Query Details

42 NK Multi User Phishing Campaign

Query

id: e5f6a7b8-c9d0-4e1f-2a3b-4c5d6e7f8a9b
name: "Netskope - Multi-User Phishing Campaign Detection"
version: 1.0.0
kind: Scheduled
description: |
  Detects three or more distinct users reaching the same phishing, suspicious or newly
  registered domain within the 24-hour query period, indicating an active phishing campaign.
  Counts Netskope blocked and allowed requests to phishing-categorized destinations and to
  any destination Netskope rated high or critical severity.
  MITRE ATT&CK: T1566 (Phishing), T1566.002 (Spearphishing Link)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Empty table with the connector's schema: the rule validates and runs even before NetskopeWebTx_CL exists.
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  let PhishingCategories = dynamic([
      "Phishing", "Phishing and Other Frauds", "Newly Observed Domain",
      "Newly Registered Domain", "Suspicious", "Malware"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  // Phishing-categorized destinations, plus any high/critical event regardless of category.
  | where category_s in (PhishingCategories)
      or severity_s in ("high", "critical")
  | where isnotempty(user_s) and isnotempty(domain_s)
  // Blocked/Allowed split: 'in' is case-sensitive, so only these four spellings count as a block;
  // every other action value (alert, allow, uppercase BLOCK, ...) is counted as Allowed.
  | summarize
      UniqueUsers      = dcount(user_s),
      UserList         = make_set(user_s, 30),
      TotalRequests    = count(),
      Blocked          = countif(action_s in ("block", "Block", "blocked", "Blocked")),
      Allowed          = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
      Categories       = make_set(category_s, 5),
      URLSamples       = make_set(url_s, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by domain_s
  // Campaign threshold: at least three distinct users reached the domain within the query period.
  | where UniqueUsers >= 3
  | extend CampaignDuration = datetime_diff('minute', LastSeen, FirstSeen)
  | order by UniqueUsers desc, TotalRequests desc
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
customDetails:
  UniqueUsers: UniqueUsers
  TotalRequests: TotalRequests
  Allowed: Allowed
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Phishing Campaign - {{domain_s}} ({{UniqueUsers}} users)"
  alertDescriptionFormat: "Phishing campaign detected: {{UniqueUsers}} users accessed {{domain_s}}. {{Allowed}} requests were allowed through."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - DNS
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query detects phishing campaigns by their footprint across users rather than by a single click. It flags any domain that at least three distinct users reached within the 24-hour query period, provided Netskope categorized the destination as phishing, newly observed or newly registered, suspicious or malware, or rated the request high or critical severity. Both blocked and allowed requests count. Here's a simplified breakdown of the query:

  1. Purpose: Identify an active phishing campaign by counting the distinct users who reached the same suspicious domain, which surfaces a mass mailing even when the proxy blocked most of the clicks.

  2. Data Source: Netskope Web Transactions (NetskopeWebTx_CL). The union with an empty datatable of the same schema (isfuzzy=true) lets the rule validate and run before the table exists; until data arrives it simply returns no rows.

  3. Time Frame: Each run examines the past day (24 hours), and the rule runs every 15 minutes. Because the period is far longer than the frequency, a campaign still inside the window is re-detected on every run; the incident grouping in step 7 is what keeps those repeat alerts on one incident.

  4. Criteria:

    • A request qualifies if category_s is one of Phishing, Phishing and Other Frauds, Newly Observed Domain, Newly Registered Domain, Suspicious or Malware, or if severity_s is "high" or "critical" regardless of category. The severity clause widens the rule beyond phishing-categorized destinations, so a high-severity malware or other event from one domain can trigger it too.
    • Requests without a user or a domain are dropped.
    • Blocked and allowed requests are both kept; a domain must be reached by at least three unique users (UniqueUsers >= 3). No shorter time window is enforced: CampaignDuration is reported, not filtered on.
    • KQL's in operator is case-sensitive, so only the spellings block, Block, blocked and Blocked count as a block; any other action value (for example alert, or an uppercase BLOCK) lands in Allowed. Check the exact action_s and severity_s values your connector emits before relying on those counts.

  5. Output:

    • Per domain: the number of unique users (with up to 30 names in UserList), total requests split into blocked and allowed, and up to five categories and sample URLs.
    • The first and last time the domain was accessed, and CampaignDuration in minutes between them. Results are ordered by unique users, then total requests.

  6. Alerting:

    • Each qualifying domain produces one alert mapped to a DNS entity (the domain name).
    • The alert's display name carries the domain and user count; the description calls out how many requests were allowed, which is the number to triage first because those users may have entered credentials.

  7. Incident Management:

    • An incident is created, and alerts raised within the next 6 hours that share the same DNS entity are grouped into it; closed incidents are not reopened, so a domain that resurfaces after closure opens a new incident.

Overall, this query helps security teams spot a phishing campaign from its spread across users rather than from individual events, and the allowed count tells them which users to contact first.
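The detection logic described above, re-implemented in Python as an added example so the rule can be unit-tested offline. This is not the page's query and not Netskope or Microsoft code; detect_campaigns, the _row helper and the sample records are assumptions constructed for the example, with field names mirroring the NetskopeWebTx_CL columns the query uses. The sample deliberately includes the cases real data rarely shows side by side: a domain under the three-user threshold, a domain pulled in only by the high/critical severity clause, a domain outside the 1-day period, and an action spelling (BLOCK) that the case-sensitive match counts as Allowed.

```python
"""
Offline re-implementation of the rule's aggregation so the detection logic can be
unit-tested without a Sentinel workspace.  Added example: this is not the page's
query, nor Netskope or Microsoft code.  Field names mirror the NetskopeWebTx_CL
columns the query uses; the records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Same category list as the query's PhishingCategories.
PHISHING_CATEGORIES = {
    "Phishing", "Phishing and Other Frauds", "Newly Observed Domain",
    "Newly Registered Domain", "Suspicious", "Malware",
}
# The query's block spellings. KQL 'in' is case-sensitive, so this set is exact.
BLOCK_ACTIONS = {"block", "Block", "blocked", "Blocked"}
MIN_UNIQUE_USERS = 3          # the query's 'where UniqueUsers >= 3'


def detect_campaigns(rows, now, lookback=timedelta(days=1), min_users=MIN_UNIQUE_USERS):
    """Apply the query's filters, group by domain_s and keep domains reached by >= min_users."""
    by_domain = defaultdict(list)
    for r in rows:
        if r["TimeGenerated"] <= now - lookback:          # TimeGenerated > ago(1d)
            continue
        # category in PhishingCategories OR severity high/critical (the OR widens the rule).
        if (r["category_s"] not in PHISHING_CATEGORIES
                and r["severity_s"] not in ("high", "critical")):
            continue
        if not r.get("user_s") or not r.get("domain_s"):  # isnotempty(user_s) and isnotempty(domain_s)
            continue
        by_domain[r["domain_s"]].append(r)

    results = []
    for domain, evts in by_domain.items():
        users = {e["user_s"] for e in evts}
        if len(users) < min_users:
            continue
        blocked = sum(1 for e in evts if e["action_s"] in BLOCK_ACTIONS)
        first = min(e["TimeGenerated"] for e in evts)
        last = max(e["TimeGenerated"] for e in evts)
        results.append({
            "domain_s": domain,
            "UniqueUsers": len(users),
            "UserList": sorted(users)[:30],
            "TotalRequests": len(evts),
            "Blocked": blocked,
            "Allowed": len(evts) - blocked,      # everything that is not a block spelling
            "Categories": sorted({e["category_s"] for e in evts})[:5],
            "URLSamples": sorted({e["url_s"] for e in evts})[:5],
            "FirstSeen": first,
            "LastSeen": last,
            "CampaignDuration": int((last - first).total_seconds() // 60),
        })
    # order by UniqueUsers desc, TotalRequests desc
    results.sort(key=lambda r: (-r["UniqueUsers"], -r["TotalRequests"]))
    return results


NOW = datetime(2026, 4, 16, 12, 0, 0)   # constructed 'now' for the sample


def _row(minutes_ago, user, domain, category, action, severity="medium"):
    """Build one constructed NetskopeWebTx_CL-like record (helper for the sample only)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "user_s": user, "domain_s": domain, "category_s": category,
        "action_s": action, "severity_s": severity,
        "url_s": f"https://{domain}/login",
    }


# Constructed sample: one real campaign, one near miss, one severity-only hit, one stale domain.
SAMPLE_ROWS = [
    # Five users hit the same newly registered domain within 20 minutes; mixed 'action' spellings.
    _row(40, "alice@example.com", "m365-secure-login.example", "Newly Registered Domain", "block"),
    _row(35, "bob@example.com",   "m365-secure-login.example", "Newly Registered Domain", "block"),
    _row(30, "carol@example.com", "m365-secure-login.example", "Phishing", "Blocked"),
    _row(25, "eve@example.com",   "m365-secure-login.example", "Phishing", "BLOCK"),   # counted as Allowed
    _row(20, "dave@example.com",  "m365-secure-login.example", "Phishing", "allow"),   # the user to call first
    # Only two users: below the threshold, no alert.
    _row(15, "alice@example.com", "docs-share.example", "Phishing", "block"),
    _row(10, "erin@example.com",  "docs-share.example", "Phishing", "block"),
    # Not a phishing category at all, but severity 'high' satisfies the OR clause.
    _row(50, "frank@example.com", "cdn.example", "Business", "alert", severity="high"),
    _row(45, "grace@example.com", "cdn.example", "Business", "alert", severity="high"),
    _row(44, "heidi@example.com", "cdn.example", "Business", "alert", severity="high"),
    # Three users, but 26 hours ago: outside the 1-day query period.
    _row(26 * 60, "ivan@example.com",    "old-phish.example", "Phishing", "block"),
    _row(26 * 60, "judy@example.com",    "old-phish.example", "Phishing", "block"),
    _row(26 * 60, "mallory@example.com", "old-phish.example", "Phishing", "block"),
]


if __name__ == "__main__":
    for hit in detect_campaigns(SAMPLE_ROWS, NOW):
        print(f"{hit['domain_s']}: {hit['UniqueUsers']} users, "
              f"{hit['Blocked']} blocked / {hit['Allowed']} allowed, "
              f"{hit['CampaignDuration']} min")
```

Run it directly to print the two hits (the campaign domain and the severity-only cdn.example domain). In a detection-as-code pipeline, keep rows like these as fixtures and assert on the returned dicts, so a change to the threshold, the category list or the block spellings fails a test before it reaches the workspace.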

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Phishing, Domain, Users, Requests, Categories, URL, DNS

Operators

let, datatable, dynamic, union, isfuzzy, ago, in, or, isnotempty, summarize, dcount, make_set, count, countif, min, max, by, extend, datetime_diff, order by, desc
