Query Details

50 NK Category Shift Anomaly

Query

id: a3b4c5d6-e7f8-4a9b-0c1d-2e3f4a5b6c7d
name: "Netskope - Category Shift Anomaly - Domain Recategorization"
version: 1.0.0
kind: Scheduled
description: |
  Detects domains that were seen with a benign category (Business, Education, etc.)
  in the baseline window (14 days ago to 1 day ago) but appear with a suspicious or
  uncategorized category in the last day. A legitimate site that has been compromised
  and repurposed as attacker infrastructure, or a domain that changed hands and lost
  its established rating, can surface as this kind of recategorization.
  MITRE ATT&CK: T1584 (Compromise Infrastructure), T1583 (Acquire Infrastructure)
severity: Medium
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: P1D
queryPeriod: P14D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - ResourceDevelopment
relevantTechniques:
  - T1584
  - T1583
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  let SuspiciousCategories = dynamic([
      "Uncategorized", "Unknown", "Newly Observed Domain",
      "Newly Registered Domain", "Suspicious", "Parked",
      "Dynamic DNS Host"]);
  let BenignCategories = dynamic([
      "Business", "Technology", "News/Media", "Education",
      "Government", "Health", "Finance", "Shopping",
      "Entertainment", "Reference", "Travel", "Sports"]);
  // Baseline: domains seen with benign categories in older window
  let BaselineDomains =
      union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
      | where TimeGenerated between (ago(14d) .. ago(1d))
      | where category_s in (BenignCategories)
      | where isnotempty(domain_s)
      | summarize
          OldCategories = make_set(category_s, 5),
          OldRequests   = count()
        by domain_s;
  // Recent: same domains now appearing with suspicious categories
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  | where category_s in (SuspiciousCategories)
  | where isnotempty(domain_s)
  // NewCategory uses take_any(), so it is one arbitrary value when several suspicious categories occur in the day
  | summarize
      NewCategory      = take_any(category_s),
      RecentRequests   = count(),
      UniqueUsers      = dcount(user_s),
      UserList         = make_set(user_s, 10),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by domain_s
  | join kind=inner BaselineDomains on domain_s
  | project
      domain_s, OldCategories, NewCategory,
      OldRequests, RecentRequests, UniqueUsers, UserList,
      FirstSeen, LastSeen
  | order by UniqueUsers desc, RecentRequests desc
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
customDetails:
  OldCategories: OldCategories
  NewCategory: NewCategory
  UniqueUsers: UniqueUsers
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Category Shift - {{domain_s}} → {{NewCategory}}"
  alertDescriptionFormat: "Domain {{domain_s}} shifted from {{OldCategories}} to {{NewCategory}}. {{UniqueUsers}} users affected."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: P1D
    matchingMethod: Selected
    groupByEntities:
      - DNS
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect changes in the categorization of internet domains, specifically looking for domains that were previously considered safe but have recently been reclassified as suspicious or uncategorized. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify domains that have shifted from benign categories (like Business, Education, etc.) to suspicious categories (like Uncategorized, Suspicious, etc.). This can indicate potential security threats, such as compromised legitimate sites or newly registered domains being used for malicious purposes.

  2. Data Source: It uses data from Netskope Web Transactions to analyze domain categorizations.

  3. Time Frame: The query looks back 14 days in total, comparing a baseline window (14 days ago to 1 day ago) against the most recent day.

  4. Process:

    • Baseline: It first establishes a baseline by identifying domains that were categorized as benign in the older time window (14 days ago to 1 day ago).
    • Recent Changes: It then checks whether any of these domains appear with a suspicious category in the most recent day (an inner join on the domain name drops domains with no benign baseline).
    • Analysis: For domains that have shifted categories, it gathers additional information such as the number of requests in each window, the unique users accessing the domain, and the time range of the suspicious accesses.

  5. Output: The query outputs a list of domains that have changed categories, along with details like the old and new categories, the number of users affected, and the time of first and last detection, ordered by the number of affected users and then by request count.

  6. Alerting: If such a shift is detected, an alert is generated with details about the domain and the nature of the category shift. This alert can be used to create an incident for further investigation.

  7. Severity and Tactics: The severity of the alert is set to Medium, and it is mapped to the MITRE ATT&CK Resource Development tactic, specifically the Compromise Infrastructure (T1584) and Acquire Infrastructure (T1583) techniques.

Overall, this query helps security teams monitor domain categorizations for potential threats and take action if a domain's classification changes in a way that could indicate malicious activity.
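The two-window comparison described above, re-implemented offline in Python as an added example (not the page's KQL, and not Netskope or Sentinel code) so the logic can be exercised against constructed NetskopeWebTx_CL-style rows. Domain and user names are hypothetical. It departs from the query in two labelled places: take_any() is replaced by the most frequent suspicious category, which is deterministic, and each result carries an extra StillSeenBenign flag that is true when the domain was also still rated benign inside the last day. The original query cannot distinguish such mixed ratings from a clean recategorization, and that is worth checking before escalating.

```python
"""Offline re-implementation of the Netskope category-shift detection,
run over constructed NetskopeWebTx_CL-style rows (added example, not the
page's KQL)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SUSPICIOUS_CATEGORIES = {
    "Uncategorized", "Unknown", "Newly Observed Domain",
    "Newly Registered Domain", "Suspicious", "Parked", "Dynamic DNS Host",
}
BENIGN_CATEGORIES = {
    "Business", "Technology", "News/Media", "Education", "Government", "Health",
    "Finance", "Shopping", "Entertainment", "Reference", "Travel", "Sports",
}

# Fixed "now" so the windows are reproducible (constructed, not a real run).
NOW = datetime(2026, 4, 16, 12, 0, 0)

# Constructed sample rows: (TimeGenerated, domain_s, category_s, user_s).
# Domains and users are hypothetical.
SAMPLE_EVENTS = [
    # benign for days, then uncategorized/suspicious in the last day -> fires
    (NOW - timedelta(days=10), "corp-partner.example", "Business", "alice"),
    (NOW - timedelta(days=6), "corp-partner.example", "Business", "bob"),
    (NOW - timedelta(hours=5), "corp-partner.example", "Uncategorized", "alice"),
    (NOW - timedelta(hours=3), "corp-partner.example", "Uncategorized", "carol"),
    (NOW - timedelta(hours=2), "corp-partner.example", "Suspicious", "carol"),
    # benign in baseline, mixed benign + Parked in the last day -> fires, flagged
    (NOW - timedelta(days=2), "cdn.example", "Technology", "dave"),
    (NOW - timedelta(hours=6), "cdn.example", "Technology", "dave"),
    (NOW - timedelta(hours=2), "cdn.example", "Parked", "dave"),
    # suspicious now but never benign in the baseline -> no alert
    (NOW - timedelta(hours=4), "new-thing.example", "Newly Registered Domain", "bob"),
    # benign throughout -> no recent suspicious row, no alert
    (NOW - timedelta(days=3), "news.example", "News/Media", "alice"),
    (NOW - timedelta(hours=1), "news.example", "News/Media", "alice"),
    # benign only inside the last day -> not in the baseline window, no alert
    (NOW - timedelta(hours=8), "fresh.example", "Shopping", "erin"),
    (NOW - timedelta(hours=1), "fresh.example", "Dynamic DNS Host", "erin"),
    # benign row older than queryPeriod (14d) -> outside the baseline, no alert
    (NOW - timedelta(days=20), "old.example", "Finance", "frank"),
    (NOW - timedelta(hours=2), "old.example", "Unknown", "frank"),
]


def detect_category_shift(events, now, baseline_days=14, recent_days=1):
    """Return alert rows for domains benign in [now-14d, now-1d] and suspicious
    in (now-1d, now], ordered like the KQL (UniqueUsers desc, RecentRequests desc)."""
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)

    baseline = defaultdict(lambda: {"categories": set(), "requests": 0})
    recent = defaultdict(lambda: {"categories": Counter(), "users": set(), "times": []})
    recent_benign = set()  # extra triage signal, not part of the original query

    for ts, domain, category, user in events:
        if not domain:  # isnotempty(domain_s)
            continue
        # KQL `between` is inclusive on both ends; `> ago(1d)` is strict.
        if baseline_start <= ts <= recent_start and category in BENIGN_CATEGORIES:
            baseline[domain]["categories"].add(category)
            baseline[domain]["requests"] += 1
        elif ts > recent_start:
            if category in SUSPICIOUS_CATEGORIES:
                recent[domain]["categories"][category] += 1
                recent[domain]["users"].add(user)
                recent[domain]["times"].append(ts)
            elif category in BENIGN_CATEGORIES:
                recent_benign.add(domain)

    rows = []
    for domain, r in recent.items():
        if domain not in baseline:  # join kind=inner on domain_s
            continue
        b = baseline[domain]
        rows.append({
            "domain_s": domain,
            "OldCategories": sorted(b["categories"])[:5],  # make_set(category_s, 5)
            # take_any() is arbitrary; the most frequent category is used here instead
            "NewCategory": r["categories"].most_common(1)[0][0],
            "OldRequests": b["requests"],
            "RecentRequests": sum(r["categories"].values()),
            "UniqueUsers": len(r["users"]),
            "UserList": sorted(r["users"])[:10],  # make_set(user_s, 10)
            "FirstSeen": min(r["times"]),
            "LastSeen": max(r["times"]),
            # True when the domain was also still rated benign in the last day,
            # i.e. mixed ratings rather than a clean recategorization
            "StillSeenBenign": domain in recent_benign,
        })
    rows.sort(key=lambda x: (-x["UniqueUsers"], -x["RecentRequests"]))
    return rows


if __name__ == "__main__":
    for row in detect_category_shift(SAMPLE_EVENTS, NOW):
        print(row["domain_s"], row["OldCategories"], "->", row["NewCategory"],
              "users:", row["UniqueUsers"], "mixed:", row["StillSeenBenign"])
```

On the sample rows only corp-partner.example and cdn.example fire; fresh.example does not, because its benign rating falls inside the recent day rather than the baseline window, and old.example does not, because its benign rating is older than the 14-day query period. The StillSeenBenign flag on cdn.example is the case to look at before treating the alert as a genuine recategorization.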

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Domain, Categories, Users, DNS

Operators

let, datatable, dynamic, union, isfuzzy, where, in, isnotempty, summarize, make_set, count, by, take_any, dcount, min, max, join, kind, on, project, order by
