Microsoft Sentinel Analytic Rules

Netskope - Repeated or Critical Policy Violations

Iddacab67e-fcf3-41c6-a191-579c7be1814d
RulenameNetskope - Repeated or Critical Policy Violations
DescriptionDetects users whose Netskope web transactions in the last hour hit 5 or more policy block/alert actions, or at least one policy block. Results are grouped per user, country and device. Monitors policy enforcement effectiveness and compliance.
SeverityHigh
TacticsDefenseEvasion
Exfiltration
TechniquesT1562
T1048
Required data connectorsNetskopeWebTxConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule8.yaml
Version1.0.0
Arm templatedacab67e-fcf3-41c6-a191-579c7be1814d.json
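// Netskope - Repeated or Critical Policy Violations
//
// Flags users whose Netskope web transactions inside the lookback window were
// met with a policy 'block' or 'alert' action either repeatedly (at least
// violationThreshold block+alert rows) or with at least blockThreshold blocks.
// Aggregation is per (user, country, device) tuple, so a user seen from two
// devices or two countries is counted and thresholded separately for each.
//
// Tunables (the defaults reproduce the original rule's behaviour):
//   lookback           - window examined; keep it in step with the rule's queryPeriod
//   violationThreshold - block+alert row count that fires on its own
//   blockThreshold     - block row count that fires on its own (1 = any single block fires)
//   maxSetItems        - cap on each make_set() so one noisy user cannot bloat the alert payload
let lookback = 1h;
let violationThreshold = 5;
let blockThreshold = 1;
let maxSetItems = 100;
NetskopeWebTransactions_CL
| where TimeGenerated > ago(lookback)
// The user name is the only mapped entity; rows without one cannot be attributed and are dropped.
| where isnotempty(CsUsername)
| where isnotempty(XPolicyName)
// Only enforcement outcomes count as violations. =~ is case-insensitive, so
// 'Block' / 'BLOCK' match too; an empty XPolicyAction never matches either value.
| where XPolicyAction =~ 'block' or XPolicyAction =~ 'alert'
| summarize
    ViolationCount = count(),
    Policies = make_set(XPolicyName, maxSetItems),
    PolicyActions = make_set(XPolicyAction, maxSetItems),
    Apps = make_set(XCsApp, maxSetItems),
    Hosts = make_set(CsHost, maxSetItems),
    Activities = make_set(XCsAppActivity, maxSetItems),
    BlockCount = countif(XPolicyAction =~ 'block'),
    AlertCount = countif(XPolicyAction =~ 'alert'),
    FirstViolation = min(TimeGenerated),
    LastViolation = max(TimeGenerated)
    by CsUsername, XCCountry, XCDevice
// Either path fires the rule; with blockThreshold = 1 a single block is enough,
// so expect one alert per blocked (user, country, device) tuple per run.
| where ViolationCount >= violationThreshold or BlockCount >= blockThreshold
// Triage hint only. The rule's own severity applies to every alert it raises;
// this column is not wired to the alert severity, and 'Critical' is not one of
// Sentinel's alert severities (Informational/Low/Medium/High), so it cannot be
// mapped via an alert-details override without renaming it first.
| extend ViolationSeverity = case(
    BlockCount > 10, 'Critical',
    BlockCount > 5, 'High',
    ViolationCount > 20, 'High',
    ViolationCount > 10, 'Medium',
    'Low')
| project
    // Alert timestamp is the most recent violation in the window, not the run time.
    TimeGenerated = LastViolation,
    User = CsUsername,
    TotalViolations = ViolationCount,
    BlockedAttempts = BlockCount,
    AlertedActions = AlertCount,
    ViolatedPolicies = Policies,
    PolicyActions,
    ApplicationsInvolved = Apps,
    TargetHosts = Hosts,
    Activities,
    Country = XCCountry,
    Device = XCDevice,
    ViolationSeverity,
    FirstOccurrence = FirstViolation,
    LastOccurrence = LastViolation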
# Scheduled analytic rule: Netskope - Repeated or Critical Policy Violations.
# Source table: NetskopeWebTransactions_CL (Netskope web transaction log).
id: dacab67e-fcf3-41c6-a191-579c7be1814d
# With triggerThreshold 0 and operator 'gt', any row returned by the query raises an alert.
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule8.yaml
# Only the Account entity is mapped (from the projected User column); the
# Country and Device columns in the result are not mapped to any entity.
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: User
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - NetskopeWebTransactions_CL
  connectorId: NetskopeWebTxConnector
# Period equals frequency and the query also hard-codes ago(1h): a transaction
# that is ingested after the hourly run that should have covered it is never
# evaluated. NOTE(review): a queryPeriod a little longer than queryFrequency
# (with the query's ago() adjusted to match) would close that gap at the cost
# of possibly alerting twice on the same violations - confirm which is preferred.
queryFrequency: 1h
queryPeriod: 1h
status: Available
# Aggregates block/alert policy actions per (user, country, device) and returns
# tuples with >= 5 such rows or at least one block. The ViolationSeverity
# column it computes is informational only: no alert-details override is
# declared, so every alert carries the rule severity below.
query: |
  let violationThreshold = 5;
  NetskopeWebTransactions_CL
  | where TimeGenerated > ago(1h)
  | where isnotempty(CsUsername)
  | where isnotempty(XPolicyAction) and isnotempty(XPolicyName)
  | where XPolicyAction =~ 'block' or XPolicyAction =~ 'alert'
  | summarize 
      ViolationCount = count(),
      Policies = make_set(XPolicyName),
      PolicyActions = make_set(XPolicyAction),
      Apps = make_set(XCsApp),
      Hosts = make_set(CsHost),
      Activities = make_set(XCsAppActivity),
      BlockCount = countif(XPolicyAction =~ 'block'),
      AlertCount = countif(XPolicyAction =~ 'alert'),
      FirstViolation = min(TimeGenerated),
      LastViolation = max(TimeGenerated)
      by CsUsername, XCCountry, XCDevice
  | where ViolationCount >= violationThreshold or BlockCount > 0
  | extend ViolationSeverity = case(
      BlockCount > 10, 'Critical',
      BlockCount > 5, 'High',
      ViolationCount > 20, 'High',
      ViolationCount > 10, 'Medium',
      'Low')
  | project 
      TimeGenerated = LastViolation,
      User = CsUsername,
      TotalViolations = ViolationCount,
      BlockedAttempts = BlockCount,
      AlertedActions = AlertCount,
      ViolatedPolicies = Policies,
      PolicyActions,
      ApplicationsInvolved = Apps,
      TargetHosts = Hosts,
      Activities,
      Country = XCCountry,
      Device = XCDevice,
      ViolationSeverity,
      FirstOccurrence = FirstViolation,
      LastOccurrence = LastViolation  
name: Netskope - Repeated or Critical Policy Violations
kind: Scheduled
tactics:
- DefenseEvasion
- Exfiltration
# Applies to every alert, including a single 'Low' ViolationSeverity row
# produced by one blocked request; expect volume accordingly.
severity: High
relevantTechniques:
- T1562
- T1048
triggerThreshold: 0
version: 1.0.0
description: |
    Detects users with repeated policy violations or critical policy blocks. Monitors policy enforcement effectiveness and compliance.