Netskope - ATP/Sandbox Malicious File Detection
44 NK ATP Sandbox Malicious File
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(malware_name_s) or isnotempty(malware_type_s)
or threat_name_s has_any ("malware", "trojan", "ransomware", "exploit", "worm", "adware")
| where isnotempty(user_s)
| summarize
DetectionCount = count(),
UniqueFiles = dcount(object_s),
FileNames = make_set(object_s, 10),
FileTypes = make_set(file_type_s, 10),
MalwareNames = make_set(malware_name_s, 10),
MalwareTypes = make_set(malware_type_s, 5),
ThreatNames = make_set(threat_name_s, 10),
ActionsTaken = make_set(action_s, 5),
Domains = make_set(domain_s, 10),
Apps = make_set(app_s, 5),
Blocked = countif(action_s in ("block", "Block", "blocked", "Blocked")),
Allowed = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s, malware_name_s
| order by Allowed desc, DetectionCount descExplanation
This query is part of a scheduled detection rule designed to identify files flagged as malicious by Netskope's Advanced Threat Protection (ATP) sandbox analysis or inline malware scanning. Here's a simple breakdown of what it does:
-
Purpose: The query detects files that have been identified as malicious, indicating that they were either downloaded or uploaded with malware signatures or behaviors recognized as malicious.
-
Severity and Techniques: The detection is marked with a high severity level and is associated with MITRE ATT&CK techniques T1105 (Ingress Tool Transfer) and T1204.002 (User Execution: Malicious File).
-
Data Source: It uses data from the
NetskopeWebTransactionsconnector, specifically theNetskopeWebTx_CLdata type. -
Frequency and Period: The query runs every 15 minutes and looks at data from the past day (24 hours).
-
Detection Logic:
- It checks for records where the
malware_name_sormalware_type_sfields are not empty, or where thethreat_name_sfield contains terms like "malware," "trojan," "ransomware," etc. - It ensures that the
user_sfield is not empty, indicating that a user is associated with the detected activity.
- It checks for records where the
-
Summarization:
- It counts the total detections and unique files.
- It collects sets of file names, file types, malware names, malware types, threat names, actions taken, domains, and applications involved.
- It counts how many actions were blocked versus allowed.
- It records the first and last time the malicious activity was seen.
-
Ordering: The results are ordered by the number of allowed actions and then by the total detection count.
-
Entity Mapping: The query maps the
user_sfield to an account entity, using it as the identifier for the user involved. -
Alert Details:
- The alert display name includes the malware name and user.
- The alert description specifies the malware detected, the user involved, and the count of allowed versus blocked events.
-
Incident Configuration:
- It creates an incident for each detection.
- Incidents can be grouped by account (user) to consolidate related alerts.
Overall, this query helps security teams monitor and respond to potential malware threats detected by Netskope ATP, providing detailed insights into the nature and scope of the threats.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: P1D