Documentation forSecurity Event Manager

Create and enable the Known Spyware Site traffic rule

You can track when users attempt to access suspicious websites using partial or complete URL addresses by enabling the Known Spyware Site Traffic rule. This rule generates a HostIncident event by default that you can use in conjunction with the Incidents report to notify auditors that you are auditing critical events on your network.

Before you enable this rule, ensure your proxy server transmits complete URL addresses to your SEM Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.

  1. On the SEM Console, select Rules.
  2. On the Rules toolbar, click Create rule from template.

  3. In the search box, enter "known spyware site traffic". As you type the list of templates will be filtered to show just the one required.

  4. Select the Known Spyware Site Traffic rule template, and click Next.
  5. Review and edit the existing conditions and values where needed, and click Next.
  6. Review and adjust the rule details where needed, and click Create.

    See Create a new rule for additional guidance.