Query Details

Zscaler ZIA - Sudden Category Shift - User Accessing New High-Risk URL Categories

29 CSL Zscaler Category Shift Anomaly

Query

let HighRiskCategories = dynamic([
    "GAMBLING", "ADULT_CONTENT", "NUDITY", "DATING",
    "PROXY_AVOIDANCE_ANONYMIZERS", "PERSONAL_VPN", "ANONYMIZING_UTILITIES",
    "EXTREMISM_ADVOCACY", "TASTELESS", "ILLEGAL_OR_QUESTIONABLE"]);
let recentWindow    = 1h;
let baselineWindow  = 7d;
let baseline = CommonSecurityLog
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | where DeviceVendor == "Zscaler" and isnotempty(SourceUserName)
    | summarize BaselineCategories = make_set(DeviceCustomString2)
        by SourceUserName;
let recent = CommonSecurityLog
    | where TimeGenerated > ago(recentWindow)
    | where DeviceVendor == "Zscaler" and isnotempty(SourceUserName)
    | where DeviceCustomString2 in (HighRiskCategories)
    | summarize
        RecentCategories = make_set(DeviceCustomString2),
        RequestCount     = count(),
        Domains          = make_set(DestinationHostName, 10)
        by SourceUserName;
recent
| join kind=leftouter baseline on SourceUserName
| extend BaselineCategories = coalesce(BaselineCategories, dynamic([]))
| extend NewCategories = set_difference(RecentCategories, BaselineCategories)
| where array_length(NewCategories) > 0
| project SourceUserName, NewCategories, RequestCount, Domains, RecentCategories
| order by RequestCount desc

Explanation

This query is designed to detect unusual behavior by monitoring users who suddenly start accessing high-risk URL categories that they haven't accessed in the past week. The high-risk categories include gambling, adult content, proxy avoidance, personal VPNs, dating, extremism, tasteless, or illegal content. Such behavior could indicate compromised credentials, policy bypass attempts, or insider threats.

Here's a simplified breakdown of the query:

  1. High-Risk Categories: A list of URL categories considered high-risk is defined.

  2. Time Windows:

    • Recent Window: The last hour.
    • Baseline Window: The past seven days, excluding the last hour.
  3. Baseline Data: Collects data on which URL categories each user accessed during the baseline window.

  4. Recent Data: Collects data on which high-risk URL categories each user accessed during the recent window.

  5. Comparison:

    • The query compares the recent data against the baseline data for each user.
    • It identifies new high-risk categories accessed by users that were not accessed in the baseline period.
  6. Output:

    • Lists users who accessed new high-risk categories, the number of requests made, and the domains visited.
    • Results are ordered by the number of requests.
  7. Alerting:

    • If any new high-risk categories are detected, an alert is generated.
    • The alert includes details such as the username, the number of requests, and the new categories accessed.
  8. Incident Management:

    • Incidents are created for detected alerts, with options for grouping by user account.

This query helps in identifying potential security threats by flagging unusual access patterns to high-risk content.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

ZscalerUserURLCategoriesGamblingAdultContentNudityDatingProxyAvoidanceAnonymizersPersonalVPNAnonymizingUtilitiesExtremismAdvocacyTastelessIllegalOrQuestionableCommonSecurityLogSourceNameDeviceVendorCustomStringDestinationHostAccountFull

Operators

letdynamicbetweenagoisnotemptysummarizemake_setincountjoinkindextendcoalesceset_differencearray_lengthwhereprojectorder by

Severity

Medium

Tactics

InitialAccessCommandAndControl

MITRE Techniques

Frequency: PT1H

Period: P7D

Actions

GitHub