Netskope IA - Geo Anomaly - Traffic to High-Risk Countries
71 NK IA Geo Anomaly High Risk Country
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let HighRiskCountries = dynamic([
"RU", "CN", "KP", "IR", "SY", "CU", "VE", "BY",
"Russia", "China", "North Korea", "Iran", "Syria", "Cuba", "Venezuela", "Belarus"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(dst_country_s)
| where dst_country_s in (HighRiskCountries)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| summarize
RequestCount = count(),
TotalMBUploaded = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
UniqueDomains = dcount(domain_s),
Domains = make_set(domain_s, 20),
DestIPs = make_set(dstip_s, 10),
Apps = make_set(app_s, 10),
Categories = make_set(category_s, 10),
SourceIPs = make_set(srcip_s, 5),
SrcIP = take_any(srcip_s),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s, dst_country_s
| where RequestCount >= 5
| order by TotalMBUploaded desc, RequestCount descExplanation
This query is designed to detect and alert on web traffic from users that is being routed to servers located in high-risk countries. Here's a simple breakdown of what it does:
-
Purpose: The query identifies users whose internet traffic is going to countries considered high-risk, which could indicate potential security threats like command-and-control communication, data exfiltration, or compromised systems.
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which is part of the Netskope Internet Access data connector. -
High-Risk Countries: The query specifically looks for traffic going to countries such as Russia, China, North Korea, Iran, Syria, Cuba, Venezuela, and Belarus.
-
Conditions:
- It checks for traffic in the last 24 hours.
- It excludes traffic that has been blocked.
- It only considers cases where there are at least 5 requests to these countries.
-
Output:
- The query summarizes the data by user and destination country, counting the number of requests and calculating the total data uploaded and downloaded.
- It also lists unique domains, destination IPs, applications, categories, and source IPs involved in the traffic.
-
Alerting:
- If the conditions are met, an alert is generated with details such as the user, destination country, number of requests, and data uploaded.
- The alert is configured to create an incident, which can be grouped by user account and destination country for better management.
-
Severity and Techniques: The alert is marked with medium severity and is associated with MITRE ATT&CK techniques related to command and control and data exfiltration.
In summary, this query helps security teams monitor and respond to potentially suspicious web traffic to high-risk countries, providing insights into possible security incidents.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P1D