Query Details

Netskope (Built-in) - Tunnel/Proxy/VPN Bypass Attempt

59 NK BI Tunnel Proxy Bypass

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let BypassCategories = dynamic([
    "Proxy Avoidance", "Anonymizers", "VPN",
    "Remote Access", "Tunneling", "Tor",
    "P2P File Sharing", "Web Proxy"]);
let BypassApps = dynamic([
    "Tor", "NordVPN", "ExpressVPN", "Private Internet Access",
    "Psiphon", "Ultrasurf", "Hotspot Shield", "Windscribe",
    "ProtonVPN", "CyberGhost", "Shadowsocks", "WireGuard"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s)
| where category_s in (BypassCategories)
    or app_s in (BypassApps)
    or domain_s has_any ("torproject.org", "psiphon", "ultrasurf",
        "nordvpn", "expressvpn", "protonvpn")
| summarize
    RequestCount     = count(),
    UniqueApps       = dcount(app_s),
    Apps             = make_set(app_s, 10),
    Categories       = make_set(category_s, 10),
    Domains          = make_set(domain_s, 10),
    Actions          = make_set(action_s, 5),
    Blocked          = countif(action_s in ("block", "Block", "blocked", "Blocked")),
    Allowed          = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
    SourceIPs        = make_set(srcip_s, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by user_s
| order by Allowed desc, RequestCount desc

Explanation

This query is designed to detect attempts by users to bypass security controls by accessing tunnel, proxy, VPN, or anonymizer services through Netskope. Here's a simplified breakdown of what the query does:

  1. Purpose: The query identifies users who are trying to use services that can bypass security measures, such as proxies, VPNs, and anonymizers. This is important because such activities can indicate attempts to evade security controls.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which logs events related to Netskope, a cloud security platform.

  3. Detection Logic:

    • It looks at events from the past day (1d).
    • It checks if users are accessing certain categories or applications known for bypassing security, like "Proxy Avoidance" or apps like "Tor" and "NordVPN".
    • It also checks if users are visiting domains associated with these services.
  4. Analysis:

    • It counts how many requests each user made to these services (RequestCount).
    • It identifies how many different apps were used (UniqueApps) and lists them (Apps).
    • It also lists the categories, domains, and actions (e.g., blocked or allowed) associated with these requests.
    • It counts how many requests were blocked versus allowed.
  5. Output:

    • The results are summarized by user, showing the number of allowed requests and total requests.
    • The output is ordered by the number of allowed requests, highlighting users with the most successful bypass attempts.
  6. Alerting:

    • If any bypass attempts are detected, an alert is generated with details about the user and the number of allowed requests.
    • An incident is created for further investigation, with incidents grouped by user account.

This query helps security teams monitor and respond to potential security control evasion attempts, enhancing the organization's security posture.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsUserDomainSourceIPDestinationApplicationCategoryActionTrafficTypeFileObjectCountryAccessMethod

Operators

letdatatabledynamicunionisfuzzywhereagoisnotemptyinhas_anysummarizecountdcountmake_setcountifminmaxbyorder bydesc

Severity

Medium

Tactics

CommandAndControlDefenseEvasion

MITRE Techniques

Frequency: PT30M

Period: P1D

Actions

GitHub