Microsoft Defender for Cloud Apps Plugin for Threat Exchange

This document provides instructions to configure Microsoft Defender for Cloud Apps with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration allows for sharing of sanctioned URLs with Netskope.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A Microsoft Defender for Cloud Apps instance.

Workflow

  1. Get the Microsoft Defender for Cloud Apps API token.
  2. Configure the Microsoft Defender for Cloud Apps Plugin.
  3. Configure sharing between Netskope and Microsoft Defender for Cloud Apps.
  4. Validate the Microsoft Defender for Cloud Apps Plugin.

Create a Custom Category for the Microsoft Defender URL List

  1. In the Netskope UI, go to Policies, and in the Profile section, click Web.
  2. Create a new Custom Category.
  3. Add the required details for the Custom Category, and add the URL list created by the Microsoft Defender plugin to the Include/Exclude List. Click Save.

Create a Real-time Threat Protection Policy for the Microsoft Custom Category

Note: The policy configured here is just an example. Modify it as appropriate for your organization.

  1. In the Netskope UI, go to Policies > Real-time Protection.
  2. Click New Policy and select Web Access.
  3. For Source, leave the default (User = All Users).
  4. For Destination, select Category.
  5. Select the Custom Category created for the URL List shared by the Microsoft Defender for Cloud Apps plugin.
  6. When the Activities & Constraints section opens, click Edit.
  7. Select All, and then click Save.
  8. For Profile & Action, click in the text field.
  9. Set Action to Block, or choose any other option from the list. Select Template > Default Template.
  10. For Set Policy, enter a descriptive Policy Name.
  11. Click Save in the top right to save the policy.
  12. Choose the To the top option when it appears (or the appropriate location in your security policy).
  13. To publish this policy to the tenant, select Apply Changes in the top right.

Get the Microsoft Defender for Cloud Apps API Token

  1. Log in to your Microsoft 365 Defender dashboard.
  2. On the Settings menu, click Cloud Apps > API tokens, and then click + Add token.
  3. Provide a name to identify the token in the future, and then click Generate.
  4. Copy the newly generated API Token and URL.

Configure the Microsoft Defender for Cloud Apps Plugin

  1. In Cloud Exchange, go to Settings and click Plugins.
  2. Search for and select the Microsoft Defender for Cloud Apps (CTE) plugin box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Enter a name appropriate for your integration.
    • Sync Interval: Adjust to your environment's needs. We recommend not going below 5 minutes for production environments.
    • Aging Criteria: Leave the default.
    • Last Run: Click the calendar icon and choose a date and time.
    • Override Reputation: Leave the default.
    • Enable SSL Verification: Leave the default.
  4. Click Next.
  5. Enter and select the Configuration Parameters on the second page:
    • URL: Enter the URL of your Microsoft Defender for Cloud Apps API.
    • API Token: Enter your Microsoft Defender for Cloud Apps API token.
    • Enable Tagging: Leave the default (Yes).
    • Tag Name: Leave the default.
  6. Click Save in the top right corner. Go to Threat Exchange > Plugins to see your new Microsoft Defender for Cloud Apps (CAS) plugin.
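
The check below is an added example, not code from Netskope Cloud Exchange or from the plugin itself: a pre-flight check a practitioner can run over the values entered on the two configuration pages above before saving them. The dictionary keys, the sample values and the placeholder URL `https://defender-api.example` are assumptions made for this example; the only thresholds taken from this page are the 5-minute production floor for Sync Interval and the default of keeping SSL verification enabled. The weak configuration beside the corrected one shows the findings the check produces.

```python
"""Pre-flight check of the plugin configuration values (added example; this is not
Netskope's or the plugin's own validation code). Field names follow the two
configuration pages described above; dictionary keys and sample values are assumptions."""
from urllib.parse import urlparse

MIN_PROD_SYNC_MINUTES = 5   # floor recommended above for production environments
MIN_TOKEN_LENGTH = 20       # assumption: a pasted Defender API token is far longer than this


def check_plugin_config(basic: dict, params: dict, production: bool = True) -> list:
    """Return a list of findings; an empty list means the configuration passed."""
    findings = []

    # Basic Information page
    try:
        interval = int(basic.get("sync_interval_minutes", 0))
    except (TypeError, ValueError):
        interval = 0
    if interval <= 0:
        findings.append("Sync Interval must be a positive number of minutes")
    elif production and interval < MIN_PROD_SYNC_MINUTES:
        findings.append(f"Sync Interval of {interval} min is below the "
                        f"{MIN_PROD_SYNC_MINUTES} min recommended for production")
    if not basic.get("enable_ssl_verification", True):
        findings.append("Enable SSL Verification is off: the API token would be sent "
                        "over a TLS connection whose certificate is never checked")

    # Configuration Parameters page
    url = params.get("url", "")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append(f"URL {url!r} must be an https:// URL with a host name")
    elif parsed.username or parsed.password:
        findings.append("URL must not embed credentials; the token belongs in API Token")

    token = (params.get("api_token") or "").strip()
    if not token:
        findings.append("API Token is empty")
    elif len(token) < MIN_TOKEN_LENGTH:
        findings.append("API Token looks truncated; copy it again from the Defender portal")

    if params.get("enable_tagging", True) and not (params.get("tag_name") or "").strip():
        findings.append("Enable Tagging is Yes but Tag Name is empty")

    return findings


# Constructed sample values. The URL is a placeholder, not a real Defender endpoint,
# and the token is a placeholder string of the right rough length.
WEAK_BASIC = {"sync_interval_minutes": 1, "enable_ssl_verification": False}
WEAK_PARAMS = {"url": "http://defender-api.example", "api_token": "",
               "enable_tagging": True, "tag_name": ""}

GOOD_BASIC = {"sync_interval_minutes": 15, "enable_ssl_verification": True}
GOOD_PARAMS = {"url": "https://defender-api.example",
               "api_token": "PLACEHOLDER-TOKEN-" + "0" * 24,
               "enable_tagging": True, "tag_name": "Microsoft Defender for Cloud Apps"}

if __name__ == "__main__":
    for label, b, p in (("weak", WEAK_BASIC, WEAK_PARAMS), ("good", GOOD_BASIC, GOOD_PARAMS)):
        print(label, check_plugin_config(b, p) or "OK")
```

Pass `production=False` for a development or test tenant to relax only the Sync Interval floor; the TLS and credential checks apply everywhere, since the API token is the one secret this integration handles.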

Configure Sharing for Netskope and Microsoft Defender for Cloud Apps

  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in a grid view. The Sharing page also has inputs to configure new sharing from one plugin to another.
  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select Microsoft Defender.
  3. Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional for the Microsoft Defender for Cloud Apps plugin: data can only be shared from the Microsoft Defender for Cloud Apps plugin to the Netskope plugin.
  4. Select a Target. Each plugin has a different target or destination for the IoCs.
  5. Click Save.

Adding a new sharing configuration on the active source poll shares the existing IoCs of the source configuration with the destination configuration. Whenever a new sharing configuration is built, all active IoCs are also considered for sharing if they match the source/destination combination.

After a sharing configuration has been created, the sharing table shows the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive the matching IoCs, and the target applicable to that rule. Multiple sharing configurations can be created to map certain IoCs to multiple targets, even on the same destination system.

Modify, Test, or Delete a Sharing Configuration

Each configuration supports three actions:

  • Edit the rule by clicking the pencil icon.
  • Test the rule by clicking the synchronization icon. This shows how many IoCs will actually be sent to the destination system, based on the timeframe and the rule.
  • Delete the rule by clicking the garbage can icon.
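
The dry run below is an added example and not Cloud Exchange's own code. It models the selection that the sharing configuration steps above describe (Source Configuration, Business Rule, Destination Configuration, Target, and the rule that all active IoCs of the source are considered when a configuration is new) and the count that the Test action reports for a given timeframe. It also enforces the unidirectional rule for this plugin. The configuration names, the tag name `mdca-shared`, the IoC records and the dates are all constructed for the example; the plugin's real default Tag Name and Threat Exchange's internal data model are not shown on this page.

```python
"""Dry run of a Threat Exchange sharing configuration (added example; not Cloud
Exchange's own code). An IoC is selected when it belongs to the Source Configuration,
is active, falls inside the poll timeframe and satisfies the Business Rule.
Configuration names, tag name, dates and IoC records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

DEFENDER_CFG = "Microsoft Defender for Cloud Apps"   # constructed Configuration Name
NETSKOPE_CFG = "Netskope"                            # constructed Configuration Name
DEFENDER_TAG = "mdca-shared"                         # constructed tag; the plugin's default Tag Name is not stated above


@dataclass(frozen=True)
class IoC:
    value: str                    # the URL the plugin shares
    source: str                   # configuration that created the record
    seen_at: datetime             # when the source last reported it
    active: bool = True
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class SharingConfig:
    source: str
    destination: str
    target: str                       # e.g. the URL List on the Netskope side
    rule: Callable[[IoC], bool]       # the Business Rule selected for this configuration


def validate_direction(cfg: SharingConfig) -> Optional[str]:
    """Sharing is unidirectional for this plugin: Defender is a source, never a destination."""
    if cfg.destination == DEFENDER_CFG:
        return f"{DEFENDER_CFG} cannot be the Destination Configuration"
    if cfg.source == cfg.destination:
        return "Source and Destination Configuration must differ"
    return None


def select_for_sharing(iocs: List[IoC], cfg: SharingConfig,
                       since: Optional[datetime] = None) -> List[str]:
    """Return the IoC values the configuration would send to its target.

    since=None models a newly created configuration, which considers every active IoC
    of the source; otherwise only IoCs seen at or after `since` (the poll timeframe) count.
    """
    err = validate_direction(cfg)
    if err:
        raise ValueError(err)
    selected = []
    for ioc in iocs:
        if ioc.source != cfg.source or not ioc.active:
            continue
        if since is not None and ioc.seen_at < since:
            continue
        if cfg.rule(ioc):
            selected.append(ioc.value)
    return selected


# Constructed sample data; the URLs and the timestamps are placeholders.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
ONE_DAY_AGO = NOW - timedelta(days=1)
TAGGED = frozenset({DEFENDER_TAG})
SAMPLE_IOCS = [
    IoC("https://unsanctioned-app.example/login", DEFENDER_CFG, NOW - timedelta(hours=1), tags=TAGGED),
    IoC("https://another-app.example", DEFENDER_CFG, NOW - timedelta(days=3), tags=TAGGED),   # outside a 24 h window
    IoC("https://untagged.example", DEFENDER_CFG, NOW - timedelta(hours=2)),                  # rule fails: no tag
    IoC("https://retired.example", DEFENDER_CFG, NOW - timedelta(hours=1), active=False, tags=TAGGED),
    IoC("https://from-netskope.example", NETSKOPE_CFG, NOW - timedelta(hours=1), tags=TAGGED),  # wrong source
]

TO_NETSKOPE = SharingConfig(DEFENDER_CFG, NETSKOPE_CFG, "Microsoft Defender URL List",
                            rule=lambda ioc: DEFENDER_TAG in ioc.tags)
REVERSED = SharingConfig(NETSKOPE_CFG, DEFENDER_CFG, "n/a", rule=lambda ioc: True)

if __name__ == "__main__":
    print("new configuration:", select_for_sharing(SAMPLE_IOCS, TO_NETSKOPE))
    print("last 24 h:", select_for_sharing(SAMPLE_IOCS, TO_NETSKOPE, since=ONE_DAY_AGO))
    print("reversed:", validate_direction(REVERSED))
```

Running the block shows why a freshly created configuration can send more than a later poll does: with `since=None` both tagged, active Defender IoCs are selected, while a one-day window drops the older record. The reversed configuration is rejected before any IoC is examined, matching the unidirectional behaviour described above.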

Validate the Microsoft Defender for Cloud Apps Plugin

To validate the integration, you must have unsanctioned apps in Microsoft Defender for Cloud Apps. The sync interval was defined during plugin configuration, so allow at least one interval to elapse before checking for records.

  1. Go to Cloud Exchange and select Threat IoCs. You should see records from your Defender plugin. You can filter on Source values to check both the Netskope and Microsoft Defender for Cloud Apps plugins.
  2. In the Netskope UI, go to Policies > Web, and click URL List.
  3. Click the URL List used to configure the plugin. If data is not being brokered between the platforms, check the audit logs in Cloud Exchange: in Threat Exchange, go to Logging and look through the logs for errors.