Netskope Help

Microsoft Defender Plugin for Threat Exchange

This document provides instructions to configure the Microsoft Defender ATP integration with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration allows for sharing of file hashes with Netskope.

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances).

  • A Secure Web Gateway subscription for URL sharing.

  • A Netskope Cloud Exchange with the Threat Exchange module already configured.

  • A Microsoft Defender Account.

Workflow
  1. Create a custom File Profile.

  2. Get the Microsoft Defender credentials.

  3. Configure the Microsoft Defender Plugin.

  4. Configure sharing between Netskope and Microsoft Defender.

  5. Validate the Microsoft Defender Plugin.

Create a Custom File Profile

  1. In the Netskope UI, go to Policies, select File, and click New File Profile.

  2. Click File Hash in the left panel, and select SHA256 from the File Hash dropdown list.

  3. Enter a temporary value in the text field. Netskope does not allow you to proceed without a value in this field, and recommends entering a string of 64 f characters, for example ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. A value like this has a very low probability of matching the hash of a real file.

  4. Click Next.

  5. Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.

  6. Click Save.

  7. To publish this profile into the tenant, click Apply Changes in the top right.

Get the Microsoft Defender Credentials

  1. Log in to your Microsoft Defender Security dashboard.

  2. Go to Settings and select SIEM under APIs.

  3. Copy the Client ID and Client Secret.

  4. Click on the email on the top right corner. Copy the Tenant ID.

Configure the Microsoft Defender Plugin

  1. In Cloud Exchange, go to Settings and click Plugins.

  2. Select the Microsoft Defender ATP Plugin box to open the plugin creation pages.

  3. Enter and select the Basic Information on the first page:

    • Configuration Name: Enter a name appropriate for your integration.

    • Poll Interval: Adjust to environment needs. We recommend not to go below 5 minutes for production environments.

    • Aging Criteria: Leave the default.

    • Override Reputation: Leave the default.

    • Enable SSL Verification: Leave the default.

  4. Click Next.

  5. Enter and select the Configuration Parameters on the second page:

    • Tenant ID: Enter the Tenant ID from your Defender API.

    • App ID: Enter the Client ID from your Defender API.

    • App Secret: Enter the Client Secret from your Defender API.

    • Region: Select the appropriate region.

    • Device Groups: Leave the default.

    • Initial Range (in days): Leave the default.

  6. Click Save in the top right corner. Go to Threat Exchange > Plugins to see your new Defender plugin.

Configure Sharing Between Netskope and Microsoft Defender

  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in a grid view, and also has inputs to configure new sharing from one plugin to another.

  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select Defender.

  3. Select a Business Rule, and then select Netskope for the Destination Configuration. Sharing configurations are unidirectional: data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each direction separately.

  4. Select a Target. Each plugin will have a different target or destination for the IoC.

  5. Click Save.

  6. Repeat steps 2-5, but select Netskope as the Source Configuration and Microsoft Defender as the Destination Configuration.

  7. Click Save.

Adding a new sharing configuration while the source is actively polling shares the existing IoCs of that configuration with the destination configuration. Whenever a new sharing configuration is built, all active IoCs that match the source/destination combination are also considered for sharing.

Note

Plugins that do not have an API for ingesting data cannot receive threat data. This is true of the installed API Source plugin, which provides a bucket associated with an API endpoint that remote third-party systems push data to. A Sharing policy takes effect as soon as it has been added.

After a sharing configuration has been created, the sharing table shows the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive the matching IoCs, and the target applicable to that rule. Multiple sharing configurations can be created to map certain IoCs to multiple targets, even on the same destination system.

Modify, Test, or Delete a Sharing Configuration

Each configuration supports 3 actions:

  • Edit the rule by clicking on the pencil icon.

  • Test the rule by clicking on the synchronization icon. This tests how many IoCs will actually be sent to the destination system based on the timeframe and the rule.

  • Delete the rule by clicking on the garbage can icon.
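The sharing semantics described above (one-way configurations, all active matching IoCs considered, one IoC reaching several targets, and the count produced by the test action), modelled as an added Python example that is not Netskope code; the plugin names, business-rule lambdas, aging window and IoCs are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class IoC:
    value: str          # indicator, e.g. a SHA-256 file hash or a URL
    ioc_type: str       # "sha256" or "url"
    source: str         # plugin configuration that ingested it
    reputation: int     # constructed 1..10 score
    first_seen: datetime

@dataclass(frozen=True)
class SharingConfig:
    source: str                    # Source Configuration
    destination: str               # Destination Configuration
    rule: Callable[[IoC], bool]    # Business Rule (constructed predicate)
    target: str                    # Target on the destination, e.g. a file profile

def sharable(cfg: SharingConfig, iocs: List[IoC], now: datetime, max_age_days: int) -> List[IoC]:
    """IoCs one configuration would send: ingested by its source plugin, inside the
    aging window, and accepted by its rule. This is what the test action counts."""
    cutoff = now - timedelta(days=max_age_days)
    return [i for i in iocs
            if i.source == cfg.source and i.first_seen >= cutoff and cfg.rule(i)]

def plan_sharing(configs: List[SharingConfig], iocs: List[IoC], now: datetime,
                 max_age_days: int) -> Dict[Tuple[str, str], Set[str]]:
    """Map (destination, target) to the indicators it receives. One IoC reaches several
    targets when several configurations match it; none flows back to its own source."""
    plan: Dict[Tuple[str, str], Set[str]] = {}
    for cfg in configs:
        plan.setdefault((cfg.destination, cfg.target), set()).update(
            i.value for i in sharable(cfg, iocs, now, max_age_days))
    return plan

# Constructed sample data: two hashes ingested by Defender (one too old), one URL by Netskope.
NOW = datetime(2024, 1, 31)
SAMPLE_IOCS = [
    IoC("a" * 64, "sha256", "Defender", 9, NOW - timedelta(days=2)),
    IoC("b" * 64, "sha256", "Defender", 4, NOW - timedelta(days=40)),
    IoC("https://bad.example/x", "url", "Netskope", 8, NOW - timedelta(days=1)),
]
SAMPLE_CONFIGS = [
    SharingConfig("Defender", "Netskope", lambda i: i.ioc_type == "sha256", "Defender_Hashes"),
    SharingConfig("Defender", "Netskope", lambda i: i.reputation >= 8, "High_Confidence"),
    SharingConfig("Netskope", "Defender", lambda i: i.ioc_type == "url", "Indicators"),
]
```

With a 30-day aging window the stale hash is dropped, the fresh hash lands on both Netskope targets, and the Netskope URL is the only indicator the Defender destination receives.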

Validate the Microsoft Defender Plugin

To validate the integration, you must have alerts generated in Microsoft Defender for Endpoint. The Defender polling interval was defined during plugin configuration.

  1. Go to Cloud Exchange and select Threat IoCs. You should see records from your Defender plugin. You can filter based on Source values to check both the Netskope and Defender plugins.

  2. In the Netskope UI, go to Policies > File, select your custom File Profile, and click File Hash.

  3. If data is not being brokered between the platforms, check the audit logs in Cloud Exchange: go to Logging and look through the logs for errors.