Query Details

57 NK BI High Confidence Threat Allowed

Query

id: 6f7a8b9c-0d1e-4f2a-3b4c-5d6e7f8a9b03
name: "Netskope (Built-in) - High-Confidence Threat Allowed Through"
version: 1.0.0
kind: Scheduled
description: |
  Detects Netskope allowed traffic with high/critical threat severity or known malware
  detections, indicating policy gaps or misconfigurations. Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1071 (Application Layer Protocol), T1204 (User Execution)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - Execution
relevantTechniques:
  - T1071
  - T1204
query: |
  // Schema guard: an empty table with the expected columns, so the union below
  // still parses and returns no rows (instead of failing) while NetskopeEvents_CL
  // is not yet populated in the workspace.
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  // Normalise case once: KQL's in/!in are case-sensitive, so without this a
  // severity of "High" or an action of "BLOCKED" would be matched incorrectly.
  | extend action_s = tolower(action_s), severity_s = tolower(severity_s)
  // Keep only traffic Netskope did NOT block ...
  | where action_s !in ("block", "blocked")
  // ... that nevertheless carried a high/critical verdict or a named malware/threat detection.
  | where severity_s in ("high", "critical")
      or isnotempty(malware_name_s)
      or isnotempty(threat_name_s)
  // Require an attributable user so the result is actionable.
  | where isnotempty(user_s)
  // One row per destination domain and severity; Domains/Severities sets would be
  // single-valued here because they are the grouping keys, so they are not collected.
  | summarize
      RequestCount     = count(),
      UniqueUsers      = dcount(user_s),
      UserList         = make_set(user_s, 20),
      ThreatNames      = make_set(threat_name_s, 10),
      MalwareNames     = make_set(malware_name_s, 10),
      Categories       = make_set(category_s, 5),
      TotalBytesRecv   = sum(todouble(bytes_downloaded_d)),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by domain_s, severity_s
  | extend TotalMBRecv = round(toreal(TotalBytesRecv) / 1048576, 2)
  | order by RequestCount desc
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
customDetails:
  RequestCount: RequestCount
  Severity: severity_s
  ThreatNames: ThreatNames
  MalwareNames: MalwareNames
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI Threat Allowed - {{domain_s}} ({{severity_s}})"
  alertDescriptionFormat: "{{RequestCount}} request(s) to {{domain_s}} allowed through with Netskope threat severity {{severity_s}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - DNS
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This rule flags web traffic that Netskope inspected, rated as a high-confidence threat, and nevertheless let through. Here's a breakdown:

  • Purpose: Identify allowed traffic with a high or critical threat severity, or with a named malware or threat detection, which points to a policy gap or misconfiguration (for example, a threat-protection profile that alerts instead of blocks, or an exemption that is too broad).

  • Data Source: The NetskopeEvents_CL custom log table, populated by the Netskope data connector. The query starts from an empty datatable with the same columns and unions it with isfuzzy=true, so the rule validates and returns nothing, rather than erroring, before the table exists.

  • Frequency and Period: The query runs every 15 minutes over the previous 24 hours. Because the lookback is much longer than the run interval, the same event is re-evaluated by many consecutive runs; the rule relies on incident grouping (below) to fold those repeats into one incident rather than raising a new alert every 15 minutes.

  • Severity: Alerts are raised at High severity.

  • Detection Logic:

    • It excludes events whose action is a block, so only traffic that was allowed (or merely alerted on) remains.
    • Of those, it keeps events whose severity is high or critical, or that carry a non-empty malware name or threat name. KQL's in and !in operators are case-sensitive, so the comparison only holds if the connector's values are lower-cased first (tolower) or matched with in~; otherwise a severity spelled "High" is silently missed.
    • It drops events with no user attribution, since those cannot be acted on.
    • It groups the remainder by destination domain and severity, counting requests and distinct users and collecting the users, threat names, malware names and categories seen, together with total bytes downloaded and first/last seen timestamps.
    • It converts the downloaded bytes to megabytes and orders the rows by request count, so the most-contacted threat domain comes first.
  • Alert and Incident Configuration:

    • The alert display name and description carry the domain and severity; the request count and severity are exposed as custom details.
    • Each alert creates an incident. Alerts that share the same DNS entity (the domain) within a 6-hour lookback are grouped into one incident, and closed incidents are not reopened.
  • MITRE ATT&CK Techniques: The rule maps to T1071 (Application Layer Protocol), for malware communicating over allowed web protocols, and T1204 (User Execution), for a user fetching a malicious file or page.

Overall, this rule gives security teams a running list of threat destinations that Netskope recognised but did not stop, so the underlying policy can be corrected and the affected users in UserList can be followed up.
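To make the filter and grouping concrete, below is an added Python re-implementation of the rule's where/summarize/extend stages run over constructed NetskopeEvents_CL-style rows. This is example code written for this page, not part of the Sentinel rule or the Netskope connector; the events, users and example.com/.net/.org domains are fabricated. The `normalize_case` switch shows the case-sensitivity caveat: with a strict match (KQL's plain `in`), a severity spelled "High" is silently dropped.

```python
# Added example (not part of the Sentinel rule on this page): a Python
# re-implementation of the rule's KQL filter and summarize stages, run over
# constructed NetskopeEvents_CL-style rows so the matching logic can be
# exercised offline. Column names mirror the rule; every sample row is fabricated.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the ago(1d) window is reproducible.
NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)
MB = 1048576

# Constructed sample events (not real Netskope telemetry).
SAMPLE_EVENTS = [
    # allowed, high severity, named threat -> should match
    {"TimeGenerated": NOW - timedelta(minutes=5), "action_s": "allow", "severity_s": "high",
     "malware_name_s": "", "threat_name_s": "Trojan.Generic", "user_s": "alice@example.com",
     "domain_s": "bad.example.net", "bytes_downloaded_d": 2.0 * MB},
    # same domain, severity capitalised as "High" -> matches only if case is normalised
    {"TimeGenerated": NOW - timedelta(minutes=4), "action_s": "allow", "severity_s": "High",
     "malware_name_s": "", "threat_name_s": "", "user_s": "bob@example.com",
     "domain_s": "bad.example.net", "bytes_downloaded_d": 1.0 * MB},
    # blocked by policy -> excluded regardless of severity
    {"TimeGenerated": NOW - timedelta(minutes=3), "action_s": "Blocked", "severity_s": "critical",
     "malware_name_s": "Emotet", "threat_name_s": "", "user_s": "carol@example.com",
     "domain_s": "c2.example.org", "bytes_downloaded_d": 0.0},
    # low severity but a named malware detection that was not blocked -> matches
    {"TimeGenerated": NOW - timedelta(minutes=2), "action_s": "alert", "severity_s": "low",
     "malware_name_s": "Agent.Tesla", "threat_name_s": "", "user_s": "dave@example.com",
     "domain_s": "drop.example.com", "bytes_downloaded_d": 512.0},
    # no user attribution -> dropped by isnotempty(user_s)
    {"TimeGenerated": NOW - timedelta(minutes=1), "action_s": "allow", "severity_s": "critical",
     "malware_name_s": "", "threat_name_s": "", "user_s": "",
     "domain_s": "anon.example.com", "bytes_downloaded_d": 99.0},
    # outside the ago(1d) window -> dropped
    {"TimeGenerated": NOW - timedelta(days=2), "action_s": "allow", "severity_s": "critical",
     "malware_name_s": "", "threat_name_s": "Old.Threat", "user_s": "eve@example.com",
     "domain_s": "old.example.com", "bytes_downloaded_d": 10.0},
]

BLOCK_ACTIONS = {"block", "Block", "blocked", "Blocked"}   # as enumerated in the rule
HIGH_SEVERITIES = {"high", "critical"}


def is_candidate(ev, now=NOW, lookback=timedelta(days=1)):
    """Mirror the rule's where-clauses. True if the event reaches the summarize stage."""
    if ev["TimeGenerated"] <= now - lookback:                 # where TimeGenerated > ago(1d)
        return False
    if ev["action_s"] in BLOCK_ACTIONS:                       # where action_s !in (...)
        return False
    threat_indicated = (ev["severity_s"] in HIGH_SEVERITIES   # where severity_s in ("high","critical")
                        or bool(ev["malware_name_s"])         #    or isnotempty(malware_name_s)
                        or bool(ev["threat_name_s"]))         #    or isnotempty(threat_name_s)
    return threat_indicated and bool(ev["user_s"])            # where isnotempty(user_s)


def detect(events, normalize_case=True, now=NOW):
    """Mirror the summarize / extend / order stages.

    normalize_case=True lower-cases action_s and severity_s first (the equivalent of
    a tolower() extend or an in~ comparison in KQL); False reproduces a strict,
    case-sensitive 'in', which silently drops a severity spelled "High".
    """
    groups = defaultdict(lambda: {"RequestCount": 0, "Users": set(), "ThreatNames": set(),
                                  "MalwareNames": set(), "TotalBytesRecv": 0.0,
                                  "FirstSeen": None, "LastSeen": None})
    for ev in events:
        if normalize_case:
            ev = {**ev, "action_s": ev["action_s"].lower(), "severity_s": ev["severity_s"].lower()}
        if not is_candidate(ev, now=now):
            continue
        g = groups[(ev["domain_s"], ev["severity_s"])]        # summarize ... by domain_s, severity_s
        g["RequestCount"] += 1
        g["Users"].add(ev["user_s"])
        if ev["threat_name_s"]:                               # empty names skipped for readability
            g["ThreatNames"].add(ev["threat_name_s"])
        if ev["malware_name_s"]:
            g["MalwareNames"].add(ev["malware_name_s"])
        g["TotalBytesRecv"] += ev["bytes_downloaded_d"]
        t = ev["TimeGenerated"]
        g["FirstSeen"] = t if g["FirstSeen"] is None else min(g["FirstSeen"], t)
        g["LastSeen"] = t if g["LastSeen"] is None else max(g["LastSeen"], t)

    rows = []
    for (domain, severity), g in groups.items():
        rows.append({
            "Domain": domain, "Severity": severity,
            "RequestCount": g["RequestCount"],
            "UniqueUsers": len(g["Users"]),
            "UserList": sorted(g["Users"]),
            "ThreatNames": sorted(g["ThreatNames"]),
            "MalwareNames": sorted(g["MalwareNames"]),
            "TotalMBRecv": round(g["TotalBytesRecv"] / MB, 2),   # extend TotalMBRecv
            "FirstSeen": g["FirstSeen"], "LastSeen": g["LastSeen"],
        })
    rows.sort(key=lambda r: r["RequestCount"], reverse=True)    # order by RequestCount desc
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["Domain"], row["Severity"], row["RequestCount"], row["UserList"], row["TotalMBRecv"])
```

With case normalisation the two bad.example.net requests collapse into one row (2 requests, 2 users, 3.0 MB) and the low-severity Agent.Tesla download still surfaces because its malware name is populated; with `normalize_case=False` the "High" row vanishes and bad.example.net is under-counted, which is the failure mode to check for against your own connector's capitalisation.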

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope, Events, Threat, Severity, Malware, User, Domain, IP, Bytes, Application, URL, DLP, Activity, File, Object, Country, Access Method, Traffic

Operators

datatable, union, isfuzzy, ago, where, !in, in, isnotempty, summarize, count, dcount, make_set, sum, todouble, min, max, by, extend, round, toreal, order by
