Web Proxy / DNS Logs

An incredibly useful cheat sheet for spotting malicious activity in web proxy events (the Nextron Systems cheat sheet)

https://www.nextron-systems.com/2020/07/24/web-proxy-event-analysis-cheat-sheet/


Threat Hunting and Detection with Web Proxy Logs by Mehmet Ergene

https://posts.bluraven.io/threat-hunting-and-detection-with-web-proxy-logs-58094cae3537


Washing your proxy/DNS logs against lists of the most commonly looked-up domains (removing the known-popular traffic) can surface the uncommon and potentially malicious. A few such lists:

https://s3-us-west-1.amazonaws.com/umbrella-static/index.html

https://tranco-list.eu/

https://majestic.com/reports/majestic-million


The IANA root zone database lists all of the top-level domains. How many of these do you see in your proxy logs, and how many of those are legitimate traffic?

https://www.iana.org/domains/root/db


Detecting data staging and exfiltration using the Producer-Consumer Ratio (PCR), i.e. the ratio of bytes sent to bytes received per host

http://detect-respond.blogspot.com/2016/09/detecting-data-staging-exfil-using-PCR-shift.html


Hunting for suspicious DNS

https://c99.sh/hunting-for-suspicious-dns-communications/

C2

Finding C2

http://findingbad.blogspot.com/2018/03/c2-hunting.html


Legitimate domains being abused by attackers for C2 and for hosting malicious content (the LOTS project)

https://lots-project.com/


C2 traffic patterns (personal notes by Marco Ramilli)

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

BGP