Microsoft Defender for Cloud Apps Plugin for Log Shipper

This document explains how to configure the Microsoft Defender for Cloud Apps integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows for forwarding Netskope generated events to Microsoft Cloud App Security for additional analysis and reporting.

Prerequisites

To complete this configuration, you need:

A Netskope Tenant (or multiple, for example, production and development/test instances).
A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
A Microsoft Defender for Cloud Apps instance.

Note

Verify your Microsoft Defender instance permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.

Workflow

Configure the Microsoft Defender for Cloud Apps Data Source.
Configure the Microsoft Defender for Cloud Apps plugin.
Create Log Shipper Business Rules.
Create Log Shipper SIEM mappings.
Validate the plugin.

Click play to watch a video.

Configure the Microsoft Defender for Cloud Apps Data Source

Go to your Microsoft Defender for Cloud Apps instance at: https://<instance-name>.portal.cloudappsecurity.com/.
Log in to your Microsoft Defender for Cloud Apps instance.
Click Settings and then click Log Collectors.
Click Add data source.
Enter a name and select Source and Receiver type, and then click Add.

Configure the Microsoft Defender for Cloud Apps Plugin

In Cloud Exchange, go to Settings > Plugins.
Search for and select the Microsoft Cloud App Security (CLS) box to open the plugin creation pages.
Enter a Configuration Name.
Select the valid Mapping. (Default Mappings for all plugins are available).
Click Next.
Enter the Portal URL, API Token, and Data Source. Enter valid extensions if you have other than the default one.
Click Save.