Netskope - DLP Policy Violation - Blocked Sensitive Data Upload
39 NK DLP Blocked Upload
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where action_s in ("block", "Block", "blocked", "alert", "Alert")
| where isnotempty(dlp_rule_s) or isnotempty(dlp_profile_s)
or activity_s has_any ("DLP", "Upload", "Share")
| where isnotempty(user_s)
| summarize
ViolationCount = count(),
MBUploaded = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
UniqueDestDomains = dcount(domain_s),
DestDomains = make_set(domain_s, 10),
DLPRules = make_set(dlp_rule_s, 10),
DLPProfiles = make_set(dlp_profile_s, 5),
FileTypes = make_set(file_type_s, 10),
ObjectSamples = make_set(object_s, 5),
FirstViolation = min(TimeGenerated),
LastViolation = max(TimeGenerated)
by user_s, dlp_profile_s
| order by ViolationCount desc, MBUploaded descExplanation
This query is designed to detect and alert on data loss prevention (DLP) policy violations in Netskope, specifically when sensitive data uploads are blocked or alerted. Here's a simple breakdown of what the query does:
-
Purpose: It identifies instances where users attempt to upload or transfer sensitive data to external services, which are blocked or flagged by Netskope's DLP policies. Such violations could indicate potential data exfiltration or compromised accounts.
-
Severity and Techniques: The query is marked with high severity and is associated with MITRE ATT&CK techniques T1048 (Exfiltration Over Alternative Protocol) and T1567 (Exfiltration Over Web Service).
-
Data Source: It uses data from the
NetskopeWebTx_CLdata type, which logs web transactions monitored by Netskope. -
Time Frame: The query looks at data from the past day (1 day) and runs every 30 minutes.
-
Filtering Criteria:
- It checks for actions labeled as "block" or "alert".
- It ensures there is a DLP rule or profile involved, or activities related to DLP, uploads, or sharing.
- It requires the presence of a user identifier.
-
Summarization: For each user and DLP profile, it summarizes:
- The number of violations.
- The total megabytes uploaded.
- Unique destination domains and a sample of them.
- DLP rules and profiles involved.
- File types and object samples.
- The first and last violation times.
-
Alerting:
- Alerts are generated with details about the user and the number of violations.
- Alerts are grouped by user accounts to manage incidents efficiently.
-
Incident Management:
- Incidents are created for violations, with a grouping configuration to consolidate alerts related to the same user within a 6-hour window.
This query helps organizations monitor and respond to potential data breaches or policy violations by providing detailed insights into user activities that may compromise data security.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT30M
Period: P1D