Query Details

Netskope (Built-in) - Off-Hours High-Volume Web Activity

55 NK BI Off Hours High Volume Activity

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| extend
    HourOfDay  = hourofday(TimeGenerated),
    DayOfWeek  = dayofweek(TimeGenerated)
| where (HourOfDay >= 20 or HourOfDay < 6)
    or (DayOfWeek == 6d or DayOfWeek == 0d)
| summarize
    RequestCount    = count(),
    TotalMBUploaded = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
    TotalMBDownload = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
    UniqueDomains   = dcount(domain_s),
    TopDomains      = make_set(domain_s, 10),
    TopApps         = make_set(app_s, 10),
    SourceIPs       = make_set(srcip_s, 5),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
  by user_s
| where TotalMBUploaded > 100 or TotalMBDownload > 500 or RequestCount > 5000
| order by TotalMBUploaded desc, RequestCount desc

Explanation

This query is designed to detect users who generate unusually high web traffic during off-business hours, which are defined as evenings (8 PM to 6 AM) and weekends. It uses data from the NetskopeEvents_CL table and is scheduled to run every hour, analyzing data from the past day.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses the NetskopeEvents_CL table to gather web activity data.

  2. Time Frame: It looks at data from the last 24 hours.

  3. User Activity: It filters out any records where the user field is empty and excludes actions that are blocked.

  4. Off-Hours Definition: It identifies off-hours as weekdays from 8 PM to 6 AM and all day on weekends.

  5. Activity Analysis: For each user, it calculates:

    • The total number of requests made.
    • The total megabytes uploaded and downloaded.
    • The number of unique domains accessed.
    • The top domains and applications used.
    • The source IP addresses involved.
    • The first and last time the activity was seen.
  6. Alert Criteria: It flags users who have uploaded more than 100 MB, downloaded more than 500 MB, or made more than 5000 requests during these off-hours.

  7. Alert Details: If a user meets these criteria, an alert is generated with details like the user's name, the number of requests, and the amount of data uploaded.

  8. Incident Management: It creates an incident for each alert, grouping them by user account if multiple alerts are related.

The query helps identify potential security risks by flagging unusual web activity during times when employees are typically not working, which could indicate unauthorized data transfers or other suspicious behavior.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsWebTrafficUsersAccountsDomainsApplicationsSourceIPs

Operators

letdatatableunionisfuzzywhereagoisnotempty!inextendhourofdaydayofweeksummarizecountroundsumtodoubledcountmake_setminmaxbyorder bydesc

Severity

Medium

Tactics

Exfiltration

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub