Query Details

Netskope - High-Confidence Threat Allowed Through

43 NK High Confidence Threat Allowed

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where severity_s in ("high", "critical")
    or isnotempty(malware_name_s)
    or isnotempty(threat_name_s)
| where isnotempty(user_s)
| summarize
    RequestCount     = count(),
    UniqueUsers      = dcount(user_s),
    UserList         = make_set(user_s, 20),
    Domains          = make_set(domain_s, 10),
    ThreatNames      = make_set(threat_name_s, 10),
    MalwareNames     = make_set(malware_name_s, 10),
    Categories       = make_set(category_s, 5),
    Severities       = make_set(severity_s, 5),
    TotalBytesRecv   = sum(todouble(bytes_downloaded_d)),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by domain_s, severity_s
| extend TotalMBRecv = round(toreal(TotalBytesRecv) / 1048576, 2)
| order by RequestCount desc

Explanation

This query is designed to detect and alert when Netskope, a cloud security platform, allows traffic to destinations that have been identified as high-risk or associated with known malware. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies instances where Netskope has detected a threat but still allowed the traffic, which might indicate policy gaps or bypass configurations.

  2. Data Source: The query uses data from the NetskopeWebTransactions connector, specifically the NetskopeWebTx_CL data type.

  3. Time Frame: It looks at data from the past day (24 hours).

  4. Conditions:

    • It filters out any traffic that was blocked.
    • It focuses on traffic with a high or critical severity level or where there is a known malware or threat name.
  5. Analysis:

    • It counts the number of requests and identifies unique users involved.
    • It compiles lists of domains, threat names, malware names, categories, and severities.
    • It calculates the total amount of data downloaded in megabytes.
    • It records the first and last time the traffic was seen.
  6. Output:

    • The results are sorted by the number of requests, with the most frequent first.
    • Alerts are generated with details about the domain, severity, number of requests, and affected users.
  7. Incident Management:

    • An incident is created for each alert, with grouping enabled to consolidate related alerts based on DNS entities.
    • The alert display name and description are customized to include relevant details like domain and severity.

Overall, this query helps security teams monitor and respond to potential threats that have been allowed through Netskope, ensuring they can address any policy issues or misconfigurations.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeThreatTrafficSeverityMalwareUserDomainIPBytesApplicationURLDLPActivityFileObjectDNS

Operators

letdatatableunionisfuzzywhereago!ininisnotemptysummarizecountdcountmake_setsumtodoubleminmaxbyextendroundtorealorder by

Severity

High

Tactics

CommandAndControlExecution

MITRE Techniques

Frequency: PT15M

Period: P1D

Actions

GitHub