Zscaler ZIA - Advanced Threat Protection (ATP) / Sandbox Malicious File Blocked
22 CSL Zscaler ATP Sandbox Malicious File
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction in ("block", "BLOCK", "Blocked")
| where DeviceCustomString2 has_any (
"SANDBOX", "ADVANCED_THREAT", "MALWARE_DOWNLOAD_BLOCKED",
"ADVANCED_MALWARE_POLICY", "RANSOMWARE", "EXPLOIT", "ADVANCED_THREAT_C2")
or DeviceCustomString1 has_any (
"sandbox", "malicious", "virus", "trojan",
"ransomware", "exploit", "backdoor", "rat")
or Activity has_any ("Sandbox", "Advanced Threat Protection", "Malware")
| summarize
BlockCount = count(),
UserCount = dcount(SourceUserName),
UserList = make_set(SourceUserName, 10),
BlockedDomains = make_set(DestinationHostName, 10),
BlockedURLs = make_set(RequestURL, 10),
ThreatNames = make_set(DeviceCustomString1, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
RepUser = any(SourceUserName)
by ThreatCategory = DeviceCustomString2
| order by BlockCount descExplanation
This query is designed to detect and alert on events where Zscaler's Advanced Threat Protection (ATP) or Sandbox has blocked a file download due to it being identified as malicious. Here's a simple breakdown:
-
Purpose: The query identifies instances where Zscaler has blocked potentially harmful files, such as ransomware or trojans, indicating a high-confidence malware delivery attempt. These events require immediate investigation.
-
Data Source: It uses data from the "CommonSecurityLog" provided by the "CommonSecurityEvents" connector.
-
Time Frame: The query looks at events from the past day (1 day).
-
Conditions: It filters for events where:
- The vendor is Zscaler.
- The action taken was a block (e.g., "block", "BLOCK", "Blocked").
- Specific threat indicators are present in the logs, such as "SANDBOX", "MALWARE_DOWNLOAD_BLOCKED", or related terms like "ransomware" or "trojan".
-
Output: The query summarizes the data by:
- Counting the number of block events.
- Counting and listing unique users affected.
- Listing domains and URLs that were blocked.
- Listing threat names.
- Recording the first and last time such events were seen.
-
Severity: The severity of these alerts is classified as "High".
-
Alert and Incident Management:
- Alerts are generated with a display name and description that includes the threat category, number of events, and number of users affected.
- Incidents are created for these alerts, and similar incidents are grouped together based on the user account involved.
-
MITRE ATT&CK Framework: The query maps to techniques T1204 (User Execution) and T1566 (Phishing — Malicious File), indicating the tactics of Initial Access and Execution.
Overall, this query helps security teams quickly identify and respond to threats blocked by Zscaler's security measures, focusing on high-confidence malware attempts.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: P1D