Netskope - High-Confidence Threat Allowed Through
43 NK High Confidence Threat Allowed
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where severity_s in ("high", "critical")
or isnotempty(malware_name_s)
or isnotempty(threat_name_s)
| where isnotempty(user_s)
| summarize
RequestCount = count(),
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 20),
Domains = make_set(domain_s, 10),
ThreatNames = make_set(threat_name_s, 10),
MalwareNames = make_set(malware_name_s, 10),
Categories = make_set(category_s, 5),
Severities = make_set(severity_s, 5),
TotalBytesRecv = sum(todouble(bytes_downloaded_d)),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by domain_s, severity_s
| extend TotalMBRecv = round(toreal(TotalBytesRecv) / 1048576, 2)
| order by RequestCount descExplanation
This query is designed to detect and alert when Netskope, a cloud security platform, allows traffic to destinations that have been identified as high-risk or associated with known malware. Here's a simplified breakdown of what the query does:
-
Purpose: It identifies instances where Netskope has detected a threat but still allowed the traffic, which might indicate policy gaps or bypass configurations.
-
Data Source: The query uses data from the
NetskopeWebTransactionsconnector, specifically theNetskopeWebTx_CLdata type. -
Time Frame: It looks at data from the past day (24 hours).
-
Conditions:
- It filters out any traffic that was blocked.
- It focuses on traffic with a high or critical severity level or where there is a known malware or threat name.
-
Analysis:
- It counts the number of requests and identifies unique users involved.
- It compiles lists of domains, threat names, malware names, categories, and severities.
- It calculates the total amount of data downloaded in megabytes.
- It records the first and last time the traffic was seen.
-
Output:
- The results are sorted by the number of requests, with the most frequent first.
- Alerts are generated with details about the domain, severity, number of requests, and affected users.
-
Incident Management:
- An incident is created for each alert, with grouping enabled to consolidate related alerts based on DNS entities.
- The alert display name and description are customized to include relevant details like domain and severity.
Overall, this query helps security teams monitor and respond to potential threats that have been allowed through Netskope, ensuring they can address any policy issues or misconfigurations.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: P1D