Trellix Plugin for Threat Exchange

This document explains how to configure the Trellix plugin for the Threat Exchange module of the Netskope Cloud Exchange platform. The plugin fetches MD5 and SHA256 hashes and URL-type indicators (domains, IPv4 and IPv6 addresses, and URLs) from Trellix EPO. It does not support pushing data to the Trellix platform.

Prerequisites

  • Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • File Profile on the Netskope tenant.
  • URL List on the Netskope tenant.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • Trellix platform access.
  • Trellix developer access with pre-approved client credentials.
  • Connectivity to the following host: Trellix Platform (for example, https://api.manage.trellix.com)

CE Version Compatibility

Netskope CE: v4.2.0, v5.0.0, v5.0.1

Trellix Plugin Support

Fetched indicator types

URL (Domains, URLs, IP (IPv4, IPv6)), SHA256, MD5

Shared indicator types

Not Supported

Mappings

Severity

Trellix Severity (lethality score)    CE Severity
Destruction (>70)                     Critical
Malicious (51-70)                     High
Malicious Enabler (31-50)             Medium
Probable Malicious (16-30)            Low
Dual Use (1-15)                       Low
Unconfirmed (0/Null)                  Unknown

Mappings for Pull (Netskope fields – Trellix fields)

Netskope CE Fields    Trellix Fields
type                  attributes.type
value                 attributes.value
firstSeen             attributes.created-on
comments              attributes.comments
severity              attributes.lethality
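
The two mapping tables above applied in code, as an added example that is not part of the Netskope plugin or of this page: map_severity turns a Trellix lethality score into the CE severity, and map_ioc copies the mapped Trellix attributes into CE fields. The lethality ranges and field names come from the tables; the record is constructed to match the shape of the Get IoCs sample response later on the page, and the lowercase type labels in SUPPORTED_TYPES are an assumption, not something the page lists.

```python
"""Apply the Trellix -> Netskope CE severity and field mappings."""
from typing import Optional


def map_severity(lethality: Optional[int]) -> str:
    """Trellix lethality -> CE severity, per the Severity mapping table.

    Ranges are inclusive. 0 or null is "Unconfirmed"; negative values are not
    in the table and are treated as unconfirmed as well (an assumption).
    """
    if lethality is None or lethality <= 0:
        return "Unknown"      # Unconfirmed (0/Null)
    if lethality > 70:
        return "Critical"     # Destruction (>70)
    if lethality >= 51:
        return "High"         # Malicious (51-70)
    if lethality >= 31:
        return "Medium"       # Malicious Enabler (31-50)
    if lethality >= 16:
        return "Low"          # Probable Malicious (16-30)
    return "Low"              # Dual Use (1-15)


# Indicator types the plugin pulls (MD5, SHA256, Domain, URL, IP). The exact
# Trellix type labels are assumed to be lowercase, like the "sha1" in the
# sample response; the page does not list them.
SUPPORTED_TYPES = {"md5", "sha256", "domain", "url", "ip"}


def is_supported(record: dict) -> bool:
    """True if the plugin would ingest this record's indicator type."""
    return record.get("attributes", {}).get("type", "").lower() in SUPPORTED_TYPES


def map_ioc(record: dict) -> dict:
    """One Trellix IoC record -> the CE fields in the 'Mappings for Pull' table."""
    attrs = record["attributes"]
    return {
        "type": attrs["type"],
        "value": attrs["value"],
        "firstSeen": attrs["created-on"],
        # The table maps comments to attributes.comments, but the sample
        # response carries the key "comment"; accept either spelling.
        "comments": attrs.get("comments", attrs.get("comment", "")),
        "severity": map_severity(attrs.get("lethality")),
    }


# Constructed record, shaped like one element of "data" in the sample response.
# The hash is the well-known SHA-1 of the empty string, not a real indicator.
SAMPLE_RECORD = {
    "type": "iocs",
    "id": "00000000-0000-0000-0000-000000000000",
    "attributes": {
        "type": "sha1",
        "value": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "comment": "",
        "lethality": 70,
        "determinism": 30,
        "created-on": "2024-03-30T13:33:20.000Z",
    },
}

if __name__ == "__main__":
    print(is_supported(SAMPLE_RECORD), map_ioc(SAMPLE_RECORD))
```

Two details worth noticing when you run it: a lethality of 70 maps to High, not Critical, because the Destruction band starts strictly above 70; and the sample record's type, sha1, is not among the indicator types the plugin pulls, so is_supported returns False for it.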
Permissions

Below are the permissions (OAuth scopes) the plugin needs to pull data from Trellix using the Get IoCs API.
Note: You need to generate a Client ID and Client Secret on the Trellix Platform; contact Trellix support for that.

  • ins.user
  • ins.suser
  • ins.ms.r
  • soc.act.tg
API Details
List of APIs used

API Endpoint                                       API Method   Use Case
https://iam.mcafee-cloud.com/iam/v1.4/token        POST         Authorization: generates the access token.
https://api.manage.trellix.com/insights/v2/iocs    GET          Pulls indicators, in pages, from the Trellix Platform.
Authorization API

API Endpoint: https://iam.mcafee-cloud.com/iam/v1.4/token
API Method: POST
Headers:

Key Value
Authorization <Basic Token>
Content-Type application/json
x-api-key <Trellix API Key>
Accept application/json

Body:

Key           Value
scope         ["ins.user | ins.suser | ins.ms.r | soc.act.tg"]
grant_type    client_credentials
audience      iam_client

Sample API Response:

{
    "tid": 1134613553,
    "token_type": "Bearer",
    "expires_in": 600,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImI3SUFJeXpseDUyOG9sdjZWNEx6dFRRU0oxWSIsImtpZCI6ImI3SUFJeXpseDUyOG9sdjZWNEx6dFRRU0oxWSJ9....cdOP9qC49Szr55JHZNMVnsIPYEeKt99OO8Xi_SMr485P1f7SaSUL07nTSJZHIxVDs82C3pbW7RpA4TWLYmpnxbj8T8kUwsOlPFwz_13aQkN_RGDB3C4ahpG6KDTtsl6suqTCmwNQhABmMpIo0O75YmXZsrIcj_0pesXPgzXeDsICiUVTdwkheQETE6uX2MKHJpPak5sbCcyxIXyk5uRD9z2O9PqGr8M_D3QHV_PZgLYwuC0UlwKXXeSg6JrdM75UQowF1pRarDacv9EyYBfOc0eAKfTtQuOiLGBU4_xQbXDArm"
}

Get IoCs API

API Endpoint: <Trellix Base URL>/insights/v2/iocs
API Method: GET
Headers:

Key Value
Authorization <Bearer Token>
Content-Type application/json
x-api-key <Trellix API Key>
Accept application/json

Query Parameters:

Key                        Value
filter[created_on][gte]    Date and time as a string, for example 2024-03-19T06:55:42.989219Z (as in the sample response links below)
page[limit]                Page size; 1000 is the maximum limit Trellix supports
page[offset]               Starting from 0

Sample API Response:

{
    "links": {
        "self": "https://api.manage.trellix.com/insights/v2/iocs?filter[created_on][gte]=2024-03-19T06:55:42.989219Z&page[limit]=1000&page[offset]=0",
        "first": "https://api.manage.trellix.com/insights/v2/iocs?filter[created_on][gte]=2024-03-19T06:55:42.989219Z&page[limit]=1000&page[offset]=0",
        "last": "https://api.manage.trellix.com/insights/v2/iocs?filter[created_on][gte]=2024-03-19T06:55:42.989219Z&page[limit]=1000&page[offset]=23000",
        "prev": null,
        "next": "https://api.manage.trellix.com/insights/v2/iocs?filter[created_on][gte]=2024-03-19T06:55:42.989219Z&page[limit]=1000&page[offset]=1000"
    },
    "data": [
        {
            "type": "iocs",
            "id": "0004f51a-e281-4764-9912-498d4aaf3c80",
            "links": {
                "self": "https://api.manage.trellix.com/insights/v2/iocs/0004f51a-e281-4764-9912-498d4aaf3c80"
            },
            "attributes": {
                "type": "sha1",
                "value": "9c45cd81c6d70dc584a58646aab8fdfc1102501b",
                "coverage": null,
                "uid": "e90bdf44-d93a-48df-a998-4271f5486922",
                "is-coat": 0,
                "is-sdb-dirty": 0,
                "category": "Payload delivery",
                "comment": "",
                "lethality": 70,
                "determinism": 30,
                "created-on": "2024-03-30T13:33:20.000Z"
            },
            "relationships": {
                "campaigns": {
                    "links": {
                        "self": "https://api.manage.trellix.com/insights/v2/iocs/0004f51a-e281-4764-9912-498d4aaf3c80/relationships/campaigns",
                        "related": "https://api.manage.trellix.com/insights/v2/iocs/0004f51a-e281-4764-9912-498d4aaf3c80/campaigns"
                    }
                }
            }
        }
    ]
}
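
The two calls above stitched together, as an added example rather than code from the Netskope plugin: token_request builds the Authorization API call from the header and body tables, pull_iocs walks the Get IoCs endpoint with the page[limit] and page[offset] parameters until links.next is null, and an HTTP 429 stops the walk outright, since the rate limit described under Known Behavior does not reset the same day. URLs, headers, body keys and query parameters are the ones listed on this page; the Basic token construction (base64 of client_id:client_secret) and the space-separated scope string are assumptions, and scripted_transport, sample_page and SAMPLE_SINCE are constructed fixtures, not Trellix data.

```python
import base64
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

TOKEN_URL = "https://iam.mcafee-cloud.com/iam/v1.4/token"
IOC_PATH = "/insights/v2/iocs"
PAGE_LIMIT = 1000  # page[limit]: the maximum Trellix supports
# Constructed start time, matching the filter value in the sample response links.
SAMPLE_SINCE = datetime(2024, 3, 19, 6, 55, 42, 989219, tzinfo=timezone.utc)
# A transport takes (url, headers, method, body) and returns (HTTP status, parsed JSON).
Transport = Callable[[str, Dict[str, str], str, bytes], Tuple[int, dict]]


class RateLimited(Exception):
    """HTTP 429: per Known Behavior the limit does not reset until the next day."""

    def __init__(self, message: str, partial: Optional[List[dict]] = None):
        super().__init__(message)
        self.partial = partial or []  # records pulled before the 429, for the caller to keep


def token_request(api_key: str, client_id: str, client_secret: str):
    """Headers and body of the Authorization API call, from the tables above."""
    # Assumption: <Basic Token> is base64(client_id:client_secret), the usual
    # client_credentials form; the page does not spell out its construction.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/json",
               "x-api-key": api_key, "Accept": "application/json"}
    # The page lists the scopes separated by "|"; a space-separated OAuth 2.0
    # scope string is assumed here.
    body = {"scope": "ins.user ins.suser ins.ms.r soc.act.tg",
            "grant_type": "client_credentials", "audience": "iam_client"}
    return TOKEN_URL, headers, body


def fetch_token(api_key: str, client_id: str, client_secret: str, transport: Transport) -> str:
    """POST the token request and return the bearer token (expires_in is 600 s in the sample)."""
    url, headers, body = token_request(api_key, client_id, client_secret)
    status, payload = transport(url, headers, "POST", json.dumps(body).encode())
    if status == 429:
        raise RateLimited("token endpoint returned HTTP 429")
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return payload["access_token"]


def ioc_query(since: datetime, offset: int) -> str:
    """Get IoCs query string; urlencode percent-encodes the brackets (%5B/%5D)."""
    return urlencode({"filter[created_on][gte]": since.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
                      "page[limit]": PAGE_LIMIT, "page[offset]": offset})


def pull_iocs(base_url: str, bearer: str, api_key: str, since: datetime,
              transport: Transport) -> List[dict]:
    """Walk pages from offset 0 until links.next is null; stop hard on HTTP 429."""
    headers = {"Authorization": f"Bearer {bearer}", "Content-Type": "application/json",
               "x-api-key": api_key, "Accept": "application/json"}
    records: List[dict] = []
    offset = 0
    while True:
        url = f"{base_url.rstrip('/')}{IOC_PATH}?{ioc_query(since, offset)}"
        status, payload = transport(url, headers, "GET", b"")
        if status == 429:
            # Retrying today will not help, so stop rather than hammer the endpoint.
            raise RateLimited(f"HTTP 429 after {len(records)} records", records)
        if status != 200:
            raise RuntimeError(f"Get IoCs failed: HTTP {status}")
        page = payload.get("data", [])
        records.extend(page)
        # An empty page also ends the walk, so a bad "links" object cannot loop forever.
        if not page or not payload.get("links", {}).get("next"):
            return records
        offset += PAGE_LIMIT


def urllib_transport(url: str, headers: Dict[str, str], method: str, body: bytes):
    """Real transport on the standard library; HTTP errors come back as a status code."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def scripted_transport(bodies: List[dict]) -> Transport:
    """Offline transport: serve constructed bodies in order, then answer 429."""
    queue = list(bodies)

    def transport(url, headers, method, body):
        return (200, queue.pop(0)) if queue else (429, {})
    return transport


def sample_page(ids: List[str], has_next: bool) -> dict:
    """Constructed page shaped like the sample response (only the fields used here)."""
    return {"links": {"next": "https://example.invalid/next" if has_next else None},
            "data": [{"type": "iocs", "id": i, "attributes": {}} for i in ids]}
```

To run it against the real API, call fetch_token and then pull_iocs with urllib_transport and the Base URL, API Key, Client ID and Client Secret from the plugin configuration. Keep since as a timezone-aware UTC datetime, because the filter value in the sample links carries a trailing Z; and on RateLimited, persist err.partial and the last offset rather than retrying, since the page notes the limit only resets the next day.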

Performance Matrix

This reading was taken on a Large CE stack with the specs listed below, pulling and pushing 100K IoCs.

Stack details

Size: Large
RAM: 32 GB
CPU: 16 Cores

Indicators fetched from Trellix: ~2.4k per minute

User Agent

netskope-ce-5.0.1-cte-trellix-v1.0.0

Workflow

  1. Get the API Key, Client Secret and Client ID.
  2. Configure the Trellix plugin.
  3. Configure a Business Rule.
  4. Configure Sharing.
  5. Validate the plugin.

Get your Trellix API Key, Client ID, and Client Secret

  1. Log in to your Trellix Developer Portal and click Self Service.
  2. Under Self Service, click API Access Management.
  3. Copy the API Key.
  4. Scroll down and generate Client ID and Client Secret, and then copy them.

Configure the Trellix Plugin

  1. Log in to Cloud Exchange and go to Settings > Plugins.
  2. Search for and select the Trellix plugin box to configure the plugin.
  3. Enter and select these parameters:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Leave the default.
    • Aging Criteria: Number of days after which indicators pulled through this configuration expire (default: 90).
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if the proxy is required for communication.

  4. Click Next.
  5. Enter and select these parameters:
    • Base URL: Trellix Base URL. For example: https://api.manage.trellix.com/.
    • API Key: The Trellix API Key you obtained earlier.
    • Client ID: The Client ID you obtained earlier.
    • Client Secret: Client Secret you obtained earlier.
    • Type of Threat data to pull: The indicator types to pull. Allowed values are MD5, SHA256, Domain, URL, and IP.
    • Initial Range: Number of days of historical Threat IoCs to pull on the first run.

  6. Click Save.

Configure a Threat Exchange Business Rule for the Trellix Plugin

To share indicators fetched from Trellix with the Netskope tenant, you need a business rule that filters the indicators you want to share. To configure a business rule:

  1. In Threat Exchange, go to Business Rule and click Create New Rule.
  2. Add the filter according to your requirement in the rule, and then click Save.

Configure Threat Exchange Sharing for the Trellix Plugin

To share IoCs from Trellix to Netskope:

  1. In Threat Exchange, go to Sharing and click Add Sharing Configuration.
  2. Select your Source Configuration (Trellix), a Business Rule, Destination Configuration (Netskope CTE), and Target.
  3. Click Save.

Validate the Trellix Plugin

Validate the Pull

Pulled data will be listed on the Threat IoCs page. You can filter the IoCs pulled from the platform using the filter: IoC by Sources-Source-Contains-<plugin name>.

To verify pulled logs on Cloud Exchange, go to Logging and search logs from the CTE Trellix plugin.

To verify the data available for pulling on Trellix:

  1. Log in to Trellix.
  2. On the left menu bar under MVISION, click Trellix Insights.
  3. Under Campaigns, click on any one.

Validate the Push

To validate the push in Cloud Exchange, go to Logging and filter shared logs for CTE Netskope.


To verify on the Netskope tenant:

  1. Log in to your tenant.
  2. Click Policies.
  3. For SHA256 hashes, click File and locate the File Profile name that you entered while configuring sharing.
  4. For URLs (IP and Domain), click Web > URL Lists and click the URL List that was used while configuring sharing.

Troubleshooting

Indicators are not pulled from the Trellix platform

After the plugin configuration, if the IoCs are not pulled from the platform, it might be due to one of the following.

  • IoCs are not available on the platform to pull.
  • IoCs are not available for the given time range.

IoCs are not available on the platform to pull

Go to the Trellix Platform and, on the left menu bar under MVISION, click Trellix Insights. Check that campaigns are available.

IoCs are not available for the given time range

If the IoCs are available on the platform but the plugin has not pulled them into CE, check the number of days set in the Initial Range parameter of the plugin configuration, and then check on Trellix whether data exists for that time range.

Known Behavior

While pulling IoCs from the Trellix Platform, we have received HTTP 429 (rate limit) errors, and once the limit is hit it does not reset until the next day.
