Query Details

Netskope - Geo Anomaly - Traffic to High-Risk Countries

78 NK Geo Anomaly High Risk Country

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let HighRiskCountries = dynamic([
    "RU", "CN", "KP", "IR", "SY", "CU", "VE", "BY",
    "Russia", "China", "North Korea", "Iran", "Syria", "Cuba", "Venezuela", "Belarus"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(dst_country_s)
| where dst_country_s in (HighRiskCountries)
| where action_s !in ("block", "Block", "blocked", "Blocked")
| summarize
    RequestCount      = count(),
    TotalMBUploaded   = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
    TotalMBDownloaded = round(sum(todouble(bytes_downloaded_d)) / 1048576, 2),
    UniqueDomains     = dcount(domain_s),
    Domains           = make_set(domain_s, 20),
    DestIPs           = make_set(dstip_s, 10),
    Apps              = make_set(app_s, 10),
    Categories        = make_set(category_s, 10),
    SourceIPs         = make_set(srcip_s, 5),
    SrcIP             = take_any(srcip_s),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by user_s, dst_country_s
| where RequestCount >= 5
| order by TotalMBUploaded desc, RequestCount desc

Explanation

This query is designed to detect unusual web traffic patterns where users are sending data to servers located in high-risk countries. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies users whose web traffic is directed to countries considered high-risk, such as Russia, China, North Korea, and others. This could indicate potential security threats like command and control (C2) communication, data theft, or compromised systems.

  2. Data Source: The query uses data from a custom table called NetskopeWebTx_CL, which is populated via Blob Storage ingestion.

  3. Frequency and Scope: The query runs every hour and looks at data from the past day.

  4. Filter Criteria:

    • It checks for non-empty user and destination country fields.
    • It focuses on traffic directed to high-risk countries.
    • It excludes traffic that was blocked.
  5. Data Aggregation: For each user and destination country, it calculates:

    • The number of requests made.
    • The total megabytes uploaded and downloaded.
    • The number of unique domains accessed.
    • Lists of domains, destination IPs, applications, categories, and source IPs involved.
    • The first and last time the traffic was seen.
  6. Alert Conditions: An alert is triggered if a user makes at least 5 requests to high-risk countries, with the results sorted by the amount of data uploaded.

  7. Alert Details: The alert includes the user's name, the destination country, and the number of requests. It also specifies the amount of data uploaded.

  8. Incident Management: If an alert is generated, an incident is created. Incidents can be grouped by user account and destination country to manage them more effectively.

Overall, this query helps security teams monitor and respond to potential threats by identifying and alerting on suspicious web traffic patterns to high-risk countries.

Details

David Alonso profile picture

David Alonso

Released: May 14, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeGeoAnomalyTrafficHighRiskCountriesWebDestinationServersUsersSanctionedAdversaryAlignedNationsC2CommunicationDataExfiltrationCompromisedInfrastructureNetskopeWebTxCLBlobStorageIngestionMITREATTCKApplicationLayerProtocolOverAlternativeNetskopeWebTransactionsRussiaChinaNorthKoreaIranSyriaCubaVenezuelaBelarusTimeGeneratedActionCategorySeverityMalwareNameTypeThreatUserDomainDstipSrcipBytesUploadedDownloadedAppUrlDlpRuleProfileActivityFileObjectDstCountrySrcCclAccessMethodRequestCountTotalMBUploadedTotalMBDownloadedUniqueDomainsDomainsDestIPsAppsCategoriesSourceIPsFirstSeenLastSeenAccountFullNameIPAddressDstCountryRequestsUploadingMBIncidentConfigurationGrouping

Operators

letdatatabledynamicunionisfuzzywhereagoisnotemptyin!insummarizecountroundsumtodoubledcountmake_settake_anyminmaxbyorder by

Severity

Medium

Tactics

CommandAndControlExfiltration

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub