IP service category reporting
Use the System Log to review security events in your org and determine which IP service categories belong in your enhanced dynamic zone.
Search by event
You can discover IP service categories in your org by focusing on two primary event types.
-
In the Admin Console, go to .
-
Search for the following event types:
- security.request.blocked: This is the primary event for tracking IP-level blocks at the org level. It's triggered when a user's request is denied based on your org's network zone configuration with the Block access from IPs matching conditions listed in this zone setting.
- policy.evaluate_sign_on: This event is triggered when a user's request originates from a network zone configured with global session policy or app sign-in policy rules.
-
Within the events, expand the IpDetails > IPServiceCategories sections.
- IsAnyonymous: Indicates whether the IP is associated with an anonymization service.
- Operator: Identifies the specific VPN, proxy, or service provider.
- Type: Categorizes the IP service detected (VPN, Proxy, Tor).
Query the System Log
Run these queries to see events sorted by IP service category.
|
IP service category |
Definition |
System Log query |
|---|---|---|
| ALL_PROXIES_VPNS | Includes all of the following IP service categories | request.ipChain.ipDetails.ipServiceCategories.type eq "Proxy" or request.ipChain.ipDetails.ipServiceCategories.type eq "VPN" |
| ALL_ANONYMIZERS | Includes TOR and Tunnel services | request.ipChain.ipDetails.ipServiceCategories.isAnonymous eq "true" |
| ALL_ANONYMIZERS_EXCEPT_TOR | Includes all Tunnel services, excludes TOR | request.ipChain.ipDetails.ipServiceCategories.type ne "Tor" and request.ipChain.ipDetails.ipServiceCategories.isAnonymous eq "true" |
| ANONYMIZER_TOR | Specific service category for TOR anonymizer | request.ipChain.ipDetails.ipServiceCategories.type eq "Tor" |
| Individual proxy service categories (by operator) | Search for a specific operator, for example EXPRESS_VPN | request.ipChain.ipDetails.ipServiceCategories.operator eq "EXPRESS_VPN" |
Add IP service categories to your enhanced dynamic zone
You can use enhanced dynamic zones as blocklists for IP service category types, or they can define the policy conditions that users must meet to sign in.
Blocklist
-
In the Admin Console, go to .
- Select the enhanced dynamic zone where you want to add IP service categories.
- Select Block access from IPs matching conditions.
- Configure the IP service category fields with the categories that you've identified, and then click Save.
Allowlist
-
In the Admin Console, go to .
- Select the enhanced dynamic zone where you want to add IP service categories.
- Clear the Block access from IPs matching conditions option.
- Configure the IP service category fields with the categories that you've identified, and then click Save.
- Add the zone that you've configured to your global session policy or app sign-in policy. Both policies have a User's IP is field that lets you specify zones to include or exclude.