Query Details

71 NK IA Geo Anomaly High Risk Country

Query

id: b0c1d2e3-f4a5-4b6c-7d8e-9f0a1b2c3d4e
name: "Netskope IA - Geo Anomaly - Traffic to High-Risk Countries"
version: 1.0.0
kind: Scheduled
description: |
  Detects web traffic routed to destination servers in high-risk countries. Identifies
  users whose traffic terminates in sanctioned or known adversary-aligned nations,
  which may indicate C2 communication, data exfiltration, or compromised infrastructure.
  Uses the built-in NetskopeEvents_CL table from the Netskope Internet Access data connector.
  MITRE ATT&CK: T1071 (Application Layer Protocol), T1048 (Exfiltration Over Alternative Protocol)
severity: Medium
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - Exfiltration
relevantTechniques:
  - T1071
  - T1048
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let HighRiskCountries = dynamic([
      "RU", "CN", "KP", "IR", "SY", "CU", "VE", "BY",
      "Russia", "China", "North Korea", "Iran", "Syria", "Cuba", "Venezuela", "Belarus"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s) and isnotempty(dst_country_s)
  | where dst_country_s in (HighRiskCountries)
  | where action_s !in ("block", "Block", "blocked", "Blocked")
  | summarize
      RequestCount      = count(),
      TotalMBUploaded   = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
      TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
      UniqueDomains     = dcount(domain_s),
      Domains           = make_set(domain_s, 20),
      DestIPs           = make_set(dstip_s, 10),
      Apps              = make_set(app_s, 10),
      Categories        = make_set(category_s, 10),
      SourceIPs         = make_set(srcip_s, 5),
      SrcIP             = take_any(srcip_s),
      FirstSeen         = min(TimeGenerated),
      LastSeen          = max(TimeGenerated)
    by user_s, dst_country_s
  | where RequestCount >= 5
  | order by TotalMBUploaded desc, RequestCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIP
customDetails:
  RequestCount: RequestCount
  DstCountry: dst_country_s
  TotalMBUploaded: TotalMBUploaded
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope IA Geo Anomaly - {{user_s}} → {{dst_country_s}} ({{RequestCount}} requests)"
  alertDescriptionFormat: "User {{user_s}} sent {{RequestCount}} requests to high-risk country {{dst_country_s}}, uploading {{TotalMBUploaded}} MB."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails:
      - DstCountry

Explanation

This query is designed to detect and alert on web traffic from users that is being routed to servers located in high-risk countries. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies users whose internet traffic is going to countries considered high-risk, which could indicate potential security threats like command-and-control communication, data exfiltration, or compromised systems.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which is part of the Netskope Internet Access data connector.

  3. High-Risk Countries: The query specifically looks for traffic going to countries such as Russia, China, North Korea, Iran, Syria, Cuba, Venezuela, and Belarus.

  4. Conditions:
    • It checks for traffic in the last 24 hours.
    • It excludes traffic that has been blocked.
    • It only considers cases where there are at least 5 requests to these countries.

  5. Output:
    • The query summarizes the data by user and destination country, counting the number of requests and calculating the total data uploaded and downloaded.
    • It also lists unique domains, destination IPs, applications, categories, and source IPs involved in the traffic.

  6. Alerting:
    • If the conditions are met, an alert is generated with details such as the user, destination country, number of requests, and data uploaded.
    • The alert is configured to create an incident, which can be grouped by user account and destination country for better management.

  7. Severity and Techniques: The alert is marked with medium severity and is associated with MITRE ATT&CK techniques related to command and control and data exfiltration.

In summary, this query helps security teams monitor and respond to potentially suspicious web traffic to high-risk countries, providing insights into possible security incidents.
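To check the filter, grouping and threshold behaviour of the rule offline, here is an added Python re-implementation of the KQL logic above, run over constructed NetskopeEvents_CL-style records. It is not part of the rule or the Netskope connector; the sample users, domains and byte counts are invented for the test.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_RISK = {"RU", "CN", "KP", "IR", "SY", "CU", "VE", "BY",
             "Russia", "China", "North Korea", "Iran", "Syria", "Cuba", "Venezuela", "Belarus"}
BLOCKED = {"block", "Block", "blocked", "Blocked"}
MIN_REQUESTS = 5
MIB = 1048576

def geo_anomaly(events, now):
    """Mirror the rule: 24h window, non-empty user/country, high-risk destination,
    not blocked, grouped by (user, country), at least MIN_REQUESTS requests."""
    groups = defaultdict(list)
    for e in events:
        if e["TimeGenerated"] <= now - timedelta(days=1):        # TimeGenerated > ago(1d)
            continue
        if not e.get("user_s") or not e.get("dst_country_s"):    # isnotempty(...)
            continue
        if e["dst_country_s"] not in HIGH_RISK:   # exact, case-sensitive like KQL `in`
            continue
        if e.get("action_s") in BLOCKED:          # action_s !in (...)
            continue
        groups[(e["user_s"], e["dst_country_s"])].append(e)
    results = []
    for (user, country), evs in groups.items():
        if len(evs) < MIN_REQUESTS:               # RequestCount >= 5
            continue
        results.append({
            "user_s": user, "dst_country_s": country, "RequestCount": len(evs),
            "TotalMBUploaded": round(sum(float(x["bytes_uploaded_d"]) for x in evs) / MIB, 2),
            "TotalMBDownloaded": round(sum(float(x["bytes_downloaded_d"]) for x in evs) / MIB, 2),
            "UniqueDomains": len({x["domain_s"] for x in evs}),
            "FirstSeen": min(x["TimeGenerated"] for x in evs),
            "LastSeen": max(x["TimeGenerated"] for x in evs),
        })
    # order by TotalMBUploaded desc, RequestCount desc
    results.sort(key=lambda r: (-r["TotalMBUploaded"], -r["RequestCount"]))
    return results

# Constructed sample events (not real telemetry): alice makes 6 allowed RU requests
# (alerts), bob's 6 RU requests are all blocked (no alert), carol's 3 CN requests are
# below the threshold, and alice's large upload 30h ago falls outside the 1d window.
NOW = datetime(2026, 4, 16, 12, 0, 0)
def ev(user, country, action, up, hours_ago, domain="example.test"):
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "user_s": user,
            "dst_country_s": country, "action_s": action, "bytes_uploaded_d": up,
            "bytes_downloaded_d": 1024, "domain_s": domain}
SAMPLE = ([ev("alice", "RU", "allow", 2 * MIB, h, f"d{h}.test") for h in range(6)]
          + [ev("bob", "RU", "block", 5 * MIB, h) for h in range(6)]
          + [ev("carol", "CN", "allow", MIB, h) for h in range(3)]
          + [ev("alice", "RU", "allow", 50 * MIB, 30)])
```

Because the KQL `in` match is exact and case-sensitive, only the listed codes and names fire; confirm which representation your connector actually writes into dst_country_s before relying on the list.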

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope Internet Access, Netskope Events, Devices, User Account, IP Address, Domain, Country, Application Layer Protocol, Exfiltration

Operators

let, datatable, dynamic, union, isfuzzy, ago, isnotempty, in, !in, summarize, count, round, sum, todouble, dcount, make_set, take_any, min, max, by, order by, desc