Query Details

Netskope (Built-in) - DLP Policy Violation - Blocked Sensitive Data Upload

53 NK BI DLP Blocked Upload

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where action_s in ("block", "Block", "blocked", "alert", "Alert")
| where isnotempty(dlp_rule_s) or isnotempty(dlp_profile_s)
    or activity_s has_any ("DLP", "Upload", "Share")
| where isnotempty(user_s)
| summarize
    ViolationCount    = count(),
    MBUploaded        = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
    UniqueDestDomains = dcount(domain_s),
    DestDomains       = make_set(domain_s, 10),
    DLPRules          = make_set(dlp_rule_s, 10),
    DLPProfiles       = make_set(dlp_profile_s, 5),
    FileTypes         = make_set(file_type_s, 10),
    ObjectSamples     = make_set(object_s, 5),
    FirstViolation    = min(TimeGenerated),
    LastViolation     = max(TimeGenerated)
  by user_s, dlp_profile_s
| order by ViolationCount desc, MBUploaded desc

Explanation

This query is designed to detect and report on data loss prevention (DLP) policy violations in Netskope, specifically focusing on instances where sensitive data uploads or file transfers were blocked or alerted. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies attempts by users to send sensitive or restricted data to external services, which were either blocked or flagged by Netskope's DLP policies.

  2. Data Source: The query uses data from the NetskopeEvents_CL table, which logs events related to Netskope's security operations.

  3. Frequency and Period: The query runs every 30 minutes and looks back over the past day (24 hours) to find relevant events.

  4. Conditions:

    • It filters events where the action was "block" or "alert".
    • It checks for non-empty DLP rules or profiles, or activities related to DLP, uploads, or sharing.
    • It ensures that the user information is present.
  5. Summary Metrics: For each user and DLP profile, it calculates:

    • The number of violations (ViolationCount).
    • The total megabytes of data attempted to be uploaded.
    • The number of unique destination domains.
    • Lists of destination domains, DLP rules, DLP profiles, file types, and object samples involved in the violations.
    • The timestamps of the first and last violations.
  6. Severity and Tactics: The severity is marked as high, and it aligns with MITRE ATT&CK tactics for data exfiltration.

  7. Alerting:

    • Alerts are generated with a display name indicating the user and the number of blocks.
    • The alert description provides details about the user and the DLP profile involved.
    • Incidents are created for these alerts, with grouping enabled by user account to consolidate related events.

In summary, this query helps security teams monitor and respond to potential data exfiltration attempts by identifying and summarizing DLP policy violations in Netskope.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeDLPPolicyViolationUserAccountDomainFileTypeObjectActivityCountMBUploadedDLPRulesDLPProfilesDestDomainsUniqueDestDomainsFirstViolationLastViolation

Operators

datatableunionisfuzzywhereinisnotemptyhas_anysummarizecountroundsumtodoubledcountmake_setminmaxbyorder by

Severity

High

Tactics

Exfiltration

MITRE Techniques

Frequency: PT30M

Period: P1D

Actions

GitHub