zscaler/internet-access Dashboards

Web - Threat Activity

The Zscaler Internet Access Web - Threat Activity dashboard provides comprehensive visibility into web-based security threats and malicious activities through interconnected visualizations. This dashboard enables monitoring of threat patterns, analysis of attack vectors, and response to web security incidents across the environment.
Web - User Investigation

The Zscaler Internet Access Web - User Investigation dashboard provides detailed insights into user web behaviors and potential security violations through correlated data visualizations. This dashboard enables investigation of suspicious activities, tracking of policy violations, and identification of risky web access patterns.
Web - Web Activity

The Zscaler Internet Access Web - Web Activity dashboard provides real-time visibility into overall web traffic patterns and usage metrics through integrated visualizations. This dashboard enables monitoring of web access trends, analysis of bandwidth consumption, and tracking of application usage across the environment.

Web - Threat Activity

The Zscaler Internet Access Web - Threat Activity dashboard provides comprehensive visibility into web-based security threats and malicious activities through interconnected visualizations. This dashboard enables monitoring of threat patterns, analysis of attack vectors, and response to web security incidents across the environment.

Widget	Description	Type
Top Blocked DLP Dictionaries	Displays a pie chart of a user's top blocked DLP dictionaries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| event.action = "blocked" \| Vendor.dlpdictionaries!="None" \| top(Vendor.dlpdictionaries)`	`Pie Chart`
Top CrowdStrike IOC Hits by Threat Actor	Displays a chart of top CrowdStrike IOC hits by threat actor and limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ioc.detected=true \| case { ioc[0].labels=Actor* \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| rename(iocActor, as="IOC.Actor") \| timechart(IOC.Actor, limit=10)`	`Time Chart`
CrowdStrike IOC Enrichment on Destination Domain	Displays a table of CrowdStrike IOC enrichment data regarding the destination domain and associated data (user email, IOC domain, etc) then limits results to the first 1000 entries. Hide Query Show Query logscale #event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.?)(\/\|$)", field=url.original, strict=false) \| ioc:lookup(field=Vendor.domain, type=domain, confidenceThreshold=Unverified, strict=true) \| case { ioc[0].labels=Actor \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(Continent, as="IOC.Continent") \| rename(ioc[0].indicator, as="IOC.Domain") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| rename(iocActor, as="IOC.Actor") \| table([@timestamp, user.email, source.ip, IOC.Domain, IOC.Confidence, IOC.Actor, IOC.Details], limit=1000)	`Table`
Top Vendor Threat Names	Displays a chart of the top 10 vendor threat names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| #event.kind = "alert" \| array:contains("event.type[]", value="threat") \| user.email=~wildcard(?Username, ignoreCase=true) \| rule.name!="None" \| timechart(rule.name, limit=10)`	`Time Chart`
Top CrowdStrike IOCs by Confidence	Displays a pie chart of top CrowdStrike IOCs by confidence. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| top(IOC.Confidence)`	`Pie Chart`
Top Blocked DLP Engines	Displays a pie chart of top blocked DLP engines. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| event.action = "blocked" \| Vendor.dlpengine != "None" \| top(Vendor.dlpengine)`	`Pie Chart`
CrowdStrike IOC Enrichment on Server IP	Displays a table of CrowdStrike IOC enrichment instances and server IPs and limits results to the first 1000 entries. Hide Query Show Query logscale #event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ipLocation(ioc[0].indicator) \| case { ioc[0].labels=Actor* \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(Continent, as="IOC.Continent") \| rename(ioc[0].indicator, as="IOC.IP") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| rename(iocActor, as="IOC.Actor") \| rename(ioc[0].indicator.country, as="IOC.Country") \| table([@timestamp, user.email, source.ip, IOC.IP, IOC.Confidence, IOC.Country, IOC.Actor, IOC.Details], limit=1000)	`Table`
Top CrowdStrike IOCs by Country	Displays a pie chart of the top CrowdStrike IOCs by country. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ipLocation(ioc[0].indicator) \| rename(ioc[0].indicator.country, as="IOC.Country") \| top(IOC.Country)`	`Pie Chart`
Top Threat Name	Displays a pie chart of the top threat names via username and user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| #event.kind = "alert" \| array:contains("event.type[]", value="threat") \| user.email =~ wildcard(?Username, ignoreCase=true) \| rule.name != "None" \| top(rule.name)`	`Pie Chart`
Top Vendor Categories to Threat Names	Displays a flow chart of top vendor categories to threat names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| #event.kind = "alert" \| array:contains("event.type[]", value="threat") \| user.email=~wildcard(?Username, ignoreCase=true) \| rule.name!="None" \| top([Vendor.urlcategory, rule.name]) \| sankey(source=Vendor.urlcategory, target=rule.name)`	`Sankey`

Web - User Investigation

The Zscaler Internet Access Web - User Investigation dashboard provides detailed insights into user web behaviors and potential security violations through correlated data visualizations. This dashboard enables investigation of suspicious activities, tracking of policy violations, and identification of risky web access patterns.

