Query Details

77 NK Risky Cloud App Data Transfer

Query

id: a9b0c1d2-e3f4-4a5b-6c7d-8e9f0a1b2c4e
name: "Netskope - High-Volume Data Transfer to Risky Cloud App"
version: 1.0.0
kind: Scheduled
description: |
  Detects high-volume data uploads to cloud applications with low or poor Cloud Confidence
  Level (CCL). Large data transfers to unvetted cloud storage or file sharing apps may
  indicate data exfiltration or policy-violating shadow IT data movement.
  Uses the custom NetskopeWebTx_CL table via Blob Storage ingestion.
  MITRE ATT&CK: T1567.002 (Exfiltration to Cloud Storage), T1537 (Transfer Data to Cloud Account)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - Collection
relevantTechniques:
  - T1567
  - T1537
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let RiskyCCL = dynamic(["poor", "low", "unknown"]);
  let ExfilCategories = dynamic([
      "Cloud Storage", "File Sharing", "Online Storage and Backup",
      "Personal Sites & Blogs", "Webmail"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s) and isnotempty(app_s)
  | where action_s !in ("block", "Block", "blocked", "Blocked")
  | where ccl_s in (RiskyCCL) or isempty(ccl_s)
  | where category_s in (ExfilCategories) or activity_s has_any ("Upload", "Share", "Post")
  | summarize
      UploadCount       = count(),
      TotalMBUploaded   = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
      UniqueFiles       = dcount(object_s),
      FileNames         = make_set(object_s, 10),
      FileTypes         = make_set(file_type_s, 10),
      Apps              = make_set(app_s, 10),
      Domains           = make_set(domain_s, 10),
      Categories        = make_set(category_s, 5),
      CCLValues         = make_set(ccl_s, 5),
      SourceIPs         = make_set(srcip_s, 5),
      FirstSeen         = min(TimeGenerated),
      LastSeen          = max(TimeGenerated)
    by user_s
  | where TotalMBUploaded > 100 or UploadCount > 50
  | order by TotalMBUploaded desc, UploadCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  TotalMBUploaded: TotalMBUploaded
  UploadCount: UploadCount
  Apps: Apps
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope Risky Cloud Upload - {{user_s}} ({{TotalMBUploaded}} MB)"
  alertDescriptionFormat: "User {{user_s}} uploaded {{TotalMBUploaded}} MB in {{UploadCount}} requests to risky cloud apps with low CCL."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect and alert on high-volume data uploads to cloud applications that are considered risky because of their low or poor Cloud Confidence Level (CCL). Here's a simple breakdown of what the query does:

  1. Purpose: It identifies potential data exfiltration by monitoring large data transfers to cloud apps that are not well vetted or have a low trust level.

  2. Data Source: The query uses data from the NetskopeWebTx_CL table, which is ingested via Blob Storage.

  3. Detection Criteria:
    • It looks at data from the past day (1d).
    • It excludes blocked actions and keeps only traffic to apps whose CCL is poor, low, or unknown, or whose CCL field is empty.
    • It targets specific categories such as "Cloud Storage" and "File Sharing", or activities such as "Upload", "Share", and "Post".

  4. Analysis:
    • It summarizes the data per user, counting uploads, calculating the total megabytes uploaded, and listing the unique files, apps, and domains involved.
    • It flags users who have uploaded more than 100 MB or made more than 50 upload requests.

  5. Alerting:
    • If the criteria are met, an alert is generated with details such as the user's name and the total data uploaded.
    • The alert is configured to create an incident, grouping alerts for the same user account within a 6-hour lookback window.

  6. Severity and Techniques:
    • The severity of this detection is marked as High.
    • It aligns with the MITRE ATT&CK techniques for exfiltration to cloud storage (T1567.002) and transfer of data to a cloud account (T1537).

In summary, this query helps identify and alert on suspiciously large data uploads to potentially risky cloud applications, which could indicate unauthorized data transfers or shadow IT activities.
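As an added example, not part of the rule or of any Netskope or Sentinel tooling, the following Python re-implements the query's row filters, per-user aggregation and OR'd thresholds over constructed NetskopeWebTx_CL-style records, so the CCL, blocked-action and threshold handling can be unit-tested before the KQL is deployed. Field names mirror the table's columns; the users, app names and byte counts are constructed sample data.

```python
# Added example: pure-Python mirror of the rule's KQL logic for offline testing.
from collections import defaultdict

MB = 1048576
RISKY_CCL = {"poor", "low", "unknown"}            # KQL `in` is case-sensitive
EXFIL_CATEGORIES = {"Cloud Storage", "File Sharing", "Online Storage and Backup",
                    "Personal Sites & Blogs", "Webmail"}
BLOCKED = {"block", "Block", "blocked", "Blocked"}

def in_scope(r):
    """Mirror the query's row-level where clauses."""
    if not r.get("user_s") or not r.get("app_s") or r.get("action_s") in BLOCKED:
        return False
    ccl = r.get("ccl_s", "")
    if ccl not in RISKY_CCL and ccl != "":        # isempty(ccl_s) also counts as risky
        return False
    act = r.get("activity_s", "").lower()         # approximates case-insensitive has_any
    return r.get("category_s") in EXFIL_CATEGORIES or any(t in act for t in ("upload", "share", "post"))

def detect(records, mb_threshold=100, count_threshold=50):
    """summarize ... by user_s, then keep users over either threshold, ordered like the KQL."""
    agg = defaultdict(lambda: {"n": 0, "bytes": 0.0, "objs": set(), "apps": set()})
    for r in filter(in_scope, records):
        a = agg[r["user_s"]]
        a["n"] += 1
        a["bytes"] += float(r.get("bytes_uploaded_d") or 0)   # sum() skips nulls in KQL
        a["objs"].add(r.get("object_s", ""))
        a["apps"].add(r["app_s"])
    hits = []
    for user, a in agg.items():
        total_mb = round(a["bytes"] / MB, 2)
        if total_mb > mb_threshold or a["n"] > count_threshold:
            hits.append({"user_s": user, "TotalMBUploaded": total_mb, "UploadCount": a["n"],
                         "UniqueFiles": len(a["objs"]), "Apps": sorted(a["apps"])})
    return sorted(hits, key=lambda h: (-h["TotalMBUploaded"], -h["UploadCount"]))

def row(user, app, mb, ccl="poor", cat="Cloud Storage", act="Upload", action="allow", obj="f"):
    """Build one constructed NetskopeWebTx_CL-style record (sample data, not real telemetry)."""
    return {"user_s": user, "app_s": app, "bytes_uploaded_d": mb * MB, "ccl_s": ccl,
            "category_s": cat, "activity_s": act, "action_s": action, "object_s": obj}

SAMPLE = [
    row("alice@example.com", "UnvettedDrive", 60, obj="q3-forecast.xlsx"),
    row("alice@example.com", "UnvettedDrive", 45, ccl="", cat="File Sharing", obj="customers.csv"),
    row("bob@example.com", "UnvettedDrive", 500, action="block", obj="dump.zip"),   # blocked: ignored
    row("carol@example.com", "CorpBox", 900, ccl="excellent", obj="backup.tar"),     # trusted CCL: ignored
    row("dave@example.com", "PasteSite", 0.1, cat="Personal Sites & Blogs", act="Post", obj="n"),
] + [row("erin@example.com", "WebmailX", 0.5, cat="Webmail", act="Share", obj=f"doc{i}") for i in range(51)]
```

Running `detect(SAMPLE)` returns alice (105 MB over the volume threshold) and erin (51 requests over the count threshold), while bob's blocked upload and carol's upload to a well-rated app are excluded exactly as in the KQL.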

Details

David Alonso

Released: May 14, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, Cloud App, Data Exfiltration, Storage, File Sharing, User Account, Domain, IP Address, Upload, Download, Activity, File Type, Object, Country, Access Method, Traffic Type

Operators

let, datatable, dynamic, union, isfuzzy, where, ago, isnotempty, !in, in, isempty, has_any, summarize, count, round, sum, todouble, dcount, make_set, min, max, by, order by, desc