Query Details

18 CSL Zscaler Impossible Travel

Query

id: f8a9b0c1-d2e3-4f4a-5b6c-7d8e9f0a1b2c
name: "Zscaler ZIA - Impossible Travel (Same User, Multiple Locations in 1 Hour)"
version: 1.0.0
kind: Scheduled
description: |
  Detects Zscaler ZIA users who generate requests from more than one distinct geographic
  location within the same 1-hour window. Since physical travel between locations within
  one hour is impossible, this indicates credential sharing, VPN/proxy abuse to change
  apparent location, or an account compromise where both the legitimate user and an attacker
  are using the credentials concurrently.
  MITRE ATT&CK: T1078 (Valid Accounts)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - DefenseEvasion
relevantTechniques:
  - T1078
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor == "Zscaler"
  | where isnotempty(SourceUserName)
  | extend HourBucket = bin(TimeGenerated, 1h)
  | summarize
      CountryCount     = dcount(SourceGeoCity),
      Countries        = make_set(SourceGeoCity, 10),
      RequestCount     = count(),
      SourceIPs        = make_set(SourceIP, 10),
      URLSamples       = make_set(RequestURL, 5)
    by SourceUserName, HourBucket
  | where CountryCount > 1
  | order by CountryCount desc, RequestCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SourceUserName
customDetails:
  CountryCount: CountryCount
  RequestCount: RequestCount
alertDetailsOverride:
  alertDisplayNameFormat: "Impossible Travel - {{SourceUserName}} in {{CountryCount}} locations/hr"
  alertDescriptionFormat: "User {{SourceUserName}} accessed Zscaler from {{CountryCount}} distinct locations within 1 hour across {{RequestCount}} requests. Possible credential compromise or proxy bypass."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious activity involving Zscaler ZIA users. It looks for instances where a user appears to access the service from multiple geographic locations within a single hour, which is typically impossible without some form of credential misuse or manipulation. This could indicate that the user's credentials are being shared, that a VPN or proxy is being used to disguise the user's true location, or that the account has been compromised.

Here's a breakdown of the query's key components:

  • Purpose: To identify users who generate requests from more than one distinct geographic location within the same hour, signaling potential security issues.
  • Severity: High, due to the risk of credential compromise or misuse.
  • Data Source: It uses data from the "CommonSecurityEvents" connector, specifically the "CommonSecurityLog" data type.
  • Frequency: The query runs every hour (queryFrequency: 1h) and examines data from the past day (queryPeriod: 1d), so each run re-evaluates the preceding 24 hourly buckets; the incident grouping by Account below is what keeps a bucket that already fired from opening a fresh incident on every subsequent run.
  • Logic:
    • It filters logs to include only those where DeviceVendor is "Zscaler" and SourceUserName is populated.
    • It groups data by user and hour (bin(TimeGenerated, 1h)), counting the number of distinct SourceGeoCity values; the resulting column is named CountryCount even though it counts cities.
    • It flags cases where a user accesses from more than one city in the same hourly bucket. Because the bucket is fixed rather than sliding, two cities seen a few minutes apart on either side of an hour boundary land in different buckets and are not flagged.
  • Alerting: If such activity is detected, an alert is generated with details about the user, the number of locations accessed, and the number of requests made.
  • Incident Management: The system can create incidents based on these alerts, grouping them by user account to manage and track potential security breaches effectively.

Overall, this query helps security teams quickly identify and respond to potential unauthorized access or misuse of user credentials.
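The bucketing and dcount logic above, re-implemented over constructed sample rows so the behaviour can be checked offline. This is an added example, not code from the rule's author or from Zscaler; the users, cities and RFC 5737 addresses are hypothetical. It goes one step beyond the rule by adding a sliding-window variant that also catches the hour-boundary case the fixed bucket misses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows with the CommonSecurityLog columns the rule reads:
# (TimeGenerated, DeviceVendor, SourceUserName, SourceGeoCity, SourceIP). Hypothetical data.
SAMPLE_ROWS = [
    # alice: Madrid and Lisbon inside the same 10:00 bucket -> detected
    ("2026-03-02T10:05:00", "Zscaler", "alice@example.test", "Madrid", "192.0.2.10"),
    ("2026-03-02T10:40:00", "Zscaler", "alice@example.test", "Lisbon", "198.51.100.7"),
    # bob: Madrid 10:58, Lisbon 11:02 -> straddles the bucket edge, missed by the fixed bin
    ("2026-03-02T10:58:00", "Zscaler", "bob@example.test", "Madrid", "192.0.2.11"),
    ("2026-03-02T11:02:00", "Zscaler", "bob@example.test", "Lisbon", "198.51.100.8"),
    # carol: two IPs but one city -> dcount(SourceGeoCity) stays 1, not detected
    ("2026-03-02T10:10:00", "Zscaler", "carol@example.test", "Madrid", "192.0.2.12"),
    ("2026-03-02T10:12:00", "Zscaler", "carol@example.test", "Madrid", "192.0.2.13"),
    # non-Zscaler vendor and empty user are dropped by the where clauses
    ("2026-03-02T10:15:00", "OtherVendor", "dave@example.test", "Paris", "203.0.113.5"),
    ("2026-03-02T10:16:00", "Zscaler", "", "Paris", "203.0.113.6"),
]

def _filtered(rows):
    """where DeviceVendor == "Zscaler" | where isnotempty(SourceUserName)"""
    for ts, vendor, user, city, ip in rows:
        if vendor == "Zscaler" and user:
            yield datetime.fromisoformat(ts), user, city, ip

def fixed_bucket_detect(rows):
    """The rule's logic: bin(TimeGenerated, 1h), summarize dcount(city) by user, bucket."""
    buckets = defaultdict(lambda: {"cities": set(), "ips": set(), "n": 0})
    for ts, user, city, ip in _filtered(rows):
        b = buckets[(user, ts.replace(minute=0, second=0, microsecond=0))]
        b["cities"].add(city); b["ips"].add(ip); b["n"] += 1
    hits = [{"SourceUserName": u, "HourBucket": hb.isoformat(), "CountryCount": len(b["cities"]),
             "Countries": sorted(b["cities"]), "RequestCount": b["n"], "SourceIPs": sorted(b["ips"])}
            for (u, hb), b in buckets.items() if len(b["cities"]) > 1]
    # order by CountryCount desc, RequestCount desc
    return sorted(hits, key=lambda h: (-h["CountryCount"], -h["RequestCount"]))

def sliding_window_detect(rows, window=timedelta(hours=1)):
    """Stricter variant: any two different cities for one user within `window` of each other."""
    by_user = defaultdict(list)
    for ts, user, city, _ in _filtered(rows):
        by_user[user].append((ts, city))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for i, (t1, c1) in enumerate(events):
            for t2, c2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted, nothing later is within the window
                if c2 != c1:
                    flagged.add(user)
    return sorted(flagged)
```

Running both functions over SAMPLE_ROWS shows only alice in the fixed-bucket result, while the sliding window also surfaces bob.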

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

Zscaler, ZIA, Users, Requests, Geographic Location, Credential Sharing, VPN, Proxy, Account Compromise, User, Attacker, Credentials, CommonSecurityEvents, CommonSecurityLog, TimeGenerated, DeviceVendor, SourceUserName, HourBucket, CountryCount, Countries, RequestCount, SourceIPs, URLSamples, SourceGeoCity, SourceIP, RequestURL, Account, FullName

Operators

ago(), bin(), by, count(), dcount(), desc, extend, isnotempty(), make_set(), order by, summarize, where