Netskope (Built-in) - Threat Intelligence Domain/IP Correlation
54 NK BI Threat Intelligence Domain IP Match
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let TI_IOCs =
ThreatIntelIndicators
| where TimeGenerated > ago(30d)
| where isempty(ValidUntil) or ValidUntil > now()
| where (isnotnull(parse_ipv4(ObservableValue)) or ObservableKey has "domain")
| where isnotempty(ObservableValue)
| summarize
TI_ThreatTypes = make_set(Tags),
TI_Confidence = max(Confidence),
TI_Tags = make_set(Tags)
by IOC_Value = ObservableValue;
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where isnotempty(domain_s) or isnotempty(dstip_s)
| extend MatchKey = coalesce(domain_s, tostring(dstip_s))
| summarize
RequestCount = count(),
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 10),
BytesRecv = sum(todouble(bytes_downloaded_d)),
BytesSent = sum(todouble(bytes_uploaded_d)),
Apps = make_set(app_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by MatchKey, domain_s, dstip_s
| join kind=inner TI_IOCs on $left.MatchKey == $right.IOC_Value
| project
MatchKey, domain_s, dstip_s,
RequestCount, UniqueUsers, UserList,
BytesRecv, BytesSent, Apps,
TI_ThreatTypes, TI_Confidence, TI_Tags,
FirstSeen, LastSeen
| order by TI_Confidence desc, RequestCount descExplanation
This query is part of a scheduled task designed to detect potentially malicious network activity by correlating Netskope allowed traffic with threat intelligence indicators from Microsoft Sentinel. Here's a simple breakdown of what it does:
-
Purpose: It checks if any allowed network traffic (that wasn't blocked) is connecting to known malicious domains or IP addresses. This helps identify threats that might have bypassed security measures.
-
Data Sources:
- It uses data from the
NetskopeEvents_CLtable, which contains logs of network events. - It also uses threat intelligence data from the
ThreatIntelIndicatorstable to identify known malicious domains and IPs.
- It uses data from the
-
Process:
- The query looks at traffic from the past day (
P1D) and checks it against threat intelligence data from the past 30 days. - It filters out traffic that was blocked and focuses on allowed traffic.
- It matches the domains or IPs from the Netskope data with those in the threat intelligence feed.
- It summarizes the findings, including the number of requests, unique users involved, data transferred, and applications used.
- The query looks at traffic from the past day (
-
Output:
- The results include details like the domain or IP involved, the number of requests, the confidence level of the threat intelligence match, and when the activity was first and last seen.
- The results are sorted by the confidence level of the threat intelligence match and the number of requests.
-
Alerts and Incidents:
- If a match is found, an alert is generated with details about the domain or IP and the confidence level of the threat intelligence match.
- An incident is created if the alert criteria are met, and similar incidents can be grouped together based on DNS entities.
-
Severity and Techniques:
- The severity of this detection is marked as "High".
- It is associated with MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1568 (Dynamic Resolution), which are related to command and control tactics.
Overall, this query helps security teams identify and respond to potential threats by leveraging threat intelligence to monitor allowed traffic that might be connecting to malicious infrastructure.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D