neerdael-nl/threatintelligence-netskope

threatintelligence-netskope

Ingest OSINT (Open Source) Threat Intelligence directly into Netskope.
You must fill in the correct API tokens and tenant name in your config.json for the tool to work. The tenant name takes the format name.region, except for some regions, such as our main US management environment, where you only need to enter name. The script has been updated for better JSON handling, and a dnsoverhttps feed has been added.

Currently includes the following feeds:

dnsoverhttps: https://download.dnscrypt.info/resolvers-list/json/public-resolvers.json,
rescure_ip: https://rescure.me/rescure_blacklist.txt,
cins_ip: http://cinsscore.com/list/ci-badguys.txt,
feodo_recommended_ip: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt,
feodo_ip: https://feodotracker.abuse.ch/downloads/ipblocklist.txt,
urlhaus_url: https://urlhaus.abuse.ch/downloads/text/,
emergingthreats_tor_snort: https://rules.emergingthreats.net/blockrules/emerging-tor.rules,
rescure_domain: https://rescure.me/rescure_domain_blacklist.txt,
securityscorecard_ip: https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/ipblocklist.txt,
rutgers_ip: https://report.cs.rutgers.edu/DROP/attackers,
emergingthreats_ip: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt,
banlist_ip: https://www.binarydefense.com/banlist.txt,
digitalside_ip: https://osint.digitalside.it/Threat-Intel/lists/latestips.txt,
digitalside_url: https://osint.digitalside.it/Threat-Intel/lists/latesturls.txt,
digitalside_domain: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt,
abusetracker_ip: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt,
ipsum_ip: https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt,
jamesbrine_ip: https://jamesbrine.com.au/iplist.txt,
malshare_hash: https://www.malshare.com/daily/malshare.current.sha256.txt,
malware_bazaar_hash: https://bazaar.abuse.ch/export/txt/sha256/recent/,
openphish_url: https://openphish.com/feed.txt,
phishtank_csv: http://data.phishtank.com/data/online-valid.csv,
threatminer_url: https://www.threatminer.org/getData.php?e=malware_container&q=malware_delivery&t=21&rt=3&p=1,
firehol_ip: https://iplists.firehol.org/files/firehol_level1.netset,
blocklist_ip: http://lists.blocklist.de/lists/dnsbl/all.list,

You will need a REST API v2 key for managing URL lists. The token requires URLLIST permissions: https://docs.netskope.com/en/rest-api-v2-overview-312207.html

And a REST API v1 key for managing file profiles (ingesting malware hashes): https://docs.netskope.com/en/rest-api-v1-overview.html

This tool only creates new URL lists and uses the name of the feed as the name of the list. If the list already exists, nothing happens; we still need to add logic to update the list :) For file profiles, make sure your profile already exists and be aware that it will be overridden. File profiles can't be created using the API.
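The feeds above are third-party text files that end up in block lists, so their content is worth validating before it is pushed. The following is an added example, not code from this repository: it infers the indicator type from the feed-name suffix used in the list above (`_ip`, `_url`, `_domain`, `_hash`), drops malformed entries, and rejects any IP or CIDR that overlaps private or reserved space. The names `parse_feed`, `normalize` and `INTERNAL` are hypothetical, and the feeds without such a suffix (`phishtank_csv`, `emergingthreats_tor_snort`, `dnsoverhttps`) are assumed to need their own parsers.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Private, loopback, link-local, CGNAT, multicast and reserved space: a feed
# entry overlapping any of these would block internal traffic if ingested.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/127", "fc00::/7", "fe80::/10", "ff00::/8")]
SHA256_RE = re.compile(r"[0-9a-f]{64}")
DOMAIN_RE = re.compile(r"(?=.{4,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def normalize(kind, token):
    """Return the cleaned indicator, or None if it must be dropped."""
    try:
        if kind == "ip":
            net = ipaddress.ip_network(token, strict=False)
            if any(net.overlaps(r) for r in INTERNAL):
                return None
            return str(net.network_address) if net.num_addresses == 1 else str(net)
        if kind == "url":
            parts = urlsplit(token)
            return token if parts.scheme in ("http", "https") and parts.hostname else None
    except ValueError:                      # malformed address or URL
        return None
    token = token.lower()
    if kind == "hash":
        return token if SHA256_RE.fullmatch(token) else None
    token = token.rstrip(".")               # remaining kind: "domain"
    return token if DOMAIN_RE.fullmatch(token) else None

def parse_feed(feed_name, text):
    """Split a plain-text feed into (accepted, rejected) indicator lists."""
    kind = feed_name.rsplit("_", 1)[-1]     # "rescure_ip" -> "ip"
    if kind not in ("ip", "url", "domain", "hash"):
        raise ValueError(f"{feed_name}: needs a format-specific parser")
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue                        # blank line or comment
        token = line.split()[0]             # first column of "value<TAB>score" rows
        value = normalize(kind, token)
        if value is None:
            rejected.append(token)
        elif value not in accepted:         # de-duplicate, keep order
            accepted.append(value)
    return accepted, rejected
```

Logging the `rejected` list per feed makes a sudden change in a feed's format or content visible before it affects policy.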
