Query Details
id: ee24a7b8-c9d0-4e1f-2a3b-4c5d6e7f8a9b
name: "Zscaler ZIA - Uncategorized or Newly Registered Domain Request Spike"
version: 1.0.0
kind: Scheduled
description: |
  Detects users or hosts generating a high volume of requests to uncategorized, newly registered, or dynamically-resolved domains through Zscaler ZIA. Legitimate users rarely contact large numbers of uncategorized domains; this pattern is a strong indicator of command-and-control (C2) traffic using domain generation algorithms (DGA), DNS-over-HTTPS tunneling, or attacker infrastructure that has not yet been categorized by Zscaler's cloud intelligence. MITRE ATT&CK: T1071.004, T1568 (Dynamic Resolution), T1071.
severity: Medium
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
  - T1568
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor == "Zscaler"
  | where DeviceCustomString2 in (
        "NONE", "UNCATEGORIZED", "OTHER_MISCELLANEOUS",
        "NEWLY_REGISTERED_DOMAINS", "DYNAMIC_DNS")
      or isempty(DeviceCustomString2)
  | where isnotempty(SourceUserName)
  | summarize
      RequestCount = count(),
      UniqueDestinations = dcount(DestinationHostName),
      Destinations = make_set(DestinationHostName, 20),
      URLSamples = make_set(RequestURL, 10),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
      by UserName = tolower(SourceUserName)
  | where RequestCount > 100 or UniqueDestinations > 20
  | order by UniqueDestinations desc, RequestCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserName
customDetails:
  RequestCount: RequestCount
  UniqueDestinations: UniqueDestinations
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler Uncategorized Domain Spike - {{UserName}} ({{UniqueDestinations}} new destinations)"
  alertDescriptionFormat: "User {{UserName}} contacted {{UniqueDestinations}} uncategorized or newly-registered domains via {{RequestCount}} requests — possible covert C2 or DGA activity."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
This query is designed to detect unusual activity by users or hosts that are making a large number of requests to uncategorized, newly registered, or dynamically-resolved domains through Zscaler ZIA. Such behavior is uncommon for legitimate users and can indicate potential malicious activities like command-and-control (C2) traffic, which might use domain generation algorithms (DGA) or DNS-over-HTTPS tunneling.
Here's a breakdown of how the query works:
Data Source: It reads CommonSecurityLog records whose DeviceVendor is "Zscaler", limited to events from the past day.
Filtering Criteria: The query looks for requests to domains that are uncategorized, newly registered, or dynamically resolved. It also ensures that the source username is not empty.
Data Aggregation: For each user, it counts the total number of requests and the number of unique destination domains. It also collects up to 20 destination hostnames and 10 sample URLs.
Alert Conditions: An alert is triggered if a user makes more than 100 requests or contacts more than 20 unique destinations.
Alert Details: The alert includes the username, the number of unique destinations contacted, and the total number of requests. It suggests possible covert C2 or DGA activity.
Incident Management: When the rule fires, an incident is created. Alerts are grouped by user account, so further alerts for the same account within the 6-hour lookback window are added to the existing incident rather than opening a new one; closed incidents are not reopened.
Overall, this query helps identify potential security threats by flagging unusual domain request patterns that could indicate malicious activities.
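To check how the thresholds behave before deploying the rule, the filter, summarize and threshold steps of the KQL above can be replayed offline over sample events. The following is an added Python example, not part of the rule or of any Zscaler or Sentinel code; the event dicts mimic CommonSecurityLog column names and all sample data is constructed.

```python
from collections import defaultdict

# Category values the rule treats as unknown (copied from the query's in() list).
SUSPECT_CATEGORIES = {"NONE", "UNCATEGORIZED", "OTHER_MISCELLANEOUS",
                      "NEWLY_REGISTERED_DOMAINS", "DYNAMIC_DNS"}
REQUEST_THRESHOLD, DESTINATION_THRESHOLD = 100, 20   # RequestCount > 100 or UniqueDestinations > 20

def evaluate(events):
    """Replay the rule's filter, summarize and threshold steps over CommonSecurityLog-shaped dicts.
    Returns (user, request_count, unique_destinations) tuples in the query's order."""
    per_user = defaultdict(lambda: {"requests": 0, "destinations": set()})
    for ev in events:
        if ev.get("DeviceVendor") != "Zscaler":
            continue
        category = ev.get("DeviceCustomString2", "")
        # The query matches the listed categories OR an empty category field.
        if category != "" and category not in SUSPECT_CATEGORIES:
            continue
        user = ev.get("SourceUserName", "")
        if user == "":                       # isnotempty(SourceUserName)
            continue
        bucket = per_user[user.lower()]      # by UserName = tolower(SourceUserName)
        bucket["requests"] += 1
        bucket["destinations"].add(ev.get("DestinationHostName", ""))
    hits = [(user, b["requests"], len(b["destinations"])) for user, b in per_user.items()
            if b["requests"] > REQUEST_THRESHOLD or len(b["destinations"]) > DESTINATION_THRESHOLD]
    hits.sort(key=lambda h: (-h[2], -h[1]))  # UniqueDestinations desc, RequestCount desc
    return hits

def build_sample_events():
    """Constructed sample data (not real telemetry) covering each branch of the rule."""
    events = []
    # alice: 25 requests to 25 distinct uncategorized hosts, mixed-case user name -> only the destination threshold trips.
    for i in range(25):
        events.append({"DeviceVendor": "Zscaler", "DeviceCustomString2": "UNCATEGORIZED",
                       "SourceUserName": "Alice@CORP.example" if i % 2 else "alice@corp.example",
                       "DestinationHostName": f"h{i}.example"})
    # bob: 150 requests to a single dynamic-DNS host -> only the request threshold trips.
    for _ in range(150):
        events.append({"DeviceVendor": "Zscaler", "DeviceCustomString2": "DYNAMIC_DNS",
                       "SourceUserName": "bob@corp.example", "DestinationHostName": "c2.dyn.example"})
    # carol: 500 requests to categorized business sites -> dropped by the category filter.
    for i in range(500):
        events.append({"DeviceVendor": "Zscaler", "DeviceCustomString2": "BUSINESS",
                       "SourceUserName": "carol@corp.example", "DestinationHostName": f"b{i % 30}.example"})
    # An uncategorized request with no user name is dropped by the isnotempty() filter.
    events.append({"DeviceVendor": "Zscaler", "DeviceCustomString2": "",
                   "SourceUserName": "", "DestinationHostName": "x.example"})
    return events
```

Running `evaluate(build_sample_events())` returns alice first (25 requests, 25 destinations) and bob second (150 requests, 1 destination), showing that the two thresholds fire independently and that case-folding merges one user's differently-cased names into a single bucket.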

David Alonso
Released: March 2, 2026