Plugin creation pages.

  3. Enter a Configuration Name.

  4. Adjust the Poll Interval to an appropriate value. The suggested value is 5+ minutes.

  5. Click Next.

  6. Enter your Proofpoint Base URL (if it’s different from the default one).

  7. Enter your Proofpoint Username and Password.

  8. Enter the appropriate Event Type(s) to be fetched from Proofpoint. The IoCs corresponding to the selected event types will be fetched.

  9. Set the Initial Range (in hours) from 1 to 12. Proofpoint limits the maximum time into the past that can be queried to 12 hours. Therefore, if “Last Run” is older than 12 hours, data older than 12 hours won’t be fetched.

  10. The rest of this form can remain as default.

  11. Click Save.

  12. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view. The Sharing page also has inputs to configure new sharing from one plugin to another.

  13. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select Proofpoint.

  14. Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional: data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each direction separately.

  15. Select a Target. Each plugin will have a different target or destination for the IoC.

  16. Select an Action. Some plugins support multiple actions that equate to where the IoC could go, and therefore, what the receiving system will do with a matching indicator.

    Some systems support using the IoC only to match on certain endpoint operating systems (Windows, Mac, Linux).

  17. Click Save.

  18. Repeat steps 2-5, but select Netskope as the Source Configuration and Proofpoint as the Destination Configuration.

  19. Click Save.

    Note that sharing of IoCs to Proofpoint is not supported by this plugin.

    In order to validate the workflow, you must have Proofpoint indicators. Polling Intervals will be defined during plugin configuration.

  20. Go to Threat Exchange and select Threat IoCs.

  21. Validate that data is being shared between the two plugins. If data is not being shared between the platforms, look at the audit logs in Cloud Exchange. Select Logging and look through the logs for errors.
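
The 12-hour limit described in step 9 means that an outage longer than 12 hours leaves a span of Proofpoint events that no later poll can fetch. The Python below is an added example, not Netskope or Proofpoint code: it assumes the plugin resumes from “Last Run” clamped to 12 hours back and uses the Initial Range only on the first run, and its function names and poll timestamps are hypothetical and constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK = timedelta(hours=12)  # query limit stated in step 9

def fetch_window(last_run, now, initial_range_hours):
    """Return (start, end, lost) for one poll; last_run=None means first run.

    Assumption: the plugin resumes from Last Run, clamped to 12 hours back.
    """
    if not 1 <= initial_range_hours <= 12:
        raise ValueError("Initial Range must be between 1 and 12 hours")
    if last_run is None:
        return now - timedelta(hours=initial_range_hours), now, timedelta(0)
    start = max(last_run, now - MAX_LOOKBACK)
    return start, now, start - last_run  # lost > 0 only after a long outage

def coverage_gaps(poll_times, initial_range_hours=12):
    """List (gap_start, gap_end) spans that no poll could ever fetch."""
    gaps, last = [], None
    for now in sorted(poll_times):
        start, _, lost = fetch_window(last, now, initial_range_hours)
        if lost > timedelta(0):
            gaps.append((last, start))
        last = now
    return gaps

# Constructed poll history (UTC): normal polling, then an 18-hour outage.
UTC = timezone.utc
SAMPLE_POLLS = [
    datetime(2024, 1, 1, 0, 0, tzinfo=UTC),
    datetime(2024, 1, 1, 0, 5, tzinfo=UTC),
    datetime(2024, 1, 1, 6, 0, tzinfo=UTC),
    datetime(2024, 1, 2, 0, 0, tzinfo=UTC),
]

if __name__ == "__main__":
    for gap_start, gap_end in coverage_gaps(SAMPLE_POLLS):
        print(f"IoCs from {gap_start} to {gap_end} were never fetched")
```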
