Query Details

46 NK Visibility Loss No Traffic

Query

id: c9d0e1f2-a3b4-4c5d-6e7f-8a9b0c1d2e3a
name: "Netskope - User Visibility Loss - No Traffic Detected"
version: 1.0.0
kind: Scheduled
description: |
  Detects users who previously had consistent Netskope web transaction activity but have
  generated zero traffic in the recent window. Visibility loss may indicate the Netskope
  Client has been uninstalled, disabled, or bypassed, or the user is routing traffic
  through an alternate channel to avoid inspection.
  MITRE ATT&CK: T1562 (Impair Defenses), T1562.001 (Disable or Modify Tools)
severity: Medium
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT4H
queryPeriod: P7D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  let baselineWindow = 7d;
  let recentWindow   = 4h;
  let minBaselineReqsPerDay = 20;
  // Users with consistent Netskope activity in the baseline window
  let BaselineUsers =
      union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
      | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
      | where isnotempty(user_s)
      | summarize
          BaselineReqPerDay = round(toreal(count()) / (baselineWindow / 1d), 1),
          BaselineApps      = make_set(app_s, 10),
          BaselineIPs       = make_set(srcip_s, 5)
        by user_s
      | where BaselineReqPerDay >= minBaselineReqsPerDay;
  // Users with ANY activity in the recent window
  let RecentActiveUsers =
      union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
      | where TimeGenerated > ago(recentWindow)
      | where isnotempty(user_s)
      | distinct user_s;
  // Users who went silent
  BaselineUsers
  | join kind=leftanti RecentActiveUsers on user_s
  | project
      user_s, BaselineReqPerDay, BaselineApps, BaselineIPs
  | order by BaselineReqPerDay desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  BaselineReqPerDay: BaselineReqPerDay
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Visibility Loss - {{user_s}} went silent"
  alertDescriptionFormat: "User {{user_s}} had {{BaselineReqPerDay}} requests/day baseline but generated zero Netskope traffic in last 4 hours."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect users who have stopped generating web traffic through Netskope, which could indicate a potential security issue. Here's a simple breakdown of what the query does:

  1. Purpose: The query identifies users who previously had regular Netskope web transaction activity but have shown no activity in the last 4 hours. This could suggest that the Netskope client has been uninstalled, disabled, bypassed, or that the user is using another method to avoid traffic inspection.

  2. Data Source: It uses the NetskopeWebTx_CL table of Netskope web transactions.

  3. Time Windows:

    • Baseline Window: Looks at user activity over the past 7 days (up to the start of the recent window) to establish a baseline of normal activity.
    • Recent Window: Checks for any activity in the last 4 hours.

  4. Criteria:

    • Users must have had at least 20 requests per day on average in the baseline period to be considered.
    • The query identifies users who had consistent activity in the baseline period but no activity in the recent window.

  5. Output: The query lists users who have gone silent, along with their average requests per day and the applications and source IPs they used during the baseline period.

  6. Alerting: If any users meet these criteria, an alert is generated with details about the user and their baseline activity. This alert is linked to the MITRE ATT&CK framework techniques related to impairing defenses.

  7. Incident Management: The system can create incidents based on these alerts, with options for grouping related alerts by user account.

Overall, this query helps in identifying potential security risks by flagging users who might be trying to evade network monitoring.
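As an added example (not part of the original rule or its author's code), the following Python re-implements the same baseline/leftanti logic over constructed rows, so the threshold and window choices can be unit-tested offline; the users, apps and IPs are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_WINDOW = timedelta(days=7)           # baselineWindow in the rule
RECENT_WINDOW = timedelta(hours=4)            # recentWindow in the rule
MIN_BASELINE_REQS_PER_DAY = 20                # minBaselineReqsPerDay in the rule

def find_silent_users(rows, now, baseline_window=BASELINE_WINDOW,
                      recent_window=RECENT_WINDOW, min_reqs_per_day=MIN_BASELINE_REQS_PER_DAY):
    """Mirror of the KQL: baseline = [now-7d, now-4h], recent = (now-4h, now], leftanti join."""
    baseline_start, recent_start = now - baseline_window, now - recent_window
    counts, apps, ips, recent_active = defaultdict(int), defaultdict(set), defaultdict(set), set()
    for r in rows:
        user = r.get("user_s")
        if not user:                          # isnotempty(user_s)
            continue
        t = r["TimeGenerated"]
        if baseline_start <= t <= recent_start:   # KQL between() is inclusive at both ends
            counts[user] += 1
            apps[user].add(r["app_s"])
            ips[user].add(r["srcip_s"])
        elif t > recent_start:
            recent_active.add(user)           # RecentActiveUsers
    days = baseline_window / timedelta(days=1)    # baselineWindow / 1d
    results = []
    for user, n in counts.items():
        per_day = round(n / days, 1)
        if per_day >= min_reqs_per_day and user not in recent_active:
            results.append({"user_s": user, "BaselineReqPerDay": per_day,
                            "BaselineApps": sorted(apps[user]), "BaselineIPs": sorted(ips[user])})
    return sorted(results, key=lambda x: x["BaselineReqPerDay"], reverse=True)

def make_rows(user, app, ip, start, n, step):
    """Build n constructed NetskopeWebTx_CL-style rows, one every `step`, starting at `start`."""
    return [{"TimeGenerated": start + i * step, "user_s": user, "app_s": app, "srcip_s": ip}
            for i in range(n)]

# Constructed sample data (hypothetical users, apps and IPs; not taken from the page).
NOW = datetime(2026, 4, 16, 12, 0)
SAMPLE_ROWS = (
    # alice: steady baseline (200 requests over ~5.5 days), nothing in the last 4h -> flagged
    make_rows("alice@example.com", "Microsoft 365", "10.0.0.5", NOW - timedelta(days=6), 200, timedelta(minutes=40))
    # bob: same baseline, but still active 1h ago -> not flagged
    + make_rows("bob@example.com", "Salesforce", "10.0.0.9", NOW - timedelta(days=6), 200, timedelta(minutes=40))
    + make_rows("bob@example.com", "Salesforce", "10.0.0.9", NOW - timedelta(hours=1), 3, timedelta(minutes=10))
    # carol: only 10 baseline requests (1.4/day), below the 20/day floor -> not flagged
    + make_rows("carol@example.com", "Box", "10.0.0.7", NOW - timedelta(days=6), 10, timedelta(hours=6))
)
```

With a 4-hour recent window, a user who simply logged off for the evening looks the same as one whose client was disabled, so expect this rule to be noisy outside business hours unless the recent window or schedule is tuned.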

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Web Transactions, User Account, Devices, Traffic, Apps, IPs

Operators

let, datatable, union, isfuzzy, where, between, ago, isnotempty, summarize, round, toreal, count, make_set, by, distinct, join, kind, leftanti, on, project, order by
