
Netskope Plugin

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The ThreatQ-Netskope plugin package allows users to sync MD5, SHA-256, and URL type indicators from ThreatQ into the Netskope CTE.

Installation

Users must install the ThreatQ-Netskope plugin on the Netskope CTE server.

  1. SSH into the system containing the Netskope CTE.
  2. Enter the core docker container:
    docker exec -it core /bin/sh
  3. Install the ThreatQ SDK and then re-install the proper version of requests:
    pip install -i https://<user>:<password>@extensions.threatq.com/threatq/sdk threatqsdk==1.8.0
    pip install requests==2.22.0

    You can now terminate the SSH session.

  4. Log into the Netskope CTE.
  5. Navigate to the Plugins page.
  6. Click on the Add new Plugin button.
  7. Select the tq_mw_netskope tar.gz package and click the Upload button.

    You should now see a ThreatQ plugin button, as well as a Plugin Successfully Uploaded toast.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the plugin:

  1. Click on the ThreatQ plugin button to pull up the prompt.
  2. Enter the following parameters under the Basic Information tab for the plugin:

    Parameters annotated with a * are required.

    Parameter                           Description
    Configuration Name *                The plugin configuration name.
    Sharing Filters: Filter Query       Filter indicators while sharing with this plugin. The filter query can be generated from the Threat IoC page.
    Sharing Filters: Age of Indicators  Set this filter to limit sharing to indicators whose age (Last Seen) is within the time specified.
    Poll Interval *                     Interval at which to fetch data from the source.
    Aging Criteria *                    Expire indicators after the specified time.
    Override Reputation                 Value to override the reputation of indicators received from this configuration. Set 0 to keep the default.
    Enable SSL Verification             Enable SSL certificate verification.
    Use System Proxy                    Use the system proxy configured in settings.

    Basic Configuration tab screen
  3. Click Next to navigate to the Plugin Configuration tab.
  4. Enter the following configuration parameters under the Plugin Configuration tab:
    Parameter               Description
    ThreatQ URL             The full URL, including scheme, of the ThreatQ instance.
    ThreatQ Client ID       Client ID generated by the threatq:oauth2-client CLI command.
    ThreatQ Client Secret   Client Secret generated by the threatq:oauth2-client CLI command.
    ThreatQ Search Names    ThreatQ Threat Library data collection name. This can also be a comma-delimited list of ThreatQ Threat Library data collections.

    Plugin Configuration Screen
  5. Click on Save.

    You should now see your ThreatQ Configuration in the Configured Plugins.

ThreatQ OAuth Client Credentials

For the plugin to authenticate with ThreatQ, you first need to generate OAuth2 client credentials. This is done on the command line of the ThreatQ appliance.

  1. SSH into the console for the ThreatQ appliance.
  2. Execute the oauth2-client command:
    sudo /var/www/api/artisan threatq:oauth2-client --name=Netskope

    You can change this name to match your needs.

  3. Copy the client_id and client_secret for use in the ThreatQ-Netskope Plugin.

    Example Output

    sudo /var/www/api/artisan threatq:oauth2-client --name=Netskope
    session_timeout_minutes: 1440
    name: Netskope
    type: private
    client_id: ywewmmyymmm4mde3y2uyzdc2ytk2mjdh
    client_secret: MjY1OWUyM2RlZTQwZjdiODUxN2MzNGM5ZDZhMTA0MjE1M2VkOTdlNjUxMTI0MGY0
    created_at: 2020-05-13 16:47:20
    updated_at: 2020-05-13 16:47:20
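As an added example (not part of this guide or the plugin's own code), the following script parses the output of the threatq:oauth2-client command shown above and assembles the values required on the Plugin Configuration tab, rejecting a ThreatQ URL that lacks a scheme and splitting a comma-delimited list of search names. The sample output is constructed to match the Example Output, and the hostname threatq.example.com is a placeholder.

```python
"""Parse `threatq:oauth2-client` output and build the Netskope plugin
configuration values (added example, not the plugin's own code)."""
from urllib.parse import urlsplit

# Constructed sample, shaped like the Example Output in this guide; the
# secret is wrapped onto its own line as it can appear in a terminal.
SAMPLE_OUTPUT = """\
session_timeout_minutes: 1440
name: Netskope
type: private
client_id: ywewmmyymmm4mde3y2uyzdc2ytk2mjdh
client_secret:
MjY1OWUyM2RlZTQwZjdiODUxN2MzNGM5ZDZhMTA0MjE1M2VkOTdlNjUxMTI0MGY0
created_at: 2020-05-13 16:47:20
updated_at: 2020-05-13 16:47:20
"""


def parse_oauth2_client_output(text):
    """Return a dict of key -> value from 'key: value' lines. A key whose
    value is empty takes the next non-empty line as its value (wrapped secret)."""
    fields, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and " " not in key:          # a 'key: value' line
            if value.strip():
                fields[key], pending = value.strip(), None
            else:
                pending = key               # value continues on next line
        elif pending:                       # continuation line
            fields[pending], pending = line, None
    return fields


def plugin_config(fields, threatq_url, search_names):
    """Build the Plugin Configuration tab values; the URL must include the
    scheme and the search names may be a comma-delimited list."""
    parts = urlsplit(threatq_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("ThreatQ URL must include the scheme, e.g. https://host")
    missing = [k for k in ("client_id", "client_secret") if k not in fields]
    if missing:
        raise ValueError("oauth2-client output lacks: " + ", ".join(missing))
    return {
        "ThreatQ URL": threatq_url.rstrip("/"),
        "ThreatQ Client ID": fields["client_id"],
        "ThreatQ Client Secret": fields["client_secret"],
        "ThreatQ Search Names": [n.strip() for n in search_names.split(",") if n.strip()],
    }
```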


Known Issues / Limitations

  • At the time of writing, Netskope CTE only allows the use of MD5, SHA-256, and URL type indicators.

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

    Document                       ThreatQ Version
    Netskope Plugin Guide v1.0.0   4.24.0 or greater