LoFP / false positives are limited to Zscaler configuration.

Techniques

Sample rules

Zscaler Phishing Activity Threat Blocked

Description

The analytic is designed to detect likely phishing attempts within a network that Zscaler has blocked. Using Splunk search functionality, it evaluates web proxy logs for blocked actions correlated with phishing threats, specifically those whose threat name starts with HTML.Phish. Key data points such as the user, threat name, URL, and hostname are analyzed to highlight possible phishing activity. This anomaly-type detection serves as an early warning system, facilitating prompt investigation and mitigation of phishing threats, thereby bolstering network security.

Detection logic

`zscaler_proxy` action=blocked threatname="HTML.Phish*" 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_phishing_activity_threat_blocked_filter`

Zscaler Behavior Analysis Threat Blocked

Description

The analytic is built to identify threats blocked by the Zscaler proxy based on behavior analysis. It filters web proxy logs for entries where actions are blocked and threat names and classes are specified. The search further refines the results to include only those with reasons related to “block”. It then aggregates the count, providing a clear view of the threat landscape as handled by the behavior analysis proxy.

Detection logic

`zscaler_proxy` action=blocked threatname!="None" threatclass="Behavior Analysis" 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user threatname url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_behavior_analysis_threat_blocked_filter`

Zscaler Malware Activity Threat Blocked

Description

The analytic targets the detection of potential malware activities within a network that are blocked by Zscaler. By filtering web proxy logs for blocked actions associated with malware, where a threat category is specified, the analytic aggregates occurrences by user, URL, and threat category. This approach ensures a focused identification of malware activities, making it an effective tool for ongoing network security monitoring and anomaly detection.

Detection logic

`zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_malware_activity_threat_blocked_filter`
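The three searches above share one shape: a filter stage on the `zscaler_proxy` events followed by a `stats count min(_time) max(_time) by ...` aggregation and ctime formatting. The following is an added example, not Splunk's or Zscaler's own code, that re-implements that filter and stats logic for all three rules (Phishing, Behavior Analysis, Malware) in plain Python over constructed sample events, so the exclusions each rule makes (allowed actions, `threatname` of None, `threatcategory` of None) can be checked offline. Field names are the ones the searches use; the timestamp format is assumed to mirror what `security_content_ctime` produces (`%Y-%m-%dT%H:%M:%S`), and the SPL semantics of case-insensitive, `*`-wildcard field comparison are emulated with `fnmatchcase` on lower-cased values.

```python
"""Added example (not Splunk's or Zscaler's code): re-implements the filter and
stats stages of the three Zscaler blocked-threat searches over constructed
sample proxy events."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def _event(time, action, threatname, threatclass, threatcategory, urlcategory, url):
    """Build one constructed event carrying the fields the searches group by."""
    return {"_time": time, "action": action, "threatname": threatname,
            "threatclass": threatclass, "threatcategory": threatcategory,
            "urlcategory": urlcategory, "url": url, "deviceowner": "alice",
            "user": "alice@corp.example", "src": "10.0.0.5", "dest": "203.0.113.10"}


# Constructed sample events shaped like normalized Zscaler web proxy logs.
SAMPLE_EVENTS = [
    # two blocked HTML.Phish hits on one URL -> a single phishing row with count 2
    _event(1700000000, "blocked", "HTML.Phish.Gen", "Advanced Threat", "Phishing",
           "Phishing", "http://login.example.invalid/verify"),
    _event(1700000600, "blocked", "HTML.Phish.Gen", "Advanced Threat", "Phishing",
           "Phishing", "http://login.example.invalid/verify"),
    # same threat but allowed -> excluded by action=blocked
    _event(1700001200, "allowed", "HTML.Phish.Gen", "Advanced Threat", "Phishing",
           "Phishing", "http://login.example.invalid/verify"),
    # sandbox verdict -> behavior analysis rule only (name lacks "malware")
    _event(1700001800, "blocked", "Sandbox.Malicious", "Behavior Analysis", "Malware",
           "Malicious Content", "http://files.example.invalid/a.exe"),
    # policy block with no threat name -> excluded by threatname!="None"
    _event(1700002400, "blocked", "None", "Behavior Analysis", "None",
           "Gambling", "http://bet.example.invalid/"),
    # classic AV hit -> malware rule
    _event(1700003000, "blocked", "Win32.Malware.Generic", "Advanced Threat", "Malware",
           "Malicious Content", "http://dl.example.invalid/b.exe"),
    # name matches *malware* but category is None -> excluded by threatcategory!=None
    _event(1700003600, "blocked", "Trojan.Malware.X", "Advanced Threat", "None",
           "Malicious Content", "http://dl.example.invalid/c.exe"),
]


def _match(value, pattern):
    """SPL-style field=value test: case-insensitive, with * as a wildcard."""
    return fnmatchcase(str(value).lower(), pattern.lower())


def phishing_blocked(e):
    # `zscaler_proxy` action=blocked threatname="HTML.Phish*"
    return _match(e["action"], "blocked") and _match(e["threatname"], "HTML.Phish*")


def behavior_analysis_blocked(e):
    # `zscaler_proxy` action=blocked threatname!="None" threatclass="Behavior Analysis"
    return (_match(e["action"], "blocked") and not _match(e["threatname"], "None")
            and _match(e["threatclass"], "Behavior Analysis"))


def malware_blocked(e):
    # `zscaler_proxy` action=blocked threatname=*malware* threatcategory!=None
    return (_match(e["action"], "blocked") and _match(e["threatname"], "*malware*")
            and not _match(e["threatcategory"], "None"))


def stats_by(events, fields):
    """| stats count min(_time) as firstTime max(_time) as lastTime by <fields>,
    followed by the ctime formatting the searches apply to both timestamps."""
    groups = {}
    for e in events:
        key = tuple(e[f] for f in fields)
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    rows = []
    for key, g in groups.items():
        row = dict(zip(fields, key), count=g["count"])
        for name in ("firstTime", "lastTime"):
            # assumed to mirror `security_content_ctime`'s output format
            row[name] = datetime.fromtimestamp(g[name], timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
        rows.append(row)
    return rows


# Group-by fields of the phishing/behavior-analysis searches and of the malware search.
THREAT_FIELDS = ["action", "deviceowner", "user", "threatname", "url", "src", "dest"]
MALWARE_FIELDS = ["action", "deviceowner", "user", "urlcategory", "url", "src", "dest"]


def run_searches(events):
    """Return the result rows of all three searches keyed by rule name."""
    return {
        "phishing": stats_by(filter(phishing_blocked, events), THREAT_FIELDS),
        "behavior_analysis": stats_by(filter(behavior_analysis_blocked, events), THREAT_FIELDS),
        "malware": stats_by(filter(malware_blocked, events), MALWARE_FIELDS),
    }


if __name__ == "__main__":
    for rule, rows in run_searches(SAMPLE_EVENTS).items():
        for row in rows:
            print(rule, row["count"], row["firstTime"], row["lastTime"], row["url"])
```

Running the block on the constructed events yields one row per rule: the phishing row has count 2 because both blocked HTML.Phish hits share every group-by field, while the allowed hit, the nameless policy block and the malware hit with an empty category each fall out at the filter stage exactly as the SPL predicates intend. The `*_filter` macros at the end of each search are site-specific exclusion hooks and are not modelled here.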