Netskope - UnsanctionedRisky Cloud App Access Shadow IT
| Id | cdc01279-d6ea-41b1-a32d-49d726be95b8 |
| Rulename | Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT) |
| Description | Alerts when users access unsanctioned or risky cloud applications based on Cloud Confidence Level (CCL) and app tags. Detects Shadow IT usage. |
| Severity | Medium |
| Tactics | InitialAccess Exfiltration |
| Techniques | T1199 T1567 |
| Required data connectors | NetskopeWebTxConnector |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule10.yaml |
| Version | 1.0.0 |
| Arm template | cdc01279-d6ea-41b1-a32d-49d726be95b8.json |
NetskopeWebTransactions_CL
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername) and isnotempty(XCsApp)
| where XCsAppTags contains 'Unsanctioned'
or XCsAppCcl =~ 'poor'
or XCsAppCcl =~ 'low'
or XCsAppCci < 50
| summarize
EventCount = count(),
TotalBytesMB = round(sum(Bytes) / 1048576.0, 2),
Activities = make_set(XCsAppActivity),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by
CsUsername,
XCsApp,
XCsAppCategory,
XCsAppCcl,
XCsAppCci,
XCsAppTags,
XCCountry,
XCDevice
| extend RiskLevel = case(
XCsAppCci < 30, 'Critical',
XCsAppCci < 50, 'High',
XCsAppCci < 70, 'Medium',
'Low')
| project
TimeGenerated = LastSeen,
User = CsUsername,
RiskyApplication = XCsApp,
AppCategory = XCsAppCategory,
CloudConfidenceLevel = XCsAppCcl,
CloudConfidenceIndex = XCsAppCci,
AppTags = XCsAppTags,
RiskLevel,
Country = XCCountry,
Device = XCDevice,
Activities,
EventCount,
DataTransferMB = TotalBytesMB
id: cdc01279-d6ea-41b1-a32d-49d726be95b8
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule10.yaml
entityMappings:
- fieldMappings:
- identifier: Name
columnName: User
entityType: Account
- fieldMappings:
- identifier: Name
columnName: RiskyApplication
entityType: CloudApplication
requiredDataConnectors:
- dataTypes:
- NetskopeWebTransactions_CL
connectorId: NetskopeWebTxConnector
queryFrequency: 1h
queryPeriod: 1h
status: Available
query: |
NetskopeWebTransactions_CL
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername) and isnotempty(XCsApp)
| where XCsAppTags contains 'Unsanctioned'
or XCsAppCcl =~ 'poor'
or XCsAppCcl =~ 'low'
or XCsAppCci < 50
| summarize
EventCount = count(),
TotalBytesMB = round(sum(Bytes) / 1048576.0, 2),
Activities = make_set(XCsAppActivity),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by
CsUsername,
XCsApp,
XCsAppCategory,
XCsAppCcl,
XCsAppCci,
XCsAppTags,
XCCountry,
XCDevice
| extend RiskLevel = case(
XCsAppCci < 30, 'Critical',
XCsAppCci < 50, 'High',
XCsAppCci < 70, 'Medium',
'Low')
| project
TimeGenerated = LastSeen,
User = CsUsername,
RiskyApplication = XCsApp,
AppCategory = XCsAppCategory,
CloudConfidenceLevel = XCsAppCcl,
CloudConfidenceIndex = XCsAppCci,
AppTags = XCsAppTags,
RiskLevel,
Country = XCCountry,
Device = XCDevice,
Activities,
EventCount,
DataTransferMB = TotalBytesMB
name: Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT)
kind: Scheduled
tactics:
- InitialAccess
- Exfiltration
severity: Medium
relevantTechniques:
- T1199
- T1567
triggerThreshold: 0
version: 1.0.0
description: |
Alerts when users access unsanctioned or risky cloud applications based on Cloud Confidence Level (CCL) and app tags. Detects Shadow IT usage.