STIX/TAXII Plugin for Threat Exchange
STIX/TAXII Plugin for Threat Exchange
This document explains how to configure the STIX/TAXII integration with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration allows for sharing of URLs and Hashes with Netskope.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Secure Web Gateway subscription for URL sharing.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- A STIX/TAXII instance (AlienVault is used in this document).
Workflow
- Get your STIX/TAXII Discovery Path.
- Configure the STIX/TAXII Plugin.
- Configure Sharing for Netskope and STIX/TAXII.
- Validate the STIX/TAXII Plugin.
Click play to watch a video.
- Log in to your AlientVault account.
- On the API Integration menu, select TAXII.
- Scroll down to Discovery and copy your TAXII Discovery URL.
- In Cloud Exchange, go to Settings and click Plugins.
- Search for and select the STIX/TAXII plugin box to open the plugin creation pages.
- Enter the Basic Information on the first page:
- Configuration Name: Enter a name appropriate for your integration.
- Sync Interval: Adjust to environment needs. We recommend not to go below 5 minutes for production environments.
- Aging Criteria: Leave the default.
- Override Reputation: Leave the default.
- Enable SSL Verification: Leave the default.
- Click Next.
- Enter the Configuration Parameters on the second page:
- STIX/TAXII Version: Select the appropriate STIX/TAXII Version from the dropdown.
- Discovery URL: Enter your Discovery URL obtained earlier.
- Username and Password: Enter your Username and Password (default guest/guest in case of AlienVault).
- Collection Names: Enter comma separated Collection Names if you need to fetch indicators from only specific collections. Leave empty to fetch indicators from all collections.
- Pagination Method: Select an option from the dropdown.
- Initial Range: Leave the default.
- Enter Look Back (in hours) to pull the indicators of historical time from now on everytime the plugin syncs. Default value is set to empty and it will only be used when selected “Look Back” in Pulling Mechanism.
- Type of Threat Data to Pull: Leave the default. The rest of the values can remain as default.
- Click Save in the top right corner. Go to Threat Exchange > Plugins to see your new STIX/TAXII plugin.
- Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view as shown below. The Sharing page also has inputs to configure new sharing from one plugin to another.
- Click Add Sharing Configuration, and in the Source Configuration dropdown list, select STIX/TAXII.
- Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional. data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each separately.
- Select a Target. Each plugin will have a different target or destination for the IoC.
Depending on the Target selected, Add to URL List or Add to File Hash List, the remaining options change. If using a File Hash List, jump to the next step.
For a URL List, select a List Name, enter a New List Name. The List Name must exist in the Netskope UI. For information about creating a URL List, refer to Add a URL List. Now select a URL List Type, and then a List Size and Default URL.
- For Add a File Hash List, enter a List Name, List Size, and Default File Hash. The List Name needs to exist in your Netskope UI at Settings > Policies > Profiles. For information about creating a File Profile for hashes, refer to Adding a File Profile
- Click Save.
- Repeat steps 2-6, but select Netskope as the Source Configuration and STIX/TAXII as the Destination Configuration.
- Click Save.
Adding a new sharing configuration on the active source poll will share the existing IoCs of the source configuration to the destination configuration. Whenever a new sharing configuration is built, all the active IoCs will also be considered for sharing if they match the source/destination combination.
Note
Plugins that do not have API for ingesting data cannot receive threat data. This is true of the installed plugin API Source, which provides a bucket associated with an API endpoint for remote 3rd-party systems to push data to. Once a Sharing policy has been added, it takes effect.
After a sharing configuration has been created, the sharing table will show the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive matching IoC, and the target applicable to that rule. Multiple Sharing configurations can be made to support mapping certain IoC to multiple targets even on the system destination system.
Modify, Test, or Delete a Sharing Configuration
Each configuration supports 3 actions:
- Edit the rule by clicking on the pencil icon.
- Test the rule by clicking on the synchronization icon. This tests how many IoC will actually be sent to the destination system based on the timeframe and the rule.
- Delete the rule by clicking on the garbage can icon.
In order to validate the integration, you must have Hashes in AlertVault. STIX/TAXII polling Intervals are defined during plugin configuration.
- In Cloud Exchange, select Threat IoCs
- In your Netskope tenant, click on Policies. Select File and Test (File Hash List Name of Netskope plugin). Then click File Hash.
- If data is not being brokered between the platforms, look at the audit logs in Cloud Exchange (menu item found in the left menu of Cloud Exchange).
In Cloud Exchange, select Logging and look through the logs for errors. If unable to successfully troubleshoot, open a support ticket with Netskope.
