[Day 7] Log analysis ‘Tis the season for log chopping!

How many unique IP addresses are connected to the proxy server?

cut -d ' ' -f2 access.log | sort | uniq | wc -l 

> 9

How many unique domains were accessed by all workstations?

cut -d ' ' -f3 access.log | cut -d ':' -f1 | sort | uniq | wc -l

> 111

What status code is generated by the HTTP requests to the least accessed domain?

503

Based on the high count of connection attempts, what is the name of the suspicious domain?

frostlings.bigbadstash.thm

What is the source IP of the workstation that accessed the malicious domain?

grep "frostlings.bigbadstash.thm" access.log | cut -d ' ' -f2 | sort -u

> 10.10.185.225

How many requests were made on the malicious domain in total?

grep -c "frostlings.bigbadstash.thm" access.log

> 1581

Having retrieved the exfiltrated data, what is the hidden flag?

grep "frostlings.bigbadstash.thm" access.log | cut -d '=' -f2 | cut -d ' ' -f1 | base64 -d | grep THM

> THM{a_gift_for_you_awesome_analyst!}
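As an added worked example (not part of the original write-up and not material from the TryHackMe room), the same cut/sort/uniq reasoning from the answers above is packaged as POSIX sh functions over a small constructed log. It assumes the field layout the commands above rely on (timestamp without spaces, source IP, host:port, method, URI, status, size, user agent); the hostnames, IPs and base64 payload are made up for the example. It also generalises the last step: the query-string chunks are pulled with awk instead of cut, so a chunk that ends in padding characters keeps its `=` signs, and domain matches are exact on the host field rather than a substring grep.

```shell
#!/bin/sh
# Constructed sample log (not real data). Fields, space separated:
# timestamp source_ip host:port method uri status size user_agent
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
2023-12-01T09:00:01 10.10.0.11 www.example.com:443 GET / 200 5120 "Mozilla/5.0"
2023-12-01T09:00:05 10.10.0.12 cdn.example.net:443 GET /lib.js 200 8192 "Mozilla/5.0"
2023-12-01T09:00:09 10.10.0.11 cdn.example.net:443 GET /style.css 200 2048 "Mozilla/5.0"
2023-12-01T09:01:00 10.10.0.13 update.example.org:80 GET /manifest 503 0 "Updater/1.2"
2023-12-01T09:02:10 10.10.0.12 www.example.com:443 GET /about 200 4096 "Mozilla/5.0"
2023-12-01T09:03:00 10.10.0.14 stash.example-evil.test:80 GET /?q=RVhB 200 12 "curl/8.0"
2023-12-01T09:03:01 10.10.0.14 stash.example-evil.test:80 GET /?q=TVBM 200 12 "curl/8.0"
2023-12-01T09:03:02 10.10.0.14 stash.example-evil.test:80 GET /?q=RXtj 200 12 "curl/8.0"
2023-12-01T09:03:03 10.10.0.14 stash.example-evil.test:80 GET /?q=aG9w 200 12 "curl/8.0"
2023-12-01T09:03:04 10.10.0.14 stash.example-evil.test:80 GET /?q=cGVk 200 12 "curl/8.0"
2023-12-01T09:03:05 10.10.0.14 stash.example-evil.test:80 GET /?q=fQ== 200 12 "curl/8.0"
EOF

# Distinct source IPs (field 2). sort -u also catches non-adjacent repeats,
# which a bare uniq would miss.
unique_ips() { cut -d ' ' -f2 "$LOG" | sort -u | wc -l | tr -d ' '; }

# Distinct destination hosts: field 3 with the :port suffix stripped.
unique_domains() { cut -d ' ' -f3 "$LOG" | cut -d ':' -f1 | sort -u | wc -l | tr -d ' '; }

# Per-host request counts, ascending, so the rarest host is first and the
# noisiest host is last.
domain_counts() { cut -d ' ' -f3 "$LOG" | cut -d ':' -f1 | sort | uniq -c | sort -n; }
least_accessed() { domain_counts | head -n 1 | awk '{print $2}'; }
most_accessed() { domain_counts | tail -n 1 | awk '{print $2}'; }

# Status codes (field 6) seen for an exact host match.
status_for() {
    awk -v d="$1" '{ split($3, h, ":"); if (h[1] == d) print $6 }' "$LOG" | sort -u
}

# Source IPs that talked to a host, and how many requests they made.
source_ips_for() {
    awk -v d="$1" '{ split($3, h, ":"); if (h[1] == d) print $2 }' "$LOG" | sort -u
}
request_count() {
    awk -v d="$1" '{ split($3, h, ":"); if (h[1] == d) n++ } END { print n + 0 }' "$LOG"
}

# Reassemble the exfiltrated payload: take the q= value from each URI in log
# order, join the chunks without newlines, then base64-decode the whole thing.
extract_payload() {
    awk -v d="$1" '{
        split($3, h, ":")
        if (h[1] == d && match($5, /[?&]q=[^&]*/))
            printf "%s", substr($5, RSTART + 3, RLENGTH - 3)
    }' "$LOG" | base64 -d
}

# Stand-alone run: print the same answers the questions above ask for.
report() {
    echo "unique IPs:        $(unique_ips)"
    echo "unique domains:    $(unique_domains)"
    echo "least accessed:    $(least_accessed) -> status $(status_for "$(least_accessed)")"
    echo "most accessed:     $(most_accessed)"
    echo "source of traffic: $(source_ips_for "$(most_accessed)")"
    echo "requests:          $(request_count "$(most_accessed)")"
    echo "decoded payload:   $(extract_payload "$(most_accessed)")"
}
report
```

The ordering in `domain_counts` is what turns "which domain is least/most accessed" into a mechanical answer, and matching on the split host field avoids the classic substring slip where `grep example.com` also counts `example.com.evil.test`.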