Query Details

44 NK ATP Sandbox Malicious File

Query

id: a7b8c9d0-e1f2-4a3b-4c5d-6e7f8a9b0c1d
name: "Netskope - ATP/Sandbox Malicious File Detection"
version: 1.0.0
kind: Scheduled
description: |
  Detects files identified as malicious by Netskope Advanced Threat Protection (ATP) sandbox
  analysis or inline malware scanning. These detections indicate that a file was downloaded
  or uploaded with malware signatures or sandbox-identified malicious behavior.
  MITRE ATT&CK: T1105 (Ingress Tool Transfer), T1204.002 (User Execution: Malicious File)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - CommandAndControl
relevantTechniques:
  - T1105
  - T1204
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(malware_name_s) or isnotempty(malware_type_s)
      or threat_name_s has_any ("malware", "trojan", "ransomware", "exploit", "worm", "adware")
  | where isnotempty(user_s)
  | summarize
      DetectionCount   = count(),
      UniqueFiles      = dcount(object_s),
      FileNames        = make_set(object_s, 10),
      FileTypes        = make_set(file_type_s, 10),
      MalwareNames     = make_set(malware_name_s, 10),
      MalwareTypes     = make_set(malware_type_s, 5),
      ThreatNames      = make_set(threat_name_s, 10),
      ActionsTaken     = make_set(action_s, 5),
      Domains          = make_set(domain_s, 10),
      Apps             = make_set(app_s, 5),
      Blocked          = countif(action_s in ("block", "Block", "blocked", "Blocked")),
      Allowed          = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by user_s, malware_name_s
  | order by Allowed desc, DetectionCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  DetectionCount: DetectionCount
  MalwareName: malware_name_s
  Allowed: Allowed
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope ATP Detection - {{malware_name_s}} ({{user_s}})"
  alertDescriptionFormat: "Malware '{{malware_name_s}}' detected for user {{user_s}}. {{Allowed}} events allowed, {{Blocked}} blocked."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is part of a scheduled detection rule designed to identify files flagged as malicious by Netskope's Advanced Threat Protection (ATP) sandbox analysis or inline malware scanning. Here's a simple breakdown of what it does:

  1. Purpose: The query detects files that have been identified as malicious, indicating that they were either downloaded or uploaded with malware signatures or behaviors recognized as malicious.

  2. Severity and Techniques: The detection is marked with a high severity level and is associated with MITRE ATT&CK techniques T1105 (Ingress Tool Transfer) and T1204.002 (User Execution: Malicious File).

  3. Data Source: It uses data from the NetskopeWebTransactions connector, specifically the NetskopeWebTx_CL data type.

  4. Frequency and Period: The query runs every 15 minutes and looks at data from the past day (24 hours).

  5. Detection Logic:

    • It keeps records where the malware_name_s or malware_type_s field is not empty, or where the threat_name_s field contains any of the terms "malware," "trojan," "ransomware," "exploit," "worm," or "adware" (has_any matches whole terms, not substrings).
    • It requires that the user_s field is not empty, so that every detection is tied to a user.

  6. Summarization:

    • It counts the total detections and unique files.
    • It collects sets of file names, file types, malware names, malware types, threat names, actions taken, domains, and applications involved.
    • It counts how many events were blocked versus allowed (an event counts as blocked only when action_s is one of "block", "Block", "blocked" or "Blocked"; any other value, including an empty action, is counted as allowed).
    • It records the first and last time the malicious activity was seen.

  7. Ordering: The results are sorted by the number of allowed events (descending) and then by the total detection count (descending), so the groups where malware got through rank first.

  8. Entity Mapping: The query maps the user_s field to an Account entity, using it as the identifier for the user involved.

  9. Alert Details:

    • The alert display name includes the malware name and user.
    • The alert description specifies the malware detected, the user involved, and the count of allowed versus blocked events.

  10. Incident Configuration:

    • It creates an incident for each alert.
    • Incidents are grouped by Account (user) over a six-hour lookback to consolidate related alerts.

Overall, this query helps security teams monitor and respond to potential malware threats detected by Netskope ATP, providing detailed insights into the nature and scope of the threats.
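To make the rule's filter, grouping and ordering concrete, the following added example re-implements the KQL pipeline in plain Python over a few constructed NetskopeWebTx_CL-style rows. It is not Netskope's or the rule author's code; the column names come from the query above, the row values and the fixed clock are constructed, and `has_any_term` is an approximation of KQL's term-based `has_any`.

```python
"""Offline re-implementation of the Netskope ATP detection rule's KQL logic.
Added example, not code from the original page. Column names follow the
query's NetskopeWebTx_CL schema; all row values below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Values the query's countif treats as a block; everything else, including an
# empty action_s, lands in the Allowed bucket exactly as the `!in` clause does.
BLOCK_VALUES = {"block", "Block", "blocked", "Blocked"}
THREAT_TERMS = ("malware", "trojan", "ransomware", "exploit", "worm", "adware")
NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)  # fixed clock for a deterministic run


def has_any_term(text: str, terms) -> bool:
    """Approximates KQL has_any: case-insensitive match on whole terms, so
    'antimalware' does not satisfy 'malware' the way a substring check would."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return any(t in tokens for t in terms)


def matches(row: dict) -> bool:
    """The three `where` stages: 1-day window, malware evidence, non-empty user."""
    if row["TimeGenerated"] <= NOW - timedelta(days=1):
        return False
    flagged = (bool(row["malware_name_s"]) or bool(row["malware_type_s"])
               or has_any_term(row["threat_name_s"], THREAT_TERMS))
    return flagged and bool(row["user_s"])


def make_set(values, limit):
    """KQL make_set: distinct values in first-seen order, capped at `limit`."""
    seen = []
    for v in values:
        if v not in seen:
            seen.append(v)
    return seen[:limit]


def summarize(rows):
    """summarize ... by user_s, malware_name_s | order by Allowed desc, DetectionCount desc"""
    groups = defaultdict(list)
    for r in rows:
        if matches(r):
            groups[(r["user_s"], r["malware_name_s"])].append(r)
    out = []
    for (user, malware), rs in groups.items():
        actions = [r["action_s"] for r in rs]
        blocked = sum(a in BLOCK_VALUES for a in actions)
        out.append({
            "user_s": user, "malware_name_s": malware,
            "DetectionCount": len(rs),
            "UniqueFiles": len({r["object_s"] for r in rs}),   # dcount(object_s)
            "FileNames": make_set((r["object_s"] for r in rs), 10),
            "ThreatNames": make_set((r["threat_name_s"] for r in rs), 10),
            "ActionsTaken": make_set(actions, 5),
            "Blocked": blocked,
            "Allowed": len(rs) - blocked,
            "FirstSeen": min(r["TimeGenerated"] for r in rs),
            "LastSeen": max(r["TimeGenerated"] for r in rs),
        })
    out.sort(key=lambda g: (-g["Allowed"], -g["DetectionCount"]))
    return out


def alert_title(g):
    """Mirrors alertDisplayNameFormat from the rule."""
    return f"Netskope ATP Detection - {g['malware_name_s']} ({g['user_s']})"


def alert_description(g):
    """Mirrors alertDescriptionFormat from the rule."""
    return (f"Malware '{g['malware_name_s']}' detected for user {g['user_s']}. "
            f"{g['Allowed']} events allowed, {g['Blocked']} blocked.")


def row(hours_ago, action, user, malware="", mtype="", threat="", obj="", ftype=""):
    """Builds one constructed NetskopeWebTx_CL-style record."""
    return dict(TimeGenerated=NOW - timedelta(hours=hours_ago), action_s=action, user_s=user,
                malware_name_s=malware, malware_type_s=mtype, threat_name_s=threat,
                object_s=obj, file_type_s=ftype)


SAMPLE_ROWS = [  # constructed sample data
    row(2, "allow", "alice@example.com", "Gen:Trojan.Agent", "trojan", "", "invoice.xlsm", "xlsm"),
    row(1, "Block", "alice@example.com", "Gen:Trojan.Agent", "trojan", "", "invoice.xlsm", "xlsm"),
    row(3, "", "bob@example.com", threat="Sandbox: Ransomware behavior", obj="setup.exe", ftype="exe"),
    row(4, "allow", "bob@example.com", threat="Sandbox: Ransomware behavior", obj="setup2.exe", ftype="exe"),
    row(30, "allow", "carol@example.com", "Worm.X", "worm", "", "old.zip", "zip"),   # outside 1d window
    row(1, "allow", "", "Worm.X", "worm", "", "noowner.zip", "zip"),                  # no user: dropped
    row(1, "allow", "dave@example.com", threat="Benign: antimalware update", obj="av.msi", ftype="msi"),  # no term hit
]

if __name__ == "__main__":
    for g in summarize(SAMPLE_ROWS):
        print(alert_title(g))
        print("  ", alert_description(g), g["FileNames"], g["ActionsTaken"])
```

Two things the run makes visible that the rule text does not spell out: bob's group ranks first because an empty action_s is counted as allowed, and that group's malware_name_s is empty (only threat_name_s fired), so the alert title renders with a blank malware name; a tuner may want to fall back to threat_name_s in the display format for that case.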

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Files, Malware, User, Domain, Apps, Account

Operators

let, datatable, union, isfuzzy, where, ago, isnotempty, has_any, summarize, count, dcount, make_set, countif, in, !in, min, max, by, order by
