Hey,
Can someone please help me in building a query for user accessing webpage despite warning sign from proxy? @splunk
Let's say my proxy is zscaler.
Now was able to fetch logs for rule "Uncategorised/Unknown URL" with vendor_signature as "Request method cautioned". This capture associated user who received a warning when he tried accessing suspicious/malicious page. He still continued to take the risk and access the URL. So, the idea is to build a usecase that would captured these warning pages followed by successful connection towards the page.
I don't know zscaler logs but this task can be tricky. While the general approach seems to be relatively straightforward (just search, group by URL and user with the stats command and check if you have both the vendor_signature as well as successful request for the same URL/user pair), it might not be that easy to execute since proxies are usually quite talkative so if you did this over a longer timeframe the amount of returned data could overwhelm your SH.
And what data you have that shows this scenario?