Zscaler ZIA - Tunnel, SOCKS Proxy, or SSL Bypass Category Detected
25 CSL Zscaler Tunnel Proxy Bypass
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceCustomString2 has_any (
"TUNNEL", "PROXY_AVOIDANCE_ANONYMIZERS", "ENCRYPTED_TUNNEL",
"SECURE_TUNNELING", "VPN_PROTOCOLS", "TOR_PROXY",
"ANONYMIZING_UTILITIES", "PRIVACY_PROTECTION")
or ApplicationProtocol has_any ("TUNNEL", "SOCKS", "CONNECT")
| where isnotempty(SourceUserName)
| summarize
TunnelAttempts = count(),
UniqueTargets = dcount(DestinationHostName),
TargetDomains = make_set(DestinationHostName, 10),
DevicePorts = make_set(DestinationPort, 5),
Protocols = make_set(ApplicationProtocol, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceUserName, TunnelCategory = DeviceCustomString2
| order by TunnelAttempts descExplanation
This query is designed to detect and alert on suspicious network activity related to Zscaler ZIA traffic. Here's a simplified breakdown:
-
Purpose: The query identifies attempts to establish encrypted channels or bypass security measures using tunnels, proxies, or specific protocols that could hide the true destination of traffic or prevent data loss prevention (DLP) and threat detection.
-
Data Source: It uses data from the "CommonSecurityEvents" connector, specifically the "CommonSecurityLog" data type.
-
Frequency and Duration: The query runs every hour and looks at data from the past day.
-
Detection Criteria:
- It checks for logs from Zscaler devices.
- It looks for specific categories or protocols indicating tunneling or proxy use, such as "TUNNEL", "PROXY_AVOIDANCE_ANONYMIZERS", "VPN_PROTOCOLS", etc.
- It ensures that the source username is not empty.
-
Output:
- Counts the number of tunneling attempts.
- Identifies unique target hostnames and domains.
- Lists the ports and protocols used.
- Records the first and last time the activity was seen.
-
Alerting:
- Generates alerts with a display name and description that include the username and number of attempts.
- Creates incidents for these alerts, grouping them by account if multiple related alerts are detected within a six-hour window.
-
Severity and Techniques:
- The severity of the alert is set to medium.
- It relates to MITRE ATT&CK techniques for protocol tunneling and proxy use, specifically T1572 and T1090. Overall, this query helps security teams monitor and respond to potential security threats involving unauthorized tunneling or proxy usage that could bypass security controls.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P1D