Query Details

43 NK High Confidence Threat Allowed

Query

id: f6a7b8c9-d0e1-4f2a-3b4c-5d6e7f8a9b0c
name: "Netskope - High-Confidence Threat Allowed Through"
version: 1.0.0
kind: Scheduled
description: |
  Detects Netskope allowed traffic to destinations with high or critical threat severity
  or known malware detections. This indicates Netskope identified a threat but the traffic
  was still permitted, potentially due to policy gaps or bypass configurations.
  MITRE ATT&CK: T1071 (Application Layer Protocol), T1204 (User Execution)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - Execution
relevantTechniques:
  - T1071
  - T1204
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  | where action_s !in ("block", "Block", "blocked", "Blocked")
  | where severity_s in ("high", "critical")
      or isnotempty(malware_name_s)
      or isnotempty(threat_name_s)
  | where isnotempty(user_s)
  | summarize
      RequestCount     = count(),
      UniqueUsers      = dcount(user_s),
      UserList         = make_set(user_s, 20),
      Domains          = make_set(domain_s, 10),
      ThreatNames      = make_set(threat_name_s, 10),
      MalwareNames     = make_set(malware_name_s, 10),
      Categories       = make_set(category_s, 5),
      Severities       = make_set(severity_s, 5),
      TotalBytesRecv   = sum(todouble(bytes_downloaded_d)),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by domain_s, severity_s
  | extend TotalMBRecv = round(toreal(TotalBytesRecv) / 1048576, 2)
  | order by RequestCount desc
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
customDetails:
  RequestCount: RequestCount
  UniqueUsers: UniqueUsers
  Severity: severity_s
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Threat Allowed - {{domain_s}} (Severity: {{severity_s}})"
  alertDescriptionFormat: "{{RequestCount}} Netskope requests allowed to threat destination {{domain_s}} (severity: {{severity_s}}) affecting {{UniqueUsers}} users."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - DNS
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect and alert when Netskope, a cloud security platform, allows traffic to destinations that have been identified as high-risk or associated with known malware. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies instances where Netskope has detected a threat but still allowed the traffic, which might indicate policy gaps or bypass configurations.

  2. Data Source: The query uses data from the NetskopeWebTransactions connector, specifically the NetskopeWebTx_CL data type.

  3. Time Frame: It looks at data from the past day (24 hours).

  4. Conditions:

    • It filters out any traffic that was blocked.
    • It focuses on traffic with a high or critical severity level or where there is a known malware or threat name.

  5. Analysis:

    • It counts the number of requests and identifies unique users involved.
    • It compiles lists of domains, threat names, malware names, categories, and severities.
    • It calculates the total amount of data downloaded in megabytes.
    • It records the first and last time the traffic was seen.

  6. Output:

    • The results are sorted by the number of requests, with the most frequent first.
    • Alerts are generated with details about the domain, severity, number of requests, and affected users.

  7. Incident Management:

    • An incident is created for each alert, with grouping enabled to consolidate related alerts based on DNS entities.
    • The alert display name and description are customized to include relevant details like domain and severity.

Overall, this query helps security teams monitor and respond to potential threats that have been allowed through Netskope, ensuring they can address any policy issues or misconfigurations.
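The rule's filter-and-summarize logic modelled in Python, as an added example that is not part of the original rule or of Netskope's tooling, run over constructed NetskopeWebTx_CL-style rows so the where clauses, the (domain, severity) grouping and the megabyte conversion can be checked offline. The `_row` helper, the sample users, domains and threat names are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Mirrors the rule: KQL `!in` is case-sensitive, so all four spellings are listed.
BLOCKED_ACTIONS = {"block", "Block", "blocked", "Blocked"}
HIGH_SEVERITIES = {"high", "critical"}

def is_allowed_threat(row):
    """True when a row would survive the rule's three `where` clauses."""
    if row.get("action_s") in BLOCKED_ACTIONS:
        return False
    threat = (row.get("severity_s") in HIGH_SEVERITIES
              or bool(row.get("malware_name_s"))
              or bool(row.get("threat_name_s")))
    return threat and bool(row.get("user_s"))

def summarize(rows):
    """Group surviving rows by (domain_s, severity_s) like the rule's summarize step."""
    groups = defaultdict(list)
    for r in rows:
        if is_allowed_threat(r):
            groups[(r["domain_s"], r.get("severity_s", ""))].append(r)
    results = []
    for (domain, sev), hits in groups.items():
        total_bytes = sum(float(h.get("bytes_downloaded_d", 0)) for h in hits)
        results.append({
            "domain_s": domain, "severity_s": sev, "RequestCount": len(hits),
            "UniqueUsers": len({h["user_s"] for h in hits}),
            "ThreatNames": sorted({h["threat_name_s"] for h in hits if h.get("threat_name_s")}),
            "MalwareNames": sorted({h["malware_name_s"] for h in hits if h.get("malware_name_s")}),
            "TotalMBRecv": round(total_bytes / 1048576, 2),
            "FirstSeen": min(h["TimeGenerated"] for h in hits),
            "LastSeen": max(h["TimeGenerated"] for h in hits),
        })
    return sorted(results, key=lambda x: x["RequestCount"], reverse=True)  # order by RequestCount desc

def _row(minute, action, sev, user, domain, mb, **extra):
    """Build one constructed NetskopeWebTx_CL-style row (sample data, not real telemetry)."""
    return {"TimeGenerated": datetime(2026, 4, 16, 9, minute), "action_s": action,
            "severity_s": sev, "user_s": user, "domain_s": domain,
            "bytes_downloaded_d": mb * 1048576, **extra}

SAMPLE_ROWS = [
    _row(0, "allow", "high", "alice@example.com", "bad.example.net", 2, threat_name_s="Trojan.Generic"),
    _row(5, "allow", "high", "bob@example.com", "bad.example.net", 1, threat_name_s="Trojan.Generic"),
    _row(7, "Blocked", "critical", "carol@example.com", "bad.example.net", 0),  # dropped: blocked
    _row(9, "allow", "low", "dave@example.com", "drop.example.org", 1, malware_name_s="EICAR-Test"),
    _row(12, "allow", "critical", "", "noisy.example.org", 4),  # dropped: empty user_s
]
```

Calling `summarize(SAMPLE_ROWS)` yields two groups: bad.example.net/high with two requests, two users and 3.0 MB, then drop.example.org/low kept only because a malware name is present.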

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Threat, Traffic, Severity, Malware, User, Domain, IP, Bytes, Application, URL, DLP, Activity, File, Object, DNS

Operators

let, datatable, union, isfuzzy, where, ago, !in, in, isnotempty, summarize, count, dcount, make_set, sum, todouble, min, max, by, extend, round, toreal, order by