Netskope IA - High-Volume Data Transfer to Risky Cloud App
70 NK IA Risky Cloud App Data Transfer
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let RiskyCCL = dynamic(["poor", "low", "unknown"]);
let ExfilCategories = dynamic([
"Cloud Storage", "File Sharing", "Online Storage and Backup",
"Personal Sites & Blogs", "Webmail"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(app_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where ccl_s in (RiskyCCL) or isempty(ccl_s)
| where category_s in (ExfilCategories) or activity_s has_any ("Upload", "Share", "Post")
| summarize
UploadCount = count(),
TotalMBUploaded = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
UniqueFiles = dcount(object_s),
FileNames = make_set(object_s, 10),
FileTypes = make_set(file_type_s, 10),
Apps = make_set(app_s, 10),
Domains = make_set(domain_s, 10),
Categories = make_set(category_s, 5),
CCLValues = make_set(ccl_s, 5),
SourceIPs = make_set(srcip_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s
| where TotalMBUploaded > 100 or UploadCount > 50
| order by TotalMBUploaded desc, UploadCount descExplanation
This query is designed to detect and alert on high-volume data uploads to cloud applications that are considered risky due to their low or unknown Cloud Confidence Level (CCL). Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify potential data exfiltration or unauthorized data movement to cloud apps that might not be secure or vetted. This is important for preventing data leaks or breaches.
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which is part of the Netskope Internet Access data connector. -
Detection Criteria:
- It looks for data uploads within the last day (
P1D). - It filters out actions that were blocked.
- It focuses on cloud apps with a CCL of "poor", "low", or "unknown".
- It targets specific categories like "Cloud Storage" and "File Sharing", or activities like "Upload", "Share", or "Post".
- It looks for data uploads within the last day (
-
Summarization:
- For each user, it calculates the total number of uploads, the total megabytes uploaded, the number of unique files, and other details like file names, file types, apps used, and domains accessed.
- It flags users who uploaded more than 100 MB or made more than 50 upload requests.
-
Alerting:
- If the criteria are met, it generates an alert with details about the user and the volume of data uploaded.
- The alert includes a formatted display name and description for clarity.
-
Incident Management:
- The query is configured to create incidents for detected activities.
- It groups incidents by user account to manage related alerts together.
Overall, this query helps security teams monitor and respond to potentially risky data transfers to cloud applications, enhancing the organization's data protection efforts.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D