Netskope (Built-in) - ATP/Sandbox Malicious File Detection
58 NK BI ATP Sandbox Malicious File
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(malware_name_s) or isnotempty(malware_type_s)
or threat_name_s has_any ("malware", "trojan", "ransomware", "exploit", "worm", "adware")
| where isnotempty(user_s)
| summarize
DetectionCount = count(),
UniqueFiles = dcount(object_s),
FileNames = make_set(object_s, 10),
FileTypes = make_set(file_type_s, 10),
MalwareNames = make_set(malware_name_s, 10),
MalwareTypes = make_set(malware_type_s, 5),
ThreatNames = make_set(threat_name_s, 10),
ActionsTaken = make_set(action_s, 5),
Domains = make_set(domain_s, 10),
Apps = make_set(app_s, 5),
Blocked = countif(action_s in ("block", "Block", "blocked", "Blocked")),
Allowed = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s, malware_name_s
| order by Allowed desc, DetectionCount descExplanation
This query is part of a scheduled detection rule designed to identify malicious files detected by Netskope's Advanced Threat Protection (ATP) sandbox or inline malware scanning. Here's a simplified breakdown of what it does:
-
Purpose: The query aims to detect malicious files and prioritize those that were allowed through, indicating potential policy gaps.
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which logs events related to Netskope's security services. -
Frequency and Period: The query runs every 15 minutes and looks back over the past day (24 hours) for relevant data.
-
Detection Logic:
- It checks for events within the last day that have non-empty fields for malware names or types, or contain threat names like "malware," "trojan," "ransomware," etc.
- It focuses on events where a user is specified.
- It summarizes the data by counting detections, unique files, and various attributes like file names, types, malware names, and actions taken.
- It distinguishes between actions that were blocked and those that were allowed.
-
Output: The results are ordered by the number of allowed actions and detection counts, highlighting potential security gaps.
-
Alerting:
- Alerts are generated with a display name format that includes the malware name and user.
- The alert description includes the number of detections and how many were allowed.
- Incidents are created for these alerts, with grouping enabled by user account to consolidate related alerts.
-
MITRE ATT&CK Mapping: The query is associated with techniques T1105 (Ingress Tool Transfer) and T1204.002 (Malicious File), indicating the types of threats it is designed to detect.
Overall, this query helps security teams identify and respond to malicious file detections, especially those that might have been allowed through existing security policies.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: P1D