Netskope - Credential Phishing Submission Detection
75 NK Credential Phishing Submission
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let PhishingCategories = dynamic([
"Phishing", "Phishing and Other Frauds", "Suspicious",
"Newly Observed Domain", "Newly Registered Domain"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(domain_s)
| where category_s in (PhishingCategories)
or severity_s in ("high", "critical")
| where activity_s has_any ("Upload", "Post", "Submit", "Login", "FormSubmit")
or todouble(bytes_uploaded_d) > 100
| summarize
SubmissionCount = count(),
TotalBytesPosted = sum(todouble(bytes_uploaded_d)),
UniqueURLs = dcount(url_s),
URLSamples = make_set(url_s, 10),
Categories = make_set(category_s, 5),
Activities = make_set(activity_s, 5),
SourceIPs = make_set(srcip_s, 5),
DstCountries = make_set(dst_country_s, 5),
Actions = make_set(action_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s, domain_s
| order by SubmissionCount descExplanation
This query is designed to detect potential credential phishing activities by monitoring user data submissions to suspicious or phishing domains. Here's a simplified breakdown:
-
Purpose: The query identifies users who have uploaded or submitted data (like form submissions or logins) to domains flagged as "Phishing" or "Suspicious" by Netskope. This is more specific than just visiting a phishing site; it focuses on actual data submission, which might indicate credential entry.
-
Data Source: It uses data from the
NetskopeWebTx_CLtable, which is ingested via Blob Storage. -
Detection Criteria:
- The query looks at activities over the past day (1 day).
- It filters for users and domains that are not empty.
- It checks if the domain is categorized under phishing-related categories or has a high or critical severity.
- It focuses on activities like "Upload", "Post", "Submit", "Login", or "FormSubmit", or if the uploaded data size is more than 100 bytes.
-
Output:
- It summarizes the data by counting submissions, totaling bytes uploaded, and listing unique URLs, categories, activities, source IPs, destination countries, and actions.
- It records the first and last time the activity was seen.
-
Alerting:
- If any suspicious activity is detected, an alert is generated with details like the user, domain, submission count, and categories.
- Alerts are grouped by user accounts to manage incidents effectively.
-
Severity and Techniques:
- The severity of this detection is marked as "High".
- It aligns with MITRE ATT&CK techniques for phishing (T1566) and input capture (T1056).
In essence, this query helps identify potential credential theft by monitoring data submissions to risky domains, allowing for timely alerts and incident management.
Details

David Alonso
Released: May 14, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: P1D