Query Details

Netskope IA - Unauthorized Cloud App Access (Shadow IT)

66 NK IA Unauthorized Cloud App Access

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let RiskyCCL = dynamic(["poor", "low", "unknown"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(app_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where ccl_s in (RiskyCCL) or isempty(ccl_s)
| where category_s !in ("Business", "Technology", "Government", "Education")
| summarize
    RequestCount      = count(),
    TotalMBUploaded   = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
    TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
    UniqueApps        = dcount(app_s),
    Apps              = make_set(app_s, 20),
    Categories        = make_set(category_s, 10),
    Domains           = make_set(domain_s, 20),
    SourceIPs         = make_set(srcip_s, 5),
    CCLValues         = make_set(ccl_s, 5),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by user_s
| where UniqueApps >= 3 or TotalMBUploaded > 50
| order by UniqueApps desc, TotalMBUploaded desc

Explanation

This query is designed to detect and alert on users accessing unsanctioned cloud applications, often referred to as "Shadow IT," which can pose security risks to an organization. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies users accessing cloud applications that are not approved by the organization and have a low or unknown Cloud Confidence Level (CCL). This is important because such applications can lead to data leaks or compliance issues.

  2. Data Source: The query uses data from the NetskopeEvents_CL table, which is part of the Netskope Internet Access data connector.

  3. Detection Criteria:

    • It looks at events from the past day (P1D).
    • It filters out actions that are blocked and focuses on those that are not.
    • It checks for applications with a CCL of "poor," "low," or "unknown," or where the CCL is not specified.
    • It excludes categories like "Business," "Technology," "Government," and "Education."
  4. Summary Metrics:

    • Counts the number of requests.
    • Calculates the total megabytes uploaded and downloaded.
    • Counts the number of unique applications accessed.
    • Collects sets of applications, categories, domains, source IPs, and CCL values.
  5. Alert Conditions:

    • Triggers an alert if a user accesses three or more unique unsanctioned apps or uploads more than 50 MB of data.
    • Orders results by the number of unique apps accessed and the total data uploaded.
  6. Alert Details:

    • The alert includes the user's name and the number of unsanctioned apps accessed.
    • It provides a description of the user's activity, including the amount of data uploaded.
  7. Incident Management:

    • Creates an incident for each alert.
    • Groups incidents by user account to manage related alerts together.

Overall, this query helps security teams monitor and respond to unauthorized cloud app usage, reducing the risk of data breaches and compliance violations.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeInternetAccessCloudApplicationsUsersDataLeakageComplianceRisksSaaSPlatformsEventsAccount

Operators

letdatatabledynamicunionisfuzzyagoisnotempty!inisemptysummarizecountroundsumtodoubledcountmake_setminmaxbyorder bydesc

Severity

Medium

Tactics

ExfiltrationDefenseEvasion

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub