Query Details

Netskope - Low & Slow Multi-Channel Exfiltration

49 NK Low Slow Exfiltration

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let HuntWindow = 7d;
let ExfilCategories = dynamic([
    "Cloud Storage", "File Sharing", "Online Storage and Backup",
    "Personal Sites & Blogs", "Webmail", "Social Networking"]);
// Step 1: Daily upload per user to exfil-candidate categories
let Daily =
    union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
    | where TimeGenerated > ago(HuntWindow)
    | where action_s !in ("block", "Block", "blocked", "Blocked")
    | where isnotempty(user_s)
    | where category_s in (ExfilCategories) or activity_s == "Upload"
    | summarize
        DaySentBytes    = sum(todouble(bytes_uploaded_d)),
        DayRequestCount = count(),
        DayDestCount    = dcount(domain_s)
      by user_s, Day = bin(TimeGenerated, 1d);
// Step 2: Aggregate per user
let Users =
    Daily
    | summarize
        TotalMBSent   = round(toreal(sum(DaySentBytes)) / 1048576, 2),
        ActiveDays    = dcount(Day),
        TotalRequests = sum(DayRequestCount),
        UniqueDestCnt = sum(DayDestCount)
      by user_s;
// Step 3: Peer-group statistics
let globalAvg = toscalar(Users | summarize avg(TotalMBSent));
let globalStd = toscalar(Users | summarize stdev(TotalMBSent));
// Step 4: Flag statistical outliers
Users
| extend
    Zscore = iff(globalStd > 0,
                 round((TotalMBSent - globalAvg) / globalStd, 2),
                 0.0)
| where Zscore >= 3.0
    or (ActiveDays >= 5 and TotalMBSent > 100)
| project
    user_s,
    TotalMBSent, ActiveDays, TotalRequests, UniqueDestCnt,
    Zscore
| order by Zscore desc, TotalMBSent desc

Explanation

This query is designed to detect suspicious data exfiltration activities by monitoring user uploads to cloud services over a 7-day period. Here's a simplified breakdown:

  1. Purpose: The query identifies users who might be exfiltrating data slowly and subtly across multiple cloud services. It does this by comparing their upload activities to their peers using statistical analysis.

  2. Data Source: It uses data from Netskope Web Transactions to track user activities related to cloud storage, file sharing, and similar services.

  3. Process:

    • Step 1: It calculates daily upload metrics for each user, focusing on specific categories like cloud storage and file sharing.
    • Step 2: It aggregates these daily metrics to get total uploads, active days, request counts, and unique destinations for each user over the 7-day period.
    • Step 3: It calculates the average and standard deviation of total uploads across all users to establish a baseline.
    • Step 4: It flags users as potential outliers if their upload behavior significantly deviates from the norm (Z-score >= 3.0) or if they have been active for at least 5 days with more than 100 MB uploaded.
  4. Output: The query generates alerts for users who are statistical outliers, providing details like the total data uploaded, the number of active days, and their Z-score compared to peers.

  5. Alert Configuration: Alerts are created with specific details about the user's activity, and incidents are generated for further investigation.

Overall, this query helps identify potential data exfiltration threats by analyzing user behavior patterns and comparing them to peer group norms.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeWebTransactionsUserDomainDestinationIPSourceBytesUploadedDownloadedApplicationURLDLPRuleProfileActivityFileTypeObjectAccountFullName

Operators

letdatatableunionisfuzzyago!inisnotemptyinorsummarizesumtodoublecountdcountbinroundtorealtoscalaravgstdevextendiffprojectorder bydesc

Severity

High

Tactics

ExfiltrationCollection

MITRE Techniques

Frequency: P1D

Period: P7D

Actions

GitHub