Query Details

Netskope (Built-in) + SecurityAlert Correlation - C2/Malware Corroboration

62 NK BI Security Alert Correlation

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let NetskopeBlocks =
    union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
    | where TimeGenerated > ago(1d)
    | where action_s in ("block", "Block", "blocked", "Blocked")
    | where category_s has_any (
        "Malware", "Phishing", "Botnet", "Command and Control",
        "Ransomware", "Cryptomining", "Spyware/Adware")
        or isnotempty(malware_name_s)
    | summarize
        NK_BlockCount    = count(),
        NK_DestDomains   = make_set(domain_s, 10),
        NK_Categories    = make_set(category_s, 5),
        NK_MalwareNames  = make_set(malware_name_s, 5),
        NK_Users         = make_set(user_s, 5),
        NK_FirstSeen     = min(TimeGenerated)
      by NK_SrcIP = srcip_s;
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertSeverity in ("High", "Medium")
| mv-expand todynamic(Entities)
| extend EntityIP = tostring(Entities.Address)
| where isnotempty(EntityIP)
| summarize
    Alert_Count      = count(),
    Alert_Names      = make_set(AlertName, 5),
    Alert_Products   = make_set(ProductName, 5),
    Alert_Severity   = make_set(AlertSeverity, 3),
    Alert_FirstSeen  = min(TimeGenerated)
  by EntityIP
| join kind=inner NetskopeBlocks on $left.EntityIP == $right.NK_SrcIP
| project
    NK_SrcIP, NK_BlockCount, NK_DestDomains, NK_Categories,
    NK_MalwareNames, NK_Users,
    Alert_Count, Alert_Names, Alert_Products, Alert_Severity,
    NK_FirstSeen, Alert_FirstSeen
| order by NK_BlockCount desc, Alert_Count desc

Explanation

This query is designed to enhance security monitoring by cross-referencing data from two sources: Netskope and Microsoft Defender/Sentinel. Here's a simplified breakdown:

  1. Purpose: The query aims to identify potential threats by correlating Netskope's blocks of command-and-control (C2) or malware activities with security alerts from Defender/Sentinel that originate from the same IP address. This dual-source corroboration helps in confirming threats more reliably.

  2. Data Sources:

    • NetskopeEvents_CL: This table contains logs of blocked activities related to malware, phishing, botnets, etc., from Netskope.
    • SecurityAlert: This table contains security alerts from Microsoft Defender/Sentinel.
  3. Process:

    • Netskope Data: The query filters Netskope events from the last day where actions were blocked and categories include malware-related activities. It summarizes the data by counting blocks, listing domains, categories, malware names, users involved, and noting the first time the block was seen, grouped by source IP.

    • Security Alerts: It filters security alerts from the last day with high or medium severity. It expands the alert entities to extract IP addresses and summarizes the data by counting alerts, listing alert names, products, and severities, and noting the first time the alert was seen, grouped by IP.

  4. Correlation: The query joins the summarized Netskope data with the security alerts based on matching source IP addresses. This helps in identifying IPs that have both Netskope blocks and security alerts.

  5. Output: The results are ordered by the number of Netskope blocks and alert counts, providing a clear view of the most significant threats.

  6. Alerting and Incident Management:

    • An alert is generated for each correlated IP, with details on the number of Netskope blocks and security alerts.
    • Incidents are created for these alerts, and similar incidents are grouped together based on the IP address to manage them efficiently.

This query is part of a scheduled task that runs every hour, looking back over the past day, to ensure timely detection and response to potential threats.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CLSecurityAlert

Keywords

NetskopeSecurityAlertDevicesMalwareUserIP

Operators

letdatatableunionisfuzzywhereinhas_anyorisnotemptysummarizecountmake_setminbymv-expandtodynamicextendtostringjoinkindonprojectorder bydesc

Severity

High

Tactics

CommandAndControlDefenseEvasion

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub