I don't have proxy logs, but I do have IDS/firewalls, etc., and I want to create a search that will identify when a user has downloaded tools such as nmap, Kali, etc. Any ideas?
Some IDS tools have options for alerting on such downloads. What IDS tools are you using, and are they deployed in a location to view users' web traffic?
Cisco FireSIGHT. I am able to see that URLs are being captured, just not many.