Cloud Exchange Supported Integrations

A module-specific write-access user can create, enable, modify, or delete plugins. This section describes the third-party plugins supported by Netskope Cloud Exchange.

In addition to the Netskope plugins, Cloud Exchange works with the following plugins. As of version 4.1, these plugins are found in the GitHub repository and are pulled down by Cloud Exchange during initial installation, whenever the Cloud Exchange service is started or stopped, and whenever a write-access user responds to an "updates are available" prompt with a command to retrieve the new or updated plugins.

Log Shipper

  • AWS CloudTrail Lake: Send Netskope Events and Alerts to your CloudTrail event data store.
  • AWS S3 Events, Alerts: Send Netskope Events and Alerts as compressed archives.
  • AWS S3 WebTx: Send Netskope Web Transaction Logs as compressed archives.
  • AWS Security Lake: Send Netskope Events, Alerts, and Web Transaction Logs in OCSF format.
  • Bitsight ThirdPartyTrust: Send Netskope Events and Alerts from Netskope to the ThirdPartyTrust platform.
  • CrowdStrike LogScale: Send Netskope Alerts, Events, and Web Transaction Logs in JSON format from your Netskope tenant to the CrowdStrike LogScale HTTP Event Collector.
  • Elastic (Filebeat): Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • Google Cloud SCC: Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • Google GCP Storage: Send Netskope Web Transaction Logs as compressed archives.
  • Google Chronicle: Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • IBM QRadar: Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • Kafka: Send Netskope Events, Alerts, and Web Transaction Logs to the Kafka topic on the Kafka server/cluster. The plugin will act as a producer to publish the message to the Kafka topic.
  • Microsoft Azure Sentinel: Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • Microsoft Azure Monitor: Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • Microsoft Azure Cloud Storage: Send Netskope Web Transaction Logs as compressed archives.
  • Microsoft Defender for Cloud Apps: Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • Rapid7: Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • Secureworks: Send Netskope Events and Alerts in raw JSON format or Syslog CEF with custom field mappings.
  • Syslog: Send Netskope Events, Alerts, and Web Transaction Logs in Syslog CEF format using custom field mappings or pre-built field mappings for Rapid7, QRadar, LogRhythm, Azure Sentinel, CSCC, Chronicle, Elastic, ArcSight, AlienVault, AWS S3, AWS CloudTrail Lake, Secureworks, SolarWinds, Azure Monitor, Amazon Security Lake, BitSight, Microsoft Defender for Cloud Apps. Also send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format.
  • Syslog and WebTx with Splunk: Send Netskope Alerts, Events, and Web Transaction Logs in CEF format from Netskope Tenant to Splunk using Cloud Exchange via the Log Shipper Syslog and WebTx
  • WebTx: Fetch Netskope Web Transaction Logs which can be sent to supported SIEM platforms.
  • ArcSight: Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • LogRhythm: Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • AT&T AlienVault (using the default Syslog plugin): Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.
  • Solarwinds (using the default Syslog plugin): Send Netskope Events, Alerts, and Web Transaction Logs in raw JSON format or Syslog CEF with custom field mappings.

Ticket Orchestrator

  • Jira: Create issues/tickets in Jira.
  • Microsoft Teams Notifier: Send notifications to Microsoft Teams.
  • Notifier (Slack/Gmail/Email): Send notifications to various platforms: Email (SMTP), Gitter, Gmail, Hipchat, Join, Mailgun, Pagerduty, PopcornNotify, Pushbullet, Pushover, SimplePush, Slack (Webhooks), StatusPage, Telegram, Twilio, Zulip.
  • Okta Webhook: Enables automated synchronization of user data and events. This integration can help detect special security events and can trigger special actions on the user’s end with the Okta Workflows.
  • ServiceNow: Create incidents in ServiceNow (does not support ServiceNow DLP Incident Response).
  • Webhook: Create notifications for Netskope alerts.

