Netskope - User Visibility Loss - No Traffic Detected
46 NK Visibility Loss No Traffic
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let baselineWindow = 7d;
let recentWindow = 4h;
let minBaselineReqsPerDay = 20;
// Users with consistent Netskope activity in the baseline window
let BaselineUsers =
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
| where isnotempty(user_s)
| summarize
BaselineReqPerDay = round(toreal(count()) / (baselineWindow / 1d), 1),
BaselineApps = make_set(app_s, 10),
BaselineIPs = make_set(srcip_s, 5)
by user_s
| where BaselineReqPerDay >= minBaselineReqsPerDay;
// Users with ANY activity in the recent window
let RecentActiveUsers =
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(recentWindow)
| where isnotempty(user_s)
| distinct user_s;
// Users who went silent
BaselineUsers
| join kind=leftanti RecentActiveUsers on user_s
| project
user_s, BaselineReqPerDay, BaselineApps, BaselineIPs
| order by BaselineReqPerDay descExplanation
This query is designed to detect users who have stopped generating web traffic through Netskope, which could indicate a potential security issue. Here's a simple breakdown of what the query does:
-
Purpose: The query identifies users who previously had regular Netskope web transaction activity but have shown no activity in the last 4 hours. This could suggest that the Netskope client has been uninstalled, disabled, bypassed, or that the user is using another method to avoid traffic inspection.
-
Data Source: It uses data from Netskope web transactions.
-
Time Windows:
- Baseline Window: Looks at user activity over the past 7 days to establish a baseline of normal activity.
- Recent Window: Checks for any activity in the last 4 hours.
-
Criteria:
- Users must have had at least 20 requests per day on average in the baseline period to be considered.
- The query identifies users who had consistent activity in the baseline period but no activity in the recent window.
-
Output: The query lists users who have gone silent, along with their average requests per day and the applications and IPs they used during the baseline period.
-
Alerting: If any users meet these criteria, an alert is generated with details about the user and their baseline activity. This alert is linked to the MITRE ATT&CK framework techniques related to impairing defenses.
-
Incident Management: The system can create incidents based on these alerts, with options for grouping related alerts by user account.
Overall, this query helps in identifying potential security risks by flagging users who might be trying to evade network monitoring.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT4H
Period: P7D