Query Details

Netskope (Built-in) - User Visibility Loss - No Traffic Detected

60 NK BI Visibility Loss No Traffic

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let baselineWindow = 7d;
let recentWindow   = 4h;
let minBaselineReqsPerDay = 20;
let BaselineUsers =
    union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | where isnotempty(user_s)
    | summarize
        BaselineReqPerDay = round(toreal(count()) / (baselineWindow / 1d), 1),
        BaselineApps           = make_set(app_s, 10),
        BaselineIPs            = make_set(srcip_s, 5)
      by user_s
    | where BaselineReqPerDay >= minBaselineReqsPerDay;
let RecentActiveUsers =
    union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
    | where TimeGenerated > ago(recentWindow)
    | where isnotempty(user_s)
    | distinct user_s;
BaselineUsers
| join kind=leftanti RecentActiveUsers on user_s
| project
    user_s, BaselineReqPerDay, BaselineApps, BaselineIPs
| order by BaselineReqPerDay desc

Explanation

This query is designed to detect users who typically have consistent activity but suddenly stop generating traffic through Netskope, which could indicate a potential issue such as bypassing the client, disabling it, or a compromise of credentials. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses data from the NetskopeEvents_CL table, which logs Netskope-related events.

  2. Detection Logic:

    • Baseline Calculation: It calculates a baseline of activity for each user over the past 7 days. A user must have at least 20 requests per day to be considered active.
    • Recent Activity Check: It checks for users who have not generated any traffic in the last 4 hours.
    • Comparison: It identifies users who had consistent activity in the past but have no recent activity.
  3. Output:

    • The query outputs a list of users who meet the criteria, including their baseline request rate, applications used, and IP addresses.
  4. Alerting:

    • If any users are detected, an alert is generated with details about the user and their baseline activity.
    • The alert is configured to create an incident if triggered, with specific grouping settings to manage incidents efficiently.
  5. Severity and Techniques:

    • The severity of the alert is set to "Medium."
    • It is associated with MITRE ATT&CK techniques related to defense evasion, specifically impairing defenses or disabling tools.

Overall, this query helps identify potential security issues by flagging users who suddenly stop generating expected traffic, which could be a sign of malicious activity or a technical issue.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsUserTrafficAccountAlertIncident

Operators

datatableletunionisfuzzywhereisnotemptysummarizeroundtorealcountmake_setbydistinctjoinkindleftantionprojectorder bydesc

Severity

Medium

Tactics

DefenseEvasion

MITRE Techniques

Frequency: PT4H

Period: P7D

Actions

GitHub