Netskope - Blocked Request to Malicious / C2 Category
38 NK Malicious Category Blocks
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let MaliciousCategories = dynamic([
"Malware", "Phishing", "Botnet", "Command and Control",
"Spyware/Adware", "Ransomware", "Cryptomining",
"Newly Observed Domain", "Newly Registered Domain"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where action_s in ("block", "Block", "blocked", "Blocked")
| where category_s in (MaliciousCategories)
or severity_s in ("high", "critical")
or isnotempty(malware_name_s)
| summarize
BlockCount = count(),
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 20),
DestDomains = make_set(domain_s, 20),
DestIPs = make_set(dstip_s, 10),
Categories = make_set(category_s, 10),
MalwareNames = make_set(malware_name_s, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by category_s, domain_s
| order by BlockCount descExplanation
This query is designed to detect and alert on web requests that have been blocked by Netskope due to being associated with malicious activities such as malware, phishing, botnets, or command-and-control (C2) operations. Here's a simplified breakdown:
-
Purpose: The query identifies blocked web requests that are categorized as malicious, indicating potential threats like persistent malware on an endpoint trying to connect to C2 infrastructure.
-
Data Source: It uses data from the
NetskopeWebTransactionsconnector, specifically theNetskopeWebTx_CLdata type. -
Frequency and Period: The query runs every 15 minutes and looks at data from the past day (24 hours).
-
Conditions: It filters for web requests that were blocked and belong to certain malicious categories or have a high/critical severity. It also considers requests with a non-empty malware name.
-
Output: The query summarizes the data by counting the number of blocked requests, identifying unique users involved, and listing affected domains, IPs, categories, and malware names. It also notes the first and last time these events were seen.
-
Alerting: If any blocked requests are found, an alert is generated with details such as the number of attempts and the category of the threat. The alert is configured to create an incident if triggered.
-
Severity: The severity of the alert is marked as high, indicating a significant threat level.
-
MITRE ATT&CK Mapping: The query is associated with the MITRE ATT&CK technique T1071, which involves the use of application layer protocols for command and control.
-
Incident Management: The query is set to create incidents for detected threats, with specific configurations for grouping and managing these incidents.
Overall, this query helps security teams monitor and respond to potential threats by identifying and alerting on blocked malicious web requests.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: PT15M
Period: P1D