LoFP / False positives are limited to Zscaler configuration.

Techniques

Sample rules

Zscaler Exploit Threat Blocked

Description

This analytic detects potential exploit attempts involving command and script interpreters that were blocked by Zscaler. By querying web proxy logs, it isolates events where the action was blocked and the threat name references an exploit. The search compiles statistics by user, threat name, URL, hostname, file class, and filename, giving a detailed view of any exploit-related activity. Marked as a tactic, technique, and procedure (TTP), this analytic is essential for identifying and mitigating exploit attempts.

Detection logic

`zscaler_proxy` action=blocked threatname=*exploit* 
| stats count min(_time) as firstTime max(_time) as lastTime  by user threatname src hostname fileclass filename url dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_exploit_threat_blocked_filter`

Zscaler Potentially Abused File Download

Description

This analytic detects downloads of potentially abused, rarely seen file types within a network; such files are commonly used to spread malware. Using Splunk search functionality, it examines web proxy logs for blocked actions related to potential threats. Essential data points such as deviceowner, user, urlcategory, url, dest, and filename are analyzed to highlight possible malicious activity. This detection, marked as an anomaly, aids in early identification and mitigation of malicious download activity, ensuring a safer network environment.

Detection logic

`zscaler_proxy` url IN ("*.scr", "*.dll", "*.bat", "*.lnk") 
| stats count min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url src filename dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_potentially_abused_file_download_filter`
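As an added example that is not part of the LoFP page or of Splunk's own content, the following Python re-implements the filter and `stats count min(_time) max(_time) by ...` steps of the two searches above (exploit threat blocked, potentially abused file download) over constructed Zscaler-style events. Field names are the ones used in the searches; all event values and threat names are made up.

```python
import fnmatch

# Constructed Zscaler-style web proxy events (not real logs); _time is epoch seconds.
BASE = dict(user="alice", src="10.0.0.5", hostname="dl.example.test", fileclass="Executable",
            filename="update.exe", url="http://dl.example.test/update.exe", dest="198.51.100.7",
            deviceowner="alice", urlcategory="Malware")
EVENTS = [
    {"_time": 1700000000, "action": "blocked", "threatname": "Win32.Exploit.Generic", **BASE},
    {"_time": 1700000600, "action": "blocked", "threatname": "Win32.Exploit.Generic", **BASE},
    {"_time": 1700000900, "action": "allowed", "threatname": "Win32.Exploit.Generic", **BASE},
    {"_time": 1700001200, "action": "blocked", "threatname": "Win32.Exploit.Generic", **BASE, "hostname": None},
    {"_time": 1700001500, "action": "allowed", "threatname": "None", **BASE, "user": "bob", "deviceowner": "bob",
     "urlcategory": "Miscellaneous", "filename": "setup.DLL", "url": "http://dl.example.test/setup.DLL"},
    {"_time": 1700001800, "action": "allowed", "threatname": "None", **BASE, "filename": "readme.txt",
     "url": "http://dl.example.test/readme.txt"},
]

EXPLOIT_FIELDS = ["user", "threatname", "src", "hostname", "fileclass", "filename", "url", "dest"]
DOWNLOAD_FIELDS = ["deviceowner", "user", "urlcategory", "url", "src", "filename", "dest"]
ABUSED_PATTERNS = ("*.scr", "*.dll", "*.bat", "*.lnk")

def wildcard_match(value, pattern):
    """Splunk's field=*exploit* and url IN ("*.dll", ...) comparisons are case-insensitive."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())

def exploit_threat_blocked(e):
    """Filter of 'Zscaler Exploit Threat Blocked': action=blocked threatname=*exploit*."""
    return e.get("action") == "blocked" and wildcard_match(e.get("threatname", ""), "*exploit*")

def potentially_abused_download(e):
    """Filter of 'Zscaler Potentially Abused File Download': url IN (*.scr, *.dll, *.bat, *.lnk)."""
    return any(wildcard_match(e.get("url", ""), p) for p in ABUSED_PATTERNS)

def stats_by(events, predicate, fields):
    """Mimic `| stats count min(_time) as firstTime max(_time) as lastTime by <fields>`.
    As in Splunk, an event missing any by-field is silently dropped from the result."""
    groups = {}
    for e in filter(predicate, events):
        key = tuple(e.get(f) for f in fields)
        if any(v is None for v in key):
            continue
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    return [dict(zip(fields, k), **v) for k, v in groups.items()]

if __name__ == "__main__":
    for row in (stats_by(EVENTS, exploit_threat_blocked, EXPLOIT_FIELDS)
                + stats_by(EVENTS, potentially_abused_download, DOWNLOAD_FIELDS)):
        print(row["count"], row["firstTime"], row["lastTime"], row["user"], row["url"])
```

The fourth event shows the caveat that matters when tuning false positives: a blocked exploit hit whose hostname field is absent never reaches the stats output, so a missing field looks like a clean result.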

Zscaler Adware Activities Threat Blocked

Description

The following analytic is designed to detect potential adware activity which is blocked by Zscaler. Utilizing Splunk search functionality, it filters web proxy logs for blocked actions associated with adware threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible adware intrusions.

Detection logic

`zscaler_proxy` action=blocked threatname=*adware* 
| stats count min(_time) as firstTime max(_time) as lastTime  by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_adware_activities_threat_blocked_filter`

Zscaler Privacy Risk Destinations Threat Blocked

Description

The analytic is designed to identify blocked destinations within a network deemed as privacy risks by Zscaler. Utilizing Splunk search functionality, it processes web proxy logs, focusing on entries marked as Privacy Risk. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate the privacy risk destinations. This anomaly-type detection aids in monitoring and managing privacy risks, promoting a secure network environment.

Detection logic

`zscaler_proxy` action=blocked urlclass="Privacy Risk" 
|  stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| dedup urlcategory 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_privacy_risk_destinations_threat_blocked_filter`

Zscaler CryptoMiner Downloaded Threat Blocked

Description

The analytic is crafted to detect potential download of cryptomining software within a network that is blocked by Zscaler. Utilizing Splunk search functionality, it sifts through web proxy logs for blocked actions associated with cryptominer threats. Key data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible cryptominer downloads. This detection, categorized as an anomaly, aids in early identification and mitigation of cryptomining activities, ensuring network integrity and resource availability.

Detection logic

`zscaler_proxy` action=blocked threatname=*miner* 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_cryptominer_downloaded_threat_blocked_filter`

Zscaler Employment Search Web Activity

Description

This analytic identifies destinations within a network categorized as potential employment searches. Utilizing Splunk's search functionality, it processes web proxy logs, focusing on entries marked as 'Job/Employment Search'. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to enumerate employment-search destinations. This anomaly-type detection aids in monitoring and managing risk, helping guard the environment against insider threats.

Detection logic

`zscaler_proxy` urlsupercategory="Job/Employment Search" 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_employment_search_web_activity_filter`

Zscaler Virus Download Threat Blocked

Description

This analytic detects virus download activity within a network that was blocked by Zscaler. Employing Splunk's search functionality, it reviews web proxy logs for blocked actions indicative of virus downloads. Key data points such as device owner, user, URL category, destination URL and IP, and action taken are analyzed to pinpoint possible virus downloads. As an anomaly-type detection, this analytic facilitates early detection and remediation of virus download attempts, contributing to enhanced network security.

Detection logic

`zscaler_proxy` action=blocked threatname!="None" threatclass=Virus 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_virus_download_threat_blocked_filter`

Zscaler Scam Destinations Threat Blocked

Description

The analytic is engineered to detect potential scam activities within a network by Zscaler. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to scam threats. Essential data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible scam endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of scam activities, ensuring a safer network environment.

Detection logic

`zscaler_proxy` action=blocked threatname=*scam* 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_scam_destinations_threat_blocked_filter`

Zscaler Legal Liability Threat Blocked

Description

This analytic identifies the most significant legal liability threats blocked by the Zscaler web proxy. It leverages web proxy logs to list the destinations, device owners, users, URL categories, and actions associated with the Legal Liability class. By running stats over unique field combinations, it keeps the focus on distinct legal liability threats, providing organizations with insight for enforcing legal compliance and managing risk.

Detection logic

`zscaler_proxy` urlclass="Legal Liability" 
|  stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| dedup urlcategory 
| `zscaler_legal_liability_threat_blocked_filter`