Zscaler ZIA - Sudden Category Shift - User Accessing New High-Risk URL Categories
29 CSL Zscaler Category Shift Anomaly
Query
let HighRiskCategories = dynamic([
"GAMBLING", "ADULT_CONTENT", "NUDITY", "DATING",
"PROXY_AVOIDANCE_ANONYMIZERS", "PERSONAL_VPN", "ANONYMIZING_UTILITIES",
"EXTREMISM_ADVOCACY", "TASTELESS", "ILLEGAL_OR_QUESTIONABLE"]);
let recentWindow = 1h;
let baselineWindow = 7d;
let baseline = CommonSecurityLog
| where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
| where DeviceVendor == "Zscaler" and isnotempty(SourceUserName)
| summarize BaselineCategories = make_set(DeviceCustomString2)
by SourceUserName;
let recent = CommonSecurityLog
| where TimeGenerated > ago(recentWindow)
| where DeviceVendor == "Zscaler" and isnotempty(SourceUserName)
| where DeviceCustomString2 in (HighRiskCategories)
| summarize
RecentCategories = make_set(DeviceCustomString2),
RequestCount = count(),
Domains = make_set(DestinationHostName, 10)
by SourceUserName;
recent
| join kind=leftouter baseline on SourceUserName
| extend BaselineCategories = coalesce(BaselineCategories, dynamic([]))
| extend NewCategories = set_difference(RecentCategories, BaselineCategories)
| where array_length(NewCategories) > 0
| project SourceUserName, NewCategories, RequestCount, Domains, RecentCategories
| order by RequestCount descExplanation
This query is designed to detect unusual behavior by monitoring users who suddenly start accessing high-risk URL categories that they haven't accessed in the past week. The high-risk categories include gambling, adult content, proxy avoidance, personal VPNs, dating, extremism, tasteless, or illegal content. Such behavior could indicate compromised credentials, policy bypass attempts, or insider threats.
Here's a simplified breakdown of the query:
-
High-Risk Categories: A list of URL categories considered high-risk is defined.
-
Time Windows:
- Recent Window: The last hour.
- Baseline Window: The past seven days, excluding the last hour.
-
Baseline Data: Collects data on which URL categories each user accessed during the baseline window.
-
Recent Data: Collects data on which high-risk URL categories each user accessed during the recent window.
-
Comparison:
- The query compares the recent data against the baseline data for each user.
- It identifies new high-risk categories accessed by users that were not accessed in the baseline period.
-
Output:
- Lists users who accessed new high-risk categories, the number of requests made, and the domains visited.
- Results are ordered by the number of requests.
-
Alerting:
- If any new high-risk categories are detected, an alert is generated.
- The alert includes details such as the username, the number of requests, and the new categories accessed.
-
Incident Management:
- Incidents are created for detected alerts, with options for grouping by user account.
This query helps in identifying potential security threats by flagging unusual access patterns to high-risk content.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P7D