LoFP / false positives are limited to Zscaler configuration.

Techniques

Sample rules

Zscaler Malware Activity Threat Blocked

Description

The following analytic identifies potential malware activities within a network that are blocked by Zscaler. It leverages web proxy logs to filter for blocked actions associated with malware, aggregating occurrences by user, URL, and threat category. This detection is significant for a SOC as it highlights attempts to access malicious content, indicating potential compromise or targeted attacks. If confirmed malicious, this activity could signify an ongoing attempt to infiltrate the network, necessitating immediate investigation to prevent further threats and ensure network integrity.

Detection logic

`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_malware_activity_threat_blocked_filter`

Zscaler Phishing Activity Threat Blocked

Description

The following analytic identifies potential phishing attempts blocked by Zscaler within a network. It leverages web proxy logs to detect actions tagged as HTML.Phish. The detection method involves analyzing critical data points such as user, threat name, URL, and hostname. This activity is significant for a SOC as it serves as an early warning system for phishing threats, enabling prompt investigation and mitigation. If confirmed malicious, this activity could indicate an attempt to deceive users into divulging sensitive information, potentially leading to data breaches or credential theft.

Detection logic

`zscaler_proxy` action=blocked threatname="HTML.Phish*" 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_phishing_activity_threat_blocked_filter`

Zscaler Behavior Analysis Threat Blocked

Description

The following analytic identifies threats blocked by the Zscaler proxy based on behavior analysis. It leverages web proxy logs to detect entries where actions are blocked and threat names and classes are specified. This detection is significant as it highlights potential malicious activities that were intercepted by Zscaler’s behavior analysis, providing early indicators of threats. If confirmed malicious, these blocked threats could indicate attempted breaches or malware infections, helping security teams to understand and mitigate potential risks in their environment.

Detection logic

`zscaler_proxy` action=blocked threatname!="None" threatclass="Behavior Analysis" 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_behavior_analysis_threat_blocked_filter`
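The three searches above share one shape: a field filter on blocked Zscaler events, a `stats count min(_time) max(_time) by ...` aggregation, the `security_content_ctime` time formatting, and a trailing `*_filter` macro that is empty until an analyst tunes it. The block below is an added example, not Splunk's or Zscaler's code, that re-implements all three detections in plain Python over a handful of constructed proxy events so the matching and grouping behaviour can be checked offline. It assumes Splunk's case-insensitive string and wildcard matching, that `security_content_ctime` renders epoch seconds as `%m/%d/%Y %H:%M:%S`, and that the filter macros are used for allow-listing benign URLs; the sample events, user names and URLs are invented.

```python
"""Offline re-implementation (added example) of the three Zscaler 'Threat Blocked' rules."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample events mirroring the fields the SPL uses; not real Zscaler data.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "action": "blocked", "threatname": "Win32.Malware.Generic",
     "threatcategory": "Malware", "threatclass": "Malware", "deviceowner": "alice",
     "user": "alice@example.test", "urlcategory": "Malicious Content",
     "url": "http://bad.example.test/a.exe", "src": "10.0.0.5", "dest": "203.0.113.7"},
    {"_time": 1700000060, "action": "blocked", "threatname": "Win32.Malware.Generic",
     "threatcategory": "Malware", "threatclass": "Malware", "deviceowner": "alice",
     "user": "alice@example.test", "urlcategory": "Malicious Content",
     "url": "http://bad.example.test/a.exe", "src": "10.0.0.5", "dest": "203.0.113.7"},
    {"_time": 1700000120, "action": "allowed", "threatname": "None",
     "threatcategory": "None", "threatclass": "None", "deviceowner": "alice",
     "user": "alice@example.test", "urlcategory": "Business",
     "url": "https://intranet.example.test/", "src": "10.0.0.5", "dest": "192.0.2.10"},
    {"_time": 1700000180, "action": "blocked", "threatname": "HTML.Phish.Office365",
     "threatcategory": "Phishing", "threatclass": "Phishing", "deviceowner": "bob",
     "user": "bob@example.test", "urlcategory": "Phishing",
     "url": "https://login.example.test/", "src": "10.0.0.6", "dest": "198.51.100.9"},
    {"_time": 1700000240, "action": "blocked", "threatname": "Suspicious.Script.Downloader",
     "threatcategory": "Suspicious", "threatclass": "Behavior Analysis", "deviceowner": "carol",
     "user": "carol@example.test", "urlcategory": "Uncategorized",
     "url": "http://dl.example.test/x.js", "src": "10.0.0.7", "dest": "192.0.2.4"},
]


def _eq(value, literal):
    """Splunk field=value comparison on strings is case-insensitive (assumption)."""
    return str(value).lower() == literal.lower()


def _wild(value, pattern):
    """SPL '*' wildcard match, case-insensitive like Splunk field search (assumption)."""
    return fnmatchcase(str(value).lower(), pattern.lower())


def security_content_ctime(epoch):
    """Assumed rendering of the security_content_ctime macro: %m/%d/%Y %H:%M:%S (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


# Filter stage of each rule, one predicate per search.
def is_malware_blocked(e):
    return (_eq(e["action"], "blocked") and _wild(e["threatname"], "*malware*")
            and not _eq(e["threatcategory"], "None"))


def is_phishing_blocked(e):
    return _eq(e["action"], "blocked") and _wild(e["threatname"], "HTML.Phish*")


def is_behavior_blocked(e):
    return (_eq(e["action"], "blocked") and not _eq(e["threatname"], "None")
            and _eq(e["threatclass"], "Behavior Analysis"))


def stats_by(events, predicate, by):
    """`stats count min(_time) as firstTime max(_time) as lastTime by <by>` plus ctime."""
    groups = {}
    for e in events:
        if not predicate(e):
            continue
        key = tuple(e.get(f, "") for f in by)
        g = groups.setdefault(key, {"count": 0, "first": e["_time"], "last": e["_time"]})
        g["count"] += 1
        g["first"] = min(g["first"], e["_time"])
        g["last"] = max(g["last"], e["_time"])
    rows = []
    for key, g in groups.items():
        row = dict(zip(by, key))
        row.update(count=g["count"], firstTime=security_content_ctime(g["first"]),
                   lastTime=security_content_ctime(g["last"]))
        rows.append(row)
    return rows


def apply_filter(rows, allow_urls=()):
    """Stand-in for the empty `*_filter` macros: drop rows for URLs an analyst has allow-listed."""
    return [r for r in rows if r["url"] not in allow_urls]


def run_malware_rule(events=SAMPLE_EVENTS, allow_urls=()):
    by = ["action", "deviceowner", "user", "urlcategory", "url", "src", "dest"]
    return apply_filter(stats_by(events, is_malware_blocked, by), allow_urls)


def run_phishing_rule(events=SAMPLE_EVENTS, allow_urls=()):
    by = ["action", "deviceowner", "user", "threatname", "url", "src", "dest"]
    return apply_filter(stats_by(events, is_phishing_blocked, by), allow_urls)


def run_behavior_rule(events=SAMPLE_EVENTS, allow_urls=()):
    by = ["action", "deviceowner", "user", "threatname", "url", "src", "dest"]
    return apply_filter(stats_by(events, is_behavior_blocked, by), allow_urls)


if __name__ == "__main__":
    for name, fn in [("malware", run_malware_rule), ("phishing", run_phishing_rule),
                     ("behavior", run_behavior_rule)]:
        print(name, fn())
```

Running the file shows the two repeated malware blocks for alice collapsing into one row with `count` 2, one phishing row for bob and one behavior-analysis row for carol, while the allowed intranet request never reaches the aggregation. Passing `allow_urls` to any of the `run_*` functions shows where tuning against a site's own Zscaler configuration would sit in the real rule, in the `*_filter` macro after the stats stage.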