Query Details

Zscaler ZIA - Uncategorized or Newly Registered Domain Request Spike

24 CSL Zscaler Uncategorized Domain Spike

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceCustomString2 in (
    "NONE", "UNCATEGORIZED", "OTHER_MISCELLANEOUS",
    "NEWLY_REGISTERED_DOMAINS", "DYNAMIC_DNS")
    or isempty(DeviceCustomString2)
| where isnotempty(SourceUserName)
| summarize
    RequestCount       = count(),
    UniqueDestinations = dcount(DestinationHostName),
    Destinations       = make_set(DestinationHostName, 20),
    URLSamples         = make_set(RequestURL, 10),
    FirstSeen          = min(TimeGenerated),
    LastSeen           = max(TimeGenerated)
  by UserName = tolower(SourceUserName)
| where RequestCount > 100 or UniqueDestinations > 20
| order by UniqueDestinations desc, RequestCount desc

Explanation

This query is designed to detect unusual activity by users or hosts that are making a large number of requests to uncategorized, newly registered, or dynamically-resolved domains through Zscaler ZIA. Such behavior is uncommon for legitimate users and can indicate potential malicious activities like command-and-control (C2) traffic, which might use domain generation algorithms (DGA) or DNS-over-HTTPS tunneling.

Here's a breakdown of how the query works:

  1. Data Source: It uses security logs from Zscaler, focusing on events from the past day.

  2. Filtering Criteria: The query looks for requests to domains that are uncategorized, newly registered, or dynamically resolved. It also ensures that the source username is not empty.

  3. Data Aggregation: For each user, it counts the total number of requests and the number of unique destination domains. It also collects up to 20 destination hostnames and 10 sample URLs.

  4. Alert Conditions: An alert is triggered if a user makes more than 100 requests or contacts more than 20 unique destinations.

  5. Alert Details: The alert includes the username, the number of unique destinations contacted, and the total number of requests. It suggests possible covert C2 or DGA activity.

  6. Incident Management: If an alert is generated, an incident is created. Incidents are grouped by user account, and the system checks for similar activities within a 6-hour window to avoid reopening closed incidents.

Overall, this query helps identify potential security threats by flagging unusual domain request patterns that could indicate malicious activities.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogDevicesUserZscalerDomainsCommandAndControl

Operators

agoinisemptyisnotemptysummarizecountdcountmake_setminmaxtolowerorder by

Severity

Medium

Tactics

CommandAndControl

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub