Query Details

22 CSL Zscaler ATP Sandbox Malicious File

Query

id: cc22e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
name: "Zscaler ZIA - Advanced Threat Protection (ATP) / Sandbox Malicious File Blocked"
version: 1.0.0
kind: Scheduled
description: |
  Detects Zscaler ZIA Advanced Threat Protection (ATP) or Sandbox events where a file download was blocked due to a malicious verdict. A sandbox block means Zscaler detonated the file and identified malicious behaviour — ransomware, trojan, exploit, or C2 callback. Treat any sandbox block as a high-confidence malware delivery attempt requiring immediate endpoint investigation. MITRE ATT&CK: T1204 (User Execution), T1566 (Phishing — Malicious File), T1071.
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT15M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Execution
relevantTechniques:
  - T1204
  - T1566
query: |
    CommonSecurityLog
    | where TimeGenerated > ago(1d)
    | where DeviceVendor == "Zscaler"
    | where DeviceAction in ("block", "BLOCK", "Blocked")
    | where DeviceCustomString2 has_any (
        "SANDBOX", "ADVANCED_THREAT", "MALWARE_DOWNLOAD_BLOCKED",
        "ADVANCED_MALWARE_POLICY", "RANSOMWARE", "EXPLOIT", "ADVANCED_THREAT_C2")
        or DeviceCustomString1 has_any (
        "sandbox", "malicious", "virus", "trojan",
        "ransomware", "exploit", "backdoor", "rat")
        or Activity has_any ("Sandbox", "Advanced Threat Protection", "Malware")
    | summarize
        BlockCount     = count(),
        UserCount      = dcount(SourceUserName),
        UserList       = make_set(SourceUserName, 10),
        BlockedDomains = make_set(DestinationHostName, 10),
        BlockedURLs    = make_set(RequestURL, 10),
        ThreatNames    = make_set(DeviceCustomString1, 10),
        FirstSeen      = min(TimeGenerated),
        LastSeen       = max(TimeGenerated),
        RepUser        = any(SourceUserName)
      by ThreatCategory = DeviceCustomString2
    | order by BlockCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: RepUser
customDetails:
  BlockCount: BlockCount
  UserCount: UserCount
  ThreatCategory: ThreatCategory
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler ATP Block - {{ThreatCategory}} ({{BlockCount}} events, {{UserCount}} users)"
  alertDescriptionFormat: "Zscaler blocked {{BlockCount}} ATP or Sandbox events for category {{ThreatCategory}} affecting {{UserCount}} users."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT4H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect and alert on events where Zscaler's Advanced Threat Protection (ATP) or Sandbox has blocked a file download due to it being identified as malicious. Here's a simple breakdown:

  • Purpose: The query identifies instances where Zscaler has blocked potentially harmful files, such as ransomware or trojans, indicating a high-confidence malware delivery attempt. These events require immediate investigation.

  • Data Source: It uses data from the "CommonSecurityLog" provided by the "CommonSecurityEvents" connector.

  • Time Frame: The query looks at events from the past day (1 day).

  • Conditions: It filters for events where:

    • The vendor is Zscaler.
    • The action taken was a block (e.g., "block", "BLOCK", "Blocked").
    • Specific threat indicators are present in the logs, such as "SANDBOX", "MALWARE_DOWNLOAD_BLOCKED", or related terms like "ransomware" or "trojan".

  • Output: The query summarizes the data per threat category by:

    • Counting the number of block events.
    • Counting and listing unique users affected.
    • Listing domains and URLs that were blocked.
    • Listing threat names.
    • Recording the first and last time such events were seen.

  • Severity: The severity of these alerts is classified as "High".

  • Alert and Incident Management:

    • Alerts are generated with a display name and description that includes the threat category, number of events, and number of users affected.
    • Incidents are created for these alerts, and similar incidents are grouped together based on the user account involved.

  • MITRE ATT&CK Framework: The query maps to techniques T1204 (User Execution) and T1566 (Phishing — Malicious File), indicating the tactics of Initial Access and Execution.

Overall, this query helps security teams quickly identify and respond to threats blocked by Zscaler's security measures, focusing on high-confidence malware attempts.
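To make the filter and summarize stages concrete, the following Python script emulates the rule's KQL pipeline over a handful of constructed CommonSecurityLog rows. This is an added example, not code from the rule, its author or Zscaler: the `has_any` helper is an approximation of KQL's whole-term, case-insensitive matching, the `CslRow` layout is a constructed subset of the CEF columns the rule reads, and every row, user and host name is made up.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Term lists and action values copied from the rule's query.
CS2_TERMS = ("SANDBOX", "ADVANCED_THREAT", "MALWARE_DOWNLOAD_BLOCKED",
             "ADVANCED_MALWARE_POLICY", "RANSOMWARE", "EXPLOIT", "ADVANCED_THREAT_C2")
CS1_TERMS = ("sandbox", "malicious", "virus", "trojan",
             "ransomware", "exploit", "backdoor", "rat")
ACTIVITY_TERMS = ("Sandbox", "Advanced Threat Protection", "Malware")
BLOCK_ACTIONS = ("block", "BLOCK", "Blocked")  # compared with KQL `in`, which is case-sensitive
MAX_SET = 10                                    # the rule's make_set(col, 10) cap

@dataclass
class CslRow:
    """Subset of CommonSecurityLog columns the rule reads (constructed layout)."""
    TimeGenerated: datetime
    DeviceVendor: str
    DeviceAction: str
    DeviceCustomString1: str   # threat name
    DeviceCustomString2: str   # threat category
    Activity: str
    SourceUserName: str
    DestinationHostName: str
    RequestURL: str

def _terms(text):
    # KQL indexes alphanumeric runs as terms and compares them case-insensitively.
    return re.findall(r"[a-z0-9]+", text.lower())

def has_any(value, needles):
    """Approximation of KQL has_any: whole-term, case-insensitive match of any needle."""
    toks = _terms(value)
    for needle in needles:
        n = _terms(needle)
        if any(toks[i:i + len(n)] == n for i in range(len(toks) - len(n) + 1)):
            return True
    return False

def matches_rule(row):
    """The rule's vendor, action and threat-term `where` clauses."""
    return (row.DeviceVendor == "Zscaler"
            and row.DeviceAction in BLOCK_ACTIONS
            and (has_any(row.DeviceCustomString2, CS2_TERMS)
                 or has_any(row.DeviceCustomString1, CS1_TERMS)
                 or has_any(row.Activity, ACTIVITY_TERMS)))

def run_rule(rows, now=None):
    """Emulates `where TimeGenerated > ago(1d)`, the filters, summarize and order by."""
    now = now or datetime.now(timezone.utc)
    groups = {}
    for r in rows:
        if r.TimeGenerated > now - timedelta(days=1) and matches_rule(r):
            groups.setdefault(r.DeviceCustomString2, []).append(r)

    def make_set(vals):  # make_set order is unspecified in KQL; sorted here for reproducibility
        return sorted(set(vals))[:MAX_SET]

    alerts = []
    for category, rs in groups.items():
        alerts.append({
            "ThreatCategory": category,
            "BlockCount": len(rs),
            "UserCount": len({r.SourceUserName for r in rs}),
            "UserList": make_set(r.SourceUserName for r in rs),
            "BlockedDomains": make_set(r.DestinationHostName for r in rs),
            "BlockedURLs": make_set(r.RequestURL for r in rs),
            "ThreatNames": make_set(r.DeviceCustomString1 for r in rs),
            "FirstSeen": min(r.TimeGenerated for r in rs),
            "LastSeen": max(r.TimeGenerated for r in rs),
            "RepUser": rs[0].SourceUserName,  # any() returns an arbitrary row's value
        })
    # order by BlockCount desc; the category breaks ties so the output is deterministic
    return sorted(alerts, key=lambda a: (-a["BlockCount"], a["ThreatCategory"]))

def build_sample_rows(now=None):
    """Constructed rows (not real Zscaler telemetry) covering hits and the cases the rule skips."""
    now = now or datetime.now(timezone.utc)
    z, ex = "Zscaler", "example.test"
    def row(mins_ago, vendor, action, name, category, activity, user, host, path):
        return CslRow(now - timedelta(minutes=mins_ago), vendor, action, name,
                      category, activity, f"{user}@{ex}", f"{host}.{ex}",
                      f"http://{host}.{ex}/{path}")
    return [
        row(50, z, "Blocked", "Trojan.Generic.Dropper", "SANDBOX", "Sandbox", "alice", "files", "invoice.exe"),
        row(40, z, "block", "Ransomware.Locker", "SANDBOX", "Sandbox", "bob", "cdn", "update.zip"),
        row(30, z, "BLOCK", "Backdoor.Beacon", "ADVANCED_THREAT_C2", "Advanced Threat Protection", "alice", "c2", "ping"),
        # matched only through the Activity column
        row(20, z, "Blocked", "", "CUSTOM_POLICY", "Malware download blocked", "carol", "dl", "setup.msi"),
        # title-case action: skipped, because KQL `in` is case-sensitive
        row(15, z, "Block", "Trojan.Generic.Dropper", "SANDBOX", "Sandbox", "dave", "files", "invoice.exe"),
        # allowed download, ordinary URL-filtering block, other vendor, and a stale event
        row(10, z, "allow", "", "SANDBOX", "Sandbox", "erin", "files", "report.pdf"),
        row(5, z, "Blocked", "Gambling", "URL_FILTERING", "URL Filtering", "frank", "bets", ""),
        row(3, "OtherVendor", "Blocked", "Trojan.X", "SANDBOX", "Sandbox", "gina", "x", "a.exe"),
        row(60 * 25, z, "Blocked", "Trojan.Old", "SANDBOX", "Sandbox", "hank", "old", "o.exe"),
    ]
```

Calling `run_rule(build_sample_rows())` yields three alert rows, with SANDBOX first (two blocks, two users) followed by ADVANCED_THREAT_C2 and CUSTOM_POLICY with one block each. The fifth constructed row is the one worth noticing: its action is spelled "Block", which KQL's `in` does not match because `in` is case-sensitive, while the `has_any` clauses on the threat columns are case-insensitive. If a tenant's logs carry that spelling, the rule would miss those blocks; `in~` is the case-insensitive form of the operator.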

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, Zscaler, DeviceVendor, DeviceAction, DeviceCustomString2, DeviceCustomString1, Activity, BlockCount, UserCount, SourceUserName, DestinationHostName, RequestURL, ThreatNames, TimeGenerated, ThreatCategory, Account, RepUser

Operators

ago, has_any, in, order by, summarize, where, count, dcount, make_set, min, max, any