Query Details

55 NK BI Off Hours High Volume Activity

Query

id: 4d5e6f7a-8b9c-4d0e-1f2a-3b4c5d6e7f81
name: "Netskope (Built-in) - Off-Hours High-Volume Web Activity"
version: 1.0.0
kind: Scheduled
description: |
  Detects users generating unusually high web traffic during off-business hours
  (evenings 20:00-06:00 and weekends). Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1029 (Scheduled Transfer), T1567 (Exfiltration Over Web Service)
severity: Medium
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1029
  - T1567
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s)
  | where action_s !in ("block", "Block", "blocked", "Blocked")
  | extend
      HourOfDay  = hourofday(TimeGenerated),
      DayOfWeek  = dayofweek(TimeGenerated)
  | where (HourOfDay >= 20 or HourOfDay < 6)
      or (DayOfWeek == 6d or DayOfWeek == 0d)
  | summarize
      RequestCount    = count(),
      TotalMBUploaded = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
      TotalMBDownload = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
      UniqueDomains   = dcount(domain_s),
      TopDomains      = make_set(domain_s, 10),
      TopApps         = make_set(app_s, 10),
      SourceIPs       = make_set(srcip_s, 5),
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated)
    by user_s
  | where TotalMBUploaded > 100 or TotalMBDownload > 500 or RequestCount > 5000
  | order by TotalMBUploaded desc, RequestCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  RequestCount: RequestCount
  TotalMBUploaded: TotalMBUploaded
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI Off-Hours Activity - {{user_s}} ({{RequestCount}} requests)"
  alertDescriptionFormat: "User {{user_s}} generated {{RequestCount}} requests with {{TotalMBUploaded}} MB uploaded during off-hours."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect users who generate unusually high web traffic during off-business hours, which are defined as evenings (8 PM to 6 AM) and weekends. It uses data from the NetskopeEvents_CL table and is scheduled to run every hour, analyzing data from the past day.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses the NetskopeEvents_CL table to gather web activity data.

  2. Time Frame: It looks at data from the last 24 hours.

  3. User Activity: It filters out any records where the user field is empty and excludes actions that are blocked.

  4. Off-Hours Definition: It identifies off-hours as weekdays from 8 PM to 6 AM and all day on weekends.

  5. Activity Analysis: For each user, it calculates:

    • The total number of requests made.
    • The total megabytes uploaded and downloaded.
    • The number of unique domains accessed.
    • The top domains and applications used.
    • The source IP addresses involved.
    • The first and last time the activity was seen.

  6. Alert Criteria: It flags users who have uploaded more than 100 MB, downloaded more than 500 MB, or made more than 5000 requests during these off-hours.

  7. Alert Details: If a user meets these criteria, an alert is generated with details like the user's name, the number of requests, and the amount of data uploaded.

  8. Incident Management: It creates an incident for each alert, grouping them by user account if multiple alerts are related.

The query helps identify potential security risks by flagging unusual web activity during times when employees are typically not working, which could indicate unauthorized data transfers or other suspicious behavior.
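To test the rule's thresholds and off-hours window outside Log Analytics, here is an added Python re-implementation of the same filtering and per-user aggregation (example code, not part of the original rule or of Netskope's connector); the event dictionaries, user names and domains are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Thresholds and unit mirror the rule: >100 MB uploaded, >500 MB downloaded, or >5000 requests.
MB = 1048576
UPLOAD_MB, DOWNLOAD_MB, REQUESTS = 100, 500, 5000
BLOCKED = {"block", "blocked"}  # the rule's !in list, compared case-insensitively here

def is_off_hours(ts: datetime) -> bool:
    """20:00-06:00 on any day, plus all of Saturday and Sunday (rule semantics).
    KQL dayofweek() returns 0d for Sunday; Python weekday() returns 0 for Monday,
    so the weekend test is written against Python's convention."""
    return ts.hour >= 20 or ts.hour < 6 or ts.weekday() >= 5

def summarize_off_hours(events):
    """Per-user aggregation equivalent to the rule's summarize ... by user_s."""
    per_user = defaultdict(lambda: {"RequestCount": 0, "UpBytes": 0.0,
                                    "DownBytes": 0.0, "Domains": set()})
    for e in events:
        if not e.get("user_s"):                              # isnotempty(user_s)
            continue
        if (e.get("action_s") or "").lower() in BLOCKED:     # action_s !in (...)
            continue
        if not is_off_hours(e["TimeGenerated"]):
            continue
        u = per_user[e["user_s"]]
        u["RequestCount"] += 1
        u["UpBytes"] += float(e.get("bytes_uploaded_d") or 0)
        u["DownBytes"] += float(e.get("bytes_downloaded_d") or 0)
        u["Domains"].add(e.get("domain_s"))
    flagged = {}
    for user, u in per_user.items():
        up_mb, down_mb = round(u["UpBytes"] / MB, 2), round(u["DownBytes"] / MB, 2)
        if up_mb > UPLOAD_MB or down_mb > DOWNLOAD_MB or u["RequestCount"] > REQUESTS:
            flagged[user] = {"RequestCount": u["RequestCount"], "TotalMBUploaded": up_mb,
                             "TotalMBDownload": down_mb, "UniqueDomains": len(u["Domains"])}
    return flagged

# Constructed sample events (not real data). 2026-04-18 is a Saturday, 2026-04-15 a Wednesday.
def _ev(ts, user, action, domain, up=0, down=0):
    return {"TimeGenerated": ts, "user_s": user, "action_s": action, "domain_s": domain,
            "bytes_uploaded_d": up * MB, "bytes_downloaded_d": down * MB}

SAMPLE_EVENTS = [
    _ev(datetime(2026, 4, 18, 14, 0, tzinfo=timezone.utc), "alice@example.com", "allow", "share.example.net", up=160),
    _ev(datetime(2026, 4, 15, 22, 30, tzinfo=timezone.utc), "bob@example.com", "Blocked", "drop.example.org", up=900),
    _ev(datetime(2026, 4, 15, 6, 0, tzinfo=timezone.utc), "carol@example.com", "allow", "cdn.example.com", down=800),
    _ev(datetime(2026, 4, 15, 5, 59, tzinfo=timezone.utc), "dave@example.com", "allow", "cdn.example.com", down=800),
    _ev(datetime(2026, 4, 15, 23, 0, tzinfo=timezone.utc), "", "allow", "x.example.com", up=500),
]
```

Running `summarize_off_hours(SAMPLE_EVENTS)` flags alice (weekend upload) and dave (05:59, one minute inside the window) while carol at exactly 06:00, the blocked bob and the empty user are dropped. Note that TimeGenerated is stored in UTC, so the rule's 20:00-06:00 window is a UTC window unless the query shifts it to the business time zone.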

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope, Events, Web Traffic, Users, Accounts, Domains, Applications, Source IPs

Operators

let, datatable, union, isfuzzy, where, ago, isnotempty, !in, extend, hourofday, dayofweek, summarize, count, round, sum, todouble, dcount, make_set, min, max, by, order by, desc
