Netskope - Tunnel/Proxy/VPN Bypass Attempt
45 NK Tunnel Proxy Bypass
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let BypassCategories = dynamic([
"Proxy Avoidance", "Anonymizers", "VPN",
"Remote Access", "Tunneling", "Tor",
"P2P File Sharing", "Web Proxy"]);
let BypassApps = dynamic([
"Tor", "NordVPN", "ExpressVPN", "Private Internet Access",
"Psiphon", "Ultrasurf", "Hotspot Shield", "Windscribe",
"ProtonVPN", "CyberGhost", "Shadowsocks", "WireGuard"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s)
| where category_s in (BypassCategories)
or app_s in (BypassApps)
or domain_s has_any ("torproject.org", "psiphon", "ultrasurf",
"nordvpn", "expressvpn", "protonvpn")
| summarize
RequestCount = count(),
UniqueApps = dcount(app_s),
Apps = make_set(app_s, 10),
Categories = make_set(category_s, 10),
Domains = make_set(domain_s, 10),
Actions = make_set(action_s, 5),
Blocked = countif(action_s in ("block", "Block", "blocked", "Blocked")),
Allowed = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
SourceIPs = make_set(srcip_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s
| order by Allowed desc, RequestCount descExplanation
This query is designed to detect attempts by users to bypass security controls by accessing tunnel, proxy, VPN, or anonymizer services through Netskope. It is scheduled to run every 30 minutes and looks back over the past day. The query identifies users who might be trying to establish encrypted channels that are not visible to corporate security measures, which could indicate potential security threats.
Here's a simple breakdown of what the query does:
- Data Source: It uses data from Netskope web transactions.
- Categories and Apps: It checks for specific categories like "Proxy Avoidance" and apps like "Tor" or "NordVPN" that are known for bypassing security.
- Conditions: It looks for users who have accessed these categories or apps, or specific domains related to bypassing tools.
- Data Aggregation: For each user, it counts the number of requests, identifies unique apps and categories accessed, and checks if the actions were blocked or allowed.
- Alerting: If any bypass attempts are detected, it creates an alert with details about the user, the number of allowed and blocked requests, and other relevant information.
- Incident Management: It can create incidents for detected bypass attempts and group them by user account for easier management.
Overall, this query helps in monitoring and alerting on potential security bypass attempts, aiding in maintaining the integrity of corporate security controls.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT30M
Period: P1D