Zscaler ZIA - DLP Policy Violation - Blocked Sensitive Data Upload
21 CSL Zscaler DLP Data Upload Violation
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction in ("block", "BLOCK", "Blocked", "blocked", "caution", "CAUTION")
| where DeviceCustomString2 has_any (
"DLP", "FILE_SHARE", "DATA_LOSS_PREVENTION",
"DROPBOX", "BOX_NET", "GOOGLE_DRIVE", "ONEDRIVE", "SHAREPOINT",
"WETRANSFER", "PEER_FILE_SHARE", "CLOUD_STORAGE")
or Activity has_any ("DLP", "Data Loss")
| where isnotempty(SourceUserName)
| summarize
ViolationCount = count(),
MBUploaded = round(sum(todouble(SentBytes)) / 1048576, 2),
UniqueDestDomains = dcount(DestinationHostName),
DestDomains = make_set(DestinationHostName, 10),
URLSamples = make_set(RequestURL, 5),
FirstViolation = min(TimeGenerated),
LastViolation = max(TimeGenerated)
by SourceUserName, DLPCategory = DeviceCustomString2
| order by ViolationCount desc, MBUploaded descExplanation
This KQL query is designed to detect and alert on data loss prevention (DLP) policy violations in Zscaler ZIA, specifically when sensitive data uploads are blocked. Here's a simplified breakdown:
-
Purpose: The query identifies instances where a user attempts to upload or transfer sensitive data to external services (like cloud storage or file-sharing sites) and the action is blocked by Zscaler's DLP policies. Such violations could indicate either intentional data exfiltration or a compromised account.
-
Severity: The alert is considered high severity due to the potential risk of data theft.
-
Data Source: It uses data from the
CommonSecurityLogvia theCommonSecurityEventsconnector. -
Time Frame: It looks at logs from the past day (24 hours) and runs every 30 minutes.
-
Conditions: The query filters logs where:
- The vendor is Zscaler.
- The action is a block or caution related to DLP.
- The event involves specific services like Dropbox, Google Drive, etc.
-
Output: For each user (
SourceUserName), it summarizes:- The number of violations (
ViolationCount). - The total data attempted to be uploaded in MB (
MBUploaded). - Unique destination domains and samples of URLs involved.
- The time of the first and last violation.
- The number of violations (
-
Alerting:
- Alerts are generated with details about the user and the number of violations.
- Incidents are created and grouped by user accounts to manage and track these violations efficiently.
-
MITRE ATT&CK Techniques: The query is aligned with techniques T1048 and T1567, which involve data exfiltration over alternative protocols and web services.
Overall, this query helps security teams monitor and respond to potential data exfiltration attempts by identifying and alerting on blocked data transfers involving sensitive information.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT30M
Period: P1D