Netskope (Built-in) - Multi-User Phishing Campaign Detection
56 NK BI Multi User Phishing Campaign
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let PhishingCategories = dynamic([
"Phishing", "Phishing and Other Frauds", "Newly Observed Domain",
"Newly Registered Domain", "Suspicious", "Malware"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where category_s in (PhishingCategories)
or severity_s in ("high", "critical")
| where isnotempty(user_s) and isnotempty(domain_s)
| summarize
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 30),
TotalRequests = count(),
Blocked = countif(action_s in ("block", "Block", "blocked", "Blocked")),
Allowed = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
Categories = make_set(category_s, 5),
URLSamples = make_set(url_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by domain_s
| where UniqueUsers >= 3
| extend CampaignDuration = datetime_diff('minute', LastSeen, FirstSeen)
| order by UniqueUsers desc, TotalRequests descExplanation
This query is designed to detect potential phishing campaigns by identifying multiple users accessing the same suspicious domain within a short time frame. Here's a simplified breakdown:
-
Purpose: The query aims to identify phishing campaigns by detecting when multiple users (at least three) access the same phishing-related domain within a day.
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which logs various network events. -
Phishing Indicators: The query looks for events categorized under phishing-related terms or with high/critical severity.
-
User and Domain Filtering: It filters out events where both the user and domain fields are not empty.
-
Aggregation: For each domain, it calculates:
- The number of unique users accessing it.
- A list of these users.
- Total requests made.
- Requests that were blocked or allowed.
- Categories and URL samples associated with the domain.
- The first and last time the domain was accessed.
-
Campaign Detection: It only considers domains accessed by three or more users and calculates the duration of the campaign.
-
Alerting: If a potential phishing campaign is detected, it creates an alert with details like the domain name, number of users, and allowed requests.
-
Incident Management: The query is set to create incidents for detected campaigns, with a grouping configuration to manage related alerts efficiently.
Overall, this query helps in early detection of phishing campaigns by monitoring user access patterns to suspicious domains.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: P1D