Netskope Malicious Cloud Worker Detection
Query
//This query checks DeviceNetworkEvents against known malicious Cloudflare workers from Netskope
let NetskopeCloudflareWorkers = externaldata(Url: string)[@"https://raw.githubusercontent.com/netskopeoss/NetskopeThreatLabsIOCs/main/Phishing/CloudflareWorkers/IOCs/README.md"] with (format="csv", ignoreFirstRecord=True);
let DomainList = NetskopeCloudflareWorkers
| where Url <> "```text"
| where Url <> "- **URLs**"
| where Url <> "```"
| extend domain = split(Url,'/')
| extend domain = split(domain,'.')
| extend url = strcat(domain[1],domain[2])
| extend RemoteUrl = replace_string(url,'[.]','.')
| project domain;
DeviceNetworkEvents
| where RemoteUrl in (DomainList)Explanation
This query is designed to identify potentially malicious network activity on devices by comparing network events against a list of known malicious Cloudflare worker URLs provided by Netskope. Here's a breakdown of what the query does:
-
Data Import: It imports a list of malicious URLs from an external CSV file hosted on GitHub by Netskope. This file contains indicators of compromise (IOCs) related to phishing activities using Cloudflare workers.
-
Data Cleaning and Preparation:
- It filters out unnecessary lines from the imported data that don't contain URLs.
- It processes each URL to extract the domain part by splitting the URL string and reconstructing it to form a clean domain name.
- It replaces any obfuscated parts of the domain (e.g.,
[.]) with the actual dot (.) to form a valid domain name.
-
Comparison with Device Network Events:
- It compares the cleaned list of malicious domains against the
RemoteUrlfield in theDeviceNetworkEventstable. - It identifies any network events where the
RemoteUrlmatches one of the domains in the list, indicating potential malicious activity.
- It compares the cleaned list of malicious domains against the
In simple terms, this query checks if any network activity on devices matches known malicious URLs associated with Cloudflare workers, helping to detect potential phishing threats.
Details

Jay Kerai
Released: November 10, 2024
Tables
Keywords
Operators