Netskope + SecurityAlert Correlation - C2/Malware Corroboration
48 NK Security Alert Correlation
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let NetskopeBlocks =
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where action_s in ("block", "Block", "blocked", "Blocked")
| where category_s has_any (
"Malware", "Phishing", "Botnet", "Command and Control",
"Ransomware", "Cryptomining", "Spyware/Adware")
or isnotempty(malware_name_s)
| summarize
NK_BlockCount = count(),
NK_DestDomains = make_set(domain_s, 10),
NK_Categories = make_set(category_s, 5),
NK_MalwareNames = make_set(malware_name_s, 5),
NK_Users = make_set(user_s, 5),
NK_FirstSeen = min(TimeGenerated)
by NK_SrcIP = srcip_s;
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertSeverity in ("High", "Medium")
| mv-expand todynamic(Entities)
| extend EntityIP = tostring(Entities.Address)
| where isnotempty(EntityIP)
| summarize
Alert_Count = count(),
Alert_Names = make_set(AlertName, 5),
Alert_Products = make_set(ProductName, 5),
Alert_Severity = make_set(AlertSeverity, 3),
Alert_FirstSeen = min(TimeGenerated)
by EntityIP
| join kind=inner NetskopeBlocks on $left.EntityIP == $right.NK_SrcIP
| project
NK_SrcIP, NK_BlockCount, NK_DestDomains, NK_Categories,
NK_MalwareNames, NK_Users,
Alert_Count, Alert_Names, Alert_Products, Alert_Severity,
NK_FirstSeen, Alert_FirstSeen
| order by NK_BlockCount desc, Alert_Count descExplanation
This query is designed to identify potential security threats by cross-referencing data from two sources: Netskope and Microsoft Defender or Sentinel. Here's a simplified breakdown of what it does:
-
Purpose: The query aims to find instances where Netskope has blocked malicious or command-and-control (C2) requests and there are concurrent security alerts from Microsoft Defender or Sentinel for the same source IP address. This dual-source corroboration increases confidence in identifying an active compromise.
-
Data Sources:
- Netskope: It looks for blocked actions related to malware, phishing, botnets, command and control, ransomware, cryptomining, and spyware/adware within the last day.
- Microsoft Defender/Sentinel: It checks for security alerts with high or medium severity within the last day.
-
Process:
- It gathers data on blocked requests from Netskope, including details like the number of blocks, destination domains, categories, malware names, users, and the first time the block was seen.
- It collects security alerts from Microsoft Defender/Sentinel, including the count of alerts, alert names, products involved, severity, and the first time the alert was seen.
- The query then matches these two datasets based on the source IP address.
-
Output:
- The result is a list of source IPs that have both Netskope blocks and Microsoft security alerts, along with detailed information about each.
- The results are sorted by the number of Netskope blocks and security alerts.
-
Alert and Incident Management:
- If a match is found, an alert is generated with a display name indicating the number of blocks and alerts for the IP.
- An incident is created for each matched IP, and incidents can be grouped by IP address.
-
Severity and Techniques:
- The query is marked with high severity and is associated with MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1078 (Valid Accounts), indicating tactics related to command and control and defense evasion.
In summary, this query is a proactive security measure to detect and confirm potential compromises by correlating network activity and security alerts from different sources.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D