What Changed

New Netskope Secure Web Gateway solution provides comprehensive monitoring of web transactions with 10 analytic rules, a CCF-based data connector, a parser, and a workbook dashboard.

Data Source

Netskope Web Transaction logs ingested via a CCF connector using Azure Blob Storage and Event Grid. Populates the NetskopeWebTransactions_CL table for analysis of user web activity, application usage, and data movement.

Ingestion Mechanism

CCF-based connector with a DCR configuration for blob storage polling and Event Grid notifications. Includes a custom table schema with comprehensive web transaction field mapping.

Detection Surface Unlocked

New detection coverage for:

  • Impossible travel - Users accessing from multiple countries within 1 hour
  • Data exfiltration patterns - Excessive downloads vs 7-day baseline (3x threshold)
  • Shadow IT detection - Unsanctioned/risky cloud app access based on Cloud Confidence Level
  • Personal cloud storage abuse - Heavy usage of personal Dropbox, Google Drive, OneDrive
  • Anomalous user behavior - High volume transfers from unmanaged devices
  • Policy violations - Repeated or critical policy blocks
  • Data movement tracking - Upload/download monitoring with size thresholds
  • Suspicious network context - Unusual IPs/geography/ports
  • DLP violations - Large data uploads indicating potential exfiltration
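As an added illustration of the "excessive downloads vs 7-day baseline (3x threshold)" check above, the query below (written for this summary, not one of the solution's own rules) runs the baseline comparison over a constructed datatable that stands in for NetskopeWebTransactions_CL; the column names user_s and download_bytes_d, the daily comparison window and the fixed end time are assumptions, and a deployed rule would use ago() instead of a literal end time.

```kql
// Constructed sample rows standing in for NetskopeWebTransactions_CL.
// user_s / download_bytes_d are assumed column names, not the solution's schema.
let SampleTx = datatable(TimeGenerated:datetime, user_s:string, download_bytes_d:long)
[
    // alice: 700 MB spread over the baseline week (~100 MB/day) ...
    datetime(2024-06-01 09:00:00), "alice@example.com", 250000000,
    datetime(2024-06-03 14:30:00), "alice@example.com", 300000000,
    datetime(2024-06-06 11:15:00), "alice@example.com", 150000000,
    // ... then 350 MB in the most recent day (3.5x baseline -> alert)
    datetime(2024-06-08 08:05:00), "alice@example.com", 350000000,
    // bob: 1400 MB over the baseline week (~200 MB/day), 250 MB recently (1.25x -> no alert)
    datetime(2024-06-02 10:00:00), "bob@example.com", 900000000,
    datetime(2024-06-05 16:45:00), "bob@example.com", 500000000,
    datetime(2024-06-08 09:20:00), "bob@example.com", 250000000
];
let baselineDays = 7;
let lookback = 7d;            // baseline period
let window = 1d;              // comparison window
let threshold = 3.0;          // alert when recent volume >= 3x the baseline daily average
// Fixed end time so the constructed data evaluates deterministically; use now() in a real rule.
let endTime = datetime(2024-06-08 12:00:00);
let Baseline = SampleTx
    | where TimeGenerated between ((endTime - lookback - window) .. (endTime - window))
    | summarize BaselineDailyBytes = sum(download_bytes_d) / todouble(baselineDays) by user_s;
let Recent = SampleTx
    | where TimeGenerated > endTime - window and TimeGenerated <= endTime
    | summarize RecentBytes = sum(download_bytes_d) by user_s;
Recent
// Inner join drops users with no baseline history; a separate "new user" rule should cover them,
// and a zero baseline is excluded below to avoid division by zero.
| join kind=inner Baseline on user_s
| where BaselineDailyBytes > 0
| extend Ratio = todouble(RecentBytes) / BaselineDailyBytes
| where Ratio >= threshold
| project user_s, RecentBytes, BaselineDailyBytes, Ratio
```

Against the constructed rows only alice@example.com is returned, with a Ratio of 3.5.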

MITRE Coverage

  • T1078 (Valid Accounts) - Impossible travel detection
  • T1567 (Exfiltration Over Web Service) - Cloud storage and data transfer monitoring
  • T1074 (Data Staged) - File staging and movement detection
  • T1199 (Trusted Relationship) - Unsanctioned app access
  • T1530 (Data from Cloud Storage Object) - Excessive download detection
  • T1562 (Impair Defenses) - Policy violation tracking

Affected Files

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule1.yaml
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule10.yaml
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule2.yaml
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule3.yaml
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule4.yaml
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule5.yaml
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule6.yaml
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule7.yaml
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule8.yaml
Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule9.yaml
Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_DCR.json
Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_PollingConfig.json
Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_Table.json
Solutions/NetskopeWebTx/Data Connectors/NetskopeWebTx_CCF/NetskopeWebtx_connectorDefinition.json
Solutions/NetskopeWebTx/Package/testParameters.json
Solutions/NetskopeWebTx/Parsers/NetskopeWebtx.yaml
Solutions/NetskopeWebTx/README.md
Solutions/NetskopeWebTx/Workbooks/Images/NetskopeWebtxOverviewBlack01.png
Solutions/NetskopeWebTx/Workbooks/Images/NetskopeWebtxOverviewBlack02.png
Solutions/NetskopeWebTx/Workbooks/Images/NetskopeWebtxOverviewWhite01.png
Solutions/NetskopeWebTx/Workbooks/Images/NetskopeWebtxOverviewWhite02.png
Solutions/NetskopeWebTx/Workbooks/NetskopeWebtxDashboard/NetskopeWebTx_Workbook.json
Workbooks/Images/Preview/NetskopeWebtxOverviewBlack01.png
Workbooks/Images/Preview/NetskopeWebtxOverviewBlack02.png
Workbooks/Images/Preview/NetskopeWebtxOverviewWhite01.png
Workbooks/Images/Preview/NetskopeWebtxOverviewWhite02.png
Workbooks/NetskopeWebTx_Workbook.json
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_NetskopeWebTx.json, createUiDefinition.json, mainTemplate.json)