Netskope (Built-in) - User Visibility Loss - No Traffic Detected
60 NK BI Visibility Loss No Traffic
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let baselineWindow = 7d;
let recentWindow = 4h;
let minBaselineReqsPerDay = 20;
let BaselineUsers =
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
| where isnotempty(user_s)
| summarize
BaselineReqPerDay = round(toreal(count()) / (baselineWindow / 1d), 1),
BaselineApps = make_set(app_s, 10),
BaselineIPs = make_set(srcip_s, 5)
by user_s
| where BaselineReqPerDay >= minBaselineReqsPerDay;
let RecentActiveUsers =
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(recentWindow)
| where isnotempty(user_s)
| distinct user_s;
BaselineUsers
| join kind=leftanti RecentActiveUsers on user_s
| project
user_s, BaselineReqPerDay, BaselineApps, BaselineIPs
| order by BaselineReqPerDay descExplanation
This query is designed to detect users who typically have consistent activity but suddenly stop generating traffic through Netskope, which could indicate a potential issue such as bypassing the client, disabling it, or a compromise of credentials. Here's a simplified breakdown of what the query does:
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which logs Netskope-related events. -
Detection Logic:
- Baseline Calculation: It calculates a baseline of activity for each user over the past 7 days. A user must have at least 20 requests per day to be considered active.
- Recent Activity Check: It checks for users who have not generated any traffic in the last 4 hours.
- Comparison: It identifies users who had consistent activity in the past but have no recent activity.
-
Output:
- The query outputs a list of users who meet the criteria, including their baseline request rate, applications used, and IP addresses.
-
Alerting:
- If any users are detected, an alert is generated with details about the user and their baseline activity.
- The alert is configured to create an incident if triggered, with specific grouping settings to manage incidents efficiently.
-
Severity and Techniques:
- The severity of the alert is set to "Medium."
- It is associated with MITRE ATT&CK techniques related to defense evasion, specifically impairing defenses or disabling tools.
Overall, this query helps identify potential security issues by flagging users who suddenly stop generating expected traffic, which could be a sign of malicious activity or a technical issue.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT4H
Period: P7D