Netskope Global Technical Success (GTS)
How to submit file hashes for Threat Scanning via API
Netskope Cloud Version - 120
Objective
To demonstrate the process for submitting file hashes for Threat Scanning via API
Prerequisite
Netskope Advanced Threat Protection license is required
Backend flag: “Retrohunt API Query” needs to be enabled. Raise a support case to get the flag enabled.
Context
Netskope also allows file hashes to be submitted for Threat Scanning via API. This KB describes how to calculate file hashes and submit them via API for File Detection (On Tenant) and Threat Scanning.
Demonstration
This process uses three API endpoints, as shown below:
- https://achadha.goskope.com/api/v2/nsiq/retrohunt/ioc/info
- https://achadha.goskope.com/api/v2/nsiq/retrohunt/ioc/getinfo
- https://achadha.goskope.com/api/v2/nsiq/retrohunt/ioc/report
Create a new token with the below permissions:
Path: Netskope Tenant UI >>> Settings >>> Tools >>> Rest API V2
- Click on “Save” and then copy the token
- Now click on API Documentation and go to the Swagger UI
Path: Netskope Tenant UI >>> Settings >>> Tools >>> Rest API V2
- On the Swagger UI, click on Authorise (at the top) and enter the token created/copied above.
- Now look for the “nsiq” requests or search for “retrohunt” and click on “Try it Out” for any of the three commands:
  - Get Single Sample Info: https://achadha.goskope.com/api/v2/nsiq/retrohunt/ioc/info
  - Get Sample Information In Batch (up to 500 hashes): https://achadha.goskope.com/api/v2/nsiq/retrohunt/ioc/getinfo
  - Get Sample Report: https://achadha.goskope.com/api/v2/nsiq/retrohunt/ioc/report
Example
- Get Single Sample Info:
- Get Sample Information In Batch:
- Get Sample Report:
Response information includes:
- Whether Threat Scanning Services has previously seen the file in the tenant traffic
- If seen, whether the file is benign or malicious
- Most recent detection date
- Threat severity level
- Name of detected threat
To calculate the SHA-256 hash value for any file, use the commands below:
- Windows (Powershell):
Get-FileHash .\sample.pac | Format-List
- macOS (Terminal):
shasum -a 256 sample.pac
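The following Python script is an added example, not part of the original Netskope article: it computes SHA-256 hashes the same way on Windows and macOS, validates and de-duplicates them, and splits them into groups of at most 500 for the batch request. The function names are hypothetical, and the API request body is not shown because this article does not document it; take it from the Swagger UI.

```python
import hashlib
import re
import tempfile
from pathlib import Path

BATCH_LIMIT = 500  # batch limit stated in this article for the 'getinfo' endpoint
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large samples are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_hashes(values):
    """Lowercase, validate and de-duplicate hashes, keeping first-seen order."""
    seen, rejected = {}, []
    for value in values:
        candidate = value.strip().lower()
        if SHA256_RE.fullmatch(candidate):
            seen.setdefault(candidate, None)
        else:
            rejected.append(value)  # e.g. an MD5 or a truncated copy/paste
    return list(seen), rejected


def batches(hashes, limit=BATCH_LIMIT):
    """Split the hash list into chunks no larger than the batch limit."""
    return [hashes[i:i + limit] for i in range(0, len(hashes), limit)]


def hash_directory(directory):
    """SHA-256 every regular file under a directory (recursive)."""
    return {str(p): sha256_file(p) for p in sorted(Path(directory).rglob("*")) if p.is_file()}


if __name__ == "__main__":
    # Constructed sample input: two identical small files in a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sample.pac").write_bytes(b"function FindProxyForURL(u, h) { return 'DIRECT'; }\n")
        Path(tmp, "copy.pac").write_bytes(b"function FindProxyForURL(u, h) { return 'DIRECT'; }\n")
        valid, rejected = normalize_hashes(hash_directory(tmp).values())
        for n, batch in enumerate(batches(valid), 1):
            print(f"batch {n}: {len(batch)} unique hash(es), {len(rejected)} rejected")
```

Identical files produce one hash after de-duplication, so each batch contains only unique values.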
Terms and Conditions
- Up to 500 hashes can be submitted in a Batch request ('getinfo' endpoint)
- In the future, if any such platform changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.