Share the IoCs from an API Source to a Netskope Tenant
As an example, if your use case requires sharing of IoCs from the API Source to a Netskope tenant, you need to specify the Netskope tenant, a business rule, and a sharing configuration.
Configure the Netskope Tenant
To specify a Netskope tenant, go to Settings > Netskope Tenant and click Add Tenant.
Enter these parameters:
Name: Enter a name for this tenant configuration name.
Tenant Name: Enter the tenant name (do not include goskope.com).
V1 API Token: Enter the V1 API token, available from your Netskope tenant under Settings > Tools > Rest API v1.
V2 API Token (optional): Enter the V2 API token, available from your Netskope tenant under Settings > Tools > Rest API v2. Be sure to provide the proper permission to the token.
Initial Range (in days): Enter the number of days for which data must be pulled during the initial run.
Use System Proxy: Set this parameter if you have configured a proxy for the Cloud Exchange and you want this plugin to use the same proxy.
Click Save.
 |
Configure a Netskope Plugin for Threat Exchange
In Cloud Exchange go to Settings > Plugins and click Netskope v1.0.0.0 (CTE).
Enter these Basic Information parameters :
Configuration Name: Enter a name for this plugin.
Tenant: insert the tenant configuration name that you have defined when you have created the Netskope tenant.
Aging Criteria: Set an expiration time (in days) for the indicator
Override Reputation: set this parameter to override the reputation of the indicators received from this configuration. Set 0 to keep the default.
Click Next and enter the Configuration Parameters:
Enable Polling: Enable or disable polling data from Netskope.
Type of Threat Data: Select the data you want to share with this plugin. Possible values are: Malware, URL, or Both.
Click Save.
After saving the plugin configuration, you will see the configured plugin under Threat Exchange > Plugins.
 |
Create a Business Rule
Before configuring a sharing configuration, you need to define a Business Rule, which decides the criteria to share the IoCs between the two configurations. To do so, go to Threat Exchange > Business Rules and click Create New Rule. For example, the business rule below, called Every Severity, selects the IoCs with all the possible severities.
Enter a Rule Name.
Select the rules to use.
Click Save.
 |
Create a Sharing Configuration
To create a sharing configuration, go to Threat Exchange > Sharing and click Add Sharing Configuration:
Enter these parameters:
Source Configuration: Enter a configuration name for the ‘API Source’ plugin you configured previously. Remember that the ‘API Source’ plugin can only push IoCs to a third-party. If you want to read the IoCs from the Threat Exchange, use the corresponding GET method for the
/api/cte/indicators/endpoint below. This means that you cannot insert an API Source as a destination configuration.Business Rule: Select the Business Rule that you have defined previously and that states which indicators must be shared.
Destination Configuration: insert the configuration of the Netskope tenant that you have defined previously.
Target: Define the list where you want to insert the indicators of compromise. It is possible to define a URL list or a hash list. Please do note that the lists must be defined in the Netskope tenant.
Custom URL lists can be defined from Policies > Profiles > Web > URL Lists. A URL list must be inserted into a custom category to be enforced in a policy.
Custom file profiles can be defined from Policies > Profiles > File. A file profile must be inserted into a custom malware profile to be inserted in a policy.
List Name: Enter the name of the list (URL or file) where you want the indicator to be inserted.
List Size: Enter a size for the list (default is 8Mb).
Default URL/File Hash: Enter the default list where the indicator must be inserted when the List Name field is empty.
Click Save.