Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In The Truman Show (1998), Truman Burbank slowly realizes that his world isn’t random. Every street he walks down, every destination he tries to reach, is subtly redirected or observed. What finally tips him off isn’t a single event; it’s the pattern of where he’s allowed to go and where he isn’t.
That idea maps well to CIS Safeguard 8.7: Collect URL Request Audit Logs. In modern environments, URLs tell the story of intent. While DNS shows where a system tried to go, URL request logs show what was actually requested, how, and often by whom. For defenders, that context is invaluable.
What Is CIS Safeguard 8.7?
Safeguard 8.7: Collect URL Request Audit Logs is part of CIS Critical Security Control 8 – Audit Log Management. The safeguard recommends that organizations:
- Collect logs of URL requests from web proxies, secure web gateways, firewalls, and cloud security controls
- Centralize and retain those logs
- Use them to support threat detection, incident response, and investigations
In short: if users, servers, or applications are requesting URLs, those requests should be logged, searchable, and protected.
Why URL Logs Matter
Modern attacks are web-centric by default. Initial access, payload delivery, command-and-control, credential harvesting, and data exfiltration often happen over HTTPS, making payload inspection harder.
URL request logs help close that visibility gap because they capture:
- Full or partial URLs
- HTTP methods (GET, POST, PUT, etc.)
- Response codes
- User or device context
- Timing and frequency
This turns encrypted web traffic into actionable security telemetry—without breaking encryption.
In Minority Report (2002), the system doesn’t just know that someone is moving; it knows where they’re headed. URL logs provide the same advantage for defenders.
What Threats URL Request Logs Expose
Safeguard 8.7 directly supports detection across multiple stages of the attack lifecycle.
- Phishing and Credential Harvesting
  URL logs can reveal:
  - Requests to known phishing domains
  - Lookalike login pages (login-micr0soft[.]com)
  - Repeated POST requests to suspicious authentication endpoints
  Even if email defenses fail, URL logs show what users actually clicked.
- Malware Payload Delivery
  Malware commonly retrieves second-stage payloads via HTTP/S. URL logs highlight:
  - Executable downloads from uncommon domains
  - Direct IP-based URLs
  - Unusual file extensions (.dat, .bin, .js) from non-CDN sources
  This is especially valuable when endpoint alerts arrive after the download occurred.
- Command-and-Control Over HTTPS
  Attackers increasingly hide C2 traffic inside normal-looking web requests. URL patterns may show:
  - Beaconing to the same path at fixed intervals
  - Odd or randomized URL paths
  - Abuse of legitimate platforms (paste sites, cloud storage, APIs)
  DNS may show the domain, but URL logs show the behavior.
- Data Exfiltration
  Large or repeated POST requests to unknown endpoints can indicate:
  - Stolen data uploads
  - Abuse of web forms or APIs
  - Exfiltration via attacker-controlled web servers
  Without URL logging, this activity often blends into background noise.
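As an added example (not code from the original post or from CIS), the three checks below run the patterns described above over a handful of constructed proxy records: fixed-interval beaconing to one path, payload-style downloads from a bare IP address, and large POSTs to a host that few clients talk to. The record field names, the sample data and the thresholds are assumptions; the same checks cover the anomalies listed later under "Alert on Behavior, Not Just Blocklists".

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample URL request records (not real telemetry):
# (timestamp, source IP, HTTP method, requested URL, bytes sent by the client).
RAW = [
    ("2025-01-10T09:00:00", "10.1.1.5", "GET", "https://cdn.example-saas.com/app.js", 300),
    ("2025-01-10T09:00:00", "10.1.1.7", "GET", "https://notes.example-upload.net/api/v1/ping", 120),
    ("2025-01-10T09:05:00", "10.1.1.7", "GET", "https://notes.example-upload.net/api/v1/ping", 120),
    ("2025-01-10T09:10:00", "10.1.1.7", "GET", "https://notes.example-upload.net/api/v1/ping", 120),
    ("2025-01-10T09:15:00", "10.1.1.7", "GET", "https://notes.example-upload.net/api/v1/ping", 120),
    ("2025-01-10T09:16:00", "10.1.1.9", "GET", "http://203.0.113.44/update.exe", 80),
    ("2025-01-10T09:20:00", "10.1.1.9", "POST", "https://drop.example-unknown.org/upload", 5_000_000),
]
LOGS = [dict(zip(("ts", "src", "method", "url", "bytes_out"), r)) for r in RAW]
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def find_beacons(logs, min_hits=4, max_jitter=0.2):
    """Flag (src, host+path) pairs requested at near-constant intervals (C2 beaconing)."""
    seen = defaultdict(list)
    for r in logs:
        u = urlsplit(r["url"])
        seen[(r["src"], u.netloc + u.path)].append(datetime.fromisoformat(r["ts"]))
    hits = []
    for (src, target), times in seen.items():
        t = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        # A low coefficient of variation means the gaps barely vary: a timer, not a human.
        if len(t) >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append((src, target, round(mean(gaps))))
    return hits

def find_direct_ip_downloads(logs, exts=(".exe", ".dll", ".bin", ".dat", ".js")):
    """Flag payload-style downloads whose host is a bare IPv4 address rather than a hostname."""
    return [(r["src"], r["url"]) for r in logs
            if IPV4.fullmatch(urlsplit(r["url"]).hostname or "")
            and urlsplit(r["url"]).path.lower().endswith(exts)]

def find_large_posts_to_rare_hosts(logs, min_bytes=1_000_000, max_clients=1):
    """Flag large POSTs to hosts only a few clients talk to (possible exfiltration).
    "Rare" is computed from the sample itself here; in production use the baseline period."""
    clients = defaultdict(set)
    for r in logs:
        clients[urlsplit(r["url"]).netloc].add(r["src"])
    return [(r["src"], r["url"], r["bytes_out"]) for r in logs
            if r["method"] == "POST" and r["bytes_out"] >= min_bytes
            and len(clients[urlsplit(r["url"]).netloc]) <= max_clients]
```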
What Should Be Logged?
To align with Safeguard 8.7, URL request logs should include:
- Timestamp
- Source IP / client ID
- User identity (if authenticated)
- Requested URL or URI path
- HTTP method
- HTTP response code
- Bytes sent / received (where available)
- User agent
When possible, logs should be enriched with:
- Asset criticality
- Network zone
- Threat intelligence on domains and paths
Centralization and Retention Are Non-Negotiable
Like all safeguards under Control 8, collection alone isn’t enough. URL logs must be:
- Centralized in a SIEM or log analytics platform
- Protected from deletion or tampering
- Retained long enough to support delayed detection
Many web-based attacks are discovered well after the initial click. If URL logs roll over in a few days, investigations stall quickly.
A common baseline:
- 30–90 days for active monitoring
- 6–12 months for investigations and compliance
How URL Logs Complement DNS Logs (Safeguard 8.6)
DNS and URL logs work best together:
- DNS logs answer: What domain was resolved?
- URL logs answer: What resource was requested and how?
Practical Implementation Tips
To operationalize Safeguard 8.7 effectively:
- Log at Control Points
  Use secure web gateways, proxies, firewalls, and CASBs—not just endpoints.
- Balance Privacy and Security
  Mask sensitive query parameters while preserving behavioral patterns.
- Normalize URLs
  Break URLs into components (domain, path, query) for better analysis.
- Baseline Normal Behavior
  Understand typical SaaS, API, and browsing patterns in your environment.
- Alert on Behavior, Not Just Blocklists
  Focus on anomalies like:
  - Repeated POSTs to rare domains
  - High-frequency requests with identical paths
  - Downloads outside approved software channels
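The "Balance Privacy and Security" and "Normalize URLs" tips above, as an added example (not the post's or CIS's own code): the function splits a URL into domain, path and query components and replaces sensitive query values while keeping parameter names and order, so frequency and path analysis still work on the masked record. The sensitive-parameter list, the opaque-token heuristic and the sample URLs are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names whose values are sensitive (assumed list; tune per environment).
SENSITIVE = {"password", "passwd", "token", "access_token", "session", "sessionid", "code", "email"}
# Long opaque alphanumeric values are treated as secrets whatever the parameter is called (heuristic).
OPAQUE = re.compile(r"[A-Za-z0-9_\-]{32,}")

def normalize_url(url):
    """Split a URL into SIEM-friendly components and mask sensitive query values.

    Parameter names and their order are kept, so path/frequency analysis and
    "which parameters does this endpoint take" queries still work after masking.
    The fragment is dropped: browsers never send it, so it carries no request intent.
    """
    u = urlsplit(url)
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE or OPAQUE.fullmatch(v) else v)
              for k, v in parse_qsl(u.query, keep_blank_values=True)]
    host = (u.hostname or "").lower()
    query = urlencode(masked)
    last_segment = u.path.rsplit("/", 1)[-1]
    return {
        "scheme": u.scheme.lower(),
        "host": host,
        # Registered-domain approximation (last two labels); use the Public Suffix List in production.
        "domain": ".".join(host.split(".")[-2:]),
        "path": u.path or "/",
        "file_ext": last_segment.rsplit(".", 1)[1].lower() if "." in last_segment else "",
        "query_keys": [k for k, _ in masked],
        "query_masked": query,
        "url_masked": urlunsplit((u.scheme.lower(), u.netloc.lower(), u.path, query, "")),
    }

# Constructed sample requests (not taken from real logs).
SSO_CALLBACK = "https://login.example-sso.com/oauth/callback?code=4a7f2c9d1e0b&state=xyz&email=alice%40example.com"
SIGNED_URL = "https://api.example-storage.net/v1/objects/report.exe?sig=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd&v=2"
```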
Final Thoughts
CIS Safeguard 8.7 recognizes a reality of modern security: the web is the primary attack surface. URL request audit logs provide clarity in an environment where payloads are encrypted and attackers blend into normal traffic.
Defenders who collect and analyze URL logs start to see what doesn’t belong. They begin to understand intent, behavior, and risk.
And in today’s threat landscape, that context is often what turns a missed alert into a prevented incident.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more details? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 8 – Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
CIS Safeguard 8.7 – Collect URL Request Audit Logs
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Shameless Marketing Information
Gotham Technology Group offers a Security Operations Center as a Service (SOCaaS) powered by Arctic Wolf Networks. Our team will work alongside your team to support and mature your security operations.