Zscaler ZIA - High ThreatRiskLevel Browsing in Allowed Traffic
28 CSL Zscaler High Threat Risk Level Allowed
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction !in ("block", "BLOCK", "Blocked", "blocked", "deny", "DROP")
| where isnotempty(DeviceCustomNumber1)
| where toint(DeviceCustomNumber1) >= 50
| where isnotempty(SourceUserName)
| summarize
EventCount = count(),
MaxRiskScore = max(toint(DeviceCustomNumber1)),
UniqueDestinations= dcount(DestinationHostName),
HighRiskDomains = make_set(DestinationHostName, 10),
Categories = make_set(DeviceCustomString2, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceUserName
| order by MaxRiskScore desc, EventCount descExplanation
This query is designed to detect potentially risky web browsing activities that are allowed through Zscaler's ZIA (Zscaler Internet Access) service. Here's a simple breakdown of what it does:
-
Purpose: It identifies web requests that were allowed by Zscaler but have been assigned a high threat risk level (50 or above) by Zscaler's ThreatLabz. This indicates that the destination might be suspicious or potentially malicious.
-
Data Source: It uses data from the "CommonSecurityEvents" connector, specifically looking at "CommonSecurityLog" data.
-
Time Frame: The query looks at data from the past day (24 hours).
-
Conditions:
- The vendor must be "Zscaler".
- The action taken should not be a block or deny (i.e., the traffic was allowed).
- The threat risk score (DeviceCustomNumber1) must be 50 or higher.
- The source username must be present.
-
Output: For each user, it summarizes:
- The number of events (EventCount).
- The highest risk score encountered (MaxRiskScore).
- The number of unique destinations accessed (UniqueDestinations).
- A list of up to 10 high-risk domains accessed (HighRiskDomains).
- A list of up to 5 categories of these domains (Categories).
- The first and last time such activity was seen (FirstSeen, LastSeen).
-
Sorting: The results are sorted by the highest risk score and then by the number of events.
-
Alerting: If any such activity is detected, an alert is created with details about the user and the risk score. The alert is configured to create an incident if triggered, grouping incidents by user account.
-
Relevance: This query is associated with tactics like Command and Control and Initial Access, and techniques such as using application layer protocols and phishing.
In summary, this query helps identify users who are accessing potentially dangerous websites that are not being blocked by Zscaler, highlighting possible security policy gaps or emerging threats.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D