Query Details

62 NK BI Security Alert Correlation

Query

id: 1e2f3a4b-5c6d-4e7f-8a9b-0c1d2e3f4a58
name: "Netskope (Built-in) + SecurityAlert Correlation - C2/Malware Corroboration"
version: 1.0.0
kind: Scheduled
description: |
  Cross-correlates Netskope C2/malware blocks with Defender/Sentinel security alerts
  on the same source IP for dual-source threat corroboration.
  Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1071 (Application Layer Protocol), T1078 (Valid Accounts)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - DefenseEvasion
relevantTechniques:
  - T1071
  - T1078
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let NetskopeBlocks =
      union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
      | where TimeGenerated > ago(1d)
      | where action_s in ("block", "Block", "blocked", "Blocked")
      | where category_s has_any (
          "Malware", "Phishing", "Botnet", "Command and Control",
          "Ransomware", "Cryptomining", "Spyware/Adware")
          or isnotempty(malware_name_s)
      | summarize
          NK_BlockCount    = count(),
          NK_DestDomains   = make_set(domain_s, 10),
          NK_Categories    = make_set(category_s, 5),
          NK_MalwareNames  = make_set(malware_name_s, 5),
          NK_Users         = make_set(user_s, 5),
          NK_FirstSeen     = min(TimeGenerated)
        by NK_SrcIP = srcip_s;
  SecurityAlert
  | where TimeGenerated > ago(1d)
  | where AlertSeverity in ("High", "Medium")
  | mv-expand todynamic(Entities)
  | extend EntityIP = tostring(Entities.Address)
  | where isnotempty(EntityIP)
  | summarize
      Alert_Count      = count(),
      Alert_Names      = make_set(AlertName, 5),
      Alert_Products   = make_set(ProductName, 5),
      Alert_Severity   = make_set(AlertSeverity, 3),
      Alert_FirstSeen  = min(TimeGenerated)
    by EntityIP
  | join kind=inner NetskopeBlocks on $left.EntityIP == $right.NK_SrcIP
  | project
      NK_SrcIP, NK_BlockCount, NK_DestDomains, NK_Categories,
      NK_MalwareNames, NK_Users,
      Alert_Count, Alert_Names, Alert_Products, Alert_Severity,
      NK_FirstSeen, Alert_FirstSeen
  | order by NK_BlockCount desc, Alert_Count desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: NK_SrcIP
customDetails:
  NK_BlockCount: NK_BlockCount
  Alert_Count: Alert_Count
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI + Alert Correlation - {{NK_SrcIP}} ({{Alert_Count}} alerts)"
  alertDescriptionFormat: "IP {{NK_SrcIP}} has {{NK_BlockCount}} Netskope blocks and {{Alert_Count}} security alerts."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to enhance security monitoring by cross-referencing data from two sources: Netskope and Microsoft Defender/Sentinel. Here's a simplified breakdown:

  1. Purpose: The query aims to identify potential threats by correlating Netskope's blocks of command-and-control (C2) or malware activities with security alerts from Defender/Sentinel that originate from the same IP address. This dual-source corroboration helps in confirming threats more reliably.

  2. Data Sources:

    • NetskopeEvents_CL: This table contains logs of blocked activities related to malware, phishing, botnets, etc., from Netskope.
    • SecurityAlert: This table contains security alerts from Microsoft Defender/Sentinel.

  3. Process:

    • Netskope Data: The query filters Netskope events from the last day where actions were blocked and categories include malware-related activities. It summarizes the data by counting blocks, listing domains, categories, malware names, users involved, and noting the first time the block was seen, grouped by source IP.
    • Security Alerts: It filters security alerts from the last day with high or medium severity. It expands the alert entities to extract IP addresses and summarizes the data by counting alerts, listing alert names, products, and severities, and noting the first time the alert was seen, grouped by IP.

  4. Correlation: The query joins the summarized Netskope data with the security alerts based on matching source IP addresses. This helps in identifying IPs that have both Netskope blocks and security alerts.

  5. Output: The results are ordered by the number of Netskope blocks and alert counts, providing a clear view of the most significant threats.

  6. Alerting and Incident Management:

    • An alert is generated for each correlated IP, with details on the number of Netskope blocks and security alerts.
    • Incidents are created for these alerts, and similar incidents are grouped together based on the IP address to manage them efficiently.

This query is part of a scheduled task that runs every hour, looking back over the past day, to ensure timely detection and response to potential threats.
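To make the join behaviour concrete, the following Python re-implements the rule's filtering, entity expansion and inner join over constructed sample rows. It is an added illustration, not part of the original rule or of Netskope's or Microsoft's code; the sample events, alert rows and the `nk_row` helper are assumptions made for the example, and substring category matching stands in for KQL's `has_any`.

```python
import json
from collections import defaultdict

MALICIOUS_CATEGORIES = ("Malware", "Phishing", "Botnet", "Command and Control",
                        "Ransomware", "Cryptomining", "Spyware/Adware")

def nk_row(action, category, malware, domain, srcip):
    return {"action_s": action, "category_s": category, "malware_name_s": malware,
            "domain_s": domain, "srcip_s": srcip}

NETSKOPE_EVENTS = [  # constructed NetskopeEvents_CL-style rows, not real telemetry
    nk_row("block", "Command and Control", "", "c2.example.invalid", "10.1.1.5"),
    nk_row("Blocked", "Malware", "Trojan.Generic", "dl.example.invalid", "10.1.1.5"),
    nk_row("block", "Social", "", "social.example.invalid", "10.1.1.6"),   # non-malicious category
    nk_row("allow", "Malware", "Trojan.Generic", "dl.example.invalid", "10.1.1.7"),  # not blocked
]

SECURITY_ALERTS = [  # constructed SecurityAlert-style rows; Entities is a JSON string
    {"AlertName": "Suspicious process", "AlertSeverity": "High",
     "Entities": json.dumps([{"Type": "host", "HostName": "wks1"}, {"Type": "ip", "Address": "10.1.1.5"}])},
    {"AlertName": "Anomalous sign-in", "AlertSeverity": "Low",   # dropped by the severity filter
     "Entities": json.dumps([{"Type": "ip", "Address": "10.1.1.6"}])},
]

def netskope_blocks(events):
    # NetskopeBlocks subquery: blocked action AND (malicious category OR malware name), grouped by srcip_s.
    out = defaultdict(lambda: {"NK_BlockCount": 0, "NK_DestDomains": set()})
    for e in events:
        blocked = e["action_s"].lower() in ("block", "blocked")
        malicious = any(c in e["category_s"] for c in MALICIOUS_CATEGORIES) or bool(e["malware_name_s"])
        if blocked and malicious:
            out[e["srcip_s"]]["NK_BlockCount"] += 1
            out[e["srcip_s"]]["NK_DestDomains"].add(e["domain_s"])
    return dict(out)

def alert_ips(alerts):
    # SecurityAlert side: High/Medium only; mv-expand Entities and keep each entity's Address.
    out = defaultdict(lambda: {"Alert_Count": 0, "Alert_Names": set()})
    for a in alerts:
        if a["AlertSeverity"] in ("High", "Medium"):
            for ent in json.loads(a["Entities"]):
                if ent.get("Address"):                  # host entities carry no Address
                    out[ent["Address"]]["Alert_Count"] += 1
                    out[ent["Address"]]["Alert_Names"].add(a["AlertName"])
    return dict(out)

def correlate(events, alerts):
    # kind=inner join on NK_SrcIP == EntityIP, then order by NK_BlockCount desc, Alert_Count desc.
    nk, al = netskope_blocks(events), alert_ips(alerts)
    rows = [{"NK_SrcIP": ip, **nk[ip], **al[ip]} for ip in nk if ip in al]
    return sorted(rows, key=lambda r: (-r["NK_BlockCount"], -r["Alert_Count"]))
```

Only 10.1.1.5 survives: 10.1.1.6 has a block but on a non-malicious category and only a Low alert, and 10.1.1.7 was allowed rather than blocked.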

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL, SecurityAlert

Keywords

Netskope, SecurityAlert, Devices, Malware, User, IP

Operators

let, datatable, union, isfuzzy, where, in, has_any, or, isnotempty, summarize, count, make_set, min, by, mv-expand, todynamic, extend, tostring, join, kind, on, project, order by, desc