Query Details

59 NK BI Tunnel Proxy Bypass

Query

id: 8b9c0d1e-2f3a-4b4c-5d6e-7f8a9b0c1d25
name: "Netskope (Built-in) - Tunnel/Proxy/VPN Bypass Attempt"
version: 1.0.0
kind: Scheduled
description: |
  Detects users accessing tunnel, proxy, VPN, or anonymizer services through Netskope.
  Allowed bypass attempts indicate higher risk of security control evasion.
  Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1090 (Proxy), T1572 (Protocol Tunneling)
severity: Medium
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT30M
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - DefenseEvasion
relevantTechniques:
  - T1090
  - T1572
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  let BypassCategories = dynamic([
      "Proxy Avoidance", "Anonymizers", "VPN",
      "Remote Access", "Tunneling", "Tor",
      "P2P File Sharing", "Web Proxy"]);
  let BypassApps = dynamic([
      "Tor", "NordVPN", "ExpressVPN", "Private Internet Access",
      "Psiphon", "Ultrasurf", "Hotspot Shield", "Windscribe",
      "ProtonVPN", "CyberGhost", "Shadowsocks", "WireGuard"]);
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(user_s)
  | where category_s in (BypassCategories)
      or app_s in (BypassApps)
      or domain_s has_any ("torproject.org", "psiphon", "ultrasurf",
          "nordvpn", "expressvpn", "protonvpn")
  | summarize
      RequestCount     = count(),
      UniqueApps       = dcount(app_s),
      Apps             = make_set(app_s, 10),
      Categories       = make_set(category_s, 10),
      Domains          = make_set(domain_s, 10),
      Actions          = make_set(action_s, 5),
      Blocked          = countif(action_s in ("block", "Block", "blocked", "Blocked")),
      Allowed          = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
      SourceIPs        = make_set(srcip_s, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by user_s
  | order by Allowed desc, RequestCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: user_s
customDetails:
  RequestCount: RequestCount
  Allowed: Allowed
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI Bypass Attempt - {{user_s}} ({{Allowed}} allowed)"
  alertDescriptionFormat: "User {{user_s}} attempted {{RequestCount}} bypass requests with {{Allowed}} allowed through."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect attempts by users to bypass security controls by accessing tunnel, proxy, VPN, or anonymizer services through Netskope. Here's a simplified breakdown of what the query does:

  1. Purpose: The query identifies users who are trying to use services that can bypass security measures, such as proxies, VPNs, and anonymizers. This matters because such activity can indicate attempts to evade security controls.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which logs events from Netskope, a cloud security platform.

  3. Detection Logic:
    • It looks at events from the past day (1d) that carry a non-empty user field.
    • It checks whether the event's category or application is on a list of known bypass services, such as the "Proxy Avoidance" category or apps like "Tor" and "NordVPN".
    • It also checks whether the accessed domain contains terms associated with these services (for example torproject.org or nordvpn).

  4. Analysis:
    • It counts how many requests each user made to these services (RequestCount).
    • It identifies how many different apps were used (UniqueApps) and lists them (Apps).
    • It also lists the categories, domains, actions and source IPs associated with these requests, together with the first and last time they were seen.
    • It counts how many requests were blocked (action_s equal to block/blocked in the listed casings) versus allowed (any other action value).

  5. Output:
    • The results are summarized by user, showing the number of allowed requests and total requests.
    • The output is ordered by the number of allowed requests, then by total requests, highlighting users with the most successful bypass attempts.

  6. Alerting:
    • If any bypass attempts are detected, an alert is generated with details about the user and the number of allowed requests.
    • An incident is created for further investigation, with incidents grouped by user account over a 6-hour lookback window.

This query helps security teams monitor and respond to potential security control evasion attempts, enhancing the organization's security posture.
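To make the detection logic above concrete, here is an added Python stand-in for the query's where/summarize steps run over constructed NetskopeEvents_CL-style records; it is not part of the original rule. It assumes events are dicts keyed by the columns the query reads, and it approximates KQL has_any with whole-token matching (so "psiphon3.com" does not match the term "psiphon", while "vpn.nordvpn.com" does match "nordvpn"), and it reproduces the query's case-sensitive block-action list, under which an action such as "BLOCK" or "alert" lands in Allowed.

```python
# Added example (not the original rule's code): Python mirror of the KQL detection logic.
# Assumed: events are dicts keyed by the columns the query reads; has_any is approximated
# with whole-token matching, which is how KQL 'has' treats terms.
import re
from collections import defaultdict

BYPASS_CATEGORIES = {"Proxy Avoidance", "Anonymizers", "VPN", "Remote Access",
                     "Tunneling", "Tor", "P2P File Sharing", "Web Proxy"}
BYPASS_APPS = {"Tor", "NordVPN", "ExpressVPN", "Private Internet Access", "Psiphon",
               "Ultrasurf", "Hotspot Shield", "Windscribe", "ProtonVPN", "CyberGhost",
               "Shadowsocks", "WireGuard"}
DOMAIN_TERMS = ("torproject.org", "psiphon", "ultrasurf", "nordvpn", "expressvpn", "protonvpn")
BLOCK_ACTIONS = {"block", "Block", "blocked", "Blocked"}  # case-sensitive 'in', as in the query

def _tokens(s):
    return [t for t in re.split(r"[^a-z0-9]+", s.lower()) if t]

def has_any(value, needles):
    """Approximate KQL has_any: each needle's tokens must appear as consecutive whole tokens."""
    toks = _tokens(value)
    for needle in needles:
        nt = _tokens(needle)
        if any(toks[i:i + len(nt)] == nt for i in range(len(toks) - len(nt) + 1)):
            return True
    return False

def is_bypass_event(ev):
    """Mirror the query's filters: non-empty user and a category, app or domain hit."""
    return bool(ev.get("user_s")) and (
        ev.get("category_s") in BYPASS_CATEGORIES
        or ev.get("app_s") in BYPASS_APPS
        or has_any(ev.get("domain_s", ""), DOMAIN_TERMS))

def summarize_by_user(events):
    """Mirror the summarize step; note 'Allowed' simply means 'not in BLOCK_ACTIONS'."""
    rows = defaultdict(lambda: {"RequestCount": 0, "Apps": set(), "Blocked": 0, "Allowed": 0})
    for ev in filter(is_bypass_event, events):
        row = rows[ev["user_s"]]
        row["RequestCount"] += 1
        row["Apps"].add(ev.get("app_s", ""))
        row["Blocked" if ev.get("action_s") in BLOCK_ACTIONS else "Allowed"] += 1
    return sorted(rows.items(), key=lambda kv: (-kv[1]["Allowed"], -kv[1]["RequestCount"]))

SAMPLE_EVENTS = [  # constructed sample records, not real Netskope data
    {"user_s": "alice@example.com", "category_s": "VPN", "app_s": "NordVPN", "domain_s": "vpn.nordvpn.com", "action_s": "block"},
    {"user_s": "alice@example.com", "category_s": "Anonymizers", "app_s": "Tor", "domain_s": "torproject.org", "action_s": "alert"},
    {"user_s": "carol@example.com", "category_s": "Business", "app_s": "Psiphon", "domain_s": "psiphon.ca", "action_s": "BLOCK"},
    {"user_s": "bob@example.com", "category_s": "Business", "app_s": "Unknown", "domain_s": "psiphon3.com", "action_s": "allow"},
    {"user_s": "", "category_s": "VPN", "app_s": "WireGuard", "domain_s": "", "action_s": "block"},
]
```

Running summarize_by_user(SAMPLE_EVENTS) returns alice (1 blocked, 1 allowed) ahead of carol (whose uppercase "BLOCK" counts as allowed), and bob never appears because "psiphon3.com" is not a whole-token match.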

Details

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEvents, User, Domain, SourceIP, DestinationIP, Application, Category, Action, TrafficType, FileType, Object, Country, AccessMethod

Operators

let, datatable, dynamic, union, isfuzzy, where, ago, isnotempty, in, has_any, summarize, count, dcount, make_set, countif, min, max, by, order by, desc