Query Details

25 CSL Zscaler Tunnel Proxy Bypass

Query

id: ff25b8c9-d0e1-4f2a-3b4c-5d6e7f8a9b0c
name: "Zscaler ZIA - Tunnel, SOCKS Proxy, or SSL Bypass Category Detected"
version: 1.0.0
kind: Scheduled
description: |
  Detects Zscaler ZIA traffic matching tunnel, SOCKS proxy, VPN protocol, or SSL-bypass / proxy-avoidance URL categories. These categories indicate a user or host attempting to establish an encrypted channel that bypasses Zscaler's SSL inspection engine or to route traffic through an anonymizing proxy — hiding true destination or preventing DLP and threat detection. MITRE ATT&CK: T1572 (Protocol Tunneling), T1090 (Proxy), T1562.007.
severity: Medium
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - DefenseEvasion
relevantTechniques:
  - T1572
  - T1090
query: |
    CommonSecurityLog
    | where TimeGenerated > ago(1d)
    | where DeviceVendor == "Zscaler"
    | where DeviceCustomString2 has_any (
        "TUNNEL", "PROXY_AVOIDANCE_ANONYMIZERS", "ENCRYPTED_TUNNEL",
        "SECURE_TUNNELING", "VPN_PROTOCOLS", "TOR_PROXY",
        "ANONYMIZING_UTILITIES", "PRIVACY_PROTECTION")
        or ApplicationProtocol has_any ("TUNNEL", "SOCKS", "CONNECT")
    | where isnotempty(SourceUserName)
    | summarize
        TunnelAttempts = count(),
        UniqueTargets  = dcount(DestinationHostName),
        TargetDomains  = make_set(DestinationHostName, 10),
        DevicePorts    = make_set(DestinationPort, 5),
        Protocols      = make_set(ApplicationProtocol, 5),
        FirstSeen      = min(TimeGenerated),
        LastSeen       = max(TimeGenerated)
      by SourceUserName, TunnelCategory = DeviceCustomString2
    | order by TunnelAttempts desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SourceUserName
customDetails:
  TunnelAttempts: TunnelAttempts
  UniqueTargets: UniqueTargets
  TunnelCategory: TunnelCategory
alertDetailsOverride:
  alertDisplayNameFormat: "Zscaler Tunnel/Bypass - {{SourceUserName}} ({{TunnelAttempts}} attempts)"
  alertDescriptionFormat: "User {{SourceUserName}} triggered {{TunnelAttempts}} tunneling or proxy-bypass events. Category: {{TunnelCategory}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect and alert on suspicious network activity related to Zscaler ZIA traffic. Here's a simplified breakdown:

  • Purpose: The query identifies attempts to establish encrypted channels or bypass security measures using tunnels, proxies, or specific protocols that could hide the true destination of traffic or prevent data loss prevention (DLP) and threat detection.

  • Data Source: It uses data from the "CommonSecurityEvents" connector, specifically the "CommonSecurityLog" data type.

  • Frequency and Duration: The query runs every hour and looks at data from the past day.

  • Detection Criteria:
    • It checks for logs from Zscaler devices.
    • It looks for specific categories or protocols indicating tunneling or proxy use, such as "TUNNEL", "PROXY_AVOIDANCE_ANONYMIZERS", "VPN_PROTOCOLS", etc.
    • It ensures that the source username is not empty.

  • Output:
    • Counts the number of tunneling attempts.
    • Identifies unique target hostnames and domains.
    • Lists the ports and protocols used.
    • Records the first and last time the activity was seen.

  • Alerting:
    • Generates alerts with a display name and description that include the username and number of attempts.
    • Creates incidents for these alerts, grouping them by account if multiple related alerts are detected within a six-hour window.

  • Severity and Techniques:
    • The severity of the alert is set to medium.
    • It relates to MITRE ATT&CK techniques for protocol tunneling and proxy use, specifically T1572 and T1090.

Overall, this query helps security teams monitor and respond to potential security threats involving unauthorized tunneling or proxy usage that could bypass security controls.
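As an added example (not the rule's own code, which is the KQL above), the same filter-and-summarize logic run in Python over constructed CommonSecurityLog-shaped rows, so the effect of each where clause can be checked offline. It assumes has_any behaves as case-insensitive whole-term matching, that the ago(1d) window is already satisfied, and that the sample rows are purely constructed telemetry.

```python
# Added example, not the rule's own code: replays the detection's where/summarize
# logic over constructed CommonSecurityLog-shaped rows. has_any is approximated as
# case-insensitive whole-term matching ('_' treated as a term separator); the
# ago(1d) window is assumed satisfied and make_set caps (10/5) are applied by sort.
import re
from collections import defaultdict

CATEGORIES = ["TUNNEL", "PROXY_AVOIDANCE_ANONYMIZERS", "ENCRYPTED_TUNNEL",
              "SECURE_TUNNELING", "VPN_PROTOCOLS", "TOR_PROXY",
              "ANONYMIZING_UTILITIES", "PRIVACY_PROTECTION"]
PROTOCOLS = ["TUNNEL", "SOCKS", "CONNECT"]

def _terms(s):
    return [t for t in re.split(r"[^0-9a-z]+", s.lower()) if t]

def has_any(value, needles):
    """Term-based match: 'ENCRYPTED_TUNNEL' has 'TUNNEL', but 'TUNNELS' does not."""
    vt = _terms(value)
    for n in needles:
        nt = _terms(n)
        if any(vt[i:i + len(nt)] == nt for i in range(len(vt) - len(nt) + 1)):
            return True
    return False

def detect(rows):
    """Filter like the KQL 'where' clauses, then summarize by user and category."""
    groups = defaultdict(list)
    for r in rows:
        if r["DeviceVendor"] != "Zscaler" or not r["SourceUserName"]:
            continue  # wrong vendor or isnotempty(SourceUserName) fails
        if has_any(r["DeviceCustomString2"], CATEGORIES) or has_any(r["ApplicationProtocol"], PROTOCOLS):
            groups[(r["SourceUserName"], r["DeviceCustomString2"])].append(r)
    results = []
    for (user, cat), rs in groups.items():
        hosts = {x["DestinationHostName"] for x in rs}
        results.append({"SourceUserName": user, "TunnelCategory": cat,
                        "TunnelAttempts": len(rs), "UniqueTargets": len(hosts),
                        "TargetDomains": sorted(hosts)[:10],
                        "DevicePorts": sorted({x["DestinationPort"] for x in rs})[:5],
                        "Protocols": sorted({x["ApplicationProtocol"] for x in rs})[:5],
                        "FirstSeen": min(x["TimeGenerated"] for x in rs),
                        "LastSeen": max(x["TimeGenerated"] for x in rs)})
    return sorted(results, key=lambda g: -g["TunnelAttempts"])  # order by TunnelAttempts desc

FIELDS = ("TimeGenerated", "DeviceVendor", "DeviceCustomString2", "ApplicationProtocol",
          "SourceUserName", "DestinationHostName", "DestinationPort")
SAMPLE_ROWS = [dict(zip(FIELDS, v)) for v in [  # constructed sample telemetry, not real logs
    ("2026-03-01T09:00:00Z", "Zscaler", "ENCRYPTED_TUNNEL", "HTTPS", "alice@example.com", "relay-1.example.net", 443),
    ("2026-03-01T09:05:00Z", "Zscaler", "ENCRYPTED_TUNNEL", "HTTPS", "alice@example.com", "relay-2.example.net", 8443),
    ("2026-03-01T10:00:00Z", "Zscaler", "BUSINESS", "CONNECT", "bob@example.com", "proxy.example.org", 1080),  # protocol hit only
    ("2026-03-01T10:30:00Z", "Zscaler", "TOR_PROXY", "HTTPS", "", "exit.example.net", 9001),  # dropped: empty user
    ("2026-03-01T11:00:00Z", "OtherVendor", "VPN_PROTOCOLS", "HTTPS", "carol@example.com", "vpn.example.com", 443),  # dropped: vendor
]]
```

Running detect(SAMPLE_ROWS) yields two groups (alice with 2 attempts, bob with 1) and silently drops the TOR_PROXY row with no user attribution, which is the coverage gap the isnotempty(SourceUserName) filter introduces.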

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

Zscaler, Tunnel, Socks Proxy, SSL Bypass, User, Host, Encrypted Channel, SSL Inspection Engine, Traffic, Anonymizing Proxy, Destination, DLP, Threat Detection, MITRE ATT&CK, Protocol Tunneling, Command And Control, Defense Evasion, CommonSecurityEvents, CommonSecurityLog, TimeGenerated, DeviceVendor, DeviceCustomString, ApplicationProtocol, SourceUserName, DestinationHostName, DestinationPort

Operators

ago, has_any, isnotempty, summarize, count, dcount, make_set, min, max, order by