Top Blocked DLP Dictionaries |
Displays a pie chart of a user's top blocked DLP dictionaries.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email =~ wildcard(?Username, ignoreCase=true)
| event.action = "blocked"
// Exclude the literal "None" value (presumably the vendor's placeholder) so it does not dominate the pie.
| Vendor.dlpdictionaries!="None"
| top(Vendor.dlpdictionaries)
| Pie Chart |
Top Users by Volume |
Displays a chart of top users by volume using user email data,
then limits the results to the first 10 entries.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// One series per user.email, each bucket summing http.request.bytes; limit=10 caps the number of series drawn.
| timechart(user.email, function=sum(http.request.bytes), limit=10)
| Time Chart |
Top CrowdStrike IOC Hits by Threat Actor |
Displays a chart of top CrowdStrike IOC hits by threat actor and
limits results to the first 10 entries.
#event.dataset = "zia.web"
// Enrich destination.ip against the CrowdStrike IOC feed. confidenceThreshold=Unverified is the
// lowest threshold, so low-confidence indicators are included (maximum coverage, more noise —
// raise it if the chart is dominated by weak hits). strict=true keeps only events that matched
// an IOC, which presumably makes the ioc.detected=true filter below redundant — harmless either way.
| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true)
| ioc.detected=true
// Extract the actor name from an "Actor/<name>..." label. The trailing \W+ requires at least one
// non-word character after the name, so a label that is exactly "Actor/<name>" matches the case
// branch but leaves iocActor unset (strict=false keeps the event); confirm against real label values.
| case {
ioc[0].labels=Actor*
| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ;
* | iocActor:="None Listed" ;
}
| rename(iocActor, as="IOC.Actor")
| timechart(IOC.Actor, limit=10)
| Time Chart |
Total Distinct Users |
Displays the total number of distinct users, based on their email
addresses.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Count distinct email addresses; events without user.email are not counted.
| count(user.email, distinct=true)
| Single Value |
CrowdStrike IOC Enrichment on Destination Domain |
Displays a table of CrowdStrike IOC enrichment data for the
destination domain and associated fields (user email, IOC domain,
etc.), limited to the first 1000 entries.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Derive Vendor.domain as everything before the first "/" (or the whole value if there is none).
// This assumes url.original starts at the host; a value with a scheme ("https://host/...") would
// capture "https:" instead — confirm the field's format.
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=url.original, strict=false)
// Unverified is the lowest confidence threshold (all indicators included); strict=true keeps
// only events with an IOC match.
| ioc:lookup(field=Vendor.domain, type=domain, confidenceThreshold=Unverified, strict=true)
// Actor name from an "Actor/<name>..." label; \W+ needs a separator after the name, so a bare
// "Actor/<name>" label leaves iocActor unset (strict=false keeps the event).
| case {
ioc[0].labels=Actor*
| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ;
* | iocActor:="None Listed" ;
}
// Comma-separated labels are rewritten one per line for display.
| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details")
// NOTE(review): nothing earlier in this query produces a Continent field and IOC.Continent is not
// in the table below — looks carried over from the Server IP widget; confirm whether it is needed.
| rename(Continent, as="IOC.Continent")
| rename(ioc[0].indicator, as="IOC.Domain")
| rename(ioc[0].malicious_confidence, as="IOC.Confidence")
| rename(iocActor, as="IOC.Actor")
| table([@timestamp, user.email, source.ip, IOC.Domain, IOC.Confidence, IOC.Actor, IOC.Details], limit=1000)
| Table |
Top Allowed Domains |
Displays a user's top allowed domains based on their email
address.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Vendor.domain = url.original up to the first "/" (assumes the value has no scheme prefix — confirm).
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=url.original, strict=false)
| event.action="allowed"
| top([Vendor.domain])
| Table |
Top Allowed Super Categories |
Displays a chart of top allowed super categories by user email,
and limits results to the first 10 entries.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="allowed"
// One series per super category; limit=10 caps the number of series drawn.
| timechart(Vendor.urlsupercategory, limit=10)
| Time Chart |
Top Blocked Domains |
Displays a list of a user's top blocked domains by username and
email address.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Vendor.domain = url.original up to the first "/" (assumes the value has no scheme prefix — confirm).
