Query Details

Netskope (Built-in) - Multi-User Phishing Campaign Detection

56 NK BI Multi User Phishing Campaign

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let PhishingCategories = dynamic([
    "Phishing", "Phishing and Other Frauds", "Newly Observed Domain",
    "Newly Registered Domain", "Suspicious", "Malware"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where category_s in (PhishingCategories)
    or severity_s in ("high", "critical")
| where isnotempty(user_s) and isnotempty(domain_s)
| summarize
    UniqueUsers      = dcount(user_s),
    UserList         = make_set(user_s, 30),
    TotalRequests    = count(),
    Blocked          = countif(action_s in ("block", "Block", "blocked", "Blocked")),
    Allowed          = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
    Categories       = make_set(category_s, 5),
    URLSamples       = make_set(url_s, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by domain_s
| where UniqueUsers >= 3
| extend CampaignDuration = datetime_diff('minute', LastSeen, FirstSeen)
| order by UniqueUsers desc, TotalRequests desc

Explanation

This query is designed to detect potential phishing campaigns by identifying multiple users accessing the same suspicious domain within a short time frame. Here's a simplified breakdown:

  1. Purpose: The query aims to identify phishing campaigns by detecting when multiple users (at least three) access the same phishing-related domain within a day.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which logs various network events.

  3. Phishing Indicators: The query looks for events categorized under phishing-related terms or with high/critical severity.

  4. User and Domain Filtering: It filters out events where both the user and domain fields are not empty.

  5. Aggregation: For each domain, it calculates:

    • The number of unique users accessing it.
    • A list of these users.
    • Total requests made.
    • Requests that were blocked or allowed.
    • Categories and URL samples associated with the domain.
    • The first and last time the domain was accessed.
  6. Campaign Detection: It only considers domains accessed by three or more users and calculates the duration of the campaign.

  7. Alerting: If a potential phishing campaign is detected, it creates an alert with details like the domain name, number of users, and allowed requests.

  8. Incident Management: The query is set to create incidents for detected campaigns, with a grouping configuration to manage related alerts efficiently.

Overall, this query helps in early detection of phishing campaigns by monitoring user access patterns to suspicious domains.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsDevicesUsersDomainDNSPhishingCampaign

Operators

letdatatabledynamicunionisfuzzyagoinorisnotemptysummarizedcountmake_setcountcountifminmaxbyextenddatetime_difforder bydesc

Severity

High

Tactics

InitialAccess

MITRE Techniques

Frequency: PT15M

Period: P1D

Actions

GitHub