Widget	Description	Type
Top Blocked DLP Dictionaries	Displays a pie chart of a user's top blocked DLP dictionaries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| event.action = "blocked" \| Vendor.dlpdictionaries!="None" \| top(Vendor.dlpdictionaries)`	`Pie Chart`
Top Users by Volume	Displays a chart of top users by volume using user email data, then limits the results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| timechart(user.email, function=sum(http.request.bytes), limit=10)`	`Time Chart`
Top CrowdStrike IOC Hits by Threat Actor	Displays a chart of top CrowdStrike IOC hits by threat actor and limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ioc.detected=true \| case { ioc[0].labels=Actor* \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| rename(iocActor, as="IOC.Actor") \| timechart(IOC.Actor, limit=10)`	`Time Chart`
Total Distinct Users	Displays the number of total distinct users and their email addresses. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| count(user.email, distinct=true)`	`Single Value`
CrowdStrike IOC Enrichment on Destination Domain	Displays a table of CrowdStrike IOC enrichment data regarding the destination domain and associated data (user email, IOC domain, etc) then limits results to the first 1000 entries. Hide Query Show Query logscale #event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.?)(\/\|$)", field=url.original, strict=false) \| ioc:lookup(field=Vendor.domain, type=domain, confidenceThreshold=Unverified, strict=true) \| case { ioc[0].labels=Actor \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(Continent, as="IOC.Continent") \| rename(ioc[0].indicator, as="IOC.Domain") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| rename(iocActor, as="IOC.Actor") \| table([@timestamp, user.email, source.ip, IOC.Domain, IOC.Confidence, IOC.Actor, IOC.Details], limit=1000)	`Table`
Top Allowed Domains	Displays a user's top allowed domains based on their email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=url.original, strict=false) \| event.action="allowed" \| top([Vendor.domain])`	`Table`
Top Allowed Super Categories	Displays a chart of top allowed super categories by user email, and limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| timechart(Vendor.urlsupercategory, limit=10)`	`Time Chart`
Top Blocked Domains	Displays a list of a users top blocked domains by username and email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=url.original, strict=false) \| event.action="blocked" \| top([Vendor.domain])`	`Table`
Top Vendor Threat Names	Displays a chart of the top 10 vendor threat names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| #event.kind = "alert" \| array:contains("event.type[]", value="threat") \| user.email=~wildcard(?Username, ignoreCase=true) \| rule.name!="None" \| timechart(rule.name, limit=10)`	`Time Chart`
Top Application Names	Displays a pie chart of top applications names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(Vendor.appname)`	`Pie Chart`
Top Blocked Super Categories	Displays a chart of top blocked super categories over time then limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| timechart(Vendor.urlsupercategory, limit=10)`	`Time Chart`
Top User Agents	Displays a list of top user agents by user email address and limits the results to the first 100 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| top(user_agent.original, limit=100)`	`Table`
Top CrowdStrike IOCs by Confidence	Displays a pie chart of top CrowdStrike IOCs by confidence. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| top(IOC.Confidence)`	`Pie Chart`
Top Blocked DLP Engines	Displays a pie chart of top blocked DLP engines. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| event.action = "blocked" \| Vendor.dlpengine != "None" \| top(Vendor.dlpengine)`	`Pie Chart`
Top Protocols	Displays a pie chart of top network protocols. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(network.protocol)`	`Pie Chart`
CrowdStrike IOC Enrichment on Server IP	Displays a table of CrowdStrike IOC enrichment instances and server IPs and limits results to the first 1000 entries. Hide Query Show Query logscale #event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ipLocation(ioc[0].indicator) \| case { ioc[0].labels=Actor* \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(Continent, as="IOC.Continent") \| rename(ioc[0].indicator, as="IOC.IP") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| rename(iocActor, as="IOC.Actor") \| rename(ioc[0].indicator.country, as="IOC.Country") \| table([@timestamp, user.email, source.ip, IOC.IP, IOC.Confidence, IOC.Country, IOC.Actor, IOC.Details], limit=1000)	`Table`
Top Allowed Categories to Domains	Displays a flow chart of top allowed URL categories and vendor domains, then limits results to the first 20 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=url.original, strict=false) \| event.action="allowed" \| top([Vendor.urlcategory, Vendor.domain], limit=20) \| sankey(source="Vendor.urlcategory", target="Vendor.domain")`	`Sankey`
Top Allowed Categories	Displays a table of top allowed URL categories by user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| top(Vendor.urlcategory)`	`Table`
Top CrowdStrike IOCs by Country	Displays a pie chart of the top CrowdStrike IOCs by country. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ipLocation(ioc[0].indicator) \| rename(ioc[0].indicator.country, as="IOC.Country") \| top(IOC.Country)`	`Pie Chart`
Top Blocked Categories to Domains	Displays a flowchart of top blocked categories by domain name. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=url.original, strict=false) \| top([Vendor.urlcategory, Vendor.domain]) \| sankey(source="Vendor.urlcategory", target="Vendor.domain")`	`Sankey`
Top Application Classes	Displays a pie chart of top application classes using Zscaler data. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(Vendor.appclass)`	`Pie Chart`
Top Threat Name	Displays a pie chart of the top threat names via username and user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| #event.kind = "alert" \| array:contains("event.type[]", value="threat") \| user.email =~ wildcard(?Username, ignoreCase=true) \| rule.name != "None" \| top(rule.name)`	`Pie Chart`
Top Blocked Categories	Displays a list top blocked categories based on a user's email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| top(Vendor.urlcategory)`	`Table`
Request Methods	Displays a list of HTTP request methods by username and email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| timechart(http.request.method)`	`Time Chart`
Actions Over Time by Volume	Displays a list of user actions over time by volume based on user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| http.request.bytes!=0 \| timechart(event.action, function=sum(http.request.bytes))`	`Time Chart`
Top Vendor Categories to Threat Names	Displays a flow chart of top vendor categories to threat names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| #event.kind = "alert" \| array:contains("event.type[]", value="threat") \| user.email=~wildcard(?Username, ignoreCase=true) \| rule.name!="None" \| top([Vendor.urlcategory, rule.name]) \| sankey(source=Vendor.urlcategory, target=rule.name)`	`Sankey`
Total Distinct Locations	Displays the number of total distinct locations by username. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| count("Vendor.location", distinct=true)`	`Single Value`

