Documentation for Security Event Manager

Create and enable the Known Spyware Site traffic rule

By enabling the Known Spyware Site Traffic rule, you can track when users attempt to access suspicious websites, matching on partial or complete URL addresses. By default, this rule generates a HostIncident event, which you can use in conjunction with the Incidents report to notify auditors that you are auditing critical events on your network.

Before you enable this rule, ensure your proxy server transmits complete URL addresses to your SEM Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.
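The pre-check above, sketched as an added example that is not SolarWinds code: it classifies the URL field of constructed WebTrafficAudit-style records per log source and shows that a partial-URL watch entry containing a path only matches when the source sends the complete URL. The record layout, source names, watch list entries, and the use of substring matching in place of the rule's own comparison are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample records; the dict layout and source names are assumptions.
# Only the event name (WebTrafficAudit) and its URL field come from the page.
EVENTS = [
    {"source": "proxy01", "event": "WebTrafficAudit",
     "URL": "http://tracker.example.net/collect/beacon.js?id=42"},
    {"source": "proxy01", "event": "WebTrafficAudit",
     "URL": "https://intranet.example.org/wiki/Home"},
    {"source": "fw-edge", "event": "WebTrafficAudit", "URL": "tracker.example.net"},
    {"source": "fw-edge", "event": "WebTrafficAudit", "URL": ""},
]
# Constructed watch list of partial URLs (placeholder values).
WATCHLIST = ["tracker.example.net/collect/", "ads.example.com"]


def url_detail(url):
    """Classify how much of the address a log source recorded (heuristic)."""
    if not url:
        return "missing"
    # urlsplit only fills netloc when a scheme or '//' is present.
    parts = urlsplit(url if "//" in url else "//" + url)
    if parts.path not in ("", "/") or parts.query:
        return "complete"
    return "host-only"


def source_report(events):
    """Map each log source to the set of detail levels it produced."""
    report = {}
    for ev in events:
        if ev["event"] == "WebTrafficAudit":
            report.setdefault(ev["source"], set()).add(url_detail(ev["URL"]))
    return report


def matches(events, watchlist):
    """Return (source, pattern) pairs where a partial URL occurs in the URL field."""
    return [(ev["source"], pat) for ev in events for pat in watchlist
            if pat.lower() in ev["URL"].lower()]


if __name__ == "__main__":
    print(source_report(EVENTS))
    print(matches(EVENTS, WATCHLIST))
```

In this sample the firewall source records the same host as the proxy but never produces a match, because its URL field stops at the host name.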

  1. Log in to the SEM Console.

  2. On the toolbar, click Rules.
  3. On the Rules toolbar, click Create rule from template.

  4. In the search box, enter:

    Known Spyware Site traffic

    As you type, the list of templates is filtered to match your search text.

  5. Select the Known Spyware Site Traffic rule template, and click Next.
  6. Review and edit the existing conditions and values where needed, and click Next.
  7. Review and adjust the rule details where needed, and click Create.

    See Create a new rule for additional guidance.