Query Details

53 NK BI DLP Blocked Upload

Query

id: 2b3c4d5e-6f7a-4b8c-9d0e-1f2a3b4c5d6f
name: "Netskope (Built-in) - DLP Policy Violation - Blocked Sensitive Data Upload"
version: 1.0.0
kind: Scheduled
description: |
  Detects Netskope DLP policy violations where an upload or file transfer was blocked
  or alerted. DLP violations indicate a user attempted to send sensitive or restricted
  data to an external service. Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1048 (Exfiltration Over Alternative Protocol), T1567 (Exfiltration Over Web Service)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT30M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1048
  - T1567
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where action_s in ("block", "Block", "blocked", "alert", "Alert")
  | where isnotempty(dlp_rule_s) or isnotempty(dlp_profile_s)
      or activity_s has_any ("DLP", "Upload", "Share")
  | where isnotempty(user_s)
  | summarize
      ViolationCount    = count(),
      MBUploaded        = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
      UniqueDestDomains = dcount(domain_s),
      DestDomains       = make_set(domain_s, 10),
      DLPRules          = make_set(dlp_rule_s, 10),
      DLPProfiles       = make_set(dlp_profile_s, 5),
      FileTypes         = make_set(file_type_s, 10),
      ObjectSamples     = make_set(object_s, 5),
      FirstViolation    = min(TimeGenerated),
      LastViolation     = max(TimeGenerated)
    by user_s, dlp_profile_s
  | order by ViolationCount desc, MBUploaded desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  ViolationCount: ViolationCount
  MBUploaded: MBUploaded
  DLPProfile: dlp_profile_s
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI DLP Violation - {{user_s}} ({{ViolationCount}} blocks)"
  alertDescriptionFormat: "User {{user_s}} violated DLP policy {{ViolationCount}} times. Profile: {{dlp_profile_s}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect and report on data loss prevention (DLP) policy violations in Netskope, specifically focusing on instances where sensitive data uploads or file transfers were blocked or alerted. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies attempts by users to send sensitive or restricted data to external services that were either blocked or flagged by Netskope's DLP policies.

  2. Data Source: The query uses data from the NetskopeEvents_CL table, which logs events related to Netskope's security operations.

  3. Frequency and Period: The query runs every 30 minutes and looks back over the past day (24 hours) to find relevant events.

  4. Conditions:

    • It filters events where the action was a block or an alert (including the capitalisation variants listed in the query).
    • It keeps events that carry a DLP rule or DLP profile, or whose activity relates to DLP, uploads, or sharing.
    • It ensures that the user information is present.

  5. Summary Metrics: For each user and DLP profile, it calculates:

    • The number of violations (ViolationCount).
    • The total megabytes of data the user attempted to upload (MBUploaded).
    • The number of unique destination domains (UniqueDestDomains).
    • Lists of destination domains, DLP rules, DLP profiles, file types, and object samples involved in the violations (capped at 10 or 5 values each).
    • The timestamps of the first and last violations.

  6. Severity and Tactics: The severity is marked as High, and the rule is mapped to the MITRE ATT&CK Exfiltration tactic (techniques T1048 and T1567).

  7. Alerting:

    • Alerts are generated with a display name indicating the user and the number of blocks.
    • The alert description provides details about the user and the DLP profile involved.
    • Incidents are created for these alerts, with grouping enabled by user account (6-hour lookback) to consolidate related events.

In summary, this query helps security teams monitor and respond to potential data exfiltration attempts by identifying and summarizing DLP policy violations in Netskope.
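To see what the filter and summarize stages above produce, here is an added Python re-implementation of the rule's logic run over constructed sample rows; it is not part of the original rule or of Netskope's own tooling, and the users, domains and profile names are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

BLOCK_OR_ALERT = {"block", "Block", "blocked", "alert", "Alert"}  # `in` is case-sensitive in KQL
DLP_TERMS = {"dlp", "upload", "share"}  # has_any matches whole terms, case-insensitively

def ev(hm, action, user, domain, mb, rule, profile, activity, ftype, obj):
    """Build one NetskopeEvents_CL-shaped row (only the columns the query reads)."""
    return {"TimeGenerated": datetime(2026, 4, 16, *hm), "action_s": action, "user_s": user,
            "domain_s": domain, "bytes_uploaded_d": mb * 1048576.0, "dlp_rule_s": rule,
            "dlp_profile_s": profile, "activity_s": activity, "file_type_s": ftype, "object_s": obj}

# Constructed sample rows, not real Netskope telemetry.
SAMPLE_EVENTS = [
    ev((9, 0), "block", "alice@example.test", "drive.example-cloud.test", 5, "Credit Card", "PCI", "Upload", "xlsx", "customers.xlsx"),
    ev((9, 5), "Block", "alice@example.test", "paste.example-site.test", 1, "SSN", "PCI", "Upload", "txt", "notes.txt"),
    ev((9, 10), "allow", "alice@example.test", "drive.example-cloud.test", 95, "", "", "Upload", "pdf", "brochure.pdf"),  # allowed: ignored
    ev((9, 15), "alert", "", "mail.example-cloud.test", 0, "PII", "GDPR", "Share", "docx", "hr.docx"),  # no user: ignored
    ev((9, 20), "alert", "bob@example.test", "mail.example-cloud.test", 0, "", "", "Share", "docx", "hr.docx"),  # matched via has_any
]

def matches(e):
    """The rule's three `where` clauses."""
    if e["action_s"] not in BLOCK_OR_ALERT or not e["user_s"]:
        return False
    terms = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", e["activity_s"]) if t}
    return bool(e["dlp_rule_s"] or e["dlp_profile_s"] or terms & DLP_TERMS)

def summarize(events):
    """The `summarize ... by user_s, dlp_profile_s` and `order by` steps."""
    groups = defaultdict(list)
    for e in events:
        if matches(e):
            groups[(e["user_s"], e["dlp_profile_s"])].append(e)
    rows = []
    for (user, profile), evs in groups.items():
        def make_set(col, cap):  # distinct non-empty values, capped like make_set(col, cap)
            return sorted({x[col] for x in evs if x[col]})[:cap]
        rows.append({"user_s": user, "dlp_profile_s": profile, "ViolationCount": len(evs),
                     "MBUploaded": round(sum(x["bytes_uploaded_d"] for x in evs) / 1048576, 2),
                     "UniqueDestDomains": len({x["domain_s"] for x in evs}),  # dcount is approximate in KQL
                     "DestDomains": make_set("domain_s", 10), "DLPRules": make_set("dlp_rule_s", 10),
                     "FileTypes": make_set("file_type_s", 10), "ObjectSamples": make_set("object_s", 5),
                     "FirstViolation": min(x["TimeGenerated"] for x in evs),
                     "LastViolation": max(x["TimeGenerated"] for x in evs)})
    # triggerThreshold 0 with gt: any returned row fires the rule
    rows.sort(key=lambda r: (-r["ViolationCount"], -r["MBUploaded"]))
    return rows
```

Running summarize(SAMPLE_EVENTS) yields two alert rows: alice's two PCI blocks (6.0 MB across 2 domains) and bob's single share, which matched only through the activity term, so tuning the has_any list is the main lever for noise.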

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

Netskope, DLP, Policy Violation, User Account, Domain, File Type, Object, Activity, ViolationCount, MBUploaded, DLPRules, DLPProfiles, DestDomains, UniqueDestDomains, FirstViolation, LastViolation

Operators

datatable, union, isfuzzy, where, in, isnotempty, has_any, summarize, count, round, sum, todouble, dcount, make_set, min, max, by, order by