Netskope IA - Unauthorized Cloud App Access (Shadow IT)
66 NK IA Unauthorized Cloud App Access
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let RiskyCCL = dynamic(["poor", "low", "unknown"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(app_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where ccl_s in (RiskyCCL) or isempty(ccl_s)
| where category_s !in ("Business", "Technology", "Government", "Education")
| summarize
RequestCount = count(),
TotalMBUploaded = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
UniqueApps = dcount(app_s),
Apps = make_set(app_s, 20),
Categories = make_set(category_s, 10),
Domains = make_set(domain_s, 20),
SourceIPs = make_set(srcip_s, 5),
CCLValues = make_set(ccl_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s
| where UniqueApps >= 3 or TotalMBUploaded > 50
| order by UniqueApps desc, TotalMBUploaded descExplanation
This query is designed to detect and alert on users accessing unsanctioned cloud applications, often referred to as "Shadow IT," which can pose security risks to an organization. Here's a simple breakdown of what the query does:
-
Purpose: It identifies users accessing cloud applications that are not approved by the organization and have a low or unknown Cloud Confidence Level (CCL). This is important because such applications can lead to data leaks or compliance issues.
-
Data Source: The query uses data from the
NetskopeEvents_CLtable, which is part of the Netskope Internet Access data connector. -
Detection Criteria:
- It looks at events from the past day (
P1D). - It filters out actions that are blocked and focuses on those that are not.
- It checks for applications with a CCL of "poor," "low," or "unknown," or where the CCL is not specified.
- It excludes categories like "Business," "Technology," "Government," and "Education."
- It looks at events from the past day (
-
Summary Metrics:
- Counts the number of requests.
- Calculates the total megabytes uploaded and downloaded.
- Counts the number of unique applications accessed.
- Collects sets of applications, categories, domains, source IPs, and CCL values.
-
Alert Conditions:
- Triggers an alert if a user accesses three or more unique unsanctioned apps or uploads more than 50 MB of data.
- Orders results by the number of unique apps accessed and the total data uploaded.
-
Alert Details:
- The alert includes the user's name and the number of unsanctioned apps accessed.
- It provides a description of the user's activity, including the amount of data uploaded.
-
Incident Management:
- Creates an incident for each alert.
- Groups incidents by user account to manage related alerts together.
Overall, this query helps security teams monitor and respond to unauthorized cloud app usage, reducing the risk of data breaches and compliance violations.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P1D