SentinelOne Plugin for Threat Exchange

This document explains how to configure the SentinelOne integration with the Threat Exchange module of the Netskope Cloud Exchange platform. This plugin supports pulling of SHA256 indicators from the SentinelOne platform and allows the sharing of URLs and hashes (MD5 and SHA256) with Netskope.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A File Profile configured on your Netskope tenant.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A SentinelOne tenant.

CE Version Compatibility

Netskope CE: v4.2.0, v5.0.0, v5.0.1

SentinelOne Plugin Support

This plugin is used to fetch indicators of type SHA256. This plugin also supports pushing IoCs of type URL, MD5, and SHA256 to the SentinelOne platform.

  Fetched indicator types    SHA256
  Shared indicator types     URL, SHA256, MD5

Mappings

Mappings for Pull (Netskope fields – SentinelOne fields)

  Netskope CE Fields    SentinelOne Fields
  value                 fileSha256
  comments              classification: {SentinelOne_URL}/analyze/threats/{id}/overview
  firstSeen             createdAt
  lastSeen              updatedAt

Mapping for Push (Netskope fields – SentinelOne fields)

  Netskope CE Fields    SentinelOne Fields
  value                 value
  type                  type
  value                 externalId
  firstSeen             creationTime
  expireAt              validUntil
  comments              description

Permissions

For the SentinelOne plugin to work properly, the role used by the plugin's user must have at least these permissions:

  • Endpoint threats -> Fetch Threat File
  • Threat Intelligence -> Manage

While creating a role, these default permissions are attached to the role:

  • Accounts -> view
  • Groups -> view
  • Roles -> view
  • Sites -> view

Apart from these default permissions, the above two permissions (Endpoint threats and Threat Intelligence) need to be provided. Only a user who has the (Roles -> create, edit) permission can add permissions to a role.

API Details
List of APIs used

  API Endpoint                              Method    Use Case
  /web/api/v2.0/sites                       GET       Fetch Site IDs
  /web/api/v2.0/threats                     GET       Fetch Indicators
  /web/api/v2.1/threat-intelligence/iocs    POST      Push Indicators

Fetch Site IDs

API Endpoint: /web/api/v2.0/sites
Method: GET
Headers:

Authorization ApiToken <TOKEN>

Parameters:

name SITE NAME

API Request Endpoint:

https://<SENTINEL TENANT>/web/api/v2.0/sites

Sample API Response:

{
    "data": {
        "allSites": {
            "activeLicenses": 7,
            "totalLicenses": 25
        },
        "sites": [
            {
                "accountId": "1268419425097944269",
                "accountName": "Netskope",
                "activeLicenses": 7,
                "createdAt": "2021-10-17T02:02:58.519858Z",
                "creator": "Sandeep Minhas",
                "creatorId": "1170348439571106212",
                "description": null,
                "expiration": null,
                "externalId": "97e5ca8f-5ad4-cb4a-7ef8-9d27a2557175",
                "healthStatus": true,
                "id": "1268419425114721486",
                "isDefault": true,
                "licenses": {
                    "bundles": [
                        {
                            "displayName": "Core",
                            "majorVersion": 1,
                            "minorVersion": 6,
                            "name": "core",
                            "surfaces": [
                                {
                                    "count": 25,
                                    "name": "Total Agents"
                                }
                            ],
                            "totalSurfaces": 25
                        }
                    ],
                    "modules": [
                        {
                            "displayName": "Ranger",
                            "majorVersion": 1,
                            "name": "ranger"
                        }
                    ],
                    "settings": [
                        {
                            "displayName": "365 Days",
                            "groupName": "malicious_data_retention",
                            "setting": "365 Days",
                            "settingGroup": "malicious_data_retention",
                            "settingGroupDisplayName": "Malicious Data Retention"
                        },
                        {
                            "displayName": "Available",
                            "groupName": "marketplace_access_status",
                            "setting": "Available",
                            "settingGroup": "marketplace_access_status",
                            "settingGroupDisplayName": "Marketplace Access"
                        },
                        {
                            "displayName": "Account",
                            "groupName": "account_level_ranger",
                            "setting": "Account",
                            "settingGroup": "account_level_ranger",
                            "settingGroupDisplayName": "Ranger Consolidation Level"
                        }
                    ]
                },
                "name": "Default site",
                "registrationToken": "eyJ1cmwiOiAiaHR0cHM6Ly91c2VhMS1wYXJ0bmVycy5zZW50aW5lbG9uZS5uZXQiLCAic2l0ZV9rZXkiOiAiYjVjYTA0ZDVlYjc0MjA0MyJ9",
                "siteType": "Paid",
                "sku": "Core",
                "state": "active",
                "suite": "Core",
                "totalLicenses": 25,
                "unlimitedExpiration": true,
                "unlimitedLicenses": false,
                "updatedAt": "2024-01-23T12:37:22.573745Z"
            }
        ]
    },
    "pagination": {
        "nextCursor": null,
        "totalItems": 1
    }
}
Fetch Indicators

API Endpoint:
/web/api/v2.0/threats
Method: GET
Headers:

Authorization ApiToken <TOKEN>

Parameters:

createdAt__gte 2023-02-02T08:30:37.680000Z
createdAt__lte 2023-02-09T08:47:37.680000Z
limit 100

API Request Endpoint:
https://<SENTINEL TENANT>/web/api/v2.0/threats

Sample API Response:

{
    "data": [
        {
            "accountId": "1268419425097944269",
            "accountName": "Netskope",
            "agentComputerName": "WSAMZN-FE0FUJ90",
            "agentDomain": "NETSKOPE",
            "agentId": "1860065221432363061",
            "agentInfected": false,
            "agentIp": "18.140.109.245",
            "agentIsActive": false,
            "agentIsDecommissioned": true,
            "agentMachineType": "server",
            "agentNetworkStatus": "connected",
            "agentOsType": "windows",
            "agentVersion": "23.3.3.264",
            "annotation": "Automatically resolved by SentinelOne Console",
            "automaticallyResolved": true,
            "browserType": null,
            "certId": "",
            "classification": "Malware",
            "classificationSource": "Static",
            "classifierName": "STATIC",
            "cloudVerdict": null,
            "collectionId": "1860067293544368339",
            "commandId": null,
            "createdAt": "2024-01-11T09:41:40.575731Z",
            "createdDate": "2024-01-11T09:41:39.995000Z",
            "description": "malware detected - waiting for validation (static engine)",
            "engines": [
                "pre_execution_suspicious"
            ],
            "external_ticket_id": null,
            "fileContentHash": "c216b4134e0bd47a048699c6d961be65ef5672b3",
            "fileCreatedDate": null,
            "fileDisplayName": "wildfire-test-pe-file (2).exe",
            "fileExtensionType": "Executable",
            "fileIsDotNet": null,
            "fileIsExecutable": true,
            "fileIsSystem": false,
            "fileMaliciousContent": null,
            "fileObjectId": "187C7E773CBBC497",
            "filePath": "\\Device\\HarddiskVolume2\\Users\\mrai\\Downloads\\wildfire-test-pe-file (2).exe",
            "fileSha256": null,
            "fileVerificationType": "NotSigned",
            "fromCloud": false,
            "fromScan": false,
            "id": "1860067293510813906",
            "indicators": [
                32,
                33,
                6
            ],
            "initiatedBy": "agentPolicy",
            "initiatedByDescription": "Agent Policy",
            "initiatingUserId": null,
            "isCertValid": false,
            "isInteractiveSession": false,
            "isPartialStory": false,
            "maliciousGroupId": "4C7C7E773CBBC497",
            "maliciousProcessArguments": null,
            "markedAsBenign": false,
            "mitigationMode": "detect",
            "mitigationReport": {
                "kill": {
                    "status": null
                },
                "network_quarantine": {
                    "status": null
                },
                "quarantine": {
                    "status": null
                },
                "remediate": {
                    "status": null
                },
                "remove_macros": {
                    "status": null
                },
                "restore_macros": {
                    "status": null
                },
                "rollback": {
                    "status": null
                },
                "unquarantine": {
                    "status": null
                }
            },
            "mitigationStatus": "suspicious_resolved",
            "publisher": "",
            "rank": null,
            "resolved": true,
            "siteId": "1268419425114721486",
            "siteName": "Default site",
            "threatAgentVersion": "23.3.3.264",
            "threatName": "wildfire-test-pe-file (2).exe",
            "updatedAt": "2024-02-10T10:10:28.751389Z",
            "username": "NETSKOPE\\mrai",
            "whiteningOptions": [
                "hash",
                "path"
            ]
        }
    ],
    "pagination": {
        "nextCursor": "eyJpZF9jb2x1bW4iOiAiVGhyZWF0Vmlldy5pZCIsICJpZF92YWx1ZSI6IDE4NjAwNjcyOTM1MTA4MTM5MDYsICJpZF9zb3J0X29yZGVyIjogImFzYyIsICJzb3J0X2J5X2NvbHVtbiI6ICJUaHJlYXRWaWV3LmlkIiwgInNvcnRfYnlfdmFsdWUiOiAxODYwMDY3MjkzNTEwODEzOTA2LCAic29ydF9vcmRlciI6ICJhc2MifQ%3D%3D",
        "totalItems": 7
    }
}
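The pull mapping table and the threats response above can be exercised without a tenant. The following is an added example, not code from the Netskope plugin: it builds the createdAt__gte/createdAt__lte/limit parameters, applies the page's pull mapping (value from fileSha256, comments from classification plus the console link, firstSeen/lastSeen from createdAt/updatedAt) to each threat, skips threats whose fileSha256 is null (as in the sample response) or malformed, and returns nextCursor for the next page. The management URL and the sample threats are constructed, and the name of the pagination query parameter ("cursor") is an assumption.

```python
"""Added example (not Netskope plugin code): apply the page's pull mapping to a
SentinelOne GET /web/api/v2.0/threats page and follow nextCursor.
Assumptions: the pagination query parameter is named "cursor"; the management
URL and sample threats below are constructed."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
S1_TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # format seen in the page's sample parameters


def parse_s1_time(value: str) -> datetime:
    """Parse a SentinelOne timestamp such as 2023-02-02T08:30:37.680000Z as UTC."""
    return datetime.strptime(value, S1_TIME_FMT).replace(tzinfo=timezone.utc)


def build_threat_params(start: datetime, end: datetime, limit: int = 100,
                        cursor: Optional[str] = None) -> Dict[str, object]:
    """Query parameters for GET /web/api/v2.0/threats (createdAt__gte/lte, limit)."""
    params: Dict[str, object] = {
        "createdAt__gte": start.astimezone(timezone.utc).strftime(S1_TIME_FMT),
        "createdAt__lte": end.astimezone(timezone.utc).strftime(S1_TIME_FMT),
        "limit": limit,
    }
    if cursor:
        params["cursor"] = cursor  # assumption: name of the pagination parameter
    return params


def map_threat(threat: Dict, management_url: str) -> Optional[Dict[str, str]]:
    """Pull mapping from the page: value <- fileSha256, comments <- classification +
    console link, firstSeen <- createdAt, lastSeen <- updatedAt.
    Returns None when fileSha256 is null (as in the sample response) or is not a
    well-formed SHA256, since there is nothing usable to share downstream."""
    sha256 = threat.get("fileSha256")
    if not isinstance(sha256, str) or not SHA256_RE.match(sha256):
        return None
    link = f"{management_url.rstrip('/')}/analyze/threats/{threat['id']}/overview"
    return {
        "value": sha256.lower(),  # normalise case so duplicates collapse in CE
        "type": "sha256",
        "comments": f"{threat.get('classification') or 'Unknown'}: {link}",
        "firstSeen": threat["createdAt"],
        "lastSeen": threat["updatedAt"],
    }


def map_page(response: Dict, management_url: str) -> Tuple[List[Dict[str, str]], Optional[str]]:
    """Map one page of results and return (indicators, nextCursor).
    nextCursor is None on the last page, as in the sites sample response."""
    indicators: List[Dict[str, str]] = []
    for threat in response.get("data", []):
        mapped = map_threat(threat, management_url)
        if mapped is not None:
            indicators.append(mapped)
    return indicators, response.get("pagination", {}).get("nextCursor")


# Constructed sample page: one threat without a SHA256 (like the page's sample)
# and one with an upper-case but valid SHA256.
SAMPLE_MGMT_URL = "https://example-tenant.sentinelone.net"
SAMPLE_PAGE = {
    "data": [
        {"id": "1860067293510813906", "fileSha256": None, "classification": "Malware",
         "createdAt": "2024-01-11T09:41:40.575731Z", "updatedAt": "2024-02-10T10:10:28.751389Z"},
        {"id": "1860067293510813907",
         "fileSha256": "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9",
         "classification": "Malware",
         "createdAt": "2024-01-12T09:41:40.000000Z", "updatedAt": "2024-02-11T10:10:28.000000Z"},
    ],
    "pagination": {"nextCursor": "constructed-cursor", "totalItems": 7},
}

if __name__ == "__main__":
    iocs, next_cursor = map_page(SAMPLE_PAGE, SAMPLE_MGMT_URL)
    print(iocs, next_cursor)
```

A client loops on map_page until nextCursor is None; the null-fileSha256 case is worth handling explicitly because the page's own sample threat carries only a SHA1 in fileContentHash, which the plugin does not pull.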
Push Indicators

API Endpoint:
/web/api/v2.1/threat-intelligence/iocs
Method: POST
Headers:

Authorization ApiToken <TOKEN>

Parameters:

name SITE NAME

Body:

{
    "data": [
        {
            "value": "",
            "type": "SHA256",
            "source": "Netskope",
            "externalId": "",
            "method": "EQUALS",
            "creationTime": "",
            "validUntil": ””,
            "description": ""
        }
    ],
    "filter": {}
}

API Request Endpoint:
https://<SENTINEL TENANT>/web/api/v2.1/threat-intelligence/iocs

Sample API Response:

{
    "data": [
        {
            "batchId": "atmtn00000002b942b706c907339a1373a629",
            "category": [],
            "creationTime": "2023-02-02T08:37:37.680000Z",
            "creator": "sahil.jagtap@crestdatasys.com",
            "description": ": http: //10.50.2.243:8000/analyze/threats//overview",
            "externalId": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9",
            "intrusionSets": [],
            "metadata": "",
            "method": "EQUALS",
            "mitreTactic": [],
            "reference": [],
            "scope": "account",
            "scopeId": "1268419425097944269",
            "source": "Netskope",
            "threatActors": [],
            "type": "SHA256",
            "updatedAt": "2024-03-18T11:00:45.263263Z",
            "uploadTime": "2024-03-18T05:48:13.399541Z",
            "uuid": "3308ef9bde79444d7d41c5f537687483",
            "validUntil": "2024-09-14T11:00:45.263263Z",
            "value": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9"
        }
    ]
}
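To show the push mapping table and the request body above in working form, here is an added example (not code from the Netskope plugin). It converts Netskope CE indicator records into the POST /web/api/v2.1/threat-intelligence/iocs body using the page's push mapping (value to value and externalId, type to type, firstSeen to creationTime, expireAt to validUntil, comments to description, with source "Netskope" and method "EQUALS"), rejects records whose hash does not match the declared type, and splits the result into batches. The CE indicator records are constructed, and MAX_BATCH is an assumed client-side batch size, not a documented API limit.

```python
"""Added example (not Netskope plugin code): build the body for
POST /web/api/v2.1/threat-intelligence/iocs from Netskope CE indicators using
the page's push mapping. The CE records below are constructed and MAX_BATCH is
an assumed client-side batch size."""
import re
from typing import Dict, List, Tuple

MAX_BATCH = 1000  # assumption: how many IoCs this client sends per request

# The three indicator types the page says the plugin shares, plus the hash
# patterns used to catch a value filed under the wrong type.
HASH_PATTERNS = {
    "md5": (re.compile(r"^[0-9a-f]{32}$"), "MD5"),
    "sha256": (re.compile(r"^[0-9a-f]{64}$"), "SHA256"),
}


def to_s1_ioc(ind: Dict) -> Dict:
    """Push mapping from the page: value -> value and externalId, type -> type,
    firstSeen -> creationTime, expireAt -> validUntil, comments -> description.
    Raises ValueError for unsupported types or hashes of the wrong length."""
    ctype = str(ind["type"]).lower()
    value = str(ind["value"]).strip()
    if ctype == "url":
        if not value:
            raise ValueError("empty URL value")
        s1_type = "URL"
    elif ctype in HASH_PATTERNS:
        value = value.lower()
        pattern, s1_type = HASH_PATTERNS[ctype]
        if not pattern.match(value):
            raise ValueError(f"{ctype} value malformed: {value!r}")
    else:
        raise ValueError(f"unsupported indicator type: {ind['type']!r}")
    return {
        "value": value,
        "type": s1_type,
        "source": "Netskope",
        "externalId": value,  # the page maps CE value onto externalId as well
        "method": "EQUALS",
        "creationTime": ind["firstSeen"],
        "validUntil": ind["expireAt"],
        "description": ind.get("comments", ""),
    }


def build_push_bodies(indicators: List[Dict],
                      batch_size: int = MAX_BATCH) -> Tuple[List[Dict], List[Tuple[str, str]]]:
    """Return one request body per batch plus a list of (value, reason) for
    records that failed validation, so the caller can log them instead of
    failing the whole push."""
    iocs: List[Dict] = []
    skipped: List[Tuple[str, str]] = []
    for ind in indicators:
        try:
            iocs.append(to_s1_ioc(ind))
        except (KeyError, ValueError) as exc:
            skipped.append((str(ind.get("value")), str(exc)))
    bodies = [{"data": iocs[i:i + batch_size], "filter": {}}
              for i in range(0, len(iocs), batch_size)]
    return bodies, skipped


# Constructed CE indicator records: a SHA256, a URL, an MD5, and a 32-character
# hash wrongly filed as SHA256 (which must be skipped, not sent).
SAMPLE_CE_INDICATORS = [
    {"value": "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9",
     "type": "sha256", "firstSeen": "2023-02-02T08:37:37.680000Z",
     "expireAt": "2024-09-14T11:00:45.263263Z", "comments": "Malware: constructed link"},
    {"value": "http://malicious.example/payload.exe", "type": "url",
     "firstSeen": "2023-02-03T00:00:00.000000Z", "expireAt": "2024-09-14T00:00:00.000000Z"},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5",
     "firstSeen": "2023-02-04T00:00:00.000000Z", "expireAt": "2024-09-14T00:00:00.000000Z"},
    {"value": "deadbeefdeadbeefdeadbeefdeadbeef", "type": "sha256",
     "firstSeen": "2023-02-05T00:00:00.000000Z", "expireAt": "2024-09-14T00:00:00.000000Z"},
]

if __name__ == "__main__":
    bodies, skipped = build_push_bodies(SAMPLE_CE_INDICATORS, batch_size=2)
    print(len(bodies), "request bodies;", "skipped:", skipped)
```

Because the sample response shows externalId echoing the indicator value, keying on the value makes a re-push of the same indicator idempotent on the SentinelOne side rather than creating duplicates.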
Performance Matrix

Here is the performance reading conducted for fetching and pushing 100K IoCs on a Large CE instance with these specifications.

  Stack details                           Size: Large
                                          RAM: 32 GB
                                          CPU: 16 Cores
  Indicators fetched from SentinelOne     ~11K per minute
  Indicators shared with SentinelOne      ~33K per minute

Workflow

  1. Add roles to a user.
  2. Get your SentinelOne Management URL and API token.
  3. Configure the SentinelOne Plugin.
  4. Configure a Business Rule for SentinelOne.
  5. Configure Sharing for Netskope and SentinelOne.
  6. Validate the SentinelOne Plugin.

Add Roles to a User

To configure the SentinelOne plugin, the user should have specific roles added. Follow these steps to add the necessary roles to your user.

  1. Log in to your SentinelOne platform.
  2. Go to Settings > Users > Roles > Actions > New Role.
  3. Provide a Role name and description, and add these Roles.
    • Accounts -> view
    • Groups -> view
    • Roles -> view
    • Sites -> view
    • Endpoint threats -> Fetch Threat File
    • Threat Intelligence -> Manage
  4. Click Save. Your Role will be added. If the user already has some roles assigned, make sure it has all the above-mentioned roles added to the existing roles.
  5. If your user has no roles assigned to them, add the newly added roles to your user by following the next steps.
  6. Go to Console Users and click on your user Email; a popup box will open. Click Actions > Change Scope of Access.
  7. Select the Role name created in the above steps and click Save.
  8. Give the user permission to generate an API token.

Get your SentinelOne Management URL and API Token

  1. Log in to your SentinelOne dashboard.
  2. Click on your username on the top right corner, and then click My User.
  3. Click Actions > Api Token Operations > Regenerate API Token (generate if not already generated). Save the token once generated because it will only be visible once.
  4. After copying the API token, copy the Management URL. These are needed to configure the SentinelOne plugin.

Configure the SentinelOne Plugin

  1. In Cloud Exchange, go to Settings and click Plugins.
  2. Search for and select the SentinelOne Plugin box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Leave the default.
    • Aging Criteria: Expiry time of the plugin in days. (Default: 90)
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if the proxy is required for communication.
  4. Click Next.
  5. Enter these Configuration Parameters:
    • Management URL: Base URL for the SentinelOne API Endpoints
    • API Token: API Token generated from the SentinelOne Platform.
    • Site Name: Name of the site to fetch alerts from. Leave blank to pull all data.
    • Initial Range: Number of days to pull the data for the initial run.
  6. Click Save.

Configure a Business Rule for SentinelOne

To share indicators fetched from SentinelOne with Netskope CE, you need a business rule that filters the indicators you want to share. To configure a business rule, follow these steps:

  1. In Threat Exchange, go to Business Rules and click Create New Rule.
  2. Add a Rule name and your required filters for the IoCs you want to share, and then click Save.

Configure Sharing for Netskope and SentinelOne

To share IoCs from the Netskope CE to the SentinelOne platform, or from SentinelOne to Netskope, follow these steps:

  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view as shown below. The Sharing page also has inputs to configure new sharing from one plugin to another.
  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select SentinelOne.
  3. Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional. Data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each separately.
  4. Select a Target. Each plugin will have a different target or destination for the IoC. Select the existing IoC List Name, or create a new IoC list on the platform. Enter a List Size and Initial Range.
  5. Click Save.
  6. Repeat steps 2-5, but select Netskope as the Source Configuration and SentinelOne as the Destination Configuration.
  7. Click Save.

Modify, Test, or Delete a Sharing Configuration

Each configuration supports 3 actions:

  • Edit the rule by clicking on the pencil icon.
  • Test the rule by clicking on the synchronization icon. This tests how many IoCs will actually be sent to the destination system based on the timeframe and the rule.
  • Delete the rule by clicking on the garbage can icon.

Validate the SentinelOne Plugin

Validate the Pull

  1. Based on the plugin configuration, indicators are pulled from SentinelOne. In Threat Exchange, go to Threat IoCs to view the received IoCs.
  2. On the SentinelOne platform, go to Incidents on the left side panel. In the Threats section, you can verify the indicators.

Validate the Push

  1. To verify that indicators were shared from Threat Exchange, go to Threat IoCs, expand one of the source plugin's IoCs, and check the status in the Shared with parameter.
  2. For more information, go to Logging.

Indicators shared to SentinelOne are not shown in a console dashboard. However, you can use the API to list the ingested indicators.
Sample CURL (replace TOKEN with your API token):

curl --location 'https://usea1-partners.sentinelone.net/web/api/v2.1/threat-intelligence/iocs?limit=1000' \
--header 'Authorization: ApiToken TOKEN' \
--header 'Content-Type: application/json'

Troubleshooting

Unable to pull IoCs from the SentinelOne platform

After the plugin configuration, if the IoCs are not pulled from the platform, it might be due to one of the following.

  • No IOCs are available on the platform to pull
  • IOCs are not available for the given time range or do not match the configuration parameters.

What to do: Identify your root cause from the list above and follow the steps below to resolve the issue.

No IOCs are available on the platform to pull

Check if the IoCs are available on the platform to pull. If available, check the resolution for the next point.

IOCs are not available for the given time range

If the IoCs are available on the platform to pull, but the plugin has not pulled the IoCs in CE, check the number of days mentioned in the initial range parameter of the plugin configuration. On the SentinelOne platform, check if you have data for the given time range.

If the data is available for the given time range, it might be possible that the IoCs for the provided filter in the plugin configuration are not available, so check the values in the plugin Configuration Parameters, and filter the same on the SentinelOne platform.
