Microsoft Sentinel Analytic Rules

Netskope - Data Movement Tracking (Upload/Download Monitoring)

Id: cf103180-cb81-4796-921d-3cc7eef4e817
Rule name: Netskope - Data Movement Tracking (Upload/Download Monitoring)
Description: Tracks file uploads and downloads, monitoring data movement direction, size, and destination. Provides visibility into data flow patterns.
Severity: Informational
Tactics: Exfiltration, Collection
Techniques: T1567, T1074
Required data connectors: NetskopeWebTxConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule2.yaml
Version: 1.0.0
Arm template: cf103180-cb81-4796-921d-3cc7eef4e817.json
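// Netskope web-transaction data-movement baseline.
// Aggregates upload/download volume per user, device and country over the
// whole lookback window and emits one row per group whose combined volume
// exceeds significantSizeMB. Output columns are consumed by the rule's
// entity mappings (User); StartTime/EndTime bound the aggregated activity.
let lookback = 1h;            // keep equal to the rule's queryPeriod
let significantSizeMB = 50;   // alert threshold on combined upload+download volume, in MB
NetskopeWebTransactions_CL
| where TimeGenerated > ago(lookback)
| where isnotempty(CsUsername)
| where CsBytes > 0 or ScBytes > 0 or XRsFileSize > 0
// Direction is inferred from request vs. response byte counts; equal counts
// are tagged Unknown and contribute to file/app sets but not to the byte totals.
| extend Direction = case(
        CsBytes > ScBytes, 'Upload',
        ScBytes > CsBytes, 'Download',
        'Unknown')
// No bin(TimeGenerated, 1h) here: the lookback window starts at ago(lookback),
// which is not aligned to the hour, so binning could split one user's activity
// across two buckets and keep each below the threshold. All make_set calls are
// capped so a single noisy user cannot produce an oversized alert row.
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    TotalUploadBytes = sumif(CsBytes, Direction == 'Upload'),
    TotalDownloadBytes = sumif(ScBytes, Direction == 'Download'),
    UploadCount = countif(Direction == 'Upload'),
    DownloadCount = countif(Direction == 'Download'),
    UniqueFiles = dcount(XCsAppObjectName),
    Files = make_set(XCsAppObjectName, 20),
    FileTypes = make_set(XRsFileType, 20),
    Apps = make_set(XCsApp, 20),
    Destinations = make_set(CsHost, 20)
    by CsUsername, XCDevice, XCCountry
| extend
    TotalUploadMB = round(TotalUploadBytes / 1048576.0, 2),
    TotalDownloadMB = round(TotalDownloadBytes / 1048576.0, 2),
    TotalTransferMB = round((TotalUploadBytes + TotalDownloadBytes) / 1048576.0, 2)
| where TotalTransferMB > significantSizeMB
| extend DataFlowSummary = strcat('Upload: ', TotalUploadMB, ' MB (', UploadCount, ' ops), Download: ', TotalDownloadMB, ' MB (', DownloadCount, ' ops)')
| project
    TimeGenerated = EndTime,
    StartTime,
    EndTime,
    User = CsUsername,
    Device = XCDevice,
    Country = XCCountry,
    TotalUploadMB,
    TotalDownloadMB,
    TotalTransferMB,
    UploadOperations = UploadCount,
    DownloadOperations = DownloadCount,
    UniqueFiles,
    FilesSample = Files,
    FileTypes,
    Applications = Apps,
    Destinations,
    DataFlowSummary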
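OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule2.yaml
# Scheduled rule: aggregates Netskope web transactions per user/device/country
# over the lookback window and alerts when combined upload+download volume
# exceeds significantSizeMB. Informational severity: this is a data-movement
# baseline for hunting and investigation, not a high-confidence detection.
query: |
  // lookback must stay equal to queryPeriod below; significantSizeMB is the
  // alert threshold on combined upload+download volume, in MB.
  let lookback = 1h;
  let significantSizeMB = 50;
  NetskopeWebTransactions_CL
  | where TimeGenerated > ago(lookback)
  | where isnotempty(CsUsername)
  | where CsBytes > 0 or ScBytes > 0 or XRsFileSize > 0
  // Direction is inferred from request vs. response byte counts; equal counts
  // are tagged Unknown and contribute to file/app sets but not to the byte totals.
  | extend Direction = case(
      CsBytes > ScBytes, 'Upload',
      ScBytes > CsBytes, 'Download',
      'Unknown')
  // No bin(TimeGenerated, 1h): the lookback window starts at ago(lookback),
  // which is not aligned to the hour, so binning could split one user's
  // activity across two buckets and keep each below the threshold. make_set
  // calls are capped so a noisy user cannot produce an oversized alert row.
  | summarize
      StartTime = min(TimeGenerated),
      EndTime = max(TimeGenerated),
      TotalUploadBytes = sumif(CsBytes, Direction == 'Upload'),
      TotalDownloadBytes = sumif(ScBytes, Direction == 'Download'),
      UploadCount = countif(Direction == 'Upload'),
      DownloadCount = countif(Direction == 'Download'),
      UniqueFiles = dcount(XCsAppObjectName),
      Files = make_set(XCsAppObjectName, 20),
      FileTypes = make_set(XRsFileType, 20),
      Apps = make_set(XCsApp, 20),
      Destinations = make_set(CsHost, 20)
      by CsUsername, XCDevice, XCCountry
  | extend
      TotalUploadMB = round(TotalUploadBytes / 1048576.0, 2),
      TotalDownloadMB = round(TotalDownloadBytes / 1048576.0, 2),
      TotalTransferMB = round((TotalUploadBytes + TotalDownloadBytes) / 1048576.0, 2)
  | where TotalTransferMB > significantSizeMB
  | extend DataFlowSummary = strcat('Upload: ', TotalUploadMB, ' MB (', UploadCount, ' ops), Download: ', TotalDownloadMB, ' MB (', DownloadCount, ' ops)')
  | project
      TimeGenerated = EndTime,
      StartTime,
      EndTime,
      User = CsUsername,
      Device = XCDevice,
      Country = XCCountry,
      TotalUploadMB,
      TotalDownloadMB,
      TotalTransferMB,
      UploadOperations = UploadCount,
      DownloadOperations = DownloadCount,
      UniqueFiles,
      FilesSample = Files,
      FileTypes,
      Applications = Apps,
      Destinations,
      DataFlowSummary
# Entity mappings drive the incident's entity graph; column names must match
# the query's project clause above.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: User
# NOTE(review): Device comes from x-c-device, assumed to be the endpoint
# hostname — confirm against the NetskopeWebTx connector schema.
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: Device
kind: Scheduled
# Any row returned by the query (count > 0) raises an alert; the volume
# threshold itself lives in the query (significantSizeMB).
triggerOperator: gt
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - NetskopeWebTransactions_CL
  connectorId: NetskopeWebTxConnector
tactics:
- Exfiltration
- Collection
description: |
  Tracks file uploads and downloads, monitoring data movement direction, size, and destination. Provides visibility into data flow patterns.
# queryPeriod and queryFrequency are equal, so consecutive runs do not overlap;
# the query's lookback value must be kept in sync with queryPeriod.
queryPeriod: 1h
queryFrequency: 1h
version: 1.0.0
severity: Informational
name: Netskope - Data Movement Tracking (Upload/Download Monitoring)
id: cf103180-cb81-4796-921d-3cc7eef4e817
status: Available
relevantTechniques:
- T1567
- T1074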