Cloud Exchange Supported Integrations

Cloud Exchange Supported Integrations

A module-specific write-access user can create, enable, modify, or delete plugins. This section describes the 3rd-party plugins supported by Netskope Cloud Exchange.

In addition to the Netskope plugins, Cloud Exchange works with the following plugins which, as of version 4.1, are found in the Github repository and are pulled down by Cloud Exchange during initial installation, whenever the Cloud Exchange service is started or stopped, and whenever a write-access user responds to an updates are available prompt with a command to retrieve the new or updated plugins.

Log Shipper

  • AWS CloudTrail Lake: Send Netskope Events and Alerts to your CloudTrail event data store.
  • AWS S3 Events, Alerts: Send Netskope Events and Alerts as compressed archives.
  • AWS S3 WebTx: Send Netskope Web Transaction Logs as compressed archives.
  • AWS Security Lake: Send Netskope Events, Alerts, and Web Transaction Logs in OCFS format.
  • AWS SQS: Send Alerts (DLP, Malware, Policy, Compromised Credential, Malsite, Quarantine, Remediation, Security Assessment, Watchlist, CTEP, UBA) data to the AWS SQS platform.
  • Bitsight ThirdPartyTrust: Send Netskope Events and Alerts from Netskope to the ThirdPartyTrust platform.
  • CrowdStrike LogScale: Send Netskope Alerts, Events, and Web Transaction Logs in JSON format from your Netskope tenant to the CrowdStrike LogScale HTTP Event Collector. 
  • Datadog: Send Netskope Events, Alerts, Syslog CE Logs, and WebTx logs in CEF and JSON format.
  • Elastic (Filebeam): Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • Google Cloud SCC: Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • Google GCP Storage: Send Netskope Web Transaction Logs as compressed archives.
  • Google Chronicle: Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • IBM QRadar: Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • Kafka: Send Netskope Events, Alerts, and Web Transaction Logs to the Kafka topic on the Kafka server/cluster. The plugin will act as a producer to publish the message to the Kafka topic.
  • Local Export: Send web transactions data to a designated location in your local storage.
  • Microsoft Azure Sentinel: Send Netskope raw events, alerts, and Webtx data to the Azure Sentinel Platform. To access the plugin, you would need the credentials for the Azure Sentinel Platform. This plugin only supports JSON data.
  • Microsoft Azure Monitor: Send Alerts and Events data to the Microsoft Azure Monitor Log Analytics Workspace.
  • Microsoft Azure Cloud Storage: Send Netskope Web Transaction Logs as compressed archives.
  • Microsoft Defender for Cloud Apps: Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • Rapid7: Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • Secureworks: Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • Syslog: Send Netskope Events, Alerts, and Web Transaction Logs in Syslog CEF format using custom field mappings or pre-built field mappings for Rapid7, QRadar, LogRhythm, Azure Sentinel, CSCC, Chronicle, Elastic, ArcSight, AlienVault, AWS S3, AWS CloudTrail Lake, Secureworks, SolarWinds, Azure Monitor, Amazon Security Lake, BitSight, Microsoft Defender for Cloud Apps. Also send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format.
  • Syslog and WebTx with Splunk: Send Netskope Alerts, Events, and Web Transaction Logs in CEF format from Netskope Tenant to Splunk using Cloud Exchange via the Log Shipper Syslog and WebTx
  • WebTx: Fetch Netskope Web Transaction Logs which can be sent to supported SIEM platforms.
  • ArcSight: Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • LogRhythm: Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • AT&T AlienVault (using the default Syslog plugin): Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • Solarwinds (using the default Syslog plugin): Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.

Ticket Orchestrator

  • Azure Service Bus: Send messages in the Queues available on the Azure Service Bus platform. This plugin only supports adding (creating) messages in the Queues; the plugin does not support updating or syncing messages in Queues.
  • HaloITSM: Create tickets for Netskope alerts on the HaloITSM Platform. Supports ticket creation and ticket status syncing. The HaloITSM plugin does not support updating the tickets (incidents).
  • Ivanti: Create, update, and sync incidents/tickets on the Ivanti Platform.
  • Jira: Create issues/tickets in Jira.
  • Microsoft Teams Notifier: Send notifications to Microsoft Teams.
  • Notifier (Slack/Gmail/Email): Send notifications to various platforms: Email (SMTP), Gitter, Gmail, Hipchat, Join, Mailgun, Pagerduty, PopcornNotify, Pushbullet, Pushover, SimplePush, Slack (Webhooks), StatusPage, Telegram, Twilio, Zulip.
  • Okta Webhook: Enables automated synchronization of user data and events. This integration can help detect special security events and can trigger special actions on the user’s end with the Okta Workflows.
  • ServiceNow: Create incidents in ServiceNow (does not support ServiceNow DLP Incident Response).
  • Webhook: Create create notifications for Netskope alerts.

