Query Details

Zscaler ZIA / ZPA - Visibility Loss - No Events Received in 2 Hours

30 CSL Zscaler Visibility Loss No Traffic

Query

CommonSecurityLog
| where TimeGenerated > ago(2h)
| where DeviceVendor == "Zscaler"
| summarize EventCount = count()
| where EventCount == 0
| extend AppName = "Zscaler NSS"
| extend AlertReason = "No Zscaler ZIA/ZPA events received in the last 2 hours"

Explanation

This query is designed to monitor the flow of security events from Zscaler's ZIA (Zscaler Internet Access) or ZPA (Zscaler Private Access) services. It checks for any gaps in event data over a two-hour period, which could indicate a problem with the data feed. Here's a simple breakdown:

  • Purpose: To detect when no events from Zscaler ZIA or ZPA are received in the CommonSecurityLog table for two consecutive hours.
  • Why It Matters: Zscaler's NSS (Nanolog Streaming Service) should continuously send event data during business hours. A complete lack of events could mean:
    • A failure in the NSS Cloud Connector.
    • Issues with CEF/Syslog forwarding.
    • Problems with the Azure Monitor Agent.
    • Potential deliberate interference to disrupt security monitoring.
  • Severity: Medium, as it could indicate significant issues or threats.
  • Frequency: The query runs every 30 minutes, checking the last two hours of data.
  • Trigger: An alert is triggered if no events are detected in the two-hour window.
  • Response: If triggered, an alert is generated with details about the lack of events, and an incident is created for further investigation.
  • MITRE ATT&CK Techniques: It relates to "Impair Defenses" (T1562), specifically "Disable or Modify Tools" (T1562.001), as it could indicate an attempt to blind the Security Operations Center (SOC).

The query also includes configurations for alert display names, descriptions, and incident grouping to manage and track these alerts effectively.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogZscalerCloudApplication

Operators

ago()count()extendsummarizewhere

Severity

Medium

Tactics

DefenseEvasion

MITRE Techniques

Frequency: PT30M

Period: PT2H

Actions

GitHub