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=url.original, strict=false)
| event.action="blocked"
| top([Vendor.domain])
| Table |
Top Vendor Threat Names |
Displays a chart of the top 10 vendor threat names.
#event.dataset = "zia.web"
// Restrict to alert events whose event.type array contains "threat".
| #event.kind = "alert"
| array:contains("event.type[]", value="threat")
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Exclude the literal "None" value (presumably the vendor's placeholder when no rule fired).
| rule.name!="None"
// One series per rule name; limit=10 caps the number of series drawn.
| timechart(rule.name, limit=10)
| Time Chart |
Top Application Names |
Displays a pie chart of top application names.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Counts every action (allowed and blocked) — no event.action filter here.
| top(Vendor.appname)
| Pie Chart |
Top Blocked Super Categories |
Displays a chart of top blocked super categories over time then
limits results to the first 10 entries.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="blocked"
// One series per super category; limit=10 caps the number of series drawn.
| timechart(Vendor.urlsupercategory, limit=10)
| Time Chart |
Top User Agents |
Displays a list of top user agents by user email address and
limits the results to the first 100 entries.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Only allowed requests are counted; user agents seen solely on blocked requests are excluded.
| event.action="allowed"
| top(user_agent.original, limit=100)
| Table |
Top CrowdStrike IOCs by Confidence |
Displays a pie chart of top CrowdStrike IOCs by confidence.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Unverified is the lowest confidence threshold (all indicators included); strict=true keeps
// only events with an IOC match.
| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true)
// NOTE(review): IOC.Details is computed but not used by top() below — appears to be dead work here.
| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details")
| rename(ioc[0].malicious_confidence, as="IOC.Confidence")
| top(IOC.Confidence)
| Pie Chart |
Top Blocked DLP Engines |
Displays a pie chart of top blocked DLP engines.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email =~ wildcard(?Username, ignoreCase=true)
| event.action = "blocked"
// Exclude the literal "None" value (presumably the vendor's placeholder) so it does not dominate the pie.
| Vendor.dlpengine != "None"
| top(Vendor.dlpengine)
| Pie Chart |
Top Protocols |
Displays a pie chart of top network protocols.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Counts every action (allowed and blocked) — no event.action filter here.
| top(network.protocol)
| Pie Chart |
CrowdStrike IOC Enrichment on Server IP |
Displays a table of CrowdStrike IOC enrichment instances and
server IPs and limits results to the first 1000 entries.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Enrich destination.ip against the CrowdStrike IOC feed. Unverified is the lowest confidence
// threshold (all indicators included — maximum coverage, more noise); strict=true keeps only
// events with an IOC match.
| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true)
// Geolocate the matched indicator; assumed to write ioc[0].indicator.country (renamed below) — confirm.
| ipLocation(ioc[0].indicator)
// Actor name from an "Actor/<name>..." label; \W+ needs a separator after the name, so a bare
// "Actor/<name>" label leaves iocActor unset (strict=false keeps the event).
| case {
ioc[0].labels=Actor*
| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ;
* | iocActor:="None Listed" ;
}
// Comma-separated labels are rewritten one per line for display.
| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details")
// NOTE(review): no stage above visibly produces a Continent field, and IOC.Continent is not in
// the table below — confirm whether this rename is needed.
| rename(Continent, as="IOC.Continent")
| rename(ioc[0].indicator, as="IOC.IP")
| rename(ioc[0].malicious_confidence, as="IOC.Confidence")
| rename(iocActor, as="IOC.Actor")
| rename(ioc[0].indicator.country, as="IOC.Country")
| table([@timestamp, user.email, source.ip, IOC.IP, IOC.Confidence, IOC.Country, IOC.Actor, IOC.Details], limit=1000)
| Table |
Top Allowed Categories to Domains |
Displays a flow chart of top allowed URL categories and vendor
domains, then limits results to the first 20 entries.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Vendor.domain = url.original up to the first "/" (assumes the value has no scheme prefix — confirm).
