Update detections/network/cisco_sa___access_to_anonymizer_services.yml

patel-bhavin · nasbench · web-flow · commit c60da68346e7 · 2026-06-04T17:47:50.000+05:30
Co-authored-by: Nasreddine Bencherchali &lt;nasreddineb@splunk.com&gt;
diff --git a/detections/network/cisco_sa___access_to_anonymizer_services.yml b/detections/network/cisco_sa___access_to_anonymizer_services.yml
@@ -10,7 +10,6 @@ description: |
     This analytic detects attempts to access proxy-evasion or anonymizer services using Cisco Secure Access DNS and secure web proxy telemetry.
     Users who reach anonymizer or proxy-evasion infrastructure are often trying to bypass corporate controls such as secure web gateway inspection, DLP monitoring, CASB visibility, and threat-detection systems. These services frequently establish encrypted tunnels that hide subsequent traffic from inspection.
     Early identification helps security teams spot circumvention attempts before potential data exfiltration or follow-on malicious activity. Correlating DNS resolution and proxy session data strengthens confidence that access was intentional.
-    Activity is mapped to MITRE ATT&CK T1562.001 (Impair Defenses) when categories indicate anonymizer or proxy-evasion infrastructure.
 data_source:
     - Cisco Secure Access DNS
 search: |-
