Query Details

10 CSL Zscaler Shadow IT File Sharing

Query

id: d0e1f2a3-b4c5-4d6e-7f8a-9b0c1d2e3f4a
name: "Zscaler ZIA - Shadow IT and Unauthorized File Sharing - High Volume"
version: 1.0.0
kind: Scheduled
description: |
  Detects users uploading significant amounts of data (>50 MB) or making frequent requests
  (>200) to personal cloud storage, file-sharing platforms, or personal webmail via Zscaler,
  aggregated per user and URL category over the 7-day lookback.
  While individual access may be policy-acceptable, high volume to shadow IT destinations is
  a strong data exfiltration indicator, particularly when combined with recent security alerts
  or identity risk signals.
  MITRE ATT&CK: T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
severity: Medium
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 6h
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1567
query: |
  // Zscaler URL categories treated as shadow IT. The names, and which custom
  // string columns carry them (check DeviceCustomString2Label / DeviceCustomString3Label),
  // depend on the NSS feed template; confirm against a sample of your own logs.
  let ShadowITCategories = dynamic([
      "PERSONAL_SITES_BLOGS", "FILE_HOST", "SHAREWARE_FREEWARE",
      "SOCIAL_NETWORKING", "PERSONAL_EMAIL", "WEB_BASED_EMAIL", "CLOUD_STORAGE",
      "ONLINE_STORAGE_AND_BACKUP", "GENERAL_FILESHARING"]);
  CommonSecurityLog
  | where TimeGenerated > ago(7d)
  | where DeviceVendor == "Zscaler"
  // Rows with no user cannot be mapped to an Account entity and would alert as a blank user
  | where isnotempty(SourceUserName)
  | where DeviceCustomString2 in (ShadowITCategories)
      or DeviceCustomString3 in (ShadowITCategories)
  // Keep the column that actually matched, so a hit only in DeviceCustomString3
  // is not reported under an unrelated DeviceCustomString2 value
  | extend MatchedCategory = iff(DeviceCustomString2 in (ShadowITCategories),
                                 DeviceCustomString2, DeviceCustomString3)
  | summarize
      RequestCount     = count(),
      TotalBytesSent   = sum(SentBytes),
      TotalBytesRecv   = sum(ReceivedBytes),
      UniqueURLs       = dcount(RequestURL),
      URLSamples       = make_set(RequestURL, 10),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by SourceUserName, DeviceCustomString2, MatchedCategory
  | extend TotalMBSent = round(toreal(TotalBytesSent) / 1048576, 2)
  // Either threshold alone is enough to alert; both are cumulative over the 7-day window
  | where TotalMBSent > 50 or RequestCount > 200
  | order by TotalMBSent desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SourceUserName
customDetails:
  TotalMBSent: TotalMBSent
  RequestCount: RequestCount
  DeviceCustomString2: DeviceCustomString2
alertDetailsOverride:
  alertDisplayNameFormat: "Shadow IT Upload Risk - {{SourceUserName}} sent {{TotalMBSent}} MB to {{DeviceCustomString2}}"
  alertDescriptionFormat: "User {{SourceUserName}} sent {{TotalMBSent}} MB to shadow IT category {{DeviceCustomString2}} across {{RequestCount}} requests. Possible data exfiltration via consumer cloud service."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: P1D
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is part of a scheduled detection rule designed to identify potential data exfiltration activities through unauthorized or shadow IT services using Zscaler logs. Here's a simple breakdown of what it does:

  1. Purpose: The query detects users who are either uploading more than 50 MB of data or making over 200 requests to personal cloud storage, file-sharing platforms, or personal webmail services. These activities are considered potential indicators of data exfiltration, especially if they coincide with other security alerts or identity risks.

  2. Data Source: It uses data from the CommonSecurityLog table, specifically logs from the vendor "Zscaler."

  3. Time Frame: The query examines logs from the past 7 days.

  4. Shadow IT Categories: It matches the Zscaler category in DeviceCustomString2 or DeviceCustomString3 against a list of services that are often used for personal purposes, such as personal blogs, file hosting, social networking, personal email, and cloud storage. Which custom-string columns carry the category, and the exact category names, depend on the NSS feed template, so confirm them against the cs2Label/cs3Label values in your own logs before enabling the rule.

  5. Analysis:

    • It counts the number of requests (RequestCount) and sums up the total bytes sent (TotalBytesSent) and received (TotalBytesRecv).
    • It also tracks the number of unique URLs accessed (UniqueURLs) and samples up to 10 URLs (URLSamples).
    • It records the first and last time the activity was seen.
  6. Thresholds: The query keeps only users who have sent more than 50 MB of data or made more than 200 requests to these shadow IT services; either condition alone is enough. Both thresholds are cumulative over the 7-day window, so in environments where these categories are in routine business use, expect to raise them or to exclude sanctioned corporate tenants (for example by RequestURL or DestinationHostName) to keep the alert volume manageable.

  7. Output: The results are sorted by the amount of data sent, and an alert is generated for each user and category pair meeting the criteria. The alert includes the user's name, the amount of data sent, the request count, and the category of the shadow IT service used.

  8. Alert Configuration:

    • Alerts are configured to create incidents automatically.
    • Incidents are grouped by user account to avoid duplication and to provide a consolidated view of potential exfiltration activities by the same user.
    • Because the 7-day query period is much longer than the 6-hour frequency, each run re-evaluates the same activity, so one burst can raise a new alert every 6 hours until it ages out of the window. Grouping by Account folds those alerts into one incident only while that incident is still open and within the 1-day grouping lookback; a closed incident is not reopened.
  9. Severity and Tactics: The severity of the alert is set to "Medium," and it is associated with the "Exfiltration" tactic in the MITRE ATT&CK framework, technique T1567 (Exfiltration Over Web Service), with T1567.002 (Exfiltration to Cloud Storage) the closest sub-technique for the consumer storage and file-sharing destinations it targets.

Overall, this query helps security teams monitor and respond to potential data leaks through unauthorized cloud services, which could indicate malicious insider activity or compromised accounts.
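To make the aggregation and thresholds testable without a Sentinel workspace, the following Python re-implements the rule's logic over constructed Zscaler-style CEF lines. This is an added example, not code from the page, Zscaler or Microsoft: the log lines are constructed, the CEF parser is a minimal one written for this example, and the assumption that the URL category arrives in cs2 (with an app name in cs3) mirrors the rule above and must be verified against your own NSS feed template. It goes slightly beyond the query in two places: it groups by whichever custom-string column actually matched, and it adds a label check that shows which fields the feed is putting in cs2/cs3.

```python
"""Offline re-implementation of the rule's aggregation over constructed
Zscaler CEF lines. Added example, not code from the page, Zscaler or
Microsoft: the log lines are constructed, and the assumption that the URL
category arrives in cs2 (app name in cs3) mirrors the rule above; verify
it against your own NSS feed template before trusting the filter."""
import re
from collections import defaultdict

SHADOW_IT_CATEGORIES = frozenset([
    "PERSONAL_SITES_BLOGS", "FILE_HOST", "SHAREWARE_FREEWARE",
    "SOCIAL_NETWORKING", "PERSONAL_EMAIL", "WEB_BASED_EMAIL", "CLOUD_STORAGE",
    "ONLINE_STORAGE_AND_BACKUP", "GENERAL_FILESHARING"])
MB_SENT_THRESHOLD, REQUEST_THRESHOLD = 50.0, 200   # TotalMBSent > 50 or RequestCount > 200

# CEF extension keys -> the CommonSecurityLog columns the rule reads.
CEF_TO_CSL = {"suser": "SourceUserName", "out": "SentBytes", "in": "ReceivedBytes",
              "request": "RequestURL", "cs2": "DeviceCustomString2",
              "cs2Label": "DeviceCustomString2Label", "cs3": "DeviceCustomString3",
              "cs3Label": "DeviceCustomString3Label"}
_HEADER_PIPE = re.compile(r"(?<!\\)\|")
# key=value pairs: a value runs until the next " key=" or end of line, and
# "\=" / "\\" inside a value are CEF escapes consumed as pairs.
_EXTENSION = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Parse one CEF line into a dict keyed like CommonSecurityLog columns."""
    parts = _HEADER_PIPE.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    rec = {"DeviceVendor": parts[1]}
    for key, raw in _EXTENSION.findall(parts[7]):
        rec[CEF_TO_CSL.get(key, key)] = re.sub(r"\\(.)", r"\1", raw)
    for col in ("SentBytes", "ReceivedBytes"):
        rec[col] = int(rec.get(col) or 0)
    return rec


def matched_category(rec):
    """The rule filters on cs2 OR cs3 but groups by cs2 only; return the column
    that actually matched so a cs3-only hit is not filed under an unrelated cs2."""
    for col in ("DeviceCustomString2", "DeviceCustomString3"):
        if rec.get(col) in SHADOW_IT_CATEGORIES:
            return rec[col]
    return None


def summarize(records):
    """Mirror the KQL summarize: totals per (SourceUserName, category)."""
    groups = defaultdict(lambda: {"RequestCount": 0, "TotalBytesSent": 0,
                                  "TotalBytesRecv": 0, "URLs": set()})
    for rec in records:
        cat, user = matched_category(rec), rec.get("SourceUserName", "")
        # where DeviceVendor == "Zscaler" and isnotempty(SourceUserName)
        if rec.get("DeviceVendor") != "Zscaler" or cat is None or not user:
            continue
        g = groups[(user, cat)]
        g["RequestCount"] += 1
        g["TotalBytesSent"] += rec["SentBytes"]
        g["TotalBytesRecv"] += rec["ReceivedBytes"]
        g["URLs"].add(rec.get("RequestURL", ""))
    return groups


def detect(lines, mb_threshold=MB_SENT_THRESHOLD, request_threshold=REQUEST_THRESHOLD):
    """Apply the rule's thresholds; alert rows ordered by TotalMBSent desc."""
    alerts = []
    for (user, cat), g in summarize(parse_cef(l) for l in lines).items():
        mb = round(g["TotalBytesSent"] / 1048576, 2)
        if mb > mb_threshold or g["RequestCount"] > request_threshold:
            alerts.append({"SourceUserName": user, "Category": cat, "TotalMBSent": mb,
                           "RequestCount": g["RequestCount"], "UniqueURLs": len(g["URLs"])})
    return sorted(alerts, key=lambda a: a["TotalMBSent"], reverse=True)


def custom_string_labels(lines):
    """Tuning check: which labels does the feed put on cs2/cs3? If cs2Label is
    not the URL-category field, the rule is filtering the wrong column."""
    return {(r.get("DeviceCustomString2Label"), r.get("DeviceCustomString3Label"))
            for r in map(parse_cef, lines)}


def cef_line(user, url, cat2, cat3, out_bytes):
    """Build a constructed Zscaler-style CEF web-log line (not a real capture)."""
    return ("CEF:0|Zscaler|NSSWeblog|1.0|Allowed|Allowed|3|act=Allowed "
            f"suser={user} request={url} out={out_bytes} in=512 "
            f"cs2={cat2} cs2Label=urlcat cs3={cat3} cs3Label=appname")


MiB = 1048576
SAMPLE_LINES = (
    # alice: two uploads to a file host, 55 MB total -> over the MB threshold
    [cef_line("alice@corp.example", "https://files.example.net/up?id\\=1", "FILE_HOST", "FileHost", 30 * MiB),
     cef_line("alice@corp.example", "https://files.example.net/up?id\\=2", "FILE_HOST", "FileHost", 25 * MiB)]
    # bob: 250 small webmail requests -> over the request threshold only
    + [cef_line("bob@corp.example", f"https://mail.example.org/m/{i}", "WEB_BASED_EMAIL", "WebMail", 2048)
       for i in range(250)]
    # dave: shadow-IT category only in cs3 -> still counted, under CLOUD_STORAGE
    + [cef_line("dave@corp.example", "https://box.example.com/u", "BUSINESS_AND_ECONOMY", "CLOUD_STORAGE", 60 * MiB)]
    # carol is under both thresholds; the last row has no user and is dropped
    + [cef_line("carol@corp.example", "https://files.example.net/up", "FILE_HOST", "FileHost", 5 * MiB),
       cef_line("", "https://files.example.net/up", "FILE_HOST", "FileHost", 500 * MiB)])

if __name__ == "__main__":
    print(custom_string_labels(SAMPLE_LINES))
    for row in detect(SAMPLE_LINES):
        print(row)
```

Running it prints the (cs2Label, cs3Label) pairs the constructed feed carries and then three alert rows (dave, alice, bob), in the same order the KQL `order by TotalMBSent desc` would produce; carol stays under both thresholds and the row with an empty user is discarded before aggregation. Pointing `custom_string_labels` at a real export is the quickest way to learn whether your feed actually puts the URL category in cs2 before the rule goes live.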

Details


David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

Zscaler, Shadow IT, Unauthorized File Sharing, Data Exfiltration, Users, Cloud Storage, File Sharing, Personal Webmail, Security Alerts, Identity Risk Signals, CommonSecurityEvents, CommonSecurityLog, Personal Sites Blogs, File Host, Shareware Freeware, Social Networking, Personal Email, Web Based Email, Online Storage Backup, General Filesharing, RequestURL, SourceUserName

Operators

let, dynamic, ago, in, summarize, count, sum, dcount, make_set, min, max, by, extend, round, toreal, order by
