Query Details

Netskope (Built-in) - Category Shift Anomaly - Domain Recategorization

64 NK BI Category Shift Anomaly

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let SuspiciousCategories = dynamic([
    "Uncategorized", "Unknown", "Newly Observed Domain",
    "Newly Registered Domain", "Suspicious", "Parked",
    "Dynamic DNS Host"]);
let BenignCategories = dynamic([
    "Business", "Technology", "News/Media", "Education",
    "Government", "Health", "Finance", "Shopping",
    "Entertainment", "Reference", "Travel", "Sports"]);
let BaselineDomains =
    union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
    | where TimeGenerated between (ago(14d) .. ago(1d))
    | where category_s in (BenignCategories)
    | where isnotempty(domain_s)
    | summarize
        OldCategories = make_set(category_s, 5),
        OldRequests   = count()
      by domain_s;
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where category_s in (SuspiciousCategories)
| where isnotempty(domain_s)
| summarize
    NewCategory      = take_any(category_s),
    RecentRequests   = count(),
    UniqueUsers      = dcount(user_s),
    UserList         = make_set(user_s, 10),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by domain_s
| join kind=inner BaselineDomains on domain_s
| project
    domain_s, OldCategories, NewCategory,
    OldRequests, RecentRequests, UniqueUsers, UserList,
    FirstSeen, LastSeen
| order by UniqueUsers desc, RecentRequests desc

Explanation

This query is designed to detect changes in the categorization of internet domains, specifically identifying domains that have shifted from benign categories to suspicious or uncategorized ones. This could indicate a potential compromise or takeover of the domain's infrastructure.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from the NetskopeEvents_CL table, which logs events related to domain activities.

  2. Categories:

    • Suspicious Categories: Includes "Uncategorized", "Unknown", "Newly Observed Domain", "Newly Registered Domain", "Suspicious", "Parked", and "Dynamic DNS Host".
    • Benign Categories: Includes categories like "Business", "Technology", "News/Media", "Education", etc.
  3. Baseline Domains:

    • It first identifies domains that were categorized as benign in the past 14 days but not in the last day.
    • It records the old categories and the number of requests for these domains.
  4. Recent Suspicious Activity:

    • It then checks for domains that have been categorized as suspicious in the last day.
    • It gathers information such as the new category, number of recent requests, unique users accessing the domain, and the time range of these activities.
  5. Comparison and Alerting:

    • The query compares the recent suspicious domains with the baseline benign domains.
    • If a domain has shifted from a benign to a suspicious category, it generates an alert.
    • The alert includes details like the domain name, the new suspicious category, the number of unique users affected, and the time frame of the activity.
  6. Alert Configuration:

    • Alerts are configured to display the domain name and new category.
    • Incidents are created for these alerts, with grouping based on DNS entities.

Overall, this query helps in identifying potential security threats by monitoring domain category shifts, which could suggest malicious activities or domain misuse.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsDomainUserDNSCategoryInfrastructure

Operators

letdatatabledynamicunionisfuzzywhereinisnotemptysummarizemake_setcountbytake_anydcountminmaxjoinkindonprojectorder by

Severity

Medium

Tactics

ResourceDevelopment

MITRE Techniques

Frequency: P1D

Period: P14D

Actions

GitHub