Zscaler ZPA - App Access Volume Spike - User Accessing Significantly More Apps Than Baseline
34 CSL ZPA App Volume Spike
Query
let recentWindow = 1h;
let baselineWindow = 14d;
let baseline = CommonSecurityLog
| where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
| where DeviceVendor == "Zscaler" and DeviceProduct has "ZPA"
| where DeviceAction !in ("block", "BLOCK", "Blocked", "Failed")
| where isnotempty(SourceUserName)
| summarize DailyApps = dcount(DestinationHostName)
by SourceUserName, Day = bin(TimeGenerated, 1d)
| summarize AvgDailyApps = avg(DailyApps)
by SourceUserName;
let recent = CommonSecurityLog
| where TimeGenerated > ago(recentWindow)
| where DeviceVendor == "Zscaler" and DeviceProduct has "ZPA"
| where DeviceAction !in ("block", "BLOCK", "Blocked", "Failed")
| where isnotempty(SourceUserName)
| summarize
RecentAppCount = dcount(DestinationHostName),
RecentApps = make_set(DestinationHostName, 20),
RecentConns = count()
by SourceUserName;
recent
| join kind=inner baseline on SourceUserName
| where AvgDailyApps > 0
| extend SpikeRatio = round(toreal(RecentAppCount) / toreal(AvgDailyApps), 1)
| where SpikeRatio >= 3.0 and RecentAppCount >= 5
| project SourceUserName, RecentAppCount, AvgDailyApps, SpikeRatio, RecentApps, RecentConns
| order by SpikeRatio descExplanation
This query is designed to detect unusual behavior in users accessing applications through Zscaler Private Access (ZPA). Here's a simplified breakdown of what it does:
-
Purpose: The query identifies users who access significantly more applications than their usual pattern, which could indicate suspicious activity such as automated reconnaissance, credential compromise, or insider threats.
-
How It Works:
- It examines the number of distinct applications accessed by each user in the past hour.
- It compares this number to the user's average daily application access over the past 14 days.
- If a user accesses three times more applications than their average, and at least five different applications in the past hour, they are flagged.
-
Technical Details:
- The query uses data from the
CommonSecurityLogwhere the vendor is "Zscaler" and the product includes "ZPA". - It excludes actions that are blocked or failed.
- It calculates the daily average of applications accessed by each user over the last 14 days.
- It checks the number of applications accessed in the last hour and calculates a "Spike Ratio" (current access count divided by the average).
- Users with a Spike Ratio of 3.0 or higher are highlighted.
- The query uses data from the
-
Output:
- The query outputs details such as the username, the number of applications accessed recently, the average daily access, the spike ratio, and a list of recently accessed applications.
- It orders the results by the spike ratio in descending order.
-
Alerts and Incidents:
- If the conditions are met, an alert is generated with details about the spike.
- The alert can create an incident, grouping similar alerts by user account for easier management.
In summary, this query helps security teams identify potential security incidents by flagging users who suddenly access a lot more applications than usual, which could be a sign of malicious activity.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P14D