Query Details

Zscaler ZPA - Repeated Connection Failures - Possible Credential Spray Against Internal Apps

32 CSL ZPA Repeated Connection Failures

Query

CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceVendor == "Zscaler" and DeviceProduct has "ZPA"
| where DeviceAction in (
    "block", "BLOCK", "Blocked", "Failed", "Error",
    "Closed", "denied", "DENIED", "reject", "REJECT")
| where isnotempty(SourceUserName) or isnotempty(SourceIP)
| summarize
    FailureCount = count(),
    UniqueApps   = dcount(DestinationHostName),
    TargetApps   = make_set(DestinationHostName, 10),
    SourceIPs    = make_set(SourceIP, 5),
    FirstFailure = min(TimeGenerated),
    LastFailure  = max(TimeGenerated)
  by SourceUserName
| where FailureCount > 20
| order by FailureCount desc

Explanation

This query is designed to detect potential security threats related to Zscaler Private Access (ZPA) by identifying users or source IPs that have more than 20 failed or blocked connection attempts to internal applications within a one-hour period. This could indicate various issues, such as password spraying attacks, repeated multi-factor authentication (MFA) denials, configuration errors, or malicious probing of internal applications using compromised credentials.

Here's a simplified breakdown of the query:

  1. Data Source: It uses logs from Zscaler ZPA, specifically looking at security events.

  2. Time Frame: The query examines events from the past hour.

  3. Conditions: It filters for events where the action was a failure or block (e.g., "block", "Failed", "denied").

  4. User/IP Identification: It checks for non-empty usernames or source IPs.

  5. Aggregation: The query counts the number of failures, identifies unique applications targeted, and notes the first and last failure times for each user.

  6. Threshold: It only considers cases where there are more than 20 failures.

  7. Output: Results are ordered by the number of failures, and alerts are generated with details about the user, the number of failures, and the applications targeted.

  8. Alerting: If the conditions are met, an alert is created, and incidents are grouped by user account for efficient management.

This query helps in identifying and responding to potential credential-based attacks or misconfigurations that could compromise internal applications.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

ZscalerZPAUsersSourceIPsInternalApplicationsPasswordSprayingMFAConfigurationErrorsAttackerAppSegmentsCredentialsMITREATT&CKBruteForceExternalRemoteServicesCommonSecurityEventsCommonSecurityLogTimeGeneratedDeviceVendorDeviceProductDeviceActionSourceUserNameSourceIPFailureCountUniqueAppsTargetAppsDestinationHostNameFirstFailureLastFailureAccountFullNameConnectionSpray

Operators

agohasinisnotemptysummarizecountdcountmake_setminmaxbyorder by

Severity

High

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub