Splunk Enterprise Security

How to detect url/domain category change in proxy logs

vicky2903
New Member

Hi Everyone,

I want to create a splunk query which can detect url/domain category change in the proxy logs within last 7 days

Example

Initial domain/url category

Domain/url : abc.com
Category : New Domain
Date : 12 May 2020

Final domain/url category

Domain/url : abc.com
Category : Business
Date : 18 May 2020

Kindly help at the earliest

Thanks

0 Karma
1 Solution

PavelP
Motivator

Hello @vicky2903

from the naive perspective this search will find domains with more than 1 category:

sourcetype=proxylog earliest=-7@d latest=now
| stats  dc(url_category) AS num_of_cat by domain 
|  where num_of_cat > 1

but in real life things are different:

I suggest to compare not domains alone but domain + first segment of url to handle such cases.

Which URL database do use use? Cases above can be applied to Talos (Cisco), Trustedsource (McAfee) and BlueCoat/Symantec/Broadcom among others

View solution in original post

0 Karma

PavelP
Motivator

Hello @vicky2903

from the naive perspective this search will find domains with more than 1 category:

sourcetype=proxylog earliest=-7@d latest=now
| stats  dc(url_category) AS num_of_cat by domain 
|  where num_of_cat > 1

but in real life things are different:

I suggest to compare not domains alone but domain + first segment of url to handle such cases.

Which URL database do use use? Cases above can be applied to Talos (Cisco), Trustedsource (McAfee) and BlueCoat/Symantec/Broadcom among others

0 Karma

vicky2903
New Member

Hi ,

Thanks for the answer

Thanks

0 Karma

PavelP
Motivator

@vicky2903 please accept my answer if it resolve your query

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...