GIM Category: http
The HTTP category is for events that describe web traffic over the Hypertext Transfer Protocol. These events may be generated by web servers, proxies, firewalls, intrusion detection systems, or other network and security devices that inspect or record HTTP activity. They typically capture details such as the request method, URL path, response code, and the source of the request.
HTTP activity is a critical data source for security monitoring and troubleshooting, as it provides visibility into user actions, application behavior, and potential malicious activity such as reconnaissance, exploitation attempts, or data exfiltration.
default
The default HTTP subcategory is used for generic HTTP messages that do not fit into more specific subcategories such as requests, responses, or proxied communications. These events typically contain minimal details (such as request method and source) and act as a fallback to ensure that all HTTP-related activity can be normalized within the model.
Required Fields
http_request_method
source_reference
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 180000 | | http | http.default | http message | Default http traffic |
request
HTTP request events represent when a client attempts to access a resource on a server using the Hypertext Transfer Protocol. These events typically include the HTTP method (e.g., GET, POST), the request path or URI, and the identity of the source making the request. They provide the foundation for analyzing web activity, such as what resources are being requested and by whom.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 180100 | | http | http.request | http request | HTTP request message |
communication
HTTP communication events represent the complete exchange between a client and server, typically including both the request and the server's response. These events are common in logs from firewalls, web servers, IDS/IPS, or proxies that record both request details (method, path) and response details (status code). They differ from the 'request' subcategory, which focuses only on the client request, by including server response context.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 180200 | | http | http.communication | http communication | An HTTP request/response transaction was logged, including details such as request method, path, and response code |
proxied
Proxied HTTP events represent communications where an intermediary system (such as a proxy server, firewall, or web gateway) relays requests and responses between a client and a destination server. These logs often capture additional context such as the action taken by the proxy (allow, block, or redirect), the client identity, and the target resource. They are distinct from direct HTTP request/response events because they describe mediated traffic rather than end-to-end communication.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 180300 | | http | http.proxied | http proxied communication | An HTTP communication observed at or relayed through a proxy system. This may include requests and responses logged by forward proxies, reverse proxies, web gateways, or content filters, often with additional metadata about the proxy’s action (such as allow, block, or redirect). |
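The subcategory distinctions above can be expressed as a small normalizer. This is an added example, not code from the GIM documentation or its vendor. It assumes the hypothetical input fields `http_request_path`, `http_response_code` and `proxy_action`, an assumed precedence order (proxied, then communication, then request, then default), and that the required fields listed for the default subcategory apply to every HTTP event.

```python
# Added example. Only http_request_method, source_reference and the gim_* values
# come from the page; other field names and the precedence rules are assumptions.
GIM_HTTP_TYPES = {
    "http.default": (180000, "http message"),
    "http.request": (180100, "http request"),
    "http.communication": (180200, "http communication"),
    "http.proxied": (180300, "http proxied communication"),
}
REQUIRED_FIELDS = ("http_request_method", "source_reference")  # listed on the page
PROXY_ACTIONS = {"allow", "block", "redirect"}  # proxy actions named on the page


def classify_http_event(event):
    """Return a copy of `event` with the GIM HTTP fields added."""
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))

    action = str(event.get("proxy_action", "")).lower()         # hypothetical field
    has_response = event.get("http_response_code") is not None  # hypothetical field
    has_path = bool(event.get("http_request_path"))             # hypothetical field

    if action in PROXY_ACTIONS:
        sub = "http.proxied"          # mediated traffic wins over end-to-end types
    elif has_response:
        sub = "http.communication"    # request plus server response context
    elif has_path:
        sub = "http.request"          # client request only
    else:
        sub = "http.default"          # fallback: method and source only

    code, event_type = GIM_HTTP_TYPES[sub]
    return {**event, "gim_event_category": "http", "gim_event_subcategory": sub,
            "gim_event_type_code": code, "gim_event_type": event_type}


# Constructed sample events (not real log data).
SAMPLES = [
    {"http_request_method": "GET", "source_reference": "10.0.0.5"},
    {"http_request_method": "GET", "source_reference": "10.0.0.5",
     "http_request_path": "/login"},
    {"http_request_method": "POST", "source_reference": "10.0.0.5",
     "http_request_path": "/login", "http_response_code": 401},
    {"http_request_method": "GET", "source_reference": "10.0.0.9",
     "http_request_path": "/", "http_response_code": 403, "proxy_action": "BLOCK"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        out = classify_http_event(sample)
        print(out["gim_event_type_code"], out["gim_event_subcategory"])
```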
