Zscaler ZIA - Uncategorized or Newly Registered Domain Request Spike
24 CSL Zscaler Uncategorized Domain Spike
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceCustomString2 in (
"NONE", "UNCATEGORIZED", "OTHER_MISCELLANEOUS",
"NEWLY_REGISTERED_DOMAINS", "DYNAMIC_DNS")
or isempty(DeviceCustomString2)
| where isnotempty(SourceUserName)
| summarize
RequestCount = count(),
UniqueDestinations = dcount(DestinationHostName),
Destinations = make_set(DestinationHostName, 20),
URLSamples = make_set(RequestURL, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserName = tolower(SourceUserName)
| where RequestCount > 100 or UniqueDestinations > 20
| order by UniqueDestinations desc, RequestCount descExplanation
This query is designed to detect unusual activity by users or hosts that are making a large number of requests to uncategorized, newly registered, or dynamically-resolved domains through Zscaler ZIA. Such behavior is uncommon for legitimate users and can indicate potential malicious activities like command-and-control (C2) traffic, which might use domain generation algorithms (DGA) or DNS-over-HTTPS tunneling.
Here's a breakdown of how the query works:
-
Data Source: It uses security logs from Zscaler, focusing on events from the past day.
-
Filtering Criteria: The query looks for requests to domains that are uncategorized, newly registered, or dynamically resolved. It also ensures that the source username is not empty.
-
Data Aggregation: For each user, it counts the total number of requests and the number of unique destination domains. It also collects up to 20 destination hostnames and 10 sample URLs.
-
Alert Conditions: An alert is triggered if a user makes more than 100 requests or contacts more than 20 unique destinations.
-
Alert Details: The alert includes the username, the number of unique destinations contacted, and the total number of requests. It suggests possible covert C2 or DGA activity.
-
Incident Management: If an alert is generated, an incident is created. Incidents are grouped by user account, and the system checks for similar activities within a 6-hour window to avoid reopening closed incidents.
Overall, this query helps identify potential security threats by flagging unusual domain request patterns that could indicate malicious activities.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P1D