Query Details

09 CSL Zscaler Malicious Category Blocks

Query

id: c9d0e1f2-a3b4-4c5d-6e7f-8a9b0c1d2e3f
name: "Zscaler ZIA - Blocked Request to Malicious / C2 Category"
version: 1.0.0
kind: Scheduled
description: |
  Detects Zscaler ZIA blocked web requests categorized as botnet, malware, phishing, ransomware,
  command-and-control, or anonymous proxy destinations. Blocked events confirm the user or host
  attempted to communicate with a known-malicious destination. Repeated attempts despite blocking
  may indicate malware that is persistently trying to reach its C2 infrastructure.
  MITRE ATT&CK: T1071 (Application Layer Protocol)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 15m
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  let MaliciousCategories = dynamic([
      "BOTNET_SITES", "MALWARE_SITES", "PHISHING", "SPYWARE_ADWARE_KEYLOGGERS",
      "RANSOMWARE", "C2_SITES", "COMMAND_CONTROL", "SUSPICIOUS_DESTINATIONS",
      "MALICIOUS_LINKS", "ANONYMOUS_PROXY"]);
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor == "Zscaler"
  | where DeviceAction in ("block", "BLOCK", "Blocked", "blocked")
  | where DeviceCustomString2 in (MaliciousCategories)
      or DeviceCustomString3 in (MaliciousCategories)
      or RequestContext has_any ("BOTNET", "MALWARE", "PHISHING", "COMMAND_CONTROL", "RANSOMWARE")
  | summarize
      BlockCount       = count(),
      UniqueUsers      = dcount(SourceUserName),
      UserList         = make_set(SourceUserName, 20),
      DestinationURLs  = make_set(RequestURL, 20),
      DestIPs          = make_set(DestinationIP, 10),
      Categories       = make_set(DeviceCustomString2, 10),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by DeviceCustomString2, DeviceCustomString3
  | order by BlockCount desc
entityMappings: []
customDetails:
  BlockCount: BlockCount
  UniqueUsers: UniqueUsers
  DeviceCustomString2: DeviceCustomString2
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler Malicious Block - {{DeviceCustomString2}} ({{BlockCount}} attempts)"
  alertDescriptionFormat: "{{BlockCount}} Zscaler requests blocked for malicious category {{DeviceCustomString2}} affecting {{UniqueUsers}} users. Possible malware C2 or phishing activity."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: AnyAlert
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
      - DeviceCustomString2

Explanation

This query is designed to detect and alert on web requests that are blocked by Zscaler ZIA because they are associated with malicious activities. Here's a simple breakdown:

  • Purpose: The query identifies web requests blocked by Zscaler ZIA that are categorized as malicious, such as botnet, malware, phishing, ransomware, command-and-control (C2), or anonymous proxy destinations. These blocked requests indicate attempts by users or hosts to connect to known malicious sites.

  • Frequency: The query runs every 15 minutes and looks at data from the past day (24 hours).

  • Severity: The alert generated by this query is considered high severity, as repeated attempts to access these sites may suggest persistent malware activity.

  • Data Source: It uses data from the "CommonSecurityEvents" connector, specifically looking at "CommonSecurityLog" data.

  • Logic:

    • It filters logs from the past day where the vendor is Zscaler and the action is a block.
    • It checks if the blocked request falls under specific malicious categories.
    • It summarizes the data by counting the number of blocks, the number of unique users involved, and lists the users, destination URLs, IPs, and categories.

  • Output: The results are ordered by the number of blocks, and an alert is generated with details about the blocked category and the number of attempts.

  • Alert Details: The alert includes the number of blocked requests and the malicious category, indicating potential malware or phishing activity.

  • Incident Management: If an alert is triggered, an incident is created. Incidents can be grouped if they share the same malicious category, but closed incidents will not be reopened.

This query helps security teams monitor and respond to potential threats by identifying and alerting on attempts to access malicious sites, which could indicate compromised systems or users.
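To make the rule's logic concrete, the following is an added Python re-implementation (not part of the rule or the page) of the same filter and summarize steps, run over constructed CommonSecurityLog-shaped rows. User names, URLs, IPs and timestamps are invented placeholders, and timestamps are plain epoch-style integers so the 1-day lookback can be checked offline.

```python
from collections import defaultdict

# Same category list and action values as the analytic rule.
MALICIOUS_CATEGORIES = {
    "BOTNET_SITES", "MALWARE_SITES", "PHISHING", "SPYWARE_ADWARE_KEYLOGGERS",
    "RANSOMWARE", "C2_SITES", "COMMAND_CONTROL", "SUSPICIOUS_DESTINATIONS",
    "MALICIOUS_LINKS", "ANONYMOUS_PROXY"}
CONTEXT_TOKENS = ("BOTNET", "MALWARE", "PHISHING", "COMMAND_CONTROL", "RANSOMWARE")
BLOCK_ACTIONS = {"block", "BLOCK", "Blocked", "blocked"}  # KQL `in` is case-sensitive
FIELDS = ("TimeGenerated", "DeviceVendor", "DeviceAction", "DeviceCustomString2",
          "DeviceCustomString3", "RequestContext", "SourceUserName", "RequestURL", "DestinationIP")

# Constructed sample rows (placeholder users, URLs and IPs, not real indicators).
SAMPLE_ROWS = [dict(zip(FIELDS, r)) for r in [
    (100, "Zscaler", "Blocked", "MALWARE_SITES", "Security", "", "alice@example.test", "http://a.invalid/x", "203.0.113.10"),
    (160, "Zscaler", "Blocked", "MALWARE_SITES", "Security", "", "bob@example.test", "http://a.invalid/y", "203.0.113.10"),
    (220, "Zscaler", "Blocked", "MALWARE_SITES", "Security", "", "alice@example.test", "http://b.invalid/", "203.0.113.11"),
    (300, "Zscaler", "Allowed", "MALWARE_SITES", "Security", "", "carol@example.test", "http://a.invalid/", "203.0.113.10"),  # not a block
    (350, "Zscaler", "block", "NEWS", "General", "BOTNET callback", "dave@example.test", "http://c.invalid/", "203.0.113.12"),  # hit via RequestContext
    (400, "PaloAlto", "block", "PHISHING", "Security", "", "erin@example.test", "http://d.invalid/", "203.0.113.13"),  # other vendor
    (420, "Zscaler", "block", "SHOPPING", "General", "", "frank@example.test", "http://e.invalid/", "203.0.113.14"),  # benign category
]]

def is_malicious_block(row):
    """Mirror of the rule's vendor, action and category `where` clauses."""
    if row["DeviceVendor"] != "Zscaler" or row["DeviceAction"] not in BLOCK_ACTIONS:
        return False
    ctx = row["RequestContext"].upper()  # KQL has_any is case-insensitive
    return (row["DeviceCustomString2"] in MALICIOUS_CATEGORIES
            or row["DeviceCustomString3"] in MALICIOUS_CATEGORIES
            or any(tok in ctx for tok in CONTEXT_TOKENS))

def summarize(rows, now, lookback=86400):
    """Mirror of `summarize ... by DeviceCustomString2, DeviceCustomString3 | order by BlockCount desc`."""
    groups = defaultdict(list)
    for row in rows:
        if row["TimeGenerated"] > now - lookback and is_malicious_block(row):  # ago(1d) window
            groups[(row["DeviceCustomString2"], row["DeviceCustomString3"])].append(row)
    alerts = []
    for (cat2, cat3), g in groups.items():
        users = sorted({r["SourceUserName"] for r in g})
        alerts.append({"DeviceCustomString2": cat2, "DeviceCustomString3": cat3,
                       "BlockCount": len(g), "UniqueUsers": len(users), "UserList": users[:20],
                       "DestinationURLs": sorted({r["RequestURL"] for r in g})[:20],
                       "DestIPs": sorted({r["DestinationIP"] for r in g})[:10],
                       "FirstSeen": min(r["TimeGenerated"] for r in g),
                       "LastSeen": max(r["TimeGenerated"] for r in g)})
    return sorted(alerts, key=lambda a: a["BlockCount"], reverse=True)

if __name__ == "__main__":
    for alert in summarize(SAMPLE_ROWS, now=1000):
        print(alert)
```

Running it yields two rows: MALWARE_SITES with three blocks across two users, and the NEWS row that only matched through RequestContext, which is the case where grouping by DeviceCustomString2 alone would hide the real reason for the alert.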

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

Zscaler, Malicious, Block, Request, User, Host, Malware, Phishing, Ransomware, Command, Control, Proxy, Botnet, Infrastructure, Security, Log, Device, Vendor, Action, Context, Source, User, Name, Request, URL, Destination, IP, Categories, Time, Generated, Alert, Incident

Operators

let, dynamic, in, has_any, ago, summarize, count, dcount, make_set, min, max, by, order by