Query Details

Netskope - Credential Phishing Submission Detection

75 NK Credential Phishing Submission

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let PhishingCategories = dynamic([
    "Phishing", "Phishing and Other Frauds", "Suspicious",
    "Newly Observed Domain", "Newly Registered Domain"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s) and isnotempty(domain_s)
| where category_s in (PhishingCategories)
    or severity_s in ("high", "critical")
| where activity_s has_any ("Upload", "Post", "Submit", "Login", "FormSubmit")
    or todouble(bytes_uploaded_d) > 100
| summarize
    SubmissionCount   = count(),
    TotalBytesPosted  = sum(todouble(bytes_uploaded_d)),
    UniqueURLs        = dcount(url_s),
    URLSamples        = make_set(url_s, 10),
    Categories        = make_set(category_s, 5),
    Activities        = make_set(activity_s, 5),
    SourceIPs         = make_set(srcip_s, 5),
    DstCountries      = make_set(dst_country_s, 5),
    Actions           = make_set(action_s, 5),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by user_s, domain_s
| order by SubmissionCount desc

Explanation

This query is designed to detect potential credential phishing activities by monitoring user data submissions to suspicious or phishing domains. Here's a simplified breakdown:

  1. Purpose: The query identifies users who have uploaded or submitted data (like form submissions or logins) to domains flagged as "Phishing" or "Suspicious" by Netskope. This is more specific than just visiting a phishing site; it focuses on actual data submission, which might indicate credential entry.

  2. Data Source: It uses data from the NetskopeWebTx_CL table, which is ingested via Blob Storage.

  3. Detection Criteria:

    • The query looks at activities over the past day (1 day).
    • It filters for users and domains that are not empty.
    • It checks if the domain is categorized under phishing-related categories or has a high or critical severity.
    • It focuses on activities like "Upload", "Post", "Submit", "Login", or "FormSubmit", or if the uploaded data size is more than 100 bytes.
  4. Output:

    • It summarizes the data by counting submissions, totaling bytes uploaded, and listing unique URLs, categories, activities, source IPs, destination countries, and actions.
    • It records the first and last time the activity was seen.
  5. Alerting:

    • If any suspicious activity is detected, an alert is generated with details like the user, domain, submission count, and categories.
    • Alerts are grouped by user accounts to manage incidents effectively.
  6. Severity and Techniques:

    • The severity of this detection is marked as "High".
    • It aligns with MITRE ATT&CK techniques for phishing (T1566) and input capture (T1056).

In essence, this query helps identify potential credential theft by monitoring data submissions to risky domains, allowing for timely alerts and incident management.

Details

David Alonso profile picture

David Alonso

Released: May 14, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopePhishingSuspiciousUsersDomainsCredentialsDataSubmissionActivitiesURLsSourceIPsDstCountriesActionsTimeGenerated

Operators

letdatatabledynamicunionisfuzzywhereagoisnotemptyinhas_anytodoublesummarizecountsumdcountmake_setminmaxbyorder bydesc

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: PT15M

Period: P1D

Actions

GitHub