Forcepoint Secure Web Gateway threat indicator detected

This rule is part of a beta feature. To learn more, contact Support.

Set up the forcepoint-secure-web-gateway integration.

Goal

Identify that a threat indicator was detected within Forcepoint Secure Web Gateway.

Strategy

This rule analyzes Forcepoint SWG logs to identify a detected threat indicator.

Triage and Response

  1. Analyze the Forcepoint SWG logs and identify the user {{@usr.name}} associated with the occurrences of the flagged threat indicator.
  2. Review activities, accessed URLs, and files associated with the flagged threat indicators to understand the nature of the threat indicator.
  3. Assess web categories and reputation scores of accessed URLs.
  4. Examine DLP patterns or keywords to identify sensitive or regulated data involved in the flagged actions.
  5. Quarantine flagged files or data uploads if they contain sensitive information.
  6. Block further access to flagged URLs or applications if not already restricted.
  7. Suspend or reset the user’s account credentials if compromise is suspected.
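The following script is an added example, not part of the original rule page or of the Forcepoint integration, showing how steps 1 through 4 of the triage above can be carried out over exported SWG logs: it parses JSON log lines, keeps only events carrying a threat indicator, groups them by user, and summarizes the accessed URLs, web categories, lowest reputation score, and any DLP pattern seen, then notes which of steps 5 and 6 apply. The log lines are constructed, and the field names (`usr.name`, `threat_indicator`, `url`, `category`, `reputation_score`, `dlp_pattern`, `action`) and the reputation threshold are assumptions rather than the integration's real schema.

```python
import json

# Constructed sample log lines in a hypothetical JSON shape. The field names
# used here are assumptions for illustration, not Forcepoint SWG's real schema.
SAMPLE_LOGS = [
    '{"timestamp":"2024-05-01T10:00:01Z","usr":{"name":"alice"},"threat_indicator":"malicious_url",'
    '"url":"http://bad.example/a","category":"Malicious Sites","reputation_score":12,"dlp_pattern":null,"action":"blocked"}',
    '{"timestamp":"2024-05-01T10:02:15Z","usr":{"name":"alice"},"threat_indicator":"malicious_url",'
    '"url":"http://bad.example/b","category":"Malicious Sites","reputation_score":8,"dlp_pattern":null,"action":"allowed"}',
    '{"timestamp":"2024-05-01T10:05:40Z","usr":{"name":"bob"},"threat_indicator":"data_exfil",'
    '"url":"https://paste.example/upload","category":"File Sharing","reputation_score":55,"dlp_pattern":"credit_card_number","action":"allowed"}',
    '{"timestamp":"2024-05-01T10:06:00Z","usr":{"name":"carol"},"threat_indicator":null,'
    '"url":"https://docs.example","category":"Business","reputation_score":95,"dlp_pattern":null,"action":"allowed"}',
    'this line is not json',
]


def parse_logs(lines):
    """Parse JSON log lines and return only events that carry a threat indicator."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole triage
        if rec.get("threat_indicator"):
            events.append(rec)
    return events


def triage_by_user(events, low_reputation=30):
    """Group flagged events by user and collect what steps 1-4 ask for.

    low_reputation is an assumed threshold: scores below it are called out.
    """
    summary = {}
    for rec in events:
        user = rec.get("usr", {}).get("name") or "unknown"
        entry = summary.setdefault(user, {
            "indicators": set(), "urls": [], "categories": set(),
            "lowest_reputation": None, "dlp_patterns": set(),
            "allowed_count": 0, "follow_up": set(),
        })
        entry["indicators"].add(rec["threat_indicator"])
        url = rec.get("url")
        if url and url not in entry["urls"]:
            entry["urls"].append(url)
        if rec.get("category"):
            entry["categories"].add(rec["category"])
        score = rec.get("reputation_score")
        if score is not None and (entry["lowest_reputation"] is None
                                  or score < entry["lowest_reputation"]):
            entry["lowest_reputation"] = score
        # Step 4: a DLP pattern means sensitive data was involved (step 5 applies).
        if rec.get("dlp_pattern"):
            entry["dlp_patterns"].add(rec["dlp_pattern"])
            entry["follow_up"].add("quarantine flagged upload")
        # A flagged access that was allowed is not yet restricted (step 6 applies).
        if rec.get("action") == "allowed":
            entry["allowed_count"] += 1
            entry["follow_up"].add("block URL/application")
    for entry in summary.values():
        rep = entry["lowest_reputation"]
        if rep is not None and rep < low_reputation:
            entry["follow_up"].add("low-reputation destination reached")
    return summary


def print_report(summary):
    """Render the per-user summary for an analyst."""
    for user, entry in sorted(summary.items()):
        print(f"user={user} indicators={sorted(entry['indicators'])}")
        print(f"  urls={entry['urls']} categories={sorted(entry['categories'])}")
        print(f"  lowest_reputation={entry['lowest_reputation']} "
              f"dlp={sorted(entry['dlp_patterns'])} allowed={entry['allowed_count']}")
        print(f"  follow_up={sorted(entry['follow_up'])}")


if __name__ == "__main__":
    print_report(triage_by_user(parse_logs(SAMPLE_LOGS)))
```

Events without a threat indicator (carol's normal browsing) and malformed lines are dropped before grouping, so the report lists only users tied to the flagged indicator; whether step 7 (credential suspension or reset) applies remains an analyst judgment and is not automated here.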