Web proxy data
Web proxies are designed as intermediary layers between clients and applications to accelerate resource access and to provide defense against advanced web-based threats. They examine traffic between users and HTTP/HTTPS sites and, according to policy, identify, allow, block, or limit applications and URLs, as well as what a specific user is allowed to send and receive. User web activity can often be an indicator of possible compromise, phishing attempts, malware command and control, abuse, and outdated software.
Proxy Requests. Access logs and events (via syslog or API) from the web proxy provide details about the requests made by users and applications on the network, including website requests by users as well as application or service requests made to the internet. At a minimum, the logs should contain the timestamp, target IP/hostname and port, client IP and source port, content type, user agent, HTTP request method, action taken by the proxy, and the HTTP status code of the reply.
Application Awareness. Web proxies offer application awareness by looking at the contents of the data packets, rather than just the port, source and destination IP address, and protocol. Application awareness refers to the capability to permit or deny the use of specific applications, such as peer-to-peer file sharing, or to restrict how applications are used.
In the Common Information Model, proxy data is typically mapped to the Web data model.
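When onboarding a proxy source, it helps to measure how many events actually carry the minimum fields listed under Proxy Requests. The following is an added example, not code from this page or from any Splunk add-on; the key=value layout, the field names, and the sample events are constructed assumptions.

```python
import re
from collections import Counter

# Minimum fields from the "Proxy Requests" paragraph. These key names are
# assumptions for this example; each proxy add-on uses its own field names.
REQUIRED = ("timestamp", "dest", "dest_port", "src", "src_port",
            "content_type", "user_agent", "method", "action", "status")

# key=value pairs; a value is either double-quoted (may hold spaces) or bare.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Parse one key=value proxy event into a dict, unquoting quoted values."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in KV.findall(line)}

def missing_fields(event):
    """Required fields that are absent, empty, or logged as the '-' placeholder."""
    return [f for f in REQUIRED if event.get(f, "-") in ("", "-")]

def audit(lines):
    """Return (event_count, Counter mapping field -> events lacking it)."""
    total, gaps = 0, Counter()
    for line in lines:
        if line.strip():
            total += 1
            gaps.update(missing_fields(parse_event(line)))
    return total, gaps

# Constructed sample events (documentation hostnames and addresses).
SAMPLE = [
    'timestamp=2024-05-01T10:00:00Z src=10.0.0.5 src_port=51514 '
    'dest=example.com dest_port=443 method=CONNECT action=allowed status=200 '
    'content_type=- user_agent="Mozilla/5.0 (X11; Linux x86_64)"',
    'timestamp=2024-05-01T10:00:02Z src=10.0.0.9 dest=files.example.net '
    'dest_port=80 method=POST action=blocked status=403 '
    'content_type=application/octet-stream user_agent=""',
    'timestamp=2024-05-01T10:00:05Z src=10.0.0.5 src_port=51520 '
    'dest=192.0.2.10 dest_port=8080 method=GET action=allowed status=200 '
    'content_type=text/html user_agent=curl/8.5.0',
]

if __name__ == "__main__":
    total, gaps = audit(SAMPLE)
    for field in REQUIRED:
        present = total - gaps[field]
        print(f"{field:<13}{present}/{total} events populated")
```

Fields that are frequently unpopulated point to a logging profile or field extraction that needs adjusting before the data is mapped to the Web data model.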
Common data sources
- Fortinet FortiGate Add-On for Splunk
- Splunk Add-on for Juniper
- Splunk Add-on for Symantec Blue Coat ProxySG
- Palo Alto Networks Add-on for Splunk
- Splunk Add-on for NGINX
- Splunk Add-on for Squid Proxy
- Splunk Add-on for Check Point Log Exporter
- Splunk Add-on for Cisco FireSIGHT
- Splunk Add-on for Cisco ASA
- Splunk Add-on for Fortigate
- Splunk Add-on for Imperva SecureSphere WAF
Use cases for the Splunk platform
- Running common General Data Protection Regulation (GDPR) compliance searches
- Finding large web uploads
- Monitoring NIST SP 800-53 rev5 control families
- Detecting TOR traffic
- Detecting network and port scanning
- Managing firewall rules
- Monitoring for network traffic volume outliers
- Reconstructing a website defacement
- Detecting the use of randomization in cyberattacks