Query Details

Zscaler ZIA - High ThreatRiskLevel Browsing in Allowed Traffic

28 CSL Zscaler High Threat Risk Level Allowed

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction !in ("block", "BLOCK", "Blocked", "blocked", "deny", "DROP")
| where isnotempty(DeviceCustomNumber1)
| where toint(DeviceCustomNumber1) >= 50
| where isnotempty(SourceUserName)
| summarize
    EventCount        = count(),
    MaxRiskScore      = max(toint(DeviceCustomNumber1)),
    UniqueDestinations= dcount(DestinationHostName),
    HighRiskDomains   = make_set(DestinationHostName, 10),
    Categories        = make_set(DeviceCustomString2, 5),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by SourceUserName
| order by MaxRiskScore desc, EventCount desc

Explanation

This query is designed to detect potentially risky web browsing activities that are allowed through Zscaler's ZIA (Zscaler Internet Access) service. Here's a simple breakdown of what it does:

  1. Purpose: It identifies web requests that were allowed by Zscaler but have been assigned a high threat risk level (50 or above) by Zscaler's ThreatLabz. This indicates that the destination might be suspicious or potentially malicious.

  2. Data Source: It uses data from the "CommonSecurityEvents" connector, specifically looking at "CommonSecurityLog" data.

  3. Time Frame: The query looks at data from the past day (24 hours).

  4. Conditions:

    • The vendor must be "Zscaler".
    • The action taken should not be a block or deny (i.e., the traffic was allowed).
    • The threat risk score (DeviceCustomNumber1) must be 50 or higher.
    • The source username must be present.
  5. Output: For each user, it summarizes:

    • The number of events (EventCount).
    • The highest risk score encountered (MaxRiskScore).
    • The number of unique destinations accessed (UniqueDestinations).
    • A list of up to 10 high-risk domains accessed (HighRiskDomains).
    • A list of up to 5 categories of these domains (Categories).
    • The first and last time such activity was seen (FirstSeen, LastSeen).
  6. Sorting: The results are sorted by the highest risk score and then by the number of events.

  7. Alerting: If any such activity is detected, an alert is created with details about the user and the risk score. The alert is configured to create an incident if triggered, grouping incidents by user account.

  8. Relevance: This query is associated with tactics like Command and Control and Initial Access, and techniques such as using application layer protocols and phishing.

In summary, this query helps identify users who are accessing potentially dangerous websites that are not being blocked by Zscaler, highlighting possible security policy gaps or emerging threats.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

ZscalerThreatRiskLevelThreatLabzDeviceVendorDeviceActionDeviceCustomNumber1SourceUserNameEventCountMaxRiskScoreUniqueDestinationsHighRiskDomainsCategoriesTimeGeneratedDestinationHostNameDeviceCustomString2AccountFullName

Operators

ago!inisnotemptytointsummarizecountmaxdcountmake_setminorder by

Severity

High

Tactics

CommandAndControlInitialAccess

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub