
Proxy detections

A proxy server is a system or router that provides a gateway between users and the internet. Because the server acts as an intermediary, isolating the internal network from the internet and from attackers, it helps organizations prevent cyber attacks from entering a private network. Proxies provide a valuable layer of security in general and an important data source for analyzing web traffic going to and from your organization. Monitoring the proxy data can help pinpoint attacks, reveal malicious behavior, and give more context to what entities are doing within your organization. The list of out-of-the-box detections below covers commonly seen use cases for spotting potentially malicious activity in proxy logs.

Identifies file uploads above 50 MB in size. Excessive file uploads may indicate exfiltration by an adversary or insider. The size threshold should be tuned per organization.

Keep in mind that adversaries may compress uploads for speedy transfers and to avoid detection, so setting the file size threshold too large may miss such occurrences.

Source table ➝ PROXY.ALL.ACCESS

Detects the download of a file with a single-character filename. Single-character file names are rare for most legitimate content and are often used by actors to host malicious content. Users can uncomment the regex match line and modify it as necessary to target specific file types.

Source table ➝ PROXY.ALL.ACCESS
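The following is an added example, not part of the original page and not the product's own detection logic, showing how the two detections above (uploads over 50 MB, and downloads of single-character filenames) can be expressed over proxy access records. The log lines, the field layout (timestamp, source IP, method, URL, bytes sent, bytes received) and the hostnames are all constructed for the example; the real PROXY.ALL.ACCESS schema is not described on the page and is an assumption here. The commented-out regex mirrors the page's note about restricting the filename match to particular file types.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy access records (not taken from PROXY.ALL.ACCESS).
# Assumed fields: timestamp, client IP, HTTP method, URL,
#                 bytes sent by the client (request body), bytes received by the client.
SAMPLE_LOG = """\
2024-05-01T10:01:02Z 10.0.0.5 POST https://files.example-cloud.test/upload 62914560 512
2024-05-01T10:02:10Z 10.0.0.7 GET https://cdn.example.test/assets/app.js 0 48210
2024-05-01T10:03:33Z 10.0.0.9 GET http://203.0.113.10/x 0 1024
2024-05-01T10:04:45Z 10.0.0.5 POST https://mail.example.test/send 20480 300
2024-05-01T10:05:01Z 10.0.0.12 GET http://203.0.113.10/a.exe 0 250000
2024-05-01T10:06:12Z 10.0.0.3 GET https://intranet.example.test/report.pdf 0 9000000
"""

# 50 MB threshold from the detection description; tune per organization.
# Remember that compressed uploads can stay under a threshold set too high.
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024


@dataclass
class ProxyEvent:
    ts: str
    src_ip: str
    method: str
    url: str
    bytes_out: int  # bytes the client sent (request body)
    bytes_in: int   # bytes the client received (response body)


def parse_log(text: str) -> list[ProxyEvent]:
    """Parse the constructed space-separated access log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, out_b, in_b = line.split()
        events.append(ProxyEvent(ts, src, method, url, int(out_b), int(in_b)))
    return events


def large_uploads(events, threshold=UPLOAD_THRESHOLD_BYTES):
    """Detection 1: requests that pushed more than `threshold` bytes to the server."""
    return [e for e in events if e.method in ("POST", "PUT") and e.bytes_out > threshold]


def filename_from_url(url: str) -> str:
    """Return the last path segment of a URL, ignoring scheme, host, query and fragment."""
    rest = url.split("://", 1)[-1].split("?", 1)[0].split("#", 1)[0]
    path = rest.split("/", 1)[1] if "/" in rest else ""  # drop the host portion
    return path.rsplit("/", 1)[-1]


# Default: a single alphanumeric character, optionally followed by a short extension.
SINGLE_CHAR_FILENAME = re.compile(r"^[A-Za-z0-9](?:\.[A-Za-z0-9]{1,5})?$")
# Uncomment and adjust to restrict the match to specific file types:
# SINGLE_CHAR_FILENAME = re.compile(r"^[A-Za-z0-9]\.(exe|dll|ps1|sh)$", re.IGNORECASE)


def single_char_downloads(events, pattern=SINGLE_CHAR_FILENAME):
    """Detection 2: GET requests whose requested filename is a single character."""
    return [e for e in events if e.method == "GET" and pattern.match(filename_from_url(e.url))]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in large_uploads(evts):
        print(f"[large upload] {e.ts} {e.src_ip} {e.bytes_out} bytes -> {e.url}")
    for e in single_char_downloads(evts):
        print(f"[single-char filename] {e.ts} {e.src_ip} -> {e.url}")
```

Running the block prints one large-upload alert (the 60 MiB POST) and two single-character filename alerts (`/x` and `/a.exe`); the 20 KB POST and the normally named downloads produce nothing.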