Query Details

68 NK IA Credential Phishing Submission

Query

id: e7f8a9b0-c1d2-4e3f-4a5b-6c7d8e9f0a1b
name: "Netskope IA - Credential Phishing Submission Detection"
version: 1.0.0
kind: Scheduled
description: |
  Detects users who uploaded or submitted data (POST activity) to domains categorized as
  Phishing or Suspicious by Netskope. Unlike simple browse-to-phishing detections, this
  rule specifically targets data submission, indicating the user may have entered credentials.
  Uses the built-in NetskopeEvents_CL table from the Netskope Internet Access data connector.
  MITRE ATT&CK: T1566 (Phishing), T1056 (Input Capture)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1566
  - T1056
query: |
  // Empty table with the NetskopeEvents_CL schema: with union isfuzzy=true the rule still parses
  // (and simply returns nothing) while the connector has not yet created the table.
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  // Netskope URL categories treated as phishing or phishing-adjacent
  let PhishingCategories = dynamic([
      "Phishing", "Phishing and Other Frauds", "Suspicious",
      "Newly Observed Domain", "Newly Registered Domain"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s) and isnotempty(domain_s)
  // Either the destination category is on the list, or Netskope itself rated the event
  // high/critical. Note that 'in' is case-sensitive; use 'in~' if severity values vary in case.
  | where category_s in (PhishingCategories)
      or severity_s in ("high", "critical")
  // Evidence that data went to the site: a submission-type activity (has_any matches whole
  // terms, hence "FormSubmit" next to "Submit") or a measurable upload
  | where activity_s has_any ("Upload", "Post", "Submit", "Login", "FormSubmit")
      or todouble(bytes_uploaded_d) > 100
  // One row per user and destination domain; make_set(x, N) keeps at most N distinct values
  | summarize
      SubmissionCount   = count(),
      TotalBytesPosted  = sum(todouble(bytes_uploaded_d)),
      UniqueURLs        = dcount(url_s),
      URLSamples        = make_set(url_s, 10),
      Categories        = make_set(category_s, 5),
      Activities        = make_set(activity_s, 5),
      SourceIPs         = make_set(srcip_s, 5),
      DstCountries      = make_set(dst_country_s, 5),
      Actions           = make_set(action_s, 5),
      FirstSeen         = min(TimeGenerated),
      LastSeen          = max(TimeGenerated)
    by user_s, domain_s
  | order by SubmissionCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
customDetails:
  SubmissionCount: SubmissionCount
  Categories: Categories
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope IA Credential Phishing - {{user_s}} → {{domain_s}}"
  alertDescriptionFormat: "User {{user_s}} submitted data {{SubmissionCount}} times to phishing domain {{domain_s}} ({{Categories}})."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential credential phishing activities by monitoring user data submissions to suspicious or phishing domains. Here's a simplified breakdown:

  1. Purpose: The query identifies users who have uploaded or submitted data to domains flagged as "Phishing" or "Suspicious" by Netskope. This is more specific than just visiting such sites; it focuses on actions indicating potential credential entry.

  2. Data Source: It uses the NetskopeEvents_CL table from the Netskope Internet Access data connector.

  3. Detection Criteria:

    • The query looks at events from the past day (P1D). Because the rule runs every 15 minutes (PT15M) over that one-day window, a single submission keeps matching on every run for up to 24 hours and each run raises a fresh alert; the incident grouping described below is what keeps those repeats together.
    • It keeps events whose destination domain is categorized as phishing or suspicious, or whose severity is marked as "high" or "critical". The two conditions are joined with "or", so a high or critical event to a domain in any other category also qualifies, even though the alert text still calls the destination a "phishing domain"; narrow or drop the severity clause if that proves noisy. The KQL "in" operator is case-sensitive, so the severity values must arrive exactly as lowercase "high" and "critical" (the "in~" operator matches regardless of case).
    • It then requires evidence of a submission: an activity containing one of the terms "Upload", "Post", "Submit", "Login" or "FormSubmit" (has_any matches whole terms, which is why "FormSubmit" is listed separately from "Submit"), or more than 100 bytes uploaded, which catches POSTs that Netskope logs under a different activity name.

  4. Output:

    • It summarizes, per user and domain pair, the number of submissions, total bytes posted, unique URLs accessed, and other details like source IPs, destination countries and actions.
    • The results are ordered by the number of submissions.

  5. Alerting:

    • If any row is returned (triggerThreshold 0), an alert is generated with the user mapped as an Account entity and the domain as a DNS entity.
    • The alert title and description name the user, the domain, how many times data was submitted and which categories were seen.

  6. Incident Management:

    • Incident creation is enabled. An alert whose Account entity matches an incident opened in the previous six hours is added to that incident rather than opening a new one; closed incidents are not reopened.

Overall, this query helps in identifying and alerting on potential phishing incidents where users might have unknowingly submitted sensitive information to malicious sites.
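To see how the filters and the summarize stage behave before the rule is deployed, the block below re-implements the same logic in plain Python and runs it over a handful of constructed NetskopeEvents_CL-style rows. This is an added example, not the page's or the rule author's code; the sample rows, the reserved ".example" domains and the NOW timestamp are made up, and has_any is only an approximation of the KQL operator (whole-term, case-insensitive). It deliberately includes the cases a tuner should know about: a browse with no upload that is ignored, a POST that Netskope labelled with a generic activity but is caught by the byte threshold, and a high-severity upload to a non-phishing category that fires through the severity branch.

```python
"""Offline model of the 'Netskope IA - Credential Phishing Submission Detection'
rule: the same where/summarize stages applied to constructed sample rows.
Added example, not the page's own code."""
import re
from datetime import datetime, timedelta, timezone

PHISHING_CATEGORIES = {"Phishing", "Phishing and Other Frauds", "Suspicious",
                       "Newly Observed Domain", "Newly Registered Domain"}
SUBMIT_ACTIVITIES = ("Upload", "Post", "Submit", "Login", "FormSubmit")
MIN_UPLOAD_BYTES = 100            # mirrors todouble(bytes_uploaded_d) > 100
LOOKBACK = timedelta(days=1)      # mirrors TimeGenerated > ago(1d)
SET_CAPS = (("URLSamples", "url_s", 10), ("Categories", "category_s", 5),
            ("Activities", "activity_s", 5), ("SourceIPs", "srcip_s", 5),
            ("DstCountries", "dst_country_s", 5), ("Actions", "action_s", 5))


def has_any(text, terms):
    """Approximation of KQL has_any: case-insensitive, whole-term match.
    'FormSubmit' is a single term, so has_any("Submit") does not match it."""
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9_]+", text or "")}
    return any(term.lower() in tokens for term in terms)


def is_candidate(ev, now):
    """The three 'where' stages of the rule, in order."""
    if ev["TimeGenerated"] <= now - LOOKBACK:
        return False
    if not ev.get("user_s") or not ev.get("domain_s"):
        return False
    # Category branch OR severity branch; KQL 'in' is case-sensitive, so exact strings.
    if not (ev.get("category_s") in PHISHING_CATEGORIES
            or ev.get("severity_s") in ("high", "critical")):
        return False
    return (has_any(ev.get("activity_s"), SUBMIT_ACTIVITIES)
            or float(ev.get("bytes_uploaded_d") or 0) > MIN_UPLOAD_BYTES)


def summarize(events, now):
    """'summarize ... by user_s, domain_s | order by SubmissionCount desc'."""
    groups = {}
    for ev in events:
        if not is_candidate(ev, now):
            continue
        g = groups.setdefault((ev["user_s"], ev["domain_s"]), {
            "user_s": ev["user_s"], "domain_s": ev["domain_s"],
            "SubmissionCount": 0, "TotalBytesPosted": 0.0, "_urls": set(),
            **{col: [] for col, _, _ in SET_CAPS},
            "FirstSeen": ev["TimeGenerated"], "LastSeen": ev["TimeGenerated"]})
        g["SubmissionCount"] += 1                                   # count()
        g["TotalBytesPosted"] += float(ev.get("bytes_uploaded_d") or 0)  # sum()
        g["_urls"].add(ev.get("url_s"))                             # dcount(url_s)
        for col, field, cap in SET_CAPS:                            # make_set(x, N)
            val = ev.get(field)
            if val and val not in g[col] and len(g[col]) < cap:
                g[col].append(val)
        g["FirstSeen"] = min(g["FirstSeen"], ev["TimeGenerated"])   # min()
        g["LastSeen"] = max(g["LastSeen"], ev["TimeGenerated"])     # max()
    rows = list(groups.values())
    for r in rows:
        r["UniqueURLs"] = len(r.pop("_urls"))
    rows.sort(key=lambda r: -r["SubmissionCount"])
    return rows


# Constructed sample data (not real Netskope output); assumed timestamp for 'now'.
NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, user, domain, category, severity, activity, up_bytes, url):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "user_s": user,
            "domain_s": domain, "category_s": category, "severity_s": severity,
            "activity_s": activity, "bytes_uploaded_d": up_bytes, "url_s": url,
            "srcip_s": "10.0.0.5", "dst_country_s": "US", "action_s": "allow"}


SAMPLE_EVENTS = [
    # alice submits a form to a Phishing-categorised site: matches
    _ev(30, "alice@example.com", "login-portal.example", "Phishing", "medium", "FormSubmit", 640, "https://login-portal.example/auth"),
    # same site, browse only, nothing uploaded: not a submission
    _ev(35, "alice@example.com", "login-portal.example", "Phishing", "medium", "Browse", 0, "https://login-portal.example/"),
    # same site, generic activity label but 900 bytes up: caught by the byte threshold
    _ev(28, "alice@example.com", "login-portal.example", "Phishing", "medium", "Browse", 900, "https://login-portal.example/auth"),
    # bob uploads to a benign-category site that Netskope rated 'high': fires via the severity branch
    _ev(90, "bob@example.com", "files.example", "Technology", "high", "Upload", 2048, "https://files.example/put"),
    # carol on a Suspicious site, 12 bytes up and no submit activity: no alert
    _ev(10, "carol@example.com", "news.example", "Suspicious", "low", "Browse", 12, "https://news.example/"),
    # missing user: dropped by isnotempty(user_s)
    _ev(5, "", "login-portal.example", "Phishing", "high", "FormSubmit", 500, "https://login-portal.example/auth"),
    # two days old: outside ago(1d)
    _ev(48 * 60, "dave@example.com", "login-portal.example", "Phishing", "high", "Post", 700, "https://login-portal.example/auth"),
]


def detect(events=SAMPLE_EVENTS, now=NOW):
    return summarize(events, now)


if __name__ == "__main__":
    for row in detect():
        print(row["user_s"], "->", row["domain_s"], row["SubmissionCount"],
              row["TotalBytesPosted"], row["Categories"], row["Activities"])
```

The run yields two rows: alice with two submissions to login-portal.example (the FormSubmit plus the 900-byte upload; the zero-byte browse is dropped), and bob with one upload to files.example that only qualifies because of the severity branch, which is the row to look at when deciding whether to keep that clause.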

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEvents, Netskope Internet Access, Phishing, Suspicious, Users, Domains, Credentials, Data Submission, Activity, User, Domain, Source IP, Destination Country, Actions, TimeGenerated, URL, Categories, Activities

Operators

let, datatable, dynamic, union, isfuzzy, ago, isnotempty, in, or, has_any, todouble, summarize, count, sum, dcount, make_set, min, max, by, order by, desc