SentinelOne Plugin for Threat Exchange

This document explains how to configure the SentinelOne integration with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration allows sharing of URLs and hashes with Netskope. Threat Exchange fetches SHA256 and MD5 hashes, not SHA1 (the default hash that SentinelOne provides). This plugin also supports sharing of URLs and hashes with SentinelOne.
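As an added illustration (not part of the plugin or of this document), the following Python helper sorts a constructed list of SentinelOne indicators into the types Threat Exchange fetches (SHA256, MD5, URL) and the ones it skips (SHA1, or unrecognised values). It is useful when checking why a hash from a SentinelOne alert does not appear under Threat IoCs.

```python
import re

# Threat Exchange ingests SHA256 and MD5 file hashes plus URLs. SHA1, the
# default hash SentinelOne provides, is not fetched, so it is reported as skipped.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}
URL_PATTERN = re.compile(r"^https?://\S+$", re.I)
SUPPORTED = {"md5", "sha256", "url"}


def classify(ioc: str) -> str:
    """Return the indicator type by shape: md5, sha1, sha256, url or unknown."""
    value = ioc.strip()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            return name
    if URL_PATTERN.match(value):
        return "url"
    return "unknown"


def triage(iocs):
    """Split indicators into those Threat Exchange will fetch and those it skips.

    Returns {"shareable": [(type, value), ...], "skipped": {type: [value, ...]}}.
    """
    result = {"shareable": [], "skipped": {}}
    for ioc in iocs:
        value = ioc.strip()
        kind = classify(value)
        if kind in SUPPORTED:
            result["shareable"].append((kind, value))
        else:
            result["skipped"].setdefault(kind, []).append(value)
    return result


# Constructed sample: the well-known empty-file MD5, SHA1 and SHA256 digests,
# a made-up URL, and one value that is not an indicator at all.
SAMPLE_IOCS = [
    "d41d8cd98f00b204e9800998ecf8427e",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "http://example.com/malicious.exe",
    "not-an-indicator",
]

if __name__ == "__main__":
    for kind, value in triage(SAMPLE_IOCS)["shareable"]:
        print(f"shareable {kind}: {value}")
```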

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Secure Web Gateway subscription for URL sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A SentinelOne account.

Workflow

  1. Get your SentinelOne Management URL and API token.
  2. Configure the SentinelOne Plugin.
  3. Configure sharing for Netskope and SentinelOne.
  4. Validate the SentinelOne Plugin.

Get your SentinelOne Management URL and API Token

  1. Log in to your SentinelOne dashboard.
  2. Click on your username on the top right corner, and then click My User.
  3. Click on API Token Generate.
  4. Copy the API token and the Management URL. These are needed to configure the SentinelOne plugin.

Configure the SentinelOne Plugin

  1. In Cloud Exchange, go to Settings and click Plugins.
  2. Search for and select the SentinelOne Plugin box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Enter a name appropriate for your integration.
    • Sync Interval: Adjust to environment needs. We recommend not going below 5 minutes for production environments.
  4. Click Next.
  5. Enter your SentinelOne Management URL.
  6. Enter your SentinelOne API Token.
  7. You can leave the default settings for the rest of the settings.
  8. Click Save.

Configure Sharing for Netskope and SentinelOne

  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view as shown below. The Sharing page also has inputs to configure new sharing from one plugin to another.
  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select SentinelOne.
  3. Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional: data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each direction separately.
  4. Select a Target. Each plugin will have a different target or destination for the IoC.
  5. Click Save.
  6. Repeat steps 2-5, but select Netskope as the Source Configuration and SentinelOne as the Destination Configuration.
  7. Click Save.

Adding a new sharing configuration shares the existing IoCs of the source configuration with the destination configuration on the next active source poll. Whenever a new sharing configuration is built, all active IoCs that match the source/destination combination are also considered for sharing.

Note

Plugins that do not have an API for ingesting data cannot receive threat data. This is true of the installed plugin API Source, which provides a bucket associated with an API endpoint for remote third-party systems to push data to. Once a sharing policy has been added, it takes effect.

After a sharing configuration has been created, the sharing table shows the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive the matching IoCs, and the target applicable to that rule. Multiple sharing configurations can be created to map certain IoCs to multiple targets, even on the same destination system.

Modify, Test, or Delete a Sharing Configuration

Each configuration supports three actions:

  • Edit the rule by clicking on the pencil icon.
  • Test the rule by clicking on the synchronization icon. This shows how many IoCs will actually be sent to the destination system based on the timeframe and the rule.
  • Delete the rule by clicking on the garbage can icon.

Validate the SentinelOne Plugin

To validate the integration, you must have alerts on SentinelOne. The SentinelOne polling interval was defined during plugin configuration.

  1. Go to Threat Exchange and select Threat IoCs.
  2. In your Netskope UI, go to Policies > Web > URL List, and select a URL List.
  3. If data is not being brokered between the platforms, look at the audit logs in Cloud Exchange (the Logging menu item in the left menu of Cloud Exchange).

In Cloud Exchange, click Logging in the bottom of the left panel.

Look through the logs for errors. If unable to successfully troubleshoot, open a support ticket with Netskope.
