Query Details

Netskope IA - Credential Phishing Submission Detection

68 NK IA Credential Phishing Submission

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let PhishingCategories = dynamic([
    "Phishing", "Phishing and Other Frauds", "Suspicious",
    "Newly Observed Domain", "Newly Registered Domain"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(domain_s)
| where category_s in (PhishingCategories)
    or severity_s in ("high", "critical")
| where activity_s has_any ("Upload", "Post", "Submit", "Login", "FormSubmit")
    or todouble(bytes_uploaded_d) > 100
| summarize
    SubmissionCount   = count(),
    TotalBytesPosted  = sum(todouble(bytes_uploaded_d)),
    UniqueURLs        = dcount(url_s),
    URLSamples        = make_set(url_s, 10),
    Categories        = make_set(category_s, 5),
    Activities        = make_set(activity_s, 5),
    SourceIPs         = make_set(srcip_s, 5),
    DstCountries      = make_set(dst_country_s, 5),
    Actions           = make_set(action_s, 5),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by user_s, domain_s
| order by SubmissionCount desc

Explanation

This query is designed to detect potential credential phishing activities by monitoring user data submissions to suspicious or phishing domains. Here's a simplified breakdown:

  1. Purpose: The query identifies users who have uploaded or submitted data to domains flagged as "Phishing" or "Suspicious" by Netskope. This is more specific than just visiting such sites; it focuses on actions indicating potential credential entry.

  2. Data Source: It uses the NetskopeEvents_CL table from the Netskope Internet Access data connector.

  3. Detection Criteria:

    • The query looks at events from the past day (P1D).
    • It filters for events where users have interacted with domains categorized as phishing or suspicious, or where the severity is marked as "high" or "critical".
    • It specifically checks for activities like "Upload", "Post", "Submit", "Login", or "FormSubmit", or where the data uploaded is more than 100 bytes.
  4. Output:

    • It summarizes the number of submissions, total bytes posted, unique URLs accessed, and other details like source IPs and actions.
    • The results are ordered by the number of submissions.
  5. Alerting:

    • If any suspicious activity is detected, an alert is generated with details like the user involved and the domain accessed.
    • The alert includes a description of how many times data was submitted to the phishing domain.
  6. Incident Management:

    • An incident is created for each alert, with configurations to group incidents by user account if multiple alerts are related.

Overall, this query helps in identifying and alerting on potential phishing incidents where users might have unknowingly submitted sensitive information to malicious sites.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsNetskopeInternetAccessPhishingSuspiciousUsersDomainsCredentialsDataSubmissionActivityUserDomainSourceIPDestinationCountryActionsTimeGeneratedURLCategoriesActivities

Operators

letdatatabledynamicunionisfuzzyagoisnotemptyinorhas_anytodoublesummarizecountsumdcountmake_setminmaxbyorder bydesc

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: PT15M

Period: P1D

Actions

GitHub