NeuralWall Rules Kit
saas_outbound_access (trust tier: reviewed)

Internal users' outbound access to a SaaS service via the Internet

This scenario covers outbound access by authenticated users (identified by directory group) from the internal network to a SaaS service hosted on the Internet. It enables outbound SSL decryption (ssl_forward_proxy) for L7 inspection of HTTPS traffic, with regulatory exclusions (health, finance) to preserve privacy and legal compliance. A DLP (data loss prevention) profile is applied to detect sensitive data exfiltration. The c2_protection, IPS, url_filtering, and dns_security profiles address the risks of shadow IT, compromised accounts, and exfiltration through a hijacked legitimate SaaS. Device compliance (device_posture: compliant) is required to access the SaaS.

Schema: 1.0.0
Version: 1.0.0
Authors: NeuralWall Rules Team (NeuralWall)

Trust and attestations

Trust tier: reviewed (next tier: verified)

Threat model

Summary
Outbound SaaS access presents three distinct risk categories. (1) Intentional or accidental exfiltration: a user (or their compromised endpoint) transfers sensitive data to external cloud storage. (2) Shadow IT: access to unapproved SaaS services outside the company's control, which may not meet security or data residency requirements. (3) Compromised account: an attacker holding stolen credentials authenticates as a legitimate user and uses an approved SaaS as a C2 relay or exfiltration channel. Without ssl_forward_proxy decryption, the L7 controls (DLP, IPS, c2_protection) see only the TLS handshake and cannot inspect request content. The decryption exclusions (finance, health) are legal and privacy requirements that create a controlled, documented blind spot. Because the decision to skip decryption must be taken on what is visible before decryption (server name, certificate, destination category), a misclassified destination silently widens that blind spot, so the excluded categories belong under the same change control as the rule itself.
Attacker objective
Exfiltrate sensitive company data (intellectual property, personal data, financial information) through a hijacked legitimate SaaS, or establish a persistent C2 channel via the APIs of an approved cloud service, exploiting the trust granted to outbound HTTPS traffic toward known domains.
Key controls
ssl_forward_proxy, dlp, c2_protection, identity_user_group, device_posture, url_filtering, dns_security

MITRE ATT&CK

Technique   Name                                                            Tactic
T1567.002   Exfiltration Over Web Service: Exfiltration to Cloud Storage    exfiltration
T1071.001   Application Layer Protocol: Web Protocols                       command-and-control
T1078       Valid Accounts                                                  defense-evasion
T1048       Exfiltration Over Alternative Protocol                          exfiltration

Rules

#  App ID        Action  Direction  Zones                 Risk  Security profiles                                                                            Decryption
0  saas_generic  allow   outbound   internal → internet   3     antivirus, c2_protection, dlp, dns_security, file_control, ips, sandboxing, url_filtering   ssl_forward_proxy
1  dns           allow   internal   trust → internal      2     dns_security                                                                                 none
2  saas_generic  drop    outbound   internal → internet   4     -                                                                                            -

Rule details

Rule 0 — saas_generic (allow)

Rationale

This rule allows users in the authorized directory groups, on compliant devices only, to reach approved SaaS services over outbound HTTPS. Decryption in ssl_forward_proxy mode is enabled for full L7 inspection; without it DLP, the central exfiltration control, sees no request content and is inoperative. The finance and health exclusions respect legal and privacy constraints and form an explicitly documented blind spot. The DLP profile blocks uploads containing sensitive data (PAN, PII, source code); because DLP can only match plaintext, the file_control profile complements it by blocking outbound encrypted archives and database dumps, the obvious containers for wrapping data so that pattern matching cannot see it. The identity_user_group match limits access to the authorized groups (least privilege) and reduces shadow IT. Device compliance (device_posture: compliant) prevents access from unmanaged or compromised endpoints.

Application

app_id:
saas_generic
category:
saas
risk:
3
depends_on:
dns, ssl

Zones

internal → internet

direction: outbound

Security profiles

antivirus: action=block
c2_protection: action=block, min_severity=medium
dlp: action=block, patterns=credit_card+national_id+iban+api_key+pii_email+source_code
dns_security: action=block, sinkhole=true
file_control: block_types=encrypted_archive+database_dump, direction=outbound
ips: action=block, min_severity=medium
sandboxing: enabled=true, file_types=pe+pdf+office+script
url_filtering: alert_categories=unknown+parked+grayware, block_categories=malware+phishing+c2+newly_registered_domain+proxy_avoidance+hacking, credential_phishing=block, uncategorized_action=block
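The dlp profile names its patterns but not how a hit is qualified before action=block fires. The Python below is an added illustration, not NeuralWall code, of why a DLP engine validates candidates rather than blocking on a regex alone: it runs a subset of the profile's pattern set (iban, credit_card, api_key, pii_email) over a constructed plaintext upload body, which the proxy only has because ssl_forward_proxy decrypted it, and applies the ISO 13616 mod-97 and Luhn checksums so that digit runs that merely look like an IBAN or a PAN do not trigger a block. Validated hits are masked before the next, looser detector runs, so the PAN regex cannot re-match digits inside an IBAN. The api_key format and all sample values are assumptions; national_id and source_code are left out because their rules are locale- and language-specific.

```python
import re
from dataclasses import dataclass

# Constructed sample: the plaintext body of an HTTPS upload as the forward
# proxy sees it after ssl_forward_proxy. All values are test/dummy data.
SAMPLE_UPLOAD = """\
name,card,iban
Alice,4111 1111 1111 1111,DE89 3704 0044 0532 0130 00
Bob,4111 1111 1111 1112,DE00 3704 0044 0532 0130 00
build note: version 1234 5678 9012 3456 is not a card number
api_key = EXAMPLEKEY0123456789abcdef
contact: alice@example.com
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # pattern name, following the profile's naming (credit_card, iban, ...)
    value: str  # matched text as it appeared in the body


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: rejects most random 16-digit runs that merely look like a PAN."""
    digits = [int(c) for c in re.sub(r"[ -]", "", candidate)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(candidate: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters
    to 10..35, and the resulting integer must be congruent to 1 mod 97."""
    s = candidate.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s[:2].isalpha():
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


# Detectors run in this order; each validated hit is masked so a later,
# looser pattern (the PAN regex) cannot re-match digits inside an IBAN.
DETECTORS = [
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}(?: ?[A-Z0-9]{1,4})?\b"), iban_ok),
    ("credit_card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_ok),
    # Hypothetical key format: 16+ alphanumerics after an api_key assignment.
    ("api_key", re.compile(r"\bapi[_-]?key\s*[=:]\s*[\"']?([A-Za-z0-9_-]{16,})", re.I), lambda v: True),
    ("pii_email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), lambda v: True),
]


def scan(body: str) -> list[Finding]:
    """Return validated findings in detector order."""
    findings: list[Finding] = []
    text = body
    for kind, pattern, validate in DETECTORS:
        def mask(m: re.Match, kind=kind, validate=validate) -> str:
            value = m.group(1) if m.lastindex else m.group(0)
            if not validate(value):
                return m.group(0)          # leave it; a later detector may still inspect it
            findings.append(Finding(kind, value))
            return "#" * len(m.group(0))   # redact so it is not matched twice
        text = pattern.sub(mask, text)
    return findings


def dlp_verdict(body: str) -> str:
    """Profile semantics from the rule: action=block when any pattern validates."""
    return "block" if scan(body) else "allow"


if __name__ == "__main__":
    for f in scan(SAMPLE_UPLOAD):
        print(f"{f.kind:12} {f.value}")
    print("verdict:", dlp_verdict(SAMPLE_UPLOAD))
```

On the sample, the valid IBAN, Alice's PAN, the key and the e-mail address are reported and the verdict is block; Bob's PAN (wrong check digit), the DE00 IBAN and the 16-digit version string are all rejected by the checksums and never reach the log, which is the difference between a DLP control users tolerate and one they route around.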

Decryption

mode=ssl_forward_proxy

exclusions: finance, health

Logging

log_start: false
log_end: true
forwarding → siem_dlp_priority

Rule 1 — dns (allow)

Rationale

DNS resolution is required for internal endpoints to resolve the FQDNs of the SaaS services. The flow is restricted to the controlled internal resolver (trust zone to internal zone), so endpoints never resolve directly against Internet resolvers (least privilege). The dns_security profile with sinkhole enabled blocks DNS tunneling from compromised endpoints and answers the flagged lookups with a sinkhole address, which also makes the infected host visible in the resolver logs. Decryption is not applicable: conventional DNS on port 53 is not an encrypted flow. Note that encrypted DNS (DoH, DoT) from an endpoint does not match this rule at all; DoH in particular looks like ordinary HTTPS to the firewall, so it should be disabled in endpoint and browser configuration or pinned to the internal resolver, otherwise the sinkhole never sees the query.
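What lets a resolver-side dns_security control recognise tunneling is not spelled out above. The block below is an added example in Python, not NeuralWall's implementation, of two heuristics such a profile typically relies on: the length and character entropy of the leftmost label, and the number of distinct flagged names under one registrable domain, since a tunnel has to mint a fresh subdomain for every chunk it carries. The query names, the thresholds and the two-label rule for the registrable domain are assumptions (a real resolver would consult the Public Suffix List).

```python
import math
from collections import Counter, defaultdict

# Constructed sample of query names as the internal resolver would log them.
# The evil.example names carry hex-encoded payload in the leftmost label.
SAMPLE_QUERIES = [
    "app.saas.example.com",
    "cdn.saas.example.com",
    "login.example.com",
    "static-content-server-01.example.net",
    "0123456789abcdef0123456789abcdef.t.evil.example",
    "fedcba9876543210fedcba9876543210.t.evil.example",
    "00112233445566778899aabbccddeeff.t.evil.example",
    "app.saas.example.com",
]

LONG_LABEL = 30      # DNS allows 63; legitimate hostnames rarely get this long
HIGH_ENTROPY = 3.5   # bits per character; encoded payload sits near 4 (hex) or 5 (base32)
FLAG_SCORE = 2       # both size and randomness must trip before a query is flagged


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(qname: str) -> tuple[str, list[str]]:
    """Assumption: the registrable domain is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def score_query(qname: str) -> int:
    """0..2: one point for an unusually long label, one for high entropy in it."""
    _, sub = split_name(qname)
    if not sub:
        return 0
    longest = max(sub, key=len)
    score = 0
    if len(longest) >= LONG_LABEL:
        score += 1
    if shannon_entropy(longest) >= HIGH_ENTROPY:
        score += 1
    return score


def suspicious_bases(queries: list[str], min_flagged: int = 3) -> list[str]:
    """Registrable domains with at least min_flagged distinct flagged names.
    Counting distinct names separates a tunnel (new subdomain per chunk)
    from one odd-looking but stable hostname that is queried repeatedly."""
    flagged: dict[str, set[str]] = defaultdict(set)
    for q in queries:
        if score_query(q) >= FLAG_SCORE:
            base, _ = split_name(q)
            flagged[base].add(q.lower())
    return sorted(b for b, names in flagged.items() if len(names) >= min_flagged)


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(score_query(q), q)
    print("sinkhole candidates:", suspicious_bases(SAMPLE_QUERIES))
```

Requiring both criteria matters: the long human-readable hostname in the sample scores on at most one of them and is never flagged, while each evil.example name scores on both, and only the domain that accumulates three distinct flagged names is proposed for the sinkhole.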

Application

app_id:
dns
category:
networking
risk:
2

Zones

trust → internal

direction: internal

Security profiles

dns_security: action=block, sinkhole=true

Decryption

mode=none

Logging

log_end: true
forwarding → siem_default

Rule 2 — saas_generic (drop)

Rationale

Shadow IT mitigation rule: any SaaS access from the internal network that does not match the identity and compliance criteria of the main rule (user outside the authorized groups, non-compliant device) is dropped. The drop is silent to the client (no reset and no block page, so the connection simply times out) but not to the SOC: both session start and end are logged and forwarded to siem_high_priority. This covers attempts to reach unapproved SaaS services as well as attempts from unmanaged devices, and that log stream is what makes abnormal behaviour and policy circumvention (shadow IT, insider threat) detectable. Because this rule is evaluated after rule 0, it never sees traffic rule 0 already allowed; a user who hits it repeatedly is either on a device that has lost compliance or probing for a way around the policy.
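The rationale above relies on the siem_high_priority and siem_dlp_priority streams being correlated, but does not say how. As an added example, not part of the NeuralWall kit, the Python below runs two detections over constructed log lines in a hypothetical key=value export format (the field names rule, action, user, device, dlp and pattern are assumptions, not NeuralWall's schema): repeated rule-2 drops by one user inside a window, and a DLP block on rule 0 followed within the window by a rule-2 drop, the sequence a user produces when sensitive data is stopped on the approved path and they then try an unapproved one.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines; the format and field names are assumptions.
SAMPLE_LOGS = """\
2024-05-06T10:00:01Z rule=0 action=allow user=alice group=eng device=compliant dst=files.saas.example dlp=block pattern=credit_card
2024-05-06T10:02:15Z rule=2 action=drop user=alice group=eng device=noncompliant dst=share.other.example
2024-05-06T10:03:00Z rule=2 action=drop user=bob group=contractors device=noncompliant dst=share.other.example
2024-05-06T10:04:00Z rule=2 action=drop user=bob group=contractors device=noncompliant dst=share.other.example
2024-05-06T10:05:00Z rule=2 action=drop user=bob group=contractors device=noncompliant dst=notes.other.example
2024-05-06T10:30:00Z rule=2 action=drop user=carol group=eng device=noncompliant dst=share.other.example
2024-05-06T10:31:00Z rule=0 action=allow user=dave group=finance device=compliant dst=files.saas.example dlp=block pattern=iban
2024-05-06T10:45:00Z rule=2 action=drop user=dave group=finance device=noncompliant dst=share.other.example
"""

WINDOW = timedelta(minutes=10)
DROP_THRESHOLD = 3   # rule-2 drops from one user inside WINDOW


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    detail: str


def parse(line: str) -> dict:
    """One 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(log_text: str) -> list[Alert]:
    events = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user in sorted(by_user):
        evs = sorted(by_user[user], key=lambda e: e["ts"])
        drops = [e["ts"] for e in evs if e["rule"] == "2"]
        blocks = [e for e in evs if e.get("dlp") == "block"]

        # Repeated denials on the catch-all rule: a device that lost posture,
        # or a user probing for a way around the policy.
        for i in range(len(drops) - DROP_THRESHOLD + 1):
            if drops[i + DROP_THRESHOLD - 1] - drops[i] <= WINDOW:
                alerts.append(Alert("repeated_drop", user,
                                    f"{DROP_THRESHOLD} drops within {WINDOW}"))
                break

        # DLP block on the approved path followed by a drop on the catch-all:
        # data was stopped, then the user tried a path the policy does not permit.
        for b in blocks:
            if any(b["ts"] < d <= b["ts"] + WINDOW for d in drops):
                alerts.append(Alert("dlp_then_drop", user,
                                    f"{b.get('pattern', '?')} blocked, then denied SaaS access"))
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"{a.kind:15} {a.user:8} {a.detail}")
```

On the sample, alice raises dlp_then_drop (credit-card upload blocked, then a denied attempt two minutes later from a device that is no longer compliant) and bob raises repeated_drop; carol's single drop and dave's drop fourteen minutes after his DLP block stay below the thresholds, which is the kind of tuning the siem_high_priority stream needs so that every contractor on an unmanaged laptop does not page the on-call analyst.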

Application

app_id:
saas_generic
category:
saas
risk:
4

Zones

internal → internet

direction: outbound

Logging

log_start: true
log_end: true
forwarding → siem_high_priority