Query Details

76 NK Suspicious File Download Uncategorized

Query

id: f8a9b0c1-d2e3-4f4a-5b6c-7d8e9f0a1b3d
name: "Netskope - Suspicious File Download from Uncategorized Domain"
version: 1.0.0
kind: Scheduled
description: |
  Detects file downloads from newly registered, uncategorized, or suspicious domains.
  Attackers frequently stage payloads on disposable domains that have not yet been
  categorized by URL classification engines.
  Uses the custom NetskopeWebTx_CL table via Blob Storage ingestion.
  MITRE ATT&CK: T1105 (Ingress Tool Transfer), T1204.002 (User Execution: Malicious File)
severity: Medium
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT30M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - CommandAndControl
relevantTechniques:
  - T1105
  - T1204
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let SuspiciousCategories = dynamic([
      "Uncategorized", "Unknown", "Newly Observed Domain",
      "Newly Registered Domain", "Suspicious", "Parked",
      "Dynamic DNS Host"]);
  let RiskyFileTypes = dynamic([
      "exe", "dll", "scr", "bat", "cmd", "ps1", "vbs", "js",
      "hta", "msi", "iso", "img", "zip", "7z", "rar"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s) and isnotempty(domain_s)
  | where activity_s has_any ("Download", "download")
      or todouble(bytes_downloaded_d) > 1048576
  | where category_s in (SuspiciousCategories)
  // Apply the RiskyFileTypes list (declared above but otherwise unused); rows that carry
  // an object name but an empty type field are kept so a missing type does not hide a download
  | where file_type_s in~ (RiskyFileTypes)
      or (isempty(file_type_s) and isnotempty(object_s))
  | summarize
      DownloadCount     = count(),
      TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
      UniqueFiles       = dcount(object_s),
      FileNames         = make_set(object_s, 10),
      FileTypes         = make_set(file_type_s, 10),
      Domains           = make_set(domain_s, 10),
      Categories        = make_set(category_s, 5),
      URLSamples        = make_set(url_s, 5),
      DstCountries      = make_set(dst_country_s, 5),
      SourceIPs         = make_set(srcip_s, 5),
      FirstSeen         = min(TimeGenerated),
      LastSeen          = max(TimeGenerated)
    by user_s
  | where DownloadCount >= 1
  | order by TotalMBDownloaded desc, DownloadCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  DownloadCount: DownloadCount
  TotalMBDownloaded: TotalMBDownloaded
  FileTypes: FileTypes
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Suspicious Download - {{user_s}} ({{DownloadCount}} files, {{TotalMBDownloaded}} MB)"
  alertDescriptionFormat: "User {{user_s}} downloaded {{DownloadCount}} files ({{TotalMBDownloaded}} MB) from uncategorized/suspicious domains."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This KQL query is designed to detect suspicious file downloads from domains that are either newly registered, uncategorized, or considered suspicious. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify potentially malicious file downloads from domains that haven't been categorized yet or are flagged as suspicious. This is important because attackers often use such domains to distribute harmful files.

  2. Data Source: It uses data from the NetskopeWebTx_CL table, which is ingested via Blob Storage.

  3. Detection Criteria:

    • The query looks for file download activities within the last 24 hours.
    • It focuses on downloads from domains categorized as "Uncategorized," "Unknown," "Newly Observed Domain," "Newly Registered Domain," "Suspicious," "Parked," or "Dynamic DNS Host."
    • It checks for downloads of risky file types like executables (e.g., .exe, .dll), scripts (e.g., .bat, .ps1), and compressed files (e.g., .zip, .rar).

  4. Output:

    • The query summarizes the data by user, providing counts of downloads, total megabytes downloaded, unique files, and other details like file types, domains, and source IPs.
    • It orders the results by the total data downloaded and the number of downloads.

  5. Alerting:

    • If any suspicious downloads are detected, an alert is created with details about the user, the number of files downloaded, and the total size of the downloads.
    • The alert is formatted to display the user's name and download details.

  6. Incident Management:

    • The query is set to create incidents for detected activities, with a grouping configuration that allows for efficient incident management by grouping related alerts by user account.

Overall, this query helps security teams monitor and respond to potential threats from suspicious file downloads, enhancing the organization's security posture.
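To see which rows the detection criteria described above actually select, here is an added validation harness (not part of the rule or of the Netskope connector) that runs the same filters over constructed NetskopeWebTx_CL-shaped rows, using the RiskyFileTypes list the rule declares as the file-type check; the user names, domains, IPs, sizes and timestamps are made up.

```kusto
// Constructed sample rows (not real Netskope data) shaped like NetskopeWebTx_CL
let SampleWebTx = datatable(
    TimeGenerated:datetime, user_s:string, domain_s:string, category_s:string, activity_s:string,
    file_type_s:string, object_s:string, url_s:string, bytes_downloaded_d:real, srcip_s:string)[
  // Should fire: risky types from a newly registered domain
  datetime(2026-05-14 09:00:00), "alice@example.com", "cdn-a1b2.example", "Newly Registered Domain", "Download",
    "exe", "update.exe", "http://cdn-a1b2.example/update.exe", 2457600.0, "10.0.0.5",
  datetime(2026-05-14 09:05:00), "alice@example.com", "cdn-a1b2.example", "Newly Registered Domain", "Download",
    "zip", "tools.zip", "http://cdn-a1b2.example/tools.zip", 10485760.0, "10.0.0.5",
  // Should fire: type field empty but an object name is present, from a dynamic DNS host
  datetime(2026-05-14 09:30:00), "bob@example.com", "host.ddns.example", "Dynamic DNS Host", "Download",
    "", "payload.bin", "http://host.ddns.example/payload.bin", 3145728.0, "10.0.0.9",
  // Should not fire: domain has a normal category
  datetime(2026-05-14 10:00:00), "carol@example.com", "vendor.example", "Business", "Download",
    "exe", "setup.exe", "https://vendor.example/setup.exe", 5242880.0, "10.0.0.12",
  // Should not fire: uncategorized domain, but the type is not in the risky list
  datetime(2026-05-14 11:00:00), "dan@example.com", "pics.example", "Uncategorized", "Download",
    "png", "photo.png", "https://pics.example/photo.png", 204800.0, "10.0.0.20",
  // Should not fire: browsing only, nothing transferred
  datetime(2026-05-14 12:00:00), "erin@example.com", "new.example", "Newly Observed Domain", "Browse",
    "", "", "https://new.example/", 0.0, "10.0.0.31"
];
let SuspiciousCategories = dynamic(["Uncategorized", "Unknown", "Newly Observed Domain",
    "Newly Registered Domain", "Suspicious", "Parked", "Dynamic DNS Host"]);
let RiskyFileTypes = dynamic(["exe", "dll", "scr", "bat", "cmd", "ps1", "vbs", "js",
    "hta", "msi", "iso", "img", "zip", "7z", "rar"]);
SampleWebTx
// The rule's ago(1d) window is omitted here because datatable rows carry fixed timestamps
| where activity_s has_any ("Download") or bytes_downloaded_d > 1048576
| where category_s in (SuspiciousCategories)
// Risky type, or a named object whose type field Netskope left empty
| where file_type_s in~ (RiskyFileTypes) or (isempty(file_type_s) and isnotempty(object_s))
| summarize
    DownloadCount     = count(),
    TotalMBDownloaded = round(sum(bytes_downloaded_d) / 1048576, 2),
    FileTypes         = make_set(file_type_s, 10),
    Domains           = make_set(domain_s, 10)
  by user_s
| order by TotalMBDownloaded desc
```

With these rows the output has two users: alice (2 downloads, 12.34 MB) and bob (1 download, 3 MB); carol, dan and erin are filtered out by the category, file-type and activity checks respectively.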

Details


David Alonso

Released: May 14, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Web Transactions, Files, Domains, Users, Accounts, Downloads, Categories, URLs, IPs, Countries

Operators

let, datatable, dynamic, union, isfuzzy, where, ago, isnotempty, has_any, todouble, in, summarize, count, round, dcount, make_set, min, max, by, order by, desc
