Query Details

58 NK BI ATP Sandbox Malicious File

Query

id: 7a8b9c0d-1e2f-4a3b-4c5d-6e7f8a9b0c14
name: "Netskope (Built-in) - ATP/Sandbox Malicious File Detection"
version: 1.0.0
kind: Scheduled
description: |
  Detects malicious files identified by Netskope ATP sandbox or inline malware scanning.
  Prioritizes allowed malware as a policy gap indicator. Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1105 (Ingress Tool Transfer), T1204.002 (Malicious File)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - CommandAndControl
relevantTechniques:
  - T1105
  - T1204
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(malware_name_s) or isnotempty(malware_type_s)
      or threat_name_s has_any ("malware", "trojan", "ransomware", "exploit", "worm", "adware")
  | where isnotempty(user_s)
  | summarize
      DetectionCount   = count(),
      UniqueFiles      = dcount(object_s),
      FileNames        = make_set(object_s, 10),
      FileTypes        = make_set(file_type_s, 10),
      MalwareNames     = make_set(malware_name_s, 10),
      MalwareTypes     = make_set(malware_type_s, 5),
      ThreatNames      = make_set(threat_name_s, 10),
      ActionsTaken     = make_set(action_s, 5),
      Domains          = make_set(domain_s, 10),
      Apps             = make_set(app_s, 5),
      Blocked          = countif(action_s in ("block", "Block", "blocked", "Blocked")),
      Allowed          = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by user_s, malware_name_s
  | order by Allowed desc, DetectionCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  DetectionCount: DetectionCount
  MalwareName: malware_name_s
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI Malware - {{malware_name_s}} ({{user_s}})"
  alertDescriptionFormat: "{{DetectionCount}} detections of {{malware_name_s}} for user {{user_s}}. Allowed: {{Allowed}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is part of a scheduled detection rule designed to identify malicious files detected by Netskope's Advanced Threat Protection (ATP) sandbox or inline malware scanning. Here's a simplified breakdown of what it does:

  1. Purpose: The query aims to detect malicious files and prioritize those that were allowed through, indicating potential policy gaps.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which logs events related to Netskope's security services.

  3. Frequency and Period: The query runs every 15 minutes and looks back over the past day (24 hours) for relevant data.

  4. Detection Logic:
    • It checks for events within the last day that have non-empty fields for malware names or types, or contain threat names like "malware," "trojan," "ransomware," etc.
    • It focuses on events where a user is specified.
    • It summarizes the data by counting detections, unique files, and various attributes like file names, types, malware names, and actions taken.
    • It distinguishes between actions that were blocked and those that were allowed.

  5. Output: The results are ordered by the number of allowed actions and detection counts, highlighting potential security gaps.

  6. Alerting:
    • Alerts are generated with a display name format that includes the malware name and user.
    • The alert description includes the number of detections and how many were allowed.
    • Incidents are created for these alerts, with grouping enabled by user account to consolidate related alerts.

  7. MITRE ATT&CK Mapping: The query is associated with techniques T1105 (Ingress Tool Transfer) and T1204.002 (Malicious File), indicating the types of threats it is designed to detect.

Overall, this query helps security teams identify and respond to malicious file detections, especially those that might have been allowed through existing security policies.
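To check the rule's filter and aggregation semantics offline, the following added Python example (not part of the rule, the Netskope connector, or this page's author's work) re-implements the where and summarize steps over constructed Netskope-style events. It also surfaces two edge cases the prose does not spell out: KQL `in` is case-sensitive, so any action casing outside the rule's four literal values is counted as Allowed (the hypothetical `case_insensitive` flag models swapping `in` for `in~`), and an event matched only through `threat_name_s` lands in a group whose `malware_name_s` key is empty.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry); keys mirror the NetskopeEvents_CL columns the rule reads, with TimeGenerated shortened to "ts".
SAMPLE_EVENTS = [
    {"ts": "2026-04-16T08:00:00Z", "user_s": "alice@example.com", "malware_name_s": "Gen:Trojan.Agent",
     "malware_type_s": "trojan", "threat_name_s": "", "action_s": "block", "object_s": "invoice.exe"},
    {"ts": "2026-04-16T08:05:00Z", "user_s": "alice@example.com", "malware_name_s": "Gen:Trojan.Agent",
     "malware_type_s": "trojan", "threat_name_s": "", "action_s": "Blocked", "object_s": "invoice2.exe"},
    {"ts": "2026-04-16T09:00:00Z", "user_s": "bob@example.com", "malware_name_s": "Ransom.Locky",
     "malware_type_s": "ransomware", "threat_name_s": "", "action_s": "allow", "object_s": "doc.zip"},
    # "BLOCK" is not one of the rule's four literal values, so a case-sensitive `in` counts it as Allowed.
    {"ts": "2026-04-16T09:10:00Z", "user_s": "bob@example.com", "malware_name_s": "Ransom.Locky",
     "malware_type_s": "ransomware", "threat_name_s": "", "action_s": "BLOCK", "object_s": "doc2.zip"},
    # Empty user: dropped by `where isnotempty(user_s)`.
    {"ts": "2026-04-16T09:20:00Z", "user_s": "", "malware_name_s": "Adware.Generic",
     "malware_type_s": "adware", "threat_name_s": "", "action_s": "allow", "object_s": "setup.exe"},
    # Matched only via `threat_name_s has_any (...)`; malware_name_s is empty, so its group key is "".
    {"ts": "2026-04-16T10:00:00Z", "user_s": "carol@example.com", "malware_name_s": "",
     "malware_type_s": "", "threat_name_s": "Suspicious worm activity", "action_s": "alert", "object_s": "tool.bin"},
]

THREAT_TERMS = {"malware", "trojan", "ransomware", "exploit", "worm", "adware"}
BLOCK_VALUES = {"block", "Block", "blocked", "Blocked"}  # exactly the rule's list

def matches(ev):
    """Mirror the rule's where clauses (the ago(1d) window is omitted; all samples are in range)."""
    # has_any is a case-insensitive term match; approximated here as whole alphanumeric tokens.
    terms = set(re.findall(r"[a-z0-9]+", ev["threat_name_s"].lower()))
    threat_hit = bool(terms & THREAT_TERMS)
    return bool(ev["malware_name_s"] or ev["malware_type_s"] or threat_hit) and bool(ev["user_s"])

def summarize(events, case_insensitive=False):
    """Aggregate by (user_s, malware_name_s), ordered by Allowed desc then DetectionCount desc.
    case_insensitive=True is a hypothetical switch modelling `in~` instead of the rule's `in`."""
    groups = defaultdict(lambda: {"DetectionCount": 0, "Files": set(), "Blocked": 0, "Allowed": 0,
                                  "FirstSeen": None, "LastSeen": None})
    for ev in filter(matches, events):
        g = groups[(ev["user_s"], ev["malware_name_s"])]
        g["DetectionCount"] += 1
        g["Files"].add(ev["object_s"])
        if case_insensitive:
            blocked = ev["action_s"].lower() in {"block", "blocked"}
        else:
            blocked = ev["action_s"] in BLOCK_VALUES
        g["Blocked" if blocked else "Allowed"] += 1
        g["FirstSeen"], g["LastSeen"] = min(g["FirstSeen"] or ev["ts"], ev["ts"]), max(g["LastSeen"] or ev["ts"], ev["ts"])
    rows = [{"user_s": u, "malware_name_s": m, "UniqueFiles": len(g["Files"]), **g} for (u, m), g in groups.items()]
    return sorted(rows, key=lambda r: (-r["Allowed"], -r["DetectionCount"]))
```

Running `summarize(SAMPLE_EVENTS)` ranks bob first with Allowed=2 because of the "BLOCK" casing; with `case_insensitive=True` that same event counts as Blocked, which is the behaviour an `in~` comparison would give.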

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope, Events, File, Detection, Malware, User, Domain, Application, Account

Operators

let, datatable, union, isfuzzy, where, ago, isnotempty, has_any, summarize, count, dcount, make_set, countif, min, max, by, order by, desc
