Query Details

Netskope - Suspicious File Download from Uncategorized Domain

76 NK Suspicious File Download Uncategorized

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let SuspiciousCategories = dynamic([
    "Uncategorized", "Unknown", "Newly Observed Domain",
    "Newly Registered Domain", "Suspicious", "Parked",
    "Dynamic DNS Host"]);
let RiskyFileTypes = dynamic([
    "exe", "dll", "scr", "bat", "cmd", "ps1", "vbs", "js",
    "hta", "msi", "iso", "img", "zip", "7z", "rar"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(domain_s)
| where activity_s has_any ("Download", "download")
    or todouble(bytes_downloaded_d) > 1048576
| where category_s in (SuspiciousCategories)
| where isnotempty(file_type_s) or isnotempty(object_s)
| summarize
    DownloadCount     = count(),
    TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
    UniqueFiles       = dcount(object_s),
    FileNames         = make_set(object_s, 10),
    FileTypes         = make_set(file_type_s, 10),
    Domains           = make_set(domain_s, 10),
    Categories        = make_set(category_s, 5),
    URLSamples        = make_set(url_s, 5),
    DstCountries      = make_set(dst_country_s, 5),
    SourceIPs         = make_set(srcip_s, 5),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by user_s
| where DownloadCount >= 1
| order by TotalMBDownloaded desc, DownloadCount desc

Explanation

This KQL query is designed to detect suspicious file downloads from domains that are either newly registered, uncategorized, or considered suspicious. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify potentially malicious file downloads from domains that haven't been categorized yet or are flagged as suspicious. This is important because attackers often use such domains to distribute harmful files.

  2. Data Source: It uses data from the NetskopeWebTx_CL table, which is ingested via Blob Storage.

  3. Detection Criteria:

    • The query looks for file download activities within the last 24 hours.
    • It focuses on downloads from domains categorized as "Uncategorized," "Unknown," "Newly Observed Domain," "Newly Registered Domain," "Suspicious," "Parked," or "Dynamic DNS Host."
    • It checks for downloads of risky file types like executables (e.g., .exe, .dll), scripts (e.g., .bat, .ps1), and compressed files (e.g., .zip, .rar).
  4. Output:

    • The query summarizes the data by user, providing counts of downloads, total megabytes downloaded, unique files, and other details like file types, domains, and source IPs.
    • It orders the results by the total data downloaded and the number of downloads.
  5. Alerting:

    • If any suspicious downloads are detected, an alert is created with details about the user, the number of files downloaded, and the total size of the downloads.
    • The alert is formatted to display the user's name and download details.
  6. Incident Management:

    • The query is set to create incidents for detected activities, with a grouping configuration that allows for efficient incident management by grouping related alerts by user account.

Overall, this query helps security teams monitor and respond to potential threats from suspicious file downloads, enhancing the organization's security posture.

Details

David Alonso profile picture

David Alonso

Released: May 14, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeWebTransactionsFilesDomainsUsersAccountsDownloadsCategoriesURLsIPsCountries

Operators

letdatatabledynamicunionisfuzzywhereagoisnotemptyhas_anytodoubleinsummarizecountrounddcountmake_setminmaxbyorder bydesc

Severity

Medium

Tactics

ExecutionCommandAndControl

MITRE Techniques

Frequency: PT30M

Period: P1D

Actions

GitHub