Query Details

Netskope IA - Geo Anomaly - Traffic to High-Risk Countries

71 NK IA Geo Anomaly High Risk Country

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let HighRiskCountries = dynamic([
    "RU", "CN", "KP", "IR", "SY", "CU", "VE", "BY",
    "Russia", "China", "North Korea", "Iran", "Syria", "Cuba", "Venezuela", "Belarus"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(dst_country_s)
| where dst_country_s in (HighRiskCountries)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| summarize
    RequestCount      = count(),
    TotalMBUploaded   = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
    TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
    UniqueDomains     = dcount(domain_s),
    Domains           = make_set(domain_s, 20),
    DestIPs           = make_set(dstip_s, 10),
    Apps              = make_set(app_s, 10),
    Categories        = make_set(category_s, 10),
    SourceIPs         = make_set(srcip_s, 5),
    SrcIP             = take_any(srcip_s),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by user_s, dst_country_s
| where RequestCount >= 5
| order by TotalMBUploaded desc, RequestCount desc

Explanation

This query is designed to detect and alert on web traffic from users that is being routed to servers located in high-risk countries. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies users whose internet traffic is going to countries considered high-risk, which could indicate potential security threats like command-and-control communication, data exfiltration, or compromised systems.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which is part of the Netskope Internet Access data connector.

  3. High-Risk Countries: The query specifically looks for traffic going to countries such as Russia, China, North Korea, Iran, Syria, Cuba, Venezuela, and Belarus.

  4. Conditions:

    • It checks for traffic in the last 24 hours.
    • It excludes traffic that has been blocked.
    • It only considers cases where there are at least 5 requests to these countries.
  5. Output:

    • The query summarizes the data by user and destination country, counting the number of requests and calculating the total data uploaded and downloaded.
    • It also lists unique domains, destination IPs, applications, categories, and source IPs involved in the traffic.
  6. Alerting:

    • If the conditions are met, an alert is generated with details such as the user, destination country, number of requests, and data uploaded.
    • The alert is configured to create an incident, which can be grouped by user account and destination country for better management.
  7. Severity and Techniques: The alert is marked with medium severity and is associated with MITRE ATT&CK techniques related to command and control and data exfiltration.

In summary, this query helps security teams monitor and respond to potentially suspicious web traffic to high-risk countries, providing insights into possible security incidents.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeInternetAccessEventsDevicesUserAccountIPAddressDomainCountryApplicationLayerProtocolExfiltration

Operators

letdatatabledynamicunionisfuzzyagoisnotemptyin!insummarizecountroundsumtodoubledcountmake_settake_anyminmaxbyorder bydesc

Severity

Medium

Tactics

CommandAndControlExfiltration

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub