Netskope - Threat Intelligence Domain/IP Correlation
40 NK Threat Intelligence Domain IP Match
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let TI_IOCs =
ThreatIntelIndicators
| where TimeGenerated > ago(30d)
| where isempty(ValidUntil) or ValidUntil > now()
| where (isnotnull(parse_ipv4(ObservableValue)) or ObservableKey has "domain")
| where isnotempty(ObservableValue)
| summarize
TI_ThreatTypes = make_set(Tags),
TI_Confidence = max(Confidence),
TI_Tags = make_set(Tags)
by IOC_Value = ObservableValue;
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where isnotempty(domain_s) or isnotempty(dstip_s)
| extend MatchKey = coalesce(domain_s, tostring(dstip_s))
| summarize
RequestCount = count(),
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 10),
BytesRecv = sum(todouble(bytes_downloaded_d)),
BytesSent = sum(todouble(bytes_uploaded_d)),
Apps = make_set(app_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by MatchKey, domain_s, dstip_s
| join kind=inner TI_IOCs on $left.MatchKey == $right.IOC_Value
| project
MatchKey, domain_s, dstip_s,
RequestCount, UniqueUsers, UserList,
BytesRecv, BytesSent, Apps,
TI_ThreatTypes, TI_Confidence, TI_Tags,
FirstSeen, LastSeen
| order by TI_Confidence desc, RequestCount descExplanation
This query is designed to identify potentially malicious web traffic that has been allowed by Netskope, a cloud security platform. Here's a simple breakdown of what it does:
-
Purpose: The query checks Netskope's allowed web traffic against known threat intelligence indicators to find any connections to malicious domains or IP addresses.
-
Data Sources: It uses two main data sources:
- NetskopeWebTransactions: Logs of web traffic allowed by Netskope.
- ThreatIntelligence: A list of known malicious domains and IP addresses.
-
Process:
- It first gathers threat intelligence indicators from the last 30 days that are still valid.
- It then looks at Netskope web transactions from the past day, focusing on traffic that wasn't blocked.
- It matches the destination domains and IPs from Netskope's logs with the threat intelligence indicators.
-
Output:
- For each match, it provides details like the number of requests, unique users involved, data transferred, and the applications used.
- It also includes threat intelligence details such as threat types and confidence levels.
-
Alerts:
- If any matches are found, it generates alerts with a high severity level.
- The alerts include information about the number of requests, the confidence level of the threat intelligence, and the number of affected users.
-
Incident Management:
- The query is set to create incidents for any matches found.
- It groups incidents by domain name to manage them more effectively.
Overall, this query helps security teams quickly identify and respond to potentially harmful web traffic that has been allowed through Netskope, using up-to-date threat intelligence data.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D