Proxy data

Proxy server data is a type of web data that is generated by a proxy server often hosted on a multi-purpose network security appliance. A network proxy is a software service or appliance device that relays traffic from the origin to the destination. In many implementations of a proxy, a primary purpose of this technology is to mask intranet IP and user information from the public internet, providing a layer of security through obscurity. Proxy technology can also be used similar to a firewall by serving as a filter or redirect for some network activity that falls outside of standard acceptable use. 

Data visibility 

Proxy logs are beneficial in many security use cases, not the least of which include threat hunting, malware and virus detection, and insider threat detection.

High-value fields

In the Common Information Model, proxy server data is typically mapped to the Web Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.

action

The action taken by the server or proxy.

dest

The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.

response_time

The amount of time, in seconds, it took to receive a response in the authentication event.

src

The source involved in the authentication. In the case of endpoint protection authentication, the source is the client.

status

The HTTP response code that indicates the status of the proxy request.

uri_path

The path of the resource served by the web server or proxy.

uri_query

The path of the resource requested by the client.

url

The URL of the requested HTTP resource.

url_length

The length of the URL.

user

The user that requested the HTTP resource.

Known data sources and source types

Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.

Related Use Cases

• Monitoring employee network traffic