Monday, April 1, 2019

Threat Hunting in Proxy Logs



Threat hunting techniques for user web proxy logs, aimed at catching malicious scripts and malware: executable code added to web pages that runs when the user visits the site, exploit code that leads to unnoticed computer infections, pop-up advertisements, a locked browser, redirection to other sites, or other potentially harmful or unwanted activity.

The URLs can change, but the methodology a threat actor employs will (almost) always be the same.

General - Proxy - Uncategorised Proxy Events

Attackers rely on the abstraction provided between domains and IP addresses to make their infrastructure more resilient. A domain name can be registered in a matter of minutes, and multiple domains can be configured to point to the same host. This allows attackers to quickly switch between domains and subdomains to avoid detection.

Finding uncategorized domains only requires that you have access to the data feed generated by your proxy, that you’re logging URL categorization, and that those logs are collected somewhere that’s searchable. With that in mind, we ask the question “Did any system on my network make an HTTP request to an uncategorized site?”

TA0010 - Exfiltration - Proxy - File upload to Unauthorised storage.

Excessive file uploads to an unauthorised storage medium can be a good indication of exfiltration, but depending on the nature of the event this is not always malicious. Which of bytes_in and bytes_out carries the client-to-server (upload) volume depends on how the proxy's fields are mapped, so confirm the direction before trusting a threshold.


SSL interception allows the proxy to inspect and understand the nature of the data. Without SSL interception, user profiling can be carried out to understand whether the user's role involves uploading to online storage. Either way, this helps establish a baseline of the environment.

Look for the following categories in the web proxy:
  • Online storage and backup
  • File Transfer Services
  • Peer File Transfer
  • Web-based Emails
  • Parked domains are also worth including in the list.

Splunk Search

`proxy_index` (category="Online storage and backup" OR category="File Transfer Services" OR category="Peer File Transfer" OR category="Web-based Emails" OR category="Parked Domains" ) | strcat category "--" action category_action | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | bin _time span=10m | stats sum(in_mb) as in_MBytes values(dest) by _time user action category | where in_MBytes>30

TA0010 - Exfiltration - Proxy - High Bandwidth usage

Hunting for large data transfers to and from the user.

Splunk Search

`proxy_index` | eval in_gb=(bytes_in/1000000000) | eval out_gb=(bytes_out/1000000000) | timechart span=1h sum(in_gb) as "in_GBytes" sum(out_gb) as "out_GBytes" by user


TA0002 - Execution - Proxy - Download from Suspicious Dyndns Hosts

Detects downloads of certain file types from hosts with dynamic DNS names (selected list).

Splunk Search

`proxy_index` ((url="*exe" OR url="*vbs" OR url="*bat" OR url="*rar" OR url="*ps1" OR url="*doc" OR url="*docm" OR url="*xls" OR url="*xlsm" OR url="*pptm" OR url="*rtf" OR url="*hta" OR url="*dll" OR url="*ws" OR url="*wsf" OR url="*sct" OR url="*zip") (dest="*.hopto.org" OR dest="*.no-ip.org" OR dest="*.no-ip.info" OR dest="*.no-ip.biz" OR dest="*.no-ip.com" OR dest="*.noip.com" OR dest="*.ddns.name" OR dest="*.myftp.org" OR dest="*.myftp.biz" OR dest="*.serveblog.net" OR dest="*.servebeer.com" OR dest="*.servemp3.com" OR dest="*.serveftp.com" OR dest="*.servequake.com" OR dest="*.servehalflife.com" OR dest="*.servehttp.com" OR dest="*.servegame.com" OR dest="*.servepics.com" OR dest="*.myvnc.com" OR dest="*.ignorelist.com" OR dest="*.jkub.com" OR dest="*.dlinkddns.com" OR dest="*.jumpingcrab.com" OR dest="*.ddns.info" OR dest="*.mooo.com" OR dest="*.dns-dns.com" OR dest="*.strangled.net" OR dest="*.adultdns.net" OR dest="*.craftx.biz" OR dest="*.ddns01.com" OR dest="*.dns53.biz" OR dest="*.dnsapi.info" OR dest="*.dnsd.info" OR dest="*.dnsdynamic.com" OR dest="*.dnsdynamic.net" OR dest="*.dnsget.org" OR dest="*.fe100.net" OR dest="*.flashserv.net" OR dest="*.ftp21.net" OR dest="*.http01.com" OR dest="*.http80.info" OR dest="*.https443.com" OR dest="*.imap01.com" OR dest="*.kadm5.com" OR dest="*.mysq1.net" OR dest="*.ns360.info" OR dest="*.ntdll.net" OR dest="*.ole32.com" OR dest="*.proxy8080.com" OR dest="*.sql01.com" OR dest="*.ssh01.com" OR dest="*.ssh22.net" OR dest="*.tempors.com" OR dest="*.tftpd.net" OR dest="*.ttl60.com" OR dest="*.ttl60.org" OR dest="*.user32.com" OR dest="*.voip01.com" OR dest="*.wow64.net" OR dest="*.x64.me" OR dest="*.xns01.com" OR dest="*.dyndns.org" OR dest="*.dyndns.info" OR dest="*.dyndns.tv" OR dest="*.dyndns-at-home.com" OR dest="*.dnsomatic.com" OR dest="*.zapto.org" OR dest="*.webhop.net" OR dest="*.25u.com" OR dest="*.slyip.net")) | strcat domain "--" uri_path URL | strcat user "--> from , src_ip: " src user_src | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | stats values(user_src) As user_and_src dc(user) As unique_users dc(uri_path) AS uri_path values(cause) AS Location count by _time user, src, action dest category http_user_agent sc_content_type


TA0002 - Execution - Proxy - Download from Suspicious TLD

Detects downloads of certain file types from hosts in suspicious TLDs.

Splunk Search

`proxy_index` ((url="*exe" OR url="*vbs" OR url="*bat" OR url="*rar" OR url="*ps1" OR url="*doc" OR url="*docm" OR url="*xls" OR url="*xlsm" OR url="*pptm" OR url="*rtf" OR url="*hta" OR url="*dll" OR url="*ws" OR url="*wsf" OR url="*sct" OR url="*zip") (dest="*.country" OR dest="*.stream" OR dest="*.gdn" OR dest="*.mom" OR dest="*.xin" OR dest="*.kim" OR dest="*.men" OR dest="*.loan" OR dest="*.download" OR dest="*.racing" OR dest="*.online" OR dest="*.science" OR dest="*.ren" OR dest="*.gb" OR dest="*.win" OR dest="*.top" OR dest="*.review" OR dest="*.vip" OR dest="*.party" OR dest="*.tech" OR dest="*.xyz" OR dest="*.date" OR dest="*.faith" OR dest="*.zip" OR dest="*.cricket" OR dest="*.space" OR dest="*.info" OR dest="*.vn" OR dest="*.cm" OR dest="*.am" OR dest="*.cc" OR dest="*.asia" OR dest="*.ws" OR dest="*.tk" OR dest="*.biz" OR dest="*.su" OR dest="*.st" OR dest="*.ro" OR dest="*.ge" OR dest="*.ms" OR dest="*.pk" OR dest="*.nu" OR dest="*.me" OR dest="*.ph" OR dest="*.to" OR dest="*.tt" OR dest="*.name" OR dest="*.tv" OR dest="*.kz" OR dest="*.tc" OR dest="*.mobi" OR dest="*.study" OR dest="*.click" OR dest="*.link" OR dest="*.trade" OR dest="*.accountant" OR dest="*.cf" OR dest="*.gq" OR dest="*.ml" OR dest="*.ga" OR dest="*.pw")) | strcat domain "--" uri_path URL | strcat user "--> from , src_ip: " src user_src | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | stats values(user_src) As user_and_src dc(user) As unique_users dc(uri_path) AS uri_path values(cause) AS Location count by _time user, src, action dest category http_user_agent sc_content_type
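The two searches above (dynamic-DNS hosts and suspicious TLDs) reduced to a small offline checker, as an added Python example that is not from the original post. The watch lists are a constructed subset of the page's own, the records are constructed, and host_matches, risky_extension, classify and hunt are hypothetical names; host matching keeps the dest="*.suffix" semantics, while the extension check looks only at the URL path so a query string after the file name neither hides nor fakes a download.

```python
import re
from urllib.parse import urlsplit

# Constructed watch lists for this example: a handful of the dynamic-DNS
# suffixes, suspicious TLDs and file extensions used by the searches above.
DYNDNS_SUFFIXES = ("hopto.org", "no-ip.org", "no-ip.biz", "dyndns.org", "zapto.org")
SUSPICIOUS_TLDS = ("top", "xyz", "tk", "pw", "download", "science")
RISKY_EXTENSIONS = ("exe", "vbs", "bat", "ps1", "hta", "dll", "wsf", "sct",
                    "zip", "doc", "docm", "xls", "xlsm")

def host_matches(host, suffixes):
    """Same semantics as dest="*.suffix": the host must sit under one of the
    suffixes on a label boundary, so "share.nothopto.org" does not match."""
    host = host.lower().rstrip(".")
    return any(host.endswith("." + s) for s in suffixes)

def risky_extension(url):
    """Return the extension of the URL *path* if it is on the watch list.
    Unlike url="*exe", the query string is ignored, so "payload.exe?id=1"
    is still caught and "index.php?f=setup.exe" is not."""
    path = urlsplit(url).path.lower()
    match = re.search(r"\.([a-z0-9]+)$", path)
    if match and match.group(1) in RISKY_EXTENSIONS:
        return match.group(1)
    return None

def classify(record):
    """Return the reasons a proxy record is suspicious, or [] if clean."""
    ext = risky_extension(record["url"])
    if ext is None:
        return []
    reasons = []
    if host_matches(record["dest"], DYNDNS_SUFFIXES):
        reasons.append(f"{ext} download from dynamic-DNS host")
    if host_matches(record["dest"], SUSPICIOUS_TLDS):
        reasons.append(f"{ext} download from suspicious TLD")
    return reasons

def hunt(records):
    """Run classify() over parsed proxy records; return (user, dest, reasons) hits."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append((rec["user"], rec["dest"], reasons))
    return hits

# Constructed sample records (already parsed out of proxy log lines).
SAMPLE_RECORDS = [
    {"user": "alice", "dest": "cdn.example.com", "url": "http://cdn.example.com/static/app.js"},
    {"user": "bob", "dest": "updates.hopto.org", "url": "http://updates.hopto.org/files/invoice.exe"},
    {"user": "carol", "dest": "files.evil-example.top", "url": "http://files.evil-example.top/docs/report.docm?dl=1"},
    {"user": "dave", "dest": "share.nothopto.org", "url": "http://share.nothopto.org/setup.exe"},
    {"user": "erin", "dest": "www.example.pw", "url": "http://www.example.pw/index.php"},
    {"user": "frank", "dest": "dl.loader.xyz", "url": "https://dl.loader.xyz/stage2.ps1"},
]

if __name__ == "__main__":
    for user, dest, reasons in hunt(SAMPLE_RECORDS):
        print(user, dest, "; ".join(reasons))
```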


TA0002 - Execution - Proxy - Windows PowerShell User Agent

Detects Windows PowerShell Web Access and the WebDAV download cradle. This may need more tuning depending on the environment.

Splunk Search

`proxy_index` (http_user_agent="*WindowsPowerShell/*" OR http_user_agent="*Microsoft-WebDAV-MiniRedir/*") | strcat domain "--" uri_path URL | strcat user "--> from , src_ip: " src user_src | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | stats values(user_src) As user_and_src dc(user) As unique_users dc(uri_path) AS uri_path values(cause) AS Location count by _time user, src, action dest category http_user_agent sc_content_type

TA0011 - CnC - Proxy - Flash Player Update from Suspicious Location

Detects a Flash Player update fetched from an unofficial location.

Splunk Search

`proxy_index` ((url="*/install_flash_player.exe" OR url="*/flash_install.php*") NOT (dest="*.adobe.com")) | strcat domain "--" uri_path URL | strcat user "--> from , src_ip: " src user_src | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | stats values(user_src) As user_and_src dc(user) As unique_users dc(uri_path) AS uri_path values(cause) AS Location count by _time user, src, action dest category http_user_agent sc_content_type

TA0011 - CnC - Proxy - APT User Agent

Detects suspicious user agent strings used by APT malware in proxy logs.

Splunk Search

`proxy_index` (http_user_agent="SJZJ (compatible; MSIE 6.0; Win32)" OR http_user_agent="Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0" OR http_user_agent="User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)" OR http_user_agent="webclient" OR http_user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" OR http_user_agent="Mozilla/4.0 (compatible; MSI 6.0;" OR http_user_agent="Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" OR http_user_agent="Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" OR http_user_agent="Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" OR http_user_agent="Mozilla/4.0" OR http_user_agent="Netscape" OR http_user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" OR http_user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 8.0; Win32)" OR http_user_agent="Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1" OR http_user_agent="Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)" OR http_user_agent="Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko" OR http_user_agent="Mozilla v5.1 *" OR http_user_agent="MSIE 8.0" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)" OR http_user_agent="Mozilla/4.0 (compatible; RMS)" OR http_user_agent="O/9.27 (W; U; Z)" OR http_user_agent="Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*" OR http_user_agent="Mozilla/5.0 (Windows NT 9; *") | strcat domain "--" uri_path URL | strcat user "--> from , src_ip: " src user_src | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | bin _time span=30m | stats values(user_src) As user_and_src dc(user) As unique_users dc(uri_path) AS uri_path values(cause) AS Location count by _time user, src, action dest category http_user_agent sc_content_type

TA0011 - CnC - Proxy - Exploit Framework User Agent

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs.

Reference: https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/

Splunk Search

`proxy_index` (http_user_agent="Internet Explorer *" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)" OR http_user_agent="Mozilla/4.0 (compatible; Metasploit RSPEC)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N" OR http_user_agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" OR http_user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13" OR http_user_agent="Mozilla/5.0" OR http_user_agent="Mozilla/4.0 (compatible; SPIPE/1.0" OR http_user_agent="Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0" OR http_user_agent="Sametime Community Agent" OR http_user_agent="X-FORWARDED-FOR" OR http_user_agent="DotDotPwn v2.1" OR http_user_agent="SIPDROID" OR http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)" OR http_user_agent="*wordpress hash grabber*" OR http_user_agent="*exploit*") | strcat domain "--" uri_path URL | strcat user "--> from , src_ip: " src user_src | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | stats values(user_src) As user_and_src dc(user) As unique_users dc(uri_path) AS uri_path values(cause) AS Location count by _time user, src, action dest category http_user_agent sc_content_type

TA0011 - CnC - Proxy - Hack Tool User Agent

Detects suspicious user agent strings used by hack tools in proxy logs.

Splunk Search

`proxy_index` (http_user_agent="*(hydra)*" OR http_user_agent="*arachni/*" OR http_user_agent="*BFAC*" OR http_user_agent="*brutus*" OR http_user_agent="*cgichk*" OR http_user_agent="*core-project/1.0*" OR http_user_agent="*crimscanner/*" OR http_user_agent="*datacha0s*" OR http_user_agent="*dirbuster*" OR http_user_agent="*domino hunter*" OR http_user_agent="*dotdotpwn*" OR http_user_agent="FHScan Core" OR http_user_agent="*floodgate*" OR http_user_agent="*get-minimal*" OR http_user_agent="*gootkit auto-rooter scanner*" OR http_user_agent="*grendel-scan*" OR http_user_agent="*inspath*" OR http_user_agent="*internet ninja*" OR http_user_agent="*jaascois*" OR http_user_agent="*zmeu*" OR http_user_agent="*masscan*" OR http_user_agent="*metis*" OR http_user_agent="*morfeus fucking scanner*" OR http_user_agent="*n-stealth*" OR http_user_agent="*nsauditor*" OR http_user_agent="*pmafind*" OR http_user_agent="*security scan*" OR http_user_agent="*springenwerk*" OR http_user_agent="*teh forest lobster*" OR http_user_agent="*toata dragostea*" OR http_user_agent="*vega/*" OR http_user_agent="*voideye*" OR http_user_agent="*webshag*" OR http_user_agent="*webvulnscan*" OR http_user_agent="* whcc/*" OR http_user_agent="* Havij" OR http_user_agent="*absinthe*" OR http_user_agent="*bsqlbf*" OR http_user_agent="*mysqloit*" OR http_user_agent="*pangolin*" OR http_user_agent="*sql power injector*" OR http_user_agent="*sqlmap*" OR http_user_agent="*sqlninja*" OR http_user_agent="*uil2pn*" OR http_user_agent="ruler" OR http_user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)") | strcat domain "--" uri_path URL | strcat user "--> from , src_ip: " src user_src | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | stats values(user_src) As user_and_src dc(user) As unique_users dc(uri_path) AS uri_path values(cause) AS Location count by _time user, src, action dest category http_user_agent sc_content_type

TA0011 - CnC - Proxy - Malware User Agent

Detects suspicious user agent strings used by malware in proxy logs.

Splunk Search

`proxy_index` (http_user_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" OR http_user_agent="HttpBrowser/1.0" OR http_user_agent="*<|>*" OR http_user_agent="nsis_inetc (mozilla)" OR http_user_agent="Wget/1.9+cvs-stable (Red Hat modified)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)" OR http_user_agent="*zeroup*" OR http_user_agent="Mozilla/5.0 (Windows NT 5.1 ; v.*" OR http_user_agent="* adlib/*" OR http_user_agent="* tiny" OR http_user_agent="* BGroom *" OR http_user_agent="* changhuatong" OR http_user_agent="* CholTBAgent" OR http_user_agent="Mozilla/5.0 WinInet" OR http_user_agent="RookIE/1.0" OR http_user_agent="M" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" OR http_user_agent="Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)" OR http_user_agent="backdoorbot" OR http_user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)" OR http_user_agent="Opera/8.81 (Windows NT 6.0; U; en)" OR http_user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)" OR http_user_agent="Opera" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" OR http_user_agent="MSIE" OR http_user_agent="*(Charon; Inferno)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)" OR http_user_agent="Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)" OR http_user_agent="Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)" OR http_user_agent="* pxyscand*" OR http_user_agent="* asd" OR http_user_agent="* mdms" OR http_user_agent="sample" OR http_user_agent="nocase" OR http_user_agent="Moxilla" OR http_user_agent="Win32 *" OR http_user_agent="*Microsoft Internet Explorer*" OR http_user_agent="agent *" OR http_user_agent="AutoIt" OR http_user_agent="IczelionDownLoad") | strcat domain "--" uri_path URL | strcat user "--> from , src_ip: " src user_src | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | eval user_type=case(user LIKE "CORP%", "CorporateUserAccount", user LIKE "172.2%", "GuestWifi", user LIKE "QAN%", "QantasAsset", user LIKE "LOY-%", "LoyaltyAsset",user LIKE "TCS%", "TCSAsset", 1=1, "Other_Assets") | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | stats values(user_src) As user_and_src dc(user) As unique_users dc(uri_path) AS uri_path values(cause) AS Location count by _time user, src, action dest category http_user_agent sc_content_type

TA0011 - CnC - Beacon Detection via Intra-Request Time Deltas

Find regular HTTP beaconing behaviour which may indicate malware C2.

Malware C2 often utilizes regular request intervals ("beacons") to maintain control with the attacker's infrastructure. By examining the intra-request times between requests to the same resource by the same source IP and visualizing the results, you can look for patterns of regular activity.

Splunk Search

`proxy_index` | convert mktime(_time) as epoch | sort 0 dest,src,epoch | streamstats current=f last(epoch) as prev_epoch by dest, src | eval epoch_delta=epoch-prev_epoch | search epoch_delta>0 epoch_delta<30 | chart count over epoch_delta by dest
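The same intra-request analysis carried out offline, as an added Python example that is not from the original post: deltas are computed inside each (src, dest) pair after sorting, so a delta never spans two different conversations, and a pair is flagged when its interval is regular (low stdev relative to the mean). The events are constructed; intra_request_deltas, delta_histogram and beacon_candidates are hypothetical names.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed proxy events for the example: (epoch seconds, src, dest),
# deliberately not in time order so the per-pair sort matters.
T0 = 1554076800  # 2019-04-01 00:00:00 UTC
SAMPLE_EVENTS = [
    # A ~60 s beacon with a couple of seconds of jitter.
    (T0 + 61, "10.0.0.5", "c2.example.net"), (T0 + 0, "10.0.0.5", "c2.example.net"),
    (T0 + 119, "10.0.0.5", "c2.example.net"), (T0 + 181, "10.0.0.5", "c2.example.net"),
    (T0 + 240, "10.0.0.5", "c2.example.net"), (T0 + 299, "10.0.0.5", "c2.example.net"),
    (T0 + 361, "10.0.0.5", "c2.example.net"), (T0 + 420, "10.0.0.5", "c2.example.net"),
    # Ordinary browsing: bursty, irregular intervals.
    (T0 + 5, "10.0.0.7", "www.example.com"), (T0 + 12, "10.0.0.7", "www.example.com"),
    (T0 + 13, "10.0.0.7", "www.example.com"), (T0 + 90, "10.0.0.7", "www.example.com"),
    (T0 + 91, "10.0.0.7", "www.example.com"), (T0 + 400, "10.0.0.7", "www.example.com"),
    (T0 + 401, "10.0.0.7", "www.example.com"), (T0 + 402, "10.0.0.7", "www.example.com"),
    # Perfectly regular but too few requests to judge.
    (T0 + 100, "10.0.0.5", "cdn.example.org"), (T0 + 160, "10.0.0.5", "cdn.example.org"),
    (T0 + 220, "10.0.0.5", "cdn.example.org"),
]

def intra_request_deltas(events):
    """Group events by (src, dest), sort each group by time and return the
    seconds between consecutive requests. Grouping before differencing is
    what keeps a delta from spanning two unrelated conversations."""
    by_pair = defaultdict(list)
    for ts, src, dest in events:
        by_pair[(src, dest)].append(ts)
    deltas = {}
    for pair, times in by_pair.items():
        times.sort()
        deltas[pair] = [later - earlier for earlier, later in zip(times, times[1:])]
    return deltas

def delta_histogram(events, pair):
    """Offline equivalent of 'chart count over epoch_delta' for one pair."""
    return Counter(intra_request_deltas(events).get(pair, []))

def beacon_candidates(events, min_requests=5, max_jitter=0.1):
    """Flag pairs whose interval is regular: at least min_requests requests
    and a coefficient of variation (stdev / mean of the deltas) <= max_jitter."""
    hits = []
    for (src, dest), d in intra_request_deltas(events).items():
        if len(d) < min_requests - 1:  # n requests give n-1 deltas
            continue
        avg = mean(d)
        if avg > 0 and pstdev(d) / avg <= max_jitter:
            hits.append((src, dest, round(avg, 1)))
    return sorted(hits)

if __name__ == "__main__":
    for src, dest, interval in beacon_candidates(SAMPLE_EVENTS):
        print(f"{src} -> {dest}: ~{interval}s interval", delta_histogram(SAMPLE_EVENTS, (src, dest)))
```

Lowering min_requests admits the short cdn.example.org series as well, which is the trade-off between catching slow beacons early and drowning in coincidences.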

TA0002 - Execution - compromised WordPress websites

One major infection vector is compromised WordPress websites. They are notoriously used for one-shot campaigns and by low-budget (mostly criminal) threat actors. Often they will drop their malicious binaries into a directory where they have write access.

Here is a simple search pattern to look in your logs for any highly suspicious download that could have been triggered by a macro script inside a malicious document:

Splunk Search

`proxy_index` (url="*/wp-includes*" OR url="*/wp-admin*" OR url="*/wp-content*" ) AND (url="*exe*" OR url="*dll*" OR url="*scr") | strcat domain "--" uri_path URL | strcat user "--> from , src_ip: " src user_src | eval in_mb=((bytes_in/1024)/1024), in_mb=round(in_mb,2) | eval out_mb=((bytes_out/1024)/1024), out_mb=round(out_mb,2) | fillnull value="unknown" category http_user_agent, user, sc_content_type, user_type | stats values(user_src) As user_and_src dc(user) As unique_users dc(uri_path) AS uri_path values(cause) AS Location count by _time user, src, action dest category http_user_agent sc_content_type


Some other use cases are to look for:
  • Traffic being sent out on port 22 through your proxy servers
  • Exfiltration patterns in the data, such as low-and-slow connections
  • Network connections that exhibit the same pattern of bytes in and bytes out each day
  • Base64-encoded strings within the URL