Get Started with Cloud Exchange
Get Started with Cloud Exchange
These instructions are for the Admin only. This section describes the initial steps for getting started with Netskope Cloud Exchange after installation is complete.
Default User Login
By default, a single user is created with administrative capabilities with these credentials: Username: admin Password: admin
This user will have Administrator level access to the application. This user will have write access, and will be able to create new users as well.
On the first login, you will be required to change these credentials. After that, log in using your new credentials.
 |
Service Status can be viewed on the i icon mouse hover at the top of the login screen. The default color of that icon should be grey. If any of the services are down, the icon will be highlighted with red color.
Enable Modules
Upon successful login, enable the modules you want to use.
 |
Enabled modules appear in the left panel.
 |
Go to the following sections to configure the Cloud Exchange modules you enabled.
Configure the Netskope Tenant Settings for Cloud Exchange
Before configuring the plugins for the modules you just enable, add a tenant in Cloud Exchange. To do this you must create a RESTful API v1 token in your Netskope tenant at Settings > Tools > REST API. Currently, a Netskope RESTful v1 API token must be installed for Cloud Exchange to communicate with Netskope because it is required for uploading file hashes for use in Threat Protection and DLP policies. You should also create a RESTful API v2 token in your Netskope tenant at Settings > Tools > REST API v2. Cloud Exchange will use the v2 endpoints whenever possible when communicating with the Netskope tenant.
When creating an API token for Cloud Exchange to use to communicate with a Netskope tenant, use least privileged access concepts. API v1 token should be rotated on a regular basis. Create and use in the Netskope Tenant configuration on the Cloud Exchange a properly entitled v2 token with the specified privileges.
v1 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| Token Generated and Not Expired | (all) | x | Required for sharing file hashes |
v2 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| /api/v2/events/data/alert | Read | ||||||
| /api/v2/events/data/application | Read | ||||||
| /api/v2/events/data/audit | Read | ||||||
| /api/v2/events/data/infrastructure | Read | ||||||
| /api/v2/events/data/network | Read | ||||||
| /api/v2/events/data/page | Read | ||||||
| /api/v2/events/dataexport/events/alert | Read | x | x | x | x | x | Required to validate API token |
| /api/v2/events/dataexport/events/application | Read | x | x | ||||
| /api/v2/events/dataexport/events/audit | Read | x | |||||
| /api/v2/events/dataexport/events/connection | Read | ||||||
| /api/v2/events/dataexport/events/incident | Read | x | |||||
| /api/v2/events/dataexport/events/infrastructure | Read | x | |||||
| /api/v2/events/dataexport/events/network | Read | x | |||||
| /api/v2/events/dataexport/events/page | Read | x | |||||
| /api/v2/events/dataexport/alerts/uba | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/securityassessment | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/quarantine | Read | x | x | x | |||
| /api/v2/events/dataexport/alerts/remediation | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/policy | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/malware | Read | x | x | x | |||
| /api/v2/events/dataexport/alerts/malsite | Read | x | x | x | |||
| /api/v2/events/dataexport/alerts/compromisedcredential | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/ctep (or ips) | Read | ||||||
| /api/v2/events/dataexport/alerts/dlp | Read | x | x | ||||
| /api/v2/events/dataexport/alerts/watchlist | Read | x | x | ||||
| /api/v2/policy/urllist/file | Read + Write | ||||||
| /api/v2/policy/urllist | Read + Write | x | |||||
| /api/v2/policy/urllist/deploy | Read + Write | x | |||||
| /api/v2/incidents/uba/getuci | Read + Write | x | |||||
| /api/v2/ubadatasvc/user/uci | Read + Write | x | |||||
| /api/v2/services/cci/app | Read | x | |||||
| /api/v2/services/cci/domain | Read | x | |||||
| /api/v2/services/cci/tags | Read | x |
x: Required API scopes for the corresponding CE module.
