Query Details

32 CSL ZPA Repeated Connection Failures

Query

id: f632a7b8-c9d0-4e1f-2a3b-4c5d6e7f8a9b
name: "Zscaler ZPA - Repeated Connection Failures - Possible Credential Spray Against Internal Apps"
version: 1.0.0
kind: Scheduled
description: |
  Detects ZPA users or source IPs generating more than 20 failed or blocked connection attempts to internal applications in a 1-hour window. Unlike network-level brute force, ZPA connection failures can indicate password spraying targeting applications exposed via ZPA, repeated MFA denials, configuration errors causing mass reconnects, or an attacker probing internal app segments using compromised ZPA credentials. MITRE ATT&CK: T1110 (Brute Force), T1133 (External Remote Services).
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - InitialAccess
relevantTechniques:
  - T1110
  - T1133
query: |
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    | where DeviceVendor == "Zscaler" and DeviceProduct has "ZPA"
    // in~ compares case-insensitively, so one spelling per action is enough
    | where DeviceAction in~ (
        "block", "blocked", "failed", "error",
        "closed", "denied", "reject")
    // Key on the user name; fall back to the source IP when the event carries
    // no user, so IP-only failures are counted instead of being pooled under
    // an empty user name (the original grouped by SourceUserName alone)
    | extend Subject = coalesce(SourceUserName, SourceIP)
    | where isnotempty(Subject)
    | summarize
        FailureCount    = count(),
        UniqueApps      = dcount(DestinationHostName),
        TargetApps      = make_set(DestinationHostName, 10),
        SourceIPs       = make_set(SourceIP, 5),
        SourceUserName  = take_any(SourceUserName),
        PrimarySourceIP = take_any(SourceIP),
        FirstFailure    = min(TimeGenerated),
        LastFailure     = max(TimeGenerated)
      by Subject
    | where FailureCount > 20
    | order by FailureCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SourceUserName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: PrimarySourceIP
customDetails:
  FailureCount: FailureCount
  UniqueApps: UniqueApps
  TargetApps: TargetApps
  SourceIPs: SourceIPs
alertDetailsOverride:
  alertDisplayNameFormat: "ZPA Connection Spray - {{Subject}} ({{FailureCount}} failures)"
  alertDescriptionFormat: "ZPA subject {{Subject}} generated {{FailureCount}} connection failures against {{UniqueApps}} internal apps in 1 hour."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT4H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This rule detects potential credential-based attacks against applications published through Zscaler Private Access (ZPA) by identifying users (or, when the event carries no user name, source IPs) with more than 20 failed or blocked connection attempts to internal applications within a one-hour window. Such a burst can indicate password spraying against ZPA-published applications, repeated multi-factor authentication (MFA) denials, a misconfigured client reconnecting in a loop, or an attacker holding compromised ZPA credentials and probing which application segments they can reach.

Here's a simplified breakdown of the query:

  1. Data Source: It reads the CommonSecurityLog table (CEF events) and keeps only rows where DeviceVendor is "Zscaler" and DeviceProduct contains "ZPA".

  2. Time Frame: The query examines events from the past hour. The rule runs hourly (queryFrequency PT1H) over a one-hour period (queryPeriod PT1H), so each run covers one non-overlapping window.

  3. Conditions: It keeps events whose DeviceAction is one of block, blocked, failed, error, closed, denied or reject, compared case-insensitively. Note that "closed" may also be logged for ordinary session termination depending on how the ZPA log stream is configured; verify which DeviceAction values actually appear in your tenant before relying on that term, or it will inflate the count for normal users.

  4. Subject Identification: Each event is attributed to the user name, falling back to the source IP when the user name is empty. Events with neither are dropped.

  5. Aggregation: For each subject the query counts failures, counts and lists the distinct target applications, lists the source IPs involved, and records the first and last failure times.

  6. Threshold: Only subjects with more than 20 failures in the window are kept.

  7. Output: Results are ordered by failure count, and the alert title and description carry the subject, the failure count and the number of applications targeted.

  8. Alerting: An incident is created per alert; alerts for the same account within 4 hours (lookbackDuration PT4H) are grouped into one incident, and closed incidents are not reopened.

The 20-per-hour threshold is a starting point, not a measured baseline. Before enabling the rule, run the query without the final threshold filter over a few days of data to see the distribution of failure counts per user and which DeviceAction values the connector actually produces, then adjust the threshold and the action list so that ordinary reconnect behaviour does not trip it. When it does fire, the useful triage questions are whether the source IPs are expected for that user, whether the target applications are ones the user normally reaches, and whether a successful connection follows the burst.
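The detection logic described above, run offline over constructed CEF-style records, as an added example that is not part of the rule or of this page. It is written in Python rather than KQL so it can be executed without a Sentinel workspace; the CEF extension keys act, suser, src, dhost and rt are the standard ones that the CEF connector maps to DeviceAction, SourceUserName, SourceIP, DestinationHostName and TimeGenerated, but the log lines themselves, the "Allowed" action value and the user-then-IP grouping key are constructed assumptions, not captured ZPA output.

```python
"""Offline model of the ZPA repeated-connection-failure rule.

Added example, not the rule's own code. The CEF lines below are constructed,
not captured ZPA output, and keying on the user name with the source IP as
fallback is an assumption that follows the rule description ("users or
source IPs").
"""
import re
from datetime import datetime, timedelta, timezone

# DeviceAction values treated as a failed/blocked attempt, compared
# case-insensitively (the semantics of KQL's `in~`).
FAILURE_ACTIONS = {"block", "blocked", "failed", "error", "closed", "denied", "reject"}

_KV = re.compile(r"(\w+)=(\S*)")


def parse_cef(line):
    """Map one CEF line onto the CommonSecurityLog columns the rule uses.

    Header: CEF:Version|DeviceVendor|DeviceProduct|DeviceVersion|SignatureID|
    Name|Severity|Extension. `rt` is taken as epoch milliseconds.
    """
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    ext = dict(_KV.findall(parts[7]))
    return {
        "TimeGenerated": datetime.fromtimestamp(int(ext.get("rt", "0")) / 1000, tz=timezone.utc),
        "DeviceVendor": parts[1],
        "DeviceProduct": parts[2],
        "DeviceAction": ext.get("act", ""),
        "SourceUserName": ext.get("suser", ""),
        "SourceIP": ext.get("src", ""),
        "DestinationHostName": ext.get("dhost", ""),
    }


def detect(records, now, window=timedelta(hours=1), threshold=20):
    """Apply the rule's filters, aggregate per subject, return rows over threshold."""
    agg = {}
    for r in records:
        if r["TimeGenerated"] <= now - window:           # TimeGenerated > ago(1h)
            continue
        if r["DeviceVendor"] != "Zscaler" or "ZPA" not in r["DeviceProduct"]:
            continue
        if r["DeviceAction"].lower() not in FAILURE_ACTIONS:
            continue
        subject = r["SourceUserName"] or r["SourceIP"]   # user first, IP as fallback
        if not subject:
            continue
        a = agg.setdefault(subject, {
            "Subject": subject, "SourceUserName": r["SourceUserName"],
            "FailureCount": 0, "TargetApps": set(), "SourceIPs": set(),
            "FirstFailure": r["TimeGenerated"], "LastFailure": r["TimeGenerated"],
        })
        a["FailureCount"] += 1
        a["TargetApps"].add(r["DestinationHostName"])
        a["SourceIPs"].add(r["SourceIP"])
        a["FirstFailure"] = min(a["FirstFailure"], r["TimeGenerated"])
        a["LastFailure"] = max(a["LastFailure"], r["TimeGenerated"])
    hits = []
    for a in agg.values():
        if a["FailureCount"] > threshold:                 # FailureCount > 20
            a["UniqueApps"] = len(a["TargetApps"])
            hits.append(a)
    return sorted(hits, key=lambda a: a["FailureCount"], reverse=True)


# ---- constructed sample data (not real ZPA logs) ----
NOW = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)
APPS = ["app%d.corp.internal" % i for i in range(6)]


def _cef(minutes_ago, act, suser, src, dhost, vendor="Zscaler", product="ZPA"):
    rt = int((NOW - timedelta(minutes=minutes_ago)).timestamp() * 1000)
    return ("CEF:0|%s|%s|1.0|100|Connection|5|rt=%d act=%s suser=%s src=%s dhost=%s"
            % (vendor, product, rt, act, suser, src, dhost))


SAMPLE_LINES = (
    # alice: 25 failures in the window across 6 apps from 2 IPs -> alerts
    [_cef(58 - 2 * i, "Blocked", "alice@contoso.com",
          ("198.51.100.10", "198.51.100.11")[i % 2], APPS[i % 6]) for i in range(25)]
    # alice: 30 successful connections -> not a failure action, ignored
    + [_cef(50 - i, "Allowed", "alice@contoso.com", "198.51.100.10", APPS[0]) for i in range(30)]
    # alice: 3 failures 90 minutes ago -> outside the 1h window
    + [_cef(90 + i, "Blocked", "alice@contoso.com", "198.51.100.10", APPS[1]) for i in range(3)]
    # bob: 5 failures -> under threshold
    + [_cef(30 - i, "denied", "bob@contoso.com", "198.51.100.20", APPS[2]) for i in range(5)]
    # no user name, 22 failures from one IP -> keyed on the IP, alerts
    + [_cef(45 - i, "DENIED", "", "203.0.113.7", APPS[i % 3]) for i in range(22)]
    # different vendor -> dropped by the DeviceVendor filter
    + [_cef(5, "block", "mallory@contoso.com", "203.0.113.9", APPS[0], vendor="OtherVendor")]
)

ALERTS = detect([parse_cef(l) for l in SAMPLE_LINES], NOW)

if __name__ == "__main__":
    for a in ALERTS:
        print("%-20s failures=%d apps=%d ips=%s"
              % (a["Subject"], a["FailureCount"], a["UniqueApps"], sorted(a["SourceIPs"])))
```

Running it yields two rows, alice with 25 failures over 6 applications and the bare IP 203.0.113.7 with 22; bob, the successful connections, the out-of-window failures and the non-Zscaler event all drop out, which is the behaviour to expect from the KQL when the same events land in CommonSecurityLog. Raising `threshold` is the offline equivalent of tuning the `FailureCount > 20` line.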

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

Zscaler, ZPA, Users, Source IPs, Internal Applications, Password Spraying, MFA, Configuration Errors, Attacker, App Segments, Credentials, MITRE ATT&CK, Brute Force, External Remote Services, CommonSecurityEvents, CommonSecurityLog, TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, SourceUserName, SourceIP, FailureCount, UniqueApps, TargetApps, DestinationHostName, FirstFailure, LastFailure, Account, FullName, Connection Spray

Operators

ago, has, in, isnotempty, summarize, count, dcount, make_set, min, max, by, order by