Microsoft Defender for Cloud Apps Plugin for Log Shipper

This document explains how to configure the Microsoft Defender for Cloud Apps integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration forwards Netskope-generated events to Microsoft Cloud App Security for additional analysis and reporting.

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances).
  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
  • A Microsoft Defender for Cloud Apps instance.

Note

Verify that your Microsoft Defender instance permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.

Workflow

  1. Configure the Microsoft Defender for Cloud Apps Data Source.
  2. Configure the Microsoft Defender for Cloud Apps plugin.
  3. Create Log Shipper Business Rules.
  4. Create Log Shipper SIEM mappings.
  5. Validate the plugin.


Configure the Microsoft Defender for Cloud Apps Data Source

  1. Go to your Microsoft Defender for Cloud Apps instance at: https://<instance-name>.portal.cloudappsecurity.com/.
  2. Log in to your Microsoft Defender for Cloud Apps instance.
  3. Click Settings and then click Log Collectors.
  4. Click Add data source.
  5. Enter a name and select Source and Receiver type, and then click Add.

Configure the Microsoft Defender for Cloud Apps Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Microsoft Cloud App Security (CLS) box to open the plugin creation pages.
  3. Enter a Configuration Name.
  4. Select a valid Mapping. (Default mappings are available for all plugins.)
  5. Click Next.
  6. Enter the Portal URL, API Token, and Data Source. If you use extensions other than the default one, enter the valid extensions.
  7. Click Save.

Configure Log Shipper Business Rules for Microsoft Defender for Cloud Apps

  1. Go to Log Shipper > Business Rules.
  2. Click Create New Rule.
  3. Enter a Rule Name and select the filters to use.
  4. Click Save.

Configure Log Shipper SIEM Mappings for Microsoft Defender for Cloud Apps

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
  2. Select a Source Configuration, Business Rule, and Destination Configuration.
  3. Click Save.

Validate the Microsoft Defender for Cloud Apps Plugin

To validate the plugin workflow, you can check from both Netskope Cloud Exchange and your Microsoft Defender for Cloud Apps instance.

Validate in Netskope Cloud Exchange

Go to Logging.

Validate in Microsoft Defender for Cloud Apps

Go to Settings > Governance Log.
