I have previously blogged (separately) about the merits of both aggregation and looking at outbound denied traffic. It occurs to me that the combination of the two, aggregating outbound denies, is powerful enough to deserve a post of its own.
If one takes a rich data source (such as proxy logs), looks at the outbound denied traffic, and aggregates by certain key fields, such as:
- Source IP Address
- Destination IP Address
- Domain
- URL
- Request Method (e.g., GET, POST, etc.)
- Count (ordering by Count in descending order)