Query Details

56 NK BI Multi User Phishing Campaign

Query

id: 5e6f7a8b-9c0d-4e1f-2a3b-4c5d6e7f8a92
name: "Netskope (Built-in) - Multi-User Phishing Campaign Detection"
version: 1.0.0
kind: Scheduled
description: |
  Detects multiple users accessing the same phishing domain within a short window,
  indicating an active phishing campaign. Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1566 (Phishing), T1566.002 (Spearphishing Link)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let PhishingCategories = dynamic([
      "Phishing", "Phishing and Other Frauds", "Newly Observed Domain",
      "Newly Registered Domain", "Suspicious", "Malware"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where category_s in (PhishingCategories)
      or severity_s in ("high", "critical")
  | where isnotempty(user_s) and isnotempty(domain_s)
  | summarize
      UniqueUsers      = dcount(user_s),
      UserList         = make_set(user_s, 30),
      TotalRequests    = count(),
      Blocked          = countif(action_s in ("block", "Block", "blocked", "Blocked")),
      Allowed          = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
      Categories       = make_set(category_s, 5),
      URLSamples       = make_set(url_s, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by domain_s
  | where UniqueUsers >= 3
  | extend CampaignDuration = datetime_diff('minute', LastSeen, FirstSeen)
  | order by UniqueUsers desc, TotalRequests desc
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
customDetails:
  UniqueUsers: UniqueUsers
  Allowed: Allowed
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI Phishing Campaign - {{domain_s}} ({{UniqueUsers}} users)"
  alertDescriptionFormat: "{{UniqueUsers}} users accessed phishing domain {{domain_s}} with {{Allowed}} allowed requests."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - DNS
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential phishing campaigns by identifying multiple users accessing the same suspicious domain within a short time frame. Here's a simplified breakdown:

  1. Purpose: The query aims to identify phishing campaigns by detecting when multiple users (at least three) access the same phishing-related domain within a day.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which logs various network events.

  3. Phishing Indicators: The query looks for events categorized under phishing-related terms or with high/critical severity.

  4. User and Domain Filtering: It keeps only events where both the user and domain fields are populated, so anonymous or domainless records cannot inflate the per-domain counts.

  5. Aggregation: For each domain, it calculates:

    • The number of unique users accessing it.
    • A list of these users.
    • Total requests made.
    • Requests that were blocked or allowed.
    • Categories and URL samples associated with the domain.
    • The first and last time the domain was accessed.

  6. Campaign Detection: It only considers domains accessed by three or more users and calculates the duration of the campaign.

  7. Alerting: If a potential phishing campaign is detected, it creates an alert with details like the domain name, number of users, and allowed requests.

  8. Incident Management: The query is set to create incidents for detected campaigns, with a grouping configuration to manage related alerts efficiently.

Overall, this query helps in early detection of phishing campaigns by monitoring user access patterns to suspicious domains.
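To make the filter-and-summarize logic above concrete, here is an added Python reimplementation of the rule's core (not code from the original page or from Netskope/Sentinel) run over a few constructed NetskopeEvents_CL-shaped rows; the domains, users and timestamps are invented, and the column names mirror the ones the KQL reads.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like the NetskopeEvents_CL columns the rule reads.
# Tuple layout: minutes after 09:00, user_s, domain_s, category_s, severity_s, action_s.
BASE = datetime(2026, 4, 16, 9, 0)
RAW = [
    (0,  "alice@example.com", "invoice-portal.example", "Phishing",   "high", "allow"),
    (4,  "bob@example.com",   "invoice-portal.example", "Phishing",   "high", "block"),
    (11, "carol@example.com", "invoice-portal.example", "Phishing",   "high", "allow"),
    (12, "carol@example.com", "invoice-portal.example", "Phishing",   "high", "allow"),
    (20, "dave@example.com",  "cdn.example",            "Suspicious", "low",  "allow"),
    (25, "erin@example.com",  "cdn.example",            "Suspicious", "low",  "allow"),
    (30, "",                  "cdn.example",            "Suspicious", "low",  "allow"),  # empty user: dropped
    (40, "frank@example.com", "news.example",           "News",       "low",  "allow"),  # not suspicious: dropped
]
EVENTS = [dict(TimeGenerated=BASE + timedelta(minutes=m), user_s=u, domain_s=d,
               category_s=c, severity_s=s, action_s=a) for m, u, d, c, s, a in RAW]
PHISHING_CATEGORIES = {"Phishing", "Phishing and Other Frauds", "Newly Observed Domain",
                       "Newly Registered Domain", "Suspicious", "Malware"}
BLOCK_ACTIONS = {"block", "Block", "blocked", "Blocked"}  # same spellings as the KQL countif

def detect_campaigns(events, min_users=3):
    """Mirror the rule's where/summarize/threshold: one record per domain hit by >= min_users."""
    by_domain = defaultdict(list)
    for e in events:
        suspicious = e["category_s"] in PHISHING_CATEGORIES or e["severity_s"] in ("high", "critical")
        if not suspicious or not e["user_s"] or not e["domain_s"]:  # isnotempty(user_s/domain_s)
            continue
        by_domain[e["domain_s"]].append(e)
    results = []
    for domain, rows in by_domain.items():
        users = sorted({r["user_s"] for r in rows})  # dcount(user_s); sorted for determinism
        if len(users) < min_users:                   # UniqueUsers >= 3
            continue
        blocked = sum(r["action_s"] in BLOCK_ACTIONS for r in rows)
        first, last = min(r["TimeGenerated"] for r in rows), max(r["TimeGenerated"] for r in rows)
        results.append({"domain_s": domain, "UniqueUsers": len(users), "UserList": users[:30],
                        "TotalRequests": len(rows), "Blocked": blocked, "Allowed": len(rows) - blocked,
                        "Categories": sorted({r["category_s"] for r in rows})[:5],
                        "FirstSeen": first, "LastSeen": last,
                        "CampaignDuration": int((last - first).total_seconds() // 60)})  # minutes
    results.sort(key=lambda r: (-r["UniqueUsers"], -r["TotalRequests"]))  # order by ... desc
    return results

if __name__ == "__main__":
    for hit in detect_campaigns(EVENTS):
        print(f"{hit['domain_s']}: {hit['UniqueUsers']} users, {hit['Allowed']} allowed, "
              f"{hit['Blocked']} blocked, {hit['CampaignDuration']} min")
```

With the sample rows only invoice-portal.example clears the three-user threshold; cdn.example stays below it because the row with an empty user_s is discarded before counting.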

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope, Events, Devices, Users, Domain, DNS, Phishing, Campaign

Operators

let, datatable, dynamic, union, isfuzzy, ago, in, or, isnotempty, summarize, dcount, make_set, count, countif, min, max, by, extend, datetime_diff, order by, desc