Query Details

49 NK Low Slow Exfiltration

Query

id: f2a3b4c5-d6e7-4f8a-9b0c-1d2e3f4a5b6c
name: "Netskope - Low & Slow Multi-Channel Exfiltration"
version: 1.0.0
kind: Scheduled
description: |
  Detects exfiltration spread across multiple cloud services over 7 days using statistical
  Z-score peer-group deviation. Identifies users uploading data in many small sessions to
  cloud storage, file sharing, and paste services in aggregate volumes exceeding peer norms.
  MITRE ATT&CK: T1041 (Exfiltration Over C2 Channel), T1567.002 (Exfiltration to Cloud Storage)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: P1D
queryPeriod: P7D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - Collection
relevantTechniques:
  - T1041
  - T1567
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  let HuntWindow = 7d;
  let ExfilCategories = dynamic([
      "Cloud Storage", "File Sharing", "Online Storage and Backup",
      "Personal Sites & Blogs", "Webmail", "Social Networking"]);
  // Step 1: Daily upload per user to exfil-candidate categories
  let Daily =
      union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
      | where TimeGenerated > ago(HuntWindow)
      | where action_s !in ("block", "Block", "blocked", "Blocked")
      | where isnotempty(user_s)
      | where category_s in (ExfilCategories) or activity_s == "Upload"
      | summarize
          DaySentBytes    = sum(todouble(bytes_uploaded_d)),
          DayRequestCount = count(),
          DayDestCount    = dcount(domain_s)
        by user_s, Day = bin(TimeGenerated, 1d);
  // Step 2: Aggregate per user
  let Users =
      Daily
      | summarize
          TotalMBSent   = round(toreal(sum(DaySentBytes)) / 1048576, 2),
          ActiveDays    = dcount(Day),
          TotalRequests = sum(DayRequestCount),
          // Sum of per-day distinct domains: a domain used on several days counts once per day
          UniqueDestCnt = sum(DayDestCount)
        by user_s;
  // Step 3: Peer-group statistics (the peer group is every user seen in the window; stdev() is the sample standard deviation)
  let globalAvg = toscalar(Users | summarize avg(TotalMBSent));
  let globalStd = toscalar(Users | summarize stdev(TotalMBSent));
  // Step 4: Flag statistical outliers
  Users
  | extend
      Zscore = iff(globalStd > 0,
                   round((TotalMBSent - globalAvg) / globalStd, 2),
                   0.0)
  | where Zscore >= 3.0
      or (ActiveDays >= 5 and TotalMBSent > 100)
  | project
      user_s,
      TotalMBSent, ActiveDays, TotalRequests, UniqueDestCnt,
      Zscore
  | order by Zscore desc, TotalMBSent desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  TotalMBSent: TotalMBSent
  Zscore: Zscore
  ActiveDays: ActiveDays
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Slow Exfil - {{user_s}} (Z-score: {{Zscore}}, {{TotalMBSent}} MB)"
  alertDescriptionFormat: "User {{user_s}} uploaded {{TotalMBSent}} MB across {{ActiveDays}} days with Z-score {{Zscore}} vs peers."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: P1D
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious data exfiltration activities by monitoring user uploads to cloud services over a 7-day period. Here's a simplified breakdown:

  1. Purpose: The query identifies users who might be exfiltrating data slowly and subtly across multiple cloud services. It does this by comparing their upload activities to their peers using statistical analysis.

  2. Data Source: It uses data from Netskope Web Transactions to track user activities related to cloud storage, file sharing, and similar services.

  3. Process:

    • Step 1: It calculates daily upload metrics for each user, focusing on specific categories like cloud storage and file sharing.
    • Step 2: It aggregates these daily metrics to get total uploads, active days, request counts, and unique destinations for each user over the 7-day period.
    • Step 3: It calculates the average and standard deviation of total uploads across all users to establish a baseline.
    • Step 4: It flags users as potential outliers if their upload behavior significantly deviates from the norm (Z-score >= 3.0) or if they have been active for at least 5 days with more than 100 MB uploaded.

  4. Output: The query generates alerts for users who are statistical outliers, providing details like the total data uploaded, the number of active days, and their Z-score compared to peers.

  5. Alert Configuration: Alerts are created with specific details about the user's activity, and incidents are generated for further investigation.

Overall, this query helps identify potential data exfiltration threats by analyzing user behavior patterns and comparing them to peer group norms.
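The four steps above (and the KQL that implements them) can be exercised offline. The following Python is an added example written for this page, not the rule's or Netskope's code: it re-implements daily aggregation, per-user roll-up, sample mean/standard deviation and the two-branch outlier test over a constructed set of web-transaction records. Field names (`user`, `category`, `domain`, `bytes_uploaded`, `action`, `activity`), user names, domains and timestamps are all constructed; only the category list and thresholds come from the rule.

```python
"""Low-and-slow exfiltration scoring: Python re-implementation of the rule's
four steps over constructed Netskope-style records (added example, not the
rule's own code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Category list copied from the rule; everything else below is constructed.
EXFIL_CATEGORIES = {
    "Cloud Storage", "File Sharing", "Online Storage and Backup",
    "Personal Sites & Blogs", "Webmail", "Social Networking",
}
MB = 1048576


def rec(user, day, category, domain, nbytes, action="allow", activity="Upload"):
    """One constructed web-transaction record (field names are hypothetical)."""
    return {"time": f"2026-04-{day:02d}T09:{day:02d}:00", "user": user,
            "category": category, "domain": domain, "bytes_uploaded": nbytes,
            "action": action, "activity": activity}


def build_sample():
    """Constructed dataset: 20 ordinary users, one burst uploader, one slow one."""
    recs = []
    for i in range(20):  # ordinary users: 2 MB on each of three days
        for day in (1, 2, 3):
            recs.append(rec(f"user{i:02d}@corp.example", day, "Cloud Storage",
                            "drive.example.com", 2 * MB))
    for _ in range(4):  # burst: 400 MB in one day to a single destination
        recs.append(rec("burst@corp.example", 2, "File Sharing",
                        "share.example.net", 100 * MB))
    for day in range(1, 7):  # slow: 20 MB/day for six days, two services
        for k in range(4):
            dom = ("drive.example.com", "paste.example.org")[k % 2]
            recs.append(rec("slow@corp.example", day, "Cloud Storage", dom, 5 * MB))
    # Noise the rule must ignore: a blocked upload and a non-upload, non-exfil hit.
    recs.append(rec("slow@corp.example", 3, "Cloud Storage", "drive.example.com",
                    500 * MB, action="blocked"))
    recs.append(rec("burst@corp.example", 2, "Business", "crm.example.com",
                    50 * MB, activity="Download"))
    return recs


def daily_metrics(records, hunt_start):
    """Step 1: per (user, day) uploaded bytes, request count, distinct domains."""
    days = defaultdict(lambda: {"bytes": 0.0, "requests": 0, "domains": set()})
    for r in records:
        ts = datetime.fromisoformat(r["time"])
        if ts <= hunt_start or r["action"].lower() in ("block", "blocked"):
            continue
        if not r["user"]:
            continue
        if r["category"] not in EXFIL_CATEGORIES and r["activity"] != "Upload":
            continue
        d = days[(r["user"], ts.date())]
        d["bytes"] += float(r["bytes_uploaded"])
        d["requests"] += 1
        d["domains"].add(r["domain"])
    return days


def user_totals(days):
    """Step 2: roll the daily rows up per user (dest = sum of per-day dcounts, as in the rule)."""
    users = defaultdict(lambda: {"mb": 0.0, "days": 0, "requests": 0, "dest": 0})
    for (user, _day), d in days.items():
        u = users[user]
        u["mb"] += d["bytes"] / MB
        u["days"] += 1
        u["requests"] += d["requests"]
        u["dest"] += len(d["domains"])
    for u in users.values():
        u["mb"] = round(u["mb"], 2)
    return users


def score(users, z_threshold=3.0, min_days=5, min_mb=100.0):
    """Steps 3 and 4: sample mean/stdev over all users, then the two-branch test."""
    totals = [u["mb"] for u in users.values()]
    avg = mean(totals)
    std = stdev(totals) if len(totals) > 1 else 0.0  # KQL stdev() is the sample stdev
    flagged = []
    for user, u in users.items():
        z = round((u["mb"] - avg) / std, 2) if std > 0 else 0.0
        if z >= z_threshold or (u["days"] >= min_days and u["mb"] > min_mb):
            flagged.append({"user": user, "z": z, **u})
    flagged.sort(key=lambda f: (-f["z"], -f["mb"]))
    return flagged


def run(records, hunt_start):
    """End-to-end: the rule's output rows, ordered by Z-score then volume."""
    return score(user_totals(daily_metrics(records, hunt_start)))


if __name__ == "__main__":
    for hit in run(build_sample(), datetime(2026, 3, 30)):
        print(hit)
```

On the constructed data the burst uploader is caught by the Z-score branch (about 4.3 against a 22-user population) while the slow uploader scores only about 1.05 and is caught solely by the second branch (6 active days, 120 MB). That second branch matters more than it looks: with a sample standard deviation, a single outlier among n users can never score above (n-1)/sqrt(n), so in a tenant with fewer than about 11 active users the Z-score >= 3.0 condition cannot fire at all, and the fixed-threshold branch is the only one that will.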

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeWebTransactions, User, Domain, DestinationIP, SourceIP, BytesUploaded, BytesDownloaded, Application, URL, DLPRule, DLPProfile, Activity, FileType, Object, Account, FullName

Operators

let, datatable, union, isfuzzy, ago, !in, isnotempty, in, or, summarize, sum, todouble, count, dcount, bin, round, toreal, toscalar, avg, stdev, extend, iff, project, order by, desc