Query Details

75 NK Credential Phishing Submission

Query

id: e7f8a9b0-c1d2-4e3f-4a5b-6c7d8e9f0a2c
name: "Netskope - Credential Phishing Submission Detection"
version: 1.0.0
kind: Scheduled
description: |
  Detects users who uploaded or submitted data (POST activity) to domains categorized as
  Phishing or Suspicious by Netskope. Unlike simple browse-to-phishing detections, this
  rule specifically targets data submission, indicating the user may have entered credentials.
  Uses the custom NetskopeWebTx_CL table via Blob Storage ingestion.
  MITRE ATT&CK: T1566 (Phishing), T1056 (Input Capture)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1566
  - T1056
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let PhishingCategories = dynamic([
      "Phishing", "Phishing and Other Frauds", "Suspicious",
      "Newly Observed Domain", "Newly Registered Domain"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s) and isnotempty(domain_s)
  | where category_s in (PhishingCategories)
      or severity_s in ("high", "critical")
  | where activity_s has_any ("Upload", "Post", "Submit", "Login", "FormSubmit")
      or todouble(bytes_uploaded_d) > 100
  | summarize
      SubmissionCount   = count(),
      TotalBytesPosted  = sum(todouble(bytes_uploaded_d)),
      UniqueURLs        = dcount(url_s),
      URLSamples        = make_set(url_s, 10),
      Categories        = make_set(category_s, 5),
      Activities        = make_set(activity_s, 5),
      SourceIPs         = make_set(srcip_s, 5),
      DstCountries      = make_set(dst_country_s, 5),
      Actions           = make_set(action_s, 5),
      FirstSeen         = min(TimeGenerated),
      LastSeen          = max(TimeGenerated)
    by user_s, domain_s
  | order by SubmissionCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: domain_s
customDetails:
  SubmissionCount: SubmissionCount
  Categories: Categories
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Credential Phishing - {{user_s}} → {{domain_s}}"
  alertDescriptionFormat: "User {{user_s}} submitted data {{SubmissionCount}} times to phishing domain {{domain_s}} ({{Categories}})."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential credential phishing activities by monitoring user data submissions to suspicious or phishing domains. Here's a simplified breakdown:

  1. Purpose: The query identifies users who have uploaded or submitted data (like form submissions or logins) to domains flagged as "Phishing" or "Suspicious" by Netskope. This is more specific than just visiting a phishing site; it focuses on actual data submission, which might indicate credential entry.

  2. Data Source: It uses data from the NetskopeWebTx_CL table, which is ingested via Blob Storage.

  3. Detection Criteria:

    • The query looks at events from the past day (ago(1d)). Because the rule runs every 15 minutes over that same one-day window, a single submission is re-evaluated, and can alert again, on each run for 24 hours; the incident grouping below absorbs some of those repeats.
    • It drops events with an empty user or an empty domain.
    • It keeps events whose Netskope category is one of the listed phishing-related categories, or whose event severity is "high" or "critical". Note that the severity branch also admits non-phishing categories (for example a high-severity malware site), and that KQL's in operator is case-sensitive, so a severity value of "High" would not match.
    • It then keeps events whose activity contains "Upload", "Post", "Submit", "Login" or "FormSubmit", or where more than 100 bytes were uploaded. The byte threshold is low enough that ordinary browsing can meet it, which is the main source of noise in this rule.

  4. Output:

    • It summarizes by user and domain, counting submissions, totaling bytes uploaded, and listing unique URLs, URL samples, categories, activities, source IPs, destination countries, and actions.
    • It records the first and last time the activity was seen and orders the rows by submission count.

  5. Alerting:

    • Any matching row (trigger threshold greater than 0) generates an alert carrying the user, domain, submission count, and categories.
    • Alerts are grouped into incidents by the Account entity within a six-hour lookback window; closed incidents are not reopened.

  6. Severity and Techniques:

    • The severity of this detection is marked as "High".
    • It aligns with MITRE ATT&CK techniques for phishing (T1566) and input capture (T1056).

In essence, this query helps identify potential credential theft by monitoring data submissions to risky domains, allowing for timely alerts and incident management.
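To make the filter and summarize stages concrete, here is an added Python re-implementation of the same logic run over a few constructed NetskopeWebTx_CL-shaped rows. It is not code from the original page, from Netskope or from Microsoft Sentinel; the row shape, the reference time NOW, the .test domains and every sample value are assumptions, and the _has_any_term helper only approximates KQL term matching. The rows are chosen to exercise each branch of the rule: two genuine submissions, a sub-threshold browse, a large post to a benign category, a high-severity upload to a non-phishing category, and a browse that matches on bytes alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reference time for the 1-day lookback (assumption, stands in for now()).
NOW = datetime(2026, 5, 14, 12, 0, 0)
LOOKBACK = timedelta(days=1)

# Values copied from the query above.
PHISHING_CATEGORIES = {
    "Phishing", "Phishing and Other Frauds", "Suspicious",
    "Newly Observed Domain", "Newly Registered Domain",
}
HIGH_SEVERITIES = {"high", "critical"}          # KQL 'in' is case-sensitive
SUBMISSION_TERMS = {"upload", "post", "submit", "login", "formsubmit"}
UPLOAD_BYTES_THRESHOLD = 100


def _row(user, domain, category, severity, activity, bytes_up, url,
         srcip, dst_country, action, minutes_ago):
    """Build one constructed record using the query's column names."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "user_s": user, "domain_s": domain, "category_s": category,
        "severity_s": severity, "activity_s": activity,
        "bytes_uploaded_d": float(bytes_up), "url_s": url,
        "srcip_s": srcip, "dst_country_s": dst_country, "action_s": action,
    }


# Constructed sample rows (not real Netskope telemetry).
SAMPLE_ROWS = [
    # Two credential submissions by alice to a Phishing-categorised domain.
    _row("alice", "login.example-phish.test", "Phishing", "medium", "FormSubmit",
         512, "https://login.example-phish.test/auth", "10.0.0.5", "US", "allow", 30),
    _row("alice", "login.example-phish.test", "Phishing", "medium", "Login",
         300, "https://login.example-phish.test/session", "10.0.0.5", "US", "allow", 25),
    # Same user and domain, a 48-byte Browse: no submission term, below the byte threshold.
    _row("alice", "login.example-phish.test", "Phishing", "medium", "Browse",
         48, "https://login.example-phish.test/", "10.0.0.5", "US", "allow", 35),
    # A large Post to a benign category with low severity: never matches.
    _row("bob", "cdn.example-news.test", "News", "low", "Post",
         2048, "https://cdn.example-news.test/comment", "10.0.0.9", "US", "allow", 40),
    # Upload to a non-phishing category scored high: matches via the severity branch.
    _row("carol", "files.example-drop.test", "Malware Distribution Point", "high", "Upload",
         50000, "https://files.example-drop.test/up", "10.0.0.7", "NL", "block", 50),
    # Browse with 350 bytes uploaded to a newly registered domain: matches on bytes alone.
    _row("dave", "newdomain.example.test", "Newly Registered Domain", "low", "Browse",
         350, "https://newdomain.example.test/", "10.0.0.8", "DE", "allow", 55),
    # Outside the 1-day lookback.
    _row("alice", "login.example-phish.test", "Phishing", "medium", "FormSubmit",
         512, "https://login.example-phish.test/auth", "10.0.0.5", "US", "allow", 2 * 24 * 60),
    # Empty user is dropped by the isnotempty() filter.
    _row("", "login.example-phish.test", "Phishing", "medium", "FormSubmit",
         512, "https://login.example-phish.test/auth", "10.0.0.5", "US", "allow", 20),
]


def _has_any_term(text, terms):
    """Approximates KQL has_any: case-insensitive match on whole alphanumeric terms."""
    found = {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}
    return bool(found & terms)


def is_candidate(row, now=NOW):
    """The four 'where' clauses of the query, evaluated in order."""
    if row["TimeGenerated"] <= now - LOOKBACK:              # TimeGenerated > ago(1d)
        return False
    if not row["user_s"] or not row["domain_s"]:             # isnotempty(...)
        return False
    if not (row["category_s"] in PHISHING_CATEGORIES
            or row["severity_s"] in HIGH_SEVERITIES):        # category or severity
        return False
    return (_has_any_term(row["activity_s"], SUBMISSION_TERMS)
            or row["bytes_uploaded_d"] > UPLOAD_BYTES_THRESHOLD)


def detect(rows, now=NOW):
    """summarize ... by user_s, domain_s | order by SubmissionCount desc."""
    groups = defaultdict(list)
    for row in rows:
        if is_candidate(row, now):
            groups[(row["user_s"], row["domain_s"])].append(row)
    results = []
    for (user, domain), hits in groups.items():
        results.append({
            "user_s": user, "domain_s": domain,
            "SubmissionCount": len(hits),
            "TotalBytesPosted": sum(h["bytes_uploaded_d"] for h in hits),
            "UniqueURLs": len({h["url_s"] for h in hits}),
            "URLSamples": sorted({h["url_s"] for h in hits})[:10],
            "Categories": sorted({h["category_s"] for h in hits})[:5],
            "Activities": sorted({h["activity_s"] for h in hits})[:5],
            "SourceIPs": sorted({h["srcip_s"] for h in hits})[:5],
            "DstCountries": sorted({h["dst_country_s"] for h in hits})[:5],
            "Actions": sorted({h["action_s"] for h in hits})[:5],
            "FirstSeen": min(h["TimeGenerated"] for h in hits),
            "LastSeen": max(h["TimeGenerated"] for h in hits),
        })
    results.sort(key=lambda r: r["SubmissionCount"], reverse=True)
    return results


if __name__ == "__main__":
    for r in detect(SAMPLE_ROWS):
        print(f'{r["user_s"]} -> {r["domain_s"]}: {r["SubmissionCount"]} submissions, '
              f'{r["TotalBytesPosted"]:.0f} bytes, categories {r["Categories"]}, '
              f'activities {r["Activities"]}')
```

Running it yields three result rows: alice with two submissions to the phishing domain, plus carol and dave with one hit each. The carol and dave rows are the ones an analyst should look at when tuning: carol is pulled in only by the severity branch, and dave only by the 100-byte threshold, so tightening either condition (or raising the byte threshold) is where most of this rule's noise reduction would come from.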

Details


David Alonso

Released: May 14, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Phishing, Suspicious, Users, Domains, Credentials, Data Submission, Activities, URLs, SourceIPs, DstCountries, Actions, TimeGenerated

Operators

let, datatable, dynamic, union, isfuzzy, where, ago, isnotempty, in, has_any, todouble, summarize, count, sum, dcount, make_set, min, max, by, order by, desc
