Zscaler ZIA - Mass Cloud Storage Download - Data Staging Risk
23 CSL Zscaler Mass Cloud Storage Download
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction !in ("block", "BLOCK", "Blocked", "deny", "DROP")
| where DeviceCustomString2 has_any (
"DROPBOX", "BOX_NET", "GOOGLEDRIVE", "GOOGLE_DRIVE",
"ONEDRIVE", "SHAREPOINT", "WETRANSFER", "CLOUD_STORAGE", "WEBDAV")
| where isnotempty(SourceUserName)
| summarize
DownloadCount = count(),
MBDownloaded = round(sum(todouble(ReceivedBytes)) / 1048576, 2),
MBUploaded = round(sum(todouble(SentBytes)) / 1048576, 2),
UniqueServices = dcount(DeviceCustomString2),
Services = make_set(DeviceCustomString2, 5),
URLSamples = make_set(RequestURL, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceUserName
| where MBDownloaded > 500 or DownloadCount > 200
| extend RiskScore = case(
MBDownloaded > 5000, "Critical",
MBDownloaded > 2000 or DownloadCount > 1000, "High",
"Medium")
| order by MBDownloaded desc, DownloadCount descExplanation
This query is designed to monitor and detect potentially risky behavior involving large data downloads from cloud storage services using Zscaler ZIA. Here's a simple breakdown of what it does:
-
Purpose: The query identifies users who download more than 500 MB or make more than 200 requests to cloud storage services (like Dropbox, OneDrive, Google Drive, etc.) within a 24-hour period. Such activity could indicate data staging for exfiltration, which might be performed by a malicious insider or a compromised account.
-
Data Source: It uses data from the "CommonSecurityLog" where the vendor is "Zscaler" and excludes blocked or denied actions.
-
Key Metrics:
- Counts the number of download requests (
DownloadCount). - Calculates the total amount of data downloaded in megabytes (
MBDownloaded). - Calculates the total amount of data uploaded in megabytes (
MBUploaded). - Identifies the number of unique cloud services accessed (
UniqueServices). - Collects samples of URLs accessed (
URLSamples).
- Counts the number of download requests (
-
Risk Assessment:
- Assigns a risk score based on the volume of data downloaded:
- "Critical" for downloads over 5000 MB.
- "High" for downloads over 2000 MB or more than 1000 requests.
- "Medium" for other cases that meet the initial criteria.
- Assigns a risk score based on the volume of data downloaded:
-
Alerting:
- Generates alerts with details like the username, amount of data downloaded, and risk score.
- Alerts are grouped by user account to manage incidents efficiently.
-
Incident Management:
- Automatically creates incidents for detected activities.
- Groups related alerts into a single incident to avoid duplication.
Overall, this query helps in identifying and managing potential data exfiltration risks by monitoring large-scale data downloads from cloud storage services.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D