Query Details

27 CSL Zscaler Multi User Phishing Campaign

Query

id: a127b2c3-d4e5-4f6a-7b8c-9d0e1f2a3b4c
name: "Zscaler ZIA - Multi-User Phishing Campaign - Same Domain Hit by 3+ Users in 1 Hour"
version: 1.0.0
kind: Scheduled
description: |
  Detects when 3 or more distinct users access the same destination domain within a 1-hour window and that domain is classified as a phishing, advanced security risk, botnet, or malware category by Zscaler ZIA. A single user clicking a phishing link is a user error; multiple users targeting the same domain in the same hour is a strong indicator of an active phishing campaign delivered via email or collaboration tools. MITRE ATT&CK: T1566 (Phishing), T1192 (Spearphishing Link).
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    | where DeviceVendor == "Zscaler"
    | where isnotempty(DestinationHostName) and isnotempty(SourceUserName)
    | where DeviceCustomString2 has_any (
        "PHISHING", "ADVANCED_SECURITY_RISK", "BOTNET_SITES",
        "MALWARE_SITES", "SUSPICIOUS_DESTINATIONS", "MALICIOUS_LINKS")
    | summarize
        UserCount    = dcount(SourceUserName),
        Users        = make_set(SourceUserName, 20),
        Actions      = make_set(DeviceAction, 5),
        URLSamples   = make_set(RequestURL, 5),
        Category     = any(DeviceCustomString2),
        FirstHit     = min(TimeGenerated),
        LastHit      = max(TimeGenerated),
        RepURL       = any(DestinationHostName)
      by DestinationHostName
    | where UserCount >= 3
    | order by UserCount desc
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: RepURL
customDetails:
  UserCount: UserCount
  DestinationHostName: DestinationHostName
  Category: Category
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler Phishing Campaign - {{DestinationHostName}} ({{UserCount}} users in 1h)"
  alertDescriptionFormat: "{{UserCount}} users accessed phishing/malicious domain {{DestinationHostName}} within 1 hour. Category: {{Category}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT2H
    matchingMethod: Selected
    groupByEntities:
      - URL
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential phishing campaigns by identifying when three or more distinct users access the same domain within a one-hour period. The domain must be classified by Zscaler ZIA as a phishing, advanced security risk, botnet, or malware site. The query runs every hour and checks logs from the past hour to find such occurrences.

Here's a breakdown of what the query does:

  1. Data Source: It uses CommonSecurityLog records whose DeviceVendor is Zscaler, i.e. the ZIA web proxy events forwarded over CEF.
  2. Time Frame: It examines events from the last hour.
  3. Conditions: It filters for events where:
    • The domain accessed is classified as a security risk (e.g., phishing, malware).
    • At least three different users have accessed the same domain.
  4. Output: It summarizes the data to show:
    • The number of users who accessed the domain.
    • A list of these users.
    • Actions taken.
    • Sample URLs accessed.
    • The category of the threat.
    • The first and last time the domain was accessed within the hour.
  5. Alerting: If the conditions are met, an alert is generated with details about the domain and the number of users involved.
  6. Incident Management: It creates an incident if such an event is detected, grouping related alerts to avoid duplicates.

This query helps security teams quickly identify and respond to potential phishing campaigns targeting multiple users in a short time frame.

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, TimeGenerated, DeviceVendor, DestinationHostName, SourceUserName, DeviceCustomString2, DeviceAction, RequestURL, UserCount, Users, Actions, URLSamples, Category, FirstHit, LastHit, RepURL, Url

Operators

ago, has_any, isnotempty, summarize, dcount, make_set, any, min, max, order by
