Netskope IA - Credential Phishing Submission Detection
68 NK IA Credential Phishing Submission
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let PhishingCategories = dynamic([
"Phishing", "Phishing and Other Frauds", "Suspicious",
"Newly Observed Domain", "Newly Registered Domain"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(domain_s)
| where category_s in (PhishingCategories)
or severity_s in ("high", "critical")
| where activity_s has_any ("Upload", "Post", "Submit", "Login", "FormSubmit")
or todouble(bytes_uploaded_d) > 100
| summarize
SubmissionCount = count(),
TotalBytesPosted = sum(todouble(bytes_uploaded_d)),
UniqueURLs = dcount(url_s),
URLSamples = make_set(url_s, 10),
Categories = make_set(category_s, 5),
Activities = make_set(activity_s, 5),
SourceIPs = make_set(srcip_s, 5),
DstCountries = make_set(dst_country_s, 5),
Actions = make_set(action_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s, domain_s
| order by SubmissionCount descExplanation
This query is designed to detect potential credential phishing activities by monitoring user data submissions to suspicious or phishing domains. Here's a simplified breakdown:
-
Purpose: The query identifies users who have uploaded or submitted data to domains flagged as "Phishing" or "Suspicious" by Netskope. This is more specific than just visiting such sites; it focuses on actions indicating potential credential entry.
-
Data Source: It uses the
NetskopeEvents_CLtable from the Netskope Internet Access data connector. -
Detection Criteria:
- The query looks at events from the past day (
P1D). - It filters for events where users have interacted with domains categorized as phishing or suspicious, or where the severity is marked as "high" or "critical".
- It specifically checks for activities like "Upload", "Post", "Submit", "Login", or "FormSubmit", or where the data uploaded is more than 100 bytes.
- The query looks at events from the past day (
-
Output:
- It summarizes the number of submissions, total bytes posted, unique URLs accessed, and other details like source IPs and actions.
- The results are ordered by the number of submissions.
-
Alerting:
- If any suspicious activity is detected, an alert is generated with details like the user involved and the domain accessed.
- The alert includes a description of how many times data was submitted to the phishing domain.
-
Incident Management:
- An incident is created for each alert, with configurations to group incidents by user account if multiple alerts are related.
Overall, this query helps in identifying and alerting on potential phishing incidents where users might have unknowingly submitted sensitive information to malicious sites.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: P1D