{
  "authors": [
    {
      "email": "rules@neuralwall.io",
      "name": "NeuralWall Rules Team",
      "org": "NeuralWall"
    }
  ],
  "description": {
    "en": "This scenario covers outbound access by authenticated users (identified by directory\ngroup) from the internal network to a SaaS service hosted on the Internet. It enables\noutbound SSL decryption (ssl_forward_proxy) for L7 inspection of HTTPS traffic, with\nregulatory exclusions (health, finance) to preserve privacy and legal compliance.\nA DLP (data loss prevention) profile is applied to detect sensitive data exfiltration.\nThe c2_protection, IPS, url_filtering, and dns_security profiles address the risks of\nshadow IT, compromised accounts, and exfiltration through a hijacked legitimate SaaS.\nDevice compliance (device_posture: compliant) is required to access the SaaS.\n",
    "fr": "Ce scénario couvre l'accès sortant d'utilisateurs authentifiés (identifiés par groupe\nannuaire) depuis le réseau interne vers un service SaaS hébergé sur Internet.\nIl active le déchiffrement SSL sortant (ssl_forward_proxy) pour permettre l'inspection\nL7 du trafic HTTPS, avec des exclusions réglementaires (santé, finance) pour préserver\nla vie privée et la conformité légale. Un profil DLP (prévention des fuites de données)\nest appliqué pour détecter les exfiltrations de données sensibles. Les profils\nc2_protection, IPS, url_filtering et dns_security couvrent les risques de shadow IT,\nde compte compromis et d'exfiltration via un SaaS légitime détourné.\nLa conformité du poste (device_posture: compliant) est requise pour accéder au SaaS.\n"
  },
  "id": "saas_outbound_access",
  "mitre_attack": [
    {
      "name": "Exfiltration Over Web Service: Exfiltration to Cloud Storage",
      "tactic": "exfiltration",
      "technique_id": "T1567.002"
    },
    {
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "command-and-control",
      "technique_id": "T1071.001"
    },
    {
      "name": "Valid Accounts",
      "tactic": "defense-evasion",
      "technique_id": "T1078"
    },
    {
      "name": "Exfiltration Over Alternative Protocol",
      "tactic": "exfiltration",
      "technique_id": "T1048"
    }
  ],
  "rules": [
    {
      "action": "allow",
      "application": {
        "app_id": "saas_generic",
        "category": "saas",
        "default_ports": [
          "tcp/443"
        ],
        "depends_on": [
          "dns",
          "ssl"
        ],
        "risk": 3
      },
      "decryption": {
        "exclusions": [
          "finance",
          "health"
        ],
        "mode": "ssl_forward_proxy"
      },
      "direction": "outbound",
      "identity": {
        "device_posture": "compliant",
        "user_group": [
          "saas_authorized_users",
          "remote_workers"
        ]
      },
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_dlp_priority"
      },
      "rationale": {
        "en": "This rule allows users in the authorized directory groups (compliant devices only)\nto access approved SaaS services over outbound HTTPS. Note that the match key is the\ngeneric app_id saas_generic, so the rule itself does not tell sanctioned from\nunsanctioned SaaS: that distinction comes from identity and from the url_filtering\ncategories, and a production policy would normally enumerate the sanctioned\napplications' app_ids instead. The ssl_forward_proxy decryption mode is enabled to\nallow full L7 inspection; without it, DLP (the central exfiltration control) and the\nantivirus, file_control, sandboxing and IPS profiles see only the TLS handshake.\nThe finance and health exclusions respect legal and privacy constraints and create\nan explicitly documented blind spot; clients that pin their server certificate also\nfail under forward-proxy decryption and need their own documented exclusion. The DLP\nprofile blocks uploads containing sensitive data (PAN, IBAN, national IDs, API keys,\ne-mail PII, source code). The user_group restricts access to the named groups,\napplying least privilege and limiting shadow IT. Device compliance (device_posture:\ncompliant) blocks access from unmanaged endpoints and from managed endpoints that\nfail the posture check; posture is not proof that a device is uncompromised, which\nis why c2_protection and DLP still apply to compliant devices.\n",
        "fr": "Cette règle autorise les utilisateurs des groupes annuaire autorisés (postes\nconformes uniquement) à accéder aux SaaS approuvés via HTTPS sortant.\nLe déchiffrement ssl_forward_proxy est activé pour permettre l'inspection L7\ncomplète — sans lui, le DLP (contrôle central d'exfiltration) est inopérant.\nLes exclusions finance et health respectent les contraintes légales et de vie privée\net créent un angle mort explicitement documenté. Le profil DLP bloque les uploads\ncontenant des données sensibles (PAN, PII, code source). Le user_group restreint\nl'accès au principe de moindre privilège et limite le shadow IT. La conformité\ndu poste (device_posture: compliant) empêche les accès depuis des équipements\nnon gérés ou compromis.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "c2_protection": {
          "action": "block",
          "min_severity": "medium"
        },
        "dlp": {
          "action": "block",
          "patterns": [
            "credit_card",
            "national_id",
            "iban",
            "api_key",
            "pii_email",
            "source_code"
          ]
        },
        "dns_security": {
          "action": "block",
          "sinkhole": true
        },
        "file_control": {
          "block_types": [
            "encrypted_archive",
            "database_dump"
          ],
          "direction": "outbound"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        },
        "sandboxing": {
          "enabled": true,
          "file_types": [
            "pe",
            "pdf",
            "office",
            "script"
          ]
        },
        "url_filtering": {
          "alert_categories": [
            "unknown",
            "parked",
            "grayware"
          ],
          "block_categories": [
            "malware",
            "phishing",
            "c2",
            "newly_registered_domain",
            "proxy_avoidance",
            "hacking"
          ],
          "credential_phishing": "block",
          "uncategorized_action": "block"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "443"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "internet"
        ],
        "source": [
          "internal"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "dns",
        "category": "networking",
        "default_ports": [
          "udp/53",
          "tcp/53"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "DNS resolution is required for internal endpoints to resolve SaaS service FQDNs.\nThe flow is restricted to a controlled internal resolver (least privilege, no\ndirect Internet resolution). That property only holds together with a deny of\ndirect udp/53, tcp/53, DNS-over-TLS (tcp/853) and DNS-over-HTTPS from endpoints to\nthe internet zone; this scenario leaves that to the default outbound deny, since no\nrule here allows DNS toward the Internet. The dns_security profile with sinkhole\nblocks DNS tunneling and queries for known malicious domains from compromised\nendpoints, and answers them with the sinkhole address so the querying host can be\nidentified in the logs. Decryption is not applicable: standard DNS over UDP is not\nan encrypted flow. tcp/53 is also among the application's default ports because\nresponses too large for UDP are truncated and retried over TCP.\n",
        "fr": "La résolution DNS est requise pour que les postes internes puissent résoudre les\nFQDNs des services SaaS. Le flux est restreint vers un résolveur interne contrôlé\n(moindre privilège, pas de résolution directe vers Internet). Le profil dns_security\navec sinkhole bloque le tunneling DNS depuis les postes compromis. Le déchiffrement\nest non applicable : DNS UDP standard n'est pas un flux chiffré.\n"
      },
      "security_profiles": {
        "dns_security": {
          "action": "block",
          "sinkhole": true
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "53"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "internal"
        ],
        "source": [
          "trust"
        ]
      }
    },
    {
      "action": "drop",
      "application": {
        "app_id": "saas_generic",
        "category": "saas",
        "default_ports": [
          "tcp/443"
        ],
        "risk": 4
      },
      "direction": "outbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "Shadow IT mitigation rule: any SaaS access from the internal network that does not\nmatch the identity and compliance criteria of the main rule (unauthorized group,\nnon-compliant device) is silently dropped (drop, not reject: the client receives no\nRST or ICMP and only sees a timeout). This includes attempts to access unapproved\nSaaS services from unmanaged devices. The rule relies on first-match ordering: it\nmust stay after the allow rule, since it matches the same zones, application and\nservice without any identity condition and would otherwise shadow it. An explicit\ndrop with high-priority logging, rather than the implicit default deny, enables\ndetection of abnormal behavior and policy circumvention attempts (shadow IT,\ninsider threat) and makes each denied user, device and destination visible to\nthe SIEM.\n",
        "fr": "Règle de shadow IT mitigation : tout accès à un SaaS depuis le réseau interne qui\nne correspond pas aux critères d'identité et de conformité de la règle principale\n(groupe non autorisé, poste non conforme) est bloqué silencieusement. Cela inclut\nles tentatives d'accès à des SaaS non approuvés depuis des postes non gérés.\nLe log en mode high_priority permet de détecter les comportements anormaux et\nles tentatives de contournement de la politique (shadow IT, insider threat).\n"
      },
      "service": {
        "app_default": true,
        "ports": [
          "443"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "internet"
        ],
        "source": [
          "internal"
        ]
      }
    }
  ],
  "schema_version": "1.0.0",
  "threat_model": {
    "attacker_goal": {
      "en": "Exfiltrate sensitive company data (intellectual property, personal data, financial\ninformation) through a hijacked legitimate SaaS, or establish a persistent C2\nchannel via the APIs of an approved cloud service, exploiting the trust granted\nto outbound HTTPS traffic toward known domains.\n",
      "fr": "Exfiltrer des données sensibles de l'entreprise (propriété intellectuelle,\ndonnées personnelles, informations financières) via un SaaS légitime détourné,\nou établir un canal C2 persistant via les APIs d'un service cloud approuvé,\nen exploitant la confiance accordée au trafic HTTPS sortant vers des domaines\nconnus.\n"
    },
    "key_controls": [
      "ssl_forward_proxy",
      "dlp",
      "c2_protection",
      "identity_user_group",
      "device_posture",
      "url_filtering",
      "dns_security"
    ],
    "summary": {
      "en": "Outbound SaaS access presents three distinct risk categories. (1) Intentional or\naccidental exfiltration: a user (or their compromised endpoint) transfers sensitive\ndata to external cloud storage. (2) Shadow IT: access to unapproved SaaS services\noutside the company's control, which may not meet security or data residency\nrequirements. (3) Compromised account: an authenticated attacker with stolen\ncredentials uses a legitimate SaaS as a C2 relay or exfiltration channel.\nWithout ssl_forward_proxy decryption, L7 inspection (DLP, IPS, c2_protection,\nantivirus, file_control, sandboxing) is blind. Decryption exclusions (finance,\nhealth) are legal and privacy requirements that create a controlled, documented\nblind spot: in those categories only the controls that work on unencrypted\nmetadata remain, namely zone and port matching, application identification from\nthe TLS handshake (SNI, server certificate), url_filtering on the hostname, and\ndns_security.\n",
      "fr": "L'accès sortant vers un SaaS présente trois catégories de risque distinctes.\n(1) Exfiltration intentionnelle ou accidentelle : un utilisateur (ou son poste\ncompromis) transfère des données sensibles vers un stockage cloud externe.\n(2) Shadow IT : accès à des SaaS non approuvés, hors contrôle de l'entreprise,\nqui peuvent ne pas respecter les exigences de sécurité ou de résidence des données.\n(3) Compte compromis : un attaquant authentifié avec des credentials volés utilise\nun SaaS légitime comme relais C2 ou comme canal d'exfiltration. Sans déchiffrement\nssl_forward_proxy, l'inspection L7 (DLP, IPS, c2_protection) est aveugle.\nLes exclusions de déchiffrement (finance, health) sont des exigences légales et\nde vie privée qui créent un angle mort contrôlé et documenté.\n"
    }
  },
  "title": {
    "en": "Internal users' outbound access to a SaaS service via the Internet",
    "fr": "Accès sortant des utilisateurs internes vers un SaaS via Internet"
  },
  "trust_tier": "reviewed",
  "version": "1.0.0"
}
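The rules above are evaluated first-match, and the allow rule's identity conditions, the drop rule's position and the decryption exclusions interact in ways the JSON does not show by itself. The following is an added example, not NeuralWall code: it reduces the three rules to the fields a matcher needs (a constructed copy, with the scenario's zones, ports, groups and exclusions), assumes first-match semantics with an implicit default deny, and assumes the decryption exclusions are keyed by the destination's URL category. It also includes a small shadowing check of the kind a policy linter would run before commit.

```python
"""First-match evaluation of the scenario's three rules (added example)."""
from dataclasses import dataclass, field

# Reduced, constructed copy of the three rules: only the fields the matcher
# needs. Zones, ports, groups and exclusions are those of the scenario.
RULES = [
    {
        "name": "saas_allow", "action": "allow", "app_id": "saas_generic",
        "zones": {"source": "internal", "destination": "internet"},
        "service": {"protocol": "tcp", "port": 443},
        "identity": {"device_posture": "compliant",
                     "user_group": {"saas_authorized_users", "remote_workers"}},
        "decryption": {"mode": "ssl_forward_proxy", "exclusions": {"finance", "health"}},
    },
    {
        "name": "dns_internal", "action": "allow", "app_id": "dns",
        "zones": {"source": "trust", "destination": "internal"},
        "service": {"protocol": "udp", "port": 53},
        "identity": None,
        "decryption": {"mode": "none", "exclusions": set()},
    },
    {
        "name": "saas_drop", "action": "drop", "app_id": "saas_generic",
        "zones": {"source": "internal", "destination": "internet"},
        "service": {"protocol": "tcp", "port": 443},
        "identity": None,
        "decryption": None,
    },
]


@dataclass
class Flow:
    """One session as the policy engine sees it after user and app identification."""
    src_zone: str
    dst_zone: str
    protocol: str
    port: int
    app_id: str
    user_groups: set = field(default_factory=set)
    device_posture: str = "unknown"
    url_category: str = "saas"   # assumed key for the decryption exclusions


def rule_matches(rule, flow):
    z, s = rule["zones"], rule["service"]
    if (z["source"], z["destination"]) != (flow.src_zone, flow.dst_zone):
        return False
    if (s["protocol"], s["port"]) != (flow.protocol, flow.port):
        return False
    if rule["app_id"] != flow.app_id:
        return False
    ident = rule["identity"]
    if ident is not None:
        # Both identity conditions must hold: required posture AND membership
        # in at least one of the listed directory groups.
        if ident["device_posture"] != flow.device_posture:
            return False
        if not ident["user_group"] & flow.user_groups:
            return False
    return True


def evaluate(flow, rules=RULES):
    """Return (rule_name, action, decrypted). The first matching rule wins; a
    flow matching no rule falls to the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            dec = rule["decryption"]
            decrypted = (dec is not None and dec["mode"] != "none"
                         and flow.url_category not in dec["exclusions"])
            return rule["name"], rule["action"], decrypted
    return None, "deny", False


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule matches the
    same zones, service and app_id with no identity condition."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same = all(earlier[k] == later[k] for k in ("zones", "service", "app_id"))
            if same and earlier["identity"] is None:
                out.append(later["name"])
                break
    return out


if __name__ == "__main__":
    cases = {
        "authorized, compliant": Flow("internal", "internet", "tcp", 443, "saas_generic",
                                      {"saas_authorized_users"}, "compliant"),
        "authorized, finance site": Flow("internal", "internet", "tcp", 443, "saas_generic",
                                         {"remote_workers"}, "compliant", "finance"),
        "authorized, non-compliant": Flow("internal", "internet", "tcp", 443, "saas_generic",
                                          {"saas_authorized_users"}, "non_compliant"),
        "direct DNS to Internet": Flow("internal", "internet", "udp", 53, "dns"),
    }
    for label, flow in cases.items():
        print(f"{label:28} -> {evaluate(flow)}")
    print("shadowed if the drop rule is moved first:",
          shadowed([RULES[2], RULES[0], RULES[1]]))
```

The finance case is the documented blind spot in executable form: the session is allowed but `decrypted` is False, so none of the L7 profiles run on it. Moving the drop rule ahead of the allow rule makes `shadowed()` report `saas_allow`, which is the ordering mistake the drop rule's rationale warns about.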
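The DLP profile of the allow rule names its patterns (credit_card, iban, api_key, ...) but not how a match is confirmed, and a pattern that fires on every 16-digit run would block ordinary exports. The following added example, not NeuralWall's DLP engine, shows the validation a detector applies on top of the regex: Luhn for credit_card, the ISO 7064 mod-97 check for iban, and a fixed AWS-style access key format as one concrete api_key pattern (an assumption; national_id, pii_email and source_code are left out). The upload body is constructed for the example; the card number and access key in it are the well-known test values from the Visa and AWS documentation.

```python
"""DLP pattern confirmation for an upload body (added example)."""
import re

# Constructed sample upload (not from the page). Row 1 carries a Luhn-valid
# test PAN and a valid IBAN; row 2 carries an AWS documentation example key.
# The order_id values are 13-digit runs that fail Luhn and must not be flagged.
SAMPLE_UPLOAD = """\
customer,order_id,card,iban,note
alice,1234567890123,4111 1111 1111 1111,GB82WEST12345698765432,export for vendor
bob,9876543210988,n/a,n/a,deploy key AKIAIOSFODNN7EXAMPLE in config
"""

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Country code, two check digits, 11 to 30 alphanumerics (ISO 13616 shape).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# Assumed api_key shape: AWS access key id prefix plus 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban):
    """ISO 7064 mod-97: move the first four characters to the end, map letters
    to 10..35, and the resulting integer must be congruent to 1 mod 97."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def scan_upload(text):
    """Return confirmed findings as {pattern, value} dicts."""
    findings = []
    for m in AWS_KEY_RE.finditer(text):
        findings.append({"pattern": "api_key", "value": m.group()})
    for m in IBAN_RE.finditer(text):
        if iban_ok(m.group()):
            findings.append({"pattern": "iban", "value": m.group()})
    # Mask IBANs first so their digit tail is not re-read as a card number.
    masked = IBAN_RE.sub(" ", text)
    for m in PAN_RE.finditer(masked):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"pattern": "credit_card", "value": digits})
    return findings


def dlp_action(findings, profile_action="block"):
    """Apply the profile's action (block in the scenario) when anything is confirmed."""
    return profile_action if findings else "allow"


if __name__ == "__main__":
    found = scan_upload(SAMPLE_UPLOAD)
    for f in found:
        print(f"{f['pattern']:12} {f['value']}")
    print("decision:", dlp_action(found))
```

Only three findings come back: the two order ids match the PAN regex but fail Luhn, and the IBAN's digits are not reported a second time as a card number. This is the difference between a DLP profile that blocks exfiltration and one that users learn to route around.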