Forcepoint Secure Web Gateway unusual spike found in web category urls

This rule is part of a beta feature. To learn more, contact Support.

Set up the forcepoint-secure-web-gateway integration.


Goal

Identify an unusual spike in requests for URLs within the {{@webcategories}} web category.

Strategy

This rule analyzes Forcepoint SWG logs to detect an abnormal increase in requests for URLs within a specific web category.

Triage and Response

  1. Analyze the Forcepoint SWG logs and identify the users and user groups associated with the spike in requests for URLs in the {{@webcategories}} web category.
  2. Check the web reputation of the URLs being accessed within the flagged category. Ensure that no high-risk URLs or known malicious destinations are being requested.
  3. Examine any correlated activities that could be linked to the spike, such as file uploads, downloads, or data requests that may raise security concerns (such as matching DLP patterns or confidential data uploads).
  4. Review actions taken by Forcepoint SWG, and block the web category or specific URLs associated with suspicious activity if they have not already been blocked.
  5. Notify the users about the suspicious activity and educate them on safe browsing practices.
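The detection described under Strategy and the user breakdown asked for in triage step 1, as an added example that is not Datadog's or Forcepoint's code. It runs over constructed Forcepoint-SWG-style records; the field layout (hour bucket, user, web category) and the mean-plus-3-sigma threshold are assumptions, not the rule's actual parameters.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample records: (hour bucket, user, web category). Real Forcepoint
# SWG logs carry many more fields; these three are all the detection needs.
SAMPLE_LOGS = (
    [(h, "alice", "Business") for h in range(6) for _ in range(4)]
    + [(h, "bob", "Business") for h in range(6) for _ in range(3)]
    + [(h, "alice", "File Storage") for h in range(5)]    # baseline: 1 request/hour
    + [(5, "carol", "File Storage") for _ in range(30)]   # spike in the last hour
)

def bucket_counts(records):
    """Map web category -> {hour: request count}."""
    counts = defaultdict(Counter)
    for hour, _user, category in records:
        counts[category][hour] += 1
    return counts

def find_spikes(records, current_hour, threshold=3.0, min_baseline_hours=3):
    """Return {category: (current count, baseline mean)} for categories whose
    current-hour volume exceeds mean + threshold * stddev of the earlier hours.
    Categories with too little history are skipped rather than flagged."""
    spikes = {}
    for category, per_hour in bucket_counts(records).items():
        baseline = [per_hour.get(h, 0) for h in range(current_hour)]
        if len(baseline) < min_baseline_hours:
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        current = per_hour.get(current_hour, 0)
        # max(sigma, 1.0) keeps a perfectly flat baseline from flagging +1 request
        if current > mu + threshold * max(sigma, 1.0):
            spikes[category] = (current, mu)
    return spikes

def users_behind_spike(records, category, hour):
    """Triage step 1: which users drove the flagged category in that hour."""
    return Counter(u for h, u, c in records if c == category and h == hour)

if __name__ == "__main__":
    flagged = find_spikes(SAMPLE_LOGS, current_hour=5)
    for category, (current, mu) in flagged.items():
        print(f"{category}: {current} requests vs. baseline {mu:.1f}/hour")
        print("  users:", dict(users_behind_spike(SAMPLE_LOGS, category, 5)))
```

With the constructed data, "Business" stays flat at 7 requests/hour and is not flagged, while "File Storage" jumps from 1 to 30 and is attributed to a single user.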