Query Details

69 NK IA Suspicious File Download Uncategorized

Query

id: f8a9b0c1-d2e3-4f4a-5b6c-7d8e9f0a1b2c
name: "Netskope IA - Suspicious File Download from Uncategorized Domain"
version: 1.0.0
kind: Scheduled
description: |
  Detects file downloads from newly registered, uncategorized, or suspicious domains.
  Attackers frequently stage payloads on disposable domains that have not yet been
  categorized by URL classification engines.
  Uses the built-in NetskopeEvents_CL table from the Netskope Internet Access data connector.
  MITRE ATT&CK: T1105 (Ingress Tool Transfer), T1204.002 (User Execution: Malicious File)
severity: Medium
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT30M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - CommandAndControl
relevantTechniques:
  - T1105
  - T1204
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let SuspiciousCategories = dynamic([
      "Uncategorized", "Unknown", "Newly Observed Domain",
      "Newly Registered Domain", "Suspicious", "Parked",
      "Dynamic DNS Host"]);
  let RiskyFileTypes = dynamic([
      "exe", "dll", "scr", "bat", "cmd", "ps1", "vbs", "js",
      "hta", "msi", "iso", "img", "zip", "7z", "rar"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s) and isnotempty(domain_s)
  // A download is either labelled as one by Netskope or moved more than 1 MiB downstream
  | where activity_s has "Download"
      or todouble(bytes_downloaded_d) > 1048576
  | where category_s in (SuspiciousCategories)
  // Apply the risky-type list to Netskope's file_type_s, or to the extension of the
  // object name when file_type_s is empty or is not a plain extension
  | extend FileExt = extract(@"\.([A-Za-z0-9]{1,5})$", 1, object_s)
  | where file_type_s in~ (RiskyFileTypes) or FileExt in~ (RiskyFileTypes)
  | summarize
      DownloadCount     = count(),
      TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
      UniqueFiles       = dcount(object_s),
      FileNames         = make_set(object_s, 10),
      FileTypes         = make_set(file_type_s, 10),
      Domains           = make_set(domain_s, 10),
      Categories        = make_set(category_s, 5),
      URLSamples        = make_set(url_s, 5),
      DstCountries      = make_set(dst_country_s, 5),
      SourceIPs         = make_set(srcip_s, 5),
      FirstSeen         = min(TimeGenerated),
      LastSeen          = max(TimeGenerated)
    by user_s
  | order by TotalMBDownloaded desc, DownloadCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  DownloadCount: DownloadCount
  TotalMBDownloaded: TotalMBDownloaded
  FileTypes: FileTypes
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope IA Suspicious Download - {{user_s}} ({{DownloadCount}} files, {{TotalMBDownloaded}} MB)"
  alertDescriptionFormat: "User {{user_s}} downloaded {{DownloadCount}} files ({{TotalMBDownloaded}} MB) from uncategorized/suspicious domains."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious file downloads from domains that are newly registered, uncategorized, or deemed suspicious. It uses data from the Netskope Internet Access data connector, specifically the NetskopeEvents_CL table. Here's a simplified breakdown of what the query does:

  1. Purpose: The query aims to identify potential security threats by monitoring file downloads from domains that might be used by attackers to stage malicious payloads.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which is part of the Netskope Internet Access data connector.

  3. Detection Criteria:

    • It keeps only events whose domain category is "Uncategorized," "Unknown," "Newly Observed Domain," "Newly Registered Domain," "Suspicious," "Parked," or "Dynamic DNS Host." The match is exact and case-sensitive, so confirm these names against the category values actually present in the tenant's NetskopeEvents_CL before relying on the rule.
    • It treats an event as a download if Netskope labeled the activity as a download, or if more than 1 MB (1,048,576 bytes) was downloaded regardless of the activity label. The size test is an alternative, not an additional requirement, so a small labeled download still qualifies.
    • It narrows to risky file types such as executables (e.g., .exe, .dll), scripts (e.g., .bat, .ps1), and archives (e.g., .zip, .rar), matched case-insensitively against the file type Netskope reports or the extension of the downloaded object's name.
  4. Query Execution:

    • The rule runs every 30 minutes over the past day of data, so a single download is returned on successive runs until it ages out of the one-day window; the six-hour incident grouping configured below merges repeats that fall within six hours of each other into one incident per user.
    • It drops events with an empty user or domain, then applies the category, download, and file-type criteria above.
    • It summarizes by user, counting downloads, total megabytes downloaded, and distinct files, and keeps samples of file names, file types, domains, categories, URLs, destination countries, and source IPs together with first- and last-seen timestamps.
  5. Alerting:

    • Any returned row raises an alert (triggerThreshold is 0 with operator gt), titled with the user, the file count, and the total megabytes, and carrying DownloadCount, TotalMBDownloaded, and FileTypes as custom details.
    • The sampled domains, URLs, and file names are in the query output but are not surfaced as custom details; add them to customDetails if analysts need them at a glance.
  6. Incident Management:

    • Each alert creates an incident.
    • Alerts that share the same Account entity within a six-hour lookback are grouped into one incident; closed incidents are not reopened.

Overall, this query helps security teams monitor and respond to potential threats from suspicious file downloads, enhancing their ability to detect and mitigate attacks involving malicious file transfers.
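To exercise the filter chain without live Netskope traffic, the following validation query is an added example, not part of the published rule: it substitutes a constructed datatable for NetskopeEvents_CL and applies the same category, download, and risky-file-type criteria described above. The users, domains, URLs, IPs, and timestamps in the sample rows are invented.

```kql
// Added validation harness, not part of the published rule. All rows below are
// constructed sample events standing in for NetskopeEvents_CL; paste into a
// Log Analytics query window to exercise each branch of the filter chain.
let SuspiciousCategories = dynamic([
    "Uncategorized", "Unknown", "Newly Observed Domain",
    "Newly Registered Domain", "Suspicious", "Parked",
    "Dynamic DNS Host"]);
let RiskyFileTypes = dynamic([
    "exe", "dll", "scr", "bat", "cmd", "ps1", "vbs", "js",
    "hta", "msi", "iso", "img", "zip", "7z", "rar"]);
let SampleEvents = datatable(
    TimeGenerated:datetime, activity_s:string, category_s:string, user_s:string,
    domain_s:string, url_s:string, object_s:string, file_type_s:string,
    bytes_downloaded_d:real, srcip_s:string, dst_country_s:string)
[
    // Expected to alert: labelled download, uncategorized domain, executable
    datetime(2026-04-16T09:00:00Z), "Download", "Uncategorized", "alice@example.com",
        "cdn-update.example", "https://cdn-update.example/setup.exe", "setup.exe", "exe",
        2400000.0, "10.0.0.5", "NL",
    // Expected to alert: not labelled as a download, but > 1 MiB came down and it is an archive
    datetime(2026-04-16T09:05:00Z), "Browse", "Newly Registered Domain", "alice@example.com",
        "files.example", "https://files.example/invoice.zip", "invoice.zip", "",
        5242880.0, "10.0.0.5", "US",
    // Expected to alert: small script download; size is not required when the activity is a download
    datetime(2026-04-16T09:10:00Z), "Download", "Dynamic DNS Host", "carol@example.com",
        "host.ddns.example", "https://host.ddns.example/update.ps1", "update.ps1", "ps1",
        200000.0, "10.0.0.9", "DE",
    // Must not alert: categorized business domain
    datetime(2026-04-16T09:15:00Z), "Download", "Business", "bob@example.com",
        "vendor.example", "https://vendor.example/tool.msi", "tool.msi", "msi",
        3000000.0, "10.0.0.7", "US",
    // Must not alert: uncategorized domain, but a text file below 1 MiB
    datetime(2026-04-16T09:20:00Z), "Download", "Uncategorized", "bob@example.com",
        "notes.example", "https://notes.example/readme.txt", "readme.txt", "txt",
        4096.0, "10.0.0.7", "US"
];
SampleEvents
| where isnotempty(user_s) and isnotempty(domain_s)
// A download is either labelled as one by Netskope or moved more than 1 MiB downstream
| where activity_s has "Download" or todouble(bytes_downloaded_d) > 1048576
| where category_s in (SuspiciousCategories)
// Match the risky-type list against file_type_s, or against the object name's extension
| extend FileExt = extract(@"\.([A-Za-z0-9]{1,5})$", 1, object_s)
| where file_type_s in~ (RiskyFileTypes) or FileExt in~ (RiskyFileTypes)
| summarize
    DownloadCount     = count(),
    TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
    Files             = make_set(object_s, 10),
    FileExts          = make_set(FileExt, 10),
    Domains           = make_set(domain_s, 10),
    Categories        = make_set(category_s, 5)
  by user_s
| order by TotalMBDownloaded desc, DownloadCount desc
```

Only alice@example.com (two downloads) and carol@example.com (one) should come back; bob@example.com is excluded once by the Business category and once by the .txt extension. To test the production rule against the same rows, replace the `union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL` line with `SampleEvents` and drop the `ago(1d)` filter, since the sample timestamps are fixed.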

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope, Internet Access, Domains, Files, Users, Accounts, Downloads, Categories, URLs, Countries, IPs

Operators

let, datatable, dynamic, union, isfuzzy, where, ago, isnotempty, has_any, todouble, in, summarize, count, round, dcount, make_set, min, max, by, order by, desc
