Proxy server data is web data generated by a proxy server, often one hosted on a multi-purpose network security appliance. A network proxy is a software service or appliance that relays traffic between a client and its destination. In many deployments a primary purpose of the proxy is to hide internal IP addresses and user identities from the public internet, so that external hosts see only the proxy's address; this limits what an outside observer learns about the intranet, but it is not a substitute for filtering. A proxy can also act much like a firewall, filtering or redirecting requests that fall outside acceptable-use policy.
Proxy logs support many security use cases, including threat hunting, malware detection, and insider threat detection.
When your Splunk deployment is ingesting proxy data, you can use the data to achieve objectives related to the following use cases:
In the Common Information Model, proxy server data is typically mapped to the Web data model. The data model has many fields, but the fields listed here, by their CIM field name, usually deliver the most value.
action: Action taken by the server or proxy.
dest: Destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
response_time: Amount of time, in milliseconds, it took to receive a response in the proxy event. Check the unit your proxy writes; some vendors log seconds and must be converted.
src: Source of the network traffic (the client that made the request). You can alias this from more specific fields, such as src_host, src_ip, or src_name.
status: HTTP response code that indicates the status of the proxy request.
uri_path: Path of the resource served by the web server or proxy.
uri_query: Query string of the resource requested by the client (the part of the URL after the ?).
url: URL of the requested HTTP resource.
url_length: Length of the URL.
user: User that requested the HTTP resource.
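The mapping is easier to see on real input. The following Python, added here as an example rather than Splunk's own code, normalizes a few constructed Squid-style access-log lines into the CIM Web field names listed above and then runs two of the hunts mentioned earlier (blocked requests per user, oversized URLs) over the normalized events. The Squid native log layout of the sample lines, the rule that a TCP_DENIED result maps to action=blocked, and the thresholds are assumptions for illustration; in a Splunk deployment the same mapping is done with field extractions and aliases at search time, and the hunts become searches against the Web data model.

```python
"""Normalize proxy access-log lines into Splunk CIM Web data model field names
and run two simple hunts over the normalized events.

Added example, not Splunk's code. The CIM field names are real; the Squid-style
log layout of the sample lines, the action mapping, and the hunt thresholds are
assumptions made for illustration.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (assumption):
# timestamp elapsed_ms client_ip result_code/status bytes method url user hierarchy content_type
_LONG_URL = "http://cdn.example.org/a/b/c?d=" + "A" * 180
SAMPLE_LOG = "\n".join([
    "1700000000.123    245 10.1.2.3 TCP_MISS/200 1234 GET http://example.com/index.html?x=1 alice HIER_DIRECT/93.184.216.34 text/html",
    "1700000001.456     12 10.1.2.3 TCP_DENIED/403 3321 GET http://bad.example.net/payload.exe alice HIER_NONE/- text/html",
    "1700000002.789     15 10.1.2.3 TCP_DENIED/403 3321 GET http://bad.example.net/stage2.bin alice HIER_NONE/- text/html",
    "1700000003.001     18 10.1.2.3 TCP_DENIED/403 3321 POST http://bad.example.net/c2 alice HIER_NONE/- text/html",
    f"1700000004.222    980 10.1.2.4 TCP_MISS/200 512 GET {_LONG_URL} - HIER_DIRECT/203.0.113.5 application/octet-stream",
    "1700000005.333     60 10.1.2.5 TCP_HIT/200 2048 GET http://example.com/logo.png bob HIER_NONE/- image/png",
])


def to_cim(line: str) -> dict:
    """Map one raw line to CIM Web field names.

    Squid writes the elapsed time in milliseconds, which matches the unit the
    Web data model uses for response_time; convert first if your proxy logs
    seconds. Squid writes '-' when no user is known.
    """
    parts = line.split()
    if len(parts) < 10:
        raise ValueError(f"unexpected proxy log line: {line!r}")
    _ts, elapsed, client, result, _bytes, method, url, user, _hier, _ctype = parts[:10]
    result_code, _, status = result.partition("/")
    u = urlsplit(url)
    return {
        # Assumption: TCP_DENIED is the only result code treated as a block.
        "action": "blocked" if result_code == "TCP_DENIED" else "allowed",
        "dest": u.hostname,                 # aliased from the URL host
        "response_time": int(elapsed),      # milliseconds
        "src": client,                      # the requesting client
        "status": int(status),              # HTTP response code
        "uri_path": u.path,
        "uri_query": u.query,
        "url": url,
        "url_length": len(url),
        "user": None if user == "-" else user,
        "http_method": method,
    }


def parse_log(text: str) -> list[dict]:
    """Normalize every non-empty line of a log into CIM events."""
    return [to_cim(line) for line in text.splitlines() if line.strip()]


def blocked_requests_by_user(events: list[dict], threshold: int = 3) -> dict:
    """Users with at least `threshold` blocked requests: a cheap insider-threat
    and malware-beaconing signal built only from the CIM action and user fields."""
    counts = Counter(e["user"] for e in events
                     if e["action"] == "blocked" and e["user"])
    return {user: n for user, n in counts.items() if n >= threshold}


def oversized_urls(events: list[dict], max_len: int = 200) -> list[dict]:
    """Requests whose url_length exceeds max_len, a common hunt for data
    smuggled in query strings or tunnelled C2. Returns src, dest and length."""
    return [{"src": e["src"], "dest": e["dest"], "url_length": e["url_length"]}
            for e in events if e["url_length"] > max_len]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("blocked by user:", blocked_requests_by_user(evts))
    print("oversized URLs:", oversized_urls(evts))
```

Both hunts deliberately use only the normalized field names, which is the point of mapping to CIM: once a second proxy vendor's logs are mapped to the same fields, the same detection logic runs unchanged over both sources.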
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.