Posture Control (ZPC)
Alert Attributes
The alert framework includes the following alert attributes:

| Alert Attribute | Description | Sample |
| --- | --- | --- |
| Account | The name of the cloud account | |
| Account ID | The unique ID for the cloud account | |
| Alert Age | The number of days an alert has been in Open status | 10 days |
| Alert Description | A dynamic description of the alert | EC2 instance is running a vulnerable image. Last vulnerability scan was at 2023-08-11 01:16:26.913. Found vulnerabilities statistics: {'critical': 12, 'high': 47, 'low': 3, 'medium': 32, 'unknown': 2}. |
| Alert Focus | The resource for which the alert was triggered | Asset<br>Identity |
| Alert ID | A unique identifier for the alert | ZS-CLOUD-115039 |
| Alert Source | The source is ZPC. This data helps third-party systems identify the security product that generated the alert. | |
| Alert Status | The status of the alert | Open<br>Closed<br>Resolved |
| Alert Status Description | Describes the transition of the alert from one status to another. | Auto Resolved<br>Manually Deleted |
| Alert Type | Cloud alert or IaC alert | |
| Asset Category | Top-level grouping of asset types | Compute<br>Container<br>Storage |
| Asset Type | The type of asset | EC2<br>Disk<br>Repository<br>Route |
| Associated Cloud | Icon that indicates the CSP on which the Kubernetes resource is running. | AWS<br>GCP<br>Azure |
| Audit Procedure | Procedure to manually audit the violation in the customer's environment. This data is usually shown for compliance. | |
| Branch | The branch in which the repository exists. This is not applicable for CI/CD integration. | main-patch-3465 |
| Business Unit | ZPC business unit for the cloud account | Default |
| Cloud | The cloud service provider | Azure<br>AWS<br>GCP<br>Kubernetes |
| Cluster Name | The name of the Kubernetes cluster | |
| Cluster Type | The Kubernetes type | EKS<br>AKS<br>GKE |
| Commit ID | Push ID for version control systems only | |
| Compliance | The benchmark name and version related to compliance policies only | CIS Amazon Web Services Foundations v.1.2.0 |
| Compliance Control Number | The compliance control number | 1.14.2 |
| Contributing Factors | The aggregated findings of an alert that describe the security violation in the policy. | |
| Created Date | The date when the alert was triggered | |
| Developer | The name of the developer who initiated the IaC scan | |
| End Line | The last line of code | 15 |
| Identity ID | The unique ID for the cloud identity | |
| Identity Name | The name of the cloud identity | |
| Identity Power Category | Applicable only to identities with a power score of more than 80. | Data<br>Compute<br>Billing |
| Identity Power Score | The numeric score granted to an identity based on an internal Zscaler IP calculation of power. | 1–100 |
| Identity Source | Identity's entitlement on the resource | Local<br>External<br>Federated |
| Identity Type | The type of identity | Human<br>Non-human |
| Last Observed | The date of the last scan when ZPC checked the security policy against the resource. | |
| Manual Remediation Procedure | Procedure to manually remediate a policy violation | |
| MITRE ATT&CK | The link to the technique on the MITRE ATT&CK website | Exploitation for Privilege Escalation (T1068) |
| Module | Set of configuration files | Terraform module |
| Namespace | The Kubernetes cluster namespace in which the resource is stored | |
| Organization ID | The unique ID for the organization | |
| Organization Name | The name of the organization or tenant | |
| Policy Description | A detailed description of the security policy | This rule detects when an identity changed the KMS key of S3 server-side encryption to a key that is owned by another account. |
| Policy ID | The unique identification number for the security policy | ZS-GCP-00126 |
| Policy Name | The title of the security policy | Power identities without MFA |
| Policy Severity | The severity of the policy violation | Critical<br>High<br>Medium<br>Low |
| Policy Source | Predefined or custom security policy | Zscaler<br>Custom |
| Pull Request ID | ID for version control systems only | |
| Remediation Allowed | Indicates whether remediation is allowed for a policy. This is applicable when remediation is enabled for a policy. | True<br>False |
| Remediation Initiated By | The admin who initiated the remediation action | Zscaler (if the alert was remediated automatically through the alert management flow) |
| Remediation Status | The status of the remediation | Progress<br>Success<br>Failed<br>Blank |
| Repository | The repository on which the IaC scan was triggered | Organization<br>Repository |
| Resource ID | The cloud ID of the resource. Azure Resource IDs are displayed in lowercase, regardless of the case in which they were originally created. | ID in AWS and GCP<br>ARN in AWS |
| Resource Metadata | The metadata of the cloud asset or identity | |
| Resource Name | The name of the resource | external-key-storage bucket |
| Resource Region | The region where the resource is stored | |
| Risk Level | The risk applied to the asset or identity while triggering the alert. | Critical<br>High<br>Medium<br>Low |
| Scan ID | A unique number generated by ZPC for every IaC scan | |
| Scan Plugin | The type of IaC plugin | GitHub<br>GitLab<br>Jenkins<br>Azure Pipelines<br>GitHub Actions<br>Azure Repos<br>Terraform Cloud |
| Scan Time | The time when the IaC scan was triggered. Time is displayed based on the user's locale. | |
| Scan Type | The activity that triggered the scan | Push<br>Pull<br>Build |
| Sensitive Data | Summary of sensitive data found for DLP policies | 10 files, 3 engines |
| Start Line | The first line of code from where the violation is detected | 10 |
| Supports Remediation | Indicates that remediation can be enabled for a policy | True<br>False |
| Tags | Tags (key-value pairs) associated with the asset | env:dev |
| Template | The name of the IaC template | |
| Template Type | The type of IaC template | Terraform<br>CFT<br>ARM<br>Kubernetes<br>YAML<br>Helm charts |
| Theme | The security policy theme | Compliance<br>Security Exposure<br>Security Events<br>Blank (-) |
| Threat Category | The threat category to which the policy belongs | Ransomware<br>Misconfiguration<br>Account Takeover |
| Trusted IP | Indicates whether the alert is publicly exposed and associated with a trusted IP list. | True: The alert is publicly exposed and associated with a trusted IP list.<br>False: The alert is publicly exposed but not associated with a trusted IP list.<br>-: The alert is not publicly exposed and not associated with a trusted IP list. |
| Updated By | The admin who resolved or updated the alert | |
| Updated Date | The date when the alert was updated | |
| Violating Resource | The IaC code that contains the misconfiguration. This information is shown for IaC alerts. | |
| ZPC Tenant ID | The unique ID for the ZPC customer tenant | |
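The following is an added example, not ZPC's own code or export format, showing how a SOC script consuming these attributes might handle the details the table calls out: the severity counts embedded in a dynamic Alert Description, the tri-state Trusted IP value (where `-` means the resource is not publicly exposed at all), the Identity Power Category threshold of 80, and filtering on Alert Status. It assumes an export that yields one record per alert keyed by the attribute labels above; the records, Alert IDs and scoring weights are constructed for illustration.

```python
import ast
import re

# Constructed sample records (assumption: one dict per alert, keyed by the attribute
# labels from the table; this is not ZPC's own export format, and the IDs are made up).
ALERTS = [
    {"Alert ID": "ZS-CLOUD-000001", "Alert Status": "Open", "Alert Age": "10 days",
     "Policy Severity": "High", "Risk Level": "High", "Trusted IP": "False",
     "Identity Power Score": "", "Alert Description":
     "EC2 instance is running a vulnerable image. Found vulnerabilities statistics: "
     "{'critical': 12, 'high': 47, 'low': 3, 'medium': 32, 'unknown': 2}."},
    {"Alert ID": "ZS-CLOUD-000002", "Alert Status": "Open", "Alert Age": "2 days",
     "Policy Severity": "Critical", "Risk Level": "Critical", "Trusted IP": "-",
     "Identity Power Score": "91", "Alert Description": "Power identity without MFA."},
    {"Alert ID": "ZS-CLOUD-000003", "Alert Status": "Resolved", "Alert Age": "40 days",
     "Policy Severity": "Critical", "Risk Level": "Critical", "Trusted IP": "True",
     "Identity Power Score": "", "Alert Description": "Finding already resolved."},
]

LEVEL = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

def parse_vuln_stats(description):
    """Extract the per-severity counts embedded in a dynamic Alert Description, if any."""
    m = re.search(r"\{[^{}]*\}", description)
    return ast.literal_eval(m.group(0)) if m else {}

def exposure(trusted_ip):
    """Map the tri-state Trusted IP value; '-' means not publicly exposed at all."""
    return {"True": "exposed_trusted", "False": "exposed_untrusted"}.get(trusted_ip, "not_exposed")

def triage_score(alert):
    """Rank an alert for analyst attention; higher means look at it first (constructed weights)."""
    score = LEVEL.get(alert["Policy Severity"], 0) * 10 + LEVEL.get(alert["Risk Level"], 0) * 5
    score += {"exposed_untrusted": 20, "exposed_trusted": 5, "not_exposed": 0}[exposure(alert["Trusted IP"])]
    power = int(alert.get("Identity Power Score") or 0)
    if power > 80:  # the threshold at which Identity Power Category applies
        score += 15
    stats = parse_vuln_stats(alert.get("Alert Description", ""))
    score += 3 * stats.get("critical", 0) + stats.get("high", 0)
    age = int(alert["Alert Age"].split()[0])  # "10 days" -> 10
    return score + min(age, 30)  # cap age so stale alerts do not dominate the queue

def prioritize(alerts):
    """Alert IDs of Open alerts only, highest triage score first."""
    open_alerts = [a for a in alerts if a["Alert Status"] == "Open"]
    return [a["Alert ID"] for a in sorted(open_alerts, key=triage_score, reverse=True)]

if __name__ == "__main__":
    for alert_id in prioritize(ALERTS):
        print(alert_id)
```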