Query Details

Netskope (Built-in) - Threat Intelligence Domain/IP Correlation

54 NK BI Threat Intelligence Domain IP Match

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let TI_IOCs =
    ThreatIntelIndicators
    | where TimeGenerated > ago(30d)
    | where isempty(ValidUntil) or ValidUntil > now()
    | where (isnotnull(parse_ipv4(ObservableValue)) or ObservableKey has "domain")
    | where isnotempty(ObservableValue)
    | summarize
        TI_ThreatTypes = make_set(Tags),
        TI_Confidence  = max(Confidence),
        TI_Tags        = make_set(Tags)
      by IOC_Value = ObservableValue;
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where isnotempty(domain_s) or isnotempty(dstip_s)
| extend MatchKey = coalesce(domain_s, tostring(dstip_s))
| summarize
    RequestCount     = count(),
    UniqueUsers      = dcount(user_s),
    UserList         = make_set(user_s, 10),
    BytesRecv        = sum(todouble(bytes_downloaded_d)),
    BytesSent        = sum(todouble(bytes_uploaded_d)),
    Apps             = make_set(app_s, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by MatchKey, domain_s, dstip_s
| join kind=inner TI_IOCs on $left.MatchKey == $right.IOC_Value
| project
    MatchKey, domain_s, dstip_s,
    RequestCount, UniqueUsers, UserList,
    BytesRecv, BytesSent, Apps,
    TI_ThreatTypes, TI_Confidence, TI_Tags,
    FirstSeen, LastSeen
| order by TI_Confidence desc, RequestCount desc

Explanation

This query is part of a scheduled task designed to detect potentially malicious network activity by correlating Netskope allowed traffic with threat intelligence indicators from Microsoft Sentinel. Here's a simple breakdown of what it does:

  1. Purpose: It checks if any allowed network traffic (that wasn't blocked) is connecting to known malicious domains or IP addresses. This helps identify threats that might have bypassed security measures.

  2. Data Sources:

    • It uses data from the NetskopeEvents_CL table, which contains logs of network events.
    • It also uses threat intelligence data from the ThreatIntelIndicators table to identify known malicious domains and IPs.
  3. Process:

    • The query looks at traffic from the past day (P1D) and checks it against threat intelligence data from the past 30 days.
    • It filters out traffic that was blocked and focuses on allowed traffic.
    • It matches the domains or IPs from the Netskope data with those in the threat intelligence feed.
    • It summarizes the findings, including the number of requests, unique users involved, data transferred, and applications used.
  4. Output:

    • The results include details like the domain or IP involved, the number of requests, the confidence level of the threat intelligence match, and when the activity was first and last seen.
    • The results are sorted by the confidence level of the threat intelligence match and the number of requests.
  5. Alerts and Incidents:

    • If a match is found, an alert is generated with details about the domain or IP and the confidence level of the threat intelligence match.
    • An incident is created if the alert criteria are met, and similar incidents can be grouped together based on DNS entities.
  6. Severity and Techniques:

    • The severity of this detection is marked as "High".
    • It is associated with MITRE ATT&CK techniques T1071 (Application Layer Protocol) and T1568 (Dynamic Resolution), which are related to command and control tactics.

Overall, this query helps security teams identify and respond to potential threats by leveraging threat intelligence to monitor allowed traffic that might be connecting to malicious infrastructure.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CLThreatIntelIndicators

Keywords

NetskopeThreatIntelligenceDomainIPTrafficIndicatorsDNSUserApplications

Operators

datatableletThreatIntelIndicatorswhereisemptyisnotnullparse_ipv4hasisnotemptysummarizemake_setmaxunionisfuzzyagocoalescetostringcountdcountsumtodoubleminjoinkindonprojectorder bydesc

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub