Splunk Enterprise Security

How to detect url/domain category change in proxy logs

vicky2903
New Member

Hi Everyone,

I want to create a splunk query which can detect url/domain category change in the proxy logs within last 7 days

Example

Initial domain/url category

Domain/url : abc.com
Category : New Domain
Date : 12 May 2020

Final domain/url category

Domain/url : abc.com
Category : Business
Date : 18 May 2020

Kindly help at the earliest

Thanks

Labels (1)
0 Karma
1 Solution

PavelP
Motivator

Hello @vicky2903

from the naive perspective this search will find domains with more than 1 category:

sourcetype=proxylog earliest=-7@d latest=now
| stats  dc(url_category) AS num_of_cat by domain 
|  where num_of_cat > 1

but in real life things are different:

I suggest to compare not domains alone but domain + first segment of url to handle such cases.

Which URL database do use use? Cases above can be applied to Talos (Cisco), Trustedsource (McAfee) and BlueCoat/Symantec/Broadcom among others

View solution in original post

0 Karma

PavelP
Motivator

Hello @vicky2903

from the naive perspective this search will find domains with more than 1 category:

sourcetype=proxylog earliest=-7@d latest=now
| stats  dc(url_category) AS num_of_cat by domain 
|  where num_of_cat > 1

but in real life things are different:

I suggest to compare not domains alone but domain + first segment of url to handle such cases.

Which URL database do use use? Cases above can be applied to Talos (Cisco), Trustedsource (McAfee) and BlueCoat/Symantec/Broadcom among others

View solution in original post

0 Karma

vicky2903
New Member

Hi ,

Thanks for the answer

Thanks

0 Karma

PavelP
Motivator

@vicky2903 please accept my answer if it resolve your query

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!