Query Details

Netskope (Built-in) - ATP/Sandbox Malicious File Detection

58 NK BI ATP Sandbox Malicious File

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(malware_name_s) or isnotempty(malware_type_s)
    or threat_name_s has_any ("malware", "trojan", "ransomware", "exploit", "worm", "adware")
| where isnotempty(user_s)
| summarize
    DetectionCount   = count(),
    UniqueFiles      = dcount(object_s),
    FileNames        = make_set(object_s, 10),
    FileTypes        = make_set(file_type_s, 10),
    MalwareNames     = make_set(malware_name_s, 10),
    MalwareTypes     = make_set(malware_type_s, 5),
    ThreatNames      = make_set(threat_name_s, 10),
    ActionsTaken     = make_set(action_s, 5),
    Domains          = make_set(domain_s, 10),
    Apps             = make_set(app_s, 5),
    Blocked          = countif(action_s in ("block", "Block", "blocked", "Blocked")),
    Allowed          = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by user_s, malware_name_s
| order by Allowed desc, DetectionCount desc

Explanation

This query is part of a scheduled detection rule designed to identify malicious files detected by Netskope's Advanced Threat Protection (ATP) sandbox or inline malware scanning. Here's a simplified breakdown of what it does:

  1. Purpose: The query aims to detect malicious files and prioritize those that were allowed through, indicating potential policy gaps.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which logs events related to Netskope's security services.

  3. Frequency and Period: The query runs every 15 minutes and looks back over the past day (24 hours) for relevant data.

  4. Detection Logic:

    • It checks for events within the last day that have non-empty fields for malware names or types, or contain threat names like "malware," "trojan," "ransomware," etc.
    • It focuses on events where a user is specified.
    • It summarizes the data by counting detections, unique files, and various attributes like file names, types, malware names, and actions taken.
    • It distinguishes between actions that were blocked and those that were allowed.
  5. Output: The results are ordered by the number of allowed actions and detection counts, highlighting potential security gaps.

  6. Alerting:

    • Alerts are generated with a display name format that includes the malware name and user.
    • The alert description includes the number of detections and how many were allowed.
    • Incidents are created for these alerts, with grouping enabled by user account to consolidate related alerts.
  7. MITRE ATT&CK Mapping: The query is associated with techniques T1105 (Ingress Tool Transfer) and T1204.002 (Malicious File), indicating the types of threats it is designed to detect.

Overall, this query helps security teams identify and respond to malicious file detections, especially those that might have been allowed through existing security policies.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsFileDetectionMalwareUserDomainApplicationAccount

Operators

letdatatableunionisfuzzywhereagoisnotemptyhas_anysummarizecountdcountmake_setcountifminmaxbyorder bydesc

Severity

High

Tactics

ExecutionCommandAndControl

MITRE Techniques

Frequency: PT15M

Period: P1D

Actions

GitHub