Sophos Plugin for Threat Exchange

This document describes how to configure the Sophos integration with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. The plugin fetches SHA256 threat indicators from Threat Graphs under Threat Analysis Center in the Sophos platform. It does not support sharing indicators to the Sophos platform.

Fetched indicator types

SHA256

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances).

  • A Threat Prevention subscription for malicious file hash sharing.

  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.

  • A Sophos instance.

  • A Service Principal ReadOnly user that can fetch events using the SIEM API.

Workflow
  1. Get your Sophos Client ID and Client Secret.

  2. Configure the Sophos plugin.

  3. Configure Sharing for Netskope and Sophos.

  4. Validate the Sophos Plugin.

Get your Sophos Client ID and Client Secret

  1. Log in to your Sophos Account.

  2. Go to Global Settings and click API Credentials.

  3. Enter a name for your credential set and a description, and then click Add.

  4. Click Copy to save the Client ID, and then click Show the Client Secret to unhide the value.

  5. Click Copy to save the Client Secret. These two values are needed for the Sophos plugin configuration.

Configure the Sophos plugin

  1. In Cloud Exchange, go to Settings > Plugins.

  2. Search for and select the Sophos plugin box to open the plugin creation page.

  3. Enter a Configuration Name.

  4. Adjust the Sync Interval to the appropriate value (suggested: 5+ minutes).

  5. Enter an Aging Criteria.

  6. Adjust the Override Reputation to the appropriate value.

  7. Click Next.

  8. Enter your Sophos Client ID and Client Secret.

  9. Click Save.

Configure Sharing for Netskope and Sophos

  1. In Threat Exchange, go to Sharing.

  2. Click Add Sharing Configuration.

  3. For Source Configuration, select the Sophos plugin you just created.

  4. Select an appropriate Business Rule from the dropdown.

  5. For Destination Configuration, select Netskope.

  6. For Target, select Add to File Hash List from the dropdown and enter a name and size.

  7. Click Save.