Netskope (Built-in) - Category Shift Anomaly - Domain Recategorization
64 NK BI Category Shift Anomaly
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let SuspiciousCategories = dynamic([
"Uncategorized", "Unknown", "Newly Observed Domain",
"Newly Registered Domain", "Suspicious", "Parked",
"Dynamic DNS Host"]);
let BenignCategories = dynamic([
"Business", "Technology", "News/Media", "Education",
"Government", "Health", "Finance", "Shopping",
"Entertainment", "Reference", "Travel", "Sports"]);
let BaselineDomains =
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated between (ago(14d) .. ago(1d))
| where category_s in (BenignCategories)
| where isnotempty(domain_s)
| summarize
OldCategories = make_set(category_s, 5),
OldRequests = count()
by domain_s;
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where category_s in (SuspiciousCategories)
| where isnotempty(domain_s)
| summarize
NewCategory = take_any(category_s),
RecentRequests = count(),
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by domain_s
| join kind=inner BaselineDomains on domain_s
| project
domain_s, OldCategories, NewCategory,
OldRequests, RecentRequests, UniqueUsers, UserList,
FirstSeen, LastSeen
| order by UniqueUsers desc, RecentRequests descExplanation
This query is designed to detect changes in the categorization of internet domains, specifically identifying domains that have shifted from benign categories to suspicious or uncategorized ones. This could indicate a potential compromise or takeover of the domain's infrastructure.
Here's a simple breakdown of what the query does:
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which logs events related to domain activities. -
Categories:
- Suspicious Categories: Includes "Uncategorized", "Unknown", "Newly Observed Domain", "Newly Registered Domain", "Suspicious", "Parked", and "Dynamic DNS Host".
- Benign Categories: Includes categories like "Business", "Technology", "News/Media", "Education", etc.
-
Baseline Domains:
- It first identifies domains that were categorized as benign in the past 14 days but not in the last day.
- It records the old categories and the number of requests for these domains.
-
Recent Suspicious Activity:
- It then checks for domains that have been categorized as suspicious in the last day.
- It gathers information such as the new category, number of recent requests, unique users accessing the domain, and the time range of these activities.
-
Comparison and Alerting:
- The query compares the recent suspicious domains with the baseline benign domains.
- If a domain has shifted from a benign to a suspicious category, it generates an alert.
- The alert includes details like the domain name, the new suspicious category, the number of unique users affected, and the time frame of the activity.
-
Alert Configuration:
- Alerts are configured to display the domain name and new category.
- Incidents are created for these alerts, with grouping based on DNS entities.
Overall, this query helps in identifying potential security threats by monitoring domain category shifts, which could suggest malicious activities or domain misuse.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: P1D
Period: P14D