Netskope - Impossible Travel Detection
74 NK Impossible Travel
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let TravelWindow = 2h;
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(src_country_s)
| where src_country_s != "Unknown" and src_country_s != ""
| summarize
Countries = make_set(src_country_s, 10),
CountryCount = dcount(src_country_s),
SourceIPs = make_set(srcip_s, 20),
UniqueIPs = dcount(srcip_s),
RequestCount = count(),
Apps = make_set(app_s, 10),
AccessMethods = make_set(access_method_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s, bin(TimeGenerated, TravelWindow)
| where CountryCount >= 2
| extend TravelWindowMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| project
user_s, Countries, CountryCount, SourceIPs, UniqueIPs,
RequestCount, Apps, AccessMethods,
TravelWindowMinutes, FirstSeen, LastSeen
| order by CountryCount desc, UniqueIPs descExplanation
This query is designed to detect suspicious activity by identifying users who generate web traffic from geographically distant locations within a short time frame, specifically within a 2-hour window. This could indicate potential credential compromise or misuse of VPN/proxy services.
Here's a simplified breakdown of the query:
-
Purpose: It aims to find users who appear to be accessing the internet from different countries within a short period, which is unusual and could suggest unauthorized access.
-
Data Source: The query uses data from the
NetskopeWebTx_CLtable, which is ingested via Blob Storage. -
Detection Logic:
- It looks at web traffic data from the past day.
- It filters out entries where the user or source country is unknown or empty.
- It groups data by user and 2-hour time windows, summarizing the number of different countries and source IPs a user has accessed from.
- It flags users who have accessed from at least two different countries within the same 2-hour window.
-
Output: The query outputs details such as the user, countries accessed, number of unique IPs, and the time window of the activity.
-
Alerting: If such activity is detected, an alert is generated with details about the user and the countries involved. The alert is considered high severity and can create an incident for further investigation.
-
MITRE ATT&CK Framework: The query is associated with tactics like Initial Access and Credential Access, and techniques such as Valid Accounts and Cloud Accounts.
-
Incident Management: The configuration allows for incident creation and grouping based on user accounts to manage and investigate related alerts efficiently.
Details

David Alonso
Released: May 14, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT30M
Period: P1D