Query Details

21 CSL Zscaler DLP Data Upload Violation

Query

id: bb21d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
name: "Zscaler ZIA - DLP Policy Violation - Blocked Sensitive Data Upload"
version: 1.0.0
kind: Scheduled
description: |
  Detects Zscaler ZIA Data Loss Prevention (DLP) events where an upload or file transfer was blocked or flagged. DLP violations indicate a user attempted to send sensitive or restricted data to an external service — cloud storage, file-sharing site, or personal webmail. Repeated violations may indicate intentional exfiltration or a compromised account being used for data theft. MITRE ATT&CK: T1048 (Exfiltration Over Alternative Protocol), T1567 (Exfiltration Over Web Service).
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT30M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1048
  - T1567
query: |
    CommonSecurityLog
    | where TimeGenerated > ago(1d)
    | where DeviceVendor == "Zscaler"
    | where DeviceAction in ("block", "BLOCK", "Blocked", "blocked", "caution", "CAUTION")
    | where DeviceCustomString2 has_any (
        "DLP", "FILE_SHARE", "DATA_LOSS_PREVENTION",
        "DROPBOX", "BOX_NET", "GOOGLE_DRIVE", "ONEDRIVE", "SHAREPOINT",
        "WETRANSFER", "PEER_FILE_SHARE", "CLOUD_STORAGE")
        or Activity has_any ("DLP", "Data Loss")
    | where isnotempty(SourceUserName)
    | summarize
        ViolationCount    = count(),
        MBUploaded        = round(sum(todouble(SentBytes)) / 1048576, 2),
        UniqueDestDomains = dcount(DestinationHostName),
        DestDomains       = make_set(DestinationHostName, 10),
        URLSamples        = make_set(RequestURL, 5),
        FirstViolation    = min(TimeGenerated),
        LastViolation     = max(TimeGenerated)
      by SourceUserName, DLPCategory = DeviceCustomString2
    | order by ViolationCount desc, MBUploaded desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SourceUserName
customDetails:
  ViolationCount: ViolationCount
  MBUploaded: MBUploaded
  DLPCategory: DLPCategory
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler DLP Violation - {{SourceUserName}} ({{ViolationCount}} blocks)"
  alertDescriptionFormat: "User {{SourceUserName}} violated DLP policy {{ViolationCount}} times. Category: {{DLPCategory}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This KQL query is designed to detect and alert on data loss prevention (DLP) policy violations in Zscaler ZIA, specifically when sensitive data uploads are blocked. Here's a simplified breakdown:

  1. Purpose: The query identifies instances where a user attempts to upload or transfer sensitive data to external services (like cloud storage or file-sharing sites) and the action is blocked by Zscaler's DLP policies. Such violations could indicate either intentional data exfiltration or a compromised account.

  2. Severity: The alert is considered high severity due to the potential risk of data theft.

  3. Data Source: It uses data from the CommonSecurityLog via the CommonSecurityEvents connector.

  4. Time Frame: It looks at logs from the past day (24 hours) and runs every 30 minutes.

  5. Conditions: The query keeps only events where:

    • The vendor (DeviceVendor) is Zscaler.
    • The action (DeviceAction) is one of the listed block or caution values.
    • Either the URL category (DeviceCustomString2) contains a DLP, cloud-storage or file-sharing term (Dropbox, Box, Google Drive, OneDrive, SharePoint, WeTransfer, etc.), or the Activity field mentions DLP or Data Loss.
    • The source user name (SourceUserName) is populated.

  6. Output: For each user (SourceUserName) and category (DLPCategory, taken from DeviceCustomString2), it summarizes:

    • The number of violations (ViolationCount).
    • The total volume of data the user attempted to upload, in MB (MBUploaded, computed from SentBytes).
    • The number of distinct destination domains, plus up to 10 domains and 5 request URLs as samples.
    • The time of the first and last violation.

  7. Alerting:

    • Alerts carry the user, the violation count and the DLP category in their title and description.
    • Incidents are created and grouped by the Account entity over a 6-hour lookback, so repeated violations by the same user are tracked in one incident.

  8. MITRE ATT&CK Techniques: The query is aligned with T1048 (Exfiltration Over Alternative Protocol) and T1567 (Exfiltration Over Web Service).

Overall, this query helps security teams monitor and respond to potential data exfiltration attempts by identifying and alerting on blocked data transfers involving sensitive information. Because the category list also matches ordinary policy blocks on cloud-storage and file-sharing categories, the results are grouped by DLPCategory so that analysts can tell DLP engine hits apart from plain URL-category blocks when triaging.
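To make the filtering and aggregation concrete, here is an added Python example (not part of the original rule or the author's code) that replays the same where and summarize logic over a few constructed CommonSecurityLog-style rows. The has_any helper is an approximation of KQL's case-insensitive, whole-term matching, dcount is computed exactly rather than estimated, make_set is emulated by taking the first N distinct values in sorted order, and the sample rows, hostnames and the fixed NOW reference time are all constructed for the example.

```python
"""Offline replay of the rule's where/summarize logic over constructed rows.

Added example, not the original rule's code. KQL semantics are approximated:
has_any is a case-insensitive whole-term match, dcount is exact, and
make_set returns the first N distinct values in sorted order.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Values copied from the rule's where clauses.
BLOCK_ACTIONS = {"block", "BLOCK", "Blocked", "blocked", "caution", "CAUTION"}
DLP_CATEGORIES = ["DLP", "FILE_SHARE", "DATA_LOSS_PREVENTION",
                  "DROPBOX", "BOX_NET", "GOOGLE_DRIVE", "ONEDRIVE", "SHAREPOINT",
                  "WETRANSFER", "PEER_FILE_SHARE", "CLOUD_STORAGE"]
ACTIVITY_TERMS = ["DLP", "Data Loss"]

_TERM = re.compile(r"[A-Za-z0-9_]+")


def _terms(text):
    """Tokenize into lower-cased terms (assumed approximation of KQL term rules)."""
    return [t.lower() for t in _TERM.findall(text or "")]


def has_any(text, needles):
    """KQL-style has_any: true if any needle occurs as whole, consecutive terms."""
    hay = _terms(text)
    for needle in needles:
        n = _terms(needle)
        if n and any(hay[i:i + len(n)] == n for i in range(len(hay) - len(n) + 1)):
            return True
    return False


def matches(row, now):
    """Mirror the rule's where clauses; `in` on DeviceAction is case-sensitive as in KQL."""
    return (row["TimeGenerated"] > now - timedelta(days=1)
            and row["DeviceVendor"] == "Zscaler"
            and row["DeviceAction"] in BLOCK_ACTIONS
            and (has_any(row["DeviceCustomString2"], DLP_CATEGORIES)
                 or has_any(row["Activity"], ACTIVITY_TERMS))
            and bool(row["SourceUserName"]))


def summarize(rows, now):
    """Mirror `summarize ... by SourceUserName, DLPCategory` and the final ordering."""
    groups = defaultdict(list)
    for row in rows:
        if matches(row, now):
            groups[(row["SourceUserName"], row["DeviceCustomString2"])].append(row)
    results = []
    for (user, category), hits in groups.items():
        domains = sorted({h["DestinationHostName"] for h in hits})
        urls = sorted({h["RequestURL"] for h in hits})
        results.append({
            "SourceUserName": user,
            "DLPCategory": category,
            "ViolationCount": len(hits),
            "MBUploaded": round(sum(float(h["SentBytes"]) for h in hits) / 1048576, 2),
            "UniqueDestDomains": len(domains),
            "DestDomains": domains[:10],   # make_set(DestinationHostName, 10)
            "URLSamples": urls[:5],        # make_set(RequestURL, 5)
            "FirstViolation": min(h["TimeGenerated"] for h in hits),
            "LastViolation": max(h["TimeGenerated"] for h in hits),
        })
    # order by ViolationCount desc, MBUploaded desc
    results.sort(key=lambda r: (-r["ViolationCount"], -r["MBUploaded"]))
    return results


# Constructed sample data: a fixed reference time stands in for now().
NOW = datetime(2026, 3, 2, 12, 0, 0)


def _row(user, hours_ago, action, category, host, url, sent_bytes,
         vendor="Zscaler", activity="Web Proxy"):
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "DeviceVendor": vendor,
            "DeviceAction": action, "DeviceCustomString2": category, "Activity": activity,
            "SourceUserName": user, "SentBytes": sent_bytes,
            "DestinationHostName": host, "RequestURL": url}


SAMPLE_ROWS = [
    _row("alice", 1, "block", "DLP", "www.dropbox.com", "https://www.dropbox.com/upload/1", 5242880),
    _row("alice", 2, "Blocked", "DLP", "www.dropbox.com", "https://www.dropbox.com/upload/2", 3145728),
    _row("alice", 3, "block", "CLOUD_STORAGE", "drive.google.com", "https://drive.google.com/u/0", 1048576),
    # Matches through the Activity field even though the category is not a DLP one.
    _row("bob", 4, "caution", "General Browsing", "wetransfer.com", "https://wetransfer.com/",
         2097152, activity="DLP policy hit"),
    _row("bob", 5, "allow", "DLP", "www.dropbox.com", "https://www.dropbox.com/upload/3", 4194304),   # allowed
    _row("carol", 30, "block", "DLP", "www.dropbox.com", "https://www.dropbox.com/upload/4", 1048576),  # too old
    _row("", 1, "block", "DLP", "www.dropbox.com", "https://www.dropbox.com/upload/5", 1048576),        # no user
    _row("dave", 1, "block", "ONEDRIVE", "onedrive.live.com", "https://onedrive.live.com/",
         1048576, vendor="Palo Alto Networks"),                                                     # wrong vendor
]

if __name__ == "__main__":
    for r in summarize(SAMPLE_ROWS, NOW):
        print(r["SourceUserName"], r["DLPCategory"], r["ViolationCount"],
              r["MBUploaded"], r["DestDomains"])
```

Running it yields three rows: alice/DLP (2 violations, 8.0 MB), bob/General Browsing (1, 2.0 MB, matched only via the Activity text) and alice/CLOUD_STORAGE (1, 1.0 MB); the allowed, stale, user-less and non-Zscaler rows are dropped by the same clauses the rule applies. Swapping rows in this harness is a quick way to check how a proposed change to the category list or action values would shift the results before editing the live rule.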

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog
DeviceVendor
DeviceAction
DeviceCustomString2
Activity
SourceUserName
SentBytes
DestinationHostName
RequestURL
TimeGenerated

Operators

ago
in
has_any
isnotempty
summarize
count
round
sum
todouble
dcount
make_set
min
max
order by