Query Details

Zscaler ZIA - Blocked Request to Malicious / C2 Category

09 CSL Zscaler Malicious Category Blocks

Query

let MaliciousCategories = dynamic([
    "BOTNET_SITES", "MALWARE_SITES", "PHISHING", "SPYWARE_ADWARE_KEYLOGGERS",
    "RANSOMWARE", "C2_SITES", "COMMAND_CONTROL", "SUSPICIOUS_DESTINATIONS",
    "MALICIOUS_LINKS", "ANONYMOUS_PROXY"]);
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction in ("block", "BLOCK", "Blocked", "blocked")
| where DeviceCustomString2 in (MaliciousCategories)
    or DeviceCustomString3 in (MaliciousCategories)
    or RequestContext has_any ("BOTNET", "MALWARE", "PHISHING", "COMMAND_CONTROL", "RANSOMWARE")
| summarize
    BlockCount       = count(),
    UniqueUsers      = dcount(SourceUserName),
    UserList         = make_set(SourceUserName, 20),
    DestinationURLs  = make_set(RequestURL, 20),
    DestIPs          = make_set(DestinationIP, 10),
    Categories       = make_set(DeviceCustomString2, 10),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by DeviceCustomString2, DeviceCustomString3
| order by BlockCount desc

Explanation

This query is designed to detect and alert on web requests that are blocked by Zscaler ZIA because they are associated with malicious activities. Here's a simple breakdown:

  • Purpose: The query identifies web requests blocked by Zscaler ZIA that are categorized as malicious, such as botnet, malware, phishing, ransomware, command-and-control (C2), or anonymous proxy destinations. These blocked requests indicate attempts by users or hosts to connect to known malicious sites.

  • Frequency: The query runs every 15 minutes and looks at data from the past day (24 hours).

  • Severity: The alert generated by this query is considered high severity, as repeated attempts to access these sites may suggest persistent malware activity.

  • Data Source: It uses data from the "CommonSecurityEvents" connector, specifically looking at "CommonSecurityLog" data.

  • Logic:

    • It filters logs from the past day where the vendor is Zscaler and the action is a block.
    • It checks if the blocked request falls under specific malicious categories.
    • It summarizes the data by counting the number of blocks, the number of unique users involved, and lists the users, destination URLs, IPs, and categories.
  • Output: The results are ordered by the number of blocks, and an alert is generated with details about the blocked category and the number of attempts.

  • Alert Details: The alert includes the number of blocked requests and the malicious category, indicating potential malware or phishing activity.

  • Incident Management: If an alert is triggered, an incident is created. Incidents can be grouped if they share the same malicious category, but closed incidents will not be reopened.

This query helps security teams monitor and respond to potential threats by identifying and alerting on attempts to access malicious sites, which could indicate compromised systems or users.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

ZscalerMaliciousBlockRequestUserHostMalwarePhishingRansomwareCommandControlProxyBotnetInfrastructureSecurityLogDeviceVendorActionContextSourceNameURLDestinationIPCategoriesTimeGeneratedAlertIncident

Operators

letdynamicinhas_anyagosummarizecountdcountmake_setminmaxbyorder by

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: 15m

Period: 1d

Actions

GitHub