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=url.original, strict=false)
| event.action="allowed"
// Top 20 (category, domain) pairs feed the flow; the sankey draws category -> domain.
| top([Vendor.urlcategory, Vendor.domain], limit=20)
| sankey(source="Vendor.urlcategory", target="Vendor.domain")
| Sankey |
Top Allowed Categories |
Displays a table of top allowed URL categories by user email.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="allowed"
| top(Vendor.urlcategory)
| Table |
Top CrowdStrike IOCs by Country |
Displays a pie chart of the top CrowdStrike IOCs by country.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Unverified is the lowest confidence threshold (all indicators included); strict=true keeps
// only events with an IOC match.
| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true)
// Geolocate the matched indicator; assumed to write ioc[0].indicator.country (renamed below) — confirm.
| ipLocation(ioc[0].indicator)
| rename(ioc[0].indicator.country, as="IOC.Country")
| top(IOC.Country)
| Pie Chart |
Top Blocked Categories to Domains |
Displays a flow chart of top blocked categories by domain name.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="blocked"
// Vendor.domain = url.original up to the first "/" (assumes the value has no scheme prefix — confirm).
| regex("^(?<Vendor.domain>.*?)(\/|$)", field=url.original, strict=false)
// NOTE(review): unlike the "Top Allowed Categories to Domains" widget (limit=20), top() here has
// no explicit limit, so the flow uses top()'s default row count — set one if the two should match.
| top([Vendor.urlcategory, Vendor.domain])
| sankey(source="Vendor.urlcategory", target="Vendor.domain")
| Sankey |
Top Application Classes |
Displays a pie chart of top application classes using Zscaler
data.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Counts every action (allowed and blocked) — no event.action filter here.
| top(Vendor.appclass)
| Pie Chart |
Top Threat Name |
Displays a pie chart of the top threat names via username and user
email.
#event.dataset = "zia.web"
// Restrict to alert events whose event.type array contains "threat".
| #event.kind = "alert"
| array:contains("event.type[]", value="threat")
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email =~ wildcard(?Username, ignoreCase=true)
// Exclude the literal "None" value (presumably the vendor's placeholder when no rule fired).
| rule.name != "None"
| top(rule.name)
| Pie Chart |
Top Blocked Categories |
Displays a list of top blocked categories based on a user's email
address.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
| event.action="blocked"
| top(Vendor.urlcategory)
| Table |
Request Methods |
Displays a list of HTTP request methods by username and email.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// One series per HTTP method (default count per bucket, no series limit given).
| timechart(http.request.method)
| Time Chart |
Actions Over Time by Volume |
Displays a list of user actions over time by volume based on user
email.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Drop zero-byte requests so they do not produce empty series; how events lacking
// http.request.bytes are treated by != is not visible here — confirm.
| http.request.bytes!=0
// One series per action (allowed/blocked/...), each bucket summing http.request.bytes.
| timechart(event.action, function=sum(http.request.bytes))
| Time Chart |
Top Vendor Categories to Threat Names |
Displays a flow chart of top vendor categories to threat names.
#event.dataset = "zia.web"
// Restrict to alert events whose event.type array contains "threat".
| #event.kind = "alert"
| array:contains("event.type[]", value="threat")
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Exclude the literal "None" value (presumably the vendor's placeholder when no rule fired).
| rule.name!="None"
| top([Vendor.urlcategory, rule.name])
// Style: the other sankey widgets quote the field names (source="..."); unquoted here — pick one form.
| sankey(source=Vendor.urlcategory, target=rule.name)
| Sankey |
Total Distinct Locations |
Displays the number of total distinct locations by username.
#event.dataset = "zia.web"
// Scope to the dashboard's ?Username parameter (case-insensitive wildcard match on the email).
| user.email=~wildcard(?Username, ignoreCase=true)
// Count distinct Vendor.location values; events without the field are not counted.
| count("Vendor.location", distinct=true)
| Single Value |