Forcepoint Secure Web Gateway threat indicator detected

This rule is part of a beta feature. To learn more, contact Support.

Set up the forcepoint-secure-web-gateway integration.

Goal

Identify that a threat indicator was detected within Forcepoint Secure Web Gateway.

Strategy

This rule analyzes Forcepoint SWG logs to identify a detected threat indicator.

Triage and Response

  1. Analyze the Forcepoint SWG logs and identify the user {{@usr.name}} associated with the occurrences of the flagged threat indicator.
  2. Review the activities, accessed URLs, and files associated with the flagged threat indicators to understand the nature of the threat.
  3. Assess the web categories and reputation scores of the accessed URLs.
  4. Examine DLP pattern or keyword matches to identify any sensitive or regulated data involved in the flagged actions.
  5. Quarantine flagged files or data uploads if they contain sensitive information.
  6. Block further access to flagged URLs or applications if not already restricted.
  7. Suspend or reset the user’s account credentials if compromise is suspected.
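A small triage helper for steps 1 through 4, added here as an example and not part of the Datadog rule or of Forcepoint's tooling. The log events are constructed; `usr.name` comes from the rule's `{{@usr.name}}` template, while every other field name (`url`, `category`, `reputation`, `threat_indicator`, `dlp_pattern`, `action`) and the reputation threshold are assumptions about how the integration might normalize SWG fields.

```python
"""Triage helper for Forcepoint SWG threat-indicator events (added example).
usr.name comes from the rule's {{@usr.name}} template; every other field name
below is an assumption about how the integration might normalize SWG fields."""
import json

# Constructed sample events, one JSON object per line, as they might look after
# Datadog ingestion (field layout is an assumption, not Forcepoint's schema).
SAMPLE_LOGS = """
{"usr": {"name": "jdoe"}, "url": "http://bad.example/loader.exe", "category": "Malicious Web Sites", "reputation": 5, "threat_indicator": "Malware", "action": "blocked"}
{"usr": {"name": "jdoe"}, "url": "https://files.example/upload", "category": "File Storage", "reputation": 62, "threat_indicator": null, "dlp_pattern": "Credit Card Numbers", "action": "allowed"}
{"usr": {"name": "asmith"}, "url": "https://news.example/", "category": "News", "reputation": 90, "threat_indicator": null, "action": "allowed"}
{"usr": {"name": "jdoe"}, "url": "http://c2.example/beacon", "category": "Uncategorized", "reputation": 12, "threat_indicator": "Suspicious Connection", "action": "allowed"}
""".strip()

LOW_REPUTATION = 30  # assumed threshold for a "poor" reputation score


def parse_events(text):
    """Parse one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort triage of the rest
    return events


def flagged_users(events):
    """Step 1: every user tied to at least one threat-indicator event."""
    return sorted({e["usr"]["name"] for e in events if e.get("threat_indicator")})


def triage_user(events, user):
    """Steps 2-4: URLs, categories, reputation and DLP matches for one user."""
    mine = [e for e in events if e.get("usr", {}).get("name") == user]
    hits = [e for e in mine if e.get("threat_indicator")]
    return {
        "threat_indicators": sorted({e["threat_indicator"] for e in hits}),
        "flagged_urls": [e["url"] for e in hits],
        "categories": sorted({e["category"] for e in mine}),
        "low_reputation_urls": [e["url"] for e in mine if e.get("reputation", 100) < LOW_REPUTATION],
        "dlp_patterns": sorted({e["dlp_pattern"] for e in mine if e.get("dlp_pattern")}),
        # flagged but allowed: candidates for step 6 (block further access)
        "allowed_flagged": [e["url"] for e in hits if e.get("action") == "allowed"],
    }
```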