Query Details

Zscaler ZIA - Advanced Threat Protection (ATP) / Sandbox Malicious File Blocked

22 CSL Zscaler ATP Sandbox Malicious File

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceAction in ("block", "BLOCK", "Blocked")
| where DeviceCustomString2 has_any (
    "SANDBOX", "ADVANCED_THREAT", "MALWARE_DOWNLOAD_BLOCKED",
    "ADVANCED_MALWARE_POLICY", "RANSOMWARE", "EXPLOIT", "ADVANCED_THREAT_C2")
    or DeviceCustomString1 has_any (
    "sandbox", "malicious", "virus", "trojan",
    "ransomware", "exploit", "backdoor", "rat")
    or Activity has_any ("Sandbox", "Advanced Threat Protection", "Malware")
| summarize
    BlockCount     = count(),
    UserCount      = dcount(SourceUserName),
    UserList       = make_set(SourceUserName, 10),
    BlockedDomains = make_set(DestinationHostName, 10),
    BlockedURLs    = make_set(RequestURL, 10),
    ThreatNames    = make_set(DeviceCustomString1, 10),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated),
    RepUser        = any(SourceUserName)
  by ThreatCategory = DeviceCustomString2
| order by BlockCount desc

Explanation

This query is designed to detect and alert on events where Zscaler's Advanced Threat Protection (ATP) or Sandbox has blocked a file download due to it being identified as malicious. Here's a simple breakdown:

  • Purpose: The query identifies instances where Zscaler has blocked potentially harmful files, such as ransomware or trojans, indicating a high-confidence malware delivery attempt. These events require immediate investigation.

  • Data Source: It uses data from the "CommonSecurityLog" provided by the "CommonSecurityEvents" connector.

  • Time Frame: The query looks at events from the past day (1 day).

  • Conditions: It filters for events where:

    • The vendor is Zscaler.
    • The action taken was a block (e.g., "block", "BLOCK", "Blocked").
    • Specific threat indicators are present in the logs, such as "SANDBOX", "MALWARE_DOWNLOAD_BLOCKED", or related terms like "ransomware" or "trojan".
  • Output: The query summarizes the data by:

    • Counting the number of block events.
    • Counting and listing unique users affected.
    • Listing domains and URLs that were blocked.
    • Listing threat names.
    • Recording the first and last time such events were seen.
  • Severity: The severity of these alerts is classified as "High".

  • Alert and Incident Management:

    • Alerts are generated with a display name and description that includes the threat category, number of events, and number of users affected.
    • Incidents are created for these alerts, and similar incidents are grouped together based on the user account involved.
  • MITRE ATT&CK Framework: The query maps to techniques T1204 (User Execution) and T1566 (Phishing — Malicious File), indicating the tactics of Initial Access and Execution.

Overall, this query helps security teams quickly identify and respond to threats blocked by Zscaler's security measures, focusing on high-confidence malware attempts.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogZscalerDeviceVendorDeviceActionDeviceCustomString2DeviceCustomString1ActivityBlockCountUserCountSourceUserNameDestinationHostNameRequestURLThreatNamesTimeGeneratedThreatCategoryAccountRepUser

Operators

agohas_anyinorder bysummarizewherecountdcountmake_setminmaxany

Severity

High

Tactics

InitialAccessExecution

MITRE Techniques

Frequency: PT15M

Period: P1D

Actions

GitHub