Netskope - Data Movement Tracking (Upload/Download Monitoring)
| Id | cf103180-cb81-4796-921d-3cc7eef4e817 |
| Rulename | Netskope - Data Movement Tracking (Upload/Download Monitoring) |
| Description | Tracks file uploads and downloads per user, device and country in one-hour windows, classifying each Netskope web transaction as an upload or download by which side sent more bytes. Returns any tuple whose combined upload plus download volume exceeds 50 MB, together with the apps, destination hosts and a sample of file names involved. Provides visibility into data flow patterns; it is Informational and does not by itself indicate malicious intent. |
| Severity | Informational |
| Tactics | Exfiltration Collection |
| Techniques | T1567 T1074 |
| Required data connectors | NetskopeWebTxConnector |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic%20Rules/NetskopeWebtx_Rule2.yaml |
| Version | 1.0.0 |
| Arm template | cf103180-cb81-4796-921d-3cc7eef4e817.json |
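// Netskope - Data Movement Tracking (Upload/Download Monitoring)
//
// For every user / device / country tuple in the last hour, sums the bytes moved in the
// dominant direction of each web transaction and returns the tuples that moved more than
// significantSizeMB in total. This is a visibility (Informational) rule, not a detection of
// malicious intent: tune significantSizeMB to the tenant's normal hourly volumes.
let significantSizeMB = 50;
NetskopeWebTransactions_CL
| where TimeGenerated > ago(1h)
// A transaction with no user cannot be attributed; drop it rather than pool it under "".
| where isnotempty(CsUsername)
| where CsBytes > 0 or ScBytes > 0 or XRsFileSize > 0
// Direction is inferred from which side sent more bytes: client->server is an upload,
// server->client a download. Equal counts are ambiguous and are surfaced as 'Unknown'
// instead of silently disappearing from the totals.
// NOTE(review): if the connector leaves CsBytes or ScBytes null, the comparisons evaluate
// false and those rows also land in 'Unknown' - confirm against live connector data.
| extend Direction = case(
    CsBytes > ScBytes, 'Upload',
    ScBytes > CsBytes, 'Download',
    'Unknown')
| summarize
    // Only the dominant direction's bytes are counted, so an upload's response
    // bytes (and a download's request bytes) do not inflate the totals.
    TotalUploadBytes = sumif(CsBytes, Direction == 'Upload'),
    TotalDownloadBytes = sumif(ScBytes, Direction == 'Download'),
    UploadCount = countif(Direction == 'Upload'),
    DownloadCount = countif(Direction == 'Download'),
    UnknownCount = countif(Direction == 'Unknown'),
    UniqueFiles = dcount(XCsAppObjectName),
    // Every set is capped so one noisy user cannot blow up the alert payload.
    Files = make_set(XCsAppObjectName, 20),
    FileTypes = make_set(XRsFileType, 20),
    Apps = make_set(XCsApp, 20),
    Destinations = make_set(CsHost, 20)
    by CsUsername, XCDevice, XCCountry, bin(TimeGenerated, 1h)
| extend
    TotalUploadMB = round(TotalUploadBytes / 1048576.0, 2),
    TotalDownloadMB = round(TotalDownloadBytes / 1048576.0, 2),
    TotalTransferMB = round((TotalUploadBytes + TotalDownloadBytes) / 1048576.0, 2)
// Threshold applies to the combined dominant-direction volume, not to either side alone.
| where TotalTransferMB > significantSizeMB
| extend DataFlowSummary = strcat('Upload: ', TotalUploadMB, ' MB (', UploadCount, ' ops), Download: ', TotalDownloadMB, ' MB (', DownloadCount, ' ops)')
| project
    TimeGenerated,
    User = CsUsername,
    Device = XCDevice,
    Country = XCCountry,
    TotalUploadMB,
    TotalDownloadMB,
    TotalTransferMB,
    UploadOperations = UploadCount,
    DownloadOperations = DownloadCount,
    // Transactions whose direction could not be determined; not part of the MB totals.
    UnclassifiedOperations = UnknownCount,
    UniqueFiles,
    FilesSample = Files,
    FileTypes,
    Applications = Apps,
    Destinations,
    DataFlowSummary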
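# Netskope - Data Movement Tracking (Upload/Download Monitoring)
# Scheduled Microsoft Sentinel analytic rule over the Netskope Web Transactions log.
# Informational visibility rule: with triggerThreshold 0 / gt it fires whenever any
# user / device / country tuple moves more than significantSizeMB in a one-hour window.
id: cf103180-cb81-4796-921d-3cc7eef4e817
name: Netskope - Data Movement Tracking (Upload/Download Monitoring)
description: |
  Tracks file uploads and downloads per user, device and country in one-hour windows,
  classifying each Netskope web transaction as an upload or download by which side sent
  more bytes. Returns any tuple whose combined upload plus download volume exceeds 50 MB,
  together with the apps, destination hosts and a sample of file names involved.
  Provides visibility into data flow patterns; it does not by itself indicate malicious intent.
severity: Informational
status: Available
requiredDataConnectors:
  - connectorId: NetskopeWebTxConnector
    dataTypes:
      - NetskopeWebTransactions_CL
# Frequency equals period so each run covers exactly one non-overlapping hour.
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - Collection
relevantTechniques:
  - T1567
  - T1074
query: |
  // Tune significantSizeMB to the tenant's normal hourly per-user volumes.
  let significantSizeMB = 50;
  NetskopeWebTransactions_CL
  | where TimeGenerated > ago(1h)
  // A transaction with no user cannot be attributed; drop it rather than pool it under "".
  | where isnotempty(CsUsername)
  | where CsBytes > 0 or ScBytes > 0 or XRsFileSize > 0
  // Direction is inferred from which side sent more bytes: client->server is an upload,
  // server->client a download. Equal counts are ambiguous and are surfaced as 'Unknown'
  // instead of silently disappearing from the totals.
  // NOTE(review): if the connector leaves CsBytes or ScBytes null, the comparisons evaluate
  // false and those rows also land in 'Unknown' - confirm against live connector data.
  | extend Direction = case(
      CsBytes > ScBytes, 'Upload',
      ScBytes > CsBytes, 'Download',
      'Unknown')
  | summarize
      // Only the dominant direction's bytes are counted, so an upload's response
      // bytes (and a download's request bytes) do not inflate the totals.
      TotalUploadBytes = sumif(CsBytes, Direction == 'Upload'),
      TotalDownloadBytes = sumif(ScBytes, Direction == 'Download'),
      UploadCount = countif(Direction == 'Upload'),
      DownloadCount = countif(Direction == 'Download'),
      UnknownCount = countif(Direction == 'Unknown'),
      UniqueFiles = dcount(XCsAppObjectName),
      // Every set is capped so one noisy user cannot blow up the alert payload.
      Files = make_set(XCsAppObjectName, 20),
      FileTypes = make_set(XRsFileType, 20),
      Apps = make_set(XCsApp, 20),
      Destinations = make_set(CsHost, 20)
      by CsUsername, XCDevice, XCCountry, bin(TimeGenerated, 1h)
  | extend
      TotalUploadMB = round(TotalUploadBytes / 1048576.0, 2),
      TotalDownloadMB = round(TotalDownloadBytes / 1048576.0, 2),
      TotalTransferMB = round((TotalUploadBytes + TotalDownloadBytes) / 1048576.0, 2)
  // Threshold applies to the combined dominant-direction volume, not to either side alone.
  | where TotalTransferMB > significantSizeMB
  | extend DataFlowSummary = strcat('Upload: ', TotalUploadMB, ' MB (', UploadCount, ' ops), Download: ', TotalDownloadMB, ' MB (', DownloadCount, ' ops)')
  | project
      TimeGenerated,
      User = CsUsername,
      Device = XCDevice,
      Country = XCCountry,
      TotalUploadMB,
      TotalDownloadMB,
      TotalTransferMB,
      UploadOperations = UploadCount,
      DownloadOperations = DownloadCount,
      // Transactions whose direction could not be determined; not part of the MB totals.
      UnclassifiedOperations = UnknownCount,
      UniqueFiles,
      FilesSample = Files,
      FileTypes,
      Applications = Apps,
      Destinations,
      DataFlowSummary
entityMappings:
  # NOTE(review): if CsUsername is a UPN/email, mapping it as FullName (or splitting it into
  # Name + UPNSuffix) gives better account resolution than Name - confirm against connector data.
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: User
  # The client device is mapped as well so the incident graph links the user to the endpoint.
  # NOTE(review): assumes XCDevice carries the client hostname - confirm.
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Device
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic%20Rules/NetskopeWebtx_Rule2.yaml
version: 1.0.0
kind: Scheduled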