Query Details

Netskope (Built-in) - High-Confidence Threat Allowed Through

57 NK BI High Confidence Threat Allowed

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where severity_s in ("high", "critical")
    or isnotempty(malware_name_s)
    or isnotempty(threat_name_s)
| where isnotempty(user_s)
| summarize
    RequestCount     = count(),
    UniqueUsers      = dcount(user_s),
    UserList         = make_set(user_s, 20),
    Domains          = make_set(domain_s, 10),
    ThreatNames      = make_set(threat_name_s, 10),
    MalwareNames     = make_set(malware_name_s, 10),
    Categories       = make_set(category_s, 5),
    Severities       = make_set(severity_s, 5),
    TotalBytesRecv   = sum(todouble(bytes_downloaded_d)),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by domain_s, severity_s
| extend TotalMBRecv = round(toreal(TotalBytesRecv) / 1048576, 2)
| order by RequestCount desc

Explanation

This query is designed to detect potentially dangerous network traffic that has been allowed through a security system, specifically using data from Netskope. Here's a simplified breakdown:

  • Purpose: The query identifies traffic that has been allowed despite having high or critical threat levels or known malware, which might indicate security policy gaps or misconfigurations.

  • Data Source: It uses the NetskopeEvents_CL table, which contains logs of network events captured by Netskope.

  • Frequency and Period: The query runs every 15 minutes and looks at data from the past day.

  • Severity: The alert generated by this query is considered high severity.

  • Detection Logic:

    • It filters out events that are not blocked and have either a high/critical severity or are associated with known malware or threats.
    • It focuses on events with a user associated with them.
    • It summarizes the data by counting requests, unique users, and other details like domains, threat names, and malware names.
    • It calculates the total data received in megabytes and orders the results by the number of requests.
  • Alert and Incident Configuration:

    • An alert is generated with a custom display name and description, highlighting the domain and severity.
    • If an alert is triggered, an incident is created, and similar alerts are grouped together based on the DNS entity.
  • MITRE ATT&CK Techniques: The query is associated with techniques T1071 (Application Layer Protocol) and T1204 (User Execution), which relate to how threats might communicate or execute.

Overall, this query helps security teams identify and respond to potentially harmful traffic that has been allowed through their network, ensuring they can address any policy issues or misconfigurations.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsThreatSeverityMalwareUserDomainIPBytesApplicationURLDLPActivityFileObjectCountryAccessMethodTraffic

Operators

datatableunionisfuzzyagowhere!ininisnotemptysummarizecountdcountmake_setsumtodoubleminmaxbyextendroundtorealorder by

Severity

High

Tactics

CommandAndControlExecution

MITRE Techniques

Frequency: PT15M

Period: P1D

Actions

GitHub