Query Details

Zscaler ZIA - Shadow IT and Unauthorized File Sharing - High Volume

10 CSL Zscaler Shadow IT File Sharing

Query

let ShadowITCategories = dynamic([
    "PERSONAL_SITES_BLOGS", "FILE_HOST", "SHAREWARE_FREEWARE",
    "SOCIAL_NETWORKING", "PERSONAL_EMAIL", "WEB_BASED_EMAIL", "CLOUD_STORAGE",
    "ONLINE_STORAGE_AND_BACKUP", "GENERAL_FILESHARING"]);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Zscaler"
| where DeviceCustomString2 in (ShadowITCategories)
    or DeviceCustomString3 in (ShadowITCategories)
| summarize
    RequestCount     = count(),
    TotalBytesSent   = sum(SentBytes),
    TotalBytesRecv   = sum(ReceivedBytes),
    UniqueURLs       = dcount(RequestURL),
    URLSamples       = make_set(RequestURL, 10),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by SourceUserName, DeviceCustomString2
| extend TotalMBSent = round(toreal(TotalBytesSent) / 1048576, 2)
| where TotalMBSent > 50 or RequestCount > 200
| order by TotalMBSent desc

Explanation

This query is part of a scheduled detection rule designed to identify potential data exfiltration activities through unauthorized or shadow IT services using Zscaler logs. Here's a simple breakdown of what it does:

  1. Purpose: The query detects users who are either uploading more than 50 MB of data or making over 200 requests to personal cloud storage, file-sharing platforms, or personal webmail services. These activities are considered potential indicators of data exfiltration, especially if they coincide with other security alerts or identity risks.

  2. Data Source: It uses data from the CommonSecurityLog table, specifically logs from the vendor "Zscaler."

  3. Time Frame: The query examines logs from the past 7 days.

  4. Shadow IT Categories: It focuses on specific categories of services that are often used for personal purposes, such as personal blogs, file hosting, social networking, personal email, and cloud storage.

  5. Analysis:

    • It counts the number of requests (RequestCount) and sums up the total bytes sent (TotalBytesSent) and received (TotalBytesRecv).
    • It also tracks the number of unique URLs accessed (UniqueURLs) and samples up to 10 URLs (URLSamples).
    • It records the first and last time the activity was seen.
  6. Thresholds: The query filters results to only include users who have sent more than 50 MB of data or made more than 200 requests to these shadow IT services.

  7. Output: The results are sorted by the amount of data sent, and an alert is generated for each user meeting the criteria. The alert includes details such as the user's name, the amount of data sent, and the category of the shadow IT service used.

  8. Alert Configuration:

    • Alerts are configured to create incidents automatically.
    • Incidents are grouped by user account to avoid duplication and to provide a consolidated view of potential exfiltration activities by the same user.
  9. Severity and Tactics: The severity of the alert is set to "Medium," and it is associated with the "Exfiltration" tactic in the MITRE ATT&CK framework, specifically technique T1048.002 (Exfiltration Over Web Service).

Overall, this query helps security teams monitor and respond to potential data leaks through unauthorized cloud services, which could indicate malicious insider activity or compromised accounts.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

ZscalerShadowITUnauthorizedFileSharingDataExfiltrationUsersCloudStoragePersonalWebmailSecurityAlertsIdentityRiskSignalsCommonEventsLogSitesBlogsHostSharewareFreewareSocialNetworkingEmailWebBasedOnlineBackupGeneralFilesharingRequestURLSourceUserName

Operators

letdynamicagoinsummarizecountsumdcountmake_setminmaxbyextendroundtorealorder by

Severity

Medium

Tactics

Exfiltration

MITRE Techniques

Frequency: 6h

Period: 7d

Actions

GitHub