Secureworks Taegis Plugin for Threat Exchange

This document explains how to configure the v1.0.0 Secureworks Taegis plugin for the Threat Exchange module of the Netskope Cloud Exchange platform. This plugin fetches Domains and IP Addresses. This plugin does not support sharing of indicators to the Secureworks Taegis platform.

Prerequisites

To complete this configuration, you need:

  • Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing. Refer to URL Lists for more information.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • Connectivity to Secureworks Taegis (https://<secureworks taegis>)

CE Version Compatibility

Netskope CE v4.2.0, v5.0.1

Secureworks Taegis Plugin Support

This plugin fetches Domains and IP Addresses. This plugin does not support sharing of indicators to the Secureworks Taegis platform.

Fetched indicator types: Domains, IP Address
Shared indicator types: Not Supported
Mappings

Pull Mapping (Netskope CE field: Secureworks Taegis field)

  • Value: HostAddress
  • Type: IP or Domain
  • firstSeen: MemberSince
  • Tags: WatchList (IoC type in Secureworks)
  • Comments: ReasonAdded

Tags Mapping (Netskope CE tag: Secureworks Taegis tag)

  • CTU Botnet Indicators IP: CTU Botnet Indicators IP List – MSS
  • CTU Threat Group Indicators IP: CTU Threat Group Indicators IP List – MSS
  • Third Party Threat Group Indicators IP: Third Party Threat Group Indicators IP List – MSS
  • CTU Botnet Indicators Domain: CTU Botnet Indicators Domain List – MSS
  • CTU Threat Group Indicators Domain: CTU Threat Group Indicators Domain List – MSS
  • Third Party Threat Group Indicators Domain: Third Party Threat Group Indicators Domain List – MSS

Permissions

You need admin account access to generate the required credentials for the plugin.

API Details

List of APIs used (endpoint, method, use case):

  • /auth/api/v2/auth/token, POST: Get OAuth2 token
  • /intel-requester/ti-list/latest, GET: Get threat indicator lists

Get OAuth2 token

API Endpoint: <BASE_URL>/auth/api/v2/auth/token
Method: POST
Headers:

  • Authorization: Basic {$CLIENT_ID:$CLIENT_SECRET} (the Client ID and Client Secret joined with a colon and base64-encoded, as HTTP Basic authentication requires)

Body:

{
     "grant_type": "client_credentials"
}

Sample API Response:

{
    "access_token": "eyJhbGcrruuzwo7-....",
    "expires_in": 36000,
    "expiry": "2024-07-19T19:09:43.000Z",
    "token_type": "Bearer"
}

Get Threat Indicator Lists

API Endpoint: <BASE_URL>/intel-requester/ti-list/latest
Method: GET
Headers:

  • Authorization: Bearer ${ACCESS_TOKEN}

Sample API Response:

[
  {
    "link": "https://s3.us-east-2.amazonaws.com/ctpx-prod-threat-intel/scwx-attackerdb/ip/40/attackerdb-ip-third-party-threat-group-indicators-ip-list---mss-rev4207.csv?REDACTED_AUTH",
    "name": "scwx-attackerdb/ip/40/attackerdb-ip-third-party-threat-group-indicators-ip-list---mss-rev4207.csv"
  },
  {
    "link": "https://ctpx-prod-threat-intel.s3.us-east-2.amazonaws.com/ctp-attackerdb/ip/38/attackerdb-ip-ctu-threat-group-indicators-ip-list---mss-rev4200.csv?REDACTED_AUTH",
    "name": "ctp-attackerdb/ip/38/attackerdb-ip-ctu-threat-group-indicators-ip-list---mss-rev4200.csv"
  },
  {
    "link": "https://s3.us-east-2.amazonaws.com/ctpx-prod-threat-intel/scwx-attackerdb/ip/42/attackerdb-ip-ctu-botnet-indicators-ip-list---mss-rev4207.csv?REDACTED_AUTH",
    "name": "scwx-attackerdb/ip/42/attackerdb-ip-ctu-botnet-indicators-ip-list---mss-rev4207.csv"
  },
  {
    "link": "https://s3.us-east-2.amazonaws.com/ctpx-prod-threat-intel/scwx-attackerdb/domainname/43/attackerdb-domainname-ctu-threat-group-indicators-domain-list---mss-rev4184.csv?REDACTED_AUTH",
    "name": "scwx-attackerdb/domainname/43/attackerdb-domainname-ctu-threat-group-indicators-domain-list---mss-rev4184.csv"
  },
  {
    "link": "https://s3.us-east-2.amazonaws.com/ctpx-prod-threat-intel/scwx-attackerdb/domainname/45/attackerdb-domainname-third-party-threat-group-indicators-domain-list---mss-rev4207.csv?REDACTED_AUTH",
    "name": "scwx-attackerdb/domainname/45/attackerdb-domainname-third-party-threat-group-indicators-domain-list---mss-rev4207.csv"
  },
  {
    "link": "https://s3.us-east-2.amazonaws.com/ctpx-prod-threat-intel/scwx-attackerdb/domainname/47/attackerdb-domainname-ctu-botnet-indicators-domain-list---mss-rev4207.csv?REDACTED_AUTH",
    "name": "scwx-attackerdb/domainname/47/attackerdb-domainname-ctu-botnet-indicators-domain-list---mss-rev4207.csv"
  }
]

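As an added example (not the plugin's own code), the following Python builds the Basic authorization header for the token endpoint above and applies the Pull Mapping and Tags Mapping from the Mappings section to rows of a fetched list. It assumes the fetched lists are CSV files whose header row uses the Taegis field names from the Pull Mapping (HostAddress, MemberSince, WatchList, ReasonAdded); the sample rows are constructed, not real Secureworks data.

```python
import base64
import csv
import io
import ipaddress

# Tags Mapping from the guide: Secureworks Taegis tag (the WatchList value) -> Netskope CE tag.
TAGS_MAPPING = {
    "CTU Botnet Indicators IP List - MSS": "CTU Botnet Indicators IP",
    "CTU Threat Group Indicators IP List - MSS": "CTU Threat Group Indicators IP",
    "Third Party Threat Group Indicators IP List - MSS": "Third Party Threat Group Indicators IP",
    "CTU Botnet Indicators Domain List - MSS": "CTU Botnet Indicators Domain",
    "CTU Threat Group Indicators Domain List - MSS": "CTU Threat Group Indicators Domain",
    "Third Party Threat Group Indicators Domain List - MSS": "Third Party Threat Group Indicators Domain",
}

def _norm(s):
    # Compare on letters/digits only, so hyphen vs en dash and case differences still match.
    return "".join(ch for ch in s.lower() if ch.isalnum())
_TAGS_BY_KEY = {_norm(k): v for k, v in TAGS_MAPPING.items()}

def basic_auth_header(client_id, client_secret):
    """Header for POST <BASE_URL>/auth/api/v2/auth/token: HTTP Basic carries
    base64('client_id:client_secret'), not the raw colon-joined pair."""
    encoded = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": "Basic " + encoded}

def indicator_type(value):
    """Pull Mapping 'Type': ipv4 or domain, the values the CE filter in the guide uses."""
    try:
        return "ipv4" if ipaddress.ip_address(value).version == 4 else "ipv6"
    except ValueError:
        return "domain"

def map_rows(csv_text, enable_tagging=True):
    """Apply the Pull Mapping to one fetched list (CSV with a header row is an assumption)."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["HostAddress"].strip()
        tag = _TAGS_BY_KEY.get(_norm(row.get("WatchList", "")))  # None for an unmapped list
        out.append({"value": value, "type": indicator_type(value),
                    "firstSeen": row.get("MemberSince"), "comments": row.get("ReasonAdded", ""),
                    "tags": [tag] if enable_tagging and tag else []})
    return out

# Constructed sample rows (not real Secureworks data); the first WatchList uses an en dash.
SAMPLE_CSV = """HostAddress,MemberSince,WatchList,ReasonAdded
198.51.100.7,2024-07-01T10:00:00Z,CTU Botnet Indicators IP List – MSS,constructed sample
malicious.example,2024-06-15T08:30:00Z,CTU Threat Group Indicators Domain List - MSS,constructed sample
"""
```

The `enable_tagging` flag mirrors the plugin's Enable Tagging parameter: with it set to No, indicators are still mapped but carry no tags.
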
Performance Matrix

These readings were taken on a Large CE stack with the specs below, pulling and pushing 100K IoCs.

Stack details

  • Size: Large
  • RAM: 32 GB
  • CPU: 16 Cores

  • Indicators fetched from Secureworks Taegis: ~25K per minute
  • Indicators shared with Secureworks Taegis: Not Supported

User Agent

netskope-ce-5.0.1-cte-secureworks-taegis-v1.0.0

Workflow

  1. Get your Tenant ID.
  2. Generate an Access Token.
  3. Get your Client ID and Client Secret.
  4. Configure the Secureworks Taegis plugin.
  5. Validate the Secureworks Taegis plugin.

Get your Secureworks Taegis Credentials

Use the steps provided in the Secureworks Taegis documentation to generate the Client ID and Secret:
https://docs.ctpx.secureworks.com/apis/api_authenticate/#part-1-create-client-credentials
Alternatively, use the steps in the following sections.

Get your Tenant ID

To get your tenant ID, log in to Taegis XDR, go to Tenant Settings from the left-hand panel, and select Subscriptions.

Save the Tenant ID to use it to get your Client ID and Secret.

Generate the Access Token

  1. Log in to XDR in Chrome.
  2. Open the Chrome Developer Tools (Right click on your Secureworks Taegis Subscription page, and go to Inspect > Console).
  3. Enter copy(localStorage.access_token) in your Console. The access token is copied to your clipboard.

Note: The access token is not displayed in the Chrome Developer Tools Console; it is only copied to your clipboard. The command returns undefined.

Get your Client ID and Client Secret

  1. In a command line terminal, run the following commands to create your client credentials. Paste the access_token from your clipboard into the commands in place of your_access_token, substitute your tenant ID in place of your_tenant_id, and enter a unique name to identify your application in place of your_awesome_app_name.
  2. Your new client credentials are returned in the response. Save the client_id and client_secret values from this response.

Credentials for Linux:

export ACCESS_TOKEN="your_access_token"
export TENANT_ID="your_tenant_id"
curl -g \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "X-Tenant-Context: $TENANT_ID" \
-H "Content-type: application/json" \
-X POST \
-d '{"query": "mutation createClient($name: String!, $roles: [ID!]) { createClient(name: $name, roles: $roles) { client { id name client_id roles role_assignments { id tenant_id role_id role_name expires_at } tenant_id created_at updated_at created_by updated_by environment } client_secret } }", "variables": {"name": "your_awesome_app_name"}}' \
https://api.ctpx.secureworks.com/graphql

Credentials for Windows:

set ACCESS_TOKEN=your_access_token
set TENANT_ID=your_tenant_id
curl -H "Authorization: Bearer %ACCESS_TOKEN%" -H "X-Tenant-Context: %TENANT_ID%" -H "Content-type: application/json" https://api.ctpx.secureworks.com/graphql -d "{\"query\": \"mutation createClient($name: String!, $roles: [ID!]) { createClient(name: $name, roles: $roles) { client { id name client_id roles role_assignments { id tenant_id role_id role_name expires_at } tenant_id created_at updated_at created_by updated_by environment } client_secret } }\", \"variables\": {\"name\": \"your_awesome_app_name\"}}"

You should get something similar to the following:

{
  "data": {
    "createClient": {
      "client": {
        "client_id": "<YOUR_CLIENT_ID>",
        "created_at": "2023-03-03T20:58:40.24986Z",
        "created_by": "0000",
        "environment": "production",
        "id": "<UUID>",
        "name": "your_awesome_app_name",
        "role_assignments": [
          {
            "expires_at": null,
            "id": "<UUID>",
            "role_id": "a4903f9f-465b-478f-a24e-82fa2e129d2e",
            "role_name": "TenantAnalyst",
            "tenant_id": "50530"
          }
        ],
        "roles": "tenantAnalyst",
        "tenant_id": "<TENANT_ID>",
        "updated_at": "2023-03-03T20:58:40.24986Z",
        "updated_by": "0000"
      },
      "client_secret": "<YOUR_CLIENT_SECRET>"
    }
  }
}

Configure the Secureworks Taegis Plugin

  1. Log in to Cloud Exchange and go to Settings > Plugins.
  2. Search for and select the Secureworks Taegis plugin box to configure the plugin.
  3. Enter the Basic Information:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Leave the default.
    • Aging Criteria: Expiry time of the plugin in days (default: 90).
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if the proxy is required for communication.

  4. Click Next.
  5. Enter the Configuration Parameters:
    • Base URL: The Base URL of your instance.
    • Client ID: The Client ID generated in Secureworks Taegis. 
    • Client Secret: The Client Secret generated in Secureworks Taegis. 
    • Type of Threat Data to pull: Select the type of Threat Data to pull from Domains and IP Address, based on your requirement.
    • Enable Tagging: Keep Yes if you want to pull tags along with the indicators. Otherwise, select No.

  6. Click Save.

Add a Business Rule

Not Supported.

Add Sharing

Not Supported

Validate the Secureworks Taegis Plugin

Validate the Pull

To verify that IoCs are being pulled from the Secureworks platform, go to Logging and search for logs from the Secureworks plugin.

The pulled IoCs are stored in Cloud Exchange on the Threat IoCs page. You can filter the IoCs by their type or plugin name.
Example: sources.source like CTE Secureworks Taegis && type IN (ipv4, domain).

Validate the Push

Push is not supported for the Secureworks Taegis plugin. If you want to push IoCs pulled from Secureworks Taegis to Netskope, refer to the Netskope Threat Exchange plugin guide.

Troubleshooting

Receiving error while pulling IOCs or configuring the plugin

If you see any of the errors below in the logs while configuring the plugin, or while data is being pulled from the platform, the credentials in your plugin configuration may have expired.

CTE Secureworks Taegis: Validation error occurred. Error: Received exit code 401, Unauthorized, Verify Client ID and Client Secret provided in the configuration parameters.
CTE Secureworks Taegis [CTE Secureworks Taegis]: Received exit code 401, Unauthorized access while getting auth token.

What to do: Follow the steps for generating the plugin credentials and use the new Client ID and Client Secret in your plugin configuration.

Known Behavior

The IoCs pulled by the plugin cannot be viewed on the Secureworks Taegis platform.
