Forcepoint Secure Web Gateway unusual spike found in web category urls

This rule is part of a beta feature. To learn more, contact Support.

Set up the forcepoint-secure-web-gateway integration.

Goal

Identify an unusual spike in requests for URLs within the {{@webcategories}} web category.

Strategy

This rule analyzes Forcepoint SWG logs to detect an abnormal increase in requests for URLs within a specific web category.
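As an added illustration of the strategy above (example code, not Datadog's rule logic and not Forcepoint's log schema), the following Python compares the latest five-minute request count of each web category against the preceding windows and flags a category whose count jumps well beyond its baseline. The event fields, thresholds and sample events are constructed assumptions.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW_MINUTES = 5    # size of each counting window (assumed value)
BASELINE_WINDOWS = 5  # prior windows that form the baseline (assumed value)
MIN_REQUESTS = 10     # below this, a jump is noise rather than a spike
Z_THRESHOLD = 3.0     # flag when current > mean + Z_THRESHOLD * stdev

def build_sample_events():
    """Constructed events as (timestamp, user, web category) tuples: five
    quiet windows for 'File Sharing', then a burst from four users, while
    'Business' stays flat at five requests per window."""
    events, base = [], datetime(2024, 1, 1, 9, 0)
    for w, n in enumerate([2, 3, 2, 3, 2, 20]):
        start = base + timedelta(minutes=WINDOW_MINUTES * w)
        events += [(start + timedelta(seconds=i), f"user{i % 4}", "File Sharing") for i in range(n)]
        events += [(start + timedelta(seconds=i), "user9", "Business") for i in range(5)]
    return events

def window_start(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES bucket."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)

def count_per_window(events):
    """Map category -> {window start: request count}."""
    counts = defaultdict(Counter)
    for ts, _user, category in events:
        counts[category][window_start(ts)] += 1
    return counts

def find_spikes(events):
    """Return {category: details} for categories whose latest window is a spike."""
    spikes = {}
    for category, per_window in count_per_window(events).items():
        windows = sorted(per_window)  # windows with zero requests are simply absent
        if len(windows) < BASELINE_WINDOWS + 1:
            continue  # not enough history to judge this category
        latest, history = windows[-1], [per_window[w] for w in windows[-BASELINE_WINDOWS - 1:-1]]
        mean = statistics.fmean(history)
        stdev = max(statistics.pstdev(history), 1.0)  # floor: a flat baseline still needs a real jump
        current = per_window[latest]
        if current >= MIN_REQUESTS and current > mean + Z_THRESHOLD * stdev:
            users = sorted({u for ts, u, c in events if c == category and window_start(ts) == latest})
            spikes[category] = {"window": latest, "requests": current,
                                "baseline_mean": mean, "users": users}
    return spikes
```

Calling `find_spikes(build_sample_events())` reports only the 'File Sharing' burst together with the users behind it, which is the starting point for triage step 1 below.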

Triage and Response

  1. Analyze the Forcepoint SWG logs and identify the users and user groups associated with the spike in requests for URLs in the {{@webcategories}} web category.
  2. Check the web reputation of the URLs being accessed within the flagged category. Ensure that no high-risk URLs or known malicious destinations are being requested.
  3. Examine any correlated activities that could be linked to the spike, such as file uploads, downloads, or data requests that may raise security concerns (such as matching DLP patterns or confidential data uploads).
  4. Review actions taken by Forcepoint SWG, and block the web category or specific URLs associated with suspicious activity if they have not already been blocked.
  5. Notify the users about the suspicious activity and educate them on safe browsing practices.