Query Details

Netskope - Category Shift Anomaly - Domain Recategorization

50 NK Category Shift Anomaly

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let SuspiciousCategories = dynamic([
    "Uncategorized", "Unknown", "Newly Observed Domain",
    "Newly Registered Domain", "Suspicious", "Parked",
    "Dynamic DNS Host"]);
let BenignCategories = dynamic([
    "Business", "Technology", "News/Media", "Education",
    "Government", "Health", "Finance", "Shopping",
    "Entertainment", "Reference", "Travel", "Sports"]);
// Baseline: domains seen with benign categories in older window
let BaselineDomains =
    union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
    | where TimeGenerated between (ago(14d) .. ago(1d))
    | where category_s in (BenignCategories)
    | where isnotempty(domain_s)
    | summarize
        OldCategories = make_set(category_s, 5),
        OldRequests   = count()
      by domain_s;
// Recent: same domains now appearing with suspicious categories
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where category_s in (SuspiciousCategories)
| where isnotempty(domain_s)
| summarize
    NewCategory      = take_any(category_s),
    RecentRequests   = count(),
    UniqueUsers      = dcount(user_s),
    UserList         = make_set(user_s, 10),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by domain_s
| join kind=inner BaselineDomains on domain_s
| project
    domain_s, OldCategories, NewCategory,
    OldRequests, RecentRequests, UniqueUsers, UserList,
    FirstSeen, LastSeen
| order by UniqueUsers desc, RecentRequests desc

Explanation

This query is designed to detect changes in the categorization of internet domains, specifically looking for domains that were previously considered safe but have recently been reclassified as suspicious or uncategorized. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify domains that have shifted from benign categories (like Business, Education, etc.) to suspicious categories (like Uncategorized, Suspicious, etc.). This can indicate potential security threats, such as compromised legitimate sites or newly registered domains being used for malicious purposes.

  2. Data Source: It uses data from Netskope Web Transactions to analyze domain categorizations.

  3. Time Frame: The query looks at domain categorizations over the past 14 days, comparing the last 13 days to the most recent day.

  4. Process:

    • Baseline: It first establishes a baseline by identifying domains that were categorized as benign in the older time window (13 days ago to 1 day ago).
    • Recent Changes: It then checks if any of these domains have been reclassified into suspicious categories in the most recent day.
    • Analysis: For domains that have shifted categories, it gathers additional information such as the number of requests, unique users accessing the domain, and the time range of these accesses.
  5. Output: The query outputs a list of domains that have changed categories, along with details like the old and new categories, the number of users affected, and the time of first and last detection.

  6. Alerting: If such a shift is detected, an alert is generated with details about the domain and the nature of the category shift. This alert can be used to create an incident for further investigation.

  7. Severity and Tactics: The severity of the alert is set to medium, and it aligns with specific MITRE ATT&CK tactics related to resource development and infrastructure compromise.

Overall, this query helps security teams monitor domain categorizations for potential threats and take action if a domain's classification changes in a way that could indicate malicious activity.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeDomainCategoriesUsersDNS

Operators

letdatatabledynamicunionisfuzzywhereinisnotemptysummarizemake_setcountbytake_anydcountminmaxjoinkindonprojectorder by

Severity

Medium

Tactics

ResourceDevelopment

MITRE Techniques

Frequency: P1D

Period: P14D

Actions

GitHub