v1 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| Token Generated and Not Expired | (all) | y | y | x+y (*) | y | y | * Required for sharing file hashes |
v2 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| /api/v2/events/data/alert | Read | y | y | y | y | y | |
| /api/v2/events/data/application | Read | y | |||||
| /api/v2/events/data/audit | Read | y | |||||
| /api/v2/events/data/infrastructure | Read | y | |||||
| /api/v2/events/data/network | Read | y | |||||
| /api/v2/events/data/page | Read | y | |||||
| /api/v2/events/dataexport/events/alert | Read | x | x | x | x | x | |
| /api/v2/events/dataexport/events/application | Read | x | x | ||||
| /api/v2/events/dataexport/events/audit | Read | x | |||||
| /api/v2/events/dataexport/events/connection | Read | ||||||
| /api/v2/events/dataexport/events/incident | Read | ||||||
| /api/v2/events/dataexport/events/infrastructure | Read | x | |||||
| /api/v2/events/dataexport/events/network | Read | x | |||||
| /api/v2/events/dataexport/events/page | Read | x | |||||
| /api/v2/events/dataexport/alerts/uba | Read | ||||||
| /api/v2/events/dataexport/alerts/securityassessment | Read | ||||||
| /api/v2/events/dataexport/alerts/quarantine | Read | ||||||
| /api/v2/events/dataexport/alerts/remediation | Read | ||||||
| /api/v2/events/dataexport/alerts/policy | Read | ||||||
| /api/v2/events/dataexport/alerts/malware | Read | ||||||
| /api/v2/events/dataexport/alerts/malsite | Read | ||||||
| /api/v2/events/dataexport/alerts/compromisedcredential | Read | ||||||
| /api/v2/events/dataexport/alerts/ctep (or ips) | Read | ||||||
| /api/v2/events/dataexport/alerts/dlp | Read | ||||||
| /api/v2/events/dataexport/alerts/watchlist | Read | ||||||
| /api/v2/policy/urllist/file | Read + Write | ||||||
| /api/v2/policy/urllist | Read + Write | x + y | |||||
| /api/v2/policy/urllist/deploy | Read + Write | x + y | |||||
| /api/v2/incidents/uba/getuci | Read + Write | x + y | |||||
| /api/v2/ubadatasvc/user/uci | Read + Write | x + y | |||||
| /api/v2/services/cci/app | Read | x + y | |||||
| /api/v2/services/cci/domain | Read | x + y | |||||
| /api/v2/services/cci/tags | Read | x + y |
x: Required API scopes for the corresponding CE module if modern /events/dataexport endpoints will be used (recommended).
y: Required API scopes for the corresponding CE module if legacy /events/data endpoints will be used (deprecated starting in 4.1.0).
x+y: Required API scopes for the corresponding CE module (when using either /events/dataexport or /events/data endpoints).
v1 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | User Risk Exchange (URE) | App Risk Exchange (ARE) | Notes |
|---|---|---|---|---|---|---|---|
| Token Generated and Not Expired | (all) | y | Required for sharing file hashes |
v2 REST API Scopes
| Endpoint | Privilege | Log Shipper (CLS) | Ticket Orchestrator (CTO) | Threat Exchange (CTE) | Cloud Risk Exchange (CRE) | Notes |
|---|---|---|---|---|---|---|
| /api/v2/events/data/alert | Read | y | y | y | y | |
| /api/v2/events/data/application | Read | y | ||||
| /api/v2/events/data/audit | Read | y | ||||
| /api/v2/events/data/infrastructure | Read | y | ||||
| /api/v2/events/data/network | Read | y | ||||
| /api/v2/events/data/page | Read | y | ||||
| /api/v2/events/dataexport/events/alert | Read | |||||
| /api/v2/events/dataexport/events/application | Read | |||||
| /api/v2/events/dataexport/events/audit | Read | |||||
| /api/v2/events/dataexport/events/connection | Read | |||||
| /api/v2/events/dataexport/events/incident | Read | |||||
