Microsoft Sentinel Analytic Rules

Netskope - Data Movement Tracking (Upload/Download Monitoring)

Id: cf103180-cb81-4796-921d-3cc7eef4e817
Rule name: Netskope - Data Movement Tracking (Upload/Download Monitoring)
Description: Tracks file uploads and downloads, monitoring data movement direction, size, and destination. Provides visibility into data flow patterns.
Severity: Informational
Tactics: Exfiltration, Collection
Techniques: T1567, T1074
Required data connectors: NetskopeWebTxConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule2.yaml
Version: 1.0.0
Arm template: cf103180-cb81-4796-921d-3cc7eef4e817.json
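// Netskope - Data Movement Tracking (Upload/Download Monitoring)
//
// Aggregates Netskope web-transaction byte volume per user / device / country
// over the rule's lookback and reports every combination whose combined
// upload + download volume exceeds significantSizeMB. The rule is scheduled
// hourly with a 1h query period.
//
// Output: one row per (User, Device, Country) over the threshold, with MB
// totals, operation counts, a capped sample of file names and destination
// hosts, and a human-readable DataFlowSummary.
//
// Reporting threshold in MB for the aggregated transfer volume of one
// user/device/country tuple.
let significantSizeMB = 50;
NetskopeWebTransactions_CL
// The scheduled rule already bounds the query to its 1h query period; the
// explicit ago() keeps the query self-bounding when it is run ad hoc.
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername)
// Keep only transactions that moved bytes in either direction or carry a
// file size; everything else is noise for a volume-based rule.
| where CsBytes > 0 or ScBytes > 0 or XRsFileSize > 0
// Direction is inferred from the dominant byte direction. Ties fall to
// 'Unknown' and are deliberately excluded from the upload/download sums and
// counts below (they still contribute to the file/app/destination sets).
| extend
    Direction = case(
        CsBytes > ScBytes, 'Upload',
        ScBytes > CsBytes, 'Download',
        'Unknown')
// Aggregate across the whole lookback per user/device/country. The window is
// described by FirstSeen/LastSeen instead of bin(TimeGenerated, 1h): a 1h bin
// over a lookback that starts at an arbitrary ago(1h) splits the window into
// two partial buckets, so a transfer straddling the hour boundary is
// thresholded twice at roughly half its size and can fall under the threshold.
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    TotalUploadBytes = sumif(CsBytes, Direction == 'Upload'),
    TotalDownloadBytes = sumif(ScBytes, Direction == 'Download'),
    UploadCount = countif(Direction == 'Upload'),
    DownloadCount = countif(Direction == 'Download'),
    UniqueFiles = dcount(XCsAppObjectName),
    // Sets are capped at 20 so a noisy user cannot blow up the alert payload.
    Files = make_set(XCsAppObjectName, 20),
    FileTypes = make_set(XRsFileType),
    Apps = make_set(XCsApp),
    Destinations = make_set(CsHost, 20)
    by CsUsername, XCDevice, XCCountry
// Convert to MB (1048576 bytes) for the threshold comparison and the summary.
| extend
    TotalUploadMB = round(TotalUploadBytes / 1048576.0, 2),
    TotalDownloadMB = round(TotalDownloadBytes / 1048576.0, 2),
    TotalTransferMB = round((TotalUploadBytes + TotalDownloadBytes) / 1048576.0, 2)
| where TotalTransferMB > significantSizeMB
| extend DataFlowSummary = strcat('Upload: ', TotalUploadMB, ' MB (', UploadCount, ' ops), Download: ', TotalDownloadMB, ' MB (', DownloadCount, ' ops)')
// TimeGenerated is kept as an output column (the latest transaction in the
// window) so downstream consumers keep working; FirstSeen is added so the
// analyst can see how long the activity spanned.
| project
    TimeGenerated = LastSeen,
    FirstSeen,
    User = CsUsername,
    Device = XCDevice,
    Country = XCCountry,
    TotalUploadMB,
    TotalDownloadMB,
    TotalTransferMB,
    UploadOperations = UploadCount,
    DownloadOperations = DownloadCount,
    UniqueFiles,
    FilesSample = Files,
    FileTypes,
    Applications = Apps,
    Destinations,
    DataFlowSummary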
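# Microsoft Sentinel scheduled analytic rule: Netskope - Data Movement
# Tracking (Upload/Download Monitoring). Reports users whose combined
# upload + download volume over the 1h lookback exceeds the threshold set
# in the query (significantSizeMB).
description: |
    Tracks file uploads and downloads, monitoring data movement direction, size, and destination. Provides visibility into data flow patterns.
status: Available
tactics:
- Exfiltration
- Collection
# Any result row creates an alert (gt 0); the volume threshold lives in the query.
triggerOperator: gt
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule2.yaml
id: cf103180-cb81-4796-921d-3cc7eef4e817
version: 1.0.0
requiredDataConnectors:
- dataTypes:
  - NetskopeWebTransactions_CL
  connectorId: NetskopeWebTxConnector
triggerThreshold: 0
# Frequency equals period, so consecutive runs tile the timeline without overlap;
# the query therefore aggregates over the whole window rather than a 1h bin (see
# the comment inside the query).
queryPeriod: 1h
query: |
  // Reporting threshold in MB for the aggregated transfer volume of one
  // user/device/country tuple.
  let significantSizeMB = 50;
  NetskopeWebTransactions_CL
  // The scheduled rule already bounds the query to its 1h query period; the
  // explicit ago() keeps the query self-bounding when it is run ad hoc.
  | where TimeGenerated > ago(1h)
  | where isnotempty(CsUsername)
  // Keep only transactions that moved bytes in either direction or carry a file size.
  | where CsBytes > 0 or ScBytes > 0 or XRsFileSize > 0
  // Direction is inferred from the dominant byte direction. Ties fall to
  // 'Unknown' and are excluded from the upload/download sums and counts below.
  | extend
      Direction = case(
          CsBytes > ScBytes, 'Upload',
          ScBytes > CsBytes, 'Download',
          'Unknown')
  // Aggregate across the whole lookback per user/device/country. FirstSeen/LastSeen
  // replace bin(TimeGenerated, 1h): a 1h bin over a lookback starting at an
  // arbitrary ago(1h) splits the window into two partial buckets, so a transfer
  // straddling the hour boundary is thresholded at roughly half its size.
  | summarize
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated),
      TotalUploadBytes = sumif(CsBytes, Direction == 'Upload'),
      TotalDownloadBytes = sumif(ScBytes, Direction == 'Download'),
      UploadCount = countif(Direction == 'Upload'),
      DownloadCount = countif(Direction == 'Download'),
      UniqueFiles = dcount(XCsAppObjectName),
      // Sets are capped at 20 so a noisy user cannot blow up the alert payload.
      Files = make_set(XCsAppObjectName, 20),
      FileTypes = make_set(XRsFileType),
      Apps = make_set(XCsApp),
      Destinations = make_set(CsHost, 20)
      by CsUsername, XCDevice, XCCountry
  // Convert to MB (1048576 bytes) for the threshold comparison and the summary.
  | extend
      TotalUploadMB = round(TotalUploadBytes / 1048576.0, 2),
      TotalDownloadMB = round(TotalDownloadBytes / 1048576.0, 2),
      TotalTransferMB = round((TotalUploadBytes + TotalDownloadBytes) / 1048576.0, 2)
  | where TotalTransferMB > significantSizeMB
  | extend DataFlowSummary = strcat('Upload: ', TotalUploadMB, ' MB (', UploadCount, ' ops), Download: ', TotalDownloadMB, ' MB (', DownloadCount, ' ops)')
  // TimeGenerated stays an output column (latest transaction in the window);
  // FirstSeen is added so the analyst can see how long the activity spanned.
  | project
      TimeGenerated = LastSeen,
      FirstSeen,
      User = CsUsername,
      Device = XCDevice,
      Country = XCCountry,
      TotalUploadMB,
      TotalDownloadMB,
      TotalTransferMB,
      UploadOperations = UploadCount,
      DownloadOperations = DownloadCount,
      UniqueFiles,
      FilesSample = Files,
      FileTypes,
      Applications = Apps,
      Destinations,
      DataFlowSummary
# Only the user is mapped to an entity. NOTE(review): Device (XCDevice) and
# Destinations (CsHost) are not mapped; if XCDevice is a hostname in this
# connector's schema, a Host mapping would let incidents correlate on it —
# confirm against the NetskopeWebTransactions_CL schema before adding.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: User
relevantTechniques:
- T1567
- T1074
name: Netskope - Data Movement Tracking (Upload/Download Monitoring)
severity: Informational
kind: Scheduled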