Splunk Enterprise Security

How to detect url/domain category change in proxy logs

New Member

Hi Everyone,

I want to create a splunk query which can detect url/domain category change in the proxy logs within last 7 days

Example

Initial domain/url category

Domain/url : abc.com
Category : New Domain
Date : 12 May 2020

Final domain/url category

Domain/url : abc.com
Category : Business
Date : 18 May 2020

Kindly help at the earliest

Thanks


Re: How to detect url/domain category change in proxy logs

Motivator

Hello @vicky2903

From a naive perspective, this search will find domains with more than one category:

sourcetype=proxylog earliest=-7@d latest=now
| stats dc(url_category) AS num_of_cat by domain
| where num_of_cat > 1

but in real life things are different:

I suggest comparing not domains alone but domain + first segment of the URL to handle such cases.

Which URL database do you use? The cases above apply to Talos (Cisco), TrustedSource (McAfee) and BlueCoat/Symantec/Broadcom, among others.

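The detection the answer above describes (domains whose category changed within the last 7 days, keyed by domain plus the first URL path segment rather than by domain alone) is shown here as an added Python example run over a few constructed proxy events. It is not code from the original thread or from Splunk; the `url=... category="..."` line layout, the field names and the sample events are assumptions, and the `now` argument stands in for the search's `latest=now` while the cutoff snaps to the start of the day like `earliest=-7@d`.

```python
"""Detect URL-category changes in proxy logs within a 7-day window.

Added example. The log format below is constructed, not a particular
vendor's proxy format; category names are illustrative only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample events: abc.com moves from "New Domain" to "Business",
# while share.example.net has two paths that legitimately carry different
# categories (a false positive if we key by domain alone).
SAMPLE_LOG = """\
2020-05-12T08:01:00 url=http://abc.com/ category="New Domain"
2020-05-13T09:15:00 url=http://abc.com/login category="New Domain"
2020-05-18T10:30:00 url=http://abc.com/ category="Business"
2020-05-14T11:00:00 url=http://share.example.net/docs/x category="Business"
2020-05-15T12:00:00 url=http://share.example.net/files/y category="File Sharing"
2020-05-16T13:00:00 url=http://share.example.net/docs/z category="Business"
"""

# Assumed event layout: ISO timestamp, url=<url>, category="<name>".
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+url=(?P<url>\S+)\s+category="(?P<cat>[^"]*)"'
)


def parse_line(line):
    """Return (timestamp, url, category) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["url"], m["cat"]


def grouping_key(url, by_path_segment=True):
    """Build the key the answer suggests: host + first path segment.

    With by_path_segment=False this degrades to the naive per-domain key.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not by_path_segment:
        return host
    segments = [s for s in parts.path.split("/") if s]
    first = segments[0] if segments else ""
    return f"{host}/{first}"


def find_category_changes(log_text, now, window_days=7, by_path_segment=True):
    """Return keys seen with more than one category inside the window.

    Mirrors `stats dc(url_category) ... | where num_of_cat > 1`, and also
    reports the first and last category with their timestamps so an analyst
    can see the direction of the change.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    # Like earliest=-7@d: go back window_days and snap to midnight.
    cutoff = (now - timedelta(days=window_days)).replace(
        hour=0, minute=0, second=0, microsecond=0
    )
    observations = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, url, cat = parsed
        if ts < cutoff or ts > now:
            continue
        observations[grouping_key(url, by_path_segment)].append((ts, cat))

    findings = []
    for key, obs in observations.items():
        obs.sort()  # chronological order
        categories = {cat for _, cat in obs}
        if len(categories) < 2:
            continue
        findings.append({
            "key": key,
            "num_of_cat": len(categories),
            "first_category": obs[0][1],
            "first_seen": obs[0][0].isoformat(),
            "last_category": obs[-1][1],
            "last_seen": obs[-1][0].isoformat(),
        })
    findings.sort(key=lambda f: f["key"])
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        label = "domain + first segment" if mode else "domain only"
        print(f"== keyed by {label} ==")
        for f in find_category_changes(SAMPLE_LOG, "2020-05-19T00:00:00",
                                       by_path_segment=mode):
            print(f"{f['key']}: {f['first_category']} ({f['first_seen']}) -> "
                  f"{f['last_category']} ({f['last_seen']})")
```

Run with the domain-only key, the script flags both abc.com and share.example.net; with the suggested domain-plus-first-segment key, only abc.com/ is reported, which is the case the original question asked about. In SPL the same refinement is a matter of building that key with `eval` before the `stats` call and adding `earliest(url_category)`/`latest(url_category)` to the aggregation so the direction of the change is visible.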

Re: How to detect url/domain category change in proxy logs

New Member

Hi,

Thanks for the answer

Thanks


Re: How to detect url/domain category change in proxy logs

Motivator

@vicky2903 please accept my answer if it resolves your query.
