Query Details

74 NK Impossible Travel

Query

id: d6e7f8a9-b0c1-4d2e-3f4a-5b6c7d8e9fa1
name: "Netskope - Impossible Travel Detection"
version: 1.0.0
kind: Scheduled
description: |
  Detects users generating Netskope web traffic from geographically distant source countries
  within a short time window, indicating potential credential compromise or VPN/proxy abuse.
  Flags when the same user appears from different countries within 2 hours.
  Uses the custom NetskopeWebTx_CL table via Blob Storage ingestion.
  MITRE ATT&CK: T1078 (Valid Accounts), T1078.004 (Cloud Accounts)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT30M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let TravelWindow = 2h;
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s) and isnotempty(src_country_s)
  | where src_country_s != "Unknown" and src_country_s != ""
  | summarize
      Countries        = make_set(src_country_s, 10),
      CountryCount     = dcount(src_country_s),
      SourceIPs        = make_set(srcip_s, 20),
      UniqueIPs        = dcount(srcip_s),
      RequestCount     = count(),
      Apps             = make_set(app_s, 10),
      AccessMethods    = make_set(access_method_s, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by user_s, bin(TimeGenerated, TravelWindow)
  | where CountryCount >= 2
  | extend TravelWindowMinutes = datetime_diff('minute', LastSeen, FirstSeen)
  | project
      user_s, Countries, CountryCount, SourceIPs, UniqueIPs,
      RequestCount, Apps, AccessMethods,
      TravelWindowMinutes, FirstSeen, LastSeen
  | order by CountryCount desc, UniqueIPs desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  CountryCount: CountryCount
  Countries: Countries
  UniqueIPs: UniqueIPs
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Impossible Travel - {{user_s}} ({{CountryCount}} countries)"
  alertDescriptionFormat: "User {{user_s}} accessed from {{CountryCount}} different countries within a 2-hour window: {{Countries}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious activity by identifying users who generate web traffic from geographically distant locations within a short time frame, specifically within a 2-hour window. This could indicate potential credential compromise or misuse of VPN/proxy services.

Here's a simplified breakdown of the query:

  1. Purpose: It aims to find users who appear to be accessing the internet from different countries within a short period, which is unusual and could suggest unauthorized access.

  2. Data Source: The query uses data from the NetskopeWebTx_CL table, which is ingested via Blob Storage.

  3. Detection Logic:

    • It looks at web traffic data from the past day.
    • It filters out entries where the user or source country is empty, or where the source country is "Unknown".
    • It groups events by user and by fixed 2-hour bins (bin(TimeGenerated, 2h)), and for each group collects the set of source countries, source IPs, apps and access methods, counts distinct countries and IPs, and records the first and last request time.
    • It flags groups in which the user appears from at least two different countries. Note that the bins are fixed, not sliding: a country change that straddles a bin boundary (for example requests at 09:50 and 10:10) falls into two separate groups and is not flagged by this query.

  4. Output: The query outputs details such as the user, the countries and source IPs seen, the number of distinct countries and IPs, the apps and access methods used, and the span in minutes between the first and last request in the window.

  5. Alerting: If such activity is detected, an alert is generated with details about the user and the countries involved. The alert is considered high severity and can create an incident for further investigation.

  6. MITRE ATT&CK Framework: The query is associated with tactics like Initial Access and Credential Access, and techniques such as Valid Accounts and Cloud Accounts.

  7. Incident Management: The configuration allows for incident creation and grouping based on user accounts to manage and investigate related alerts efficiently.
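The detection logic above can be exercised offline before the rule is deployed. The following Python script is an added example, not part of the rule or of Netskope's or Microsoft's code: it re-implements the rule's filtering, fixed-bin grouping and country counting over a constructed set of NetskopeWebTx_CL-shaped records, and goes one step beyond the rule by adding a sliding-window variant that catches the bin-boundary case the fixed 2-hour bins miss. All record values (users, IPs, timestamps) are made up for the example.

```python
"""Offline reference implementation of the Netskope impossible-travel logic (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

TRAVEL_WINDOW = timedelta(hours=2)
BIN_ORIGIN = datetime(1970, 1, 1)  # bin alignment origin; 2h bins land on even hours either way

# Constructed sample records shaped like NetskopeWebTx_CL rows (not real data).
SAMPLE_EVENTS = [
    # alice: two countries inside the same 2h bin (08:00-10:00) -> flagged by both methods
    {"TimeGenerated": "2026-05-14T08:05:00", "user_s": "alice@example.com", "src_country_s": "US",
     "srcip_s": "203.0.113.10", "app_s": "Box", "access_method_s": "Client"},
    {"TimeGenerated": "2026-05-14T08:50:00", "user_s": "alice@example.com", "src_country_s": "BR",
     "srcip_s": "198.51.100.7", "app_s": "Box", "access_method_s": "Client"},
    # bob: two countries 20 minutes apart but straddling the 10:00 bin edge -> missed by fixed bins
    {"TimeGenerated": "2026-05-14T09:50:00", "user_s": "bob@example.com", "src_country_s": "DE",
     "srcip_s": "203.0.113.55", "app_s": "Salesforce", "access_method_s": "Client"},
    {"TimeGenerated": "2026-05-14T10:10:00", "user_s": "bob@example.com", "src_country_s": "JP",
     "srcip_s": "198.51.100.200", "app_s": "Salesforce", "access_method_s": "Client"},
    # carol: single country -> benign
    {"TimeGenerated": "2026-05-14T08:30:00", "user_s": "carol@example.com", "src_country_s": "US",
     "srcip_s": "203.0.113.12", "app_s": "Office365", "access_method_s": "Client"},
    # dave: one record has no geolocation; the rule drops it before counting countries
    {"TimeGenerated": "2026-05-14T08:40:00", "user_s": "dave@example.com", "src_country_s": "Unknown",
     "srcip_s": "192.0.2.9", "app_s": "Slack", "access_method_s": "Client"},
    {"TimeGenerated": "2026-05-14T09:00:00", "user_s": "dave@example.com", "src_country_s": "FR",
     "srcip_s": "192.0.2.9", "app_s": "Slack", "access_method_s": "Client"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])


def filter_events(events):
    """Mirror the rule's where clauses: require a user and a usable source country."""
    return [e for e in events
            if e.get("user_s") and e.get("src_country_s")
            and e["src_country_s"] not in ("Unknown", "")]


def bin_start(ts, window):
    """Floor a timestamp to the start of its fixed-size bin, like KQL bin()."""
    return BIN_ORIGIN + ((ts - BIN_ORIGIN) // window) * window


def detect_fixed_bins(events, window=TRAVEL_WINDOW):
    """Same grouping as the rule: per user and per fixed bin, flag >= 2 distinct countries."""
    groups = defaultdict(list)
    for e in filter_events(events):
        groups[(e["user_s"], bin_start(_ts(e), window))].append(e)
    hits = []
    for (user, _), rows in groups.items():
        countries = sorted({r["src_country_s"] for r in rows})
        if len(countries) < 2:
            continue
        times = [_ts(r) for r in rows]
        first, last = min(times), max(times)
        hits.append({
            "user_s": user,
            "Countries": countries,
            "CountryCount": len(countries),
            "UniqueIPs": len({r["srcip_s"] for r in rows}),
            "RequestCount": len(rows),
            "TravelWindowMinutes": int((last - first).total_seconds() // 60),
            "FirstSeen": first,
            "LastSeen": last,
        })
    # order by CountryCount desc, UniqueIPs desc, as in the rule
    hits.sort(key=lambda h: (-h["CountryCount"], -h["UniqueIPs"]))
    return hits


def detect_sliding(events, window=TRAVEL_WINDOW):
    """Sliding variant: flag any country change between consecutive requests within the window."""
    per_user = defaultdict(list)
    for e in filter_events(events):
        per_user[e["user_s"]].append(e)
    hits = []
    for user, rows in per_user.items():
        rows.sort(key=_ts)
        for prev, cur in zip(rows, rows[1:]):
            gap = _ts(cur) - _ts(prev)
            if prev["src_country_s"] != cur["src_country_s"] and gap <= window:
                hits.append({"user_s": user,
                             "FromCountry": prev["src_country_s"],
                             "ToCountry": cur["src_country_s"],
                             "GapMinutes": int(gap.total_seconds() // 60)})
    return hits


if __name__ == "__main__":
    for hit in detect_fixed_bins(SAMPLE_EVENTS):
        print("fixed-bin hit:", hit["user_s"], hit["Countries"], hit["TravelWindowMinutes"], "min")
    for hit in detect_sliding(SAMPLE_EVENTS):
        print("sliding hit:", hit["user_s"], hit["FromCountry"], "->", hit["ToCountry"], hit["GapMinutes"], "min")
```

Running the script shows only alice in the fixed-bin result, while the sliding variant also reports bob's DE to JP change 20 minutes apart. Both methods ignore dave, whose "Unknown" record is dropped before counting, and carol, who only appears from one country. Neither method measures geographic distance; two adjacent countries within the window are treated the same as two continents, so tuning by country pairs or by IP reputation is left to the analyst.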

Details


David Alonso

Released: May 14, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Web Traffic, Users, Countries, Source Countries, IPs, Apps, Access Methods

Operators

datatable, union, isfuzzy, where, isnotempty, summarize, make_set, dcount, count, bin, extend, datetime_diff, project, order by
