Netskope (Built-in) - Tunnel/Proxy/VPN Bypass Attempt
59 NK BI Tunnel Proxy Bypass
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
let BypassCategories = dynamic([
"Proxy Avoidance", "Anonymizers", "VPN",
"Remote Access", "Tunneling", "Tor",
"P2P File Sharing", "Web Proxy"]);
let BypassApps = dynamic([
"Tor", "NordVPN", "ExpressVPN", "Private Internet Access",
"Psiphon", "Ultrasurf", "Hotspot Shield", "Windscribe",
"ProtonVPN", "CyberGhost", "Shadowsocks", "WireGuard"]);
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(user_s)
| where category_s in (BypassCategories)
or app_s in (BypassApps)
or domain_s has_any ("torproject.org", "psiphon", "ultrasurf",
"nordvpn", "expressvpn", "protonvpn")
| summarize
RequestCount = count(),
UniqueApps = dcount(app_s),
Apps = make_set(app_s, 10),
Categories = make_set(category_s, 10),
Domains = make_set(domain_s, 10),
Actions = make_set(action_s, 5),
Blocked = countif(action_s in ("block", "Block", "blocked", "Blocked")),
Allowed = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
SourceIPs = make_set(srcip_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by user_s
| order by Allowed desc, RequestCount descExplanation
This query is designed to detect attempts by users to bypass security controls by accessing tunnel, proxy, VPN, or anonymizer services through Netskope. Here's a simplified breakdown of what the query does:
-
Purpose: The query identifies users who are trying to use services that can bypass security measures, such as proxies, VPNs, and anonymizers. This is important because such activities can indicate attempts to evade security controls.
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which logs events related to Netskope, a cloud security platform. -
Detection Logic:
- It looks at events from the past day (
1d). - It checks if users are accessing certain categories or applications known for bypassing security, like "Proxy Avoidance" or apps like "Tor" and "NordVPN".
- It also checks if users are visiting domains associated with these services.
- It looks at events from the past day (
-
Analysis:
- It counts how many requests each user made to these services (
RequestCount). - It identifies how many different apps were used (
UniqueApps) and lists them (Apps). - It also lists the categories, domains, and actions (e.g., blocked or allowed) associated with these requests.
- It counts how many requests were blocked versus allowed.
- It counts how many requests each user made to these services (
-
Output:
- The results are summarized by user, showing the number of allowed requests and total requests.
- The output is ordered by the number of allowed requests, highlighting users with the most successful bypass attempts.
-
Alerting:
- If any bypass attempts are detected, an alert is generated with details about the user and the number of allowed requests.
- An incident is created for further investigation, with incidents grouped by user account.
This query helps security teams monitor and respond to potential security control evasion attempts, enhancing the organization's security posture.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT30M
Period: P1D