Zscaler ZIA - Impossible Travel (Same User, Multiple Locations in 1 Hour)
18 CSL Zscaler Impossible Travel
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where isnotempty(SourceUserName)
| extend HourBucket = bin(TimeGenerated, 1h)
| summarize
CountryCount = dcount(SourceGeoCity),
Countries = make_set(SourceGeoCity, 10),
RequestCount = count(),
SourceIPs = make_set(SourceIP, 10),
URLSamples = make_set(RequestURL, 5)
by SourceUserName, HourBucket
| where CountryCount > 1
| order by CountryCount desc, RequestCount descExplanation
This query is designed to detect suspicious activity involving Zscaler ZIA users. It looks for instances where a user appears to access the service from multiple geographic locations within a single hour, which is typically impossible without some form of credential misuse or manipulation. This could indicate that the user's credentials are being shared, that a VPN or proxy is being used to disguise the user's true location, or that the account has been compromised.
Here's a breakdown of the query's key components:
- Purpose: To identify users who generate requests from more than one distinct geographic location within the same hour, signaling potential security issues.
- Severity: High, due to the risk of credential compromise or misuse.
- Data Source: It uses data from the "CommonSecurityEvents" connector, specifically the "CommonSecurityLog" data type.
- Frequency: The query runs every hour and examines data from the past day.
- Logic:
- It filters logs to include only those from Zscaler.
- It groups data by user and hour, counting the number of distinct cities (CountryCount) from which requests originate.
- It flags cases where a user accesses from more than one city in an hour.
- Alerting: If such activity is detected, an alert is generated with details about the user, the number of locations accessed, and the number of requests made.
- Incident Management: The system can create incidents based on these alerts, grouping them by user account to manage and track potential security breaches effectively.
Overall, this query helps security teams quickly identify and respond to potential unauthorized access or misuse of user credentials.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 1h
Period: 1d