Netskope (Built-in) + SecurityAlert Correlation - C2/Malware Corroboration
62 NK BI Security Alert Correlation
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let NetskopeBlocks =
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where action_s in ("block", "Block", "blocked", "Blocked")
| where category_s has_any (
"Malware", "Phishing", "Botnet", "Command and Control",
"Ransomware", "Cryptomining", "Spyware/Adware")
or isnotempty(malware_name_s)
| summarize
NK_BlockCount = count(),
NK_DestDomains = make_set(domain_s, 10),
NK_Categories = make_set(category_s, 5),
NK_MalwareNames = make_set(malware_name_s, 5),
NK_Users = make_set(user_s, 5),
NK_FirstSeen = min(TimeGenerated)
by NK_SrcIP = srcip_s;
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertSeverity in ("High", "Medium")
| mv-expand todynamic(Entities)
| extend EntityIP = tostring(Entities.Address)
| where isnotempty(EntityIP)
| summarize
Alert_Count = count(),
Alert_Names = make_set(AlertName, 5),
Alert_Products = make_set(ProductName, 5),
Alert_Severity = make_set(AlertSeverity, 3),
Alert_FirstSeen = min(TimeGenerated)
by EntityIP
| join kind=inner NetskopeBlocks on $left.EntityIP == $right.NK_SrcIP
| project
NK_SrcIP, NK_BlockCount, NK_DestDomains, NK_Categories,
NK_MalwareNames, NK_Users,
Alert_Count, Alert_Names, Alert_Products, Alert_Severity,
NK_FirstSeen, Alert_FirstSeen
| order by NK_BlockCount desc, Alert_Count descExplanation
This query is designed to enhance security monitoring by cross-referencing data from two sources: Netskope and Microsoft Defender/Sentinel. Here's a simplified breakdown:
-
Purpose: The query aims to identify potential threats by correlating Netskope's blocks of command-and-control (C2) or malware activities with security alerts from Defender/Sentinel that originate from the same IP address. This dual-source corroboration helps in confirming threats more reliably.
-
Data Sources:
- NetskopeEvents_CL: This table contains logs of blocked activities related to malware, phishing, botnets, etc., from Netskope.
- SecurityAlert: This table contains security alerts from Microsoft Defender/Sentinel.
-
Process:
-
Netskope Data: The query filters Netskope events from the last day where actions were blocked and categories include malware-related activities. It summarizes the data by counting blocks, listing domains, categories, malware names, users involved, and noting the first time the block was seen, grouped by source IP.
-
Security Alerts: It filters security alerts from the last day with high or medium severity. It expands the alert entities to extract IP addresses and summarizes the data by counting alerts, listing alert names, products, and severities, and noting the first time the alert was seen, grouped by IP.
-
-
Correlation: The query joins the summarized Netskope data with the security alerts based on matching source IP addresses. This helps in identifying IPs that have both Netskope blocks and security alerts.
-
Output: The results are ordered by the number of Netskope blocks and alert counts, providing a clear view of the most significant threats.
-
Alerting and Incident Management:
- An alert is generated for each correlated IP, with details on the number of Netskope blocks and security alerts.
- Incidents are created for these alerts, and similar incidents are grouped together based on the IP address to manage them efficiently.
This query is part of a scheduled task that runs every hour, looking back over the past day, to ensure timely detection and response to potential threats.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D