Zscaler ZIA - Blocked Request to Malicious / C2 Category
09 CSL Zscaler Malicious Category Blocks
Query
let MaliciousCategories = dynamic([
"BOTNET_SITES", "MALWARE_SITES", "PHISHING", "SPYWARE_ADWARE_KEYLOGGERS",
"RANSOMWARE", "C2_SITES", "COMMAND_CONTROL", "SUSPICIOUS_DESTINATIONS",
"MALICIOUS_LINKS", "ANONYMOUS_PROXY"]);
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction in ("block", "BLOCK", "Blocked", "blocked")
| where DeviceCustomString2 in (MaliciousCategories)
or DeviceCustomString3 in (MaliciousCategories)
or RequestContext has_any ("BOTNET", "MALWARE", "PHISHING", "COMMAND_CONTROL", "RANSOMWARE")
| summarize
BlockCount = count(),
UniqueUsers = dcount(SourceUserName),
UserList = make_set(SourceUserName, 20),
DestinationURLs = make_set(RequestURL, 20),
DestIPs = make_set(DestinationIP, 10),
Categories = make_set(DeviceCustomString2, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by DeviceCustomString2, DeviceCustomString3
| order by BlockCount descExplanation
This query is designed to detect and alert on web requests that are blocked by Zscaler ZIA because they are associated with malicious activities. Here's a simple breakdown:
-
Purpose: The query identifies web requests blocked by Zscaler ZIA that are categorized as malicious, such as botnet, malware, phishing, ransomware, command-and-control (C2), or anonymous proxy destinations. These blocked requests indicate attempts by users or hosts to connect to known malicious sites.
-
Frequency: The query runs every 15 minutes and looks at data from the past day (24 hours).
-
Severity: The alert generated by this query is considered high severity, as repeated attempts to access these sites may suggest persistent malware activity.
-
Data Source: It uses data from the "CommonSecurityEvents" connector, specifically looking at "CommonSecurityLog" data.
-
Logic:
- It filters logs from the past day where the vendor is Zscaler and the action is a block.
- It checks if the blocked request falls under specific malicious categories.
- It summarizes the data by counting the number of blocks, the number of unique users involved, and lists the users, destination URLs, IPs, and categories.
-
Output: The results are ordered by the number of blocks, and an alert is generated with details about the blocked category and the number of attempts.
-
Alert Details: The alert includes the number of blocked requests and the malicious category, indicating potential malware or phishing activity.
-
Incident Management: If an alert is triggered, an incident is created. Incidents can be grouped if they share the same malicious category, but closed incidents will not be reopened.
This query helps security teams monitor and respond to potential threats by identifying and alerting on attempts to access malicious sites, which could indicate compromised systems or users.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 15m
Period: 1d