Zscaler ZPA - Repeated Connection Failures - Possible Credential Spray Against Internal Apps
32 CSL ZPA Repeated Connection Failures
Query
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceVendor == "Zscaler" and DeviceProduct has "ZPA"
| where DeviceAction in (
"block", "BLOCK", "Blocked", "Failed", "Error",
"Closed", "denied", "DENIED", "reject", "REJECT")
| where isnotempty(SourceUserName) or isnotempty(SourceIP)
| summarize
FailureCount = count(),
UniqueApps = dcount(DestinationHostName),
TargetApps = make_set(DestinationHostName, 10),
SourceIPs = make_set(SourceIP, 5),
FirstFailure = min(TimeGenerated),
LastFailure = max(TimeGenerated)
by SourceUserName
| where FailureCount > 20
| order by FailureCount descExplanation
This query is designed to detect potential security threats related to Zscaler Private Access (ZPA) by identifying users or source IPs that have more than 20 failed or blocked connection attempts to internal applications within a one-hour period. This could indicate various issues, such as password spraying attacks, repeated multi-factor authentication (MFA) denials, configuration errors, or malicious probing of internal applications using compromised credentials.
Here's a simplified breakdown of the query:
-
Data Source: It uses logs from Zscaler ZPA, specifically looking at security events.
-
Time Frame: The query examines events from the past hour.
-
Conditions: It filters for events where the action was a failure or block (e.g., "block", "Failed", "denied").
-
User/IP Identification: It checks for non-empty usernames or source IPs.
-
Aggregation: The query counts the number of failures, identifies unique applications targeted, and notes the first and last failure times for each user.
-
Threshold: It only considers cases where there are more than 20 failures.
-
Output: Results are ordered by the number of failures, and alerts are generated with details about the user, the number of failures, and the applications targeted.
-
Alerting: If the conditions are met, an alert is created, and incidents are grouped by user account for efficient management.
This query helps in identifying and responding to potential credential-based attacks or misconfigurations that could compromise internal applications.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT1H