Query Details

63 NK BI Low Slow Exfiltration

Query

id: 2f3a4b5c-6d7e-4f8a-9b0c-1d2e3f4a5b69
name: "Netskope (Built-in) - Low & Slow Multi-Channel Exfiltration"
version: 1.0.0
kind: Scheduled
description: |
  Detects exfiltration spread across cloud services over 7 days using Z-score
  peer-group deviation analysis. Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1041 (Exfiltration Over C2 Channel), T1567.002 (Exfiltration to Cloud Storage)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: P1D
queryPeriod: P7D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - Collection
relevantTechniques:
  - T1041
  - T1567
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let HuntWindow = 7d;
  let ExfilCategories = dynamic([
      "Cloud Storage", "File Sharing", "Online Storage and Backup",
      "Personal Sites & Blogs", "Webmail", "Social Networking"]);
  let Daily =
      union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
      | where TimeGenerated > ago(HuntWindow)
      | where action_s !in ("block", "Block", "blocked", "Blocked")
      | where isnotempty(user_s)
      | where category_s in (ExfilCategories) or activity_s == "Upload"
      | summarize
          DaySentBytes    = sum(todouble(bytes_uploaded_d)),
          DayRequestCount = count(),
          DayDestCount    = dcount(domain_s)
        by user_s, Day = bin(TimeGenerated, 1d);
  let Users =
      Daily
      | summarize
          TotalMBSent   = round(toreal(sum(DaySentBytes)) / 1048576, 2),
          ActiveDays    = dcount(Day),
          TotalRequests = sum(DayRequestCount),
          UniqueDestCnt = sum(DayDestCount)
        by user_s;
  let globalAvg = toscalar(Users | summarize avg(TotalMBSent));
  let globalStd = toscalar(Users | summarize stdev(TotalMBSent));
  Users
  | extend
      Zscore = iff(globalStd > 0,
                   round((TotalMBSent - globalAvg) / globalStd, 2),
                   0.0)
  | where Zscore >= 3.0
      or (ActiveDays >= 5 and TotalMBSent > 100)
  | project
      user_s,
      TotalMBSent, ActiveDays, TotalRequests, UniqueDestCnt,
      Zscore
  | order by Zscore desc, TotalMBSent desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  TotalMBSent: TotalMBSent
  Zscore: Zscore
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI Exfil - {{user_s}} (Z={{Zscore}}, {{TotalMBSent}} MB)"
  alertDescriptionFormat: "User {{user_s}} uploaded {{TotalMBSent}} MB across {{ActiveDays}} days. Z-score: {{Zscore}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: P1D
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious data exfiltration activities over a period of seven days using cloud services. It leverages a statistical method called Z-score to identify anomalies in user behavior. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify users who might be exfiltrating data slowly and discreetly across multiple cloud services over a week.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which logs events related to cloud service usage.

  3. Detection Method:

    • It keeps allowed (non-blocked) events that have a user and that either fall under "Cloud Storage," "File Sharing," and the other listed categories or are "Upload" activities in any category.
    • It aggregates per user and per day, then totals the megabytes (MB) of data uploaded by each user over the window, the number of active days, the total number of requests, and the number of unique destinations (the sum of each day's distinct domains).
    • It computes a Z-score for each user: the user's total MB minus the average total across all users, divided by the standard deviation of those totals. A Z-score of 3 or more indicates significant deviation; if the standard deviation is zero the Z-score is set to 0.

  4. Alert Criteria:

    • Users with a Z-score of 3 or higher are flagged.
    • Users who have uploaded more than 100 MB over at least 5 active days are also flagged, which catches steady senders the peer-group statistic alone would miss.

  5. Output:

    • The query lists users with their total data uploaded, active days, total requests, unique destinations, and Z-score, ordered by Z-score and then total MB.
    • Alerts are generated for these users, with details on their data upload behavior.

  6. Incident Management:

    • An incident is created for each alert, and similar incidents are grouped by user account for easier management.

Overall, this query helps in identifying potential data exfiltration activities by analyzing user behavior patterns and highlighting significant deviations from the norm.
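The same detection logic re-implemented in Python as an added example (not part of the rule or the Netskope connector) so the peer-group Z-score and the "5 days / 100 MB" fallback can be exercised offline; the event records, user names and domains are constructed for this example, and the Z-score uses the sample standard deviation to match KQL's stdev().

```python
import statistics
from collections import defaultdict

MB = 1048576.0
EXFIL_CATEGORIES = {"Cloud Storage", "File Sharing", "Online Storage and Backup",
                    "Personal Sites & Blogs", "Webmail", "Social Networking"}
BLOCKED = {"block", "Block", "blocked", "Blocked"}

def is_candidate(ev):
    """Mirror the KQL where-clauses: not blocked, has a user, exfil category or an Upload."""
    return (ev["action"] not in BLOCKED and ev["user"]
            and (ev["category"] in EXFIL_CATEGORIES or ev["activity"] == "Upload"))

def detect(events, z_threshold=3.0, min_days=5, min_mb=100.0):
    """Return {user: (TotalMBSent, ActiveDays, TotalRequests, UniqueDestCnt, Zscore)}
    for users meeting either alert criterion, ordered like the rule's output."""
    # Stage 1 (the KQL 'Daily' table): per user/day sum of bytes, request count, distinct domains.
    daily = defaultdict(lambda: {"bytes": 0.0, "reqs": 0, "domains": set()})
    for ev in filter(is_candidate, events):
        d = daily[(ev["user"], ev["day"])]
        d["bytes"] += ev["bytes_uploaded"]; d["reqs"] += 1; d["domains"].add(ev["domain"])
    # Stage 2 (the 'Users' table): totals over the window; UniqueDestCnt sums the daily dcounts.
    users = defaultdict(lambda: {"mb": 0.0, "days": 0, "reqs": 0, "dests": 0})
    for (user, _day), d in daily.items():
        u = users[user]
        u["mb"] += d["bytes"] / MB; u["days"] += 1; u["reqs"] += d["reqs"]; u["dests"] += len(d["domains"])
    for u in users.values():
        u["mb"] = round(u["mb"], 2)
    # Stage 3: peer-group Z-score against all users in the window (sample stdev, like KQL).
    totals = [u["mb"] for u in users.values()]
    avg = statistics.mean(totals) if totals else 0.0
    std = statistics.stdev(totals) if len(totals) > 1 else 0.0
    out = {}
    for user, u in users.items():
        z = round((u["mb"] - avg) / std, 2) if std > 0 else 0.0
        if z >= z_threshold or (u["days"] >= min_days and u["mb"] > min_mb):
            out[user] = (u["mb"], u["days"], u["reqs"], u["dests"], z)
    return dict(sorted(out.items(), key=lambda kv: (-kv[1][4], -kv[1][0])))

def make_event(user, day, mb, category="Cloud Storage", activity="Upload",
               action="allow", domain="drive.example.com"):
    return {"user": user, "day": day, "bytes_uploaded": mb * MB, "category": category,
            "activity": activity, "action": action, "domain": domain}

# Constructed sample: 11 quiet peers (2 MB once), one "slow" user (25 MB/day on 5 days),
# one "heavy" user (300 MB in one day), plus a blocked upload and a download that must be ignored.
SAMPLE_EVENTS = [make_event(f"peer{i}@example.com", 1, 2.0) for i in range(11)]
SAMPLE_EVENTS += [make_event("slow@example.com", d, 25.0, domain=f"site{d}.example.net") for d in range(1, 6)]
SAMPLE_EVENTS += [make_event("heavy@example.com", 3, 300.0, category="File Sharing")]
SAMPLE_EVENTS += [make_event("peer0@example.com", 2, 500.0, action="Blocked"),
                  make_event("peer1@example.com", 2, 500.0, category="Collaboration", activity="Download")]
```

With fewer than about a dozen users in the window no one can reach a Z-score of 3, which is why the fallback criterion matters on small tenants.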

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope Events, Cloud Storage, File Sharing, Online Storage Backup, Personal Sites Blogs, Webmail, Social Networking, User Account

Operators

let, datatable, union, isfuzzy, ago, in, isnotempty, summarize, sum, todouble, count, dcount, bin, round, toreal, toscalar, avg, stdev, extend, iff, project, order by, desc