Shadow IT

Question

Hi, 
 I am conducting a Shadow IT audit within my organisation. One of the data sources I am going to use are logs ( which logs is not determined yet) from our deployed UTM proxy server. The network guys have given me an example of a log to assess whilst they prepare a log dump for me. What i want to do, and I lack the knowledge to ask pertinent and precise questions, is to review the proxy logs and determine two things 
 
 the url accessed by the staff member ( this is captured in the example provided to me by my network guys) 
 if the staff member logged into / authenticated onto the website when they accessed it. Basically I would like to understand and define the criteria to filter these logs to only show instances where a staff member logged into a website and then disregard all instances were staff members only browsed a website. 
 
 I am unsure if that activity could be caught by the proxy logs or if it would be caught by a proxy log, which log or logs would capture it. 
 I realise this is very vague and I will provide more information if required, but as a hypothetical question - could such an action - a user accessing a website and then logging into that website -be captured by the logs created by a UTM Proxy server. 
 Thanks in advance. 
 G

BAlfson · Accepted Answer

Hi and welcome to the UTM Community! 
 I can't think of an easy way to do this. You could certainly list all of the log lines that have the word login in them somewhere, but in an organization of any size, that will yield thousands of lines. In many cases, there won't be any FQDN listed, just the path although the referrer field might show the domain being accessed. Even limiting the lines to those containing url=" https://login would leave an insurmountable task of identification. Even then, I don't see how you could identify the logoff without parsing the log manually. Using the logs alone, it would only be practical if you were targeting a specific individual or a specific FQDN that you knew to require a manual login. 
 You would have more luck with Reporting, but that would require you to have access to WebAdmin for the UTM as a "Web Protection Auditor" and some facility with using Web Protection Reporting. If you were also a Network Protection Auditor, you could learn from that database 
 If you have someone gifted in PostgreSQL, you could have that person learn the structure of the databases and create reports to gather the information you seek. 
 Net Net - you've imagined an expensive undertaking. 
 Cheers - Bob

DouglasFoster · Answer

The vast majority of business websites now use HTTPS, and essentially 100% of business service sites will use https for a login session. With decrypt-and-scan disabled, only the FQDN is visible. So as a first step, your will need to be to deploy https inspection. Then the logs might have the detail you would require to have any hope of distinguishing "login sessions" from "browsing sessions".