Zscaler ZIA / ZPA - Visibility Loss - No Events Received in 2 Hours
30 CSL Zscaler Visibility Loss No Traffic
Query
CommonSecurityLog
| where TimeGenerated > ago(2h)
| where DeviceVendor == "Zscaler"
| summarize EventCount = count()
| where EventCount == 0
| extend AppName = "Zscaler NSS"
| extend AlertReason = "No Zscaler ZIA/ZPA events received in the last 2 hours"Explanation
This query is designed to monitor the flow of security events from Zscaler's ZIA (Zscaler Internet Access) or ZPA (Zscaler Private Access) services. It checks for any gaps in event data over a two-hour period, which could indicate a problem with the data feed. Here's a simple breakdown:
- Purpose: To detect when no events from Zscaler ZIA or ZPA are received in the CommonSecurityLog table for two consecutive hours.
- Why It Matters: Zscaler's NSS (Nanolog Streaming Service) should continuously send event data during business hours. A complete lack of events could mean:
- A failure in the NSS Cloud Connector.
- Issues with CEF/Syslog forwarding.
- Problems with the Azure Monitor Agent.
- Potential deliberate interference to disrupt security monitoring.
- Severity: Medium, as it could indicate significant issues or threats.
- Frequency: The query runs every 30 minutes, checking the last two hours of data.
- Trigger: An alert is triggered if no events are detected in the two-hour window.
- Response: If triggered, an alert is generated with details about the lack of events, and an incident is created for further investigation.
- MITRE ATT&CK Techniques: It relates to "Impair Defenses" (T1562), specifically "Disable or Modify Tools" (T1562.001), as it could indicate an attempt to blind the Security Operations Center (SOC).
The query also includes configurations for alert display names, descriptions, and incident grouping to manage and track these alerts effectively.
