Query Details

Netskope - User Visibility Loss - No Traffic Detected

46 NK Visibility Loss No Traffic

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let baselineWindow = 7d;
let recentWindow   = 4h;
let minBaselineReqsPerDay = 20;
// Users with consistent Netskope activity in the baseline window
let BaselineUsers =
    union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | where isnotempty(user_s)
    | summarize
        BaselineReqPerDay = round(toreal(count()) / (baselineWindow / 1d), 1),
        BaselineApps           = make_set(app_s, 10),
        BaselineIPs            = make_set(srcip_s, 5)
      by user_s
    | where BaselineReqPerDay >= minBaselineReqsPerDay;
// Users with ANY activity in the recent window
let RecentActiveUsers =
    union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
    | where TimeGenerated > ago(recentWindow)
    | where isnotempty(user_s)
    | distinct user_s;
// Users who went silent
BaselineUsers
| join kind=leftanti RecentActiveUsers on user_s
| project
    user_s, BaselineReqPerDay, BaselineApps, BaselineIPs
| order by BaselineReqPerDay desc

Explanation

This query is designed to detect users who have stopped generating web traffic through Netskope, which could indicate a potential security issue. Here's a simple breakdown of what the query does:

  1. Purpose: The query identifies users who previously had regular Netskope web transaction activity but have shown no activity in the last 4 hours. This could suggest that the Netskope client has been uninstalled, disabled, bypassed, or that the user is using another method to avoid traffic inspection.

  2. Data Source: It uses data from Netskope web transactions.

  3. Time Windows:

    • Baseline Window: Looks at user activity over the past 7 days to establish a baseline of normal activity.
    • Recent Window: Checks for any activity in the last 4 hours.
  4. Criteria:

    • Users must have had at least 20 requests per day on average in the baseline period to be considered.
    • The query identifies users who had consistent activity in the baseline period but no activity in the recent window.
  5. Output: The query lists users who have gone silent, along with their average requests per day and the applications and IPs they used during the baseline period.

  6. Alerting: If any users meet these criteria, an alert is generated with details about the user and their baseline activity. This alert is linked to the MITRE ATT&CK framework techniques related to impairing defenses.

  7. Incident Management: The system can create incidents based on these alerts, with options for grouping related alerts by user account.

Overall, this query helps in identifying potential security risks by flagging users who might be trying to evade network monitoring.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeWebTransactionsUserAccountDevicesTrafficAppsIPs

Operators

letdatatableunionisfuzzywherebetweenagoisnotemptysummarizeroundtorealcountmake_setbydistinctjoinkindleftantionprojectorder by

Severity

Medium

Tactics

DefenseEvasion

MITRE Techniques

Frequency: PT4H

Period: P7D

Actions

GitHub