Query Details

66 NK IA Unauthorized Cloud App Access

Query

id: c5d6e7f8-a9b0-4c1d-2e3f-4a5b6c7d8e9f
name: "Netskope IA - Unauthorized Cloud App Access (Shadow IT)"
version: 1.0.0
kind: Scheduled
description: |
  Detects users accessing unsanctioned cloud applications with low Cloud Confidence Level (CCL).
  Shadow IT usage exposes the organization to data leakage, compliance risks, and potential
  supply-chain compromise through unvetted SaaS platforms.
  Uses the built-in NetskopeEvents_CL table from the Netskope Internet Access data connector.
  MITRE ATT&CK: T1567 (Exfiltration Over Web Service), T1537 (Transfer Data to Cloud Account)
severity: Medium
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - DefenseEvasion
relevantTechniques:
  - T1567
  - T1537
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let RiskyCCL = dynamic(["poor", "low", "unknown"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s) and isnotempty(app_s)
  | where action_s !in ("block", "Block", "blocked", "Blocked")
  | where ccl_s in (RiskyCCL) or isempty(ccl_s)
  | where category_s !in ("Business", "Technology", "Government", "Education")
  | summarize
      RequestCount      = count(),
      TotalMBUploaded   = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
      TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
      UniqueApps        = dcount(app_s),
      Apps              = make_set(app_s, 20),
      Categories        = make_set(category_s, 10),
      Domains           = make_set(domain_s, 20),
      SourceIPs         = make_set(srcip_s, 5),
      CCLValues         = make_set(ccl_s, 5),
      FirstSeen         = min(TimeGenerated),
      LastSeen          = max(TimeGenerated)
    by user_s
  | where UniqueApps >= 3 or TotalMBUploaded > 50
  | order by UniqueApps desc, TotalMBUploaded desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  UniqueApps: UniqueApps
  TotalMBUploaded: TotalMBUploaded
  CCLValues: CCLValues
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope IA Shadow IT - {{user_s}} ({{UniqueApps}} unsanctioned apps)"
  alertDescriptionFormat: "User {{user_s}} accessed {{UniqueApps}} unsanctioned cloud apps with low CCL, uploading {{TotalMBUploaded}} MB."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect and alert on users accessing unsanctioned cloud applications, often referred to as "Shadow IT," which can pose security risks to an organization. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies users accessing cloud applications that are not approved by the organization and have a low or unknown Cloud Confidence Level (CCL). This is important because such applications can lead to data leaks or compliance issues.

  2. Data Source: The query uses data from the NetskopeEvents_CL table, which is part of the Netskope Internet Access data connector.

  3. Detection Criteria:

    • It looks at events from the past day (queryPeriod P1D, repeated by ago(1d) inside the query) and re-evaluates them every hour (queryFrequency PT1H), so a user who stays over the thresholds is alerted on every run until the activity ages out of the window.
    • It requires both user_s and app_s to be populated, because the results are aggregated per user and count apps.
    • It drops events whose action is "block" or "blocked" (either capitalisation) and keeps only traffic that Netskope allowed through.
    • It keeps events whose ccl_s is "poor," "low," or "unknown," or where ccl_s is empty. The comparison uses KQL's case-sensitive in operator, so only lowercase values match; if the connector ever emits capitalised CCL values, switch to in~ or list the variants as the query already does for action_s.
    • It excludes the "Business," "Technology," "Government," and "Education" categories; every other category, including an empty category_s, stays in scope.

  4. Summary Metrics (per user_s):

    • Counts the matching requests.
    • Converts the summed bytes_uploaded_d and bytes_downloaded_d to mebibytes (bytes / 1048576), rounded to two decimals; the columns are labelled MB but the divisor is binary.
    • Counts the unique applications accessed.
    • Collects capped sets of applications (20), categories (10), domains (20), source IPs (5) and CCL values (5), plus the first and last event times.

  5. Alert Conditions:

    • Keeps a user only if they accessed three or more unique unsanctioned apps or uploaded more than 50 MB within the window; the rule fires whenever at least one row survives (triggerOperator gt, triggerThreshold 0).
    • Orders results by the number of unique apps accessed, then by the total data uploaded, both descending.

  6. Alert Details:

    • The alert title names the user and the number of unsanctioned apps accessed; the description adds the megabytes uploaded.
    • UniqueApps, TotalMBUploaded and CCLValues are surfaced as custom details for triage.

  7. Incident Management:

    • Creates an incident for each alert (createIncident true).
    • Groups alerts that share the same Account entity within a six-hour lookback into one incident; closed incidents are not reopened, so a user who keeps tripping the rule after closure opens a fresh incident.

Overall, this query helps security teams monitor and respond to unauthorized cloud app usage, reducing the risk of data breaches and compliance violations.
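To see the rule's logic operate on concrete rows, the following Python re-implements the per-event filters, the per-user summarize and the two thresholds over a constructed set of NetskopeEvents_CL-style events. It is an added example, not code from the original rule, from Netskope or from Microsoft Sentinel; the users, apps, CCL values and byte counts are made up, the case_insensitive_ccl switch is a hypothetical variant that emulates replacing in with in~, and the sample deliberately includes one capitalised "Poor" value only to show what the rule's case-sensitive comparison misses.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Literals taken from the rule above.
RISKY_CCL = {"poor", "low", "unknown"}
BLOCK_ACTIONS = {"block", "Block", "blocked", "Blocked"}
EXCLUDED_CATEGORIES = {"Business", "Technology", "Government", "Education"}
MIB = 1048576                 # the query divides bytes by 1048576 (mebibytes)
MIN_UNIQUE_APPS = 3           # UniqueApps >= 3
MIN_MB_UPLOADED = 50          # TotalMBUploaded > 50
LOOKBACK = timedelta(days=1)  # queryPeriod P1D / ago(1d)


def passes_filters(ev, case_insensitive_ccl=False):
    """The per-event 'where' clauses of the rule.

    case_insensitive_ccl=False reproduces the rule: KQL's 'in' is case-sensitive,
    so a ccl_s of "Poor" is NOT matched. True emulates a hypothetical 'in~' variant.
    """
    if not ev.get("user_s") or not ev.get("app_s"):   # isnotempty(user_s) and isnotempty(app_s)
        return False
    if ev.get("action_s") in BLOCK_ACTIONS:            # action_s !in ("block", ...)
        return False
    ccl = ev.get("ccl_s", "")
    probe = ccl.lower() if case_insensitive_ccl else ccl
    if not (probe in RISKY_CCL or ccl == ""):          # ccl_s in (RiskyCCL) or isempty(ccl_s)
        return False
    return ev.get("category_s") not in EXCLUDED_CATEGORIES


def shadow_it_alerts(events, now, case_insensitive_ccl=False):
    """'summarize ... by user_s', then the alert thresholds and the final ordering."""
    window_start = now - LOOKBACK
    per_user = defaultdict(lambda: {"RequestCount": 0, "BytesUp": 0.0, "Apps": set(), "CCLValues": set()})
    for ev in events:
        if ev["TimeGenerated"] <= window_start or not passes_filters(ev, case_insensitive_ccl):
            continue
        u = per_user[ev["user_s"]]
        u["RequestCount"] += 1
        u["BytesUp"] += float(ev.get("bytes_uploaded_d", 0))   # sum(todouble(bytes_uploaded_d))
        u["Apps"].add(ev["app_s"])                              # feeds dcount(app_s) / make_set(app_s)
        u["CCLValues"].add(ev.get("ccl_s", ""))
    rows = []
    for user, u in per_user.items():
        row = {"user_s": user, "RequestCount": u["RequestCount"],
               "TotalMBUploaded": round(u["BytesUp"] / MIB, 2),
               "UniqueApps": len(u["Apps"]), "Apps": sorted(u["Apps"]),
               "CCLValues": sorted(u["CCLValues"])}
        if row["UniqueApps"] >= MIN_UNIQUE_APPS or row["TotalMBUploaded"] > MIN_MB_UPLOADED:
            rows.append(row)
    rows.sort(key=lambda r: (-r["UniqueApps"], -r["TotalMBUploaded"]))  # order by UniqueApps desc, TotalMBUploaded desc
    return rows


# Constructed sample telemetry, not real Netskope data. Keys follow the NetskopeEvents_CL
# columns the rule reads; users, apps, CCL values and byte counts are made up.
NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, user, app, ccl, category="Collaboration", action="allow", up=0):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "user_s": user, "app_s": app,
            "ccl_s": ccl, "category_s": category, "action_s": action, "bytes_uploaded_d": up}


SAMPLE_EVENTS = [
    # alice: three distinct risky apps, tiny uploads -> trips UniqueApps >= 3
    _ev(30, "alice@example.com", "PasteSiteA", "poor", up=2048),
    _ev(25, "alice@example.com", "FileDropB", "low", up=4096),
    _ev(20, "alice@example.com", "NotesAppC", "", up=1024),            # empty CCL counts as risky
    # bob: one unknown-CCL app, 60 MiB allowed -> trips TotalMBUploaded > 50;
    # the blocked 200 MiB upload is dropped and must not inflate his total
    _ev(40, "bob@example.com", "FileDropB", "unknown", up=60 * MIB),
    _ev(35, "bob@example.com", "FileDropB", "unknown", action="block", up=200 * MIB),
    # carol: two apps and 10 MiB -> under both thresholds, no alert
    _ev(50, "carol@example.com", "PasteSiteA", "poor", up=10 * MIB),
    _ev(45, "carol@example.com", "NotesAppC", "low"),
    # dave: two lowercase matches, one capitalised "Poor" (constructed to show what the
    # case-sensitive 'in' misses) and a poor-CCL app in an excluded category
    _ev(15, "dave@example.com", "PasteSiteA", "poor"),
    _ev(14, "dave@example.com", "FileDropB", "low"),
    _ev(13, "dave@example.com", "NotesAppC", "Poor"),
    _ev(12, "dave@example.com", "SaaSVendorD", "poor", category="Business"),
    # erin: three risky apps, but two days old -> outside the P1D window
    _ev(48 * 60, "erin@example.com", "PasteSiteA", "poor"),
    _ev(48 * 60, "erin@example.com", "FileDropB", "poor"),
    _ev(48 * 60, "erin@example.com", "NotesAppC", "poor"),
]


if __name__ == "__main__":
    for ci in (False, True):
        print("case-insensitive CCL match:" if ci else "rule as written:")
        for r in shadow_it_alerts(SAMPLE_EVENTS, NOW, case_insensitive_ccl=ci):
            print(f"  {r['user_s']}: {r['UniqueApps']} apps {r['Apps']}, "
                  f"{r['TotalMBUploaded']} MB uploaded, CCL={r['CCLValues']}")
```

Run as written, only alice (three apps) and bob (60 MiB allowed, the blocked 200 MiB never counted) alert; with the case-insensitive switch, dave's third app is matched and he alerts too, while carol stays under both thresholds and erin's events fall outside the one-day window. Replaying a constructed set like this is the quickest way to confirm what a threshold change does before editing the live rule.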

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope, Internet Access, Cloud Applications, Users, Data Leakage, Compliance Risks, SaaS Platforms, Events, Account

Operators

let, datatable, dynamic, union, isfuzzy, ago, isnotempty, !in, isempty, summarize, count, round, sum, todouble, dcount, make_set, min, max, by, order by, desc