Proxy server data is a type of web data generated by a proxy server, often one hosted on a multi-purpose network security appliance. A network proxy is a software service or appliance that relays traffic between clients and their destinations on the clients' behalf. A primary purpose of many proxy deployments is to hide internal IP addresses and user information from the public internet, so that external hosts only ever see the proxy. A proxy can also act much like a firewall, filtering or redirecting network activity that falls outside of standard acceptable use.
Proxy logs are valuable in many security use cases, including threat hunting, malware and virus detection, and insider threat detection: they record which internal user and host requested which external resource, whether the proxy allowed or blocked it, and how the remote side responded.
In the Common Information Model (CIM), proxy server data is typically mapped to the Web data model. This data model has many available fields, but users typically derive the most value from the fields listed here.
The action taken by the server or proxy.
The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
The amount of time, in seconds, it took to receive a response in the proxy event.
The source of the network traffic, that is, the client that made the request through the proxy.
The HTTP response code that indicates the status of the proxy request.
The path of the resource served by the web server or proxy.
The path of the resource requested by the client.
The URL of the requested HTTP resource.
The length of the URL.
The user that requested the HTTP resource.
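The following is an added example, not code from the Splunk documentation, showing what the mapping above looks like in practice and how the resulting fields support the use cases mentioned earlier. It parses a handful of constructed log lines in Squid's native access.log layout (ten whitespace-separated columns), maps them onto CIM Web field names (action, dest, duration, src, status, uri_path, uri_query, url, url_length, user, http_method), and then runs three simple hunts over the normalized events: blocked requests per user, unusually long URLs, and destinations contacted by a single client. The translation of Squid's TCP_DENIED result code to the action value "blocked" (and everything else to "allowed"), the mapping of the "-" user to "unknown", and the 80-character URL length threshold are assumptions made for this example, not part of the CIM specification.

```python
"""Normalize constructed proxy log lines to CIM Web field names and run simple hunts.

Added example, not Splunk's code. Field names follow the Splunk CIM Web data
model; the log layout is Squid's native access.log format; the action values
"allowed"/"blocked" and the "unknown" user are an assumed mapping for this example.
"""
from collections import Counter, defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample data (not real traffic) in Squid native access.log layout:
# time elapsed_ms client result_code/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1700000000.123    210 10.1.2.3 TCP_MISS/200 5120 GET http://example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1700000001.456     15 10.1.2.3 TCP_DENIED/403 3520 GET http://badsite.test/payload.exe alice HIER_NONE/- text/html
1700000002.789   1200 10.1.2.9 TCP_MISS/200 88 POST http://exfil.test/u?d=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk bob HIER_DIRECT/203.0.113.7 application/octet-stream
1700000003.012     40 10.1.2.9 TCP_DENIED/403 3520 GET http://badsite.test/stage2.bin bob HIER_NONE/- text/html
1700000004.345    300 10.1.2.5 TCP_HIT/200 20480 GET http://example.com/logo.png - HIER_NONE/- image/png
1700000005.678   5000 10.1.2.5 TCP_TUNNEL/200 9000 CONNECT login.example.com:443 carol HIER_DIRECT/93.184.216.34 -
"""


def parse_squid_line(line: str) -> Dict[str, object]:
    """Map one Squid native access.log line onto CIM Web field names."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    ts, elapsed_ms, client, result, _bytes, method, url, user, _hier, _ctype = fields
    result_code, status = result.split("/", 1)

    if "://" in url:
        parts = urlsplit(url)
        dest = parts.hostname or ""
        uri_path, uri_query = parts.path, parts.query
    else:
        # CONNECT (HTTPS tunnel) requests log only host:port, with no scheme or path.
        dest, uri_path, uri_query = url.rsplit(":", 1)[0], "", ""

    return {
        "_time": float(ts),
        # Assumed mapping: Squid's TCP_DENIED result code means the proxy blocked the request.
        "action": "blocked" if result_code == "TCP_DENIED" else "allowed",
        "dest": dest,
        "duration": int(elapsed_ms) / 1000,  # Squid logs milliseconds; CIM duration is seconds
        "http_method": method,
        "src": client,
        "status": int(status),
        "uri_path": uri_path,
        "uri_query": uri_query,
        "url": url,
        "url_length": len(url),
        "user": "unknown" if user == "-" else user,  # assumed placeholder for unauthenticated clients
    }


def normalize_proxy_log(raw: str) -> List[Dict[str, object]]:
    """Parse every non-empty line of a raw log into CIM-style event dicts."""
    return [parse_squid_line(line) for line in raw.splitlines() if line.strip()]


def blocked_per_user(events: List[Dict[str, object]]) -> Counter:
    """Count blocked requests per user: repeated blocks point at policy abuse or malware."""
    return Counter(e["user"] for e in events if e["action"] == "blocked")


def long_url_events(events: List[Dict[str, object]], threshold: int = 80) -> List[Dict[str, object]]:
    """Requests whose URL exceeds the (assumed) length threshold; long query strings are a
    common place for data exfiltration or command-and-control to hide encoded payloads."""
    return [e for e in events if e["url_length"] > threshold]


def rare_destinations(events: List[Dict[str, object]]) -> List[str]:
    """Destinations contacted by exactly one client; rare hosts are where hunts usually start."""
    clients_by_dest = defaultdict(set)
    for e in events:
        clients_by_dest[e["dest"]].add(e["src"])
    return sorted(d for d, clients in clients_by_dest.items() if len(clients) == 1)


if __name__ == "__main__":
    evts = normalize_proxy_log(SAMPLE_LOG)
    print("blocked per user:", dict(blocked_per_user(evts)))
    print("long URLs:", [(e["user"], e["dest"], e["url_length"]) for e in long_url_events(evts)])
    print("rare destinations:", rare_destinations(evts))
```

In Splunk itself this normalization is done by the add-on for the proxy product through field aliases and calculated fields, and the hunts become searches over the Web data model; the point of the example is that once action, src, dest, user, status and url_length carry consistent values, the same questions can be asked of any proxy vendor's logs.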
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.