reviewed saas_outbound_access

Internal users' outbound access to a SaaS service via the Internet

This scenario covers outbound access by authenticated users (identified by directory group) from the internal network to a SaaS service hosted on the Internet. It enables outbound SSL decryption (ssl_forward_proxy) for L7 inspection of HTTPS traffic, with regulatory exclusions (health, finance) to preserve privacy and legal compliance. A DLP (data loss prevention) profile is applied to detect sensitive data exfiltration. The c2_protection, IPS, url_filtering, and dns_security profiles address the risks of shadow IT, compromised accounts, and exfiltration through a hijacked legitimate SaaS. Device compliance (device_posture: compliant) is required to access the SaaS.

スキーマ:: 1.0.0
バージョン:: 1.0.0
著者:: NeuralWall Rules Team (NeuralWall)

信頼と証明

Trust tierreviewed

信頼情報を読み込み中…

community

reviewed

verified

Next tier: verified

プレビュー {} Machine JSON AI AI/RAG Markdown ~ Source YAML RAG [fr]

脅威モデル

概要

Outbound SaaS access presents three distinct risk categories. (1) Intentional or accidental exfiltration: a user (or their compromised endpoint) transfers sensitive data to external cloud storage. (2) Shadow IT: access to unapproved SaaS services outside the company's control, which may not meet security or data residency requirements. (3) Compromised account: an authenticated attacker with stolen credentials uses a legitimate SaaS as a C2 relay or exfiltration channel. Without ssl_forward_proxy decryption, L7 inspection (DLP, IPS, c2_protection) is blind. Decryption exclusions (finance, health) are legal and privacy requirements that create a controlled, documented blind spot.

攻撃者の目的

Exfiltrate sensitive company data (intellectual property, personal data, financial information) through a hijacked legitimate SaaS, or establish a persistent C2 channel via the APIs of an approved cloud service, exploiting the trust granted to outbound HTTPS traffic toward known domains.

主要コントロール

ssl_forward_proxydlpc2_protectionidentity_user_groupdevice_postureurl_filteringdns_security

MITRE ATT&CK

テクニック	名称	タクティック
T1567.002	Exfiltration Over Web Service: Exfiltration to Cloud Storage	exfiltration
T1071.001	Application Layer Protocol: Web Protocols	command-and-control
T1078	Valid Accounts	defense-evasion
T1048	Exfiltration Over Alternative Protocol	exfiltration

ルール

#	App ID	アクション	方向	ゾーン	リスク	セキュリティプロファイル	復号
0	saas_generic	allow	outbound	internal → internet	3	antivirus, c2_protection, dlp, dns_security, file_control, ips, sandboxing, url_filtering	ssl_forward_proxy
1	dns	allow	internal	trust → internal	2	dns_security	none
2	saas_generic	drop	outbound	internal → internet	4	—	—

ルール詳細

ルール 0 — `saas_generic` (allow)

根拠

This rule allows users in the authorized directory groups (compliant devices only) to access approved SaaS services over outbound HTTPS. The ssl_forward_proxy decryption mode is enabled to allow full L7 inspection — without it, DLP (the central exfiltration control) is inoperative. The finance and health exclusions respect legal and privacy constraints and create an explicitly documented blind spot. The DLP profile blocks uploads containing sensitive data (PAN, PII, source code). The user_group restricts access to the least-privilege principle and limits shadow IT. Device compliance (device_posture: compliant) prevents access from unmanaged or compromised endpoints.

アプリケーション

app_id:: saas_generic
category:: saas
risk:: 3
depends_on:: dns, ssl

ゾーン

internal → internet

direction: outbound

セキュリティプロファイル

antivirus: action=block c2_protection: action=block, min_severity=medium dlp: action=block, patterns=credit_card+national_id+iban+api_key+pii_email+source_code dns_security: action=block, sinkhole=true file_control: block_types=encrypted_archive+database_dump, direction=outbound ips: action=block, min_severity=medium sandboxing: enabled=true, file_types=pe+pdf+office+script url_filtering: alert_categories=unknown+parked+grayware, block_categories=malware+phishing+c2+newly_registered_domain+proxy_avoidance+hacking, credential_phishing=block, uncategorized_action=block

復号

mode=ssl_forward_proxy

exclusions: finance, health

ロギング

log_start: false

log_end: true

forwarding → siem_dlp_priority

ルール 1 — `dns` (allow)

根拠

DNS resolution is required for internal endpoints to resolve SaaS service FQDNs. The flow is restricted to a controlled internal resolver (least privilege, no direct Internet resolution). The dns_security profile with sinkhole blocks DNS tunneling from compromised endpoints. Decryption is not applicable: standard DNS over UDP is not an encrypted flow.

アプリケーション

app_id:: dns
category:: networking
risk:: 2

ゾーン

trust → internal

direction: internal

セキュリティプロファイル

dns_security: action=block, sinkhole=true

復号

mode=none

ロギング

log_end: true

forwarding → siem_default

ルール 2 — `saas_generic` (drop)

根拠

Shadow IT mitigation rule: any SaaS access from the internal network that does not match the identity and compliance criteria of the main rule (unauthorized group, non-compliant device) is silently dropped. This includes attempts to access unapproved SaaS services from unmanaged devices. High-priority logging enables detection of abnormal behavior and policy circumvention attempts (shadow IT, insider threat).

アプリケーション

app_id:: saas_generic
category:: saas
risk:: 4

ゾーン

internal → internet

direction: outbound

ロギング

log_start: true

log_end: true

forwarding → siem_high_priority

信頼と証明

脅威モデル

MITRE ATT&CK

ルール

ルール詳細

ルール 0 — saas_generic (allow)

ルール 1 — dns (allow)

ルール 2 — saas_generic (drop)

利用状況とフィードバック

ルール 0 — `saas_generic` (allow)

ルール 1 — `dns` (allow)

ルール 2 — `saas_generic` (drop)