Documentation forSecurity Event Manager

Create and enable the Known Spyware Site traffic rule

You can track when users attempt to access suspicious websites by partial or complete URL addresses by enabling the Known Spyware Site Traffic rule. This rule generates a HostIncident event by default you can use in conjunction with the Incidents report to notify auditors that you are auditing critical events on your network.

Before you enable this rule, ensure your proxy server transmits complete URL addresses to your SEM Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.

  1. In the SEM Events Console, click the Rules tab.
  2. On the Rules toolbar, click Create rule from template.

  3. In the search box, enter known spyware site traffic.

  4. Select the known spyware site traffic rule template, and then click Next.
  5. Review and edit the existing conditions and values where needed, and then click Next.
  6. Review and adjust the rule details where needed, and then click Create.

    See Create a new rule for additional guidance.