
Summary
This analytic detects and blocks scam-related activity within a network using Zscaler web proxy logs. It identifies events that Zscaler has flagged as scam threats and analyzes data points such as device owner, user ID, URL category, destination URL, and source IP. The detection is valuable for Security Operations Centers (SOC) because it supports early identification and mitigation of potential scam activity, helping to preserve network safety and integrity. If confirmed as malicious, this activity could lead to data theft or financial loss for affected users. The rule is implemented by configuring the Zscaler Add-on for Splunk and requires feeding Zscaler logs into a Splunk environment. Adjusting the detection parameters to fit specific organizational needs is encouraged.
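The following Python script is an added example, not code from the original page or from the Zscaler Add-on for Splunk. It shows the shape of the detection described above outside of Splunk: parse a handful of constructed web proxy log lines, keep only the events whose threat category names a scam, and summarize them by the data points the summary lists (user, device, source IP, URL category, destination URL). The key="value" layout and the field names (action, threatcategory, devicename, user, urlcategory, url, src_ip) are assumptions chosen for illustration and do not represent the add-on's actual field schema.

```python
"""Added example: triage scam-flagged web proxy events from constructed log lines."""
from collections import defaultdict
import shlex

# Constructed sample lines (assumed key="value" layout; not real Zscaler output).
SAMPLE_LOGS = [
    'action="Blocked" threatcategory="Scam" devicename="LAPTOP-01" '
    'user="alice@example.com" urlcategory="Phishing" '
    'url="http://prize-claim.example/win" src_ip="10.0.0.5"',
    'action="Allowed" threatcategory="None" devicename="LAPTOP-02" '
    'user="bob@example.com" urlcategory="Business" '
    'url="https://intranet.example.com/" src_ip="10.0.0.6"',
    'action="Blocked" threatcategory="Tech Support Scam" devicename="LAPTOP-01" '
    'user="alice@example.com" urlcategory="Phishing" '
    'url="http://support-alert.example/call-now" src_ip="10.0.0.5"',
    'action="Allowed" threatcategory="Scam" devicename="DESKTOP-07" '
    'user="carol@example.com" urlcategory="Newly Registered Domains" '
    'url="http://gift-cards.example/free" src_ip="10.0.0.9"',
]


def parse_line(line):
    """Parse one key="value" line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_scam_event(event):
    """Match any threat category that names a scam (e.g. 'Scam', 'Tech Support Scam')."""
    return "scam" in event.get("threatcategory", "").lower()


def scam_events(lines):
    """Return the parsed events the proxy flagged as scam threats."""
    return [e for e in map(parse_line, lines) if is_scam_event(e)]


def summarize(events):
    """Group scam events by user/device/source IP so repeat hits and
    events the proxy allowed through surface first in the analyst's queue."""
    groups = defaultdict(lambda: {"count": 0, "allowed": 0, "urls": set(), "categories": set()})
    for e in events:
        g = groups[(e.get("user"), e.get("devicename"), e.get("src_ip"))]
        g["count"] += 1
        g["urls"].add(e.get("url"))
        g["categories"].add(e.get("urlcategory"))
        if e.get("action", "").lower() != "blocked":
            g["allowed"] += 1
    rows = []
    for (user, device, src_ip), g in groups.items():
        rows.append({
            "user": user, "device": device, "src_ip": src_ip,
            "count": g["count"], "allowed": g["allowed"],
            "url_categories": sorted(g["categories"]), "urls": sorted(g["urls"]),
        })
    # Allowed (not blocked) scam traffic outranks already-blocked traffic.
    rows.sort(key=lambda r: (-r["allowed"], -r["count"]))
    return rows


if __name__ == "__main__":
    for row in summarize(scam_events(SAMPLE_LOGS)):
        print(row)
```

The sort order encodes a triage choice: a scam-flagged request the proxy still allowed means the user reached the page, so it is handled before requests that were already blocked. In Splunk the same filter and grouping would be expressed as a search with a `stats` aggregation over the equivalent fields.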
Categories
- Web
- Network
Data Sources
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1566
Created: 2024-11-15