Query Details

Netskope - Impossible Travel Detection

74 NK Impossible Travel

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let TravelWindow = 2h;
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(src_country_s)
| where src_country_s != "Unknown" and src_country_s != ""
| summarize
    Countries        = make_set(src_country_s, 10),
    CountryCount     = dcount(src_country_s),
    SourceIPs        = make_set(srcip_s, 20),
    UniqueIPs        = dcount(srcip_s),
    RequestCount     = count(),
    Apps             = make_set(app_s, 10),
    AccessMethods    = make_set(access_method_s, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by user_s, bin(TimeGenerated, TravelWindow)
| where CountryCount >= 2
| extend TravelWindowMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| project
    user_s, Countries, CountryCount, SourceIPs, UniqueIPs,
    RequestCount, Apps, AccessMethods,
    TravelWindowMinutes, FirstSeen, LastSeen
| order by CountryCount desc, UniqueIPs desc

Explanation

This query is designed to detect suspicious activity by identifying users who generate web traffic from geographically distant locations within a short time frame, specifically within a 2-hour window. This could indicate potential credential compromise or misuse of VPN/proxy services.

Here's a simplified breakdown of the query:

  1. Purpose: It aims to find users who appear to be accessing the internet from different countries within a short period, which is unusual and could suggest unauthorized access.

  2. Data Source: The query uses data from the NetskopeWebTx_CL table, which is ingested via Blob Storage.

  3. Detection Logic:

    • It looks at web traffic data from the past day.
    • It filters out entries where the user or source country is unknown or empty.
    • It groups data by user and 2-hour time windows, summarizing the number of different countries and source IPs a user has accessed from.
    • It flags users who have accessed from at least two different countries within the same 2-hour window.
  4. Output: The query outputs details such as the user, countries accessed, number of unique IPs, and the time window of the activity.

  5. Alerting: If such activity is detected, an alert is generated with details about the user and the countries involved. The alert is considered high severity and can create an incident for further investigation.

  6. MITRE ATT&CK Framework: The query is associated with tactics like Initial Access and Credential Access, and techniques such as Valid Accounts and Cloud Accounts.

  7. Incident Management: The configuration allows for incident creation and grouping based on user accounts to manage and investigate related alerts efficiently.

Details

David Alonso profile picture

David Alonso

Released: May 14, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeWebTrafficUsersCountriesSourceIPsAppsAccessMethods

Operators

datatableunionisfuzzywhereisnotemptysummarizemake_setdcountcountbinextenddatetime_diffprojectorder by

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: PT30M

Period: P1D

Actions

GitHub