Web - Web Activity

The Zscaler Internet Access Web - Web Activity dashboard provides real-time visibility into overall web traffic patterns and usage metrics through integrated visualizations. This dashboard enables monitoring of web access trends, analysis of bandwidth consumption, and tracking of application usage across the environment.

Widget	Description	Type
Top Users by Volume	Displays a chart of top users by volume using user email data, then limits the results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| timechart(user.email, function=sum(http.request.bytes), limit=10)`	`Time Chart`
Total Distinct Users	Displays the number of total distinct users and their email addresses. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| count(user.email, distinct=true)`	`Single Value`
Top Allowed Domains	Displays a user's top allowed domains based on their email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=url.original, strict=false) \| event.action="allowed" \| top([Vendor.domain])`	`Table`
Top Allowed Super Categories	Displays a chart of top allowed super categories by user email, and limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| timechart(Vendor.urlsupercategory, limit=10)`	`Time Chart`
Top Blocked Domains	Displays a list of a users top blocked domains by username and email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=url.original, strict=false) \| event.action="blocked" \| top([Vendor.domain])`	`Table`
Top Application Names	Displays a pie chart of top applications names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(Vendor.appname)`	`Pie Chart`
Top Blocked Super Categories	Displays a chart of top blocked super categories over time then limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| timechart(Vendor.urlsupercategory, limit=10)`	`Time Chart`
Top User Agents	Displays a list of top user agents by user email address and limits the results to the first 100 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| top(user_agent.original, limit=100)`	`Table`
Top Protocols	Displays a pie chart of top network protocols. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(network.protocol)`	`Pie Chart`
Top Allowed Categories to Domains	Displays a flow chart of top allowed URL categories and vendor domains, then limits results to the first 20 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=url.original, strict=false) \| event.action="allowed" \| top([Vendor.urlcategory, Vendor.domain], limit=20) \| sankey(source="Vendor.urlcategory", target="Vendor.domain")`	`Sankey`
Top Allowed Categories	Displays a table of top allowed URL categories by user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| top(Vendor.urlcategory)`	`Table`
Top Blocked Categories to Domains	Displays a flowchart of top blocked categories by domain name. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=url.original, strict=false) \| top([Vendor.urlcategory, Vendor.domain]) \| sankey(source="Vendor.urlcategory", target="Vendor.domain")`	`Sankey`
Top Application Classes	Displays a pie chart of top application classes using Zscaler data. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(Vendor.appclass)`	`Pie Chart`
Top Blocked Categories	Displays a list top blocked categories based on a user's email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| top(Vendor.urlcategory)`	`Table`
Request Methods	Displays a list of HTTP request methods by username and email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| timechart(http.request.method)`	`Time Chart`
Actions Over Time by Volume	Displays a list of user actions over time by volume based on user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| http.request.bytes!=0 \| timechart(event.action, function=sum(http.request.bytes))`	`Time Chart`
Total Distinct Locations	Displays the number of total distinct locations by username. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| count("Vendor.location", distinct=true)`	`Single Value`

Versions of this Page

Package Marketplace

Package Reference

Dashboard Reference

Package Management

Other Integrations

Log Formats

zscaler/internet-access Dashboards

Web - Threat Activity

Web - User Investigation

Web - Web Activity

Enter search term