SES triggers many events: Browser navigation to known bad URL attack detected but not blocked

Article ID: 276426

Products

Complete Endpoint Defense (with SEP)

Issue/Introduction

In the SES/ICDm (Integrated Cybersecurity Defense manager) console, an administrator might see events similar to "Browser navigation to known bad URL attack detected but not blocked".

Environment

SES/ICDm, 14.3 RU1+

Cause

The Antimalware policy is configured with the default Intensive Protection settings: Level 2 for Block and Level 4 for Monitor. See the explanation of these settings in the following technical documentation: Using Intensive Protection settings

The detected URL is classified as a Compromised Site in the WebPulse reputation database; this can be checked on the following page: WebPulse Site Review Request

Because the monitoring level is configured to Level 4, this URL was detected and flagged by IPS.

However, the blocking level is set to Level 2 in the default settings, and Level 2 still allows such compromised URLs to be opened.

Per the documentation, Level 2:

Blocks or logs the files that are most certainly bad or potentially bad.

Results in a comparable number of false positives and false negatives.

Hence the logs seen in the cloud console are correct, and SEP works as designed.

Resolution

If the administrator wants such URLs to be blocked as well, the blocking level needs to be raised to Level 4, matching the monitoring level.

Please note that raising the intensity level may increase the number of false positive detections and convictions, so use it with caution.
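The Cause and Resolution sections above describe a two-threshold policy: a detection fires when the Monitor level covers it, but is enforced only when the Block level also covers it. The following added example (not part of the article or of the SEP product) models that logic with an assumed 1 to 5 level scale, where each constructed event carries the lowest intensity level at which it would trigger, and runs a what-if over sample events to show which "detected but not blocked" events would change outcome if Block were raised from 2 to 4, so an administrator can review those URLs for false positives before changing the policy.

```python
from collections import Counter
from dataclasses import dataclass

# Default Intensive Protection settings from the article: Block 2, Monitor 4.
BLOCK_DEFAULT, MONITOR_DEFAULT = 2, 4


@dataclass(frozen=True)
class Event:
    device: str
    url: str
    trigger_level: int  # assumed: lowest level (1-5) at which this reputation band fires


def evaluate(trigger_level, block_level=BLOCK_DEFAULT, monitor_level=MONITOR_DEFAULT):
    """Outcome for one detection under the given Block/Monitor levels.

    Simplified model (an assumption, not the product's real scoring): a lower level
    catches only the most certain cases, so a detection is covered by a level when
    its trigger level is at or below that level.
    """
    if trigger_level <= block_level:
        return "blocked"
    if trigger_level <= monitor_level:
        return "detected but not blocked"
    return "allowed"


def what_if(events, block_level, monitor_level):
    """Count outcomes for a set of events under a candidate policy."""
    return Counter(evaluate(e.trigger_level, block_level, monitor_level) for e in events)


def urls_changing_outcome(events, old_block, new_block, monitor_level=MONITOR_DEFAULT):
    """URLs whose outcome differs between the old and new Block level: the review list
    for false positives before the policy change is rolled out."""
    return sorted({e.url for e in events
                   if evaluate(e.trigger_level, old_block, monitor_level)
                   != evaluate(e.trigger_level, new_block, monitor_level)})


# Constructed sample events with placeholder URLs (not real indicators).
SAMPLE_EVENTS = [
    Event("host-01", "http://compromised-site.example/a", 3),
    Event("host-02", "http://compromised-site.example/a", 3),
    Event("host-03", "http://known-malware.example/x", 1),
    Event("host-01", "http://low-confidence.example/q", 5),
    Event("host-04", "http://compromised-site.example/b", 4),
]

if __name__ == "__main__":
    print("default policy:", dict(what_if(SAMPLE_EVENTS, 2, 4)))
    print("block raised to 4:", dict(what_if(SAMPLE_EVENTS, 4, 4)))
    print("review before raising:", urls_changing_outcome(SAMPLE_EVENTS, 2, 4))
```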