Zscaler ZIA - Off-Hours High-Volume Proxy Activity (Behavioral Anomaly)
26 CSL Zscaler Off Hours High Volume Activity
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction !in ("block", "BLOCK", "Blocked", "deny", "DROP")
| where isnotempty(SourceUserName)
| extend HourOfDay = hourofday(TimeGenerated)
| where HourOfDay between (0 .. 6) or HourOfDay >= 22
| summarize
OffHoursRequests = count(),
MBDownloaded = round(sum(todouble(ReceivedBytes)) / 1048576, 2),
MBUploaded = round(sum(todouble(SentBytes)) / 1048576, 2),
UniqueDestinations = dcount(DestinationHostName),
Categories = make_set(DeviceCustomString2, 5),
EarliestEvent = min(TimeGenerated),
LatestEvent = max(TimeGenerated)
by UserName = tolower(SourceUserName)
| where OffHoursRequests > 500 or MBDownloaded > 100
| order by MBDownloaded desc, OffHoursRequests descExplanation
This query is designed to detect unusual activity by users of Zscaler ZIA, a cloud security service, during off-hours (10 PM to 6 AM). It looks for users who make more than 500 allowed proxy requests or download more than 100 MB of data during these hours. Such activity is considered abnormal because most business users are typically inactive during this time. The query aims to identify potential security threats, such as compromised accounts, insider threats, or malware activity.
Here's a simplified breakdown of what the query does:
- Data Source: It uses logs from Zscaler, specifically looking at events from the last day.
- Filter Criteria: It filters out blocked or denied actions and focuses on actions that occurred between 10 PM and 6 AM.
- Data Aggregation: It calculates the number of requests, the amount of data downloaded and uploaded, the number of unique destinations accessed, and the time range of the events for each user.
- Anomaly Detection: It flags users who exceed 500 requests or download more than 100 MB during off-hours.
- Alert Generation: If such activity is detected, it generates an alert with details about the user and their activity.
- Incident Management: It creates an incident for further investigation and groups related alerts by user account.
The query is part of a scheduled task that runs every hour and is associated with specific MITRE ATT&CK techniques related to account misuse and data exfiltration.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P1D