Query Details

Netskope IA - Impossible Travel Detection

67 NK IA Impossible Travel

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let TravelWindow = 2h;
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(src_country_s)
| where src_country_s != "Unknown" and src_country_s != ""
| summarize
    Countries        = make_set(src_country_s, 10),
    CountryCount     = dcount(src_country_s),
    SourceIPs        = make_set(srcip_s, 20),
    UniqueIPs        = dcount(srcip_s),
    RequestCount     = count(),
    Apps             = make_set(app_s, 10),
    AccessMethods    = make_set(access_method_s, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by user_s, bin(TimeGenerated, TravelWindow)
| where CountryCount >= 2
| extend TravelWindowMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| project
    user_s, Countries, CountryCount, SourceIPs, UniqueIPs,
    RequestCount, Apps, AccessMethods,
    TravelWindowMinutes, FirstSeen, LastSeen
| order by CountryCount desc, UniqueIPs desc

Explanation

This query is designed to detect suspicious activity by identifying users who appear to access Netskope Internet Access from multiple geographically distant countries within a short time frame, specifically within two hours. This could indicate potential credential compromise or misuse of VPN/proxy services.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from the NetskopeEvents_CL table, which is part of the Netskope Internet Access data connector.

  2. Time Frame: The query looks at events from the past day (24 hours).

  3. User Activity: It focuses on users who have logged in from different countries, excluding unknown or empty country entries.

  4. Detection Logic:

    • It groups data by user and checks for instances where a user has appeared in at least two different countries within a two-hour window.
    • It collects information about the countries accessed, the number of unique IPs used, the applications accessed, and the methods of access.
  5. Alert Generation: If a user is detected accessing from multiple countries within the specified time frame, an alert is generated with details about the user, the number of countries, and the countries themselves.

  6. Severity and Tactics: The alert is marked as high severity and is associated with tactics like Initial Access and Credential Access, aligning with MITRE ATT&CK techniques T1078 and T1078.004.

  7. Incident Management: The query is configured to create incidents for detected cases, with options for grouping related alerts by user account.

Overall, this query helps identify potentially compromised accounts or misuse of network access by flagging unusual travel patterns in user activity.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeInternetAccessTrafficUsersCountriesSourceIPsAppsMethodsTimeGenerated

Operators

datatableletunionisfuzzywhereisnotemptysummarizemake_setdcountcountminmaxbinextenddatetime_diffprojectorder by

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: PT30M

Period: P1D

Actions

GitHub