Query Details

67 NK IA Impossible Travel

Query

id: d6e7f8a9-b0c1-4d2e-3f4a-5b6c7d8e9f0a
name: "Netskope IA - Impossible Travel Detection"
version: 1.0.0
kind: Scheduled
description: |
  Detects users generating Netskope Internet Access traffic from geographically distant
  source countries within a short time window, indicating potential credential compromise
  or VPN/proxy abuse. Flags when the same user appears from different countries within 2 hours.
  Uses the built-in NetskopeEvents_CL table from the Netskope Internet Access data connector.
  MITRE ATT&CK: T1078 (Valid Accounts), T1078.004 (Cloud Accounts)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT30M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let TravelWindow = 2h;
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s) and isnotempty(src_country_s)
  | where src_country_s != "Unknown" and src_country_s != ""
  | summarize
      Countries        = make_set(src_country_s, 10),
      CountryCount     = dcount(src_country_s),
      SourceIPs        = make_set(srcip_s, 20),
      UniqueIPs        = dcount(srcip_s),
      RequestCount     = count(),
      Apps             = make_set(app_s, 10),
      AccessMethods    = make_set(access_method_s, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by user_s, bin(TimeGenerated, TravelWindow)
  | where CountryCount >= 2
  | extend TravelWindowMinutes = datetime_diff('minute', LastSeen, FirstSeen)
  | project
      user_s, Countries, CountryCount, SourceIPs, UniqueIPs,
      RequestCount, Apps, AccessMethods,
      TravelWindowMinutes, FirstSeen, LastSeen
  | order by CountryCount desc, UniqueIPs desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  CountryCount: CountryCount
  Countries: Countries
  UniqueIPs: UniqueIPs
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope IA Impossible Travel - {{user_s}} ({{CountryCount}} countries)"
  alertDescriptionFormat: "User {{user_s}} accessed from {{CountryCount}} different countries within a 2-hour window: {{Countries}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious activity by identifying users who appear to access Netskope Internet Access from multiple geographically distant countries within a short time frame, specifically within two hours. This could indicate potential credential compromise or misuse of VPN/proxy services.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from the NetskopeEvents_CL table, which is part of the Netskope Internet Access data connector. The empty datatable combined with union isfuzzy=true lets the rule run without error before the table exists.

  2. Time Frame: The query looks at events from the past day (24 hours).

  3. User Activity: It focuses on users whose traffic originates from more than one country, excluding events with an unknown or empty source country.

  4. Detection Logic:

    • It groups events by user and by fixed two-hour bin (bin(TimeGenerated, 2h)) and keeps the groups in which a user appears from at least two different countries. Because the bins are fixed rather than sliding, two events less than two hours apart that straddle a bin boundary are not flagged.
    • It collects the countries seen, the number of unique source IPs, the applications accessed, and the access methods, and computes the minutes between the first and last event in the bin.

  5. Alert Generation: If a user is detected accessing from multiple countries within the specified time frame, an alert is generated with details about the user, the number of countries, and the countries themselves.

  6. Severity and Tactics: The alert is marked as high severity and is associated with the tactics Initial Access and Credential Access, aligning with MITRE ATT&CK techniques T1078 and T1078.004.

  7. Incident Management: The query is configured to create incidents for detected cases, with grouping of related alerts by user account over a six-hour lookback.

Overall, this query helps identify potentially compromised accounts or misuse of network access by flagging unusual travel patterns in user activity.
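To make the grouping concrete, the following Python re-implementation (an added example, not part of the rule or of the Netskope connector) runs the same filters and bin(TimeGenerated, 2h) logic over a few constructed events, and adds a sliding-window variant to show the boundary case that fixed bins miss. The users, addresses and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample NetskopeEvents_CL rows (not real telemetry): user_s, src_country_s, srcip_s, TimeGenerated
EVENTS = [
    ("alice@example.com", "US", "203.0.113.10", "2026-04-16T08:15:00"),
    ("alice@example.com", "DE", "198.51.100.7", "2026-04-16T09:05:00"),
    ("bob@example.com", "FR", "192.0.2.44", "2026-04-16T09:50:00"),
    ("bob@example.com", "BR", "192.0.2.99", "2026-04-16T10:10:00"),  # 20 min later, but past the 10:00 bin edge
    ("carol@example.com", "Unknown", "192.0.2.1", "2026-04-16T11:00:00"),  # dropped by the Unknown filter
    ("carol@example.com", "GB", "192.0.2.2", "2026-04-16T11:30:00"),
]
TRAVEL_WINDOW = timedelta(hours=2)  # the query's TravelWindow

def filtered(events):
    # Mirror the query's where clauses: drop empty users and empty/Unknown countries.
    return [(u, c, ip, datetime.fromisoformat(ts)) for u, c, ip, ts in events
            if u and c and c != "Unknown"]

def bin_start(ts, window=TRAVEL_WINDOW):
    # KQL bin(): floor to a fixed boundary from a midnight anchor (even hours for 2h bins).
    anchor = datetime(1970, 1, 1)
    return anchor + ((ts - anchor) // window) * window

def fixed_bin_hits(events, window=TRAVEL_WINDOW):
    # Same grouping as the rule: summarize ... by user_s, bin(TimeGenerated, 2h) | where CountryCount >= 2
    groups = defaultdict(list)
    for user, country, ip, ts in filtered(events):
        groups[(user, bin_start(ts, window))].append((country, ip, ts))
    hits = {}
    for (user, _), rows in groups.items():
        countries = {c for c, _, _ in rows}
        if len(countries) >= 2:
            times = [t for _, _, t in rows]
            hits[user] = {"Countries": sorted(countries), "UniqueIPs": len({ip for _, ip, _ in rows}),
                          "TravelWindowMinutes": int((max(times) - min(times)).total_seconds() // 60)}
    return hits

def sliding_window_hits(events, window=TRAVEL_WINDOW):
    # Stricter variant: any two events from different countries at most `window` apart; also catches bob's pair.
    by_user = defaultdict(list)
    for user, country, _, ts in filtered(events):
        by_user[user].append((ts, country))
    hits = set()
    for user, rows in by_user.items():
        rows.sort()
        if any(c1 != c2 and t2 - t1 <= window
               for i, (t1, c1) in enumerate(rows) for t2, c2 in rows[i + 1:]):
            hits.add(user)
    return hits
```

With the sample data, fixed_bin_hits flags only alice, while sliding_window_hits flags alice and bob; bob's two events are 20 minutes apart but land in different 2h bins.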

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope, Internet Access, Traffic, Users, Countries, Source Countries, Source IPs, Apps, Access Methods, TimeGenerated

Operators

datatable, let, union, isfuzzy, where, isnotempty, summarize, make_set, dcount, count, min, max, bin, extend, datetime_diff, project, order by