Access Attempt Through Ex-Employee IDs

Access attempts
Rule Name: Access attempt through ex-employee IDs
Rule Description: The rule triggers if any login attempt by an ex-employee account is observed.
Use Case category: Authentication
Alert Category: Authentication failures
Log sources required: AD servers
Use case logic: When the event username is contained in BB:EX-employees_list AND the same username is seen 5 times in 1 minute
Key Fields Required (from AD server):
Source IP
Source Username
Source Hostname
Destination IP
Destination Hostname
Destination Username
Logon Type
Device Address
Device Hostname
Time
Sample Scenario and Findings: If any login attempt is observed from an ex-employee/personnel ID, this alert should trigger.
Impact: If an unauthorized user attempts access and gains access to the server, they may make unwanted changes that cannot be tracked afterwards.
Quick Remediation:
1. Check why login attempts are coming from ex-employee IDs; the origin can be tracked by source hostname.
2. Check for any service/background application that may be trying to authenticate with saved/cached credentials, and clear those credentials if found.
Permanent Remediation:
1. Check for any service/background application that may be trying to authenticate with saved/cached credentials, and clear those credentials if found.
2. Clear the browser cache, which may contain saved credentials of ex-employees.
Root Cause Analysis:
1. Check for any service/background application that may be trying to authenticate with saved/cached credentials, and clear those credentials if found.
2. Clear the browser cache, which may contain saved credentials of ex-employees.
Rule Name: Access to prohibited/blocked URL category
Rule Description: The rule triggers when any user tries to access a URL that is blocked in the proxy.
Use Case category: Prohibited access
Alert Category: Prohibited access
Log sources required: Proxy
Use case logic: When the event(s) were detected by one or more of McAfee Web Gateway, and when the event matches Proxy_BlockReason (custom) [the matched value is cut off in the source], and when at least 10 events are seen with the same Source IP in 2 minutes
Key Fields Required:
Event Description
Source IP
Source Username
Source Hostname
Destination IP
Destination Hostname
Destination Username
Device Address
Device Hostname
Time
Proxy_BlockReason (custom)
Proxy_URL (custom)
Proxy_URL_Category (custom)
Sample Scenario and Findings: This happens when a user continuously tries to access a URL and is denied by the proxy.
Impact:
1. A large volume of such traffic may affect proxy utilization.
2. The source machine might be infected.
Quick Remediation:
1. Check with the source user and advise them not to attempt access to blocked sites.
2. If the request is legitimate, allow it in the proxy.
Permanent Remediation:
1. Check whether the source is infected by a virus or malware that may be generating this type of traffic.
2. Scan the source machine completely.
Root Cause Analysis:
1. Check whether the source is infected by a virus or malware that may be generating this type of traffic.
2. Scan the source machine completely.
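The two rules above share one mechanism: filter events by a reference-set or block-reason condition, then count matches per key inside a sliding time window (5 per username in 1 minute for the ex-employee rule, 10 per Source IP in 2 minutes for the blocked-URL rule). The following Python is an added example written for this page; it is not from the source spreadsheet or from any SIEM vendor. The events, the reference set contents, the field names, and the use of Windows event 4625/4624 as the AD logon records are constructed assumptions; `threshold_hits`, `norm_user` and the two `rule_*` functions are illustrative names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed reference set standing in for BB:EX-employees_list (assumption:
# entries are stored already normalised, see norm_user).
EX_EMPLOYEES = {"jdoe", "asmith"}


def norm_user(name):
    """Normalise 'CORP\\JDoe', 'jdoe@corp.local' and 'JDOE' to 'jdoe' so a
    reference-set lookup does not miss the same account written three ways."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()


def threshold_hits(events, key, threshold, window, predicate):
    """Sliding-window counter: returns (key_value, triggering_event) each time
    `threshold` events sharing key_value and satisfying `predicate` fall inside
    `window`. The bucket is cleared after firing so one burst yields one alert."""
    buckets = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not predicate(ev):
            continue
        k = key(ev)
        dq = buckets[k]
        dq.append(ev["time"])
        while ev["time"] - dq[0] > window:      # drop events older than the window
            dq.popleft()
        if len(dq) >= threshold:
            alerts.append((k, ev))
            dq.clear()
    return alerts


def rule_ex_employee_logon(events):
    """Rule 1: username in the ex-employee list AND same username 5 times in 1 minute.
    Successful and failed logons both count, matching 'any login attempts'."""
    return threshold_hits(
        events,
        key=lambda e: norm_user(e["src_user"]),
        threshold=5, window=timedelta(minutes=1),
        predicate=lambda e: norm_user(e["src_user"]) in EX_EMPLOYEES,
    )


def rule_blocked_url_burst(events):
    """Rule 2: McAfee Web Gateway event carrying a block reason, at least 10 from
    the same Source IP within 2 minutes."""
    return threshold_hits(
        events,
        key=lambda e: e["src_ip"],
        threshold=10, window=timedelta(minutes=2),
        predicate=lambda e: e["device"] == "McAfee Web Gateway" and bool(e.get("block_reason")),
    )


# ---- constructed sample events (not real logs) ----
T0 = datetime(2024, 1, 15, 9, 0, 0)


def at(sec):
    return T0 + timedelta(seconds=sec)


def ad_event(sec, user, src_ip, src_host, event_id=4625, logon_type=3):
    # Windows 4625 = failed logon, 4624 = successful logon (assumed AD record types)
    return {"time": at(sec), "event_id": event_id, "src_user": user, "src_ip": src_ip,
            "src_host": src_host, "logon_type": logon_type, "device": "DC01"}


def proxy_event(sec, src_ip, url, category, block_reason=None):
    return {"time": at(sec), "device": "McAfee Web Gateway", "src_ip": src_ip,
            "url": url, "url_category": category, "block_reason": block_reason}


AD_EVENTS = (
    [ad_event(s, "CORP\\JDoe", "10.1.2.3", "WS-0042") for s in (0, 10, 20, 30, 40)]        # ex-employee: 5 in 40 s -> alert
    + [ad_event(s, "CORP\\bob", "10.1.2.9", "WS-0077") for s in range(0, 60, 10)]         # active user: 6 failures, no alert
    + [ad_event(s, "asmith@corp.local", "10.1.2.5", "SVC-APP1") for s in (0, 30, 60, 90)]  # ex-employee: never 5 in one minute
)
PROXY_EVENTS = (
    [proxy_event(s, "10.0.0.5", "http://blocked.example/", "Gambling", "URL category blocked") for s in range(0, 120, 10)]  # 12 in 110 s -> alert
    + [proxy_event(s, "10.0.0.9", "http://blocked.example/", "Gambling", "URL category blocked") for s in (0, 50, 100)]     # 3, no alert
    + [proxy_event(s, "10.0.0.7", "http://intranet.example/", "Business") for s in range(0, 150, 10)]                      # allowed, not counted
)

if __name__ == "__main__":
    for user, ev in rule_ex_employee_logon(AD_EVENTS):
        print(f"RULE1 ex-employee logon burst: user={user} src_ip={ev['src_ip']} src_host={ev['src_host']} at {ev['time']}")
    for ip, ev in rule_blocked_url_burst(PROXY_EVENTS):
        print(f"RULE2 blocked-URL burst: src_ip={ip} category={ev['url_category']} reason={ev['block_reason']} at {ev['time']}")
```

The source hostname carried on the triggering event is what the quick remediation for rule 1 asks the analyst to pivot on. One caveat the threshold introduces: a single successful logon (4624) by an ex-employee account stays below 5 per minute and does not fire, although an account that still authenticates after offboarding is the more serious finding; a separate single-event rule on successful logons from the same reference set closes that gap.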
Rule Name: Unauthorized access attempt on proxy
Rule Description: This rule triggers if any unauthorized user tries to access the proxy device.
Use Case category: Unauthorized access
Alert Category: Unauthorized access
Log sources required: Proxy
Use case logic: When the event was detected by one or more of McAfee Web Gateway AND NOT when any of Username are contained in [the reference set name is cut off in the source]
Fields Required:
Event Name
Event Properties
Username
Source IP
Destination IP
Destination Hostname
Device IP
Sample Scenario and Findings: A higher number of deny events is observed when an unauthorized user tries to access the proxy and is denied.
Impact:
1. If an unauthorized user gains access, they might make changes to the configuration.
Quick Remediation:
1. Identify who is trying to access the proxy and, if they are unauthorized, advise them not to access it.
Permanent Remediation:
1. Identify who is trying to access the proxy and, if they are unauthorized, advise them not to access it.
Root Cause: (blank in source)
Rule Name: Social_Media_Usage_Observed
Rule Description: This rule triggers when any user accesses a social media site.
Use Case category: Unauthorized access
Alert Category: Unauthorized access
Log sources required: Proxy
Use case logic: When the event(s) were detected by one or more of McAfee Web Gateway, and when the event matches Proxy_URL_Category (custom) is any of Social Networking, and when the event matches Event Name is Allowed
Key Fields Required:
Event name
Source IP
Source Hostname
Destination IP
Destination Hostname
Destination port
Username
Device IP
Device Hostname
Proxy_URL (custom)
Proxy_URL_Category (custom)
Sample Scenario and Findings: A user accesses social websites, which can be tracked by the proxy.
Impact:
1. Using social sites might be an integrity/compliance issue.
2. Using social sites raises the chance of the source machine getting infected.
Quick Remediation:
1. Track the source user and check whether they are authorized to access the site.
Permanent Remediation:
1. If the particular user is not authorized, block it in the proxy.
2. If the user is authorized, they can be whitelisted at rule level after customer approval.
Root Cause:
1. Scan the full system, check for any infections and delete them accordingly.
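Rules 3 and 4 have no time window; each is a per-event match with an exclusion list (usernames NOT in the authorized set for rule 3, and the rule-level whitelist that the permanent remediation for rule 4 mentions). The Python below is an added example for this page, not code from the source spreadsheet or from McAfee; the reference set contents, the event name "Admin UI Logon" used to mark access to the proxy device itself, and all sample events are constructed assumptions. It also handles the edge case of an event with no username, which a NOT-in-set condition must treat as unauthorized rather than rely on how the SIEM evaluates a null field.

```python
# Constructed reference sets (assumptions standing in for the SIEM reference
# sets the source rules refer to; the names are not from the source).
AUTHORIZED_PROXY_ADMINS = {"proxyadmin", "netops1"}   # rule 3: "Username contained in ..."
SOCIAL_MEDIA_EXCEPTIONS = {"marketing1"}              # rule 4: whitelisted at rule level after customer approval

PROXY_DEVICE = "McAfee Web Gateway"
ADMIN_EVENT = "Admin UI Logon"   # assumed event name for access to the proxy device itself


def norm_user(name):
    """'CORP\\JDoe' / 'jdoe@corp.local' / 'JDOE' -> 'jdoe' before any set lookup."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()


def rule_unauthorized_proxy_access(events):
    """Rule 3: proxy-device access event whose username is NOT in the authorized
    set. A missing or empty username is treated as unauthorized (fail closed)."""
    hits = []
    for e in events:
        if e["device"] != PROXY_DEVICE or e.get("event_name") != ADMIN_EVENT:
            continue
        if norm_user(e.get("username") or "") not in AUTHORIZED_PROXY_ADMINS:
            hits.append(e)
    return hits


def rule_social_media_allowed(events):
    """Rule 4: Proxy_URL_Category is Social Networking AND Event Name is Allowed,
    minus users whitelisted at rule level. Denied social-media requests are left
    to the blocked-URL rule, so they are not double-counted here."""
    hits = []
    for e in events:
        if (e["device"] == PROXY_DEVICE
                and e.get("event_name") == "Allowed"
                and e.get("url_category") == "Social Networking"
                and norm_user(e.get("username") or "") not in SOCIAL_MEDIA_EXCEPTIONS):
            hits.append(e)
    return hits


def ev(event_name, username, src_ip, dst="proxy01.corp.local", url=None, category=None):
    # Constructed event shaped after the 'Fields Required' columns; not a real log record
    return {"device": PROXY_DEVICE, "event_name": event_name, "username": username,
            "src_ip": src_ip, "dst_host": dst, "url": url, "url_category": category}


EVENTS = [
    ev(ADMIN_EVENT, "CORP\\ProxyAdmin", "10.1.9.4"),                                 # authorized admin: no alert
    ev(ADMIN_EVENT, "CORP\\guest", "10.1.2.3"),                                      # not in set: alert
    ev(ADMIN_EVENT, None, "10.1.2.8"),                                               # no identity at all: alert (fail closed)
    ev("Allowed", "CORP\\jdoe", "10.1.2.3", url="https://social.example/", category="Social Networking"),    # alert
    ev("Allowed", "marketing1", "10.1.2.6", url="https://social.example/", category="Social Networking"),    # whitelisted: no alert
    ev("Denied", "CORP\\bob", "10.1.2.9", url="https://social.example/", category="Social Networking"),      # denied: rule 2's job
    ev("Allowed", "CORP\\bob", "10.1.2.9", url="https://intranet.example/", category="Business"),           # unrelated category
]

if __name__ == "__main__":
    for e in rule_unauthorized_proxy_access(EVENTS):
        print(f"RULE3 unauthorized proxy access: user={e['username']!r} src_ip={e['src_ip']} dst={e['dst_host']}")
    for e in rule_social_media_allowed(EVENTS):
        print(f"RULE4 social media allowed: user={e['username']} src_ip={e['src_ip']} url={e['url']}")
```

The whitelist for rule 4 is applied after a documented approval, as the remediation step requires; keeping it as a reference set rather than editing the rule condition itself means the exception list can be reviewed and expired without touching detection logic.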
