Query Details

40 NK Threat Intelligence Domain IP Match

Query

id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
name: "Netskope - Threat Intelligence Domain/IP Correlation"
version: 1.0.0
kind: Scheduled
description: |
  Correlates Netskope allowed web traffic against active Threat Intelligence indicators.
  Matches destination domains and IPs from NetskopeWebTx against ThreatIntelIndicators
  to detect allowed connections to known-malicious infrastructure.
  MITRE ATT&CK: T1071 (Application Layer Protocol), T1568 (Dynamic Resolution)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
  - connectorId: ThreatIntelligence
    dataTypes:
      - ThreatIntelIndicators
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
  - T1568
query: |
  // Empty table with the NetskopeWebTx_CL schema so the union below still parses when the table is absent
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  let TI_IOCs =
      ThreatIntelIndicators
      | where TimeGenerated > ago(30d)
      // ValidUntil is a datetime column: an indicator with no expiry is null, not an empty string
      | where isnull(ValidUntil) or ValidUntil > now()
      | where isnotempty(ObservableValue)
      // keep only IPv4 and domain observables (ObservableKey looks like "domain-name:value")
      | where isnotnull(parse_ipv4(ObservableValue)) or ObservableKey has "domain"
      | summarize
          // STIX indicator_types array from the Data column; Tags is kept separately below
          TI_ThreatTypes = make_set(Data.indicator_types),
          TI_Confidence  = max(Confidence),
          TI_Tags        = make_set(Tags)
        by IOC_Value = ObservableValue;
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  // case-insensitive match covers "block", "Block", "blocked", "Blocked"
  | where action_s !in~ ("block", "blocked")
  | where isnotempty(domain_s) or isnotempty(dstip_s)
  // coalesce() treats "" as a value, so an IP-only row with an empty domain_s would get MatchKey == "";
  // test for emptiness explicitly instead
  | extend MatchKey = iff(isnotempty(domain_s), domain_s, dstip_s)
  | summarize
      RequestCount     = count(),
      UniqueUsers      = dcount(user_s),
      UserList         = make_set(user_s, 10),
      BytesRecv        = sum(todouble(bytes_downloaded_d)),
      BytesSent        = sum(todouble(bytes_uploaded_d)),
      Apps             = make_set(app_s, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by MatchKey, domain_s, dstip_s
  | join kind=inner TI_IOCs on $left.MatchKey == $right.IOC_Value
  | project
      MatchKey, domain_s, dstip_s,
      RequestCount, UniqueUsers, UserList,
      BytesRecv, BytesSent, Apps,
      TI_ThreatTypes, TI_Confidence, TI_Tags,
      FirstSeen, LastSeen
  | order by TI_Confidence desc, RequestCount desc
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: dstip_s
customDetails:
  RequestCount: RequestCount
  TI_Confidence: TI_Confidence
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope TI Match - {{MatchKey}} (Confidence: {{TI_Confidence}})"
  alertDescriptionFormat: "{{RequestCount}} Netskope allowed requests to TI-listed destination {{MatchKey}} affecting {{UniqueUsers}} users."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - DNS
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to identify potentially malicious web traffic that has been allowed by Netskope, a cloud security platform. Here's a simple breakdown of what it does:

  1. Purpose: The query checks Netskope's allowed web traffic against known threat intelligence indicators to find any connections to malicious domains or IP addresses.

  2. Data Sources: It uses two main data sources:
    • NetskopeWebTransactions: Netskope web transaction logs (the query keeps only the traffic that was not blocked).
    • ThreatIntelligence: A list of known malicious domains and IP addresses.

  3. Process:
    • It first gathers threat intelligence indicators from the last 30 days that are still valid.
    • It then looks at Netskope web transactions from the past day, focusing on traffic that wasn't blocked.
    • It matches the destination domains and IPs from Netskope's logs with the threat intelligence indicators.

  4. Output:
    • For each match, it provides details like the number of requests, unique users involved, data transferred, and the applications used.
    • It also includes threat intelligence details such as threat types and confidence levels.

  5. Alerts:
    • If any matches are found, it generates alerts with a high severity level.
    • The alerts include information about the number of requests, the confidence level of the threat intelligence, and the number of affected users.

  6. Incident Management:
    • The query is set to create incidents for any matches found.
    • It groups incidents by domain name to manage them more effectively.

Overall, this query helps security teams quickly identify and respond to potentially harmful web traffic that has been allowed through Netskope, using up-to-date threat intelligence data.
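The correlation the rule performs, re-implemented in Python over constructed ThreatIntelIndicators and NetskopeWebTx_CL rows so the edge cases can be seen offline: an expired indicator is dropped, a blocked transaction is ignored, and a row whose domain_s is an empty string still matches on its destination IP. This is an added example, not the rule's own code; the tuple layouts, the NOW stand-in for now() and the sample values are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)  # constructed stand-in for KQL now()

# Constructed ThreatIntelIndicators rows: (ObservableKey, ObservableValue, Confidence, ValidUntil, Tags); None = no expiry
TI_ROWS = [
    ("domain-name:value", "bad.example", 90, None, ["c2"]),
    ("domain-name:value", "bad.example", 70, NOW + timedelta(days=10), ["malware"]),
    ("ipv4-addr:value", "203.0.113.7", 60, NOW + timedelta(days=3), ["scanner"]),
    ("domain-name:value", "old.example", 95, NOW - timedelta(days=1), ["phishing"]),  # expired: must not match
]
# Constructed NetskopeWebTx_CL rows: (action_s, user_s, domain_s, dstip_s); row 4 has an empty-string domain_s
WEBTX = [
    ("allow", "alice", "bad.example", "198.51.100.5"),
    ("allow", "bob", "bad.example", "198.51.100.5"),
    ("Blocked", "carol", "bad.example", "198.51.100.5"),  # blocked: excluded like action_s !in~ (...)
    ("allow", "dave", "", "203.0.113.7"),                  # IP-only row: must match on dstip_s
    ("allow", "erin", "old.example", "198.51.100.9"),      # destination only on the expired indicator
]

def is_ipv4(value):
    """Equivalent of isnotnull(parse_ipv4(value))."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True

def active_iocs(rows, now=NOW):
    """TI_IOCs step: current domain/IP indicators, max Confidence and merged Tags per observable value."""
    iocs = {}
    for key, value, confidence, valid_until, tags in rows:
        if not value or (valid_until is not None and valid_until <= now) or not (is_ipv4(value) or "domain" in key):
            continue
        entry = iocs.setdefault(value, {"TI_Confidence": 0, "TI_Tags": set()})
        entry["TI_Confidence"] = max(entry["TI_Confidence"], confidence)
        entry["TI_Tags"].update(tags)
    return iocs

def correlate(webtx, iocs):
    """Aggregate non-blocked traffic per destination, inner-join it to the IOC set and sort like the rule."""
    agg = {}
    for action, user, domain, dstip in webtx:
        match_key = domain or dstip  # empty-string safe; KQL coalesce() would return "" for row 4
        if action.lower() in ("block", "blocked") or not match_key:
            continue
        a = agg.setdefault(match_key, {"MatchKey": match_key, "RequestCount": 0, "Users": set()})
        a["RequestCount"] += 1
        a["Users"].add(user)
    hits = [dict(a, UniqueUsers=len(a["Users"]), **iocs[k]) for k, a in agg.items() if k in iocs]
    return sorted(hits, key=lambda h: (-h["TI_Confidence"], -h["RequestCount"]))
```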

Details


David Alonso

Released: April 16, 2026

Tables

ThreatIntelIndicators, NetskopeWebTx_CL

Keywords

Netskope, Threat Intelligence, Domain, IP, Indicators, Devices, User, DNS, IP

Operators

let, datatable, union, isfuzzy, where, isempty, isnotnull, parse_ipv4, has, isnotempty, summarize, make_set, max, by, ago, now, coalesce, tostring, count, dcount, sum, todouble, min, max, join, kind, on, project, order by, desc
