ITDR
Containment Configuration Guide for Zscaler Private Access (ZPA)
This configuration guide describes the prerequisites and the steps to integrate Zscaler ITDR with Zscaler Private Access (ZPA) so that detected attackers can be contained and isolated.
Prerequisites
Before you configure the containment integration, ensure that you have:
- Signed in to the ZPA Admin Portal and configured an IdP for single sign-on (SSO) in ZPA.
- Obtained the ZPA tenant ID (Administration > Company) from the ZPA Admin Portal.
Configuring Containment Integration with ZPA
Follow these steps to configure containment integration with ZPA:
- Step 1: Configure the Containment Integration Between ITDR and ZPA
  - In the Zscaler ITDR Admin Portal, go to Orchestrate > Containment.
  - In the table, locate Zscaler Private Access and click the Edit icon.
  - In the Zscaler Private Access configuration window:
    - Enabled: Select to enable containment.
    - Customer ID: Verify that the customer ID matches the ZPA tenant ID that you obtained from the ZPA Admin Portal.
    - IdP: Select all IdPs that you want to integrate.
    - If SCIM Sync or SCIM Attributes for Policy are disabled in the IdP, enter the SAML attribute name exactly as the IdP sends it in its assertions.
    - Under ITDR Identity Metadata, select Enabled to enable sync and fetch data from ZPA on traffic violations or suspicious activity.
  - Click Save.
  - After the configuration is saved, click Test to verify network connectivity between the ITDR Admin Portal and ZPA.
  - If ZIdentity is enabled for your organization, the ZIdentity IdP is displayed automatically in the Zscaler Private Access configuration window and cannot be edited or deleted.
  - When a user is contained with ZPA, the real applications become inaccessible and only app decoys remain accessible.
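The SAML attribute name you enter when SCIM is disabled has to be the name the IdP actually issues in its assertions, not a label from the IdP's admin console. The following Python script is an added example, not Zscaler code or part of this guide: it parses a SAML Response (a constructed sample here, with a placeholder issuer, user and attribute values) and lists every attribute name with its values, then flags which attributes carry the identifier you want ZPA to match on. The issuer URL, attribute names and values are assumptions for illustration; capture your own IdP's response (for example with a browser SAML tracer) and feed it in either as raw XML or as the base64 SAMLResponse form value.

```python
"""Added example (not Zscaler's code): list the SAML attribute names an IdP sends.

When SCIM Sync / SCIM Attributes for Policy are disabled, the ZPA containment
configuration needs the exact SAML attribute name that carries the user
identifier. This script parses a SAML Response and prints each attribute name
with its values, so the name you enter matches what the IdP issues.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample assertion (not captured from a real tenant); the issuer,
# user and attribute values are placeholders. Signature elements are omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="NameID">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>zpa-users</saml:AttributeValue>
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(raw: str) -> str:
    """Accept either raw XML or the base64-encoded SAMLResponse POST value."""
    stripped = raw.strip()
    if stripped.startswith("<"):
        return stripped
    return base64.b64decode(stripped).decode("utf-8")


def encode_for_post(xml_text: str) -> str:
    """Base64-encode an XML response the way a browser would POST it."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def saml_attributes(raw: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(decode_saml_response(raw))
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def attributes_carrying(raw: str, identifier: str) -> list[str]:
    """Names of the attributes whose value equals the identifier ZPA should match on."""
    return [name for name, vals in saml_attributes(raw).items() if identifier in vals]


if __name__ == "__main__":
    for name, values in saml_attributes(SAMPLE_RESPONSE).items():
        print(f"{name}: {values}")
    print("attributes carrying alice@example.com:",
          attributes_carrying(SAMPLE_RESPONSE, "alice@example.com"))
```

Enter one of the names that attributes_carrying reports for a known user; an attribute such as groups that never holds the user identifier will not let ZPA match the contained user.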
- Step 2: Create an Orchestration Rule or Take Action to Contain Detected Attackers
  You can contain detected attackers automatically by creating an orchestration rule, or manually by taking action from the Investigate page.
  - Create an orchestration rule.
    - Go to Orchestrate > Rule.
    - Click Add Rule.
    - In the Rule Details window:
      - Enter the name of the rule.
      - Select Enabled to enable the rule.
      - Create the rule using queries and conditions. To learn how to build queries, see Understanding and Building Queries.
      - Under Respond, enable Zscaler Private Access.
    - Click Save.
    ZPA contains the attacker when the conditions defined in the rule are met.
  - Take action from the Investigate page.
    - On the Investigate page, click an attack icon on the alert graph. The attacker details pane opens.
    - Click Actions. A list of actions that you can take to remediate the threat appears.
    - Click the Zscaler drop-down menu, and then select Contain with Zscaler Private Access.
    - In the confirmation window, click OK.
After containing the detected attackers, you can view the details of the attacker.