Microsoft Sentinel Analytic Rules

Netskope - Anomalous User Behavior High Volume from Unmanaged Device

Idfa4c4f1c-3c5f-4c3a-a13f-924c30db56e9
RulenameNetskope - Anomalous User Behavior (High Volume from Unmanaged Device)
DescriptionDetects anomalous user behavior including high data volume transfers from unmanaged devices, unusual access patterns, and suspicious application usage.
SeverityMedium
TacticsExfiltration
Collection
TechniquesT1567
T1074
Required data connectorsNetskopeWebTxConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule1.yaml
Version1.0.0
Arm templatefa4c4f1c-3c5f-4c3a-a13f-924c30db56e9.json
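// Netskope - Anomalous User Behavior (High Volume from Unmanaged Device)
//
// Aggregates Netskope web transactions per (user, device class, access method)
// over the last hour and emits one row per group that moved more than
// highVolumeThresholdGB AND is either from an unmanaged device, very high
// volume, or touching many distinct applications.
//
// Thresholds are bound once here so the tuning point is in one place instead
// of being repeated as literals in the where/extend clauses below.
let highVolumeThresholdGB = 1;        // minimum volume (GB) for a group to be considered at all
let veryHighVolumeThresholdGB = 5;    // flags 'High Data Volume' on its own, even for managed devices
let manyAppsThreshold = 20;           // distinct apps above which 'Many Apps Accessed' is flagged
NetskopeWebTransactions_CL
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername)
| summarize
    TotalBytes = sum(Bytes),
    UploadBytes = sum(CsBytes),
    DownloadBytes = sum(ScBytes),
    UniqueApps = dcount(XCsApp),
    Apps = make_set(XCsApp, 20),
    UniqueHosts = dcount(CsHost),
    Activities = make_set(XCsAppActivity),
    Countries = make_set(XCCountry),
    EventCount = count(),
    // Actual time span of the aggregated events; TimeGenerated below is the
    // evaluation time, so without these the alert loses when the transfer happened.
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated)
    by CsUsername, XCDevice, XCsAccessMethod
| extend
    TotalGB = round(TotalBytes / 1073741824.0, 3),
    UploadGB = round(UploadBytes / 1073741824.0, 3),
    DownloadGB = round(DownloadBytes / 1073741824.0, 3)
| where TotalGB > highVolumeThresholdGB
// Device classification. The device-class labels are matched case-insensitively,
// so the access-method test uses the case-insensitive !~ as well; mixing =~ with
// the case-sensitive != would classify e.g. 'client' as not-the-Client.
// NOTE: an empty XCsAccessMethod also satisfies !~ 'Client' and is treated as unmanaged.
| extend IsUnmanagedDevice = XCDevice in~ ('unmanaged', 'BYOD', 'Personal', 'Unknown') or XCsAccessMethod !~ 'Client'
| where IsUnmanagedDevice or TotalGB > veryHighVolumeThresholdGB or UniqueApps > manyAppsThreshold
// Human-readable list of which conditions fired, for triage.
| extend RiskIndicators = strcat_array(array_concat(
    iff(IsUnmanagedDevice, dynamic(['Unmanaged Device']), dynamic([])),
    iff(TotalGB > veryHighVolumeThresholdGB, dynamic(['High Data Volume']), dynamic([])),
    iff(UniqueApps > manyAppsThreshold, dynamic(['Many Apps Accessed']), dynamic([])),
    iff(array_length(Countries) > 1, dynamic(['Multiple Countries']), dynamic([]))
), ', ')
| project
    TimeGenerated = now(),
    StartTime,
    EndTime,
    User = CsUsername,
    Device = XCDevice,
    AccessMethod = XCsAccessMethod,
    TotalDataGB = TotalGB,
    UploadGB,
    DownloadGB,
    UniqueApplications = UniqueApps,
    Applications = Apps,
    UniqueHosts,
    Activities,
    Countries,
    EventCount,
    IsUnmanagedDevice,
    RiskIndicators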
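id: fa4c4f1c-3c5f-4c3a-a13f-924c30db56e9
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule1.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: User
  entityType: Account
# NOTE(review): Device carries XCDevice, which the query compares against
# category labels (unmanaged/BYOD/Personal/Unknown) rather than hostnames;
# confirm mapping it to Host.HostName is intended.
- fieldMappings:
  - identifier: HostName
    columnName: Device
  entityType: Host
requiredDataConnectors:
- dataTypes:
  - NetskopeWebTransactions_CL
  connectorId: NetskopeWebTxConnector
queryFrequency: 1h
queryPeriod: 1h
status: Available
query: |
  // Aggregates Netskope web transactions per (user, device class, access method)
  // over the last hour and emits one row per group that moved more than
  // highVolumeThresholdGB AND is either from an unmanaged device, very high
  // volume, or touching many distinct applications.
  // Thresholds are bound once here so the tuning point is in one place.
  let highVolumeThresholdGB = 1;        // minimum volume (GB) for a group to be considered at all
  let veryHighVolumeThresholdGB = 5;    // flags 'High Data Volume' on its own, even for managed devices
  let manyAppsThreshold = 20;           // distinct apps above which 'Many Apps Accessed' is flagged
  NetskopeWebTransactions_CL
  | where TimeGenerated > ago(1h)
  | where isnotempty(CsUsername)
  | summarize
      TotalBytes = sum(Bytes),
      UploadBytes = sum(CsBytes),
      DownloadBytes = sum(ScBytes),
      UniqueApps = dcount(XCsApp),
      Apps = make_set(XCsApp, 20),
      UniqueHosts = dcount(CsHost),
      Activities = make_set(XCsAppActivity),
      Countries = make_set(XCCountry),
      EventCount = count(),
      // Actual time span of the aggregated events; TimeGenerated below is the
      // evaluation time, so without these the alert loses when the transfer happened.
      StartTime = min(TimeGenerated),
      EndTime = max(TimeGenerated)
      by CsUsername, XCDevice, XCsAccessMethod
  | extend
      TotalGB = round(TotalBytes / 1073741824.0, 3),
      UploadGB = round(UploadBytes / 1073741824.0, 3),
      DownloadGB = round(DownloadBytes / 1073741824.0, 3)
  | where TotalGB > highVolumeThresholdGB
  // Device classification. The device-class labels are matched case-insensitively,
  // so the access-method test uses the case-insensitive !~ as well; mixing =~ with
  // the case-sensitive != would classify e.g. 'client' as not-the-Client.
  // NOTE: an empty XCsAccessMethod also satisfies !~ 'Client' and is treated as unmanaged.
  | extend IsUnmanagedDevice = XCDevice in~ ('unmanaged', 'BYOD', 'Personal', 'Unknown') or XCsAccessMethod !~ 'Client'
  | where IsUnmanagedDevice or TotalGB > veryHighVolumeThresholdGB or UniqueApps > manyAppsThreshold
  // Human-readable list of which conditions fired, for triage.
  | extend RiskIndicators = strcat_array(array_concat(
      iff(IsUnmanagedDevice, dynamic(['Unmanaged Device']), dynamic([])),
      iff(TotalGB > veryHighVolumeThresholdGB, dynamic(['High Data Volume']), dynamic([])),
      iff(UniqueApps > manyAppsThreshold, dynamic(['Many Apps Accessed']), dynamic([])),
      iff(array_length(Countries) > 1, dynamic(['Multiple Countries']), dynamic([]))
  ), ', ')
  | project
      TimeGenerated = now(),
      StartTime,
      EndTime,
      User = CsUsername,
      Device = XCDevice,
      AccessMethod = XCsAccessMethod,
      TotalDataGB = TotalGB,
      UploadGB,
      DownloadGB,
      UniqueApplications = UniqueApps,
      Applications = Apps,
      UniqueHosts,
      Activities,
      Countries,
      EventCount,
      IsUnmanagedDevice,
      RiskIndicators
name: Netskope - Anomalous User Behavior (High Volume from Unmanaged Device)
kind: Scheduled
tactics:
- Exfiltration
- Collection
severity: Medium
relevantTechniques:
- T1567
- T1074
triggerThreshold: 0
version: 1.0.0
# The conditions the query actually evaluates are: volume above the GB
# thresholds, unmanaged device class / non-Client access method, more than
# 20 distinct apps, and more than one source country in the window.
description: |
    Detects anomalous user behavior including high data volume transfers from unmanaged devices, unusual access patterns, and suspicious application usage.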