Web Proxies
Overview
Monitoring logs from web proxies to detect and respond to web-based threats, anomalous user behavior, and potential security incidents.
Sample products
- Zscaler Internet Access
- Symantec Web Security Service
- Sophos Web Gateway
- McAfee Web Gateway
Use Case Categories
| Category | Description |
|---|---|
| User Activity and Web Usage | Monitor user activity logs to track web browsing behavior, including websites visited, URLs accessed, and content downloaded. Identify suspicious or unauthorized activity, such as accessing restricted websites or downloading malware-infected files, to enforce acceptable use policies and mitigate security risks. |
| Access Control and Policy Enforcement | Monitor access control lists (ACLs), authentication logs, and policy enforcement mechanisms to ensure that only authorized users and devices can access the internet through the proxy server. Detect and respond to policy violations, such as unauthorized access attempts or bypassing content filtering rules, to enforce security policies and regulatory compliance. |
| Content Filtering and Threat Detection | Monitor content filtering logs and threat detection mechanisms to identify and block malicious or inappropriate content, such as malware, phishing sites, and malicious URLs. Monitor security alerts and threat intelligence feeds to detect emerging threats and security incidents in real time. |
| Anomaly Detection and Behavior Analysis | Monitor web proxy logs for anomalous patterns and behavior, such as unusual spikes in traffic, abnormal user activity, or patterns indicative of security threats. Use machine learning algorithms and behavioral analytics to detect and respond to suspicious activities in real time, such as botnet activity, data exfiltration attempts, or insider threats. |
Core Use Cases
| Alert Name | Description |
|---|---|
| Anomaly in Web Traffic Patterns | Monitor outbound connections from the network for anomalies, such as connections to known malicious IP addresses or domains. |
| Suspicious Download Activity | Monitor web proxy logs for suspicious download activity, such as large file downloads or downloads from untrusted sources. |
| Unauthorized Web Application Usage | Monitor web proxy logs for unauthorized usage of web applications or services, such as cloud storage or social media. |
| Blocked Website Access Attempts | Monitor web proxy logs for attempts to access blocked or restricted websites. |
| Policy Violation Detection | Monitor web proxy logs for violations of acceptable use policies or access control rules. |
| Abnormal Proxy Bypass Attempts | Monitor web proxy logs for attempts to bypass the proxy server and access the internet directly. |
| Unauthorized User Access Attempts | Monitor web proxy logs for unauthorized attempts to access the internet or internal resources. |
| Malicious Website Access Detection | Monitor web proxy logs for access to known malicious websites or URLs. |
| Content-Based Threat Detection | Monitor web proxy logs for content-based threats, such as malicious scripts, exploits, or obfuscated code. |
| Phishing Website Access Detection | Monitor web proxy logs for access to known phishing websites or URLs. |
| Suspicious File Download Detection | Monitor web proxy logs for downloads of suspicious files, such as executable binaries or script files. |
| Suspicious User-Agent Identification | Monitor web proxy logs for suspicious or anomalous user-agent strings used in HTTP requests. |
| Abnormal Protocol Usage Detection | Monitor web proxy logs for abnormal usage of protocols, such as unusual port numbers or non-standard protocols. |
| Unusual Data Transfer Patterns | Monitor web proxy logs for unusual data transfer patterns, such as large uploads or downloads outside of business hours. |
MITRE ATT&CK
T1071, T1560, T1048, T1190, T1105, T1022, T1071, T1114, T1070, T1078, T1049, T1552, T1566, T1189, T1204, T1572, T1025, T1059