Suspicious Proxy Activity - Targeted - Rare Domain Containing Ad Hoc Indicators
Upload to personal site can indicate malicious insider or cyber exfiltration activity. This spike can indicate malicious insider or cyber exfiltration activity.Īny proxy avoidance against a domain can be a compliance issue or it can help identify gaps, for example, when a domain is both allowed and blocked.
This policy detects spike in the amount of data uploaded to public sites. Malware and ransomware use randomly generated domains to hide from existing detection technologies.Ībnormal amount of data uploaded to external sites This indicates flight risk behavior.Īny web traffic to known malicious domains can indicate a malicious payload or process that can cause an endpoint to communicate with known bad domains.Īny web traffic to randomly generated domains can indicate that malicious payload can be transferred to an endpoint. The policy detects employee seeking employment opportunities. Upload Attempts to Multiple Distinct Storage SitesĪttempting to upload data to multiple distinct storage sites may indicate malicious insider or cyber exfiltration activity.Īny web traffic to known malicious IP addresses can indicate a malicious payload or process that can cause an endpoint to communicate with known bad IP addresses. The job exiting behavior identifies entities that are intending to resign or leave the organization. Web traffic to domains categorized as proxy anonymizer indicates that a malicious entity is attempting to circumvent the organizations control. This policy detects web traffic to and from exit nodes, which can indicate a malicious entity attempting to circumvent the organizations control.īeaconing Traffic to proxy anonymizing websites This spike can indicate malicious insider/cyber exfiltration activity.
This policy detects spike in the amount of data uploaded to public storage sites. This policy detects activity by terminated users, which can indicate a possible account misuse or a gap in the deprovisioning process.Ībnormal amount of data uploaded to storage sites Web browsing activity from terminated accounts This policy detects behavior that indicates communication with a command and control server. This policy detects communication with a command and control server.īeaconing traffic to known black list site Sandbox: Policies that are categorized as Sandbox must be tested and fine-tuned based on your requirement.Observables: Policies that are categorized as observables need monitoring as they might turn into a threat.Threat: Policies that are categorized as threats, need immediate investigation.The policies are categorized based on the following: This section lists out-of-box policies available for web proxy. Teleconferencing application accessed by an account
Note: You can refer to the Detailed Policy Description to view specified attributes required for a policy.Ībnormal amount of data exfiltrated via teleconferencing applicationsĭetection of possible proxy circumvention This section lists attributes required to support all out-of-the-box use cases for this functionality. Detailed Policy Description: Lists detailed information for each policy such as policy status, policy criticality, policy category, MITRE mapping, violation entity, named list, vendor specific use case, and required attributes.īefore you can use any out-of-box policies, you have to ensure you have information for required attributes.Policy Overview: Lists policy signature ID, description, criticality, MITRE threat indicator.Prerequisite: Lists all the attributes required to support all out-of-box policies for web proxy.This section provides the following information for the out-of-box policies available for web proxy: Web Proxy tools act as an intermediary between the servers on your network and external networks to prevent malicious or unauthorized traffic from leaving or entering the network, and to protect the identity of the server.