Splunk web proxy query

Raj7 · ‎11-26-2023

Hey,

Can someone please help me in building a query for user accessing webpage despite warning sign from proxy? @splunk

Raj7 · ‎11-26-2023

Let's say my proxy is zscaler.

Now was able to fetch logs for rule "Uncategorised/Unknown URL" with vendor_signature as "Request method cautioned". This capture associated user who received a warning when he tried accessing suspicious/malicious page. He still continued to take the risk and access the URL. So, the idea is to build a usecase that would captured these warning pages followed by successful connection towards the page.

PickleRick · ‎11-27-2023

I don't know zscaler logs but this task can be tricky. While the general approach seems to be relatively straightforward (just search, group by URL and user with the stats command and check if you have both the vendor_signature as well as successful request for the same URL/user pair), it might not be that easy to execute since proxies are usually quite talkative so if you did this over a longer timeframe the amount of returned data could overwhelm your SH.

PickleRick · ‎11-26-2023

And what data you have that shows this scenario?

Splunk web proxy query

regex

search job inspector

stats

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?