This document describes the Netskope Direct to Zero Trust App which integrates Netskope (Malsite & Malware alerts) with CrowdStrike Falcon Foundry to extract, normalize, deduplicate, and manage IOCs (Indicators of Compromise). It also describes workflows that push CrowdStrike-detected IOCs back to Netskope URL and File Lists.
Note: The Netskope Direct to Zero Trust App gives customers another option for sharing IOCs besides Cloud Exchange.

What this app does
1. Fetch Malsite Alerts and extract domain IOCs from those alerts.
2. Fetch Malware Alerts and extract MD5 / SHA256 IOCs from those alerts.
3. Fetch Domain, IPv4, MD5, and SHA256 IOCs from CrowdStrike and update Netskope URL and File Lists accordingly.
Prerequisites
1. CrowdStrike Falcon tenant with Foundry license
2. Netskope tenant
Netskope v1 and v2 token creation
Netskope v2 token
Go to Netskope Tenant > Settings > Administration > Administrators & Roles
Create a role with the following permissions:
- Object > URL List > Manage and Apply
- Skope IT > Alerts > View
Go to the Administrators tab and create the service account to obtain the v2 API token.
Netskope v1 token
Go to Netskope Tenant > Settings > Tools > Rest API v1
App Configuration
Install the Netskope Foundry App and complete the v1 and v2 API configuration. Provide the host: if your tenant is 'test.goskope.com', set the host to 'test'. Perform the configuration for both API versions.
Workflows
The app provides the following workflows. Each workflow is listed with a description and its configuration notes.
1) Update Netskope URL List – CrowdStrike (Historical)
Description: Fetches historical domain and IPv4 IOCs and updates the Netskope URL List. Runs on demand.
Notes:
- Set 'Days' to the lookback window needed.
- Optionally add filters in 'Get CrowdStrike Domain and IPv4 IOCs'.
2) Update Netskope URL List – CrowdStrike (Hourly)
Description: Fetches domain and IPv4 IOCs and updates the Netskope URL List. Runs every hour.
Notes:
- Optionally add filters in 'Get CrowdStrike Domain and IPv4 IOCs'.
3) Update Netskope Hash List – CrowdStrike
Description: Fetches MD5 and SHA256 IOCs and updates the Netskope File (hash) List. Runs on demand.
Notes:
- Set 'Days' to the lookback window needed.
- Optionally add filters in 'Get CrowdStrike MD5 and SHA256 IOCs'.
- Limitation: Maximum 7000 IOCs can be updated in the Netskope Hash List per run.
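The script below is an added example and is not code from the Netskope Direct to Zero Trust App or its Foundry workflows. It illustrates two points from this page: the extract, normalize and deduplicate step described under "What this app does" (domains pulled from Malsite alert URLs, MD5 and SHA256 hashes pulled from Malware alerts, with case and duplicates folded together), and the limit of 7000 IOCs per Netskope Hash List run noted above, by splitting the deduplicated hashes into runs that stay under that cap. The alert records and their field names (url, md5, sha256) are constructed for the example and are not the Netskope alert schema.

```python
"""
Added example (not part of the Netskope Direct to Zero Trust App): normalize
and deduplicate IOCs from constructed Netskope-style alert records, then split
the hash IOCs into batches of at most 7000, the documented per-run limit for
the Netskope Hash List. Alert field names here are assumptions, not the real schema.
"""
import re
from urllib.parse import urlparse

MAX_HASH_LIST_BATCH = 7000  # documented per-run limit for the Netskope Hash List

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample alerts; the keys are assumed for illustration only.
SAMPLE_MALSITE_ALERTS = [
    {"alert_type": "malsite", "url": "http://Bad.Example.COM/landing?x=1"},
    {"alert_type": "malsite", "url": "https://bad.example.com:8443/other"},
    {"alert_type": "malsite", "url": "evil.example.net/path"},
    {"alert_type": "malsite", "url": "not a url"},
]
SAMPLE_MALWARE_ALERTS = [
    {"alert_type": "malware", "md5": "D41D8CD98F00B204E9800998ECF8427E", "sha256": ""},
    {"alert_type": "malware", "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"alert_type": "malware", "md5": "short", "sha256": None},
]


def extract_domain(url):
    """Return the lowercase hostname of a URL, or None if no usable host is present."""
    if not url:
        return None
    candidate = url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # urlparse only fills netloc when a scheme is present
    host = urlparse(candidate).hostname
    if not host or " " in host or "." not in host:
        return None
    return host.lower()


def classify_hash(value):
    """Return ('md5' | 'sha256', normalized_hash) or None if the value is not a valid hash."""
    if not value:
        return None
    h = value.strip().lower()
    if MD5_RE.match(h):
        return ("md5", h)
    if SHA256_RE.match(h):
        return ("sha256", h)
    return None


def extract_iocs(malsite_alerts, malware_alerts):
    """Collect domain, MD5 and SHA256 IOCs, normalized and deduplicated in first-seen order."""
    iocs = {"domain": [], "md5": [], "sha256": []}
    seen = set()

    def add(kind, value):
        if (kind, value) not in seen:
            seen.add((kind, value))
            iocs[kind].append(value)

    for alert in malsite_alerts:
        domain = extract_domain(alert.get("url"))
        if domain:
            add("domain", domain)
    for alert in malware_alerts:
        for field in ("md5", "sha256"):
            classified = classify_hash(alert.get(field))
            if classified:
                add(*classified)
    return iocs


def batch_for_hash_list(hashes, limit=MAX_HASH_LIST_BATCH):
    """Split a hash list into consecutive runs of at most `limit` entries."""
    return [hashes[i:i + limit] for i in range(0, len(hashes), limit)]


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_MALSITE_ALERTS, SAMPLE_MALWARE_ALERTS)
    for kind, values in result.items():
        print(f"{kind}: {values}")
    runs = batch_for_hash_list(result["md5"] + result["sha256"])
    print(f"hash list runs needed: {len(runs)}")
```

Running the script with the constructed alerts yields two domains (the mixed-case and port-suffixed URLs collapse to one), one MD5 and one SHA256, all fitting in a single Hash List run; a larger hash set is split so that no run exceeds 7000 entries.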
4) Fetch Netskope Malware Alerts (Historical)
Description: Fetches Netskope Malware Alerts and extracts IOCs detected by Netskope. Pulls historical data.
Notes:
- Set 'Days' to the lookback window needed.
- Add filters to create only specific IOC types or severities.
5) Fetch Netskope Malware Alerts (Hourly)
Description: Fetches Netskope Malware Alerts to extract IOCs on an hourly basis.
Notes:
- Set 'Days' to the lookback window needed.
- Add filters to create only specific IOC types or severities.
6) Fetch Netskope Malsite Alerts (Historical)
Description: Fetches Netskope Malsite Alerts to extract malicious domains (URL indicators). Pulls historical data.
Notes:
- Set 'Days' to the lookback window needed.
- Add filters to create only specific IOC types or severities.
- Domain actions supported: 'No Action' or 'Detect' only.
7) Fetch Netskope Malsite Alerts (Hourly)
Description: Fetches Netskope Malsite Alerts to extract malicious domains on an hourly basis.
Notes:
- Set 'Days' to the lookback window needed.
- Add filters to create only specific IOC types or severities.
- Domain actions supported: 'No Action' or 'Detect' only.