Query Details

38 NK Malicious Category Blocks

Query

id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
name: "Netskope - Blocked Request to Malicious / C2 Category"
version: 1.0.0
kind: Scheduled
description: |
  Detects Netskope blocked web requests categorized as malware, phishing, botnet,
  command-and-control, or other known-malicious destinations. Repeated blocked attempts
  may indicate persistent malware on the endpoint attempting to reach C2 infrastructure.
  MITRE ATT&CK: T1071 (Application Layer Protocol)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  let MaliciousCategories = dynamic([
      "Malware", "Phishing", "Botnet", "Command and Control",
      "Spyware/Adware", "Ransomware", "Cryptomining",
      "Newly Observed Domain", "Newly Registered Domain"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  // in~ is case-insensitive, so "block", "Block", "BLOCKED" and "blocked" all match
  | where action_s in~ ("block", "blocked")
  // any one of: a listed malicious category, high/critical severity, or a named malware detection
  | where category_s in (MaliciousCategories)
      or severity_s in~ ("high", "critical")
      or isnotempty(malware_name_s)
  // one row per (category, domain); category_s and domain_s stay available as columns for the
  // entity mapping and alert templates, so they are not re-collected with make_set
  | summarize
      BlockCount       = count(),
      UniqueUsers      = dcount(user_s),
      UserList         = make_set(user_s, 20),
      DestIPs          = make_set(dstip_s, 10),
      MalwareNames     = make_set(malware_name_s, 10),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by category_s, domain_s
  | order by BlockCount desc
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
customDetails:
  BlockCount: BlockCount
  UniqueUsers: UniqueUsers
  Category: category_s
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Malicious Block - {{category_s}} ({{BlockCount}} attempts)"
  alertDescriptionFormat: "{{BlockCount}} Netskope requests blocked for malicious category {{category_s}} affecting {{UniqueUsers}} users."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: AnyAlert
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
      - Category

Explanation

This query is designed to detect and alert on web requests that have been blocked by Netskope due to being associated with malicious activities such as malware, phishing, botnets, or command-and-control (C2) operations. Here's a simplified breakdown:

  • Purpose: The query identifies blocked web requests that are categorized as malicious, indicating potential threats like persistent malware on an endpoint trying to connect to C2 infrastructure.

  • Data Source: It uses data from the NetskopeWebTransactions connector, specifically the NetskopeWebTx_CL data type.

  • Frequency and Period: The query runs every 15 minutes (queryFrequency PT15M) over the past 24 hours (queryPeriod P1D). Because every run looks back a full day, the same blocked request keeps appearing in the results for up to 24 hours; the incident grouping described below is what keeps that from turning into a stream of separate incidents.

  • Conditions: It keeps only requests whose action was a block, then requires any one of three indicators: the category is in the MaliciousCategories list, the severity is high or critical, or the malware_name field is populated. Because these are OR'd, a high/critical block in a category outside the list still alerts. Note that "Newly Observed Domain" and "Newly Registered Domain" are risk categories rather than confirmed-malicious ones; including them gives earlier coverage of fresh C2 infrastructure at the cost of some precision.

  • Output: Results are grouped by (category, domain). For each pair the query counts the blocked requests, counts and lists the users involved (capped at 20), lists the destination IPs and any malware names (capped at 10), and records the first and last time the pair was seen. Rows are ordered by block count, so the most persistently contacted destination comes first.

  • Alerting: triggerOperator gt with triggerThreshold 0 means any returned row triggers. The alert title and description are built from the row's category, block count and unique-user count, and the domain is mapped to a DNS entity so it can be pivoted on during investigation.

  • Severity: The severity of the alert is marked as high, indicating a significant threat level.

  • MITRE ATT&CK Mapping: The query is associated with the MITRE ATT&CK technique T1071, which involves the use of application layer protocols for command and control.

  • Incident Management: Incidents are created and grouped on the Category custom detail; alerts for the same category within a 6-hour lookback are folded into one incident, and closed incidents are not reopened (reopenClosedIncident: false).

Overall, this query helps security teams monitor and respond to potential threats by identifying and alerting on blocked malicious web requests.
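The following is an added example, not Netskope's or the rule author's code: an offline Python model of the filter and summarize stages of the KQL above, run over constructed NetskopeWebTx_CL-shaped records so the conditions (case-insensitive block action, the three OR'd indicators, the one-day window) and the per-(category, domain) aggregation can be checked without a Sentinel workspace. The column names mirror the fields the query uses; the records, users, domains, IPs and the malware name are all constructed sample data.

```python
"""Offline model of the Netskope malicious-block rule above.

Added example, not Netskope's or the rule author's code. It mirrors the KQL
where and summarize stages so the logic can be exercised against constructed
records. Column names match the NetskopeWebTx_CL fields the query uses; every
record in SAMPLE_EVENTS is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MALICIOUS_CATEGORIES = {
    "Malware", "Phishing", "Botnet", "Command and Control",
    "Spyware/Adware", "Ransomware", "Cryptomining",
    "Newly Observed Domain", "Newly Registered Domain",
}
BLOCK_ACTIONS = {"block", "blocked"}      # compared case-insensitively, like in~
HIGH_SEVERITIES = {"high", "critical"}    # compared case-insensitively
LOOKBACK = timedelta(days=1)              # queryPeriod: P1D

# Fixed "now" so the example is deterministic (constructed, not a real run time).
NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, action, category, severity, malware, user, domain, dstip):
    """Build one constructed NetskopeWebTx_CL-shaped record."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "action_s": action, "category_s": category, "severity_s": severity,
        "malware_name_s": malware, "user_s": user, "domain_s": domain, "dstip_s": dstip,
    }


SAMPLE_EVENTS = [
    # Three blocks to one C2 domain, mixed action casing, two users -> one row, BlockCount 3
    _ev(50, "block",   "Command and Control", "high", "", "alice@example.com", "c2.example.net", "198.51.100.7"),
    _ev(20, "Blocked", "Command and Control", "high", "", "alice@example.com", "c2.example.net", "198.51.100.7"),
    _ev(5,  "BLOCK",   "Command and Control", "",     "", "bob@example.com",   "c2.example.net", "198.51.100.8"),
    # Category outside the list and no severity: matches only because malware_name_s is set
    _ev(180, "block", "File Sharing", "", "Trojan.Generic.Sample", "carol@example.com", "share.example.org", "203.0.113.9"),
    # Phishing category but the request was allowed: not a block, must not alert
    _ev(30, "allow", "Phishing", "high", "", "dave@example.com", "login.example.com", "203.0.113.10"),
    # Blocked, but benign category and low severity: must not alert
    _ev(10, "block", "Gambling", "low", "", "erin@example.com", "bet.example.com", "203.0.113.11"),
    # Malicious category but older than the 1-day window: excluded by the time filter
    _ev(30 * 60, "block", "Malware", "critical", "", "frank@example.com", "old.example.net", "203.0.113.12"),
]


def is_candidate(ev, now=NOW):
    """The KQL where-clauses: inside the window, a block, and any one of the three indicators."""
    if ev["TimeGenerated"] <= now - LOOKBACK:
        return False
    if ev["action_s"].lower() not in BLOCK_ACTIONS:
        return False
    return (
        ev["category_s"] in MALICIOUS_CATEGORIES
        or ev["severity_s"].lower() in HIGH_SEVERITIES
        or bool(ev["malware_name_s"])
    )


def summarize(events, now=NOW):
    """The summarize ... by category_s, domain_s stage, ordered by BlockCount desc."""
    groups = defaultdict(list)
    for ev in events:
        if is_candidate(ev, now):
            groups[(ev["category_s"], ev["domain_s"])].append(ev)
    rows = []
    for (category, domain), evs in groups.items():
        users = sorted({e["user_s"] for e in evs})
        rows.append({
            "category_s": category,
            "domain_s": domain,
            "BlockCount": len(evs),
            "UniqueUsers": len(users),
            "UserList": users[:20],                                   # make_set(user_s, 20)
            "DestIPs": sorted({e["dstip_s"] for e in evs})[:10],      # make_set(dstip_s, 10)
            # empty names are dropped here; KQL make_set would keep "" as a member
            "MalwareNames": sorted({e["malware_name_s"] for e in evs if e["malware_name_s"]})[:10],
            "FirstSeen": min(e["TimeGenerated"] for e in evs),
            "LastSeen": max(e["TimeGenerated"] for e in evs),
        })
    rows.sort(key=lambda r: r["BlockCount"], reverse=True)
    return rows


def should_trigger(rows):
    """triggerOperator: gt, triggerThreshold: 0 -> fire when the query returns any row."""
    return len(rows) > 0


def alert_title(row):
    """Same shape as alertDisplayNameFormat in the rule."""
    return f"Netskope Malicious Block - {row['category_s']} ({row['BlockCount']} attempts)"


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(alert_title(row), "| users:", row["UniqueUsers"], "| ips:", row["DestIPs"])
```

Running it yields two rows: the C2 domain with three blocks from two users (the differently cased "Blocked" and "BLOCK" actions are counted, which is why the action comparison must be case-insensitive), and the file-sharing domain that matched only through its malware name. The allowed phishing request, the low-severity gambling block and the 30-hour-old malware block are all excluded, which is the behaviour to confirm before tuning the category list.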

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Web Requests, Malware, Phishing, Botnet, Command Control, Spyware/Adware, Ransomware, Cryptomining, Domain, Users, DNS

Operators

let, datatable, dynamic, union, isfuzzy, ago, in, or, isnotempty, summarize, count, dcount, make_set, min, max, by, order by
