Query Details

30 CSL Zscaler Visibility Loss No Traffic

Query

id: d430e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
name: "Zscaler ZIA / ZPA - Visibility Loss - No Events Received in 2 Hours"
version: 1.0.0
kind: Scheduled
description: |
  Detects when no Zscaler ZIA or ZPA events are received in the CommonSecurityLog table for 2 or more consecutive hours. Zscaler NSS feeds should produce a continuous stream of events during business hours. A complete gap in events indicates NSS Cloud Connector failure, CEF/Syslog forwarding disruption, Azure Monitor Agent issues, or — in a threat scenario — deliberate interference with the Zscaler integration to blind the SOC. This rule fires when the event count is 0 during the query window. MITRE ATT&CK: T1562 (Impair Defenses), T1562.001.
severity: Medium
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT30M
queryPeriod: PT2H
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
    CommonSecurityLog
    | where TimeGenerated > ago(2h)
    | where DeviceVendor == "Zscaler"
    | summarize EventCount = count()
    | where EventCount == 0
    | extend AppName = "Zscaler NSS"
    | extend AlertReason = "No Zscaler ZIA/ZPA events received in the last 2 hours"
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: AppName
customDetails:
  EventCount: EventCount
  AlertReason: AlertReason
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler Visibility Loss - No NSS Events for 2 Hours"
  alertDescriptionFormat: "No Zscaler ZIA/ZPA events received in CommonSecurityLog for 2 hours. NSS Cloud Connector or CEF forwarding may be broken."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT4H
    matchingMethod: Selected
    groupByEntities:
      - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to monitor the flow of security events from Zscaler's ZIA (Zscaler Internet Access) or ZPA (Zscaler Private Access) services. It checks for any gaps in event data over a two-hour period, which could indicate a problem with the data feed. Here's a simple breakdown:

  • Purpose: To detect when no events from Zscaler ZIA or ZPA are received in the CommonSecurityLog table for two consecutive hours.
  • Why It Matters: Zscaler's NSS (Nanolog Streaming Service) should continuously send event data during business hours. A complete lack of events could mean:
    • A failure in the NSS Cloud Connector.
    • Issues with CEF/Syslog forwarding.
    • Problems with the Azure Monitor Agent.
    • Potential deliberate interference to disrupt security monitoring.
  • Severity: Medium, as it could indicate significant issues or threats.
  • Frequency: The query runs every 30 minutes, checking the last two hours of data.
  • Trigger: An alert is triggered if no events are detected in the two-hour window.
  • Response: If triggered, an alert is generated with details about the lack of events, and an incident is created for further investigation.
  • MITRE ATT&CK Techniques: It relates to "Impair Defenses" (T1562), specifically "Disable or Modify Tools" (T1562.001), as it could indicate an attempt to blind the Security Operations Center (SOC).

The query also includes configurations for alert display names, descriptions, and incident grouping to manage and track these alerts effectively.

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, Zscaler, CloudApplication

Operators

ago(), count(), extend, summarize, where