Netskope - Suspicious File Download from Uncategorized Domain
76 NK Suspicious File Download Uncategorized
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let SuspiciousCategories = dynamic([
"Uncategorized", "Unknown", "Newly Observed Domain",
"Newly Registered Domain", "Suspicious", "Parked",
"Dynamic DNS Host"]);
let RiskyFileTypes = dynamic([
"exe", "dll", "scr", "bat", "cmd", "ps1", "vbs", "js",
"hta", "msi", "iso", "img", "zip", "7z", "rar"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(domain_s)
| where activity_s has_any ("Download", "download")
or todouble(bytes_downloaded_d) > 1048576
| where category_s in (SuspiciousCategories)
| where isnotempty(file_type_s) or isnotempty(object_s)
| summarize
DownloadCount = count(),
TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
UniqueFiles = dcount(object_s),
FileNames = make_set(object_s, 10),
FileTypes = make_set(file_type_s, 10),
Domains = make_set(domain_s, 10),
Categories = make_set(category_s, 5),
URLSamples = make_set(url_s, 5),
DstCountries = make_set(dst_country_s, 5),
SourceIPs = make_set(srcip_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s
| where DownloadCount >= 1
| order by TotalMBDownloaded desc, DownloadCount descExplanation
This KQL query is designed to detect suspicious file downloads from domains that are either newly registered, uncategorized, or considered suspicious. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify potentially malicious file downloads from domains that haven't been categorized yet or are flagged as suspicious. This is important because attackers often use such domains to distribute harmful files.
-
Data Source: It uses data from the
NetskopeWebTx_CLtable, which is ingested via Blob Storage. -
Detection Criteria:
- The query looks for file download activities within the last 24 hours.
- It focuses on downloads from domains categorized as "Uncategorized," "Unknown," "Newly Observed Domain," "Newly Registered Domain," "Suspicious," "Parked," or "Dynamic DNS Host."
- It checks for downloads of risky file types like executables (e.g.,
.exe,.dll), scripts (e.g.,.bat,.ps1), and compressed files (e.g.,.zip,.rar).
-
Output:
- The query summarizes the data by user, providing counts of downloads, total megabytes downloaded, unique files, and other details like file types, domains, and source IPs.
- It orders the results by the total data downloaded and the number of downloads.
-
Alerting:
- If any suspicious downloads are detected, an alert is created with details about the user, the number of files downloaded, and the total size of the downloads.
- The alert is formatted to display the user's name and download details.
-
Incident Management:
- The query is set to create incidents for detected activities, with a grouping configuration that allows for efficient incident management by grouping related alerts by user account.
Overall, this query helps security teams monitor and respond to potential threats from suspicious file downloads, enhancing the organization's security posture.
Details

David Alonso
Released: May 14, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT30M
Period: P1D