Netskope Secure Web Gateway Custom Response Integration

Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised to use that integration instead.
This article shows how to leverage the Lumu Defender API and the Netskope URL list REST API to mitigate security risks.
Figure: Data collection setup from Netskope Events API to Lumu.

Requirements

  1. Netskope Secure Web Gateway license.
    1. You need to have a Netskope Secure Web Gateway license and it must be enabled. Please refer to About Netskope Secure Web Gateway on Netskope's official documentation.
  2. Netskope API key v1.
    1. For further reference, please refer to Netskope Platform REST API on Netskope's official documentation.
  3. Lumu Defender API key.
  4. Scripting host with Python v3.6+.
    1. The host must be able to reach both the Netskope REST API and the Lumu Defender REST API endpoints.
  5. Script package.
    1. Contact the Lumu Support Team to request the package we created to deploy the required files.

Set up Netskope Secure Web Gateway

First, you need to define a URL list, associate it with a Custom Category, and reference that Custom Category in a Real-time Protection policy. For further reference, please refer to Create Custom Categories and Create a Real-time Protection Policy for Web Categories on Netskope's official documentation.

Figure: Real-time protection policy sample.

Deploy the script

First, contact the Lumu Support Team  to request the deployment package.

Script location

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <netskope_lumu_root>.

Install requirements

The file requirements.txt contains the list of dependencies for this script. After deploying the package locally, run the following command from the deployment folder:

[sudo] pip install -r ./requirements.txt

Script details

To use the script, change into the deployment folder (<netskope_lumu_root>). Use the following command to show all options available for the package:

python lumu_netskope.py --help

Usage: lumu_netskope.py [options]

Option                                                      Description
-h, --help                                                  Show this help message and exit.
--config CONFIG                                             
--company-key COMPANY_KEY, --company_key COMPANY_KEY        Lumu Company Key (Defender API).
--proxy-host PROXY_HOST, --proxy_host PROXY_HOST            Proxy host (if required).
--proxy-port PROXY_PORT, --proxy_port PROXY_PORT            Proxy port (if required).
--proxy-user PROXY_USER, --proxy_user PROXY_USER            Proxy user (if required).
--proxy-password PROXY_PASSWORD, --proxy_password PROXY_PASSWORD
                                                            Proxy password (if required).
--logging {screen,file}                                     Logging option (default: screen).
--verbose, -v                                               Verbosity level.
--tenant TENANT                                             Netskope tenant.
--key KEY                                                   Netskope API key.
--version VERSION                                           Netskope API version (default: 1).
--adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}, --adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing}
                                                            Lumu adversary types to be filtered.
--url-list URL_LIST, --url_list URL_LIST                    Netskope URL list name to populate.


Usage examples

Task: fetch all adversaries detected by Lumu in the last 30 days and push them into the Netskope URL list
Use the following command to fetch all adversaries detected by Lumu in the last 30 days and push them to the defined Netskope URL list.

python lumu_netskope.py --tenant <netskope-tenant> --key <netskope-api-key> --company-key <lumu-defender-api-key> --url-list <netskope-url-list-name>

Each time the script runs, it overwrites the list contents. Because of Netskope API limitations, there is no way to append new indicators to an existing list.

Task: fetch Lumu-detected adversaries filtered by type
Use the option --adversary-types ADVERSARY-TYPE to restrict your query to specific types of adversaries. If you need to include more than one type, repeat the option as follows:
python lumu_netskope.py --tenant <netskope-tenant> --key <netskope-api-key> --company-key <lumu-defender-api-key> --url-list <netskope-url-list-name> --adversary-types C2C --adversary-types Mining

In this example, the script fetches Lumu-detected adversaries of types C&C and Mining.

Task: save log output to file
Use the argument --logging file to store a record of all tasks run. With this option, the entire script output is redirected to a file named lumu_netskope.log in the script root path (<netskope_lumu_root>).
python lumu_netskope.py --tenant <netskope-tenant> --key <netskope-api-key> --company-key <lumu-defender-api-key> --url-list <netskope-url-list-name> --logging file

Other tasks
The above samples can be combined according to your needs.
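The following is an added example, not Lumu's script and not Netskope's or Lumu's API client. It mirrors the option set from the table above (including the hyphen/underscore aliases and the repeatable --adversary-types flag), applies the type filter to a constructed set of adversary records, and computes what the overwrite semantics described above would do to an existing list: entries from a previous run that the current query no longer returns are dropped, not kept. The record field names (adversary, type) and all sample values are assumptions made for this example.

```python
import argparse
from typing import Dict, Iterable, List, Optional, Sequence

# Adversary types listed in the script's --adversary-types choices.
ADVERSARY_TYPES = ("C2C", "Malware", "DGA", "Mining", "Spam", "Phishing")


def build_parser() -> argparse.ArgumentParser:
    """Hypothetical argparse layout reproducing the options table (not Lumu's code)."""
    p = argparse.ArgumentParser(prog="lumu_netskope.py", usage="lumu_netskope.py [options]")
    p.add_argument("--config", help="Configuration file")
    p.add_argument("--company-key", "--company_key", dest="company_key",
                   help="Lumu Company Key (Defender API)")
    p.add_argument("--proxy-host", "--proxy_host", dest="proxy_host")
    p.add_argument("--proxy-port", "--proxy_port", dest="proxy_port", type=int)
    p.add_argument("--proxy-user", "--proxy_user", dest="proxy_user")
    p.add_argument("--proxy-password", "--proxy_password", dest="proxy_password")
    p.add_argument("--logging", choices=("screen", "file"), default="screen")
    # -v can be repeated (-vv) to raise the verbosity level.
    p.add_argument("--verbose", "-v", action="count", default=0)
    p.add_argument("--tenant", help="Netskope tenant")
    p.add_argument("--key", help="Netskope API key")
    p.add_argument("--version", default="1", help="Netskope API version")
    # action="append" is what makes "--adversary-types C2C --adversary-types Mining" work.
    p.add_argument("--adversary-types", "--adversary_types", dest="adversary_types",
                   action="append", choices=ADVERSARY_TYPES)
    p.add_argument("--url-list", "--url_list", dest="url_list", help="Netskope URL list name")
    return p


# Constructed sample records; the schema is an assumption, not the Defender API's.
SAMPLE_ADVERSARIES = [
    {"adversary": "c2.example.test", "type": "C2C"},
    {"adversary": "miner.example.test", "type": "Mining"},
    {"adversary": "C2.EXAMPLE.TEST", "type": "C2C"},  # same host, different case
    {"adversary": "phish.example.test", "type": "Phishing"},
    {"adversary": "dropper.example.test/payload", "type": "Malware"},
]


def build_url_list(records: Iterable[Dict[str, str]],
                   adversary_types: Optional[Sequence[str]] = None) -> List[str]:
    """Return the de-duplicated entries that would replace the URL list contents.

    Entries are kept in first-seen order; when adversary_types is given, only
    records of those types are included (the --adversary-types behaviour).
    """
    wanted = set(adversary_types) if adversary_types else None
    seen = set()
    entries: List[str] = []
    for rec in records:
        if wanted is not None and rec["type"] not in wanted:
            continue
        entry = rec["adversary"].strip().lower()
        if entry in seen:
            continue
        seen.add(entry)
        entries.append(entry)
    return entries


def overwrite_diff(current: Sequence[str], new: Sequence[str]) -> Dict[str, List[str]]:
    """Show the effect of a full overwrite: what a run adds, keeps and silently drops."""
    cur, nxt = set(current), set(new)
    return {"added": sorted(nxt - cur), "kept": sorted(cur & nxt), "dropped": sorted(cur - nxt)}


if __name__ == "__main__":
    args = build_parser().parse_args(["--tenant", "<tenant>", "--key", "<key>",
                                      "--company-key", "<company-key>",
                                      "--url-list", "Lumu-Adversaries",
                                      "--adversary-types", "C2C",
                                      "--adversary_types", "Mining"])
    new_list = build_url_list(SAMPLE_ADVERSARIES, args.adversary_types)
    print("List to push into", args.url_list, ":", new_list)
    # Pretend the previous run had pushed these two entries.
    print(overwrite_diff(["c2.example.test", "stale.example.test"], new_list))
```

The dropped key of overwrite_diff is the check worth keeping around when you schedule the script: because every run replaces the list, an adversary that falls outside the query window or the type filter disappears from the URL list on the next run, so the schedule and the filter together decide how long a block stays in force.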

Expected results

After running the script, all queried adversaries will be pushed into the selected URL list as follows:

Figure: Netskope URL list populated by the script.

Policy enforcement will show up as alerts in the Netskope Console:

Figure: Netskope SkopeIT alerts.

Further considerations

To run the script on a timely basis, consider implementing a Scheduled job in Windows or a cron task in Unix-based systems.

Troubleshooting

To identify failures in the script's execution, run it with the -v flag to increase the verbosity of its output.