Netskope - High-Volume Data Transfer to Risky Cloud App
77 NK Risky Cloud App Data Transfer
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let RiskyCCL = dynamic(["poor", "low", "unknown"]);
let ExfilCategories = dynamic([
"Cloud Storage", "File Sharing", "Online Storage and Backup",
"Personal Sites & Blogs", "Webmail"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(app_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where ccl_s in (RiskyCCL) or isempty(ccl_s)
| where category_s in (ExfilCategories) or activity_s has_any ("Upload", "Share", "Post")
| summarize
UploadCount = count(),
TotalMBUploaded = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
UniqueFiles = dcount(object_s),
FileNames = make_set(object_s, 10),
FileTypes = make_set(file_type_s, 10),
Apps = make_set(app_s, 10),
Domains = make_set(domain_s, 10),
Categories = make_set(category_s, 5),
CCLValues = make_set(ccl_s, 5),
SourceIPs = make_set(srcip_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s
| where TotalMBUploaded > 100 or UploadCount > 50
| order by TotalMBUploaded desc, UploadCount descExplanation
This query is designed to detect and alert on high-volume data uploads to cloud applications that are considered risky due to their low or poor Cloud Confidence Level (CCL). Here's a simple breakdown of what the query does:
-
Purpose: It identifies potential data exfiltration activities by monitoring large data transfers to cloud apps that are not well-vetted or have a low trust level.
-
Data Source: The query uses data from the
NetskopeWebTx_CLtable, which is ingested via Blob Storage. -
Detection Criteria:
- It looks at data from the past day (
1d). - It filters out actions that are blocked and focuses on uploads to apps with low or unknown CCL.
- It targets specific categories like "Cloud Storage" and "File Sharing" or activities like "Upload" and "Share".
- It looks at data from the past day (
-
Analysis:
- It summarizes the data by counting uploads, calculating the total megabytes uploaded, and identifying unique files, apps, and domains involved.
- It flags users who have uploaded more than 100 MB or made more than 50 upload requests.
-
Alerting:
- If the criteria are met, an alert is generated with details such as the user's name and the total data uploaded.
- The alert is configured to create an incident in the system, grouping similar alerts by user account.
-
Severity and Techniques:
- The severity of this detection is marked as high.
- It aligns with MITRE ATT&CK techniques related to data exfiltration to cloud storage.
In summary, this query helps identify and alert on suspiciously large data uploads to potentially risky cloud applications, which could indicate unauthorized data transfers or shadow IT activities.
Details

David Alonso
Released: May 14, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D