SentinelOne Plugin for Threat Exchange
This document explains how to configure the SentinelOne integration with the Threat Exchange module of the Netskope Cloud Exchange platform. This plugin supports pulling of SHA256 indicators from the SentinelOne platform and allows the sharing of URLs and hashes (MD5 and SHA256) with Netskope.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A File Profile configured on your Netskope tenant.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- A SentinelOne tenant.
CE Version Compatibility
Netskope CE: v4.2.0, v5.0.0, v5.0.1
SentinelOne Plugin Support
This plugin is used to fetch indicators of type SHA256. This plugin also supports pushing IoCs of type URL, MD5, and SHA256 to the SentinelOne platform.
| Capability | Indicator types |
|---|---|
| Fetched indicator types | SHA256 |
| Shared indicator types | URL, SHA256, MD5 |
Mappings
Mappings for Pull (Netskope fields – SentinelOne fields)
| Netskope CE Fields | SentinelOne Fields |
|---|---|
| value | fileSha256 |
| comments | classification: {SentinelOne_URL}/analyze/threats/{id}/overview |
| firstSeen | createdAt |
| lastSeen | updatedAt |
Mapping for Push (Netskope fields – SentinelOne fields)
| Netskope CE Fields | SentinelOne Fields |
|---|---|
| value | value |
| type | type |
| value | externalId |
| firstSeen | creationTime |
| expireAt | validUntil |
| comments | description |
Permissions
For the SentinelOne plugin to work properly, these minimum permissions are required to be attached to the role:
- Endpoint threats -> Fetch Threat File
- Threat Intelligence -> Manage
While creating a role, these default permissions are attached to the role:
- Accounts -> view
- Groups -> view
- Roles -> view
- Sites -> view
Apart from these default permissions, the above two permissions (Endpoint threats and Threat Intelligence) need to be provided. Only a user who has the (Roles -> create, edit) permission can add permissions to a role.
API Details
List of APIs used
| API Endpoint | Method | Use Case |
|---|---|---|
| /web/api/v2.0/sites | GET | Fetch Site IDs |
| /web/api/v2.0/threats | GET | Fetch Indicators |
| /web/api/v2.1/threat-intelligence/iocs | POST | Push Indicators |
Fetch Site IDs
API Endpoint: /web/api/v2.0/sites
Method: GET
Headers:
| Header | Value |
|---|---|
| Authorization | ApiToken <TOKEN> |
Parameters:
| Parameter | Value |
|---|---|
| name | SITE NAME |
API Request Endpoint:
https://<SENTINEL TENANT>/web/api/v2.0/sites
Sample API Response:
```json
{
  "data": {
    "allSites": { "activeLicenses": 7, "totalLicenses": 25 },
    "sites": [
      {
        "accountId": "1268419425097944269",
        "accountName": "Netskope",
        "activeLicenses": 7,
        "createdAt": "2021-10-17T02:02:58.519858Z",
        "creator": "Sandeep Minhas",
        "creatorId": "1170348439571106212",
        "description": null,
        "expiration": null,
        "externalId": "97e5ca8f-5ad4-cb4a-7ef8-9d27a2557175",
        "healthStatus": true,
        "id": "1268419425114721486",
        "isDefault": true,
        "licenses": {
          "bundles": [
            {
              "displayName": "Core",
              "majorVersion": 1,
              "minorVersion": 6,
              "name": "core",
              "surfaces": [ { "count": 25, "name": "Total Agents" } ],
              "totalSurfaces": 25
            }
          ],
          "modules": [ { "displayName": "Ranger", "majorVersion": 1, "name": "ranger" } ],
          "settings": [
            {
              "displayName": "365 Days",
              "groupName": "malicious_data_retention",
              "setting": "365 Days",
              "settingGroup": "malicious_data_retention",
              "settingGroupDisplayName": "Malicious Data Retention"
            },
            {
              "displayName": "Available",
              "groupName": "marketplace_access_status",
              "setting": "Available",
              "settingGroup": "marketplace_access_status",
              "settingGroupDisplayName": "Marketplace Access"
            },
            {
              "displayName": "Account",
              "groupName": "account_level_ranger",
              "setting": "Account",
              "settingGroup": "account_level_ranger",
              "settingGroupDisplayName": "Ranger Consolidation Level"
            }
          ]
        },
        "name": "Default site",
        "registrationToken": "eyJ1cmwiOiAiaHR0cHM6Ly91c2VhMS1wYXJ0bmVycy5zZW50aW5lbG9uZS5uZXQiLCAic2l0ZV9rZXkiOiAiYjVjYTA0ZDVlYjc0MjA0MyJ9",
        "siteType": "Paid",
        "sku": "Core",
        "state": "active",
        "suite": "Core",
        "totalLicenses": 25,
        "unlimitedExpiration": true,
        "unlimitedLicenses": false,
        "updatedAt": "2024-01-23T12:37:22.573745Z"
      }
    ]
  },
  "pagination": { "nextCursor": null, "totalItems": 1 }
}
```
Fetch Indicators
API Endpoint:
/web/api/v2.0/threats
Method: GET
Headers:
| Header | Value |
|---|---|
| Authorization | ApiToken <TOKEN> |
Parameters:
| Parameter | Value |
|---|---|
| createdAt__gte | 2023-02-02T08:30:37.680000Z |
| createdAt__lte | 2023-02-09T08:47:37.680000Z |
| limit | 100 |
API Request Endpoint:
https://<SENTINEL TENANT>/web/api/v2.0/threats
Sample API Response:
```json
{
  "data": [
    {
      "accountId": "1268419425097944269",
      "accountName": "Netskope",
      "agentComputerName": "WSAMZN-FE0FUJ90",
      "agentDomain": "NETSKOPE",
      "agentId": "1860065221432363061",
      "agentInfected": false,
      "agentIp": "18.140.109.245",
      "agentIsActive": false,
      "agentIsDecommissioned": true,
      "agentMachineType": "server",
      "agentNetworkStatus": "connected",
      "agentOsType": "windows",
      "agentVersion": "23.3.3.264",
      "annotation": "Automatically resolved by SentinelOne Console",
      "automaticallyResolved": true,
      "browserType": null,
      "certId": "",
      "classification": "Malware",
      "classificationSource": "Static",
      "classifierName": "STATIC",
      "cloudVerdict": null,
      "collectionId": "1860067293544368339",
      "commandId": null,
      "createdAt": "2024-01-11T09:41:40.575731Z",
      "createdDate": "2024-01-11T09:41:39.995000Z",
      "description": "malware detected - waiting for validation (static engine)",
      "engines": [ "pre_execution_suspicious" ],
      "external_ticket_id": null,
      "fileContentHash": "c216b4134e0bd47a048699c6d961be65ef5672b3",
      "fileCreatedDate": null,
      "fileDisplayName": "wildfire-test-pe-file (2).exe",
      "fileExtensionType": "Executable",
      "fileIsDotNet": null,
      "fileIsExecutable": true,
      "fileIsSystem": false,
      "fileMaliciousContent": null,
      "fileObjectId": "187C7E773CBBC497",
      "filePath": "\\Device\\HarddiskVolume2\\Users\\mrai\\Downloads\\wildfire-test-pe-file (2).exe",
      "fileSha256": null,
      "fileVerificationType": "NotSigned",
      "fromCloud": false,
      "fromScan": false,
      "id": "1860067293510813906",
      "indicators": [ 32, 33, 6 ],
      "initiatedBy": "agentPolicy",
      "initiatedByDescription": "Agent Policy",
      "initiatingUserId": null,
      "isCertValid": false,
      "isInteractiveSession": false,
      "isPartialStory": false,
      "maliciousGroupId": "4C7C7E773CBBC497",
      "maliciousProcessArguments": null,
      "markedAsBenign": false,
      "mitigationMode": "detect",
      "mitigationReport": {
        "kill": { "status": null },
        "network_quarantine": { "status": null },
        "quarantine": { "status": null },
        "remediate": { "status": null },
        "remove_macros": { "status": null },
        "restore_macros": { "status": null },
        "rollback": { "status": null },
        "unquarantine": { "status": null }
      },
      "mitigationStatus": "suspicious_resolved",
      "publisher": "",
      "rank": null,
      "resolved": true,
      "siteId": "1268419425114721486",
      "siteName": "Default site",
      "threatAgentVersion": "23.3.3.264",
      "threatName": "wildfire-test-pe-file (2).exe",
      "updatedAt": "2024-02-10T10:10:28.751389Z",
      "username": "NETSKOPE\\mrai",
      "whiteningOptions": [ "hash", "path" ]
    }
  ],
  "pagination": {
    "nextCursor": "eyJpZF9jb2x1bW4iOiAiVGhyZWF0Vmlldy5pZCIsICJpZF92YWx1ZSI6IDE4NjAwNjcyOTM1MTA4MTM5MDYsICJpZF9zb3J0X29yZGVyIjogImFzYyIsICJzb3J0X2J5X2NvbHVtbiI6ICJUaHJlYXRWaWV3LmlkIiwgInNvcnRfYnlfdmFsdWUiOiAxODYwMDY3MjkzNTEwODEzOTA2LCAic29ydF9vcmRlciI6ICJhc2MifQ%3D%3D",
    "totalItems": 7
  }
}
```
Push Indicators
API Endpoint:
/web/api/v2.1/threat-intelligence/iocs
Method: POST
Headers:
| Header | Value |
|---|---|
| Authorization | ApiToken <TOKEN> |
Parameters:
| Parameter | Value |
|---|---|
| name | SITE NAME |
Body:
```json
{
  "data": [
    {
      "value": "",
      "type": "SHA256",
      "source": "Netskope",
      "externalId": "",
      "method": "EQUALS",
      "creationTime": "",
      "validUntil": "",
      "description": ""
    }
  ],
  "filter": {}
}
```
API Request Endpoint:
https://<SENTINEL TENANT>/web/api/v2.1/threat-intelligence/iocs
Sample API Response:
```json
{
  "data": [
    {
      "batchId": "atmtn00000002b942b706c907339a1373a629",
      "category": [],
      "creationTime": "2023-02-02T08:37:37.680000Z",
      "creator": "sahil.jagtap@crestdatasys.com",
      "description": ": http: //10.50.2.243:8000/analyze/threats//overview",
      "externalId": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9",
      "intrusionSets": [],
      "metadata": "",
      "method": "EQUALS",
      "mitreTactic": [],
      "reference": [],
      "scope": "account",
      "scopeId": "1268419425097944269",
      "source": "Netskope",
      "threatActors": [],
      "type": "SHA256",
      "updatedAt": "2024-03-18T11:00:45.263263Z",
      "uploadTime": "2024-03-18T05:48:13.399541Z",
      "uuid": "3308ef9bde79444d7d41c5f537687483",
      "validUntil": "2024-09-14T11:00:45.263263Z",
      "value": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9"
    }
  ]
}
```
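The following is an added example, not code from the Netskope CE plugin or from SentinelOne. It ties together the Mappings section and the API Details above: it walks `/web/api/v2.0/threats` with the documented `createdAt__gte`, `createdAt__lte` and `limit` parameters and the `ApiToken` header, follows `pagination.nextCursor` until it is null, applies the pull mapping to each threat record, and then applies the push mapping to produce the documented POST body for `/web/api/v2.1/threat-intelligence/iocs`. Two assumptions are not on the page and are marked in the code: the HTTP layer is injected as a function `http_get(url, headers)` so the example runs offline against constructed sample records, and the next page is requested through a `cursor` query parameter. Note that the sample threat response above carries `fileSha256: null` and only a SHA1 in `fileContentHash`; the mapper skips such records rather than storing a non-SHA256 value as a SHA256 indicator.

```python
# Added example, not part of the Netskope CE plugin or the SentinelOne API code.
# Assumptions (not on the page): the HTTP layer is injected as http_get(url, headers)
# so this runs offline, and the next page is requested via a "cursor" query parameter.
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
S1_TYPE_NAMES = {"sha256": "SHA256", "md5": "MD5", "url": "URL"}


def threat_to_ioc(threat, management_url):
    """Pull mapping from the page: value <- fileSha256, comments <- classification plus
    console link, firstSeen <- createdAt, lastSeen <- updatedAt. Returns None when the
    record has no valid SHA256 (the page's sample threat has fileSha256: null and only a
    SHA1 in fileContentHash, which must not be stored as a SHA256 indicator)."""
    sha = threat.get("fileSha256")
    if not isinstance(sha, str) or not SHA256_RE.match(sha.lower()):
        return None
    return {
        "value": sha.lower(),
        "type": "sha256",
        "comments": (f"{threat.get('classification')}: {management_url}"
                     f"/analyze/threats/{threat['id']}/overview"),
        "firstSeen": threat["createdAt"],
        "lastSeen": threat["updatedAt"],
    }


def fetch_threats(http_get, management_url, token, created_gte, created_lte, limit=100):
    """GET /web/api/v2.0/threats with the documented createdAt__gte/createdAt__lte/limit
    parameters and ApiToken header, following pagination.nextCursor until it is null."""
    headers = {"Authorization": f"ApiToken {token}"}
    params = {"createdAt__gte": created_gte, "createdAt__lte": created_lte, "limit": limit}
    iocs, cursor = [], None
    while True:
        query = dict(params, cursor=cursor) if cursor else params  # assumption: "cursor" param
        page = http_get(f"{management_url}/web/api/v2.0/threats?{urlencode(query)}", headers)
        for threat in page.get("data", []):
            ioc = threat_to_ioc(threat, management_url)
            if ioc is not None:
                iocs.append(ioc)
        cursor = (page.get("pagination") or {}).get("nextCursor")
        if not cursor:
            return iocs


def _expiry(last_seen, aging_days):
    """expireAt the way Aging Criteria (default 90 days) would derive it from lastSeen."""
    seen = datetime.fromisoformat(last_seen.replace("Z", "+00:00"))
    due = (seen + timedelta(days=aging_days)).astimezone(timezone.utc)
    return due.isoformat().replace("+00:00", "Z")


def build_push_body(iocs, aging_days=90):
    """Push mapping from the page: value -> value, type -> type, value -> externalId,
    firstSeen -> creationTime, expireAt -> validUntil, comments -> description, in the
    documented POST body shape for /web/api/v2.1/threat-intelligence/iocs."""
    data = []
    for ioc in iocs:
        data.append({
            "value": ioc["value"],
            "type": S1_TYPE_NAMES[ioc["type"].lower()],
            "source": "Netskope",
            "externalId": ioc["value"],
            "method": "EQUALS",
            "creationTime": ioc["firstSeen"],
            "validUntil": ioc.get("expireAt") or _expiry(ioc["lastSeen"], aging_days),
            "description": ioc.get("comments", ""),
        })
    return {"data": data, "filter": {}}


def _fake_sentinelone_get(url, headers):
    """Constructed stand-in for the HTTP layer: two pages of sample threat records."""
    assert headers["Authorization"].startswith("ApiToken ")
    if "cursor=" not in url:  # first page, announces a second one via nextCursor
        return {"data": [
            {"id": "1860067293510813906", "classification": "Malware", "fileSha256": None,
             "createdAt": "2024-01-11T09:41:40.575731Z", "updatedAt": "2024-02-10T10:10:28.751389Z"},
            {"id": "1860067293510813907", "classification": "Malware",
             "fileSha256": "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9",
             "createdAt": "2024-01-11T09:42:00Z", "updatedAt": "2024-01-12T00:00:00Z"}],
            "pagination": {"nextCursor": "page2", "totalItems": 3}}
    return {"data": [
        {"id": "1860067293510813908", "classification": "Suspicious", "fileSha256": "a" * 64,
         "createdAt": "2024-01-13T00:00:00Z", "updatedAt": "2024-01-13T00:00:00Z"}],
        "pagination": {"nextCursor": None, "totalItems": 3}}


if __name__ == "__main__":
    pulled = fetch_threats(_fake_sentinelone_get, "https://tenant.example", "TOKEN",
                           "2024-01-01T00:00:00Z", "2024-02-01T00:00:00Z")
    print(len(pulled), "usable SHA256 indicators pulled")
    print(build_push_body(pulled)["data"][0])
```

Of the three constructed records, only two survive the mapper: the one mirroring the page's sample (`fileSha256: null`) is dropped, and the upper-case hash is normalised to lower case so that `externalId` and `value` match what SentinelOne echoes back in the push response above.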
Performance Matrix
These performance readings were taken while fetching and pushing 100K IoCs on a Large CE instance with the specifications below.
| Metric | Value |
|---|---|
| Stack details | Size: Large, RAM: 32 GB, CPU: 16 Cores |
| Indicators fetched from SentinelOne | ~11K per minute |
| Indicators shared with SentinelOne | ~33K per minute |
Workflow
- Add roles to a user.
- Get your SentinelOne Management URL and API token.
- Configure the SentinelOne Plugin.
- Configure a Business Rule for SentinelOne.
- Configure Sharing for Netskope and SentinelOne.
- Validate the SentinelOne Plugin.
Add Roles to a User
To configure the SentinelOne plugin, the user should have specific roles added. Follow these steps to add the necessary roles to your user.
- Log in to your SentinelOne platform.
- Go to Settings > Users > Roles > Actions > New Role.
- Provide a Role name and description, and add these Roles.
- Accounts -> view
- Groups -> view
- Roles -> view
- Sites -> view
- Endpoint threats -> Fetch Threat File
- Threat Intelligence -> Manage
- Click Save. Your Role will be added. If the user already has some roles assigned, make sure it has all the above-mentioned roles added to the existing roles.
- If your user has no roles assigned to them, add the newly added roles to your user by following the next steps.
- Go to Console Users and click on your user Email; a popup box will open. Click Actions > Change Scope of Access.
- Select the Role name created in the above steps and click Save.
Get Your SentinelOne Management URL and API Token
- Give the user permission to generate an API token.
- Log in to your SentinelOne dashboard.
- Click on your username on the top right corner, and then click My User.
- Click Actions > Api Token Operations > Regenerate API Token (generate if not already generated). Save the token once generated because it will only be visible once.
- After copying the API token, copy the Management URL. These are needed to configure the SentinelOne plugin.
Configure the SentinelOne Plugin
- In Cloud Exchange, go to Settings and click Plugins.
- Search for and select the SentinelOne Plugin box to open the plugin creation pages.
- Enter and select the Basic Information on the first page:
- Configuration Name: Unique name for the configuration.
- Sync Interval: Leave the default.
- Aging Criteria: Expiry time of the plugin in days. (Default: 90)
- Override Reputation: Set a value to override the reputation of indicators received from this configuration.
- Enable SSL Validation: Enable SSL Certificate validation.
- Use System Proxy: Enable if the proxy is required for communication.
- Click Next.
- Enter these Configuration Parameters:
- Management URL: Base URL for the SentinelOne API Endpoints
- API Token: API Token generated from the SentinelOne Platform.
- Site Name: Name of the site to fetch alerts from. Leave blank to pull all data.
- Initial Range: Number of days to pull the data for the initial run.
- Click Save.
Configure a Business Rule for SentinelOne
To share indicators fetched from SentinelOne with Netskope CE, you need a business rule that filters the indicators you want to share. To configure a business rule, follow these steps:
- In Threat Exchange, go to Business Rules and click Create New Rule.
- Add a Rule name and your required filters for the IoCs you want to share, and then click Save.
Configure Sharing for Netskope and SentinelOne
To share IoCs from Netskope CE to the SentinelOne platform, or from SentinelOne to Netskope, follow these steps:
- Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view. The Sharing page also has inputs to configure new sharing from one plugin to another.
- Click Add Sharing Configuration, and in the Source Configuration dropdown list, select SentinelOne.
- Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional. Data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each separately.
- Select a Target. Each plugin will have a different target or destination for the IoC. Select the existing IoC List Name, or create a new IoC list on the platform. Enter a List Size and Initial Range.
- Click Save.
- Repeat steps 2-5, but select Netskope as the Source Configuration and SentinelOne as the Destination Configuration.
- Click Save.
Modify, Test, or Delete a Sharing Configuration
Each configuration supports 3 actions:
- Edit the rule by clicking on the pencil icon.
- Test the rule by clicking on the synchronization icon. This tests how many IoCs will actually be sent to the destination system based on the timeframe and the rule.
- Delete the rule by clicking on the garbage can icon.
Validate the SentinelOne Plugin
Validate the Pull
- Based on the plugin configuration, indicators are pulled from SentinelOne. In Threat Exchange, go to Threat IoCs to view the received IoCs.
- On the SentinelOne platform, go to Incidents on the left side panel. In the Threats section, you can verify the indicators.
Validate the Push
- To verify shared indicators in Threat Exchange, go to Threat IoCs. Expand one of the Source plugin IoCs and check the status of Shared with Parameter.
- For more information, go to Logging.
Indicators shared to SentinelOne have no UI dashboard for viewing. However, you can use the API to see the ingested indicators.
Sample CURL:
```shell
curl --location 'https://usea1-partners.sentinelone.net/web/api/v2.1/threat-intelligence/iocs?limit=1000' \
  --header 'Authorization: ApiToken TOKEN' \
  --header 'Content-Type: application/json'
```
Troubleshooting
Unable to pull IoCs from the SentinelOne platform
After the plugin configuration, if the IoCs are not pulled from the platform, it might be due to one of the following.
- No IOCs are available on the platform to pull
- IOCs are not available for the given time range or do not match the configuration parameters.
What to do: Identify your root cause from the list above and follow the steps below to resolve the issue.
No IOCs are available on the platform to pull
Check if the IoCs are available on the platform to pull. If available, check the resolution for the next point.
IOCs are not available for the given time range
If the IoCs are available on the platform to pull, but the plugin has not pulled the IoCs in CE, check the number of days mentioned in the initial range parameter of the plugin configuration. On the SentinelOne platform, check if you have data for the given time range.
If the data is available for the given time range, it might be possible that the IoCs for the provided filter in the plugin configuration are not available, so check the values in the plugin Configuration Parameters, and filter the same on the SentinelOne platform.