Splunk Lantern

Web proxy data


Web proxies are intermediary layers between clients and applications that accelerate access to resources and provide a defense against advanced web-based threats. They inspect traffic between users and HTTP/HTTPS sites, identify applications and URLs, and allow, block, or limit them according to policy, including what a specific user is permitted to send and receive. User web activity is often an indicator of possible compromise, phishing attempts, malware command and control, abuse, and outdated software.

Proxy Requests. Access logs and events (via syslog or API) from the web proxy provide details of the requests made by users and applications on the network: web site requests made by users, as well as application or service requests made to the Internet. At a minimum, the logs should contain the timestamp, target IP/hostname and port, client IP and source port, content type, user agent, HTTP request method, action taken by the proxy, and the HTTP status code of the reply.

Application Awareness. Web proxies offer application awareness by examining the contents of the data packets rather than only the port, source and destination IP addresses, and protocol. Application awareness refers to the capability of permitting or denying the use of specific applications, such as peer-to-peer file sharing, and of restricting how permitted applications are used.

In the Common Information Model, proxy data is typically mapped to the Web data model.
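As an added illustration (not from Splunk Lantern or any proxy vendor), the Python below parses constructed key=value access log lines carrying the minimum fields listed above, renames them to CIM Web data model field names, and runs two simple triage checks over the result. The vendor key names and log layout are invented for the example; the CIM field names in CIM_MAP are an assumption from memory and should be verified against the Web data model reference.

```python
"""Normalize constructed proxy access log lines to CIM Web field names."""
import shlex
from collections import Counter

# Constructed sample lines (not real proxy output); a key=value layout is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 sport=51001 host=www.example.com dport=443 method=GET ctype=text/html ua="Mozilla/5.0 Firefox/125.0" action=allowed status=200 url=https://www.example.com/
2024-05-01T10:00:02Z client=10.0.0.5 sport=51002 host=www.example.com dport=443 method=POST ctype=application/json ua="Mozilla/5.0 Firefox/125.0" action=allowed status=200 url=https://www.example.com/api
2024-05-01T10:00:03Z client=10.0.0.9 sport=40111 host=198.51.100.7 dport=8080 method=POST ctype=application/octet-stream ua="curl/7.29.0" action=blocked status=403 url=http://198.51.100.7:8080/gate
2024-05-01T10:00:04Z client=10.0.0.9 sport=40112 host=198.51.100.7 dport=8080 method=POST ctype=application/octet-stream ua="curl/7.29.0" action=blocked status=403 url=http://198.51.100.7:8080/gate
2024-05-01T10:00:05Z client=10.0.0.9 sport=40113 host=198.51.100.7 dport=8080 method=POST ctype=application/octet-stream ua="curl/7.29.0" action=blocked status=403 url=http://198.51.100.7:8080/gate
"""

# Vendor key -> CIM Web data model field name (assumed mapping; check your add-on).
CIM_MAP = {
    "client": "src", "sport": "src_port", "host": "dest", "dport": "dest_port",
    "method": "http_method", "ctype": "http_content_type", "ua": "http_user_agent",
    "action": "action", "status": "status", "url": "url",
}
INT_FIELDS = {"src_port", "dest_port", "status"}

def parse_proxy_line(line):
    """Parse one key=value line into a dict keyed by CIM field names."""
    tokens = shlex.split(line)          # respects the quotes around the user agent
    event = {"_time": tokens[0]}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        cim = CIM_MAP.get(key)
        if cim is None:
            continue                    # unmapped vendor field: leave it out
        event[cim] = int(value) if cim in INT_FIELDS else value
    return event

def parse_log(text):
    return [parse_proxy_line(l) for l in text.splitlines() if l.strip()]

def repeated_blocks(events, min_count=3):
    """Clients whose requests the proxy blocked at least min_count times."""
    hits = Counter(e["src"] for e in events if e["action"] == "blocked")
    return {src: n for src, n in hits.items() if n >= min_count}

def user_agent_inventory(events):
    """Which clients present each user agent; useful for spotting outdated software."""
    seen = {}
    for e in events:
        seen.setdefault(e["http_user_agent"], set()).add(e["src"])
    return {ua: sorted(srcs) for ua, srcs in seen.items()}
```

Once the fields carry CIM names, the same checks become `stats` searches against the Web data model in Splunk rather than ad hoc scripts.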

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 
