Query Details

Zscaler ZIA - Mass Cloud Storage Download - Data Staging Risk

23 CSL Zscaler Mass Cloud Storage Download

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction !in ("block", "BLOCK", "Blocked", "deny", "DROP")
| where DeviceCustomString2 has_any (
    "DROPBOX", "BOX_NET", "GOOGLEDRIVE", "GOOGLE_DRIVE",
    "ONEDRIVE", "SHAREPOINT", "WETRANSFER", "CLOUD_STORAGE", "WEBDAV")
| where isnotempty(SourceUserName)
| summarize
    DownloadCount  = count(),
    MBDownloaded   = round(sum(todouble(ReceivedBytes)) / 1048576, 2),
    MBUploaded     = round(sum(todouble(SentBytes)) / 1048576, 2),
    UniqueServices = dcount(DeviceCustomString2),
    Services       = make_set(DeviceCustomString2, 5),
    URLSamples     = make_set(RequestURL, 5),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by SourceUserName
| where MBDownloaded > 500 or DownloadCount > 200
| extend RiskScore = case(
    MBDownloaded > 5000, "Critical",
    MBDownloaded > 2000 or DownloadCount > 1000, "High",
    "Medium")
| order by MBDownloaded desc, DownloadCount desc

Explanation

This query is designed to monitor and detect potentially risky behavior involving large data downloads from cloud storage services using Zscaler ZIA. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies users who download more than 500 MB or make more than 200 requests to cloud storage services (like Dropbox, OneDrive, Google Drive, etc.) within a 24-hour period. Such activity could indicate data staging for exfiltration, which might be performed by a malicious insider or a compromised account.

  2. Data Source: It uses data from the "CommonSecurityLog" where the vendor is "Zscaler" and excludes blocked or denied actions.

  3. Key Metrics:

    • Counts the number of download requests (DownloadCount).
    • Calculates the total amount of data downloaded in megabytes (MBDownloaded).
    • Calculates the total amount of data uploaded in megabytes (MBUploaded).
    • Identifies the number of unique cloud services accessed (UniqueServices).
    • Collects samples of URLs accessed (URLSamples).
  4. Risk Assessment:

    • Assigns a risk score based on the volume of data downloaded:
      • "Critical" for downloads over 5000 MB.
      • "High" for downloads over 2000 MB or more than 1000 requests.
      • "Medium" for other cases that meet the initial criteria.
  5. Alerting:

    • Generates alerts with details like the username, amount of data downloaded, and risk score.
    • Alerts are grouped by user account to manage incidents efficiently.
  6. Incident Management:

    • Automatically creates incidents for detected activities.
    • Groups related alerts into a single incident to avoid duplication.

Overall, this query helps in identifying and managing potential data exfiltration risks by monitoring large-scale data downloads from cloud storage services.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogDevicesUsersCloudStorageDataExfiltrationZscaler

Operators

ago()has_any()isnotempty()summarizecount()round()todouble()sum()dcount()make_set()min()max()byextendcase()order by

Severity

High

Tactics

CollectionExfiltration

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub