Zscaler ZPA - Repeated Connection Failures - Possible Credential Spray Against Internal Apps
32 CSL ZPA Repeated Connection Failures
Query
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceVendor == "Zscaler" and DeviceProduct has "ZPA"
| where DeviceAction in (
"block", "BLOCK", "Blocked", "Failed", "Error",
"Closed", "denied", "DENIED", "reject", "REJECT")
| where isnotempty(SourceUserName) or isnotempty(SourceIP)
| summarize
FailureCount = count(),
UniqueApps = dcount(DestinationHostName),
TargetApps = make_set(DestinationHostName, 10),
SourceIPs = make_set(SourceIP, 5),
FirstFailure = min(TimeGenerated),
LastFailure = max(TimeGenerated)
by SourceUserName
| where FailureCount > 20
| order by FailureCount descExplanation
This query is designed to detect potential credential spraying attacks against internal applications accessed via Zscaler Private Access (ZPA). Here's a simplified breakdown:
-
Purpose: The query identifies ZPA users or source IP addresses that have more than 20 failed or blocked connection attempts to internal applications within a one-hour period. This could indicate a credential spraying attack, where an attacker tries multiple passwords against many accounts, or other issues like repeated MFA denials or configuration errors.
-
Data Source: It uses logs from the "CommonSecurityEvents" connector, specifically looking at "CommonSecurityLog" data.
-
Conditions: The query filters for logs from the past hour where the device vendor is "Zscaler" and the product is related to "ZPA". It looks for actions indicating failure, such as "block", "failed", "denied", etc.
-
Analysis: It counts the number of failures, identifies unique applications targeted, and records the first and last failure times for each user or IP.
-
Alerting: If a user or IP has more than 20 failures, an alert is generated. The alert includes details like the number of failures, the unique applications targeted, and the source username.
-
Severity: The alert is marked as high severity due to the potential security risk.
-
Incident Management: If an alert is triggered, an incident is created. Incidents can be grouped by account to manage related alerts together.
This query helps security teams quickly identify and respond to potential security threats involving ZPA, ensuring that internal applications remain secure from unauthorized access attempts.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT1H