Forcepoint Secure Web Gateway unusual spike found in requests for low reputation urls by users

This rule is part of a beta feature. To learn more, contact Support.

Set up the forcepoint-secure-web-gateway integration.

Goal

Identify an unusual spike in requests for low reputation URLs.

Strategy

This rule analyzes Forcepoint SWG logs to identify an unusual spike in requests for low reputation URLs.
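The following is an added illustration of the spike logic, not the rule's own query or Forcepoint code: it buckets each user's low reputation URL requests into fixed windows and flags a window whose count is well above that user's recent baseline. The `reputation` field name, the sample events and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone


def event(ts, user, url, rep):
    # Constructed event; "reputation" is an assumed field name, usr.name / http.url follow the rule.
    return {"timestamp": ts, "usr.name": user, "http.url": url, "reputation": rep}


# Constructed sample: alice makes one low-rep request in each of three 5-minute windows,
# then eight in the fourth; bob makes two; alice's intranet traffic is high-rep and ignored.
SAMPLE_EVENTS = (
    [event(f"2024-01-01T10:{m:02d}:00", "alice", "http://low-rep.example/a", "low") for m in (1, 6, 11)]
    + [event(f"2024-01-01T10:16:{s:02d}", "alice", f"http://low-rep.example/{s}", "low") for s in range(8)]
    + [event(f"2024-01-01T10:17:{s:02d}", "bob", "http://low-rep.example/b", "low") for s in range(2)]
    + [event(f"2024-01-01T10:16:{s:02d}", "alice", "https://intranet.example/", "high") for s in range(20)]
)


def low_rep_counts(events, window_seconds=300):
    """Return {user: {bucket: count}} counting only low-reputation URL requests.
    Buckets are epoch-aligned windows of window_seconds."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["reputation"] != "low":
            continue
        ts = datetime.fromisoformat(e["timestamp"])
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # assume UTC for naive timestamps
        counts[e["usr.name"]][int(ts.timestamp()) // window_seconds] += 1
    return counts


def find_spikes(events, window_seconds=300, baseline_windows=3, min_count=5, factor=3.0):
    """Flag (user, bucket, count) when a window holds at least min_count low-rep requests
    and more than factor times the mean of that user's preceding baseline_windows windows.
    Windows with no low-rep traffic count as zero, so a quiet baseline makes a burst stand out."""
    spikes = []
    for user, per_bucket in low_rep_counts(events, window_seconds).items():
        for bucket, count in sorted(per_bucket.items()):
            baseline = [per_bucket.get(bucket - i, 0) for i in range(1, baseline_windows + 1)]
            mean = sum(baseline) / baseline_windows
            if count >= min_count and count > factor * mean:
                spikes.append((user, bucket, count))
    return spikes


if __name__ == "__main__":
    for user, bucket, count in find_spikes(SAMPLE_EVENTS):
        print(f"spike: user={user} window={bucket} low_rep_requests={count}")
```

Tune `min_count` and `factor` to the organization's normal volume; a low `min_count` lets two stray requests from a user with no baseline trip the check.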

Triage and Response

  1. Review the Forcepoint SWG logs to identify the user `{{@usr.name}}` requesting a low reputation URL `{{@http.url}}`.
  2. Examine user activities and actions taken by Forcepoint SWG, focusing on fields like activity, action, and application.
  3. Identify any potential sensitive data patterns in the DLP pattern field, if present, and analyze uploaded file details such as file type, size, and hash values, if available.
  4. Reset user credentials if malicious intent is suspected.
  5. Quarantine flagged files and ensure uploads are blocked if not already restricted.
  6. Immediately block the low reputation URL if not already blocked.
  7. Notify and educate the user about safe browsing practices.