Quick Start Security for Zscaler ZIA


Out-of-the-Box Security For Zscaler ZIA Includes:

Alerts - 7

Stay on top of Zscaler ZIA key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

No Logs

This rule detects when no Zscaler logs have arrived in the customer account in the last 24 hours. Note: this alert should be deployed in the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries may employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap to restore comprehensive monitoring within the Coralogix SIEM.
MITRE Tactic: TA0005. MITRE Technique: T1562.

Huge Blocked Traffic Detected for a User

The alert detects when a large volume of blocked traffic is observed from a user machine.
Impact: Outbound blocked traffic may indicate that the host is compromised and attempting to communicate with malicious entities outside the network. This could result in data exfiltration, command and control (C2) communication, or the download of additional malware.
Mitigation: Analyze the blocked events; if they are suspicious, immediately isolate the affected host from the network to prevent further outbound communication with potentially malicious or unauthorized entities.
MITRE Tactic: TA0011. MITRE Technique: T1071.

Suspicious File Types Detected

The alert detects downloads of suspicious file types.
Impact: The user may have received a phishing email and clicked a link that downloads a suspicious file, which can lead to host compromise.
Mitigation: Determine whether the file contains malware, such as viruses, trojans, ransomware, or spyware, which could compromise systems, steal sensitive data, or disrupt operations.
MITRE Tactic: TA0001. MITRE Technique: T1566.

External Communication to Critical Ports Detected

This alert detects communication over critical ports to an external host.
Impact: Depends on the specific port over which the communication occurred.
Mitigation: Check whether the communication is legitimate or whether the host is connecting to a command-and-control (C&C) server.
MITRE Tactic: TA0011. MITRE Technique: T1071.

Multiple DLP Block Rules triggered for a User

This alert triggers when a user makes multiple attempts to share confidential information via one or more channels and is blocked by compliance rules.
Impact: The user may be trying to send confidential information outside the organization and trying different ways to evade detection.
Mitigation: Examine the files the user attempted to send to determine whether they contain confidential data.
MITRE Tactic: TA0005. MITRE Technique: T1070.

DLP Rule Deleted

This alert triggers when a DLP rule on the Zscaler portal is deleted.
Impact: Deleting a DLP rule may remove visibility into data shared with external users.
Mitigation: The deletion must be validated. If it was a planned activity, the alert can be disregarded. Otherwise, re-enable the rule for DLP monitoring and investigate further whether the deletion was unintentional or performed by a compromised user.
MITRE Tactic: TA0005. MITRE Technique: T1562.

Multiple User Login Failures

This alert detects a possible brute-force attack against a Zscaler admin user. It triggers when too many login failures occur for a specific user: more than 3 failed attempts in 5 minutes.
Impact: Excessive login failures for a user can indicate an attacker trying to guess the user's password (manually or automatically). A successful attack compromises the user and gives the attacker access to company information and the environment.
Mitigation: Review the details of the login failures (number of failed logins, user, IP, location, working hours) and determine whether they look suspicious or legitimate. Verify with the user whether they are aware of these login attempts and investigate further if not. In particular, check whether a successful login occurred among the failed attempts, which may indicate a compromised account. If in doubt, reset the user's password as a precaution.
MITRE Tactic: TA0006. MITRE Technique: T1110.
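As an added example that is not part of this integration and does not use Coralogix's or Zscaler's rule syntax, the following Python sketches the sliding-window logic behind this rule (more than 3 failures within 5 minutes for one user) over constructed sample events. It also records a successful login that follows the burst, since the mitigation step singles that out as a compromise indicator. The event layout (timestamp, user, result, IP) and the field names are assumptions, not the Zscaler ZIA admin audit log schema.

```python
"""Sliding-window detector for the "Multiple User Login Failures" rule.

Constructed example: the record layout (timestamp, user, result, ip) is an
assumption, not the Zscaler ZIA admin-audit log schema or Coralogix's rule DSL.
"""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # rule window stated on the page
THRESHOLD = 3                   # alert when failures in the window exceed this

# Constructed sample events (not real Zscaler output): one admin user fails
# 4 times in under 5 minutes and then logs in successfully; a second user has
# 3 failures spread over a longer period and must not alert.
SAMPLE_EVENTS = [
    "2024-05-01T09:00:05Z admin.one FAILED 203.0.113.10",
    "2024-05-01T09:01:10Z admin.one FAILED 203.0.113.10",
    "2024-05-01T09:02:30Z admin.two FAILED 198.51.100.7",
    "2024-05-01T09:02:45Z admin.one FAILED 203.0.113.10",
    "2024-05-01T09:04:20Z admin.one FAILED 203.0.113.10",
    "2024-05-01T09:04:50Z admin.one SUCCESS 203.0.113.10",
    "2024-05-01T09:09:00Z admin.two FAILED 198.51.100.7",
    "2024-05-01T09:15:00Z admin.two FAILED 198.51.100.7",
]


def parse_event(line):
    """Split one constructed event line into a dict with a parsed timestamp."""
    ts, user, result, ip = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip}


def detect_login_failures(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose failures exceed `threshold` inside
    `window`. If a SUCCESS for that user arrives within `window` of the last
    failure in the burst, it is recorded under `success_after`."""
    recent = {}   # user -> deque of failure timestamps still inside the window
    alerts = {}   # user -> alert dict (first trigger only, to avoid re-alerting)
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    for ev in events:
        user = ev["user"]
        if ev["result"] == "FAILED":
            q = recent.setdefault(user, deque())
            q.append(ev["ts"])
            # Evict failures that fell out of the 5-minute window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) > threshold and user not in alerts:
                alerts[user] = {"user": user, "failures": len(q), "ip": ev["ip"],
                                "first": q[0], "last": ev["ts"],
                                "success_after": None}
        elif ev["result"] == "SUCCESS" and user in alerts:
            alert = alerts[user]
            if alert["success_after"] is None and ev["ts"] - alert["last"] <= window:
                alert["success_after"] = ev["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_login_failures(SAMPLE_EVENTS):
        print(alert)
```

Running the block alerts only on admin.one (4 failures between 09:00:05 and 09:04:20, followed by a success at 09:04:50); admin.two never has more than one failure inside any 5-minute window and stays quiet.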


