Query Details

28 CSL Zscaler High Threat Risk Level Allowed

Query

id: b228c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
name: "Zscaler ZIA - High ThreatRiskLevel Browsing in Allowed Traffic"
version: 1.0.0
kind: Scheduled
description: |
  Detects Zscaler ZIA allowed web requests where ThreatLabz has assigned a ThreatRiskLevel of 50 or higher to the destination. ThreatRiskLevel (DeviceCustomNumber1 in the NSS CEF web feed) is a 0-100 score assigned by Zscaler's cloud intelligence; scores of 50 and above indicate suspicious or potentially malicious destinations. Allowed traffic with elevated risk scores may indicate policy gaps, miscategorized sites, or newly stood-up attacker infrastructure that is not yet blocked. MITRE ATT&CK: T1071 (Application Layer Protocol), T1566 (Phishing).
severity: High
requiredDataConnectors:
  - connectorId: CEF
    dataTypes:
      - CommonSecurityLog
  - connectorId: CefAma
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - InitialAccess
relevantTechniques:
  - T1071
  - T1566
query: |
    CommonSecurityLog
    | where TimeGenerated > ago(1d)
    | where DeviceVendor == "Zscaler"
    | where DeviceAction !in~ ("block", "blocked", "deny", "denied", "drop")
    | where isnotempty(DeviceCustomNumber1)
    | where toint(DeviceCustomNumber1) >= 50
    | where isnotempty(SourceUserName)
    | summarize
        EventCount        = count(),
        MaxRiskScore      = max(toint(DeviceCustomNumber1)),
        UniqueDestinations= dcount(DestinationHostName),
        HighRiskDomains   = make_set(DestinationHostName, 10),
        Categories        = make_set(DeviceCustomString2, 5),
        FirstSeen         = min(TimeGenerated),
        LastSeen          = max(TimeGenerated)
      by SourceUserName
    | order by MaxRiskScore desc, EventCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SourceUserName
customDetails:
  EventCount: EventCount
  MaxRiskScore: MaxRiskScore
  UniqueDestinations: UniqueDestinations
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler High ThreatRisk Allowed - {{SourceUserName}} (score {{MaxRiskScore}})"
  alertDescriptionFormat: "User {{SourceUserName}} browsed {{UniqueDestinations}} high-risk destinations (ThreatRiskLevel up to {{MaxRiskScore}}) without being blocked."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This rule looks for web browsing that Zscaler Internet Access (ZIA) allowed even though Zscaler's own threat intelligence rated the destination as risky. Here is a breakdown of what it does:

  1. Purpose: The query identifies web requests that Zscaler allowed but whose destination carries a ThreatRiskLevel score of 50 or higher from Zscaler's ThreatLabz. The score is Zscaler's reputation verdict on the destination, not evidence of compromise on its own; a high score on allowed traffic points at a policy gap, a miscategorized site, or infrastructure that Zscaler rates as risky but has not yet blocked.

  2. Data Source: It reads the CommonSecurityLog table, which is populated by the Sentinel CEF connector, and keeps only rows whose DeviceVendor is Zscaler. If the same workspace also ingests the Zscaler NSS firewall feed, scope the query further on DeviceProduct (typically NSSWeblog for the web feed) so that DeviceCustomNumber1 is read only where it carries the risk score.

  3. Time Frame: Each run examines the past day (queryPeriod P1D, mirrored by the ago(1d) filter) and the rule runs every hour (queryFrequency PT1H). A single request can therefore match up to 24 consecutive runs; the incident grouping described below is what keeps that from producing 24 separate incidents.

  4. Conditions:

    • It drops any request whose DeviceAction shows Zscaler blocked or denied it. Match the action string case-insensitively (KQL's !in operator is case-sensitive, !in~ is not), because NSS feeds vary in how they capitalise the verdict and any spelling missing from the list would be counted as allowed.
    • It keeps only rows where a ThreatRiskLevel is present (DeviceCustomNumber1) and is 50 or above. Confirm DeviceCustomNumber1Label on a few rows before relying on this mapping, since NSS feed formats are customer-configurable.
    • It requires a non-empty SourceUserName, so unauthenticated or otherwise unattributed traffic is never alerted on by this rule and needs separate coverage if it matters.
  5. Analysis:

    • It counts the number of events per user.
    • It identifies the maximum risk score encountered.
    • It counts the number of unique destinations visited.
    • It lists up to 10 of the high-risk hostnames and up to 5 URL categories (DeviceCustomString2) seen for that user.
    • It records the first and last time such activity was seen for each user.
  6. Output:

    • The results are ordered by the highest risk score and event count.
    • Alerts are generated with details about the user, the number of high-risk destinations visited, and the maximum risk score.
  7. Alerting and Incident Management:

    • One alert per user with high-risk browsing is created on each run in which that user matches.
    • Alerts are grouped into incidents by the Account entity (matchingMethod Selected, groupByEntities Account): alerts for the same account within the 6-hour lookback land in one incident rather than one per hourly run.
    • Incidents are created automatically; once an incident is closed, later alerts for the same account open a new one rather than reopening it (reopenClosedIncident false).

Overall, this rule surfaces users who reach destinations that Zscaler rates as risky but that existing policy does not block, which usually indicates a policy gap or a categorization problem rather than an active intrusion. Treat an incident as a policy review prompt first: check the category and score of the destinations listed, decide whether the site is genuinely misclassified, and decide whether a block rule should cover it. The threshold of 50 is a starting point; lowering it widens coverage at the cost of more reviews.
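To check the rule's filter and summarize steps offline before deploying it, the following is the same logic re-implemented in Python over constructed Zscaler NSS CEF lines. This is an added example, not code from the page or from the rule's author. It assumes the CEF extension keys follow the page's stated mapping (cn1 = ThreatRiskLevel, cs2 = URL category, act = action, suser = user, dhost = destination, rt = epoch milliseconds) and that cn1Label is "riskscore"; both are assumptions to verify against your own CommonSecurityLog rows (DeviceCustomNumber1Label). The sample record with act=Block shows why the action comparison must be case-insensitive: that spelling is absent from a literal list of "block", "BLOCK", "Blocked" and so on, and a case-sensitive !in would count it as allowed.

```python
"""Offline re-implementation of the rule's where/summarize logic (added example).

Assumptions (not from the page): CEF extension keys act, suser, dhost, cn1,
cn1Label, cs2 and rt carry the fields the rule reads, and cn1Label is
"riskscore". Verify against real CommonSecurityLog rows before relying on them.
"""
import re

# Constructed sample records; none of these are real log lines or real hosts.
SAMPLE_CEF = [
    "CEF:0|Zscaler|NSSWeblog|5.7|Allowed|Allowed|3|rt=1700000000000 suser=alice@example.com "
    "dhost=cdn-check.example act=Allowed cn1=85 cn1Label=riskscore cs2=Malicious Sites cs2Label=urlcat",
    "CEF:0|Zscaler|NSSWeblog|5.7|Allowed|Allowed|3|rt=1700000600000 suser=alice@example.com "
    "dhost=files.example.net act=Allowed cn1=62 cn1Label=riskscore cs2=Miscellaneous or Unknown cs2Label=urlcat",
    # Blocked with a capitalisation that a literal, case-sensitive list would miss.
    "CEF:0|Zscaler|NSSWeblog|5.7|Blocked|Blocked|5|rt=1700000700000 suser=bob@example.com "
    "dhost=bad.example act=Block cn1=90 cn1Label=riskscore cs2=Malicious Sites cs2Label=urlcat",
    # Allowed but below the threshold.
    "CEF:0|Zscaler|NSSWeblog|5.7|Allowed|Allowed|3|rt=1700000800000 suser=carol@example.com "
    "dhost=news.example act=Allowed cn1=12 cn1Label=riskscore cs2=News cs2Label=urlcat",
    # Allowed and high risk, but no user attribution (isnotempty(SourceUserName) drops it).
    "CEF:0|Zscaler|NSSWeblog|5.7|Allowed|Allowed|3|rt=1700000900000 suser= "
    "dhost=unattributed.example act=Allowed cn1=77 cn1Label=riskscore cs2=Malicious Sites cs2Label=urlcat",
]

HEADER_KEYS = ("cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")
# Extension values may contain spaces ("Malicious Sites"), so a value runs until
# the next "key=" token or end of line. Values that themselves contain "x=" (URL
# query strings, for example) need CEF escaping handled; not needed for this sample.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

BLOCK_ACTIONS = {"block", "blocked", "deny", "denied", "drop"}
RISK_THRESHOLD = 50


def parse_cef(line):
    """Split a CEF record into its seven header fields plus extension key/values."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    rec = dict(zip(HEADER_KEYS, parts[:7]))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec.update((k, v.strip()) for k, v in EXT_RE.findall(parts[7]))
    return rec


def is_high_risk_allowed(rec, threshold=RISK_THRESHOLD):
    """The rule's where-clauses. The action check is case-insensitive on purpose."""
    if rec.get("device_vendor") != "Zscaler":
        return False
    if rec.get("act", "").lower() in BLOCK_ACTIONS:
        return False
    if rec.get("cn1Label", "").lower() != "riskscore":  # assumption: label names the score
        return False
    try:
        score = int(rec.get("cn1", ""))
    except ValueError:  # empty or non-numeric cn1, same outcome as isnotempty() failing
        return False
    return score >= threshold and bool(rec.get("suser"))


def summarize_by_user(lines, threshold=RISK_THRESHOLD):
    """The rule's summarize step: one row per SourceUserName, ordered like the KQL."""
    rows = {}
    for line in lines:
        rec = parse_cef(line)
        if not is_high_risk_allowed(rec, threshold):
            continue
        row = rows.setdefault(rec["suser"], {
            "EventCount": 0, "MaxRiskScore": 0, "HighRiskDomains": set(),
            "Categories": set(), "FirstSeen": None, "LastSeen": None})
        ts = int(rec.get("rt", "0"))
        row["EventCount"] += 1
        row["MaxRiskScore"] = max(row["MaxRiskScore"], int(rec["cn1"]))
        row["HighRiskDomains"].add(rec.get("dhost", ""))
        row["Categories"].add(rec.get("cs2", ""))
        row["FirstSeen"] = ts if row["FirstSeen"] is None else min(row["FirstSeen"], ts)
        row["LastSeen"] = ts if row["LastSeen"] is None else max(row["LastSeen"], ts)
    for row in rows.values():
        row["UniqueDestinations"] = len(row["HighRiskDomains"])
    # order by MaxRiskScore desc, EventCount desc
    return sorted(rows.items(), key=lambda kv: (-kv[1]["MaxRiskScore"], -kv[1]["EventCount"]))


if __name__ == "__main__":
    for user, row in summarize_by_user(SAMPLE_CEF):
        print(user, row["EventCount"], row["MaxRiskScore"],
              sorted(row["HighRiskDomains"]), sorted(row["Categories"]))
```

Only alice survives the filters: bob's request is blocked, carol's score is below 50, and the unattributed request has no user. Swapping the action comparison back to a case-sensitive membership test against the rule's original literal list would let bob's act=Block record through, which is the gap the case-insensitive match closes.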

Details


David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, DeviceVendor, DeviceAction, DeviceCustomNumber1, SourceUserName, DestinationHostName, DeviceCustomString2, TimeGenerated

Operators

ago(), !in, isnotempty(), toint(), >=, summarize, count(), max(), dcount(), make_set(), min(), order by, desc
