Detection rules › Kusto
Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour)
Detects when a user accesses resources from two distinct countries within less than 1 hour, indicating potential credential compromise or VPN abuse.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
Rule body kusto
id: d1b88716-3cd4-4585-a9a2-2dd2c9b04ecb
name: Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour)
description: |
Detects when a user accesses resources from two distinct countries within less than 1 hour, indicating potential credential compromise or VPN abuse.
severity: High
status: Available
requiredDataConnectors:
- connectorId: NetskopeWebTxConnector
dataTypes:
- NetskopeWebTransactions_CL
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- CredentialAccess
relevantTechniques:
- T1078
query: |
let timeWindow = 1h;
NetskopeWebTransactions_CL
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername) and isnotempty(XCCountry)
| summarize
Countries = make_set(XCCountry),
Locations = make_set(XCLocation),
IPs = make_set(CIp),
MinTime = min(TimeGenerated),
MaxTime = max(TimeGenerated),
EventCount = count()
by CsUsername, bin(TimeGenerated, timeWindow)
| where array_length(Countries) > 1
| extend TimeDiffMinutes = datetime_diff('minute', MaxTime, MinTime)
| where TimeDiffMinutes < 60
| project
TimeGenerated,
User = CsUsername,
DistinctCountries = Countries,
Locations,
SourceIPs = IPs,
TimeDifferenceMinutes = TimeDiffMinutes,
EventCount,
AlertDetails = strcat('User ', CsUsername, ' accessed from ', array_length(Countries), ' countries within ', TimeDiffMinutes, ' minutes')
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: User
version: 1.0.0
kind: Scheduled
Stages and Predicates
Parameters
let timeWindow = 1h;
Stage 1: source
NetskopeWebTransactions_CL
Stage 2: where
| where TimeGenerated > ago(1h)
Stage 3: where
| where isnotempty(CsUsername) and isnotempty(XCCountry)
Stage 4: summarize
| summarize
Countries = make_set(XCCountry),
Locations = make_set(XCLocation),
IPs = make_set(CIp),
MinTime = min(TimeGenerated),
MaxTime = max(TimeGenerated),
EventCount = count()
by CsUsername, bin(TimeGenerated, timeWindow)
Stage 5: where
| where array_length(Countries) > 1
Stage 6: extend
| extend TimeDiffMinutes = datetime_diff('minute', MaxTime, MinTime)
Stage 7: where
| where TimeDiffMinutes < 60
Stage 8: project
| project
TimeGenerated,
User = CsUsername,
DistinctCountries = Countries,
Locations,
SourceIPs = IPs,
TimeDifferenceMinutes = TimeDiffMinutes,
EventCount,
AlertDetails = strcat('User ', CsUsername, ' accessed from ', array_length(Countries), ' countries within ', TimeDiffMinutes, ' minutes')
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Countries | gt |
|
CsUsername | is_not_null | |
TimeDiffMinutes | lt |
|
XCCountry | is_not_null |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
AlertDetails | project |
DistinctCountries | project |
EventCount | project |
Locations | project |
SourceIPs | project |
TimeDifferenceMinutes | project |
TimeGenerated | project |
User | project |