Netskope (Built-in) - Low & Slow Multi-Channel Exfiltration
63 NK BI Low Slow Exfiltration
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let HuntWindow = 7d;
let ExfilCategories = dynamic([
"Cloud Storage", "File Sharing", "Online Storage and Backup",
"Personal Sites & Blogs", "Webmail", "Social Networking"]);
let Daily =
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(HuntWindow)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where isnotempty(user_s)
| where category_s in (ExfilCategories) or activity_s == "Upload"
| summarize
DaySentBytes = sum(todouble(bytes_uploaded_d)),
DayRequestCount = count(),
DayDestCount = dcount(domain_s)
by user_s, Day = bin(TimeGenerated, 1d);
let Users =
Daily
| summarize
TotalMBSent = round(toreal(sum(DaySentBytes)) / 1048576, 2),
ActiveDays = dcount(Day),
TotalRequests = sum(DayRequestCount),
UniqueDestCnt = sum(DayDestCount)
by user_s;
let globalAvg = toscalar(Users | summarize avg(TotalMBSent));
let globalStd = toscalar(Users | summarize stdev(TotalMBSent));
Users
| extend
Zscore = iff(globalStd > 0,
round((TotalMBSent - globalAvg) / globalStd, 2),
0.0)
| where Zscore >= 3.0
or (ActiveDays >= 5 and TotalMBSent > 100)
| project
user_s,
TotalMBSent, ActiveDays, TotalRequests, UniqueDestCnt,
Zscore
| order by Zscore desc, TotalMBSent descExplanation
This query is designed to detect suspicious data exfiltration activities over a period of seven days using cloud services. It leverages a statistical method called Z-score to identify anomalies in user behavior. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify users who might be exfiltrating data slowly and discreetly across multiple cloud services over a week.
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which logs events related to cloud service usage. -
Detection Method:
- It looks for activities categorized under "Cloud Storage," "File Sharing," and similar categories, focusing on uploads.
- It calculates the total megabytes (MB) of data uploaded by each user, the number of active days, the total number of requests, and the number of unique destinations.
- It computes a Z-score for each user to measure how much their data upload behavior deviates from the average user. A Z-score of 3 or more indicates significant deviation.
-
Alert Criteria:
- Users with a Z-score of 3 or higher are flagged.
- Users who have uploaded more than 100 MB over at least 5 days are also flagged.
-
Output:
- The query lists users with their total data uploaded, active days, total requests, unique destinations, and Z-score.
- Alerts are generated for these users, with details on their data upload behavior.
-
Incident Management:
- An incident is created for each alert, and similar incidents are grouped by user account for easier management.
Overall, this query helps in identifying potential data exfiltration activities by analyzing user behavior patterns and highlighting significant deviations from the norm.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: P1D
Period: P7D