Threat Exchange

  • Anomali ThreatStream XDR: Fetch URL, Domain, IP (IPv4, IPv6), SHA256, and MD5 from Observables on the ThreatStream platform, and push the same to the Anomali ThreatStream XDR’s Observables.
  • API Source: Allows for categorization of data for identifying source and for subsequent filtering delivered to Threat Exchange via API.
  • AWS GuardDuty: Fetch SHA256 file hashes from GuardDuty.
  • Carbon Black: Fetch indicators of type SHA256 from the Carbon Black’s Alerts page. Additionally, this plugin also supports sharing of the indicators (IPv4, IPv6, Domain, MD5, SHA256) to the Carbon Black’s Watchlist page.
  • Commvault: Fetch URLs from Commvault, and send URLs to Commvault.
  • CrowdStrike: Fetch indicators of type SHA256, MD5, IPv4, IPv6, and Domain from CrowdStrike’s Endpoint Detection and IoC Management pages. This plugin also supports sharing of the indicators to CrowdStrike’s Custom IoC Management page.
  • Cybereason: Fetch file hashes and URLs from Cybereason Custom IOC, and send file hashes and URLs to Cybereason Custom IOC.
  • Digital Shadow: Fetch impersonating domains from Digital Shadows.
  • External Website: Fetch URLs (URLs, IPv4, Domains), SHA256, and MD5 types of indicators from any external websites. This plugin does not support pushing any indicators to the external websites.
  • ExtraHop Reveal(x) 360: Fetch URL (IP Address, Hostname) type of indicators from ExtraHop Reveal(x) 360.
  • Feedly: Fetch SHA256 hashes, MD5 hashes, URLs, domains, and IP addresses from Feedly Stream. This plugin also fetches IoCs in MISP format from Feedly Stream.
  • Github: Fetch MD5 file hashes from the owner Github Repository, and send MD5 file hashes from Netskope to Github.
  • HarfangLab: Fetch Netskope IoCs with the IoC List available under the Threat Intelligence module on the HarfangLab platform.
  • Illumio: Fetch workloads within a configured policy scope and create Netskope Threat IoCs for all interfaces on each workload. The IoCs can then be used for granular access control with workloads that are not managed by Illumio policy.
  • Mandiant: Fetch URLs, MD5, FQDN, IPV4, and IPV6 from the Google Mandiant.
  • Microsoft Office 365 Endpoints: Fetch URLs and IP from Microsoft Office 365 Endpoints.
  • Microsoft Defender for Cloud Apps: Fetch unsanctioned URLs from Microsoft Defender for Cloud Apps.
  • Microsoft Defender for Endpoints: Fetch URLs, MD5, SHA256 file hashes from Microsoft Defender for Endpoints.
  • Mimecast: Fetch SHA256 file hashes and URLS from Mimecast, and send file hashes and URLs to the Mimecast IoC.
  • MISP: Fetch event attributes from MISP (Malware Information Sharing Platform) and extract indicators of type SHA256, MD5, URL, Domain, IP (IPv4 and IPv6) from them. It can also share the indicators of type SHA256, MD5, URL, Domain (Domain, FQDN and Hostname), and IP (IPv4 and IPv6) as attributes to MISP Custom Events.
  • Palo Alto Networks Cortex XDR: Fetch indicators of types File (MD5 and SHA256) from Palo Alto Networks Cortex XDR and store them into Netskope Cloud Exchange. The plugin also supports sharing the Cloud Exchange indicators SHA256, MD5, URL ( IPv4, Domain) with existing groups on the Palo Alto Networks Cortex XDR platform
  • Palo Alto Networks Panorama: Fetch information about domains, IP addresses, and file hashes (SHA256) from Wildfire logs, and URLs from URL-Filtering logs.
  • Proofpoint: Fetch malicious file hashes and URLs for several types of Targeted Attack Protection events from Proofpoint.
  • SecLytics: Fetch URLs, IPs, and CIDRs from Netskope.
  • SecurityScorecard: Fetch domains from SecurityScorecard as URLs into Netskope.
  • SentinelOne: Fetch SHA256 indicators from the SentinelOne platform and share URLs and hashes (MD5 and SHA256) with Netskope.
  • ServiceNow Threat Intelligence: Fetch MD5, SHA256 and URL type of observables and sharing new observables from ServiceNow Threat Intelligence, and send URL, MD5, SHA256 file hashes from the Netskope to the ServiceNow Threat Intelligence.
  • Skyhigh: Fetch URLs to share them with Netskope.
  • Sophos: Fetch the SHA256 type of threat indicator from Threat Graphs under Threat Analysis Center in the Sophos platform. This plugin does not support sharing of indicators to the Sophos platform.
  • STIX/TAXII: Fetch polls TAXII feeds and extracts URLs, MD5, SHA256 file hashes. Most threat systems support creating a feed for CE to read, including Anomali.
  • ThreatConnect: Fetch indicators of type malware hashes and URLs from the ThreatConnect, and send hashes and URLs from Netskope to the ThreatConnect.
  • ThreatQ: Fetch MD5, SHA256 and URL type of observables and sharing new observables from ThreatQ.
  • Trellix: Fetch MD5, SHA256, URL (Domain, IP (IPv4, IPv6), URL) from Trellix EPO.
  • Trend Micro: Fetch URLs, domains, ShA256 File Hashes and IP addresses from Trend Micro Vision One, and share SHA256 file hashes and URL from Netskope to Trend Micro Vision One.

