Query Details

54 NK BI Threat Intelligence Domain IP Match

Query

id: 3c4d5e6f-7a8b-4c9d-0e1f-2a3b4c5d6e70
name: "Netskope (Built-in) - Threat Intelligence Domain/IP Correlation"
version: 1.0.0
kind: Scheduled
description: |
  Correlates Netskope allowed traffic against Sentinel TI feed indicators to detect
  connections to known-malicious infrastructure that bypassed block policies.
  Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1071 (Application Layer Protocol), T1568 (Dynamic Resolution)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
  - T1568
query: |
  // Empty, fully typed table so the union below parses even before NetskopeEvents_CL exists
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  // Domain and IPv4 indicators ingested in the last 30 days that have not expired, one row per value
  let TI_IOCs =
      ThreatIntelIndicators
      | where TimeGenerated > ago(30d)
      | where isempty(ValidUntil) or ValidUntil > now()
      | where (isnotnull(parse_ipv4(ObservableValue)) or ObservableKey has "domain")
      | where isnotempty(ObservableValue)
      | summarize
          TI_ThreatTypes = make_set(Tags),
          TI_Confidence  = max(Confidence),
          TI_Tags        = make_set(Tags)
        by IOC_Value = ObservableValue;
  // Netskope traffic from the last day that was not blocked, keyed on domain with destination IP as fallback
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where action_s !in ("block", "Block", "blocked", "Blocked")
  | where isnotempty(domain_s) or isnotempty(dstip_s)
  | extend MatchKey = coalesce(domain_s, tostring(dstip_s))
  | summarize
      RequestCount     = count(),
      UniqueUsers      = dcount(user_s),
      UserList         = make_set(user_s, 10),
      BytesRecv        = sum(todouble(bytes_downloaded_d)),
      BytesSent        = sum(todouble(bytes_uploaded_d)),
      Apps             = make_set(app_s, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by MatchKey, domain_s, dstip_s
  // Exact string match against the indicator value; unmatched keys are dropped by the inner join
  | join kind=inner TI_IOCs on $left.MatchKey == $right.IOC_Value
  | project
      MatchKey, domain_s, dstip_s,
      RequestCount, UniqueUsers, UserList,
      BytesRecv, BytesSent, Apps,
      TI_ThreatTypes, TI_Confidence, TI_Tags,
      FirstSeen, LastSeen
  | order by TI_Confidence desc, RequestCount desc
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: dstip_s
customDetails:
  RequestCount: RequestCount
  TI_Confidence: TI_Confidence
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI TI Match - {{MatchKey}} (Confidence: {{TI_Confidence}})"
  alertDescriptionFormat: "Allowed traffic to TI-listed {{MatchKey}} with {{RequestCount}} requests. Confidence: {{TI_Confidence}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - DNS
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is a scheduled analytics rule that detects potentially malicious network activity by correlating Netskope allowed traffic with threat intelligence indicators in Microsoft Sentinel. A breakdown of what it does:

  1. Purpose: It checks whether any allowed network traffic (traffic that was not blocked) connected to domains or IP addresses listed in the threat intelligence feed. This surfaces connections to known-malicious infrastructure that bypassed block policies.

  2. Data Sources:
    • NetskopeEvents_CL, the built-in Netskope events table, which holds the traffic logs.
    • ThreatIntelIndicators, the Sentinel threat intelligence table, which supplies the known-malicious domains and IPs.

  3. Process:
    • The query looks at Netskope traffic from the past day (queryPeriod P1D) and at indicators ingested in the past 30 days that have not expired (ValidUntil is empty or in the future); only domain and IPv4 indicators are kept.
    • It drops events whose action is block or blocked and keeps the allowed traffic.
    • It builds a match key from the domain, falling back to the destination IP when the domain is empty, and joins it against the indicator values with an exact string match.
    • It summarizes the matches per key: number of requests, unique users (up to 10 listed), bytes sent and received, applications used (up to 5), and first and last seen times.

  4. Output:
    • Each result row carries the domain or IP involved, the request count, the users and applications, the confidence level and tags of the threat intelligence match, and when the activity was first and last seen.
    • Results are sorted by threat intelligence confidence, then by request count, both descending.

  5. Alerts and Incidents:
    • Each match generates an alert whose title and description carry the matched domain or IP, the request count, and the confidence level of the threat intelligence match.
    • An incident is created for each alert, and alerts that share the same DNS entity within a 6-hour lookback are grouped into one incident; closed incidents are not reopened.

  6. Severity and Techniques:
    • The severity of this detection is "High".
    • It is associated with MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1568 (Dynamic Resolution), both under the Command and Control tactic.

Overall, this query helps security teams identify and respond to potential threats by applying threat intelligence to allowed traffic and flagging connections to listed malicious infrastructure.
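To make the correlation steps concrete, the following is an added example, not part of the rule or this page: a plain-Python re-implementation of the same logic (TI window and expiry filter, domain-or-IP key, block-action exclusion, per-key aggregation, inner join, ordering) run over constructed sample rows. The `TI_ROWS` and `NETSKOPE_ROWS` data, the fixed `NOW` timestamp, and the helper names `_ti`, `_ev`, `build_ti_iocs` and `correlate` are all constructed for this illustration; the column names follow the rule's own query. The sample deliberately includes the edge cases the KQL handles implicitly: a blocked event, an expired indicator, an indicator older than 30 days, a URL indicator (neither domain nor IPv4), an event outside the one-day window, an IP-only event, and a subdomain of a listed domain, which does not match because the join is an exact string comparison.

```python
"""Plain-Python mirror of the rule's correlation logic (added example, not the rule's KQL).
All rows and the reference time are constructed test data."""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)   # constructed stand-in for now()
BLOCK_ACTIONS = {"block", "Block", "blocked", "Blocked"}    # the rule's exclusion list


def _ti(days_ago, key, value, confidence, tags, valid_until=None):
    """Build a constructed ThreatIntelIndicators row (hypothetical helper)."""
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "ObservableKey": key,
            "ObservableValue": value, "Confidence": confidence, "Tags": tags,
            "ValidUntil": valid_until}


TI_ROWS = [  # constructed indicators; ObservableKey follows the table's STIX-style keys
    _ti(2, "domain-name:value", "bad.example", 85, ["c2"]),
    _ti(5, "ipv4-addr:value", "203.0.113.7", 60, ["scanner"], NOW + timedelta(days=1)),
    _ti(1, "domain-name:value", "expired.example", 90, ["phish"], NOW - timedelta(hours=1)),
    _ti(45, "domain-name:value", "old.example", 95, ["c2"]),       # older than the 30d window
    _ti(3, "url:value", "http://bad.example/x", 70, ["c2"]),        # neither IPv4 nor domain key
]


def _ev(hours_ago, user, domain, dstip, action, down, up, app):
    """Build a constructed NetskopeEvents_CL row with only the columns the rule reads."""
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "user_s": user,
            "domain_s": domain, "dstip_s": dstip, "action_s": action,
            "bytes_downloaded_d": down, "bytes_uploaded_d": up, "app_s": app}


NETSKOPE_ROWS = [  # constructed traffic events
    _ev(1, "alice", "bad.example", "198.51.100.5", "allow", 1000, 200, "Web"),
    _ev(2, "bob", "bad.example", "198.51.100.5", "alert", 500, 100, "Web"),
    _ev(3, "carol", "", "203.0.113.7", "allow", 50, 10, "Unknown"),                # IP-only event
    _ev(4, "dave", "bad.example", "198.51.100.5", "block", 0, 0, "Web"),            # blocked: excluded
    _ev(5, "erin", "expired.example", "198.51.100.9", "allow", 10, 10, "Web"),      # indicator expired
    _ev(6, "frank", "old.example", "198.51.100.8", "allow", 10, 10, "Web"),         # indicator too old
    _ev(48, "gina", "bad.example", "198.51.100.5", "allow", 10, 10, "Web"),         # outside the 1d window
    _ev(7, "hal", "sub.bad.example", "198.51.100.5", "allow", 10, 10, "Web"),       # subdomain: no exact match
]


def is_ipv4(value):
    """Stand-in for isnotnull(parse_ipv4(value))."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def build_ti_iocs(rows, now=NOW):
    """Mirror of the TI_IOCs subquery: 30-day window, unexpired, IPv4 or domain, one entry per value."""
    acc = defaultdict(lambda: {"tags": set(), "conf": []})
    for r in rows:
        if r["TimeGenerated"] <= now - timedelta(days=30):
            continue
        if r["ValidUntil"] is not None and r["ValidUntil"] <= now:
            continue
        # `ObservableKey has "domain"` is a term match, so split the key into terms first
        terms = re.findall(r"[a-z0-9]+", r["ObservableKey"].lower())
        if not (is_ipv4(r["ObservableValue"]) or "domain" in terms) or not r["ObservableValue"]:
            continue
        acc[r["ObservableValue"]]["tags"].update(r["Tags"])
        acc[r["ObservableValue"]]["conf"].append(r["Confidence"])
    return {v: {"TI_Tags": sorted(e["tags"]), "TI_Confidence": max(e["conf"])} for v, e in acc.items()}


def correlate(events, ti_rows, now=NOW):
    """Mirror of the main query: keep allowed traffic, aggregate per MatchKey, inner-join to TI, sort."""
    iocs = build_ti_iocs(ti_rows, now)
    groups = defaultdict(list)
    for ev in events:
        if ev["TimeGenerated"] <= now - timedelta(days=1) or ev["action_s"] in BLOCK_ACTIONS:
            continue
        if not (ev["domain_s"] or ev["dstip_s"]):
            continue
        match_key = ev["domain_s"] or ev["dstip_s"]   # coalesce(): first non-empty string
        groups[(match_key, ev["domain_s"], ev["dstip_s"])].append(ev)   # same by-clause as the rule
    results = []
    for (key, domain, dstip), evs in groups.items():
        if key not in iocs:          # join kind=inner drops unmatched groups
            continue
        users = {e["user_s"] for e in evs}
        results.append({
            "MatchKey": key, "domain_s": domain, "dstip_s": dstip,
            "RequestCount": len(evs), "UniqueUsers": len(users), "UserList": sorted(users)[:10],
            "BytesRecv": float(sum(e["bytes_downloaded_d"] for e in evs)),
            "BytesSent": float(sum(e["bytes_uploaded_d"] for e in evs)),
            "Apps": sorted({e["app_s"] for e in evs})[:5],
            "FirstSeen": min(e["TimeGenerated"] for e in evs),
            "LastSeen": max(e["TimeGenerated"] for e in evs),
            **iocs[key],
        })
    results.sort(key=lambda r: (-r["TI_Confidence"], -r["RequestCount"]))
    return results


if __name__ == "__main__":
    for row in correlate(NETSKOPE_ROWS, TI_ROWS):
        print(row["MatchKey"], row["RequestCount"], row["UniqueUsers"], row["TI_Confidence"], row["TI_Tags"])
```

Running it yields two rows, `bad.example` (two requests, two users, confidence 85) and `203.0.113.7` (one IP-only request, confidence 60); the blocked, expired, stale, out-of-window and subdomain events all fall away. Two behaviours of the rule are worth noticing here: the `by MatchKey, domain_s, dstip_s` grouping means one listed domain that resolves to several destination IPs produces one result row per IP, and the exact-match join means a TI entry for a parent domain never covers its subdomains.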

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL, ThreatIntelIndicators

Keywords

Netskope, Threat Intelligence, Domain, IP, Traffic, Indicators, DNS, IP, User, Applications

Operators

datatable, let, ThreatIntelIndicators, where, isempty, isnotnull, parse_ipv4, has, isnotempty, summarize, make_set, max, union, isfuzzy, ago, coalesce, tostring, count, dcount, make_set, sum, todouble, min, max, join, kind, on, project, order by, desc