Query Details

39 NK DLP Blocked Upload

Query

id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
name: "Netskope - DLP Policy Violation - Blocked Sensitive Data Upload"
version: 1.0.0
kind: Scheduled
description: |
  Detects Netskope DLP policy violations where an upload or file transfer was blocked
  or alerted. DLP violations indicate a user attempted to send sensitive or restricted
  data to an external service. Repeated violations may indicate intentional exfiltration
  or a compromised account used for data theft.
  MITRE ATT&CK: T1048 (Exfiltration Over Alternative Protocol), T1567 (Exfiltration Over Web Service)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT30M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1048
  - T1567
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  | where action_s in ("block", "Block", "blocked", "alert", "Alert")
  | where isnotempty(dlp_rule_s) or isnotempty(dlp_profile_s)
      or activity_s has_any ("DLP", "Upload", "Share")
  | where isnotempty(user_s)
  | summarize
      ViolationCount    = count(),
      MBUploaded        = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
      UniqueDestDomains = dcount(domain_s),
      DestDomains       = make_set(domain_s, 10),
      DLPRules          = make_set(dlp_rule_s, 10),
      DLPProfiles       = make_set(dlp_profile_s, 5),
      FileTypes         = make_set(file_type_s, 10),
      ObjectSamples     = make_set(object_s, 5),
      FirstViolation    = min(TimeGenerated),
      LastViolation     = max(TimeGenerated)
    by user_s, dlp_profile_s
  | order by ViolationCount desc, MBUploaded desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  ViolationCount: ViolationCount
  MBUploaded: MBUploaded
  DLPProfile: dlp_profile_s
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope DLP Violation - {{user_s}} ({{ViolationCount}} blocks)"
  alertDescriptionFormat: "User {{user_s}} violated DLP policy {{ViolationCount}} times. Profile: {{dlp_profile_s}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect and alert on data loss prevention (DLP) policy violations in Netskope, specifically when sensitive data uploads are blocked or alerted. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies instances where users attempt to upload or transfer sensitive data to external services, which are blocked or flagged by Netskope's DLP policies. Such violations could indicate potential data exfiltration or compromised accounts.

  2. Severity and Techniques: The query is marked with high severity and is associated with MITRE ATT&CK techniques T1048 (Exfiltration Over Alternative Protocol) and T1567 (Exfiltration Over Web Service).

  3. Data Source: It uses data from the NetskopeWebTx_CL data type, which logs web transactions monitored by Netskope.

  4. Time Frame: The query examines data from the past day and runs every 30 minutes.

  5. Filtering Criteria:

    • It keeps only events whose action is "block", "Block", "blocked", "alert" or "Alert" (the match is case-sensitive, so a value such as "Blocked" would not be included).
    • It ensures a DLP rule or profile is recorded, or that the activity relates to DLP, uploads, or sharing.
    • It requires the presence of a user identifier.

  6. Summarization: For each user and DLP profile, it summarizes:

    • The number of violations.
    • The total megabytes uploaded.
    • The number of unique destination domains and a sample of them.
    • The DLP rules and profiles involved.
    • File types and object samples.
    • The first and last violation times.

  7. Alerting:

    • Alerts are generated with details about the user and the number of violations.
    • Alerts are grouped by user account to manage incidents efficiently.

  8. Incident Management:

    • Incidents are created for violations, with a grouping configuration that consolidates alerts for the same user account within a 6-hour window.

This query helps organizations monitor and respond to potential data breaches or policy violations by providing detailed insights into user activities that may compromise data security.
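To make the filter and summarize steps above concrete, here is an added Python re-implementation of the rule's logic (it is not part of the rule or of Netskope's or Microsoft's code) run over constructed NetskopeWebTx_CL-shaped rows; the user names, domains and byte counts are made up, and `has_any` is approximated with a case-insensitive term split.

```python
import re
from collections import defaultdict

def row(ts, action, user, rule, profile, activity, domain, bytes_up):
    """Build one NetskopeWebTx_CL-shaped record (field names taken from the rule's datatable)."""
    return {"TimeGenerated": ts, "action_s": action, "user_s": user, "dlp_rule_s": rule,
            "dlp_profile_s": profile, "activity_s": activity, "domain_s": domain,
            "bytes_uploaded_d": bytes_up}

# Constructed sample rows: made-up values, not real Netskope telemetry.
SAMPLE_ROWS = [
    row("2026-04-16T08:00:00Z", "block", "alice@corp.example", "Card-Numbers", "PCI", "Upload", "files.cloud-a.example", 2097152),
    row("2026-04-16T09:15:00Z", "Block", "alice@corp.example", "Card-Numbers", "PCI", "Upload", "share.cloud-b.example", 1048576),
    row("2026-04-16T10:00:00Z", "alert", "bob@corp.example", "", "PII", "Share", "share.cloud-b.example", 524288),
    row("2026-04-16T10:30:00Z", "allow", "carol@corp.example", "Card-Numbers", "PCI", "Upload", "files.cloud-a.example", 4194304),  # action not in list
    row("2026-04-16T11:00:00Z", "block", "dave@corp.example", "", "", "Download", "files.cloud-a.example", 0),  # no DLP context
    row("2026-04-16T11:30:00Z", "block", "", "Card-Numbers", "PCI", "Upload", "files.cloud-a.example", 1048576),  # empty user_s
]

ACTIONS = {"block", "Block", "blocked", "alert", "Alert"}  # the KQL `in` list, matched case-sensitively
ACTIVITY_TERMS = {"dlp", "upload", "share"}                # has_any: case-insensitive term match

def is_violation(r):
    """Mirror the rule's three `where` clauses for a single row."""
    if r["action_s"] not in ACTIONS:
        return False
    terms = set(re.split(r"[^a-z0-9]+", r["activity_s"].lower())) & ACTIVITY_TERMS
    if not (r["dlp_rule_s"] or r["dlp_profile_s"] or terms):
        return False
    return bool(r["user_s"])

def summarize(rows):
    """Group violations by (user_s, dlp_profile_s) and compute the rule's main aggregates."""
    groups = defaultdict(list)
    for r in rows:
        if is_violation(r):
            groups[(r["user_s"], r["dlp_profile_s"])].append(r)
    out = []
    for (user, profile), items in groups.items():
        domains = {i["domain_s"] for i in items}
        out.append({"user_s": user, "dlp_profile_s": profile, "ViolationCount": len(items),
                    "MBUploaded": round(sum(float(i["bytes_uploaded_d"]) for i in items) / 1048576, 2),
                    "UniqueDestDomains": len(domains), "DestDomains": sorted(domains)[:10],
                    "FirstViolation": min(i["TimeGenerated"] for i in items),
                    "LastViolation": max(i["TimeGenerated"] for i in items)})
    # order by ViolationCount desc, MBUploaded desc
    return sorted(out, key=lambda x: (-x["ViolationCount"], -x["MBUploaded"]))
```

Running `summarize(SAMPLE_ROWS)` yields two result rows (alice/PCI with 2 violations and 3.0 MB, then bob/PII), while the allow, no-DLP-context and empty-user rows are dropped, which is a quick way to check how a tuning change to the action list or activity terms would affect what the rule fires on.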

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, DLP, Policy, Violation, Blocked, Sensitive Data Upload, User, Account, Domain, FileType, Object, Activity, Alert, ViolationCount, MBUploaded, DLPProfile, DLPRules, DLPProfiles, DestDomains, UniqueDestDomains, FirstViolation, LastViolation

Operators

let, datatable, union, isfuzzy, where, in, isnotempty, has_any, summarize, count, round, sum, todouble, dcount, make_set, min, max, by, order by, desc