NeuralWall Rules Kit
saas_outbound_access (trust tier: reviewed)

Internal users' outbound access to a SaaS service via the Internet

This scenario covers outbound access by authenticated users (identified by directory group) from the internal network to a SaaS service hosted on the Internet. It enables outbound SSL decryption (ssl_forward_proxy) for L7 inspection of HTTPS traffic, with regulatory exclusions (health, finance) to preserve privacy and legal compliance. A DLP (data loss prevention) profile is applied to detect sensitive data exfiltration. The c2_protection, IPS, url_filtering, and dns_security profiles address the risks of shadow IT, compromised accounts, and exfiltration through a hijacked legitimate SaaS. Device compliance (device_posture: compliant) is required to access the SaaS.

Schema: 1.0.0
Version: 1.0.0
Authors: NeuralWall Rules Team (NeuralWall)

Trust & attestations

Trust tier: reviewed

Threat model

Summary
Outbound SaaS access presents three distinct risk categories. (1) Intentional or accidental exfiltration: a user (or their compromised endpoint) transfers sensitive data to external cloud storage. (2) Shadow IT: access to unapproved SaaS services outside the company's control, which may not meet security or data residency requirements. (3) Compromised account: an authenticated attacker with stolen credentials uses a legitimate SaaS as a C2 relay or exfiltration channel. Without ssl_forward_proxy decryption, L7 inspection (DLP, IPS, c2_protection) is blind. Decryption exclusions (finance, health) are legal and privacy requirements that create a controlled, documented blind spot.
Attacker goal
Exfiltrate sensitive company data (intellectual property, personal data, financial information) through a hijacked legitimate SaaS, or establish a persistent C2 channel via the APIs of an approved cloud service, exploiting the trust granted to outbound HTTPS traffic toward known domains.
Key controls
ssl_forward_proxy, dlp, c2_protection, identity_user_group, device_posture, url_filtering, dns_security

MITRE ATT&CK

Technique | Name | Tactic
T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | exfiltration
T1071.001 | Application Layer Protocol: Web Protocols | command-and-control
T1078 | Valid Accounts | defense-evasion
T1048 | Exfiltration Over Alternative Protocol | exfiltration

Rules

# | App ID | Action | Direction | Zones | Risk | Security profiles | Decryption
0 | saas_generic | allow | outbound | internal → internet | 3 | antivirus, c2_protection, dlp, dns_security, file_control, ips, sandboxing, url_filtering | ssl_forward_proxy
1 | dns | allow | internal | trust → internal | 2 | dns_security | none
2 | saas_generic | drop | outbound | internal → internet | 4 | (none) | (none)

Rule details

Rule 0 — saas_generic (allow)

Rationale

This rule allows users in the authorized directory groups (compliant devices only) to access approved SaaS services over outbound HTTPS. The ssl_forward_proxy decryption mode is enabled to allow full L7 inspection; without it, DLP, the central exfiltration control, is inoperative. The finance and health exclusions respect legal and privacy constraints and create an explicitly documented blind spot. The DLP profile blocks uploads containing sensitive data (PAN, PII, source code). The user_group restriction applies the least-privilege principle and limits shadow IT. Device compliance (device_posture: compliant) prevents access from unmanaged or compromised endpoints.

Application

app_id: saas_generic
category: saas
risk: 3
depends_on: dns, ssl

Zones

internal → internet

direction: outbound

Security profiles

antivirus: action=block
c2_protection: action=block, min_severity=medium
dlp: action=block, patterns=credit_card+national_id+iban+api_key+pii_email+source_code
dns_security: action=block, sinkhole=true
file_control: block_types=encrypted_archive+database_dump, direction=outbound
ips: action=block, min_severity=medium
sandboxing: enabled=true, file_types=pe+pdf+office+script
url_filtering: alert_categories=unknown+parked+grayware, block_categories=malware+phishing+c2+newly_registered_domain+proxy_avoidance+hacking, credential_phishing=block, uncategorized_action=block

Decryption

mode=ssl_forward_proxy

exclusions: finance, health

Logging

log_start: false
log_end: true
forwarding → siem_dlp_priority

Rule 1 — dns (allow)

Rationale

DNS resolution is required for internal endpoints to resolve SaaS service FQDNs. The flow is restricted to a controlled internal resolver (least privilege, no direct Internet resolution). The dns_security profile with sinkhole blocks DNS tunneling from compromised endpoints. Decryption is not applicable: standard DNS over UDP is not an encrypted flow.

Application

app_id: dns
category: networking
risk: 2

Zones

trust → internal

direction: internal

Security profiles

dns_security: action=block, sinkhole=true

Decryption

mode=none

Logging

log_end: true
forwarding → siem_default

Rule 2 — saas_generic (drop)

Rationale

Shadow IT mitigation rule: any SaaS access from the internal network that does not match the identity and compliance criteria of the main rule (unauthorized group, non-compliant device) is silently dropped. This includes attempts to access unapproved SaaS services from unmanaged devices. High-priority logging enables detection of abnormal behavior and policy circumvention attempts (shadow IT, insider threat).

Application

app_id: saas_generic
category: saas
risk: 4

Zones

internal → internet

direction: outbound

Logging

log_start: true
log_end: true
forwarding → siem_high_priority
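The three rules above are evaluated top-down with first-match semantics: a SaaS flow that fails the identity or posture conditions of Rule 0 falls through to the Rule 2 drop, and decryption under Rule 0 is skipped for the finance and health exclusions. The following Python model, added here as an illustration and not part of the NeuralWall kit, makes that ordering explicit; the rules table does not name the identity and posture match fields, so the `user_groups` and `device_posture` conditions on Rule 0 and the `AUTHORIZED_GROUPS` value are assumptions taken from the rationale text.

```python
"""First-match model of the saas_outbound_access rule set (added example).

Assumptions: Rule 0 matches only when the user is in an authorized
directory group and the device posture is 'compliant'; the group name
below is constructed for the example."""
from dataclasses import dataclass

AUTHORIZED_GROUPS = {"saas-users"}          # assumed directory group
DECRYPT_EXCLUSIONS = {"finance", "health"}  # exclusions from the kit


@dataclass(frozen=True)
class Flow:
    app_id: str
    src_zone: str
    dst_zone: str
    user_groups: frozenset = frozenset()
    device_posture: str = "unknown"
    url_category: str = "uncategorized"


@dataclass(frozen=True)
class Rule:
    rid: int
    app_id: str
    action: str
    src_zone: str
    dst_zone: str
    decryption: str = "none"
    require_group: bool = False      # assumed identity_user_group match
    require_compliant: bool = False  # assumed device_posture match


RULES = [
    Rule(0, "saas_generic", "allow", "internal", "internet", "ssl_forward_proxy", True, True),
    Rule(1, "dns", "allow", "trust", "internal"),
    Rule(2, "saas_generic", "drop", "internal", "internet"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    if (rule.app_id, rule.src_zone, rule.dst_zone) != (flow.app_id, flow.src_zone, flow.dst_zone):
        return False
    if rule.require_group and not (flow.user_groups & AUTHORIZED_GROUPS):
        return False
    return not rule.require_compliant or flow.device_posture == "compliant"


def evaluate(flow: Flow):
    """Return (rule_id, action, decrypted). First matching rule wins; decryption
    applies only under ssl_forward_proxy and outside the regulatory exclusions."""
    for rule in RULES:
        if matches(rule, flow):
            decrypt = rule.decryption == "ssl_forward_proxy" and flow.url_category not in DECRYPT_EXCLUSIONS
            return rule.rid, rule.action, decrypt
    return None, "implicit_deny", False
```

A flow that reaches Rule 0 but carries a `health` or `finance` URL category is still allowed, only undecrypted, which is the documented blind spot the DLP profile cannot cover.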