Microsoft Sentinel Analytic Rules

Netskope - Large Outbound Data Transfer Sensitive Upload DLP

Id: 71e6586e-0d3f-4e33-b390-faa50b5e08fa
Rule name: Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP)
Description: Detects large outbound data transfers and sensitive file uploads. Monitors for potential data exfiltration via cloud applications.
Severity: High
Tactics: Exfiltration
Techniques: T1567
T1048
Required data connectors: NetskopeWebTxConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule6.yaml
Version: 1.0.0
Arm template: 71e6586e-0d3f-4e33-b390-faa50b5e08fa.json
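// Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP)
//
// Raises one row per user/device/source-country whose summed upload volume over
// the query window exceeds uploadThresholdMB.
// Scope note: despite the rule name, this query thresholds on volume only. No DLP
// verdict or sensitivity field is referenced, so a small upload of sensitive data
// is not detected here; pair it with a DLP-verdict rule if that coverage is needed.
let uploadThresholdMB = 100;
NetskopeWebTransactions_CL
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername)
// Upload-like application activity, or HTTP methods that carry a request body.
| where XCsAppActivity =~ 'Upload' or XCsAppActivity =~ 'Post' or XCsAppActivity =~ 'Share'
    or CsMethod =~ 'POST' or CsMethod =~ 'PUT'
| where CsBytes > 0 or XRsFileSize > 0
// Prefer the bytes the client actually sent; fall back to the reported file size
// when CsBytes is null OR zero. A plain coalesce(CsBytes, XRsFileSize, 0) keeps a
// zero CsBytes, so a row admitted by the filter above (XRsFileSize > 0) would
// contribute nothing to the total.
| extend UploadBytes = iff(CsBytes > 0, CsBytes, coalesce(XRsFileSize, 0))
// Aggregate over the whole query window instead of bin(TimeGenerated, 1h):
// ago(1h) is not aligned to clock-hour boundaries, so hourly bins split one user's
// uploads into two partial buckets that can each stay under the threshold.
// FirstSeen/LastSeen preserve the time span of the aggregated activity.
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    TotalUploadBytes = sum(UploadBytes),
    FileCount = dcount(XCsAppObjectName),
    Files = make_set(XCsAppObjectName, 10),
    FileTypes = make_set(XRsFileType),
    Apps = make_set(XCsApp),
    Destinations = make_set(XCsAppInstanceName),
    Countries = make_set(XSCountry)
    by CsUsername, XCDevice, XCCountry
| extend TotalUploadMB = round(TotalUploadBytes / 1048576.0, 2)
| where TotalUploadMB > uploadThresholdMB
// Tiers are absolute, not relative to uploadThresholdMB: with the default of 100
// every surviving row is at least 'Medium'; 'Low' is only reachable if the
// threshold is lowered below 100.
| extend AlertSeverity = case(
    TotalUploadMB > 1000, 'Critical',
    TotalUploadMB > 500, 'High',
    TotalUploadMB > 100, 'Medium',
    'Low')
// TimeGenerated is kept as the first column (end of the observed activity) so the
// output schema stays compatible with the previous binned version.
| project
    TimeGenerated = LastSeen,
    FirstSeen,
    User = CsUsername,
    UploadVolumeMB = TotalUploadMB,
    FileCount,
    Files,
    FileTypes,
    Applications = Apps,
    DestinationInstances = Destinations,
    SourceCountry = XCCountry,
    DestinationCountries = Countries,
    Device = XCDevice,
    AlertSeverity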
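# Microsoft Sentinel scheduled analytic rule for the Netskope Web Transactions table.
# Scope note: the query below thresholds on upload volume only; no DLP verdict or
# sensitivity field is referenced, so the "Sensitive Upload (DLP)" part of the name
# is not implemented by this rule on its own.
relevantTechniques:
- T1567
- T1048
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: Name
version: 1.0.0
id: 71e6586e-0d3f-4e33-b390-faa50b5e08fa
severity: High
kind: Scheduled
# queryFrequency equals queryPeriod (1h): each run covers exactly one window, so the
# query aggregates over the whole window rather than clock-hour bins (see comments
# inside the query).
queryFrequency: 1h
description: |
    Detects large outbound data transfers and sensitive file uploads. Monitors for potential data exfiltration via cloud applications.
requiredDataConnectors:
- connectorId: NetskopeWebTxConnector
  dataTypes:
  - NetskopeWebTransactions_CL
triggerOperator: gt
name: Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP)
tactics:
- Exfiltration
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule6.yaml
# threshold 0 with operator gt: any row returned by the query raises an alert.
triggerThreshold: 0
queryPeriod: 1h
query: |
  // One row per user/device/source-country whose summed upload volume over the
  // query window exceeds uploadThresholdMB.
  let uploadThresholdMB = 100;
  NetskopeWebTransactions_CL
  | where TimeGenerated > ago(1h)
  | where isnotempty(CsUsername)
  // Upload-like application activity, or HTTP methods that carry a request body.
  | where XCsAppActivity =~ 'Upload' or XCsAppActivity =~ 'Post' or XCsAppActivity =~ 'Share'
      or CsMethod =~ 'POST' or CsMethod =~ 'PUT'
  | where CsBytes > 0 or XRsFileSize > 0
  // Prefer the bytes the client actually sent; fall back to the reported file size
  // when CsBytes is null OR zero. A plain coalesce(CsBytes, XRsFileSize, 0) keeps a
  // zero CsBytes, so a row admitted by the filter above (XRsFileSize > 0) would
  // contribute nothing to the total.
  | extend UploadBytes = iff(CsBytes > 0, CsBytes, coalesce(XRsFileSize, 0))
  // Aggregate over the whole query window instead of bin(TimeGenerated, 1h):
  // ago(1h) is not aligned to clock-hour boundaries, so hourly bins split one user's
  // uploads into two partial buckets that can each stay under the threshold.
  | summarize
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated),
      TotalUploadBytes = sum(UploadBytes),
      FileCount = dcount(XCsAppObjectName),
      Files = make_set(XCsAppObjectName, 10),
      FileTypes = make_set(XRsFileType),
      Apps = make_set(XCsApp),
      Destinations = make_set(XCsAppInstanceName),
      Countries = make_set(XSCountry)
      by CsUsername, XCDevice, XCCountry
  | extend TotalUploadMB = round(TotalUploadBytes / 1048576.0, 2)
  | where TotalUploadMB > uploadThresholdMB
  // Tiers are absolute, not relative to uploadThresholdMB: with the default of 100
  // every surviving row is at least 'Medium'; 'Low' is only reachable if the
  // threshold is lowered below 100.
  | extend AlertSeverity = case(
      TotalUploadMB > 1000, 'Critical',
      TotalUploadMB > 500, 'High',
      TotalUploadMB > 100, 'Medium',
      'Low')
  // TimeGenerated stays the first column (end of the observed activity) so the
  // output schema remains compatible with the previous binned version.
  | project
      TimeGenerated = LastSeen,
      FirstSeen,
      User = CsUsername,
      UploadVolumeMB = TotalUploadMB,
      FileCount,
      Files,
      FileTypes,
      Applications = Apps,
      DestinationInstances = Destinations,
      SourceCountry = XCCountry,
      DestinationCountries = Countries,
      Device = XCDevice,
      AlertSeverity
status: Available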