LoFP LoFP / security research, approved privacy tools, or mis-categorized destinations may appear as anonymizer traffic. tune this analytic with the filter macro or allow-lists for known-good users, networks, and domains after validating business justification.

Techniques

Sample rules

Cisco SA - Access to Anonymizer Services

Description

This analytic detects attempts to access proxy-evasion or anonymizer services using Cisco Secure Access DNS and secure web proxy telemetry. Users who reach anonymizer or proxy-evasion infrastructure are often trying to bypass corporate controls such as secure web gateway inspection, DLP monitoring, CASB visibility, and threat-detection systems. These services frequently establish encrypted tunnels that hide subsequent traffic from inspection. Early identification helps security teams spot circumvention attempts before potential data exfiltration or follow-on malicious activity. Correlating DNS resolution and proxy session data strengthens confidence that access was intentional.

Detection logic

`cisco_secure_access_dns`
action = "allowed" category= "*anonymizer*"

| fillnull

| stats count min(_time) as firstTime max(_time) as lastTime values(domain) as domain values(query) as query values(reply_code) as reply_code values(record_type) as record_type by src_ip src_external_ip user identity_type action category sourcetype

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_sa___access_to_anonymizer_services_filter`