FortiSIEM Rules

ThreatDown Nebula: Website Blocked

Rule ID

PH_RULE_Nebula_WebsiteBlocked

Default Status

Enabled

Description

ThreatDown Nebula (powered by MalwareBytes) agent has blocked a website. Note: The underlying logs do not always contain a website domain only ip address for the given traffic.

Severity

7

Category

Security

Detection Technology

Correlation

Rule Mode

Streaming

MITRE ATT&CK® Tactics

Initial Access

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

https://attack.mitre.org/tactics/TA0001

MITRE ATT&CK® Techniques


T1189

Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token. The focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Token

https://attack.mitre.org/techniques/T1189

Impacts

Server

Data Source

Threatdown Nebula via Syslog

Detection

Correlation

Remediation Guidance

Investigate if the traffic to the given website is legitimate and expected for normal use.

Time Window

If the following pattern or patterns match an ingested event within the given time window in seconds, trigger an incident.

300 seconds

Trigger Conditions

If the following defined pattern/s occur within a 300 second time window.

website_block

SubPattern Definitions

SubPattern Name: website_block

This is the named definition of the event query, this is important if multiple subpatterns are defined to distinguish them.

SubPattern Query

This is the query logic that matches incoming events

eventType="ThreatDown-Nebula-Detection-Website-blocked"

Group by Attributes

This defines how matching events are aggregated, only events with the same matching attribute values are grouped into one unique incident ID

hostName,srcIpAddr,destIpAddr,direction,domain

Aggregate Constraint

This is most typically a numerical constraint that defines when the rule should trigger an incident

COUNT(*) >= 1

Incident Attribute Mapping

This section defines which fields in matching raw events should be mapped to the incident attributes in the resulting incident.

The available raw event attributes to map are limited to the group by attributes and the aggregate event constraint fields for each subpattern

 hostName = website_block.hostName,
srcIpAddr = website_block.srcIpAddr,
destIpAddr = website_block.destIpAddr,
direction = website_block.direction,
domain = website_block.domain,
incidentCount = website_block.COUNT(*)