Query Details

Netskope - High-Volume Data Transfer to Risky Cloud App

77 NK Risky Cloud App Data Transfer

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let RiskyCCL = dynamic(["poor", "low", "unknown"]);
let ExfilCategories = dynamic([
    "Cloud Storage", "File Sharing", "Online Storage and Backup",
    "Personal Sites & Blogs", "Webmail"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(app_s)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| where ccl_s in (RiskyCCL) or isempty(ccl_s)
| where category_s in (ExfilCategories) or activity_s has_any ("Upload", "Share", "Post")
| summarize
    UploadCount       = count(),
    TotalMBUploaded   = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
    UniqueFiles       = dcount(object_s),
    FileNames         = make_set(object_s, 10),
    FileTypes         = make_set(file_type_s, 10),
    Apps              = make_set(app_s, 10),
    Domains           = make_set(domain_s, 10),
    Categories        = make_set(category_s, 5),
    CCLValues         = make_set(ccl_s, 5),
    SourceIPs         = make_set(srcip_s, 5),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by user_s
| where TotalMBUploaded > 100 or UploadCount > 50
| order by TotalMBUploaded desc, UploadCount desc

Explanation

This query is designed to detect and alert on high-volume data uploads to cloud applications that are considered risky due to their low or poor Cloud Confidence Level (CCL). Here's a simple breakdown of what the query does:

  1. Purpose: It identifies potential data exfiltration activities by monitoring large data transfers to cloud apps that are not well-vetted or have a low trust level.

  2. Data Source: The query uses data from the NetskopeWebTx_CL table, which is ingested via Blob Storage.

  3. Detection Criteria:

    • It looks at data from the past day (1d).
    • It filters out actions that are blocked and focuses on uploads to apps with low or unknown CCL.
    • It targets specific categories like "Cloud Storage" and "File Sharing" or activities like "Upload" and "Share".
  4. Analysis:

    • It summarizes the data by counting uploads, calculating the total megabytes uploaded, and identifying unique files, apps, and domains involved.
    • It flags users who have uploaded more than 100 MB or made more than 50 upload requests.
  5. Alerting:

    • If the criteria are met, an alert is generated with details such as the user's name and the total data uploaded.
    • The alert is configured to create an incident in the system, grouping similar alerts by user account.
  6. Severity and Techniques:

    • The severity of this detection is marked as high.
    • It aligns with MITRE ATT&CK techniques related to data exfiltration to cloud storage.

In summary, this query helps identify and alert on suspiciously large data uploads to potentially risky cloud applications, which could indicate unauthorized data transfers or shadow IT activities.

Details

David Alonso profile picture

David Alonso

Released: May 14, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeCloudAppDataExfiltrationStorageFileSharingUserAccountDomainIPAddressUploadDownloadActivityTypeObjectCountryAccessMethodTraffic

Operators

letdatatabledynamicunionisfuzzywhereagoisnotempty!ininisemptyhas_anysummarizecountroundsumtodoubledcountmake_setminmaxbyorder bydesc

Severity

High

Tactics

ExfiltrationCollection

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub