Query Details

26 CSL Zscaler Off Hours High Volume Activity

Query

id: aa26c9d0-e1f2-4a3b-4c5d-6e7f8a9b0c1d
name: "Zscaler ZIA - Off-Hours High-Volume Proxy Activity (Behavioral Anomaly)"
version: 1.0.0
kind: Scheduled
description: |
  Detects Zscaler ZIA users generating more than 500 allowed proxy requests or downloading more than 100 MB between 10PM and 6AM local time. Most business users are inactive during these hours, so high-volume activity in this window is a strong behavioural anomaly — it may indicate a compromised account being remote-controlled, an insider threat staging data for exfiltration, or automated malware activity. MITRE ATT&CK: T1078 (Valid Accounts), T1048, T1029.
severity: Medium
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1048
query: |
    CommonSecurityLog
    | where TimeGenerated > ago(1d)
    | where DeviceVendor == "Zscaler"
    // keep allowed transactions only; blocked requests carry no volume signal
    | where DeviceAction !in ("block", "BLOCK", "Blocked", "deny", "DROP")
    | where isnotempty(SourceUserName)
    // TimeGenerated is UTC; hours 22-23 and 0-5 cover 10PM-5:59AM
    // (between is inclusive, so 0 .. 6 would also include the 6AM hour)
    | extend HourOfDay = hourofday(TimeGenerated)
    | where HourOfDay between (0 .. 5) or HourOfDay >= 22
    | summarize
        OffHoursRequests   = count(),
        MBDownloaded       = round(sum(todouble(ReceivedBytes)) / 1048576, 2),
        MBUploaded         = round(sum(todouble(SentBytes)) / 1048576, 2),
        UniqueDestinations = dcount(DestinationHostName),
        Categories         = make_set(DeviceCustomString2, 5),
        EarliestEvent      = min(TimeGenerated),
        LatestEvent        = max(TimeGenerated)
      by UserName = tolower(SourceUserName)
    | where OffHoursRequests > 500 or MBDownloaded > 100
    | order by MBDownloaded desc, OffHoursRequests desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserName
customDetails:
  OffHoursRequests: OffHoursRequests
  MBDownloaded: MBDownloaded
  MBUploaded: MBUploaded
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler Off-Hours Activity - {{UserName}} ({{OffHoursRequests}} reqs, {{MBDownloaded}} MB)"
  alertDescriptionFormat: "User {{UserName}} made {{OffHoursRequests}} proxy requests and downloaded {{MBDownloaded}} MB outside business hours (10PM-6AM)."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT8H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect unusual activity by users of Zscaler ZIA, a cloud security service, during off-hours (10 PM to 6 AM). It looks for users who make more than 500 allowed proxy requests or download more than 100 MB of data during these hours. Such activity is considered abnormal because most business users are typically inactive during this time. The query aims to identify potential security threats, such as compromised accounts, insider threats, or malware activity.

Here's a simplified breakdown of what the query does:

  1. Data Source: It reads Zscaler events (DeviceVendor == "Zscaler") from the CommonSecurityLog table for the last day.
  2. Filter Criteria: It drops blocked or denied actions and events without a source user name, and keeps only events that occurred between 10 PM and 6 AM.
  3. Data Aggregation: For each user (lower-cased user name) it computes the request count, the megabytes downloaded and uploaded, the number of unique destination hosts, a sample of up to five categories, and the earliest and latest event times.
  4. Anomaly Detection: It flags users with more than 500 requests or more than 100 MB downloaded during off-hours, ordered by megabytes downloaded and then by request count.
  5. Alert Generation: For each flagged user it raises an alert whose title and description carry the user name, the request count and the megabytes downloaded.
  6. Incident Management: It creates an incident and groups alerts for the same account that arrive within an eight-hour window.

The rule is scheduled to run every hour over a one-day lookback and is mapped to the MITRE ATT&CK techniques T1078 (Valid Accounts) and T1048 (Exfiltration Over Alternative Protocol), covering account misuse and data exfiltration.
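As an added illustration, not part of the original rule or the author's code, the following Python reimplements the rule's filter, aggregation and thresholds over constructed sample rows, and makes explicit a caveat the description glosses over: Sentinel's TimeGenerated column is UTC, so the "10PM-6AM local" window only holds if the hour is evaluated after converting to the tenant's time zone. The user names, hostnames, byte counts and the fixed UTC-5 offset are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone, tzinfo

# Rule parameters: 22:00-05:59 local, more than 500 allowed requests or more than 100 MB downloaded.
OFF_HOURS = set(range(0, 6)) | {22, 23}
BLOCKED = {"block", "blocked", "deny", "drop"}
REQ_THRESHOLD, MB_THRESHOLD = 500, 100
# Constructed fixed UTC-5 offset for the demo; real deployments should use zoneinfo.ZoneInfo(...) for DST.
NEW_YORK = timezone(timedelta(hours=-5))

def make_events(user, start_utc, count, rx_bytes, action="Allowed", dest="cdn.example.net"):
    """Constructed CommonSecurityLog-like rows, one per second: (TimeGenerated, DeviceVendor,
    DeviceAction, SourceUserName, ReceivedBytes, DestinationHostName)."""
    return [(start_utc + timedelta(seconds=i), "Zscaler", action, user, rx_bytes, dest)
            for i in range(count)]

def flag_off_hours_users(events, tz: tzinfo = timezone.utc):
    """Mirror the rule's where/summarize/where chain. TimeGenerated is UTC in Sentinel, so the
    hour test is applied after converting to the tenant's time zone, not to the raw value."""
    stats = defaultdict(lambda: {"reqs": 0, "rx": 0, "dests": set()})
    for ts, vendor, action, user, rx, dest in events:
        if vendor != "Zscaler" or not user or action.lower() in BLOCKED:
            continue
        if ts.astimezone(tz).hour not in OFF_HOURS:
            continue
        s = stats[user.lower()]  # by UserName = tolower(SourceUserName)
        s["reqs"] += 1
        s["rx"] += rx
        s["dests"].add(dest)
    flagged = {}
    for user, s in stats.items():
        mb = round(s["rx"] / 1048576, 2)
        if s["reqs"] > REQ_THRESHOLD or mb > MB_THRESHOLD:
            flagged[user] = {"OffHoursRequests": s["reqs"], "MBDownloaded": mb,
                             "UniqueDestinations": len(s["dests"])}
    # order by MBDownloaded desc, OffHoursRequests desc
    return dict(sorted(flagged.items(),
                       key=lambda kv: (-kv[1]["MBDownloaded"], -kv[1]["OffHoursRequests"])))

DAY = datetime(2026, 2, 10, tzinfo=timezone.utc)  # constructed date; local hours below assume UTC-5
SAMPLE = (
    make_events("Alice@corp.example", DAY + timedelta(hours=4, minutes=30), 600, 4_096)  # 23:30 local
    + make_events("bob@corp.example", DAY + timedelta(hours=23, minutes=30), 10, 15 * 1048576)  # 18:30 local
    + make_events("carol@corp.example", DAY + timedelta(hours=8, minutes=30), 520, 2_048)  # 03:30 local
    + make_events("dave@corp.example", DAY + timedelta(hours=2), 700, 65_536, action="Blocked")  # excluded
)

if __name__ == "__main__":
    print("hour window on raw UTC:", flag_off_hours_users(SAMPLE))
    print("hour window on UTC-5 local:", flag_off_hours_users(SAMPLE, NEW_YORK))
```

Run as-is, bob is flagged and carol is not; with the UTC-5 conversion the result flips, which is exactly the false positive and the miss a tenant outside UTC would see from the rule as written.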

Details


David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

Zscaler, ZIA, Users, Proxy, Activity, Behavioral, Anomaly, Accounts, Exfiltration, DefenseEvasion, CommonSecurityEvents, CommonSecurityLog, DeviceVendor, DeviceAction, SourceUserName, TimeGenerated, ReceivedBytes, SentBytes, DestinationHostName, UserName

Operators

ago, ==, !in, isnotempty, extend, hourofday, between, summarize, count, round, sum, todouble, /, dcount, make_set, min, max, by, tolower, >, or, order by, desc
