
Zscaler Phishing Activity Threat Blocked

Splunk Security Content

Summary
The 'Zscaler Phishing Activity Threat Blocked' analytic serves to identify and block potential phishing attempts detected by the Zscaler web proxy. It searches web proxy logs for entries tagged with the threat name 'HTML.Phish' and a blocked action, and surfaces the key data points of each match: the user involved, the threat name, the URL, and the hostname. For security operations centers (SOCs) this detection acts as an early warning mechanism that supports timely investigation and response to phishing threats. A confirmed malicious attempt may indicate that attackers are trying to mislead users into disclosing sensitive information, risking credential theft or a data breach. The detection's search command aggregates the blocked-threat data so that security teams can monitor and mitigate ongoing phishing activity more effectively.
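As an added illustration (not the page's own search nor Splunk's detection code), the following Python mirrors the filter-and-aggregate logic described above over constructed Zscaler-style proxy events; the field names (time, user, action, threatname, url, hostname) are assumptions for this example.

```python
"""Aggregate Zscaler web proxy events into blocked-phishing findings."""
from collections import defaultdict

# Constructed sample events in the shape of a Zscaler web proxy log feed.
# The field names below are assumptions for this example, not the page's
# or Splunk's own schema.
SAMPLE_EVENTS = [
    {"time": 1731650000, "user": "alice@example.com", "action": "Blocked",
     "threatname": "HTML.Phish", "url": "https://login-update.example.net/verify",
     "hostname": "login-update.example.net"},
    {"time": 1731650060, "user": "bob@example.com", "action": "Allowed",
     "threatname": "None", "url": "https://intranet.example.com/",
     "hostname": "intranet.example.com"},
    {"time": 1731650120, "user": "alice@example.com", "action": "blocked",
     "threatname": "HTML.Phish", "url": "https://login-update.example.net/verify",
     "hostname": "login-update.example.net"},
    {"time": 1731650180, "user": "carol@example.com", "action": "Blocked",
     "threatname": "Malware.Generic", "url": "https://cdn.example.org/x.exe",
     "hostname": "cdn.example.org"},
    # Event with no hostname field, to show missing fields are tolerated.
    {"time": 1731650240, "user": "dave@example.com", "action": "Blocked",
     "threatname": "HTML.Phish", "url": "https://mail-reset.example.net/login"},
]


def blocked_phishing(events, threat_name="HTML.Phish"):
    """Keep only blocked events whose threat name matches, then aggregate by
    user, threat name, URL and hostname, returning count, firstTime and
    lastTime per group, newest group first."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if ev.get("threatname") != threat_name:
            continue
        # Action casing varies between feeds, so compare case-insensitively.
        if str(ev.get("action", "")).lower() != "blocked":
            continue
        key = (ev.get("user", "unknown"), threat_name, ev.get("url", ""),
               ev.get("hostname", "unknown"))
        g = groups[key]
        g["count"] += 1
        t = ev.get("time")
        if t is not None:
            g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
            g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    findings = [{"user": u, "threatname": th, "url": url, "hostname": h, **g}
                for (u, th, url, h), g in groups.items()]
    return sorted(findings, key=lambda f: f["lastTime"] or 0, reverse=True)


if __name__ == "__main__":
    for finding in blocked_phishing(SAMPLE_EVENTS):
        print(finding)
```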
Categories
  • Web
  • Cloud
  • Network
Data Sources
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1566
Created: 2024-11-15