Microsoft Sentinel Analytic Rules

Netskope - Anomalous User Behavior High Volume from Unmanaged Device

Id: fa4c4f1c-3c5f-4c3a-a13f-924c30db56e9
Rule name: Netskope - Anomalous User Behavior (High Volume from Unmanaged Device)
Description: Detects anomalous user behavior including high data volume transfers from unmanaged devices, unusual access patterns, and suspicious application usage. Concretely, the query fires for any user / device-classification / access-method combination that moved more than 1 GB of web-transaction traffic in the last hour and that is either from a device classified as unmanaged (or not using the Netskope client), moved more than 5 GB, or accessed more than 20 distinct applications.
Severity: Medium
Tactics: Exfiltration, Collection
Techniques: T1567, T1074
Required data connectors: NetskopeWebTxConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule1.yaml
Version: 1.0.0
Arm template: fa4c4f1c-3c5f-4c3a-a13f-924c30db56e9.json
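// Netskope - Anomalous User Behavior (High Volume from Unmanaged Device)
//
// Aggregates the last hour of NetskopeWebTransactions_CL per user, device
// classification and access method, keeps only combinations that moved more
// than highVolumeThresholdGB, and then fires when at least one of these holds:
//   - the device is classified as unmanaged (or the access method is not the client),
//   - total volume exceeds veryHighVolumeThresholdGB,
//   - more than manyAppsThreshold distinct applications were accessed.
// RiskIndicators summarises which of those conditions (plus a purely
// informational "Multiple Countries" marker) matched.
//
// Tuning: all three thresholds are deliberately exposed as `let` values so they
// can be raised for tenants with legitimate bulk traffic (backup/sync clients)
// without touching the logic below.
let highVolumeThresholdGB = 1;       // minimum hourly volume before a row is considered at all
let veryHighVolumeThresholdGB = 5;   // hourly volume that is suspicious even from a managed device
let manyAppsThreshold = 20;          // distinct apps that is suspicious even from a managed device
let bytesPerGB = 1073741824.0;       // 2^30: thresholds are GiB, not decimal GB
NetskopeWebTransactions_CL
// NOTE(review): the look-back equals the scheduled run interval (1h), so
// events that are ingested late can fall between two runs. Widen the window
// (and the rule's queryPeriod) if ingestion latency is a concern.
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername)
// One row per user / device classification / access method. XCDevice and
// XCsAccessMethod are group keys here, so no make_set() over them is needed:
// each group holds exactly one value of each.
| summarize
    TotalBytes = sum(Bytes),
    UploadBytes = sum(CsBytes),
    DownloadBytes = sum(ScBytes),
    UniqueApps = dcount(XCsApp),
    Apps = make_set(XCsApp, 20),
    UniqueHosts = dcount(CsHost),
    Activities = make_set(XCsAppActivity),
    Countries = make_set(XCCountry),
    EventCount = count()
    by CsUsername, XCDevice, XCsAccessMethod
| extend
    TotalGB = round(TotalBytes / bytesPerGB, 3),
    UploadGB = round(UploadBytes / bytesPerGB, 3),
    DownloadGB = round(DownloadBytes / bytesPerGB, 3)
| where TotalGB > highVolumeThresholdGB
// Device classification is matched case-insensitively. Access method is NOT:
// anything other than the literal 'Client' (including an empty value) counts
// as unmanaged. NOTE(review): confirm the XCsAccessMethod values actually
// emitted in this tenant before relying on that second clause.
| extend IsUnmanagedDevice = XCDevice in~ ('unmanaged', 'BYOD', 'Personal', 'Unknown') or XCsAccessMethod != 'Client'
| where IsUnmanagedDevice or TotalGB > veryHighVolumeThresholdGB or UniqueApps > manyAppsThreshold
| extend RiskIndicators = strcat_array(array_concat(
    iff(IsUnmanagedDevice, dynamic(['Unmanaged Device']), dynamic([])),
    iff(TotalGB > veryHighVolumeThresholdGB, dynamic(['High Data Volume']), dynamic([])),
    iff(UniqueApps > manyAppsThreshold, dynamic(['Many Apps Accessed']), dynamic([])),
    // Informational only: more than one country in the window is reported but
    // does not by itself make the row fire.
    iff(array_length(Countries) > 1, dynamic(['Multiple Countries']), dynamic([]))
), ', ')
| project
    TimeGenerated = now(),
    User = CsUsername,
    Device = XCDevice,
    AccessMethod = XCsAccessMethod,
    TotalDataGB = TotalGB,
    UploadGB,
    DownloadGB,
    UniqueApplications = UniqueApps,
    Applications = Apps,
    UniqueHosts,
    Activities,
    Countries,
    EventCount,
    IsUnmanagedDevice,
    RiskIndicators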
# Scheduled analytic rule: Netskope - Anomalous User Behavior
# (High Volume from Unmanaged Device). Source: Azure-Sentinel repo,
# Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule1.yaml.
requiredDataConnectors:
- dataTypes:
  - NetskopeWebTransactions_CL
  connectorId: NetskopeWebTxConnector
relevantTechniques:
- T1567
- T1074
# Fires whenever the query returns more than 0 rows (gt / 0).
triggerOperator: gt
version: 1.0.0
# queryFrequency and queryPeriod are both 1h, and the query additionally
# filters on ago(1h). NOTE(review): with look-back equal to the run interval,
# events ingested late can fall between two consecutive runs; widen queryPeriod
# (and the query's ago()) if ingestion latency is a concern.
queryFrequency: 1h
severity: Medium
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: User
    identifier: Name
  entityType: Account
# NOTE(review): the Device column holds the XCDevice classification value (the
# query matches it against 'unmanaged' / 'BYOD' / 'Personal' / 'Unknown'), not a
# machine name. Mapping it to Host.HostName will create Host entities named
# after a classification label; confirm this is intended or map a column that
# identifies the actual device, if the connector provides one.
- fieldMappings:
  - columnName: Device
    identifier: HostName
  entityType: Host
name: Netskope - Anomalous User Behavior (High Volume from Unmanaged Device)
# Query logic: keep user/device-classification/access-method groups that moved
# more than highVolumeThresholdGB (1 GiB) in the last hour, then fire if the
# device is classified unmanaged (or access method is not 'Client'), or total
# volume exceeds 5 GiB, or more than 20 distinct apps were accessed.
# RiskIndicators lists which of those matched, plus an informational
# 'Multiple Countries' marker that does not itself trigger.
query: |
  let highVolumeThresholdGB = 1;
  NetskopeWebTransactions_CL
  | where TimeGenerated > ago(1h)
  | where isnotempty(CsUsername)
  | summarize 
      TotalBytes = sum(Bytes),
      UploadBytes = sum(CsBytes),
      DownloadBytes = sum(ScBytes),
      UniqueApps = dcount(XCsApp),
      Apps = make_set(XCsApp, 20),
      UniqueHosts = dcount(CsHost),
      Activities = make_set(XCsAppActivity),
      Countries = make_set(XCCountry),
      Devices = make_set(XCDevice),
      AccessMethods = make_set(XCsAccessMethod),
      EventCount = count()
      by CsUsername, XCDevice, XCsAccessMethod
  | extend 
      TotalGB = round(TotalBytes / 1073741824.0, 3),
      UploadGB = round(UploadBytes / 1073741824.0, 3),
      DownloadGB = round(DownloadBytes / 1073741824.0, 3)
  | where TotalGB > highVolumeThresholdGB
  | extend IsUnmanagedDevice = XCDevice =~ 'unmanaged' or XCDevice =~ 'BYOD' or XCDevice =~ 'Personal' or XCDevice =~ 'Unknown' or XCsAccessMethod != 'Client'
  | where IsUnmanagedDevice or TotalGB > 5 or UniqueApps > 20
  | extend RiskIndicators = strcat_array(array_concat(
      iff(IsUnmanagedDevice, dynamic(['Unmanaged Device']), dynamic([])),
      iff(TotalGB > 5, dynamic(['High Data Volume']), dynamic([])),
      iff(UniqueApps > 20, dynamic(['Many Apps Accessed']), dynamic([])),
      iff(array_length(Countries) > 1, dynamic(['Multiple Countries']), dynamic([]))
  ), ', ')
  | project 
      TimeGenerated = now(),
      User = CsUsername,
      Device = XCDevice,
      AccessMethod = XCsAccessMethod,
      TotalDataGB = TotalGB,
      UploadGB,
      DownloadGB,
      UniqueApplications = UniqueApps,
      Applications = Apps,
      UniqueHosts,
      Activities,
      Countries,
      EventCount,
      IsUnmanagedDevice,
      RiskIndicators  
tactics:
- Exfiltration
- Collection
queryPeriod: 1h
description: |
    Detects anomalous user behavior including high data volume transfers from unmanaged devices, unusual access patterns, and suspicious application usage.
kind: Scheduled
id: fa4c4f1c-3c5f-4c3a-a13f-924c30db56e9
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule1.yaml
status: Available