Netskope (Built-in) - High-Confidence Threat Allowed Through
57 NK BI High Confidence Threat Allowed
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where severity_s in ("high", "critical")
or isnotempty(malware_name_s)
or isnotempty(threat_name_s)
| where isnotempty(user_s)
| summarize
RequestCount = count(),
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 20),
Domains = make_set(domain_s, 10),
ThreatNames = make_set(threat_name_s, 10),
MalwareNames = make_set(malware_name_s, 10),
Categories = make_set(category_s, 5),
Severities = make_set(severity_s, 5),
TotalBytesRecv = sum(todouble(bytes_downloaded_d)),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by domain_s, severity_s
| extend TotalMBRecv = round(toreal(TotalBytesRecv) / 1048576, 2)
| order by RequestCount descExplanation
This query is designed to detect potentially dangerous network traffic that has been allowed through a security system, specifically using data from Netskope. Here's a simplified breakdown:
-
Purpose: The query identifies traffic that has been allowed despite having high or critical threat levels or known malware, which might indicate security policy gaps or misconfigurations.
-
Data Source: It uses the
NetskopeEvents_CLtable, which contains logs of network events captured by Netskope. -
Frequency and Period: The query runs every 15 minutes and looks at data from the past day.
-
Severity: The alert generated by this query is considered high severity.
-
Detection Logic:
- It filters out events that are not blocked and have either a high/critical severity or are associated with known malware or threats.
- It focuses on events with a user associated with them.
- It summarizes the data by counting requests, unique users, and other details like domains, threat names, and malware names.
- It calculates the total data received in megabytes and orders the results by the number of requests.
-
Alert and Incident Configuration:
- An alert is generated with a custom display name and description, highlighting the domain and severity.
- If an alert is triggered, an incident is created, and similar alerts are grouped together based on the DNS entity.
-
MITRE ATT&CK Techniques: The query is associated with techniques T1071 (Application Layer Protocol) and T1204 (User Execution), which relate to how threats might communicate or execute.
Overall, this query helps security teams identify and respond to potentially harmful traffic that has been allowed through their network, ensuring they can address any policy issues or misconfigurations.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: P1D