User Risk Exchange

  • Azure AD: Fetch users and their respective scores from Microsoft Azure AD, and add or remove users from Microsoft Azure AD groups.
  • BeyondCorp: Fetch user scores from BeyondCorp, and add or remove users from BeyondCorp groups.
  • CrowdStrike: Fetch Host IDs and their risk scores from CrowdStrike’s platform to Cloud Exchange, and performs a Put RTR Script action on the host machine based on the Host scores.
  • CrowdStrike Falcon Identity Protection: Fetch user risk scores from CrowdStrike Falcon Identity Protection, and add or remove users from CrowdStrike Falcon Identity Protection groups.
  • CyberArk: Use to add or remove a CyberArk user to the CyberArk Roles.
  • Elastic: Fetch users available on the Security > Explore > Users > All users page, and their respective risk scores available on the Security > Explore > Users > User risk page, from your Elastic instance.
  • KnowBe4 (Security Advisor): Fetch Behaviour score of users from Security Advisor.
  • Okta: Add or remove users from Okta groups. Actions such as Add to Group, Remove from Group, Push Risk Scores, and No Actions can be performed on the users. The Push risk score enables actions via group membership changes used in Okta Authentication Policies when Netskope identifies a risky user, and to share risk signals with Okta Identity Threat Protection.
  • Mimecast (Training Awareness safe score): Fetch User Risk Scores from the Mimecast platform. This plugin supports performing actions on the users, such as Add to Group, Remove from Group, and No Action.
  • Proofpoint: Fetch attack index of users from Proofpoint using the VAP module.
  • LDAP: Perform operations like add to group and remove from the group on users.

Application Risk Exchange

  • ServiceNow: Send application risk scores (CCI) to ServiceNow.
  • ThirdPartyTrust: Send application risk scores (CCI) to ThirdParty Trust.
  • Viso Trust: Send application risk scores (CCI) to Viso Trust and creates the relationships in the Viso Trust platform by grouping the applications together based on vendors.

Upload a Custom Plugin

You can upload new plugins. After creating your custom plugin, follow these steps to upload your new plugin.

  1. Go to Settings and click Plugins.
  2. Click Add new Plugin, locate the ZIP or tar file for your custom plugin, and then click Upload. After successful validation, the newly added plugin is available under the supported plugins list for this CE instance only. Uploaded plugins are stored in the host file system.
  3. If the core docker container is upgraded or reset, all your uploaded plugins will still remain with all the configurations.
  4. Use this template to create a plugin user guide.

Search and Filter the Plugins List

On the Plugins page there’s an option to search via plugin name.

Share this Doc

Cloud Exchange Supported Integrations

Or copy link

In this topic ...