Netskope Help

Share the IoCs from an API Source to a Netskope Tenant

For example, if your use case requires sharing IoCs from the API Source to a Netskope tenant, you need to specify the Netskope tenant, a business rule, and a sharing configuration.

Configure the Netskope Tenant

To specify a Netskope tenant, go to Settings > Netskope Tenant and click Add Tenant.

  1. Enter these parameters:

    • Name: Enter a name for this tenant configuration.

    • Tenant Name: Enter the tenant name (do not include goskope.com).

    • V1 API Token: Enter the V1 API token, available from your Netskope tenant under Settings > Tools > Rest API v1.

    • V2 API Token (optional): Enter the V2 API token, available from your Netskope tenant under Settings > Tools > Rest API v2. Be sure to grant the token the proper permissions.

    • Initial Range (in days): Enter the number of days for which data must be pulled during the initial run.

    • Use System Proxy: Set this parameter if you have configured a proxy for the Cloud Exchange and you want this plugin to use the same proxy.

  2. Click Save.

Configure a Netskope Plugin for Threat Exchange

In Cloud Exchange, go to Settings > Plugins and click Netskope v1.0.0.0 (CTE).

  1. Enter these Basic Information parameters:

    • Configuration Name: Enter a name for this plugin.

    • Tenant: Enter the tenant configuration name that you defined when you created the Netskope tenant.

    • Aging Criteria: Set an expiration time (in days) for the indicator.

    • Override Reputation: Set this parameter to override the reputation of the indicators received from this configuration. Set 0 to keep the default.

  2. Click Next and enter the Configuration Parameters:

    • Enable Polling: Enable or disable polling data from Netskope.

    • Type of Threat Data: Select the data you want to share with this plugin. Possible values are: Malware, URL, or Both.

  3. Click Save.

After saving the plugin configuration, you will see the configured plugin under Threat Exchange > Plugins.

Create a Business Rule

Before creating a sharing configuration, you need to define a Business Rule, which sets the criteria for sharing IoCs between the two configurations. To do so, go to Threat Exchange > Business Rules and click Create New Rule. For example, the business rule below, called Every Severity, selects the IoCs with all the possible severities.

  1. Enter a Rule Name.

  2. Select the rules to use.

  3. Click Save.

Create a Sharing Configuration

To create a sharing configuration, go to Threat Exchange > Sharing and click Add Sharing Configuration:

  1. Enter these parameters:

    • Source Configuration: Enter a configuration name for the ‘API Source’ plugin you configured previously. Remember that the ‘API Source’ plugin can only push IoCs to a third party, which means that you cannot use an API Source as a destination configuration. If you want to read the IoCs from the Threat Exchange, use the corresponding GET method for the /api/cte/indicators/ endpoint below.

    • Business Rule: Select the Business Rule that you have defined previously and that states which indicators must be shared.

    • Destination Configuration: Enter the configuration of the Netskope tenant that you defined previously.

    • Target: Define the list where you want to insert the indicators of compromise. You can define a URL list or a hash list. Note that the lists must be defined in the Netskope tenant.

      Custom URL lists can be defined from Policies > Profiles > Web > URL Lists. A URL list must be inserted into a custom category to be enforced in a policy.

      Custom file profiles can be defined from Policies > Profiles > File. A file profile must be inserted into a custom malware profile to be used in a policy.

    • List Name: Enter the name of the list (URL or file) where you want the indicator to be inserted.

    • List Size: Enter a size for the list (default is 8Mb).

    • Default URL/File Hash: Enter the default list where the indicator must be inserted when the List Name field is empty.

  2. Click Save.