Query Details

23 CSL Zscaler Mass Cloud Storage Download

Query

id: dd23f6a7-b8c9-4d0e-1f2a-3b4c5d6e7f8a
name: "Zscaler ZIA - Mass Cloud Storage Download - Data Staging Risk"
version: 1.0.0
kind: Scheduled
description: |
  Detects users downloading more than 500 MB or performing more than 200 requests against cloud storage services (Dropbox, OneDrive, Google Drive, Box, WeTransfer, SharePoint) through Zscaler ZIA within a 24-hour window. Bulk downloads from cloud storage are a key indicator of data staging before exfiltration, whether by a malicious insider or by a compromised account harvesting data. MITRE ATT&CK: T1530 (Data from Cloud Storage), T1048 (Exfiltration Over Alternative Protocol), T1213 (Data from Information Repositories).
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Collection
  - Exfiltration
relevantTechniques:
  - T1530
  - T1048
  - T1213
query: |
    CommonSecurityLog
    | where TimeGenerated > ago(1d)
    | where DeviceVendor == "Zscaler"
    | where DeviceAction !in ("block", "BLOCK", "Blocked", "deny", "DROP")
    | where DeviceCustomString2 has_any (
        "DROPBOX", "BOX_NET", "GOOGLEDRIVE", "GOOGLE_DRIVE",
        "ONEDRIVE", "SHAREPOINT", "WETRANSFER", "CLOUD_STORAGE", "WEBDAV")
    | where isnotempty(SourceUserName)
    | summarize
        DownloadCount  = count(),
        MBDownloaded   = round(sum(todouble(ReceivedBytes)) / 1048576, 2),
        MBUploaded     = round(sum(todouble(SentBytes)) / 1048576, 2),
        UniqueServices = dcount(DeviceCustomString2),
        Services       = make_set(DeviceCustomString2, 5),
        URLSamples     = make_set(RequestURL, 5),
        FirstSeen      = min(TimeGenerated),
        LastSeen       = max(TimeGenerated)
      by SourceUserName
    | where MBDownloaded > 500 or DownloadCount > 200
    | extend RiskScore = case(
        MBDownloaded > 5000, "Critical",
        MBDownloaded > 2000 or DownloadCount > 1000, "High",
        "Medium")
    | order by MBDownloaded desc, DownloadCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SourceUserName
customDetails:
  MBDownloaded: MBDownloaded
  DownloadCount: DownloadCount
  RiskScore: RiskScore
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler Mass Cloud Download - {{SourceUserName}} ({{MBDownloaded}} MB, {{RiskScore}})"
  alertDescriptionFormat: "User {{SourceUserName}} downloaded {{MBDownloaded}} MB from cloud storage services. Risk score: {{RiskScore}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to monitor and detect potentially risky behavior involving large data downloads from cloud storage services using Zscaler ZIA. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies users who download more than 500 MB or make more than 200 requests to cloud storage services (like Dropbox, OneDrive, Google Drive, etc.) within a 24-hour period. Such activity could indicate data staging for exfiltration, which might be performed by a malicious insider or a compromised account.

  2. Data Source: It reads CommonSecurityLog rows where DeviceVendor is "Zscaler", keeps only allowed requests (blocked and denied actions are excluded, since a blocked request does not deliver the file), restricts to rows whose DeviceCustomString2 names one of the listed cloud storage services, and drops rows with no SourceUserName. Which custom string carries the application or category name depends on how the ZIA NSS feed is configured, so confirm the mapping (the DeviceCustomString2Label column shows what the feed puts there) before relying on the service list.

  3. Key Metrics (computed per SourceUserName):

    • Counts the number of matching requests (DownloadCount). Despite the name, this counts every allowed request to the listed services, not only file downloads.
    • Sums ReceivedBytes, the bytes ZIA returned to the client, and reports the total in megabytes (MBDownloaded). This is the download volume the thresholds act on.
    • Sums SentBytes, the bytes the client sent, and reports it as MBUploaded. It is included as context (uploads are the exfiltration leg) but does not feed the threshold.
    • Counts the distinct cloud services accessed (UniqueServices) and lists up to five of them (Services).
    • Collects up to five sample URLs (URLSamples) and records the first and last matching request (FirstSeen, LastSeen).
  4. Risk Assessment:

    • Assigns a risk score based on the volume of data downloaded:
      • "Critical" for downloads over 5000 MB.
      • "High" for downloads over 2000 MB or more than 1000 requests.
      • "Medium" for other cases that meet the initial criteria.
  5. Alerting:

    • Generates one alert per user who crosses a threshold, titled with the username, the megabytes downloaded, and the risk score; those three values are also surfaced as custom details.
    • Because the rule runs hourly (queryFrequency PT1H) over a rolling 24-hour window (queryPeriod P1D), a user who has crossed a threshold is returned again on every run until the activity ages out of the window, so repeated alerts for the same user are expected rather than a sign of new activity.
  6. Incident Management:

    • Automatically creates an incident for each alert.
    • Groups alerts that share the same Account entity within 12 hours (lookbackDuration PT12H) into a single incident to limit duplication; a closed incident is not reopened by a later alert, a new one is created instead.

Overall, this query helps in identifying and managing potential data exfiltration risks by monitoring large-scale data downloads from cloud storage services.
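To check the thresholds and exclusions against known input before deploying the rule, the same pipeline can be run over a constructed datatable in place of CommonSecurityLog. The block below is an added example, not part of the published rule: the rows, user names, URLs and the cloud-app strings placed in DeviceCustomString2 are constructed assumptions for the test, not a documented Zscaler field mapping. The `ago(1d)` filter is left out because the sample timestamps are fixed and a rolling window would discard them; every other operator is the rule's own.

```kql
// Constructed sample rows standing in for the Zscaler ZIA CEF feed as it lands
// in CommonSecurityLog. Column names follow the CommonSecurityLog schema; the
// values are assumptions made for this test.
let Sample = datatable(
    TimeGenerated: datetime, DeviceVendor: string, DeviceAction: string,
    DeviceCustomString2: string, SourceUserName: string,
    RequestURL: string, ReceivedBytes: long, SentBytes: long)
[
    // alice: three allowed requests, 250 + 250 + 100 = 600 MB received -> over 500 MB
    datetime(2026-03-02 09:00:00), "Zscaler", "Allowed", "DROPBOX",     "alice@corp.example", "https://www.dropbox.com/s/a",        262144000, 4096,
    datetime(2026-03-02 09:05:00), "Zscaler", "Allowed", "DROPBOX",     "alice@corp.example", "https://www.dropbox.com/s/b",        262144000, 4096,
    datetime(2026-03-02 09:10:00), "Zscaler", "Allowed", "GOOGLEDRIVE", "alice@corp.example", "https://drive.google.com/x",         104857600, 4096,
    // bob: a blocked 900 MB attempt must be ignored; his allowed traffic is 1 MB
    datetime(2026-03-02 10:00:00), "Zscaler", "Blocked", "WETRANSFER",  "bob@corp.example",   "https://wetransfer.com/big",         943718400, 0,
    datetime(2026-03-02 10:01:00), "Zscaler", "Allowed", "ONEDRIVE",    "bob@corp.example",   "https://corp-my.sharepoint.com/f",   1048576,   2048,
    // carol: large upload (700 MB sent), tiny download -> not a download-staging hit
    datetime(2026-03-02 11:00:00), "Zscaler", "Allowed", "BOX_NET",     "carol@corp.example", "https://app.box.com/upload",         8192,      734003200,
    // no user name (e.g. unauthenticated traffic): 1 GB, but dropped by isnotempty()
    datetime(2026-03-02 12:00:00), "Zscaler", "Allowed", "DROPBOX",     "",                   "https://www.dropbox.com/s/c",        1073741824, 0
];
// dave: 250 small SharePoint requests (about 12 MB in total) -> over the 200-request threshold
let ManySmall = range i from 1 to 250 step 1
    | project TimeGenerated = datetime(2026-03-02 13:00:00) + i * 10s,
              DeviceVendor = "Zscaler", DeviceAction = "Allowed",
              DeviceCustomString2 = "SHAREPOINT", SourceUserName = "dave@corp.example",
              RequestURL = strcat("https://corp.sharepoint.com/doc/", i),
              ReceivedBytes = long(51200), SentBytes = long(1024);
union Sample, ManySmall
| where DeviceVendor == "Zscaler"
| where DeviceAction !in ("block", "BLOCK", "Blocked", "deny", "DROP")
| where DeviceCustomString2 has_any (
    "DROPBOX", "BOX_NET", "GOOGLEDRIVE", "GOOGLE_DRIVE",
    "ONEDRIVE", "SHAREPOINT", "WETRANSFER", "CLOUD_STORAGE", "WEBDAV")
| where isnotempty(SourceUserName)
| summarize
    DownloadCount  = count(),
    MBDownloaded   = round(sum(todouble(ReceivedBytes)) / 1048576, 2),
    MBUploaded     = round(sum(todouble(SentBytes)) / 1048576, 2),
    UniqueServices = dcount(DeviceCustomString2),
    Services       = make_set(DeviceCustomString2, 5),
    URLSamples     = make_set(RequestURL, 5),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by SourceUserName
| where MBDownloaded > 500 or DownloadCount > 200
| extend RiskScore = case(
    MBDownloaded > 5000, "Critical",
    MBDownloaded > 2000 or DownloadCount > 1000, "High",
    "Medium")
| order by MBDownloaded desc, DownloadCount desc
```

Expected output is two rows: alice@corp.example (DownloadCount 3, MBDownloaded 600, UniqueServices 2, RiskScore Medium) followed by dave@corp.example (DownloadCount 250, MBDownloaded 12.21, RiskScore Medium). bob is absent because his only large transfer was blocked, carol because her volume is on the upload side, and the unnamed row because of `isnotempty(SourceUserName)`. Before trusting the service list in production, run `CommonSecurityLog | where DeviceVendor == "Zscaler" | summarize count() by DeviceCustomString2Label, DeviceCustomString2` over a day of real data to confirm the field holds application names in the form the list expects; if the feed puts a URL category there instead, the `has_any` list must be rewritten against those values.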

Details


David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, Devices, Users, CloudStorage, DataExfiltration, Zscaler

Operators

ago(), has_any(), isnotempty(), summarize, count(), round(), todouble(), sum(), dcount(), make_set(), min(), max(), by, extend, case(), order by
