Netskope (Built-in) - DLP Policy Violation - Blocked Sensitive Data Upload
53 NK BI DLP Blocked Upload
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where action_s in ("block", "Block", "blocked", "alert", "Alert")
| where isnotempty(dlp_rule_s) or isnotempty(dlp_profile_s)
or activity_s has_any ("DLP", "Upload", "Share")
| where isnotempty(user_s)
| summarize
ViolationCount = count(),
MBUploaded = round(sum(todouble(bytes_uploaded_d)) / 1048576, 2),
UniqueDestDomains = dcount(domain_s),
DestDomains = make_set(domain_s, 10),
DLPRules = make_set(dlp_rule_s, 10),
DLPProfiles = make_set(dlp_profile_s, 5),
FileTypes = make_set(file_type_s, 10),
ObjectSamples = make_set(object_s, 5),
FirstViolation = min(TimeGenerated),
LastViolation = max(TimeGenerated)
by user_s, dlp_profile_s
| order by ViolationCount desc, MBUploaded descExplanation
This query is designed to detect and report on data loss prevention (DLP) policy violations in Netskope, specifically focusing on instances where sensitive data uploads or file transfers were blocked or alerted. Here's a simple breakdown of what the query does:
-
Purpose: It identifies attempts by users to send sensitive or restricted data to external services, which were either blocked or flagged by Netskope's DLP policies.
-
Data Source: The query uses data from the
NetskopeEvents_CLtable, which logs events related to Netskope's security operations. -
Frequency and Period: The query runs every 30 minutes and looks back over the past day (24 hours) to find relevant events.
-
Conditions:
- It filters events where the action was "block" or "alert".
- It checks for non-empty DLP rules or profiles, or activities related to DLP, uploads, or sharing.
- It ensures that the user information is present.
-
Summary Metrics: For each user and DLP profile, it calculates:
- The number of violations (
ViolationCount). - The total megabytes of data attempted to be uploaded.
- The number of unique destination domains.
- Lists of destination domains, DLP rules, DLP profiles, file types, and object samples involved in the violations.
- The timestamps of the first and last violations.
- The number of violations (
-
Severity and Tactics: The severity is marked as high, and it aligns with MITRE ATT&CK tactics for data exfiltration.
-
Alerting:
- Alerts are generated with a display name indicating the user and the number of blocks.
- The alert description provides details about the user and the DLP profile involved.
- Incidents are created for these alerts, with grouping enabled by user account to consolidate related events.
In summary, this query helps security teams monitor and respond to potential data exfiltration attempts by identifying and summarizing DLP policy violations in Netskope.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT30M
Period: P1D