Netskope (Built-in) - Blocked Request to Malicious / C2 Category
52 NK BI Malicious Category Blocks
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let MaliciousCategories = dynamic([
"Malware", "Phishing", "Botnet", "Command and Control",
"Spyware/Adware", "Ransomware", "Cryptomining",
"Newly Observed Domain", "Newly Registered Domain"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where action_s in ("block", "Block", "blocked", "Blocked")
| where category_s in (MaliciousCategories)
or severity_s in ("high", "critical")
or isnotempty(malware_name_s)
| summarize
BlockCount = count(),
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 20),
DestDomains = make_set(domain_s, 20),
DestIPs = make_set(dstip_s, 10),
Categories = make_set(category_s, 10),
MalwareNames = make_set(malware_name_s, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by category_s, domain_s
| order by BlockCount descExplanation
This query is designed to detect and alert on blocked web requests that are categorized as malicious by Netskope, a cloud security platform. Here's a simple breakdown of what the query does:
-
Purpose: It identifies web requests that have been blocked by Netskope because they are associated with malware, phishing, botnets, command-and-control (C2) activities, or other malicious activities.
-
Data Source: The query uses data from the
NetskopeEvents_CLtable, which is part of the Netskope Content Hub data connector. -
Detection Criteria:
- It looks for events from the past day (
1d) where the action taken was "block" and the category of the request is one of several malicious types (e.g., Malware, Phishing, Botnet). - It also considers events with high or critical severity or those that have a non-empty malware name.
- It looks for events from the past day (
-
Output: The query summarizes the results by counting the number of blocked requests, identifying unique users involved, and listing the domains and IPs targeted. It also captures the first and last time these events were seen.
-
Alerting: If any such blocked requests are detected, an alert is generated with details about the category of the threat and the number of attempts. The alert is configured to create an incident if triggered.
-
Frequency: The query runs every 15 minutes and looks back over the past day to check for any new blocked requests.
-
Severity and Tactics: The severity of the alert is marked as high, and it is associated with the MITRE ATT&CK tactic of Command and Control (T1071).
-
Incident Management: The query is set up to create incidents in a security management system, with options for grouping related alerts into a single incident.
Overall, this query helps security teams quickly identify and respond to potential threats by monitoring for blocked malicious web requests.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: PT15M
Period: P1D