Dear Community,

I have the following situation:

Outbound = Client -> Proxy -> IDS -> Internet
Inbound (return traffic) = Internet -> IDS -> Proxy -> Client

I'm getting logs from both the Proxy and the IDS. In essence, I would like to be able to correlate information from the Proxy and the IDS so I have correct IP information about the connection (since the proxy changes the IP header, I lose visibility on the IDS and get a lot of false positives).

For Outbound, I would like to get the source IP from the Proxy and the destination from the IDS (Outbound = SrcPROXY - DstIDS) into one single row. For Inbound, I would need to get the source from the IDS and the destination from the Proxy (Inbound = SrcIDS - DstPROXY) into one single row.

Ideally, I would like to create a transaction that displays the flow (outbound-inbound) in one single row for better visibility and incident response.

https://ibb.co/fM6V5D2

Example of logs:

IDS log example:

Nov 17 07:11:30 10.x.x.x 2020-11-17T12:11:56Z 01 %IDS-6-******, SrcIP: 192.168.10.10, DstIP: 208.x.x.x, SrcPort: 23116, DstPort: 443, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 0, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2721, ResponderBytes: 4693, URL: https://**

Destination_IDS = DstIP: 208.x.x.x
host = 10.10.10.10
source = splunk-ids
sourcetype = ids_Syslog

Proxy log example:

11/17/20 8:16:01.000 AM Nov 17 08:16:01 10.x.x.x Nov 17 13:16:29 proxy_hostname Splunk_S: Info: 1605618979.572 170133 CLIENT_IP_ADDRESS TCP_MISS/200 7462 CONNECT tunnel://safebrowsing.googleapis.com:443/ "(Unauthenticated)CLIENT_IP_ADDRESS" DIRECT/safebrowsing.googleapis.com - OTHER-NONE-PassiveAuth_or_NTLM-NONE-NONE-NONE-DefaultGroup-NONE

Source_proxy = "(Unauthenticated)10.x.x.x"
host = 10.x.x.x
source = splunk-proxy
sourcetype = tools:proxy:squid

I would highly appreciate any guidance, help, suggestion, comment.
Thanks!
Aka
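As an added illustration (not part of the original post or any Splunk content), the correlation the post asks for, done outside Splunk in Python over the two log formats quoted above: parse the IDS event and the Squid-style proxy event, pair them by destination port within a time window, and emit one row per flow with the client IP taken from the proxy and the Internet-side IP taken from the IDS. The sample lines are constructed (masked octets replaced with documentation addresses), and the join key (port plus clock proximity, assuming synchronised clocks) is an assumption; it is weak under many concurrent 443 flows and would need a stronger key in production.

```python
import re
from datetime import datetime, timezone

# Constructed sample events modelled on the two formats quoted in the post
# (masked x.x octets replaced with documentation addresses; not real traffic).
IDS_LINES = [
    "2020-11-17T12:11:56Z 01 %IDS-6-******, SrcIP: 192.168.10.10, DstIP: 203.0.113.5, "
    "SrcPort: 23116, DstPort: 443, Protocol: tcp, IngressInterface: inside, EgressInterface: outside",
    "2020-11-17T12:11:57Z 01 %IDS-6-******, SrcIP: 203.0.113.5, DstIP: 192.168.10.10, "
    "SrcPort: 443, DstPort: 23116, Protocol: tcp, IngressInterface: outside, EgressInterface: inside",
]
PROXY_LINES = [
    '1605615114.572 170133 10.1.2.3 TCP_MISS/200 7462 CONNECT tunnel://safebrowsing.googleapis.com:443/ '
    '"(Unauthenticated)10.1.2.3" DIRECT/safebrowsing.googleapis.com - OTHER-NONE',
]

IDS_RE = re.compile(r"^(\S+Z) .*?SrcIP: (\S+), DstIP: (\S+), SrcPort: (\d+), DstPort: (\d+).*?"
                    r"IngressInterface: (\w+)")
# Squid native format: epoch.ms elapsed client result/status bytes method URL ...
PROXY_RE = re.compile(r"^(\d+\.\d+) \d+ (\S+) \S+ \d+ \w+ \S+?://([^:/]+):(\d+)/")

def parse_ids(line):
    m = IDS_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return {"ts": ts, "src": m.group(2), "dst": m.group(3), "sport": int(m.group(4)),
            "dport": int(m.group(5)), "outbound": m.group(6) == "inside"}  # inside->outside = outbound

def parse_proxy(line):
    m = PROXY_RE.match(line)
    return {"ts": float(m.group(1)), "client": m.group(2), "host": m.group(3), "port": int(m.group(4))}

def correlate(ids_lines, proxy_lines, window=5.0):
    """One row per proxied flow: client IP from the proxy, remote IP from the IDS.
    Assumed join key: IDS event within `window` seconds of the proxy event whose
    Internet-side port equals the proxied destination port (an assumption, see lead-in)."""
    rows, ids = [], [parse_ids(l) for l in ids_lines]
    for p in map(parse_proxy, proxy_lines):
        row = {"client": p["client"], "host": p["host"], "port": p["port"],
               "remote": None, "outbound": False, "inbound": False}
        for e in ids:
            if abs(e["ts"] - p["ts"]) > window:
                continue
            if e["outbound"] and e["dport"] == p["port"]:        # Outbound = SrcPROXY - DstIDS
                row["remote"], row["outbound"] = e["dst"], True
            elif not e["outbound"] and e["sport"] == p["port"]:  # Inbound = SrcIDS - DstPROXY
                row["remote"], row["inbound"] = e["src"], True
        rows.append(row)
    return rows
```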