Microsoft Sentinel Analytic Rules

Netskope - Heavy Personal Cloud Storage Usage Shadow IT

Id: 272f9bca-5fd0-4413-b494-03b2d9f0bb9b
Rulename: Netskope - Heavy Personal Cloud Storage Usage (Shadow IT)
Description: Detects heavy usage of personal cloud storage applications like personal Dropbox, Google Drive, OneDrive personal, etc. Indicates potential Shadow IT or data leakage risk.
Severity: Medium
Tactics: Exfiltration, Collection
Techniques: T1567, T1530
Required data connectors: NetskopeWebTxConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule4.yaml
Version: 1.0.0
Arm template: 272f9bca-5fd0-4413-b494-03b2d9f0bb9b.json
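// Flags users who moved a large volume of data, or many distinct files, through
// personal / unsanctioned cloud-storage apps during the last hour.
// Both thresholds apply per user + app + instance + tags + device + country group.
let heavyUsageThresholdMB = 500;   // total (upload + download) MB per group
let heavyFileCountThreshold = 50;  // distinct object names per group
// Storage apps considered; matched as whole terms against XCsApp.
let personalStorageApps = dynamic(['Dropbox', 'Google Drive', 'OneDrive', 'Box', 'iCloud', 'pCloud', 'MEGA', 'MediaFire', 'WeTransfer']);
NetskopeWebTransactions_CL
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername) and isnotempty(XCsApp)
| where XCsApp has_any (personalStorageApps)
// Keep personal or unsanctioned instances. The last clause also admits rows whose
// XCsAppTags is empty, so untagged instances count as non-enterprise; if that is
// noisy, require isnotempty(XCsAppTags) in that clause.
| where XCsAppInstanceTag contains 'Personal'
    or XCsAppInstanceName contains 'Personal'
    or XCsAppTags contains 'Unsanctioned'
    or not(XCsAppTags contains 'Enterprise')
| summarize
    TotalBytes = sum(Bytes),
    UploadBytes = sum(CsBytes),            // client -> server bytes
    DownloadBytes = sum(ScBytes),          // server -> client bytes
    FileCount = dcount(XCsAppObjectName),  // dcount is an estimate for large sets
    Files = make_set(XCsAppObjectName, 10), // sample of at most 10 names for triage
    Activities = make_set(XCsAppActivity),
    EventCount = count(),
    // Keep the real event time range; TimeGenerated is overwritten with now() below.
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by CsUsername, XCsApp, XCsAppCategory, XCsAppInstanceName, XCsAppTags, XCDevice, XCCountry
| extend
    TotalMB = round(TotalBytes / 1048576.0, 2),
    UploadMB = round(UploadBytes / 1048576.0, 2),
    DownloadMB = round(DownloadBytes / 1048576.0, 2)
| where TotalMB > heavyUsageThresholdMB or FileCount > heavyFileCountThreshold
| project
    TimeGenerated = now(),   // alert time; see FirstSeen / LastSeen for activity time
    User = CsUsername,
    CloudApplication = XCsApp,
    AppCategory = XCsAppCategory,
    AppInstance = XCsAppInstanceName,
    AppTags = XCsAppTags,
    TotalDataMB = TotalMB,
    UploadMB,
    DownloadMB,
    FileCount,
    Files,
    Activities,
    Device = XCDevice,
    Country = XCCountry,
    FirstSeen,
    LastSeen,
    EventCount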
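# Sentinel scheduled analytic rule. Alerts when a user moves a large volume of
# data, or many distinct files, through personal / unsanctioned cloud storage.
relevantTechniques:
- T1567
- T1530
# Entities are taken from the query's projected User and CloudApplication columns.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: Name
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudApplication
    identifier: Name
version: 1.0.0
id: 272f9bca-5fd0-4413-b494-03b2d9f0bb9b
severity: Medium
kind: Scheduled
# Lookback (queryPeriod) equals the run interval, so there is no overlap to absorb
# ingestion delay; events that land late may never be evaluated.
queryFrequency: 1h
description: |
    Detects heavy usage of personal cloud storage applications like personal Dropbox, Google Drive, OneDrive personal, etc. Indicates potential Shadow IT or data leakage risk.
requiredDataConnectors:
- connectorId: NetskopeWebTxConnector
  dataTypes:
  - NetskopeWebTransactions_CL
# gt 0: every row the query returns raises an alert.
triggerOperator: gt
name: Netskope - Heavy Personal Cloud Storage Usage (Shadow IT)
tactics:
- Exfiltration
- Collection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule4.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  // Both thresholds apply per user + app + instance + tags + device + country group.
  let heavyUsageThresholdMB = 500;   // total (upload + download) MB per group
  let heavyFileCountThreshold = 50;  // distinct object names per group
  // Storage apps considered; matched as whole terms against XCsApp.
  let personalStorageApps = dynamic(['Dropbox', 'Google Drive', 'OneDrive', 'Box', 'iCloud', 'pCloud', 'MEGA', 'MediaFire', 'WeTransfer']);
  NetskopeWebTransactions_CL
  | where TimeGenerated > ago(1h)
  | where isnotempty(CsUsername) and isnotempty(XCsApp)
  | where XCsApp has_any (personalStorageApps)
  // Keep personal or unsanctioned instances. The last clause also admits rows whose
  // XCsAppTags is empty, so untagged instances count as non-enterprise; if that is
  // noisy, require isnotempty(XCsAppTags) in that clause.
  | where XCsAppInstanceTag contains 'Personal'
      or XCsAppInstanceName contains 'Personal'
      or XCsAppTags contains 'Unsanctioned'
      or not(XCsAppTags contains 'Enterprise')
  | summarize
      TotalBytes = sum(Bytes),
      UploadBytes = sum(CsBytes),            // client -> server bytes
      DownloadBytes = sum(ScBytes),          // server -> client bytes
      FileCount = dcount(XCsAppObjectName),  // dcount is an estimate for large sets
      Files = make_set(XCsAppObjectName, 10), // sample of at most 10 names for triage
      Activities = make_set(XCsAppActivity),
      EventCount = count(),
      // Keep the real event time range; TimeGenerated is overwritten with now() below.
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
      by CsUsername, XCsApp, XCsAppCategory, XCsAppInstanceName, XCsAppTags, XCDevice, XCCountry
  | extend
      TotalMB = round(TotalBytes / 1048576.0, 2),
      UploadMB = round(UploadBytes / 1048576.0, 2),
      DownloadMB = round(DownloadBytes / 1048576.0, 2)
  | where TotalMB > heavyUsageThresholdMB or FileCount > heavyFileCountThreshold
  | project
      TimeGenerated = now(),   // alert time; see FirstSeen / LastSeen for activity time
      User = CsUsername,
      CloudApplication = XCsApp,
      AppCategory = XCsAppCategory,
      AppInstance = XCsAppInstanceName,
      AppTags = XCsAppTags,
      TotalDataMB = TotalMB,
      UploadMB,
      DownloadMB,
      FileCount,
      Files,
      Activities,
      Device = XCDevice,
      Country = XCCountry,
      FirstSeen,
      LastSeen,
      EventCount
status: Available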