Containment Configuration Guide for Zscaler Private Access (ZPA)

This configuration guide provides information on prerequisites and how to integrate Zscaler ITDR with Zscaler Private Access (ZPA) to contain and isolate detected attackers.

Prerequisites

Before you configure the containment integration, ensure that you have:

Configuring Containment Integration with ZPA

Follow these steps to configure containment integration with ZPA:

    1. In the Zscaler ITDR Admin Portal, go to Orchestrate > Containment.
    2. In the table, locate Zscaler Private Access and click the Edit icon.

    3. In the Zscaler Private Access configuration window:

      • Enabled: Select to enable containment.
      • Customer ID: Verify that the customer ID matches the ZPA tenant ID that you obtained from the ZPA Admin Portal.
      • IdP: Select all IdPs that you want to integrate.

        If SCIM Sync or SCIM Attributes for Policy are disabled in the IdP, enter the SAML attribute name.

      • Under ITDR Identity Metadata, select Enabled to enable sync and fetch data from ZPA for traffic violations or bad activities.

    4. Click Save.
    5. After the configuration is saved, click Test to verify network connectivity between the ITDR Admin Portal and ZPA.

      • If ZIdentity is enabled for your organization, the ZIdentity IdP is displayed automatically in the Zscaler Private Access configuration window. This cannot be edited or deleted.
      • If a user is contained with ZPA, real apps become inaccessible and only app decoys remain accessible.
  • You can contain detected attackers automatically by creating an orchestration rule or manually by taking action from the Investigate page.


After containing the detected attackers, you can view the details of the attacker.
