Netskope - Category Shift Anomaly - Domain Recategorization
50 NK Category Shift Anomaly
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let SuspiciousCategories = dynamic([
"Uncategorized", "Unknown", "Newly Observed Domain",
"Newly Registered Domain", "Suspicious", "Parked",
"Dynamic DNS Host"]);
let BenignCategories = dynamic([
"Business", "Technology", "News/Media", "Education",
"Government", "Health", "Finance", "Shopping",
"Entertainment", "Reference", "Travel", "Sports"]);
// Baseline: domains seen with benign categories in older window
let BaselineDomains =
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated between (ago(14d) .. ago(1d))
| where category_s in (BenignCategories)
| where isnotempty(domain_s)
| summarize
OldCategories = make_set(category_s, 5),
OldRequests = count()
by domain_s;
// Recent: same domains now appearing with suspicious categories
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where category_s in (SuspiciousCategories)
| where isnotempty(domain_s)
| summarize
NewCategory = take_any(category_s),
RecentRequests = count(),
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by domain_s
| join kind=inner BaselineDomains on domain_s
| project
domain_s, OldCategories, NewCategory,
OldRequests, RecentRequests, UniqueUsers, UserList,
FirstSeen, LastSeen
| order by UniqueUsers desc, RecentRequests descExplanation
This query is designed to detect changes in the categorization of internet domains, specifically looking for domains that were previously considered safe but have recently been reclassified as suspicious or uncategorized. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify domains that have shifted from benign categories (like Business, Education, etc.) to suspicious categories (like Uncategorized, Suspicious, etc.). This can indicate potential security threats, such as compromised legitimate sites or newly registered domains being used for malicious purposes.
-
Data Source: It uses data from Netskope Web Transactions to analyze domain categorizations.
-
Time Frame: The query looks at domain categorizations over the past 14 days, comparing the last 13 days to the most recent day.
-
Process:
- Baseline: It first establishes a baseline by identifying domains that were categorized as benign in the older time window (13 days ago to 1 day ago).
- Recent Changes: It then checks if any of these domains have been reclassified into suspicious categories in the most recent day.
- Analysis: For domains that have shifted categories, it gathers additional information such as the number of requests, unique users accessing the domain, and the time range of these accesses.
-
Output: The query outputs a list of domains that have changed categories, along with details like the old and new categories, the number of users affected, and the time of first and last detection.
-
Alerting: If such a shift is detected, an alert is generated with details about the domain and the nature of the category shift. This alert can be used to create an incident for further investigation.
-
Severity and Tactics: The severity of the alert is set to medium, and it aligns with specific MITRE ATT&CK tactics related to resource development and infrastructure compromise.
Overall, this query helps security teams monitor domain categorizations for potential threats and take action if a domain's classification changes in a way that could indicate malicious activity.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: P1D
Period: P14D