In this article:
If you use Netskope Threat Exchange (CTE), leverage this integration to make SecurityScorecard findings appear in CTE as indicators of compromise (IoCs).
CTE is a near-real-time threat ingestion, curation, and sharing tool that enables Netskope customers and technology partners to bidirectionally exchange IoCs. It is part of the Netskope Cloud Exchange set of integration tools.
Get ready to integrate CTE
Before you set up the integration, make sure you have the following:
- A CTE account
- A paid SecurityScorecard account
- A SecurityScorecard API token (Learn how to create one if you do not have it yet.)
Set up the integration
To make SecurityScorecard findings appear in CTE as IoCs, do the following:
- In Netskope Cloud Exchange, select Threat Exchange from the left menu.
- In Threat Exchange, select Plugins from the left menu.
- Select Configure New Plugin and search for SecurityScorecard.
- Select SecurityScorecard, provide the basic configuration information as follows, and then click Next:
- Configuration Name: Enter a unique name for the plugin that identifies SecurityScorecard.
- Sync Interval: The default is 60 minutes, but 12 Hours is recommended based on the frequency of data coming from SecurityScorecard.
- Aging Criteria: Select a time window after which the indicator ages out.
- Override Reputation: You can replace the default reputation level of indicators with a different level. This is useful in sorting indicators.
- Enable SSL verification: Leave this setting activated unless you have a need or reason to disable it.
- Provide the configuration parameters and then click Save:
- API Token: Enter the SecurityScorecard API token you created.
- Portfolios: Enter a comma-separated list of Portfolio names (not IDs) that you want indicators to be sourced from.
- Company Grade Threshold: Select a maximum Scorecard grade to pull indicators from. If you select A, the integration pulls all Scorecards. If you select, B, the integration pulls all Scorecards lower than A, and so on.
- Tag Severity: Disregard this setting, which is not part of this integration.
After you finish the setup:
- The integration verifies your API token.
- Your plugin appears in the Configured Plugins menu.
- The integration starts to create IoCs, which appear in the Threat IoCs table.
Tip: You can modify the sync interval anytime to change the rate at which IoCs are created.
Start using the integration
Select Plugins to ensure at least once sync has executed by viewing the Plugins in CTE.
Select Threat IoCs in the left menu.
To see only the IoCs sourced from the SecurityScorecard plugin, search for the name you provided for the that plugin in your search.
Expand the IoC sources to view the types of indicators discovered by SecurityScorecard through the tags that have been added.
For more information on the cybersecurity posture of an organization, click the Extended Information link to view its Scorecard in the SecurityScorecard platform.
Note: The severity of the IoC source is based on the maximum severity among the discovered issue tags. A red tag indicates a high severity, and an orange tag indicates a medium severity.
If you need help or have questions about the integration, submit a Support request.