URL
The URL referenced or impacted by activity reported in the log.
Data Type
String
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | URL |
| Client Console Short Name | URL |
| Web Console Tab/Name | URL |
| Elasticsearch Field Name | url |
| Rule Builder Column Name | URL |
| Regex Pattern | <url> |
| NetMon Name | Not applicable |
Field Relationships
- Domain (Domain Impacted)
- Domain Origin
- Session
- Response Code
- Protocol Number
- Protocol Name
Common Applications
- Proxy
- IDS/IPS
- Network monitoring
- Firewall
- Web servers/DNS
Use Case
- Tracking user web activity.
- Tracking and comparing hostile domains with lists of known bad web domains.
MPE/Data Masking Manipulations
Data masking is used for a QNAME-format URL such as (14)DB001560E6EBC5(9)soasdfgtu(3)com(0).
Usage Standards
Do not use this field for the vendor's link to details; that link parses into Vendor Info.
Examples
- Blue Coat Proxy
08 27 2011 19:00:00 1.1.1.1 <USER:NOTE> 2011-08-27 02:05:36 151 3.1.4.2 - - - OBSERVED "Email" http://Host10.com/neo/launch?.rand=6upoddav8e6 204 TCP_NC_MISS POST text/json http Host10 80 /neo/stat - - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" 1.1.1.1 492 1434 –
The URL in the proxy log, http://Host10.com/neo/launch?.rand=6upoddav8e6, parses into URL.
- Windows DNS
11/21/2011 10:14:05 AM 0F8C PACKET 00000000089853C0 UDP Snd 1.1.1.1 fa93 R Q [8385 A DR NXDOMAIN] A (14)HP001560E6EBC5(9)sonalysts(3)com(0)
QNAME-format URL (14)DB001560E6EBC5(9)soasdfgtu(3)com(0) with length octets. This is often a use case for data masking to replace the length octet with a period.
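The length-octet replacement described above, sketched in Python as an added example; it is not LogRhythm's MPE data masking implementation, and the names `qname_to_dotted` and `url_from_dns_line` are hypothetical. It validates each length octet against its label rather than blindly substituting periods, so truncated or inconsistent names are rejected.

```python
import re

# One label in Windows DNS debug-log notation: "(<length>)<label text>".
_LABEL = re.compile(r"\((\d+)\)([^()\s]*)")

# The Windows DNS example line from this page.
SAMPLE_LINE = ("11/21/2011 10:14:05 AM 0F8C PACKET 00000000089853C0 UDP Snd "
               "1.1.1.1 fa93 R Q [8385 A DR NXDOMAIN] A "
               "(14)HP001560E6EBC5(9)sonalysts(3)com(0)")

def qname_to_dotted(qname):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'.

    Assumes label text is logged literally, so each length octet equals the
    number of characters that follow it. Malformed input raises ValueError
    so a truncated or inconsistent name is flagged, not silently normalized.
    """
    labels, pos, terminated = [], 0, False
    while pos < len(qname):
        m = _LABEL.match(qname, pos)
        if m is None or terminated:
            raise ValueError(f"unexpected text at offset {pos}: {qname[pos:]!r}")
        length, text = int(m.group(1)), m.group(2)
        if length != len(text):
            raise ValueError(f"length octet {length} does not match {text!r}")
        if length > 63:
            raise ValueError(f"label exceeds the 63-octet DNS limit: {text!r}")
        if length == 0:
            terminated = True   # (0) is the root label that ends the name
        else:
            labels.append(text)
        pos = m.end()
    if not terminated:
        raise ValueError("missing terminating (0) label")
    return ".".join(labels)

def url_from_dns_line(line):
    """Return the dotted name for the QNAME that ends a DNS debug-log line."""
    return qname_to_dotted(line.split()[-1])

if __name__ == "__main__":
    print(url_from_dns_line(SAMPLE_LINE))
```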