Query Details

Netskope - Tunnel/Proxy/VPN Bypass Attempt

45 NK Tunnel Proxy Bypass

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let BypassCategories = dynamic([
    "Proxy Avoidance", "Anonymizers", "VPN",
    "Remote Access", "Tunneling", "Tor",
    "P2P File Sharing", "Web Proxy"]);
let BypassApps = dynamic([
    "Tor", "NordVPN", "ExpressVPN", "Private Internet Access",
    "Psiphon", "Ultrasurf", "Hotspot Shield", "Windscribe",
    "ProtonVPN", "CyberGhost", "Shadowsocks", "WireGuard"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s)
| where category_s in (BypassCategories)
    or app_s in (BypassApps)
    or domain_s has_any ("torproject.org", "psiphon", "ultrasurf",
        "nordvpn", "expressvpn", "protonvpn")
| summarize
    RequestCount     = count(),
    UniqueApps       = dcount(app_s),
    Apps             = make_set(app_s, 10),
    Categories       = make_set(category_s, 10),
    Domains          = make_set(domain_s, 10),
    Actions          = make_set(action_s, 5),
    Blocked          = countif(action_s in ("block", "Block", "blocked", "Blocked")),
    Allowed          = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
    SourceIPs        = make_set(srcip_s, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by user_s
| order by Allowed desc, RequestCount desc

Explanation

This query is designed to detect attempts by users to bypass security controls by accessing tunnel, proxy, VPN, or anonymizer services through Netskope. It is scheduled to run every 30 minutes and looks back over the past day. The query identifies users who might be trying to establish encrypted channels that are not visible to corporate security measures, which could indicate potential security threats.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from Netskope web transactions.
  2. Categories and Apps: It checks for specific categories like "Proxy Avoidance" and apps like "Tor" or "NordVPN" that are known for bypassing security.
  3. Conditions: It looks for users who have accessed these categories or apps, or specific domains related to bypassing tools.
  4. Data Aggregation: For each user, it counts the number of requests, identifies unique apps and categories accessed, and checks if the actions were blocked or allowed.
  5. Alerting: If any bypass attempts are detected, it creates an alert with details about the user, the number of allowed and blocked requests, and other relevant information.
  6. Incident Management: It can create incidents for detected bypass attempts and group them by user account for easier management.

Overall, this query helps in monitoring and alerting on potential security bypass attempts, aiding in maintaining the integrity of corporate security controls.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeTunnelProxyVPNBypassAttemptUsersSecurityControlsChannelsCorporateVisibilityMITREATTCKProtocolTunnelingCommandAndControlDefenseEvasionNetskopeWebTransactionsNetskopeWebTxCLTimeGeneratedActionCategorySeverityMalwareNameTypeThreatUserDomainDstipSrcipBytesUploadedDownloadedAppUrlDlpRuleProfileActivityFileObjectAvoidanceAnonymizersRemoteAccessTorP2PSharingWebNordVPNExpressVPNPrivateInternetPsiphonUltrasurfHotspotShieldWindscribeProtonVPNCyberGhostShadowsocksWireGuardTorprojectRequestCountUniqueAppsAppsCategoriesDomainsActionsBlockedAllowedSourceIPsFirstSeenLastSeenAccountFullNameServicesRequests

Operators

letdatatabledynamicunionisfuzzyagoisnotemptyinhas_anysummarizecountdcountmake_setcountifminmaxbyorder bydesc

Severity

Medium

Tactics

CommandAndControlDefenseEvasion

MITRE Techniques

Frequency: PT30M

Period: P1D

Actions

GitHub