Netskope IA - Suspicious File Download from Uncategorized Domain
69 NK IA Suspicious File Download Uncategorized
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let SuspiciousCategories = dynamic([
"Uncategorized", "Unknown", "Newly Observed Domain",
"Newly Registered Domain", "Suspicious", "Parked",
"Dynamic DNS Host"]);
let RiskyFileTypes = dynamic([
"exe", "dll", "scr", "bat", "cmd", "ps1", "vbs", "js",
"hta", "msi", "iso", "img", "zip", "7z", "rar"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(domain_s)
| where activity_s has_any ("Download", "download")
or todouble(bytes_downloaded_d) > 1048576
| where category_s in (SuspiciousCategories)
| where isnotempty(file_type_s) or isnotempty(object_s)
| summarize
DownloadCount = count(),
TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
UniqueFiles = dcount(object_s),
FileNames = make_set(object_s, 10),
FileTypes = make_set(file_type_s, 10),
Domains = make_set(domain_s, 10),
Categories = make_set(category_s, 5),
URLSamples = make_set(url_s, 5),
DstCountries = make_set(dst_country_s, 5),
SourceIPs = make_set(srcip_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s
| where DownloadCount >= 1
| order by TotalMBDownloaded desc, DownloadCount descExplanation
This query is designed to detect suspicious file downloads from domains that are newly registered, uncategorized, or deemed suspicious. It uses data from the Netskope Internet Access data connector, specifically the NetskopeEvents_CL table. Here's a simplified breakdown of what the query does:
-
Purpose: The query aims to identify potential security threats by monitoring file downloads from domains that might be used by attackers to stage malicious payloads.
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which is part of the Netskope Internet Access data connector. -
Detection Criteria:
- It looks for downloads from domains categorized as "Uncategorized," "Unknown," "Newly Observed Domain," "Newly Registered Domain," "Suspicious," "Parked," or "Dynamic DNS Host."
- It focuses on risky file types such as executables (e.g.,
.exe,.dll), scripts (e.g.,.bat,.ps1), and compressed files (e.g.,.zip,.rar). - It considers downloads where the file size is greater than 1 MB.
-
Query Execution:
- The query runs every 30 minutes and looks at data from the past day.
- It filters events to find those with non-empty user and domain fields, and where the activity involves downloading.
- It summarizes the data by user, counting the number of downloads, total megabytes downloaded, unique files, and other details.
-
Alerting:
- If any downloads are detected, it generates an alert with details about the user, the number of files downloaded, and the total size of the downloads.
- The alert includes information about the domains and file types involved.
-
Incident Management:
- The query is configured to create an incident if suspicious activity is detected.
- It groups incidents by user account to manage related alerts together.
Overall, this query helps security teams monitor and respond to potential threats from suspicious file downloads, enhancing their ability to detect and mitigate attacks involving malicious file transfers.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT30M
Period: P1D