Query Details

Netskope + SecurityAlert Correlation - C2/Malware Corroboration

48 NK Security Alert Correlation

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let NetskopeBlocks =
    union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
    | where TimeGenerated > ago(1d)
    | where action_s in ("block", "Block", "blocked", "Blocked")
    | where category_s has_any (
        "Malware", "Phishing", "Botnet", "Command and Control",
        "Ransomware", "Cryptomining", "Spyware/Adware")
        or isnotempty(malware_name_s)
    | summarize
        NK_BlockCount    = count(),
        NK_DestDomains   = make_set(domain_s, 10),
        NK_Categories    = make_set(category_s, 5),
        NK_MalwareNames  = make_set(malware_name_s, 5),
        NK_Users         = make_set(user_s, 5),
        NK_FirstSeen     = min(TimeGenerated)
      by NK_SrcIP = srcip_s;
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertSeverity in ("High", "Medium")
| mv-expand todynamic(Entities)
| extend EntityIP = tostring(Entities.Address)
| where isnotempty(EntityIP)
| summarize
    Alert_Count      = count(),
    Alert_Names      = make_set(AlertName, 5),
    Alert_Products   = make_set(ProductName, 5),
    Alert_Severity   = make_set(AlertSeverity, 3),
    Alert_FirstSeen  = min(TimeGenerated)
  by EntityIP
| join kind=inner NetskopeBlocks on $left.EntityIP == $right.NK_SrcIP
| project
    NK_SrcIP, NK_BlockCount, NK_DestDomains, NK_Categories,
    NK_MalwareNames, NK_Users,
    Alert_Count, Alert_Names, Alert_Products, Alert_Severity,
    NK_FirstSeen, Alert_FirstSeen
| order by NK_BlockCount desc, Alert_Count desc

Explanation

This query is designed to identify potential security threats by cross-referencing data from two sources: Netskope and Microsoft Defender or Sentinel. Here's a simplified breakdown of what it does:

  1. Purpose: The query aims to find instances where Netskope has blocked malicious or command-and-control (C2) requests and there are concurrent security alerts from Microsoft Defender or Sentinel for the same source IP address. This dual-source corroboration increases confidence in identifying an active compromise.

  2. Data Sources:

    • Netskope: It looks for blocked actions related to malware, phishing, botnets, command and control, ransomware, cryptomining, and spyware/adware within the last day.
    • Microsoft Defender/Sentinel: It checks for security alerts with high or medium severity within the last day.
  3. Process:

    • It gathers data on blocked requests from Netskope, including details like the number of blocks, destination domains, categories, malware names, users, and the first time the block was seen.
    • It collects security alerts from Microsoft Defender/Sentinel, including the count of alerts, alert names, products involved, severity, and the first time the alert was seen.
    • The query then matches these two datasets based on the source IP address.
  4. Output:

    • The result is a list of source IPs that have both Netskope blocks and Microsoft security alerts, along with detailed information about each.
    • The results are sorted by the number of Netskope blocks and security alerts.
  5. Alert and Incident Management:

    • If a match is found, an alert is generated with a display name indicating the number of blocks and alerts for the IP.
    • An incident is created for each matched IP, and incidents can be grouped by IP address.
  6. Severity and Techniques:

    • The query is marked with high severity and is associated with MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1078 (Valid Accounts), indicating tactics related to command and control and defense evasion.

In summary, this query is a proactive security measure to detect and confirm potential compromises by correlating network activity and security alerts from different sources.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CLSecurityAlert

Keywords

NetskopeSecurityAlertMicrosoftDefenderSentinelIPAddressDomainUserMalwarePhishingBotnetCommandAndControlRansomwareCryptominingSpywareAdwareAlertNameProductNameAlertSeverity

Operators

letdatatableunionisfuzzyagoinhas_anyisnotemptysummarizecountmake_setminbymv-expandtodynamicextendtostringjoinkindonprojectorder bydesc

Severity

High

Tactics

CommandAndControlDefenseEvasion

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub