
Summary
This anomaly rule detects attempts to access proxy-evasion or anonymizer services by correlating Cisco Secure Access DNS telemetry with secure web proxy data. It targets users who reach anonymizer or proxy-evasion infrastructure, a common tactic for bypassing controls such as SSL inspection, DLP, and CASB visibility, often by establishing an encrypted tunnel that hides subsequent traffic. The detection ingests Cisco Secure Access DNS events, applies the macro cisco_sa___access_to_anonymizer_services_filter to select suspicious domains and query patterns, and then aggregates by src_ip, user, domain, and query to surface first and last seen times together with contextual fields (domain, query, reply_code, record_type). Analysts can drill down into per-user risk and session details to assess whether the access was deliberate and to mitigate follow-on malicious activity; correlation with proxy session data increases confidence that the access was intentional. The analytic maps to MITRE ATT&CK technique T1090.003 (Proxy). Early identification helps prevent data exfiltration and follow-on activity. Ingestion is designed for Cisco Secure Access DNS data in Splunk via the Splunk Add-on for Cisco Security Cloud. Known false positives include security research and legitimate privacy tools; after validation, tune the filter macro and maintain allow-lists for known-good users and domains.
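The aggregation and proxy correlation the summary describes, worked through in Python as an added example (not the rule's own SPL or the Splunk add-on's code). The DNS events, proxy sessions and the ANONYMIZER_PATTERNS stand-in for the filter macro are constructed assumptions; the macro's real definition is not on this page.

```python
# Constructed sample telemetry (not real data) in the field shape the summary
# describes: Cisco Secure Access DNS events and secure web proxy sessions.
DNS_EVENTS = [
    {"_time": "2026-06-09T08:00:00", "src_ip": "10.1.1.5", "user": "alice",
     "domain": "anonymizer.example", "query": "gw.anonymizer.example",
     "reply_code": "NOERROR", "record_type": "A"},
    {"_time": "2026-06-09T08:05:00", "src_ip": "10.1.1.5", "user": "alice",
     "domain": "anonymizer.example", "query": "gw.anonymizer.example",
     "reply_code": "NOERROR", "record_type": "AAAA"},
    {"_time": "2026-06-09T08:07:00", "src_ip": "10.1.1.9", "user": "bob",
     "domain": "intranet.example", "query": "wiki.intranet.example",
     "reply_code": "NOERROR", "record_type": "A"},
    {"_time": "2026-06-09T09:00:00", "src_ip": "10.1.1.7", "user": "carol",
     "domain": "proxyevasion.example", "query": "proxyevasion.example",
     "reply_code": "NXDOMAIN", "record_type": "A"},
]
PROXY_SESSIONS = [  # only alice's lookup is followed by an actual web session
    {"src_ip": "10.1.1.5", "user": "alice", "dest_domain": "gw.anonymizer.example"},
]

# Hypothetical stand-in for the cisco_sa___access_to_anonymizer_services_filter
# macro; the real macro's definition is not on the page.
ANONYMIZER_PATTERNS = ("anonymizer", "proxyevasion")
ALLOWLIST = set()  # known-good users/domains added after validation (tuning)

def is_suspicious(event):
    if event["user"] in ALLOWLIST or event["domain"] in ALLOWLIST:
        return False
    return any(p in event["domain"] for p in ANONYMIZER_PATTERNS)

def aggregate(dns_events):
    """Group by src_ip, user, domain, query; keep first/last seen and context."""
    groups = {}
    for e in filter(is_suspicious, dns_events):
        key = (e["src_ip"], e["user"], e["domain"], e["query"])
        g = groups.setdefault(key, {"firstTime": e["_time"], "lastTime": e["_time"],
                                    "count": 0, "reply_code": set(), "record_type": set()})
        g["firstTime"] = min(g["firstTime"], e["_time"])  # ISO timestamps sort as text
        g["lastTime"] = max(g["lastTime"], e["_time"])
        g["count"] += 1
        g["reply_code"].add(e["reply_code"])
        g["record_type"].add(e["record_type"])
    return groups

def correlate(groups, proxy_sessions):
    """Raise confidence when the same src_ip/user also opened a proxy session to the queried host."""
    seen = {(s["src_ip"], s["user"], s["dest_domain"]) for s in proxy_sessions}
    for (src_ip, user, _domain, query), g in groups.items():
        g["confidence"] = "high" if (src_ip, user, query) in seen else "medium"
    return groups
```

Carol's NXDOMAIN lookup stays a medium-confidence finding because no proxy session confirms the access, which is the case the summary flags for analyst drill-down.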
Categories
- Network
- Endpoint
Data Sources
- Cloud Service
- Internet Scan
- Pod
- Container
- User Account
- Windows Registry
- Script
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Cloud Storage
- Domain Name
- Process
- Firewall
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
- Module
ATT&CK Techniques
- T1090
- T1090.003
Created: 2026-06-09