Threat Exchange

  • Anomali ThreatStream XDR: Fetch URL, Domain, IP (IPv4), IPv6, SHA256, and MD5, and push the same to the Anomali ThreatStream XDR platform.
  • API Source: Allows for categorization of data for identifying source and for subsequent filtering delivered to Threat Exchange via API.
  • AWS GuardDuty: Fetch SHA256 file hashes from GuardDuty.
  • Carbon Black: Fetch file hashes and URLs from Carbon Black for known malware, and send file hashes to Carbon Black via the ThreatHunter API.
  • Commvault: Fetch URLs from Commvault, and send URLs to Commvault.
  • CrowdStrike: Fetch file hashes and URLs from CrowdStrike’s Custom IoC, and send file hashes and URLs to CrowdStrike’s Custom IoC.
  • Cybereason: Fetch file hashes and URLs from Cybereason Custom IOC, and send file hashes and URLs to Cybereason Custom IOC.
  • Digital Shadows: Fetch impersonating domains from Digital Shadows.
  • External Website: Fetch URLs (URLs, IPv4, Domains), SHA256, and MD5 types of indicators from any external websites. This plugin does not support pushing any indicators to the external websites.
  • ExtraHop Reveal(x) 360: Fetch URL (IP Address, Hostname) type of indicators from ExtraHop Reveal(x) 360.
  • Feedly: Fetch SHA256 hashes, MD5 hashes, URLs, domains, and IP addresses from Feedly Stream. This plugin also fetches IoCs in MISP format from Feedly Stream.
  • GitHub: Fetch MD5 file hashes from the owner GitHub repository, and send MD5 file hashes from Netskope to GitHub.
  • HarfangLab: Fetch Netskope IoCs with the IoC List available under the Threat Intelligence module on the HarfangLab platform.
  • Illumio: Fetch workloads within a configured policy scope and create Netskope Threat IoCs for all interfaces on each workload. The IoCs can then be used for granular access control with workloads that are not managed by Illumio policy.
  • Mandiant: Fetch URLs, MD5, FQDN, IPv4, and IPv6 from Google Mandiant.
  • Microsoft Office 365 Endpoints: Fetch URLs and IP from Microsoft Office 365 Endpoints.
  • Microsoft Defender for Cloud Apps: Fetch unsanctioned URLs from Microsoft Defender for Cloud Apps.
  • Microsoft Defender for Endpoints: Fetch URLs, MD5, SHA256 file hashes from Microsoft Defender for Endpoints.
  • Mimecast: Fetch SHA256 file hashes and URLs from Mimecast, and send file hashes and URLs to the Mimecast IoC.
  • Palo Alto Networks Cortex XDR: Fetch indicators of type File (MD5 and SHA256) from Palo Alto Networks Cortex XDR and store them in Netskope Cloud Exchange. The plugin also supports sharing the Cloud Exchange indicators SHA256, MD5, and URL (IPv4, Domain) with existing groups on the Palo Alto Networks Cortex XDR platform.
  • Palo Alto Networks Panorama: Fetch information about domains, IP addresses, and file hashes (SHA256) from Wildfire logs, and URLs from URL-Filtering logs.
  • Proofpoint: Fetch malicious file hashes and URLs for several types of Targeted Attack Protection events from Proofpoint.
  • SecurityScorecard: Fetch domains from SecurityScorecard as URLs into Netskope.
  • SentinelOne: Fetch URLs, MD5, and SHA256 file hashes from SentinelOne, and send file hashes and URLs to SentinelOne.
  • ServiceNow Threat Intelligence: Fetch MD5, SHA256, and URL types of observables and share new observables from ServiceNow Threat Intelligence, and send URL, MD5, and SHA256 file hashes from Netskope to ServiceNow Threat Intelligence.
  • Skyhigh: Fetch URLs to share them with Netskope.
  • Sophos: Fetch the SHA256 type of threat indicator from Threat Graphs under Threat Analysis Center in the Sophos platform. This plugin does not support sharing of indicators to the Sophos platform.
  • STIX/TAXII: Poll TAXII feeds and extract URLs, MD5, and SHA256 file hashes. Most threat systems support creating a feed for CE to read, including Anomali.
  • ThreatConnect: Fetch indicators of type malware hashes and URLs from ThreatConnect, and send hashes and URLs from Netskope to ThreatConnect.
  • ThreatQ: Fetch MD5, SHA256, and URL types of observables and share new observables from ThreatQ.
  • Trend Micro: Fetch URLs, domains, SHA256 file hashes, and IP addresses from Trend Micro Vision One, and share SHA256 file hashes and URLs from Netskope to Trend Micro Vision One.
  • MISP: Fetch file hashes and URLs from MISP, and share file hashes and URL from Netskope to MISP.
  • SecLytics: Fetch URLs, IPs, and CIDRs from Netskope.

User Risk Exchange

  • Azure AD: Fetch users and their respective scores from Microsoft Azure AD, and add or remove users from Microsoft Azure AD groups.
  • BeyondCorp: Fetch user scores from BeyondCorp, and add or remove users from BeyondCorp groups.
  • CrowdStrike: Fetch host risk scores (ZTA) from CrowdStrike, and send risk score range to CrowdStrike.
  • CrowdStrike Falcon Identity Protection: Fetch user risk scores from CrowdStrike Falcon Identity Protection, and add or remove users from CrowdStrike Falcon Identity Protection groups.
  • CyberArk: Use to add or remove a CyberArk user to the CyberArk Roles.
  • Elastic: Fetch users available on the Security > Explore > Users > All users page, and their respective risk scores available on the Security > Explore > Users > User risk page, from your Elastic instance.
  • KnowBe4 (Security Advisor): Fetch Behaviour score of users from Security Advisor.
  • Okta: Add or remove users from Okta groups.
  • Mimecast (Training Awareness safe score): Fetch user risk scores from Mimecast, and add or remove users from Mimecast groups.
  • Proofpoint: Fetch attack index of users from Proofpoint using the VAP module.
  • LDAP: Perform operations like add to group and remove from the group on users.

Application Risk Exchange

  • ServiceNow: Send application risk scores (CCI) to ServiceNow.
  • ThirdPartyTrust: Send application risk scores (CCI) to ThirdPartyTrust.

Upload a Custom Plugin

You can upload new plugins. After creating your custom plugin, follow these steps to upload your new plugin.

  1. Go to Settings and click Plugins.
  2. Click Add new Plugin, locate the ZIP or tar file for your custom plugin, and then click Upload. After successful validation, the newly added plugin is available under the supported plugins list for this CE instance only. Uploaded plugins are stored in the host file system.
  3. If the core Docker container is upgraded or reset, all your uploaded plugins remain in place with all their configurations.
  4. Use this template to create a plugin user guide.

Search and Filter the Plugins List

On the Plugins page, you can search by plugin name.
