Techniques
Sample rules
Cisco SA - Access to Anonymizer Services
- source: splunk
- technicques:
Description
This analytic detects attempts to access proxy-evasion or anonymizer services using Cisco Secure Access DNS and secure web proxy telemetry. Users who reach anonymizer or proxy-evasion infrastructure are often trying to bypass corporate controls such as secure web gateway inspection, DLP monitoring, CASB visibility, and threat-detection systems. These services frequently establish encrypted tunnels that hide subsequent traffic from inspection. Early identification helps security teams spot circumvention attempts before potential data exfiltration or follow-on malicious activity. Correlating DNS resolution and proxy session data strengthens confidence that access was intentional.
Detection logic
`cisco_secure_access_dns`
action = "allowed" category= "*anonymizer*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime values(domain) as domain values(query) as query values(reply_code) as reply_code values(record_type) as record_type by src_ip src_external_ip user identity_type action category sourcetype
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_sa___access_to_anonymizer_services_filter`