| /api/v2/events/dataexport/events/infrastructure | Read | |||||
| /api/v2/events/dataexport/events/network | Read | |||||
| /api/v2/events/dataexport/events/page | Read | |||||
| /api/v2/events/dataexport/alerts/uba | Read | |||||
| /api/v2/events/dataexport/alerts/securityassessment | Read | |||||
| /api/v2/events/dataexport/alerts/quarantine | Read | |||||
| /api/v2/events/dataexport/alerts/remediation | Read | |||||
| /api/v2/events/dataexport/alerts/policy | Read | |||||
| /api/v2/events/dataexport/alerts/malware | Read | |||||
| /api/v2/events/dataexport/alerts/malsite | Read | |||||
| /api/v2/events/dataexport/alerts/compromisedcredential | Read | |||||
| /api/v2/events/dataexport/alerts/ctep (or ips) | Read | |||||
| /api/v2/events/dataexport/alerts/dlp | Read | |||||
| /api/v2/events/dataexport/alerts/watchlist | Read | |||||
| /api/v2/policy/urllist/file | Read + Write | |||||
| /api/v2/policy/urllist | Read + Write | y | ||||
| /api/v2/policy/urllist/deploy | Read + Write | y | ||||
| /api/v2/incidents/uba/getuci | Read + Write | y | ||||
| /api/v2/ubadatasvc/user/uci | Read + Write | y | ||||
| /api/v2/services/cci/app | Read | |||||
| /api/v2/services/cci/domain | Read | |||||
| /api/v2/services/cci/tags | Read |
y: Required API scopes for the corresponding CE module.
Add a Netskope Tenant
Now that you have your v1 and v2 tokens ready, proceed with the Netskope tenant configuration of your Cloud Exchange instance.
- Log in to your Cloud Exchange tenant.
- Go to Settings and click Netskope Tenants.
- Click Add Tenant.
- Enter a name for this Netskope tenant configuration.
- Enter your Netskope tenant name. Do not enter the
<tenant_name>.goskope.com, URL. Enter just your tenant name. For example, if it’smycompany.goskope.com, just entermycompany. If your tenant haseuin the URL, entertenant_name.eu. - Enter your Netskope tenant API token(s) obtained previously.
- Select alerts types for filtering alerts from the tenant. The below list represents the minimum requirements per module, but each alert type selected requires the corresponding
/api/v2/events/dataexport/alerts/REST API endpoint to be allowed (see table above).- Log Shipper: All
- Ticket Orchestrator: All
- Threat Exchange: Malsite, Malware
- User Risk Exchange: Quarantine
- Application Risk Exchange: None
- Set the range for ingesting data from Netskope. In this case, set the Initial Range to 7 days to pre-populate Log Shipper.
- If you use a proxy, enable the proxy toggle.
- Click Save. Your tenant appears on the page.
- Configure Netskope Tenants
- Configure the Netskope Plugin for Log Shipper
- Configure the Netskope Plugin for Ticket Orchestrator
- Configure the Netskope Plugin for Threat Exchange
- Configure the Netskope Plugin for User Risk Exchange
- Configure the Netskope Plugin for Application Risk Exchange
- Using Beta Plugins
- Explore the Dashboards
- Cloud Exchange Setup Videos
- SSO Configuration
- Cloud Exchange SSO with Azure AD
- Cloud Exchange SSO with Okta
- SSO Access for Netskope Support
Articles
- Configure Netskope Tenants
- Configure the Netskope Plugin for Log Shipper
- Configure the Netskope Plugin for Ticket Orchestrator
- Configure the Netskope Plugin for Threat Exchange
- Configure the Netskope Plugin for User Risk Exchange
- Configure the Netskope Plugin for Application Risk Exchange
- Using Beta Plugins
- Explore the Dashboards
- Cloud Exchange Setup Videos
- SSO Configuration
- Cloud Exchange SSO with Azure AD
- Cloud Exchange SSO with Okta
- SSO Access for Netskope Support
