
Quick Start Security for ZScaler ZPA


Coralogix Extension For ZScaler ZPA Includes:

Dashboards - 1

Gain instantaneous visualization of all your ZScaler ZPA data.

Zscaler Dashboard

Alerts - 18

Stay on top of ZScaler ZPA key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Zscaler Private Access - Connection to Server Failed

This alert detects when an App Connector experiences an error while setting up a data connection to a specific server. This happens because the application server closed the connection with a TCP Reset (RST) or the server was not listening on the port.

Impact: Adversaries may use valid accounts to connect to servers to perform malicious actions as the logged-on user.

Mitigation: Check with the user whether the connection request is legitimate. If not, investigate further. Also, verify that the application is reachable from the App Connector, and check the available server capacity.

MITRE Tactic: TA0008
MITRE Technique: T1021

Zscaler Private Access - TLS Setup Failed With Peer

This alert detects when the Browser Access service cannot set up an HTTPS connection to the web server because of an issue during TLS setup.

Impact: When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The product might connect to a malicious host while believing it is a trusted host, or it might be deceived into accepting spoofed data that appears to originate from a trusted host.

Mitigation: Verify that the web server certificate configured for the application is valid. If not, remove the invalid certificate and install a valid one.

MITRE Tactic: TA0042
MITRE Technique: T1587.003

Zscaler Private Access - TLS Wrong Version Number Detected

This alert detects when a TLS version mismatch occurs between ZPA and the Browser Access-enabled application. This happens when the web server is running TLS 1.0/1.1 or earlier versions.

Impact: TLS 1.0/1.1 are vulnerable to downgrade attacks since they rely on the SHA-1 hash for the integrity of exchanged messages. Even authentication of handshakes is based on SHA-1, which makes it easier for an attacker to impersonate a server in MITM attacks.

Mitigation: Enable TLS 1.2 or a higher version on the web server to avoid the TLS version mismatch. Also, make sure that outdated TLS versions are discontinued in the environment.

MITRE Tactic: TA0011
MITRE Technique: T1573

Zscaler Private Access - Policy Not Configured For Access

This alert detects when the ZPA service blocks the application request because no policy is configured for the requested application. The application request is also blocked when an App Segment or App Group Segment is disabled. See the following link for more detail on configuring access policies: https://help.zscaler.com/zpa/configuring-access-policies

Impact: Threat actors with initial access and sufficient permissions in a network may try to gain access to critical applications by modifying the policy settings.

Mitigation: Check whether the user is aware of the application request and whether the request is legitimate. If not, investigate further. If the request is legitimate, consider updating the policy to allow the user. Enable the App Segment and App Group Segment.

MITRE Tactic: TA0004
MITRE Technique: T1484

Zscaler Private Access - Certificate Authority (CA) was Not Trusted

This alert detects when the application server certificate is not signed by a trusted CA and ZPA is configured to verify that the web server certificate is signed by a trusted CA.

Impact: Threat actors may create self-signed certificates, or use certificates not signed by a trusted CA, and use them during targeting, for example to encrypt C2 traffic.

Mitigation: Check whether the administrator is aware of the untrusted CA in use. If yes, investigate the reason for using it. Also, consider replacing the existing certificate with a certificate signed by a trusted CA.

MITRE Tactic: TA0042
MITRE Technique: T1587

Zscaler Private Access - User Certificate Expired

This alert detects when the ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the user certificate either expired or was deleted.

Impact: Attackers may delete user certificates to inhibit legitimate users from accessing services in a network. This may impact normal business functionality.

Mitigation: Check whether the user is aware of the certificate deletion activity. If not, take the necessary action to remediate and investigate further. If the certificate expired for a legitimate user, renew the certificate for the user. You can additionally ask the user to re-authenticate. If the error persists, it is recommended to contact Zscaler support.

MITRE Tactic: TA0042
MITRE Technique: T1588
MITRE Sub-technique: T1588.004

Zscaler Private Access - User has been disabled

This alert detects when the ZPA Public Service Edge or ZPA Private Service Edge connection is closed because the user is flagged as disabled.

Impact: After initially compromising a network, adversaries can disable legitimate user accounts to prevent them from accessing network resources. This may impact normal business functionality.

Mitigation: Check whether this activity was legitimate. If not, revert the action and investigate further. If the user was not disabled, ask the user to authenticate. If the issue persists, it is recommended to contact Zscaler support.

MITRE Tactic: TA0005
MITRE Technique: T1078

Zscaler Private Access - DNS Resolution Failed

This alert detects when:

1. None of the App Connectors configured for the application could successfully resolve the hostname within three seconds of sending a DNS request. This might be because of a DNS resolution failure on the App Connector or a misconfigured DNS in the DC environment.
2. The connector resolves DNS successfully, but the health check fails. This might happen because the connector cannot reach the application server over the network, or the connector can reach the application server but the server is rejecting the health check.

Impact: Threat actors might take down a domain's DNS server by targeting it with a DDoS (Distributed Denial of Service) attack. This could disrupt DNS resolution for that domain.

Mitigation: Check the DNS response code that was generated as a result of the failed DNS resolution. Investigate further if a suspicious DNS code was generated in the anomaly. Additionally, administrators can do the following:

1. Ensure that the hostname is correctly configured.
2. Verify that the App Connector can consistently resolve DNS for the hostname.
3. Check that the App Connector can reach the application server and that the server accepts requests on the expected ports.
4. Ensure that services between the connector and the application server (e.g., access control lists, host-based firewalls) allow them to communicate on the expected ports and protocols.

MITRE Tactic: TA0011
MITRE Technique: T1071

Zscaler Private Access - Application Policy Blocked Access

This alert detects when the ZPA service blocks the application request because the user isn't allowed to access the requested application. By default, ZPA blocks access to applications and segment groups for users until you configure policy rules that explicitly allow access. See the following link for more detail on configuring access policies: https://help.zscaler.com/zpa/configuring-access-policies

Impact: After gaining initial access to the network, adversaries may try manipulating the access policies to deny legitimate users access to applications, in order to impact normal business operations.

Mitigation: Check with the user whether they are aware of the request made to access the application. If the request is not found to be legitimate, investigate further. Ensure that low-privileged accounts do not have permission to modify access-related policies.

MITRE Tactic: TA0040
MITRE Technique: T1531

Zscaler Private Access - Connection request to Service Edge timed out

This alert detects when the App Connector cannot set up a data connection to the ZPA Public Service Edge or ZPA Private Service Edge. See the following links for more detail on Public and Private Service Edges:
https://help.zscaler.com/zpa/about-service-edges-zpa
https://help.zscaler.com/zpa/about-zpa-private-service-edges

Impact: Adversaries may use valid accounts to connect to a Service Edge to perform malicious actions as the logged-on user.

Mitigation: Check with the user whether the connection request is legitimate. If not, investigate further. Additionally, ensure that the App Connector is able to reach the ZPA Public Service Edge or ZPA Private Service Edge.

MITRE Tactic: TA0008
MITRE Technique: T1021

Zscaler Private Access - Invalid Domain Detected

This alert detects when the destination host FQDN doesn't match the receiving Zscaler Client Connector.

Impact: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.

Mitigation: Check the details of the invalid domain name. Investigate whether any traffic is flowing to that domain from or within the network. Additionally, the user can try to re-authenticate. If the error persists, it is recommended to contact Zscaler support.

MITRE Tactic: TA0042
MITRE Technique: T1584

Zscaler Private Access - Invalid Client Detected

This alert detects when the receiving Zscaler Client Connector device doesn't match the request.

Impact: Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.

Mitigation: Check whether the receiving client is legitimate. If not, investigate the client further. Ensure that all traffic is encrypted appropriately. Additionally, the user can try to re-authenticate. If the error persists, it is recommended to contact Zscaler support.

MITRE Tactic: TA0009
MITRE Technique: T1557

Zscaler Private Access - CPU Limit Exceeded for PRA Connection

This alert detects when the App Connector CPU limit is exceeded for a Privileged Remote Access (PRA) connection. This means that no more PRA connections are allowed. See the following link for more detail on Zscaler Privileged Remote Access: https://help.zscaler.com/zpa/about-privileged-remote-access-applications

Impact: Adversaries may interrupt the availability of system and network resources by inhibiting access to accounts used by legitimate users. They can do so by manipulating kernel-level processes, for example by running rootkits, which might increase CPU utilization so that legitimate processes cannot run properly.

Mitigation: Check for any suspicious activity in the network. Use a process explorer to see which running processes have high CPU utilization. If the issue is not due to malicious activity, administrators can add cores to the App Connector or add additional App Connectors.

MITRE Tactic: TA0040
MITRE Technique: T1496

Zscaler Private Access - App Connector Was Not Available

This alert detects when:

1. None of the App Connectors are configured to reach the application.
2. None of the App Connectors have learned the configuration for the application, even though the application is associated with App Connectors through configuration.
3. The application was just configured, or the App Connector has just restarted and is still learning its configuration.
4. The App Connector is unable to learn its configuration from the ZPA CA.

Impact: After gaining initial access, adversaries might try connecting to different remote applications to move laterally and discover critical information on remote systems.

Mitigation: Check whether this error was due to a legitimate request. If not, investigate further. Additionally, ensure that at least one App Connector group is configured to reach this application. Also, ask the user to access the application again. If the error persists, contact Zscaler Support.

MITRE Tactic: TA0001
MITRE Technique: T1133

Zscaler Private Access - Connection Request Timed Out

This alert detects when the ZPA Public Service Edge or ZPA Private Service Edge was waiting for a data connection request from an App Connector that could provide access to the application, but the request timed out while waiting. Here, the request from an App Connector is triggered in response to the initial application request from the Zscaler Client Connector. See the following links for more detail on Public and Private Service Edges:
https://help.zscaler.com/zpa/about-service-edges-zpa
https://help.zscaler.com/zpa/about-zpa-private-service-edges

Impact: Adversaries may use valid accounts to connect to the ZPA Public Service Edge or ZPA Private Service Edge to perform malicious actions as the logged-on user.

Mitigation: Check with the user whether the connection request is legitimate. If not, investigate further. Also, ensure that the App Connectors can reach the ZPA Public Service Edge or ZPA Private Service Edge and the requested application.

MITRE Tactic: TA0008
MITRE Technique: T1021

Zscaler Private Access - Connection request to Server timed out

This alert detects when the App Connector timed out while waiting for a connection response from the server.

Impact: Adversaries may use valid accounts to connect to servers to perform malicious actions as the logged-on user.

Mitigation: Check with the user whether the connection request is legitimate. If not, investigate further. Also, ensure that the App Connector can reach the application.

MITRE Tactic: TA0008
MITRE Technique: T1021

Zscaler Private Access - Authentication Failure Detected

This alert detects when user authentication to ZPA was unsuccessful.

Impact: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.

Mitigation: Investigate the failed login attempts and verify with the user that it was them trying to log in. If it wasn't, investigate the source of the login attempts further to determine a possible compromise. Also, make sure that MFA is enabled.

MITRE Tactic: TA0006
MITRE Technique: T1110

ZScaler - No logs from ZScaler

This rule detects if there are no logs from ZScaler in the customer account in the last 12 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562
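The following Python is an added example of the "no logs received" check this rule describes, scoped per application and subsystem as the note above recommends. It is not Coralogix's or Zscaler's own code; the record format, the field names (timestamp, application, subsystem) and the feed names are assumptions, and the sample records are constructed. It also covers a case the rule text implies but does not spell out: a feed that is expected but has never produced a record must alert too, which a check that only iterates over records it has seen would miss.

```python
"""Added example: per-feed "no logs in the last 12 hours" check.

Illustrative code, not the Coralogix extension's implementation. Field names
and feed labels are assumptions; the sample records below are constructed.
"""

from datetime import datetime, timedelta, timezone

# Silence window taken from the rule text: 12 hours.
SILENCE_WINDOW = timedelta(hours=12)

# Constructed sample records (not real ZPA output). Each carries an ingestion
# timestamp plus the application/subsystem labels the rule is scoped to.
SAMPLE_RECORDS = [
    {"timestamp": "2024-05-01T08:00:00Z", "application": "zscaler", "subsystem": "zpa-user-activity"},
    {"timestamp": "2024-05-01T09:30:00Z", "application": "zscaler", "subsystem": "zpa-user-activity"},
    {"timestamp": "2024-04-30T18:15:00Z", "application": "zscaler", "subsystem": "zpa-app-connector"},
    {"timestamp": "2024-05-01T11:59:00Z", "application": "zscaler", "subsystem": "zpa-user-status"},
]

# Feeds the rule is expected to cover (assumed names). Listing them explicitly
# lets the check alert on a feed that has gone completely quiet, not only on
# feeds that still have at least one record in the data.
EXPECTED_FEEDS = {
    ("zscaler", "zpa-user-activity"),
    ("zscaler", "zpa-app-connector"),
    ("zscaler", "zpa-user-status"),
    ("zscaler", "zpa-audit"),
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen_by_feed(records):
    """Return the most recent timestamp observed for each (application, subsystem)."""
    latest = {}
    for rec in records:
        key = (rec["application"], rec["subsystem"])
        ts = parse_ts(rec["timestamp"])
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    return latest


def silent_feeds(records, expected_feeds, now, window=SILENCE_WINDOW):
    """Return {feed: last_seen} for every expected feed with no record in `window` before `now`.

    A feed with no records at all is reported with last_seen=None, so a feed
    that was switched off before the retention window began still alerts.
    """
    latest = last_seen_by_feed(records)
    cutoff = now - window
    findings = {}
    for feed in sorted(expected_feeds):
        seen = latest.get(feed)
        if seen is None or seen < cutoff:
            findings[feed] = seen
    return findings


if __name__ == "__main__":
    now = parse_ts("2024-05-01T12:00:00Z")
    for (app, subsystem), seen in silent_feeds(SAMPLE_RECORDS, EXPECTED_FEEDS, now).items():
        age = "never" if seen is None else str(now - seen)
        print(f"ALERT no logs: application={app} subsystem={subsystem} last_seen={age}")
```

With the constructed data and an evaluation time of 2024-05-01T12:00:00Z, the check reports the zpa-app-connector feed (last record more than 12 hours old) and the zpa-audit feed (no records at all); the two feeds with recent records stay quiet.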

Integration

Learn more about Coralogix's out-of-the-box integration with ZScaler ZPA in our documentation.
