Data Source: Cisco Secure Access Proxy

Description

Captures HTTP/HTTPS proxy access events from Cisco Secure Access, including the requesting source (internal and external IP), the identity that made the request, the URL, the HTTP method, the response status code, and user-agent metadata. These fields support detection of automated web reconnaissance such as directory and file enumeration (a high volume of HTTP 4xx client errors from one source against one host, often with a scanner user agent as in the example log below), as well as suspicious browsing patterns and policy-evasion behavior.

Details

Property     Value
Source       cisco_cloud_security_addon
Sourcetype   cisco:cloud_security:proxy

Detections

Name                                                             Technique        Type
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors   Active Scanning  Anomaly

Supported Apps

Event Fields

  • _time
  • action
  • action_isolate
  • amp_disposition
  • amp_malwarename
  • amp_score
  • app
  • application_ids
  • av_detection
  • blocked_category
  • bytes
  • bytes_in
  • bytes_out
  • category
  • certificate_errors
  • content_type
  • data_center
  • datamodel
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dest_asset
  • dest_asset_id
  • dest_asset_tag
  • dest_bunit
  • dest_category
  • dest_city
  • dest_country
  • dest_dns
  • dest_ip
  • dest_is_expected
  • dest_lat
  • dest_long
  • dest_mac
  • dest_nt_host
  • dest_owner
  • dest_pci_domain
  • dest_priority
  • dest_requires_av
  • dest_should_timesync
  • dest_should_update
  • destination_list_id
  • detected_response_file_type
  • disposition
  • dlp_status
  • egress
  • eventtype
  • file_action
  • file_hash
  • filename
  • forward_method
  • geo_location_of_blocked_destination_countries
  • host
  • hostname
  • http_content_type
  • http_method
  • http_referrer
  • http_user_agent
  • http_user_agent_length
  • identities
  • identity_type
  • index
  • isolateAction
  • linecount
  • malwarename_name
  • message_correlation_id
  • msp_organization_id
  • organization_id
  • policy_identities
  • policy_identity_type
  • policy_type
  • producer
  • product
  • pua
  • punct
  • request_method
  • request_size
  • response_size
  • response_size_body
  • rule_id
  • rule_set_id
  • s3_uri
  • score
  • security_overridden
  • server_name
  • sha256
  • source
  • sourcetype
  • splunk_server
  • splunk_server_group
  • src
  • src_asset
  • src_asset_id
  • src_asset_tag
  • src_bunit
  • src_category
  • src_city
  • src_country
  • src_dns
  • src_ip
  • src_is_expected
  • src_lat
  • src_long
  • src_mac
  • src_nt_host
  • src_owner
  • src_pci_domain
  • src_priority
  • src_requires_av
  • src_should_timesync
  • src_should_update
  • src_translated_ip
  • ssl_error
  • ssl_subject_common_name
  • status
  • status_warning
  • tag
  • tag::action
  • tag::app
  • tag::dest_requires_av
  • tag::dest_should_timesync
  • tag::dest_should_update
  • tag::eventtype
  • tag::user_category
  • tag::user_identity_tag
  • tag::user_watchlist
  • time_based_rule
  • timeendpos
  • timestartpos
  • url
  • url_domain
  • url_length
  • user
  • user_bunit
  • user_category
  • user_email
  • user_endDate
  • user_first
  • user_identity
  • user_identity_id
  • user_identity_tag
  • user_last
  • user_managedBy
  • user_nick
  • user_phone
  • user_prefix
  • user_priority
  • user_startDate
  • user_suffix
  • user_type
  • user_watchlist
  • user_work_city
  • user_work_country
  • user_work_lat
  • user_work_long
  • vendor
  • vendor_product
  • warnStatus
  • warn_categories
</div>

Example Log

"2026-04-20 21:57:29","EC2AMAZ-J8G2CH1","10.0.1.115","3.151.127.146","104.20.23.154","text/html","ALLOWED","http://example.com/css-3444","","gobuster/3.8.1","404","","790","528","fb91d75a6bb430787a61b0aec5e374f580030f2878e1613eab5ca6310f7bbb9a","Research/Reference,Reference","","","","","","Anyconnect Roaming Client","","EC2AMAZ-J8G2CH1","Anyconnect Roaming Client","GET","ALLOWED","","css-3444","14303105","139213","","","","","","","","","","","mps-7b95df5757-wmc2v.sigproxy.prod_aws_us-east-2_1_0n","PROD_AWS_US-EAST-2_1_0N","false","","false","false","","","8209150"

Required Output Fields

  • src_ip

  • user

  • status

  • url

  • http_user_agent
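As an added worked example (not the add-on's field extractions and not the shipped detection), the Python below maps the headerless CSV record from the example log onto the required output fields listed above and runs the kind of threshold logic the "Automated Web Reconnaissance via HTTP Access Errors" detection describes over constructed sample lines. The column positions are inferred from the example record and are an assumption; the five-minute window, the thresholds and the list of scanner user-agent markers are illustrative, not the detection's tuned values.

```python
"""Parse cisco:cloud_security:proxy records into the detection's required fields
and flag web reconnaissance: many 4xx responses from one source and identity
against one host, over many distinct URLs, in a short window. Added example,
not the add-on's extractions or the shipped detection; column positions,
thresholds and scanner markers are assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# 0-based CSV columns, inferred from the example record (assumption).
COL = {"_time": 0, "user": 1, "src_ip": 2, "url": 7, "http_user_agent": 9,
       "status": 10, "http_method": 25}
NUM_COLUMNS = 50          # roughly the width of the example record
WINDOW_MINUTES = 5        # assumed bucket size
MIN_CLIENT_ERRORS, MIN_DISTINCT_URLS = 20, 15   # assumed thresholds
# Tool names often carried in scanner user agents; a supporting signal only.
SCANNER_UA_MARKERS = ("gobuster", "ffuf", "dirb", "nikto", "nuclei", "sqlmap")

EXAMPLE_RECORD = (  # the page's example record, verbatim
    '"2026-04-20 21:57:29","EC2AMAZ-J8G2CH1","10.0.1.115","3.151.127.146","104.20.23.154",'
    '"text/html","ALLOWED","http://example.com/css-3444","","gobuster/3.8.1","404","","790","528",'
    '"fb91d75a6bb430787a61b0aec5e374f580030f2878e1613eab5ca6310f7bbb9a","Research/Reference,Reference",'
    '"","","","","","Anyconnect Roaming Client","","EC2AMAZ-J8G2CH1","Anyconnect Roaming Client","GET",'
    '"ALLOWED","","css-3444","14303105","139213","","","","","","","","","","",'
    '"mps-7b95df5757-wmc2v.sigproxy.prod_aws_us-east-2_1_0n","PROD_AWS_US-EAST-2_1_0N",'
    '"false","","false","false","","","8209150"')


def parse_record(line):
    """Required output fields for one record; None if it is too short or the
    timestamp/status is malformed, so one bad line never aborts a batch."""
    row = next(csv.reader([line]))
    if len(row) <= max(COL.values()):
        return None
    try:
        when = datetime.strptime(row[COL["_time"]], "%Y-%m-%d %H:%M:%S")
        status = int(row[COL["status"]])
    except ValueError:
        return None
    url = row[COL["url"]]
    return {"_time": when, "user": row[COL["user"]], "src_ip": row[COL["src_ip"]],
            "url": url, "url_domain": (urlsplit(url).hostname or "").lower(),
            "http_user_agent": row[COL["http_user_agent"]], "status": status,
            "http_method": row[COL["http_method"]]}


def detect_recon(lines):
    """Bucket events by (src_ip, user, url_domain, window) and report buckets
    whose 4xx count and distinct 4xx URL count both reach the thresholds."""
    buckets = defaultdict(list)
    for ev in filter(None, map(parse_record, lines)):
        t = ev["_time"].replace(second=0, microsecond=0)
        window = t - timedelta(minutes=t.minute % WINDOW_MINUTES)
        buckets[(ev["src_ip"], ev["user"], ev["url_domain"], window)].append(ev)
    findings = []
    for (src_ip, user, domain, window), events in sorted(buckets.items()):
        errors = [e for e in events if 400 <= e["status"] < 500]
        urls = {e["url"] for e in errors}
        if len(errors) < MIN_CLIENT_ERRORS or len(urls) < MIN_DISTINCT_URLS:
            continue
        agents = sorted({e["http_user_agent"] for e in errors})
        findings.append({  # total_requests keeps the 2xx hits so the analyst sees what was found
            "src_ip": src_ip, "user": user, "url_domain": domain,
            "window_start": window.strftime("%Y-%m-%d %H:%M"),
            "client_errors": len(errors), "distinct_urls": len(urls),
            "total_requests": len(events), "statuses": sorted({e["status"] for e in errors}),
            "http_user_agent": agents,
            "scanner_ua": any(m in a.lower() for a in agents for m in SCANNER_UA_MARKERS)})
    return findings


def make_record(ts, user, src_ip, url, ua, status, method="GET"):
    """Constructed record in the example's column layout (sample data only)."""
    row = [""] * NUM_COLUMNS
    for name, value in (("_time", ts), ("user", user), ("src_ip", src_ip), ("url", url),
                        ("http_user_agent", ua), ("status", str(status)), ("http_method", method)):
        row[COL[name]] = value
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(row)
    return buf.getvalue().rstrip("\n")


def build_sample_lines():
    """Constructed sample: the page's record, a gobuster burst (30 x 404 plus 2
    hits), a user's normal browsing with two stray 404s, and a truncated line."""
    def ts(i):
        return (datetime(2026, 4, 20, 21, 57, 0) + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S")
    scan = [make_record(ts(i), "EC2AMAZ-J8G2CH1", "10.0.1.115",
                        f"http://example.com/css-{3400 + i}", "gobuster/3.8.1", 404) for i in range(30)]
    scan += [make_record(ts(30 + i), "EC2AMAZ-J8G2CH1", "10.0.1.115", f"http://example.com/{p}",
                         "gobuster/3.8.1", 200) for i, p in enumerate(("admin", "login"))]
    chrome = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
    browsing = [make_record(ts(i), "alice", "10.0.1.42", f"https://intranet.example.net/p/{i}",
                            chrome, 404 if i in (3, 7) else 200) for i in range(10)]
    return [EXAMPLE_RECORD] + scan + browsing + ['"2026-04-20 21:57:29","truncated"']
```

Running detect_recon(build_sample_lines()) returns a single finding for 10.0.1.115 / EC2AMAZ-J8G2CH1 against example.com in the 21:55 window: 31 client errors over 31 distinct URLs out of 33 requests, all 404, with gobuster as the only user agent. The browsing user's two stray 404s and the truncated line produce nothing. In Splunk the same grouping is a stats count by src_ip, user and url_domain over a bin of _time; the scanner_ua flag is kept as a supporting signal rather than a trigger, because a scanner can present any user agent it likes, while the error volume and URL spread are much harder to hide.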


Source: GitHub | Version: 1