Query Details

Zscaler ZIA - Tunnel, SOCKS Proxy, or SSL Bypass Category Detected

25 CSL Zscaler Tunnel Proxy Bypass

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Zscaler"
| where DeviceCustomString2 has_any (
    "TUNNEL", "PROXY_AVOIDANCE_ANONYMIZERS", "ENCRYPTED_TUNNEL",
    "SECURE_TUNNELING", "VPN_PROTOCOLS", "TOR_PROXY",
    "ANONYMIZING_UTILITIES", "PRIVACY_PROTECTION")
    or ApplicationProtocol has_any ("TUNNEL", "SOCKS", "CONNECT")
| where isnotempty(SourceUserName)
| summarize
    TunnelAttempts = count(),
    UniqueTargets  = dcount(DestinationHostName),
    TargetDomains  = make_set(DestinationHostName, 10),
    DevicePorts    = make_set(DestinationPort, 5),
    Protocols      = make_set(ApplicationProtocol, 5),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by SourceUserName, TunnelCategory = DeviceCustomString2
| order by TunnelAttempts desc

Explanation

This query is designed to detect and alert on suspicious network activity related to Zscaler ZIA traffic. Here's a simplified breakdown:

  • Purpose: The query identifies attempts to establish encrypted channels or bypass security measures using tunnels, proxies, or specific protocols that could hide the true destination of traffic or prevent data loss prevention (DLP) and threat detection.

  • Data Source: It uses data from the "CommonSecurityEvents" connector, specifically the "CommonSecurityLog" data type.

  • Frequency and Duration: The query runs every hour and looks at data from the past day.

  • Detection Criteria:

    • It checks for logs from Zscaler devices.
    • It looks for specific categories or protocols indicating tunneling or proxy use, such as "TUNNEL", "PROXY_AVOIDANCE_ANONYMIZERS", "VPN_PROTOCOLS", etc.
    • It ensures that the source username is not empty.
  • Output:

    • Counts the number of tunneling attempts.
    • Identifies unique target hostnames and domains.
    • Lists the ports and protocols used.
    • Records the first and last time the activity was seen.
  • Alerting:

    • Generates alerts with a display name and description that include the username and number of attempts.
    • Creates incidents for these alerts, grouping them by account if multiple related alerts are detected within a six-hour window.
  • Severity and Techniques:

    • The severity of the alert is set to medium.
    • It relates to MITRE ATT&CK techniques for protocol tunneling and proxy use, specifically T1572 and T1090. Overall, this query helps security teams monitor and respond to potential security threats involving unauthorized tunneling or proxy usage that could bypass security controls.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

ZscalerTunnelSocksProxySSLBypassUserHostEncryptedChannelInspectionEngineTrafficAnonymizingDestinationDLPThreatDetectionMITREATTCKProtocolTunnelingCommandAndControlDefenseEvasionCommonSecurityEventsLogTimeGeneratedDeviceVendorCustomStringApplicationSourceNamePort

Operators

agohas_anyisnotemptysummarizecountdcountmake_setminmaxorder by

Severity

Medium

Tactics

CommandAndControlDefenseEvasion

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub